It is important to detect malicious code in WordPress themes and plugins, and this is one reason you should not use nulled (pirated, cracked) ones: the people who distribute them are a real danger. Nor does the official WordPress repository deserve blind trust in these days of PRISM. A theme or plugin can also perform a URL hijack via a 302 redirect, much like the malicious method we described for Trackback.
Let us discuss some points on this topic. The topic itself has been discussed on Make.WordPress.org. Still, open source or free software is safer than closed-source software, because you can at least read the code, as we wrote in the article Cloud Computing Security Means Opting For Open Source.
Detect Malicious Code in WordPress Themes and Plugins
Frankly, injected exploit code is very hard to detect, even for advanced users. Plugins such as Exploit Scanner can automate the checking to a certain extent, but used alone they can miss quite serious blocks of code, so you should combine two or three methods. One is Sucuri's website scanner; another is VirusTotal:
https://www.virustotal.com/en/
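As an added example (not code from this article, nor from Exploit Scanner, TAC, Sucuri or VirusTotal), here is the kind of heuristic check these scanners perform, written as a stand-alone Python script. It walks a theme or plugin directory, looks for constructs that commonly appear in injected or nulled code (eval/gzinflate/base64_decode chains, preg_replace with the e modifier, hidden iframes, redirects keyed off the referrer or user-agent, which is the 302 hijack pattern mentioned above, and outbound calls to hard-coded URLs), and ranks files by a score. The pattern weights and the three sample plugin files are constructed for the demonstration. A hit is a lead for manual reading, not proof: the sample "good" plugin scores too, because it calls base64_decode for a legitimate reason.

```python
"""Heuristic scanner for WordPress theme/plugin PHP sources (added example).

Not code from the article or from any scanner it names. Weights and sample
files are constructed for the demo; a hit means "read this file", not "malware".
"""
import os
import re
import tempfile

# (name, regex, weight). The weights are a hypothetical ranking, not a standard.
PATTERNS = [
    ("eval",            re.compile(r"\beval\s*\("), 3),
    ("decode_chain",    re.compile(r"(base64_decode|gzinflate|gzuncompress|str_rot13)\s*\(", re.I), 2),
    # preg_replace whose pattern carries the /e modifier (code execution in old PHP)
    ("preg_replace_e",  re.compile(r"preg_replace\s*\(\s*['\"][^'\"]*/[A-Za-z]*e[A-Za-z]*['\"]"), 3),
    ("create_function", re.compile(r"\bcreate_function\s*\("), 2),
    ("dynamic_call",    re.compile(r"\$\w+\s*\(\s*\$"), 1),                       # $f($arg)
    ("redirect",        re.compile(r"(header\s*\(\s*['\"]Location:|wp_redirect\s*\()", re.I), 1),
    ("ua_or_referer",   re.compile(r"\$_SERVER\s*\[\s*['\"]HTTP_(USER_AGENT|REFERER)['\"]\s*\]"), 1),
    ("hidden_iframe",   re.compile(r"<iframe[^>]*(display\s*:\s*none|width\s*=\s*['\"]?0)", re.I), 3),
    ("phone_home",      re.compile(r"(wp_remote_(get|post)|curl_init|file_get_contents)\s*\(\s*['\"]https?://", re.I), 1),
    ("long_base64",     re.compile(r"['\"][A-Za-z0-9+/]{200,}={0,2}['\"]"), 2),
]
SKIP_DIRS = {"node_modules", ".git"}


def scan_source(text):
    """Return {pattern_name: hit_count} for one PHP source string."""
    hits = {}
    for name, rx, _weight in PATTERNS:
        n = len(rx.findall(text))
        if n:
            hits[name] = n
    return hits


def score(hits):
    """Weighted sum of hits; a redirect conditioned on referrer/user-agent gets a bonus,
    because that combination is the classic search-engine 302 hijack."""
    weights = {name: w for name, _rx, w in PATTERNS}
    total = sum(weights[name] * count for name, count in hits.items())
    if "redirect" in hits and "ua_or_referer" in hits:
        total += 3
    return total


def scan_tree(root):
    """Scan every .php file under root; return [(relative_path, score, hits)] sorted by score desc."""
    results = []
    for dirpath, dirnames, filenames in os.walk(root):
        dirnames[:] = [d for d in dirnames if d not in SKIP_DIRS]
        for fn in filenames:
            if not fn.endswith(".php"):
                continue
            path = os.path.join(dirpath, fn)
            with open(path, encoding="utf-8", errors="replace") as f:
                hits = scan_source(f.read())
            if hits:
                rel = os.path.relpath(path, root).replace(os.sep, "/")
                results.append((rel, score(hits), hits))
    results.sort(key=lambda r: (-r[1], r[0]))
    return results


# Constructed sample files: one benign plugin, one nulled theme with two injections.
SAMPLE_FILES = {
    "good-plugin/good-plugin.php": (
        "<?php\n/* Plugin Name: Good Plugin (constructed sample) */\n"
        "function gp_shortcode($atts) {\n"
        "    $data = base64_decode($atts['payload']);   // legitimate use, low score\n"
        "    return esc_html($data);\n}\n"
        "add_shortcode('gp', 'gp_shortcode');\n"
    ),
    "nulled-theme/footer.php": (
        "<?php\neval(gzinflate(base64_decode('" + "A" * 220 + "==')));\n"
    ),
    "nulled-theme/functions.php": (
        "<?php\nif (strpos($_SERVER['HTTP_REFERER'], 'google.') !== false) {\n"
        "    header('Location: http://example.invalid/landing', true, 302);\n"
        "    exit;\n}\n"
    ),
}


def demo():
    """Write the constructed samples to a temp dir and scan them."""
    with tempfile.TemporaryDirectory() as root:
        for rel, content in SAMPLE_FILES.items():
            path = os.path.join(root, *rel.split("/"))
            os.makedirs(os.path.dirname(path), exist_ok=True)
            with open(path, "w", encoding="utf-8") as f:
                f.write(content)
        return scan_tree(root)


if __name__ == "__main__":
    for rel, s, hits in demo():
        print(f"{s:3d}  {rel}  {hits}")
```

Point scan_tree at wp-content/themes and wp-content/plugins; the ranking tells you which files to open first. Because the script only reads source text, it says nothing about code fetched at runtime, which is one reason it has to be combined with the other methods above.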
On the official plugin repository you will find a good plugin named Theme Authenticity Checker (TAC). Keep in mind that a scanner hit does not by itself mean the code is a threat, and a clean result does not mean the site is safe: an Ajax or JavaScript payload can be fetched on demand at runtime, and a good plugin can be turned into malware later, for instance by a bad plugin modifying it. Akismet is probably the most common target of the hackers. Some tips can help:
- Do not use a nulled plugin or theme unless you are able to check its code yourself (and here we are not even considering the legal side).
- Paid themes or plugins have malware-like behaviour by default: they check the validity of your licence via an API call to the vendor's server. This phone-home channel can be dangerous.
- Plugins loaded with hundreds of affiliate links, like W3 Total Cache, should be avoided. It was good once, many months ago. WP Super Cache is maintained by Automattic, the company behind Akismet. You can also use Batcache, Memcache and other plugins. Too much popularity probably opens the mind to making money.
- Always check all the code if possible; better still, modify it into your own version of the plugin.
- I am suspicious of a related posts plugin and a WordPress SEO plugin; they have API-based checking functions.
- Over time, it is important to rely on your own resources as much as possible.
- Do not trust Google's scripts. Avoid Google Fonts: it is a collaboration between two closed-source brands, and Adobe is well known for its spying activities.
- Many good WordPress developers are uploading their plugins to GitHub. This is a good move, as it makes checking the source code easier.
- Clean your MySQL database regularly.
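The tip about checking all the code (and keeping your own version of it), together with the warning above that a good plugin can be silently turned into a bad one, is easiest to act on with a file-integrity baseline. The following is an added example, not code from this article or from any plugin it names, written in Python: it records a SHA-256 manifest of a plugin directory once you have read the code, and later reports files that were added, removed or modified. The plugin name my-plugin, its files and the simulated tampering are constructed for the demonstration.

```python
"""File-integrity baseline for a WordPress plugin/theme directory (added example).

Not code from the article. Plugin name, files and tampering are constructed.
"""
import hashlib
import json
import os
import tempfile


def file_sha256(path):
    """SHA-256 of a file, read in chunks so large assets do not load into memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root):
    """Return {relative_path: sha256} for every regular file under root."""
    manifest = {}
    for dirpath, _dirs, files in os.walk(root):
        for fn in files:
            full = os.path.join(dirpath, fn)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            manifest[rel] = file_sha256(full)
    return manifest


def save_manifest(manifest, path):
    with open(path, "w", encoding="utf-8") as f:
        json.dump(manifest, f, indent=2, sort_keys=True)


def load_manifest(path):
    with open(path, encoding="utf-8") as f:
        return json.load(f)


def compare(baseline, current):
    """Diff two manifests: sorted lists of added, removed and modified paths."""
    base_paths, cur_paths = set(baseline), set(current)
    return {
        "added": sorted(cur_paths - base_paths),
        "removed": sorted(base_paths - cur_paths),
        "modified": sorted(p for p in base_paths & cur_paths if baseline[p] != current[p]),
    }


def _write(root, rel, text, mode="w"):
    """Helper for the demo: write (or append) a file below root, creating dirs."""
    path = os.path.join(root, *rel.split("/"))
    os.makedirs(os.path.dirname(path), exist_ok=True)
    with open(path, mode, encoding="utf-8") as f:
        f.write(text)


def demo():
    """Baseline a constructed plugin, tamper with it, and report the differences."""
    with tempfile.TemporaryDirectory() as tmp:
        plugin = os.path.join(tmp, "wp-content", "plugins", "my-plugin")
        _write(plugin, "my-plugin.php",
               "<?php\n/* Plugin Name: My Plugin (constructed sample) */\nadd_action('init', 'mp_init');\n")
        _write(plugin, "includes/helpers.php", "<?php\nfunction mp_init() { /* nothing yet */ }\n")

        # The baseline lives outside the plugin tree (see the note below the code).
        baseline_path = os.path.join(tmp, "my-plugin.baseline.json")
        save_manifest(build_manifest(plugin), baseline_path)

        # Simulated tampering: a line appended to an existing file, plus a dropped
        # file whose name is chosen to look like part of the plugin.
        _write(plugin, "my-plugin.php", "\n// injected line\n", mode="a")
        _write(plugin, "includes/cache-helper.php", "<?php\n// dropped file\n")

        return compare(load_manifest(baseline_path), build_manifest(plugin))


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

Keep the manifest outside wp-content, ideally off the server or at least not writable by the web server user: an attacker who can edit the plugin can just as easily rewrite a manifest stored next to it. For a plugin from the official repository, a fresh copy of the same version unpacked on your workstation is a good baseline to compare against the live tree, and the comparison should be re-run after every update.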