A WordPress malware infection can be a nightmare. And while everyone hopes it won’t happen to their website, we don’t have very reassuring news: it’s not a matter of ‘if’, it’s a matter of ‘when’. Software vulnerabilities are discovered every day, and each new version and update brings new ones. Meanwhile, malware attacks continue to multiply every year and the variants evolve by the minute.
You need to act promptly and proactively to contain the situation before your search rankings suffer and the malware spreads to other areas of the site.
- The first thing to do is to put your website into maintenance mode. That way visitors and SEO will not be impacted and you’ll be prepared to take the bull by the horns.
- The second thing to do is to fix the malware issue. That’s where this toolset comes into the picture.
We tested 11 malware removal plugins (and then some) that let you detect malware on your WordPress website. And we tested them on the basis of the following factors:
- Precision: How well does the plugin detect malware? Does it miss anything?
- Ease of Use: How easy is it to set up the plugin and understand the results?
When your website is infected, only the above two factors really matter. The rest is fluff. Each factor has a star rating.
This means that security plugins without malware detection capabilities do not qualify for malware detection and removal purposes, even though they may offer a plethora of other options and features such as brute-force protection, firewalls, etc. Those serve a different purpose.
Also, instead of just going by their advertised features, we installed each plugin on a test site with lots of plugins, uploads, etc. to get a real picture of how the plugins perform.
One common thing we noticed is that all the plugins we tested (except for one) have a set of file types that they ignore, commonly archives, images, etc.
This means that given a malicious file with a .jpg extension, it’s next to impossible for them to detect the hidden malware unless you force these plugins to scan every file. You may well think the site is clean while it continues to be infected and makes a mess of things.
Another classic example is cited in this case study of a hack where a rogue user registered on the site uploads suspicious PDFs: This hack will nearly kill your online business.
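As an added illustration of the exclusion problem described above (example code written for this page, not from the article or from any plugin tested), the following Python script walks an uploads directory with no extension exclusions at all, flags files whose header bytes do not match what their extension claims, and looks for PHP open tags and a few commonly abused functions regardless of extension. The uploads tree and sample files it scans are constructed inside a temp directory for the demo.

```python
import re
import tempfile
from pathlib import Path

# Header bytes for types that scanners commonly exclude (constructed list, not exhaustive).
MAGIC = {
    ".jpg": (b"\xff\xd8\xff",), ".jpeg": (b"\xff\xd8\xff",), ".png": (b"\x89PNG\r\n\x1a\n",),
    ".gif": (b"GIF87a", b"GIF89a"), ".ico": (b"\x00\x00\x01\x00",), ".pdf": (b"%PDF-",),
    ".gz": (b"\x1f\x8b",), ".zip": (b"PK\x03\x04",), ".bz2": (b"BZh",),
}
PHP_TAG = re.compile(rb"<\?(php\b|=)", re.I)
DANGEROUS = re.compile(rb"\b(eval|base64_decode|gzinflate|system|shell_exec)\s*\(", re.I)

def inspect_file(path):
    """Return findings for one file; an empty list means nothing suspicious."""
    path = Path(path)
    data = path.read_bytes()
    findings = []
    ext = path.suffix.lower()
    # The extension claims image/archive but the header disagrees: a renamed payload.
    if ext in MAGIC and not data.startswith(MAGIC[ext]):
        findings.append("magic-mismatch")
    # A PHP open tag has no place in an upload, whatever the extension says.
    if PHP_TAG.search(data):
        findings.append("php-tag")
    if DANGEROUS.search(data):
        findings.append("dangerous-call")
    return findings

def scan_tree(root):
    """Walk every file under root with no extension exclusions at all."""
    hits = {}
    for path in Path(root).rglob("*"):
        if path.is_file():
            found = inspect_file(path)
            if found:
                hits[path.relative_to(root).as_posix()] = found
    return hits

def demo():
    """Build a constructed uploads tree in a temp dir, scan it, and return the findings."""
    root = Path(tempfile.mkdtemp(prefix="uploads-"))
    samples = {  # constructed sample files, not content from any real site
        "photo.png": b"\x89PNG\r\n\x1a\n" + b"\x00" * 32,             # genuine PNG header
        "thumb.jpg": b"<?php eval(base64_decode('c2FtcGxl')); ?>",   # PHP renamed to .jpg
        "notes.txt": b"plain text, nothing to see here",
    }
    for name, body in samples.items():
        (root / name).write_bytes(body)
    return scan_tree(root)
```

Running demo() reports only the renamed .jpg; the genuine PNG and the text file produce no findings. Flagged files should be reviewed by hand rather than deleted automatically, which avoids the false-positive breakage the article warns about.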
The Best WordPress Malware Removal Plugins
1. Malcure Malware Scanner
Malcure Malware Scanner allows you to scan for as well as clean the malware. Its unique feature is that it scans all files, including fake images, fake binaries and even the database, so it’s able to detect malware hidden inside files renamed to .png, .ico, etc.
Malcure Test Results:
- It takes a little while to complete the scan but the results are thorough and give you the exact point of infection like the exact file and database record. It also scans post comments, revisions, options and post meta.
Ease of Use: ⭐⭐⭐⭐⭐
Recommendation: The most thorough malware scanner we tested.
2. Quttera Web Malware Scanner
Quttera was the most interesting of the entire lot. It offers external, internal and high-sensitivity scan options. It has reasonable detection and a relatively simple setup.
Quttera Test Results:
- Quttera failed to detect malware inside the exempted files. Quttera also gave several false-positives and failed to detect 6 out of 10 malicious files we had planted. Also it didn’t detect any database infections at all.
Ease of Use: ⭐⭐⭐⭐
Recommendation: Don’t trust the results.
3. Anti-Malware Security and Brute-Force Firewall
One of the best in this list, the plugin has minimal options and is easy to set up. The plugin supports one-click malware removal, which means that given a false positive, the end user may end up deleting legitimate files and breaking WordPress.
- It has excellent malware detection though it did miss malicious files renamed to .tar.bz2 or .jpg etc.
- It has entry-level protection from brute-force attacks and a limited firewall.
Ease of Use: ⭐⭐⭐⭐
Recommendation: If configured to scan all files, this works better than most other plugins here.
4. Wordfence Security – Firewall & Malware Scan
Wordfence is the most popular security plugin in the WordPress repository. Its main feature is the firewall, and that’s where it really shines. But it does also have malware scanning functionality.
Wordfence has comprehensive options which need to be tweaked to ensure complete detection.
Wordfence Test Results:
- Wordfence firewall is easy to circumvent.
- Wordfence only detects malicious URLs in an extremely limited set in the database.
- Missed 100% of the database infections that we had planted.
- Missed 100% of the file infections that we had planted.
- The scan also broke mid-way as one file threw a PHP notice.
- Supports one-click malware removal. However we see it as a security issue because the end user may end up deleting legitimate files flagged as false-positives.
Ease of Use: ⭐⭐⭐
Recommendation: As far as malware detection and removal is concerned, this most used WordPress security plugin is more about protection than cleanup.
WordPress Malware Removal Plugins — Honorable Mentions
We found that some extremely popular plugins didn’t fit the bill as far as malware detection is concerned. To give you a clear picture, we outline below what each plugin does and its specific use case.
The point is to help you avoid going in circles when you are struggling with a malware infection.
5. Security & Firewall – MalCare Security
We tested the free version of the MalCare plugin from the WordPress plugin repo. MalCare makes big promises, but it failed to detect even a single issue with the website. MalCare copies all of your WordPress files to its server and runs the scan there.
Even after we uninstalled the plugin, they kept pinging our test site trying to get in for whatever reason.
6. NinjaScanner – Virus & Malware scan
NinjaScanner has comprehensive options which need to be tweaked to ensure complete detection. However, the results are not easy to comprehend. The plugin does support malware removal; however, we see that as a security issue because the end user may end up deleting legitimate files. NinjaScanner also missed 7 of the 10 infected files we tested.
7. iThemes Security (formerly Better WP Security)
iThemes Security is intended for WordPress hardening and its primary purpose is not malware removal. If you want to lock down your site after a malware cleanup, this plugin comes in highly recommended.
8. Sucuri Security – Auditing, Malware Scanner and Security Hardening
Sucuri uses an external scanner to scan the website, which means the scanner ends up missing a lot of malware. It is also only able to list the infection rather than pinpoint its exact source, such as the database or a specific file. That said, it’s one of the best online website scanners around and doesn’t miss much if your infection shows up on the frontend of your website.
9. Cerber Security, Antispam & Malware Scan
Cerber has comprehensive settings; however, it throws more false positives and missed almost all infections. It is also quite difficult for new users to configure and to interpret its results.
10. BulletProof Security
Missed 100% of the infections we planted in the test site.
11. Exploit Scanner
In our experience using this plugin, it failed to fetch WordPress checksums and gave us 100% false positives.
About the Author: This article is contributed by James Richard. James is a freelance web security analyst and loves to work towards making a secure web.