
Kvnbbg/wp-malware-scanner


WP Malware Scanner

Lightweight PHP scanner for suspicious patterns in WordPress databases, focused on wp_options. This tool does not clean malware—it flags risky patterns so you can investigate safely.

Scope & Threat Model

  • Scope: Reads selected option values (default: wp_options) and matches curated regex rules.
  • Threat model: Detects common webshell/obfuscation signatures, not complete malware eradication.
  • Safety: Read-only access; no writes or deletions.

Safe Usage (Required)

  1. Run locally or on staging with read-only DB credentials.
  2. Export results (JSON/table) for review.
  3. Delete the scanner immediately after use.

✅ Strict guidance: remove the scanner files after every scan. Never keep this tool deployed.

Modes

  • CLI (recommended): predictable output, exit codes, JSON export.
  • Web UI (temporary): local-only page for one-off scans.

Prerequisites

  • PHP 8.1+ with PDO MySQL
  • Composer
  • WordPress database credentials (read-only)

Install

composer install
cp .env.example .env

Edit .env with your DB credentials.

Configuration (.env)

Key settings:

  • DB_HOST, DB_PORT, DB_USER, DB_PASS, DB_NAME
  • WP_TABLE (default: wp_options)
  • OPTION_NAMES (comma-separated)
  • OUTPUT_FORMAT (table or json)
  • WEB_ALLOW_REMOTE (default: false)

CLI Usage

php bin/scan.php

Examples:

php bin/scan.php --format=json --output=scan.json
php bin/scan.php --format=table

Exit codes:

  • 0 no suspicious patterns
  • 1 suspicious patterns found
  • 2 execution error
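
A wrapper for the CLI run above, as an added example that is not part of the project: it maps the documented exit codes (0, 1, 2) to a verdict, keeps the JSON report outside the scanner directory, and deletes the scanner once the scan has run. `PHP_BIN` and the function names are hypothetical, and it assumes `--output` accepts an absolute path.

```shell
#!/bin/sh
# Added example, not the project's code. Assumptions: --output accepts an
# absolute path; PHP_BIN (hypothetical variable) may override the php binary.

# Map the documented exit codes to a verdict; unknown codes count as errors.
classify_exit() {
  case "$1" in
    0) echo clean ;;
    1) echo suspicious ;;
    *) echo error ;;
  esac
}

# scan_and_remove SCANNER_DIR ABSOLUTE_REPORT_PATH
# Prints the verdict on stdout and returns the scanner's exit code.
# The body runs in a subshell so cd and variables do not leak to the caller.
scan_and_remove() (
  dir=$(cd "$1" 2>/dev/null && pwd) || { echo error; exit 2; }
  report=$2
  # Refuse to touch a directory that does not look like the scanner.
  [ -f "$dir/bin/scan.php" ] || { echo error; exit 2; }
  case "$report" in
    "$dir"/*) echo error; exit 2 ;;  # report would be deleted with the scanner
    /*) ;;                           # absolute path outside the scanner: ok
    *) echo error; exit 2 ;;         # relative paths are ambiguous after cd
  esac
  rc=0
  # Scanner output goes to stderr so stdout carries only the verdict.
  ( cd "$dir" && "${PHP_BIN:-php}" bin/scan.php --format=json --output="$report" ) >&2 || rc=$?
  # Remove the scanner (and its .env) whatever the scan returned.
  cd / && rm -rf -- "$dir"
  # A "clean" exit without a report means nothing was verifiably scanned.
  if [ "$rc" -eq 0 ] && [ ! -s "$report" ]; then rc=2; fi
  classify_exit "$rc"
  exit "$rc"
)
```

Treat `error` the same as `suspicious` when deciding whether a site is cleared: only exit code 0 with a non-empty report counts as a clean scan.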

Web (Temporary Local-Only)

php -S 0.0.0.0:8080 -t public

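Then open http://127.0.0.1:8080. Remote access is blocked unless WEB_ALLOW_REMOTE=true. Because 0.0.0.0 makes the PHP built-in server listen on every interface, the listener itself is reachable from the network and the block depends on that setting staying false; bind to 127.0.0.1 instead when only the local machine needs to reach the UI.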

For a simpler startup (and for containerized screenshot tools), use:

bin/serve-ui.sh

Remove the public/ directory (or the whole project) after scanning.

Output Formats

  • Table: human-readable ASCII table
  • JSON: structured export for incident response

What It Does (And Doesn’t)

✅ Scans suspicious patterns (e.g., eval, <script>, base64_decode) in known option keys.

❌ Does not disinfect files, detect every attack, or fix WordPress.

Troubleshooting

  • No results but still compromised? Add option names or broaden rules.
  • DB errors: verify .env, confirm DB user has read-only access.
  • Remote UI blocked: expected for safety—use CLI or localhost.

Security Disclaimer

This tool identifies suspicious patterns only. Always perform a full incident response and restore from clean backups when in doubt.

Remove After Scan (Non-Optional)

Delete the scanner files immediately after scanning:

rm -rf wp-malware-scanner

MIT License

About

Deploy: https://kvnbbg-wp-malware-scanner.up.railway.app. Scan for hidden malware, detecting common malicious code patterns, and more fun!🦠
