
Deploy: https://kvnbbg-wp-malware-scanner.up.railway.app. Scan for hidden malware, detecting common malicious code patterns, and more fun! 🦠


Kvnbbg/wp-malware-scanner


WP Malware Scanner

Lightweight PHP scanner for suspicious patterns in WordPress databases, focused on wp_options. This tool does not clean malware; it flags risky patterns so you can investigate safely.

Scope & Threat Model

  • Scope: Reads selected option values (default: wp_options) and matches curated regex rules.
  • Threat model: Detects common webshell/obfuscation signatures, not complete malware eradication.
  • Safety: Read-only access; no writes or deletions.

Safe Usage (Required)

  1. Run locally or on staging with read-only DB credentials.
  2. Export results (JSON/table) for review.
  3. Delete the scanner immediately after use.

✅ Strict guidance: remove the scanner files after every scan. Never keep this tool deployed.

Modes

  • CLI (recommended): predictable output, exit codes, JSON export.
  • Web UI (temporary): local-only page for one-off scans.

Prerequisites

  • PHP 8.1+ with PDO MySQL
  • Composer
  • WordPress database credentials (read-only)

Install

composer install
cp .env.example .env

Edit .env with your DB credentials.

Vercel Deployment (Community PHP Runtime)

⚠️ Safety reminder: this scanner is intended for local or staging use only. Avoid deploying with real credentials unless you have a secure, isolated environment.

Minimal structure for a Vercel PHP deploy:

project/
├── api/
│   └── index.php
├── composer.json
├── vercel.json
└── .vercelignore

vercel.json should point Vercel at the community PHP runtime:

{
  "version": 2,
  "functions": {
    "api/*.php": {
      "runtime": "vercel-php@0.7.4"
    }
  }
}

.vercelignore keeps vendor/ out of the upload so Vercel installs dependencies during build:

/vendor

The sample api/index.php in this repo returns a JSON status response so you can validate the runtime is working.

Configuration (.env)

Key settings:

  • DB_HOST, DB_PORT, DB_USER, DB_PASS, DB_NAME
  • WP_TABLE (default: wp_options)
  • OPTION_NAMES (comma-separated)
  • OUTPUT_FORMAT (table or json)
  • WEB_ALLOW_REMOTE (default: false)

CLI Usage

php bin/scan.php

Examples:

php bin/scan.php --format=json --output=scan.json
php bin/scan.php --format=table

Exit codes:

  • 0 no suspicious patterns
  • 1 suspicious patterns found
  • 2 execution error

Web (Temporary Local-Only)

php -S 0.0.0.0:8080 -t public

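Then open http://127.0.0.1:8080. Remote access is blocked unless WEB_ALLOW_REMOTE=true. Note that 0.0.0.0 makes PHP's built-in server listen on every network interface; binding to 127.0.0.1:8080 instead keeps the listener itself on loopback.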

For a simpler startup (and for containerized screenshot tools), use:

bin/serve-ui.sh

Remove the public/ directory (or the whole project) after scanning.

Output Formats

  • Table: human-readable ASCII table
  • JSON: structured export for incident response

Documentation

What It Does (And Doesn't)

✅ Scans suspicious patterns (e.g., eval, <script>, base64_decode) in known option keys.

❌ Does not disinfect files, detect every attack, or fix WordPress.

Troubleshooting

  • No results but still compromised? Add option names or broaden rules.
  • DB errors: verify .env, confirm DB user has read-only access.
  • Remote UI blocked: expected for safety. Use CLI or localhost.

Security Disclaimer

This tool identifies suspicious patterns only. Always perform a full incident response and restore from clean backups when in doubt.

Remove After Scan (Non-Optional)

Delete the scanner files immediately after scanning:

rm -rf wp-malware-scanner
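
The documented exit codes, JSON export and removal step can be tied together in one POSIX shell wrapper. This is an added example, not part of this repository: it uses only the CLI flags and exit codes listed above, and the function names and paths are hypothetical.

```shell
#!/bin/sh
# Added example, not part of wp-malware-scanner. Uses only the documented
# CLI flags and exit codes; function names and paths are hypothetical.

# Documented CLI call, isolated in one function so it can be stubbed.
scan_cmd() { php bin/scan.php "$@"; }

# run_scan REPORT: returns 0 (clean), 1 (findings) or 2 (error).
run_scan() {
    _old_umask=$(umask)
    umask 077            # report may hold option values from the database
    _rc=0
    # "|| _rc=$?" keeps `set -e` from aborting on exit code 1 (findings).
    scan_cmd --format=json --output="$1" || _rc=$?
    umask "$_old_umask"
    case $_rc in
        0) echo "clean: no suspicious patterns" >&2 ;;
        1) echo "findings: review $1" >&2 ;;
        2) echo "error: scan failed, result is not a clean bill" >&2 ;;
        *) echo "error: undocumented exit code $_rc" >&2; _rc=2 ;;
    esac
    return "$_rc"
}

# scan_and_remove SCANNER_DIR REPORT: scan from SCANNER_DIR, then delete
# SCANNER_DIR whatever the outcome. REPORT must live outside SCANNER_DIR.
scan_and_remove() {
    _dir=$1
    _report=$2
    [ -n "$_dir" ] || return 2
    case $_report in /*) ;; *) _report=$PWD/$_report ;; esac
    _res=0
    ( cd "$_dir" || exit 2; run_scan "$_report" ) || _res=$?
    rm -rf -- "$_dir"
    # No report after cleanup (never written, or deleted together with the
    # scanner directory) leaves nothing to review: treat it as an error.
    if [ "$_res" -ne 2 ] && [ ! -s "$_report" ]; then
        echo "error: report $_report missing or empty" >&2
        _res=2
    fi
    return "$_res"
}
```

Call it as `scan_and_remove ./wp-malware-scanner "$HOME/scan.json"` and branch on the return value; only 0 means the scan ran and matched nothing.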

MIT License
