If you’re not careful, suspicious code within your sites can easily go unnoticed and wreak havoc. Whether you’ve been hacked and need a resolution ASAP, or you simply want to check your sites for suspicious activity, Defender can help you quickly detect and eliminate malware for good. See how it’s done in this tutorial.
Looking for a convenient and hassle-free way to locate and delete suspicious code from your sites?
In this tutorial we’re showing you, step-by-step, how Defender‘s vast suite of security features can help banish and keep suspicious code at bay.
You’ll also learn how to keep your sites protected from these kinds of issues going forward.
First order of business… Detecting and removing suspicious files and code can only be done with the Pro version of Defender.
You can get Defender Pro, along with our suite of Pro WordPress plugins and site management tools for a low $3/month. Which is incredible value, especially if you own or manage critical sites that are particularly susceptible to malware or attacks.
The first step is to enable the Suspicious Code setting via Malware Scanning > Settings.
You also need to ensure that File Change Detection is enabled for both ‘Scan Core Files’ and ‘Scan Plugin Files.’ This will help reduce the occurrence of false positives in your scans.
Once you’ve enabled these settings, you’re ready to scan your site for malware.
To do this, go to Malware Scanning via the WordPress admin sidebar or from the main Defender dashboard.
Once here, you can initiate a new scan with a click.
Then sit back and let Defender work its magic. The scan should only take a few minutes, depending on the size of your site.
Once the scan is completed, you will be alerted to any issues found relating to file change detection, known vulnerabilities, and suspicious code.
Next, simply click on the Issues tab. Here you will find a list of all the potentially harmful files that have been compromised or changed in some way.
Click on any of the detected files to get more details about the issue and its exact location.
In the example below, the suspicious code has been detected inside of a WordPress plugin. Defender specifically points out the error and the file in which it was found.
Along with seeing important details like the plugin URL, location of the issue, date added, and developer, you have three options when it comes to addressing suspicious files or code.
You can either ignore, delete, or Safe Repair the file.
Caution: It’s strongly recommended to ensure that something is harmless before choosing to delete and/or ignore it. If you’re unsure or need advice, you can consult our 24/7 WordPress experts.
It’s important to note there is a chance that reported issues or vulnerabilities could be false positives, meaning that legitimate code being flagged as suspicious due to its resemblance to malicious code.
This can happen for various reasons, such as a function being modified by a plugin or theme, or if something is directly modified in the file or theme editor.
Fortunately, Defender is designed to minimize the occurrence of false positives. However, malicious code often mimics legitimate code, making it almost impossible to avoid completely.
To help verify suspicious code, you can take a couple of steps:
- Verify custom edits: Check with the plugin developer to confirm the questionable code.
- Contact our support: If you didn’t add the code, and you’re certain no one you know did, feel free to contact WPMU DEV support for feedback and to share what you deem to be malicious code.
We highly recommend you reach out to either the plugin developer or our expert support team for advice before deleting any files. You’ll also need to deactivate the plugin before you can delete the associated file.
Another great and risk-free option is to use Defender’s Safe Repair feature.
Click Safe Repair to automatically quarantine the file for a defined amount of time that you specify (30 days – one year).
FREE EBOOK
Your step-by-step roadmap to a profitable web dev business. From landing more clients to scaling like crazy.
FREE EBOOK
Plan, build, and launch your next WP site without a hitch. Our checklist makes the process easy and repeatable.
The advantage of this is it allows you to quickly repair your site and fix the issue instantly if it is the cause. The quarantine period also gives you ample time to properly investigate what happened.
Plus, if it turns out to be a false positive, you can easily restore the file. This saves you from accidentally deleting a critical file and preventing further damage to your site.
Once you’re sure that deleting the file is safe and necessary, you can securely do so from within the Quarantined tab.
And that’s it!
You’ve seen how easy and fast it is to identify and address suspicious files or code in the event of a hack or malware incident.
However, resolving critical issues promptly once they occur is one thing….
Preparing and protecting your sites against future attacks is another!
On that note, here are some ‘bonus tips’ to ensure your sites are well-prepared to deal with potential hacks or other issues should they reoccur.
BONUS TIPS: How To Configure Your Sites For Future Protection
Schedule Automated Site Scans
Another useful Defender Pro feature is the ability to run automated site scans.
This not only saves you from running scans manually, but also ensures your sites are checked more frequently for security issues without any hassle.
Scheduling scans can be set up via Malware Scanning > Settings. From there, all you need to do is enable scheduled scanning and set the frequency, day of the week, and time of day for the scans to run.
Enable Notifications of Suspicious Activity
After setting up automated scans, you should also set up notifications so that you can be alerted about scan results from wherever you are, saving you from having to manually check in.
Simply navigate to the Notifications section using the sidebar or from your main Defender dashboard.
Here you’ll find a number of different notification options to choose from.
In the case of detecting suspicious code, you would enable the Malware Scanning “Notification” and “Reporting” options.
Once selected, you can set up additional settings and configurations for each notification.
You also have the option to either add users directly or invite them via email.
Next, you can further configure notification settings to ensure you only receive notifications at appropriate times.
Additionally, you can set up custom email template messages for your clients to guarantee that the notifications they receive are to your liking and clear for the user.
Finding and Deleting Suspicious Code Just Got Easier With Defender
As you can see, suspicious code is no match for Defender and it really just takes no more than a few clicks to remove.
Beyond finding malicious code and the ability to delete it, Defender can stop SQL injections, prevent hackers from exploiting WordPress vulnerabilities, prevent PHP execution, and much more.
To discover more about WordPress security, check out our Ultimate Guide to WordPress Security. And for more information on how Defender works, be sure to view the plugin’s documentation.
Don’t have the time or resources to address malware or hacks yourself? Try our Expert Services!
We know that when a malware attack happens on a client site that you are managing, you may not have the time or resources to fix this yourself.
In this case, our Expert ‘done-for-you’ Services are another great option.
Because instead of worrying about security or malware attacks yourself, you can hire our experts at an affordable price to handle it for you. You can also easily resell these services to your clients without any additional charges from us.
Plus, we offer a full 7-day money-back guarantee. So, if we help resolve a hacked site and a problem reoccurs within seven days, we’ll return to fix it absolutely free of charge!
Learn more about our Expert Services here.
[Editor’s note: This post was originally published in July 2020 and updated in May 2024 for accuracy.]
