Detect Malware and Malicious in WordPress Themes
The first step in discovering hidden malware or malicious code in your WordPress theme is to check if the files contained in the theme are all required in the WordPress theme. WordPress theme has some basic files required and may have additional files that are in a folder called include, images, and JS if any file has not been called in the functions.php file, it should be your first suspect. There are also a number of issues that can lead you to suspect your theme or website has been infected with the malware:
White screen of death: When your site shows a sudden white screen of death, you should suspect there is a possibility of malware infection or malicious code in your website.
Malware Warning: Warning from the malware site and it should be displayed on your site either blocking your site entirely or partially.
WordPress .htaccess hijack: Your .htaccess has been high jacked and the site keeps redirecting to sites that you don’t understand, at times the redirect is to Google search.
Popup ads and redirects: Several popup ads all over the site that keep redirecting to more popups when you click on the close button.
If you have experienced these issues there is a high likelihood that your website has been infected and possibly your theme. I would like to narrow down to WordPress themes malware infection and injection of malicious code and how to get rid of it.
Reasons why WordPress theme is infected by Malware
When you are downloading and installing WordPress themes you should be very cautious not to download and install a WordPress theme from unknown sources, pirate websites or nulled themes websites. The danger of downloading and installing themes from these sites far outweigh the benefits of using such a theme.
I would recommend you always install themes from the WordPress repository. Make sure you install themes like evolve whose authors are reputable.
Most infected themes that have malicious code or malware are always obtained outside the WordPress repository or outside a reputable marketplace like Themeforest. These themes are infected since they are manipulated by hackers with the intention of stealing your data.
I cannot overemphasize the need to install only those WordPress themes whose authors you can trust. Most theme hackers want to create a secret backlink to their site, get access to your blog, redirect your site to spam blogs, add advertisements banners to your site and worse bring your site down!
How to Detect Malicious Code in WordPress Themes
Scanning WordPress Themes before Installation
The first step when scanning for malware in WordPress themes is to scan the zip file before you can even install it on your WordPress site. When I download a WordPress theme and want to scan it for malware before install, I go to Virus Total which is a very useful scanning tool. I upload and analyze the zip for any malware or malicious code:
Scanning Installed WordPress Themes
The fastest and easiest way to detect malware and malicious code in already installed WordPress themes is to use a plugin called TAC, a theme authenticity checker. This plugin is priceless since it is able to scan your site and point out the location of malicious code making it easier for you to remove this code.
The first step to detecting malware and malicious code in your WordPress theme is to download and install this plugin Theme Authenticity Checker (TAC)
How to Scan a WordPress Theme for Malicious Code with TAC
After downloading and installing this plugin you should go to Dashboard > Appearance > TAC and will see a list of WordPress themes with the warnings highlighted in red for those that contain malicious code if your theme is ok you see the message against the theme:
Testing for Malicious Code in WordPress Themes
I would illustrate by installing some malicious code in one of the installed WordPress themes and we'll see what happens when TAC scans again. I have added malicious encrypted code in the footer of the Twentysixteen theme as shown below:
After adding this malicious code in this theme, I go back to TAC to check if it has been detected and look at the details for this malicious code:
As you can see from the scan, already we can see that this Twentysixteen theme has some encrypted code. This makes TAC a very effective plugin for detecting malicious code in WordPress themes.
For you to determine where the malicious code is located you need to click on the Details button and look at the file and line of code that has this malicious code:
Since we have located the file and the line of code where the encrypted code is located, we can navigate to that file and clean up the file. After cleaning up the code, you can now test to see if the theme is clean:
After cleaning this theme we can now see that it is devoid of any malicious code or links.
Conclusion
Just as we have seen in this tutorial, WordPress themes can have injected malicious code that can harm or steal your information. It helps to stop and think about the source before you install that WordPress theme.
If you would like to have a surefire way to keep malware and malicious code in WordPress themes, the first step is installing themes you can trust. You can install our free WordPress themes since they have been tried and tested by thousands of clients.
Secondly, you need to scan WordPress themes that you suspect might be infected with malware or malicious code. I hope this article is an eye-opener to you, please take time to share your experience, ask any question regarding this topic or leave a compliment in the comments section below.
Cant believe no mention of GOTLMS plugin for WordPress. Singly the best malware detection and removal plugin for WordPress. Yes hardening the site security to prevent infection is super important but I swear by running these scans every few weeks. Yet to see an infection on my sites but working for a Web Hosting company I use this plugin almost daily.
TAC is outdated by years to the point that WordPress no longer allows you to install it through the typical install new plugin search, do you have any better suggestions?
I installed the plugin through search just fine.