I’ve just released version 0.95 of WordPress Exploit Scanner.
This release fixes a number of bugs and makes it easier to scan for exploits and read the results.
I’ve added an “Exploits” scan level which looks for obvious code that hackers use. It will return a few false positives, but it’s a good first scan to try if you suspect your website has been hacked. You can then use the “Blocker” and “Severe” levels to scan for ever more suspect strings.
Scans are now done 50 files at a time, with the page reloading after each batch. The scan results are saved in the database (in your options table as not-autoloaded records, to minimize load on your blog), and you can open another browser window or tab on the Exploit Scanner admin page to view the saved results even before the scan is completed.
MD5 hash records for WordPress 2.9.2 have been added, and the hash records for 2.9.1 were corrected.
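An added example, written for this page in standalone Python rather than taken from the plugin's PHP, showing the two mechanisms described above: a scan that handles a fixed batch of files per call and persists its progress between calls, and a comparison of each file's MD5 against a manifest of known-good hashes. The manifest here is built from constructed sample files; the real plugin ships hash records per WordPress version. The JSON state file (standing in for the not-autoloaded option rows), the sample file names and the "unknown"/"modified" labels are all assumptions.

```python
"""Batched, resumable integrity check of site files against an MD5 manifest.

Standalone Python illustration, not the plugin's PHP.  Each call to
scan_batch() handles batch_size files and writes its progress to a JSON
state file (assumed stand-in for the plugin's not-autoloaded option rows),
so a fresh call, i.e. a page reload, picks up where the previous one stopped.
"""
import hashlib
import json
import os
import tempfile

BATCH_SIZE = 50  # the plugin's batch size per page load


def list_files(root):
    """Sorted relative paths under root.  os.walk is iterative, so only the
    path list is held in memory, not a recursion frame per directory."""
    paths = []
    for dirpath, dirnames, filenames in os.walk(root):
        dirnames.sort()
        for name in sorted(filenames):
            rel = os.path.relpath(os.path.join(dirpath, name), root)
            paths.append(rel.replace(os.sep, "/"))
    return paths


def md5_of(path):
    h = hashlib.md5()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def load_state(state_path):
    if os.path.exists(state_path):
        with open(state_path) as f:
            return json.load(f)
    return {"offset": 0, "findings": [], "done": False}


def scan_batch(root, manifest, state_path, batch_size=BATCH_SIZE):
    """Check one batch of files and persist the updated state."""
    state = load_state(state_path)
    files = list_files(root)  # recomputed per call; stable while the tree is unchanged
    start = state["offset"]
    for rel in files[start:start + batch_size]:
        expected = manifest.get(rel)
        if expected is None:
            state["findings"].append({"file": rel, "status": "unknown"})   # not in the manifest
        elif expected != md5_of(os.path.join(root, rel)):
            state["findings"].append({"file": rel, "status": "modified"})  # core file altered
    state["offset"] = min(start + batch_size, len(files))
    state["done"] = state["offset"] >= len(files)
    with open(state_path, "w") as f:
        json.dump(state, f)
    return state


def run_full_scan(root, manifest, state_path, batch_size=BATCH_SIZE):
    """Drive scan_batch() until done, simulating the repeated page reloads."""
    if os.path.exists(state_path):
        os.remove(state_path)
    reloads = 0
    while True:
        state = scan_batch(root, manifest, state_path, batch_size)
        reloads += 1
        if state["done"]:
            return state, reloads


def build_demo_site():
    """Constructed sample: three 'core' files with a manifest built from their
    clean contents, then one core file altered and one unknown file dropped in."""
    root = tempfile.mkdtemp(prefix="wpscan_")
    core = {
        "index.php": b"<?php require('./wp-blog-header.php');\n",
        "wp-admin/admin.php": b"<?php /* admin */\n",
        "wp-includes/version.php": b"<?php $wp_version = '2.9.2';\n",
    }
    manifest = {}
    for rel, content in core.items():
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "wb") as f:
            f.write(content)
        manifest[rel] = hashlib.md5(content).hexdigest()
    with open(os.path.join(root, "index.php"), "ab") as f:
        f.write(b"<?php /* injected */ ?>\n")
    with open(os.path.join(root, "wp-includes", "cache.old.php"), "wb") as f:
        f.write(b"<?php /* not a core file */\n")
    return root, manifest


def demo(batch_size=2):
    """Scan the sample site in batches of two; returns (state, reloads, manifest)."""
    root, manifest = build_demo_site()
    state, reloads = run_full_scan(root, manifest, root + ".state.json", batch_size)
    return state, reloads, manifest
```

On the sample site the scan takes two batches and reports `index.php` as modified and `wp-includes/cache.old.php` as unknown. A modified core file is the strong signal; an unknown file is only worth a look, since plugins, themes and uploads are never in the core manifest. The state is written after every batch, which is what lets a second browser tab read partial results while the scan is still running.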
In other news I’m looking for testers to try out the almost ready WordPress MU 2.9.2. More details are on the forum thread above.
The WordPress Exploit Scanner has been updated, with lots of help from Jon and Ryan.
In recent weeks blogs running older versions of WordPress were exploited. If you’re concerned that your blog might have been broken into, download the plugin and run it. It will find false positive results but it will do a reasonably good job of finding the code that’s inserted into a hacked site.
The plugin works by scanning every directory on your site. This is done recursively, which unfortunately takes up quite a bit of memory. If you get an out-of-memory error, please read the readme.txt, as it has a suggestion for fixing the problem.
PS. WordPress 2.8.5 was released last night. Make sure you upgrade! A WordPress MU release will follow shortly.
My previous post about hacked WordPress sites caused Donnacha to ask,
After your last post on this subject, I was thinking that it would be a good idea for Automattic to create a plugin that carries out all the checks you suggested people do to find out if they’ve been hacked…
At the time I wasn’t too optimistic about it but after thinking about the idea for a few days I came up with the WordPress Exploit Scanner which does most of what Donnacha wanted.
This WordPress plugin searches the files on your site for a few known strings sometimes used by hackers, and lists them with code fragments taken from the files. It also makes a few checks of the database, looking at the active_plugins blog option, the comments table, and the posts table.
It also allows the blog owner to search for whatever string they like which could come in handy when new exploit code is used in a hack.
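An added example, standalone Python written for this page rather than the plugin's own PHP, of the checks just described: searching files for suspect strings at a chosen scan level and reporting a code fragment around each match, running the same patterns over post and comment content, pulling apart the serialized active_plugins option, and accepting a user-supplied literal string as an extra pattern. The pattern sets, the cumulative meaning of the scan levels, the rule for what an active_plugins entry should look like, and the sample tree and SQLite tables are all constructed assumptions.

```python
"""Suspect-string scan with code fragments, plus the database checks.

Standalone Python illustration, not the plugin's PHP.  Scan levels are
ordered pattern sets (cumulative here, an assumption), each hit carries a
fragment around the match, and the same matcher runs over files, over rows
of an in-memory SQLite stand-in for wp_posts / wp_comments, and over the
PHP-serialized active_plugins option.
"""
import os
import re
import sqlite3
import tempfile

# Constructed pattern sets: "exploits" is the obvious stuff, later levels add
# broader patterns that catch more but also flag legitimate code.
LEVELS = [
    ("exploits", [r"eval\s*\(\s*base64_decode\s*\(", r"gzinflate\s*\(\s*base64_decode\s*\("]),
    ("blocker", [r"base64_decode\s*\(", r"preg_replace\s*\(\s*['\"][^'\"]*/e['\"]"]),
    ("severe", [r"\beval\s*\(", r"<iframe\b[^>]*display\s*:\s*none"]),
]
CONTEXT = 40  # characters kept either side of a match


def patterns_for(level, extra=()):
    """Patterns up to and including `level`, plus literal user-supplied strings."""
    out = []
    for name, pats in LEVELS:
        out.extend((p, re.compile(p, re.I)) for p in pats)
        if name == level:
            break
    else:
        raise ValueError(f"unknown scan level {level!r}")
    out.extend((s, re.compile(re.escape(s))) for s in extra)
    return out


def scan_text(text, source, patterns):
    hits = []
    for label, rx in patterns:
        for m in rx.finditer(text):
            lo, hi = max(0, m.start() - CONTEXT), min(len(text), m.end() + CONTEXT)
            hits.append({"source": source, "pattern": label,
                         "fragment": text[lo:hi].replace("\n", " ")})
    return hits


def scan_files(root, level, extra=()):
    patterns, hits = patterns_for(level, extra), []
    for dirpath, dirnames, filenames in os.walk(root):
        dirnames.sort()
        for name in sorted(filenames):
            path = os.path.join(dirpath, name)
            rel = os.path.relpath(path, root).replace(os.sep, "/")
            with open(path, encoding="utf-8", errors="replace") as f:
                hits.extend(scan_text(f.read(), rel, patterns))
    return hits


def scan_database(conn, level, extra=()):
    patterns, hits = patterns_for(level, extra), []
    for table, col in (("wp_posts", "post_content"), ("wp_comments", "comment_content")):
        for rowid, content in conn.execute(f"SELECT id, {col} FROM {table}"):  # constants, not input
            hits.extend(scan_text(content, f"{table}#{rowid}", patterns))
    return hits


def check_active_plugins(conn):
    """Return (all entries, suspicious entries) from the serialized array.
    Assumed rule: an entry is 'dir/file.php' or 'file.php'; anything with
    '..', a leading slash or another suffix is flagged."""
    (raw,) = conn.execute(
        "SELECT option_value FROM wp_options WHERE option_name = 'active_plugins'").fetchone()
    entries = re.findall(r's:\d+:"([^"]*)"', raw)
    bad = [e for e in entries if not re.fullmatch(r"[\w-][\w.-]*(/[\w-][\w.-]*)?\.php", e)]
    return entries, bad


def build_demo_tree():
    """Constructed site tree: one clean template, one with injected code."""
    root = tempfile.mkdtemp(prefix="wpscan_")
    theme = os.path.join(root, "wp-content", "themes", "demo")
    os.makedirs(theme)
    with open(os.path.join(theme, "header.php"), "w") as f:
        f.write('<?php wp_head(); ?>\n')
    with open(os.path.join(theme, "footer.php"), "w") as f:
        f.write('<?php wp_footer(); ?>\n<?php eval(base64_decode("aGVsbG8=")); ?>\n')
    return root


def build_demo_db():
    """Constructed in-memory stand-in for the three tables the plugin checks."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE wp_options (option_name TEXT, option_value TEXT);
        CREATE TABLE wp_posts (id INTEGER, post_content TEXT);
        CREATE TABLE wp_comments (id INTEGER, comment_content TEXT);
        INSERT INTO wp_options VALUES ('active_plugins',
          'a:2:{i:0;s:19:"akismet/akismet.php";i:1;s:30:"../../wp-content/uploads/x.php";}');
        INSERT INTO wp_posts VALUES (1, 'Hello world!');
        INSERT INTO wp_posts VALUES (2,
          'Welcome.<iframe src="http://example.invalid/" style="display:none"></iframe>');
        INSERT INTO wp_comments VALUES (1,
          'Nice post <iframe style="display: none" src="http://example.invalid/"></iframe>');
    """)
    return conn


def demo(level="exploits", extra=()):
    root, conn = build_demo_tree(), build_demo_db()
    return {"files": scan_files(root, level, extra),
            "database": scan_database(conn, level, extra),
            "active_plugins": check_active_plugins(conn)}
```

Run against the sample data, the "exploits" level reports one file hit (the `eval(base64_decode(` in footer.php) and nothing from the database; the "severe" level reports three hits on the same footer line, because the broader `base64_decode(` and `eval(` patterns now also fire, plus the hidden iframes in the post and the comment. That growth in overlapping hits is the trade-off behind starting with the narrow level. The active_plugins check flags the entry that climbs out of the plugins directory.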
You must be running WordPress 2.5.1 or higher to use this plugin. There’s not much point in finding exploited files if you’re running an old version of the software that can be broken into again.
Download the plugin from here: WordPress Exploit Scanner
Thanks to those who tested the plugin, especially Cathal Garvey who provided some great feedback!