Today I learned something completely new and, more importantly, something I never considered: a WordPress Malware Scan.

Let’s answer the question of “What is Malware?”

I think many of us have a pretty general idea that Malware is generally bad. More specifically, Malware is code someone has written with the intent to harm your computer or to steal personal information, such as financial information, passwords or information about others, in an effort to extend their reach. This type of malware tends to exploit operating system vulnerabilities.

Have you considered “What is Web-Malware?”

Web-Malware doesn’t necessarily differ in intent but rather in the platform through which it collects information. Some may think of it as Social Engineering. In the early 2000s we saw the fall of Web 1.0 static web pages and the rise of Web 2.0 dynamic web pages. Having dynamic web pages meant programmers could write server-side code in PHP, Java, ASP or ASP.NET to generate page content. It also meant the ability to write code that could run on the user’s computer, such as JavaScript or ActiveX components.

If the programmer was able to get the user to run their client-side code, they could extract information from that user’s computer. Similarly, with server-side code they could store information such as contact information, passwords, etc.

Recall me saying something about Social Engineering? Now that we have the ability to run custom code on a user’s computer, there is the art of getting someone to install and run this code. Hackers thrive on the idea that Web-Malware is “write once, run often.” As you can see, if a hacker could gain access to a highly active website and place malicious code that would run with every visit, they could gain a lot of information.

Immediate value in using a WordPress Malware Scan!

So back to what I learned today. I have always known about security scanning websites looking for vulnerabilities but never considered looking for malicious code. I have always had this sense of trust that the code I was responsible for was always clean and secure. I have taken for granted that the code I haven’t written is not malicious.

Turns out I was wrong and actually got a little slap on the wrist for it. In another business my wife and I own we use Indeed extensively, and they use Norton Safe Web to scan referring sites. I think you can see where this is going: yes, they found “suspicious code” on our site and actually blocked us. This is very bad for us, and what makes it so bad is the lack of notification. This meant we were down for a couple of days until the signs added up.

Unfortunately Norton doesn’t provide much detail beyond “your site has X number of threats.” I used the PCRisk.com Website Scanner. The only drawback is the inability to run repeated scans to test fixes.

Sitescan Report

Get an overview of clean versus suspicious files.
[Image: PCRisk Scan Overview]

Scanned Files Analysis

Check out files that are deemed a threat.
[Image: PCRisk Scanned Files Analysis]

Additional Information

Get details about iframes and external links.
[Image: PCRisk Additional Information]

Blacklisting Check

Have PhishTank, Google-SafeBrowsing or MalwareDomainList blacklisted you?
[Image: PCRisk Scan Blacklisting Check]

Looking at the Scanned Files Analysis above, I found that the JavaScript line “String.fromCharCode” is being inserted on every page by the addition of Emoji starting in WordPress v4.4. Note the _wpemojiSettings reference as the variable being set.
[Image: Emoji Settings JavaScript]
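A scanner hit on String.fromCharCode is a heuristic match, so it helps to see which inline script actually contains it before changing anything. The following is an added example, not code from the original post or from PCRisk: it separates hits inside the _wpemojiSettings block from hits that need manual review, and lists the iframes and off-site scripts of the kind the report sections above cover. The sample HTML, the host names and the names PageCollector and triage are constructed for illustration.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample: a core-style emoji loader plus one unexplained inline script.
SAMPLE_HTML = """<html><head>
<script>window._wpemojiSettings = {"baseUrl": "https://s.w.org/images/core/emoji/"};
!function(a){var d = String.fromCharCode(55356, 56806);}(window._wpemojiSettings);</script>
<script>var s = String.fromCharCode(104, 105);</script>
<script src="https://cdn.example.net/lib.js"></script>
</head><body><iframe src="https://ads.example.org/frame"></iframe></body></html>"""

FROM_CHAR_CODE = re.compile(r"String\.fromCharCode\s*\(")

class PageCollector(HTMLParser):
    """Collects inline script bodies, off-site script URLs and iframe sources."""
    def __init__(self, site_host):
        super().__init__()
        self.site_host = site_host
        self.buf = None  # list of text chunks while inside an inline <script>
        self.inline, self.external, self.iframes = [], [], []

    def handle_starttag(self, tag, attrs):
        src = dict(attrs).get("src")
        if tag == "script":
            self.buf = [] if src is None else None
            if src and urlparse(src).netloc not in ("", self.site_host):
                self.external.append(src)
        elif tag == "iframe" and src:
            self.iframes.append(src)

    def handle_data(self, data):
        if self.buf is not None:
            self.buf.append(data)

    def handle_endtag(self, tag):
        if tag == "script" and self.buf is not None:
            self.inline.append("".join(self.buf))
            self.buf = None

def triage(html, site_host):
    """Sort String.fromCharCode hits into the emoji loader vs. scripts needing review."""
    page = PageCollector(site_host)
    page.feed(html)
    page.close()
    report = {"core_emoji": 0, "review": [],
              "external_scripts": page.external, "iframes": page.iframes}
    for body in page.inline:
        if FROM_CHAR_CODE.search(body):
            if "_wpemojiSettings" in body:
                report["core_emoji"] += 1
            else:
                report["review"].append(body.strip()[:80])
    return report
```

The _wpemojiSettings marker only explains why a script was flagged; it does not prove the file is unmodified, which is checked against the official checksums (for example with WP-CLI's `wp core verify-checksums`).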

The solution is quite simple actually but does require that you have access to your theme’s functions.php file. Simply add these two lines to the end of the file and you’ll notice the suspect JavaScript has been removed.

After a rescan everyone is happy. Norton is happy and more importantly Indeed is happy.

Lesson learned: always take a moment to perform a WordPress malware scan on a site’s code before calling it complete.