{"id":33289543,"url":"https://github.com/imagewize/wp-security-scanners","last_synced_at":"2026-04-16T02:31:45.849Z","repository":{"id":322546313,"uuid":"1089929707","full_name":"imagewize/wp-security-scanners","owner":"imagewize","description":"Dual-scanner WordPress malware detection suite: targeted threat detection + broad malware scanning (pharma hacks, webshells, backdoors)","archived":false,"fork":false,"pushed_at":"2025-11-05T03:33:45.000Z","size":38,"stargazers_count":1,"open_issues_count":0,"forks_count":0,"subscribers_count":0,"default_branch":"main","last_synced_at":"2025-11-17T22:03:54.707Z","etag":null,"topics":["security-tools","wordpress"],"latest_commit_sha":null,"homepage":"","language":"PHP","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"mit","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/imagewize.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":"LICENSE.md","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":"SECURITY-SCANNER-GUIDE.md","support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null,"zenodo":null,"notice":null,"maintainers":null,"copyright":null,"agents":null,"dco":null,"cla":null}},"created_at":"2025-11-05T02:14:49.000Z","updated_at":"2025-11-15T17:28:47.000Z","dependencies_parsed_at":null,"dependency_job_id":"a4aedded-2cb7-4c4a-9bc4-fb317925ed57","html_url":"https://github.com/imagewize/wp-security-scanners","commit_stats":null,"previous_names":["imagewize/wp-security-scanners"],"tags_count":0,"template":false,"template_full_name":null,"purl":"pkg:github/imagewize/wp-security-scanners","repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/imagewize%2Fwp-security-scanners","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/imagewize%2Fwp-security-scanners/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/imagewize%2Fwp-security-scanners/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/imagewize%2Fwp-security-scanners/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/imagewize","download_url":"https://codeload.github.com/imagewize/wp-security-scanners/tar.gz/refs/heads/main","sbom_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/imagewize%2Fwp-security-scanners/sbom","scorecard":null,"host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":286080680,"owners_count":31868492,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2026-04-15T15:24:51.572Z","status":"online","status_checked_at":"2026-04-16T02:00:06.042Z","response_time":69,"last_error":null,"robots_txt_status":"success","robots_txt_updated_at":"2025-07-24T06:49:26.215Z","robots_txt_url":"https://github.com/robots.txt","online":true,"can_crawl_api":true,"host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["security-tools","wordpress"],"created_at":"2025-11-17T22:03:54.214Z","updated_at":"2026-04-16T02:31:45.827Z","avatar_url":"https://github.com/imagewize.png","language":"PHP","funding_links":[],"categories":[],"sub_categories":[],"readme":"# WordPress Security Scanner Suite\n\n**Version:** 1.0.0\n**Created:** November 5, 2025\n**License:** MIT\n\nComprehensive dual-scanner security suite for WordPress malware detection and security auditing.\n\n---\n\n## 🎯 Quick Start\n\n```bash\n# Clone to your WordPress root\ncd /path/to/wordpress\ngit clone https://github.com/imagewize/wp-security-scanners.git\n\n# Run both scanners (recommended first scan)\nphp wp-security-scanners/security-scanner.php\n\n# Or run individually\nphp wp-security-scanners/security-scanner-targeted.php  # Quick check\nphp wp-security-scanners/security-scanner-general.php   # Deep scan\n```\n\n---\n\n## 📁 What's Included\n\n```\nwp-security-scanners/\n├── security-scanner.php            # Wrapper (runs both scanners)\n├── security-scanner-targeted.php   # Site-specific threat detection\n├── security-scanner-general.php    # Broad malware detection\n├── SECURITY-SCANNER-GUIDE.md       # Complete documentation\n├── SCANNER-SUMMARY.md              # Quick reference guide\n└── README.md                       # This file\n```\n\n---\n\n## 🔍 Two-Scanner Strategy\n\n### Targeted Scanner (Site-Specific)\n**Purpose:** Fast detection of common WordPress vulnerabilities\n**Speed:** ~1.7 seconds for 6,600 files\n\n**Detects:**\n- Facebook redirect attempts\n- File disclosure vulnerabilities\n- WordPress-specific exploits (unauthenticated AJAX)\n- SQL injection patterns\n- PHP malware (eval, base64_decode)\n- Code obfuscation\n\n**Use:** Weekly monitoring, post-deployment checks\n\n### General Scanner (Broad Detection)\n**Purpose:** Comprehensive malware detection\n**Speed:** ~2.5 seconds for 7,400 files\n\n**Detects:**\n- Known malware filenames (c99.php, r57.php, shell.php, etc.)\n- Pharmaceutical spam injection\n- SEO spam and hidden iframes\n- Webshell signatures (FilesMan, WSO, etc.)\n- Multiple encoding layers\n- Backdoor functions\n- Long suspicious base64/hex strings\n\n**Use:** Monthly deep scans, after suspected compromise\n\n---\n\n## 🚀 Usage\n\n### Basic Scanning\n\n```bash\n# Scan current WordPress installation\nphp security-scanner.php\n\n# Scan specific directory\nphp security-scanner.php /path/to/wordpress\n\n# Scan with home directory shortcut\nphp security-scanner-targeted.php ~/sites/mysite.com\n```\n\n### Via WP-CLI (Production Safe)\n\n```bash\n# Run from WordPress root (auto-detects path)\nwp eval-file wp-security-scanners/security-scanner.php\n\n# Scan specific WordPress installation with --path flag\nwp eval-file wp-security-scanners/security-scanner.php --path=/var/www/vhosts/yoursite.com\n\n# Run individual scanners\nwp eval-file wp-security-scanners/security-scanner-targeted.php --path=/var/www/vhosts/yoursite.com\nwp eval-file wp-security-scanners/security-scanner-general.php --path=/var/www/vhosts/yoursite.com\n```\n\n### Recommended Schedule\n\n| Frequency | Scanner | Command |\n|-----------|---------|---------|\n| **Weekly** | Targeted | `php security-scanner-targeted.php` |\n| **Monthly** | General | `php security-scanner-general.php` |\n| **After Deployment** | Targeted | `php security-scanner-targeted.php` |\n| **After Incident** | Both | `php security-scanner.php` |\n\n---\n\n## 📊 Sample Output\n\n```\n============================================\n  SECURITY SCAN COMPLETE\n============================================\n\nSCAN SUMMARY:\n  Directories scanned: 1,828\n  Files scanned: 6,638\n  Files with matches: 79\n  Total matches: 86\n  Errors: 0\n  Scan time: 1.69 seconds\n\n✓ No suspicious patterns detected!\n```\n\n---\n\n## ⚠️ Security Notes\n\n**IMPORTANT:**\n1. **Never commit scanner files to your WordPress repository**\n2. **Delete after scanning** or move outside web root\n3. **Use IP whitelist** if accessing via browser\n4. **Recommended:** Use WP-CLI for production scans\n\n### Browser Access (Not Recommended)\n\nIf you must access via browser:\n\n1. Edit scanner file and add your IP:\n```php\n$allowed_ips = [\n    '127.0.0.1',\n    'YOUR.IP.ADDRESS.HERE', // Add your IP\n];\n```\n\n2. Navigate to:\n```\nhttps://yoursite.com/wp-security-scanners/security-scanner.php\n```\n\n3. **DELETE the scanner directory immediately after use!**\n\n---\n\n## 🎓 Understanding Results\n\n### Severity Levels\n\n- **CRITICAL** - Investigate immediately (malware signatures, backdoors)\n- **HIGH** - Review within 24 hours (suspicious redirects, file operations)\n- **MEDIUM** - Review as time permits (WordPress exploits, obfuscation)\n\n### Common False Positives\n\n**These are SAFE and can be ignored:**\n\n✅ `xmlrpc.php` - Legitimate WordPress XML-RPC\n✅ `wp-includes/rest-api/*` - Legitimate REST API\n✅ LiteSpeed Cache files - Legitimate optimization\n✅ ACF Pro AJAX - Legitimate frontend functionality\n✅ Gravity Forms - Legitimate form handling\n✅ SimplePie/MySQL.php - Legitimate library\n\n**See SCANNER-SUMMARY.md for complete false positive list**\n\n### Real Threats (Examples)\n\n**Investigate these immediately:**\n\n❌ `c99.php`, `r57.php`, `shell.php` in uploads\n❌ `eval(base64_decode(...))` in theme files\n❌ `system($_GET['cmd'])` anywhere\n❌ Files modified in last 24 hours with suspicious names\n❌ New PHP files in `/wp-content/uploads/`\n\n---\n\n## 💻 Installation\n\n### Method 1: Git Clone (Recommended)\n\n```bash\n# From WordPress root\ngit clone https://github.com/imagewize/wp-security-scanners.git\nphp wp-security-scanners/security-scanner.php\n\n# Clean up after scanning\nrm -rf wp-security-scanners\n```\n\n### Method 2: Download \u0026 Extract\n\n```bash\n# Download release\nwget https://github.com/imagewize/wp-security-scanners/archive/main.zip\nunzip main.zip\nphp wp-security-scanners-main/security-scanner.php\n\n# Clean up\nrm -rf wp-security-scanners-main main.zip\n```\n\n### Method 3: Individual Files\n\nDownload only the scanner you need:\n- [security-scanner-targeted.php](security-scanner-targeted.php) (site-specific)\n- [security-scanner-general.php](security-scanner-general.php) (broad detection)\n- [security-scanner.php](security-scanner.php) (runs both)\n\n---\n\n## 🛠️ Advanced Usage\n\n### Scan Multiple Sites\n\n```bash\n#!/bin/bash\n# weekly-scan.sh\n\nsites=(\n    \"/var/www/site1.com\"\n    \"/var/www/site2.com\"\n    \"/var/www/site3.com\"\n)\n\nfor site in \"${sites[@]}\"; do\n    echo \"Scanning $site...\"\n    # Option 1: Direct PHP\n    php security-scanner-targeted.php \"$site\"\n\n    # Option 2: Via WP-CLI with --path flag\n    # wp eval-file security-scanner-targeted.php --path=\"$site\"\ndone\n```\n\n### Automated Cron Job\n\n```bash\n# Add to crontab: crontab -e\n# Weekly scan every Monday at 3am\n0 3 * * 1 /usr/bin/php /path/to/security-scanner-targeted.php /var/www/wordpress \u003e /var/log/wp-scan.log 2\u003e\u00261\n```\n\n### Integration with CI/CD\n\n```yaml\n# .github/workflows/security-scan.yml\nname: Security Scan\non: [push, pull_request]\n\njobs:\n  scan:\n    runs-on: ubuntu-latest\n    steps:\n      - uses: actions/checkout@v2\n      - name: Run Security Scanner\n        run: |\n          git clone https://github.com/imagewize/wp-security-scanners.git\n          php wp-security-scanners/security-scanner-targeted.php .\n```\n\n---\n\n## 📚 Documentation\n\n- **[SECURITY-SCANNER-GUIDE.md](SECURITY-SCANNER-GUIDE.md)** - Complete usage guide with examples\n- **[SCANNER-SUMMARY.md](SCANNER-SUMMARY.md)** - Quick reference for busy developers\n\n---\n\n## 🔧 Customization\n\n### Add Custom Patterns\n\nEdit the scanner file and add your patterns:\n\n```php\n// In security-scanner-targeted.php or security-scanner-general.php\n$patterns = [\n    // ... existing patterns ...\n\n    'custom_threat' =\u003e [\n        'name' =\u003e 'My Custom Threat',\n        'description' =\u003e 'Description of what this detects',\n        'patterns' =\u003e [\n            '/your-regex-pattern-here/i',\n        ],\n        'severity' =\u003e 'CRITICAL',\n    ],\n];\n```\n\n### Exclude Directories\n\n```php\n$config = [\n    'exclude_dirs' =\u003e [\n        'node_modules',\n        '.git',\n        'vendor',\n        'your-custom-dir',  // Add your exclusions\n    ],\n];\n```\n\n---\n\n## 🐛 Troubleshooting\n\n### Timeout Errors\n\n```bash\n# Increase timeout\nphp -d max_execution_time=600 security-scanner.php\n```\n\n### Memory Errors\n\n```bash\n# Increase memory\nphp -d memory_limit=512M security-scanner.php\n```\n\n### Permission Errors\n\n```bash\n# Run as web server user\nsudo -u www-data php security-scanner.php\n```\n\n---\n\n## 📈 Performance\n\n### Benchmark Results\n\nTested on MacBook Pro M1, PHP 8.2:\n\n| Scanner | Files | Time | Speed |\n|---------|-------|------|-------|\n| Targeted | 6,638 | 1.7s | 3,905 files/sec |\n| General | 7,380 | 2.5s | 2,952 files/sec |\n| Both | 7,380 | 4.2s | 1,757 files/sec |\n\n### Optimization Tips\n\n1. Exclude large directories (`node_modules`, `vendor`)\n2. Run during off-peak hours for production\n3. Use targeted scanner for frequent checks\n4. Use general scanner for monthly deep scans\n\n---\n\n## 🤝 Contributing\n\nContributions welcome! Please:\n\n1. Fork the repository\n2. Create a feature branch\n3. Add tests for new detection patterns\n4. Submit a pull request\n\n### Adding New Malware Patterns\n\nFound a new threat? Submit a PR with:\n- Pattern regex\n- Sample malicious code (sanitized)\n- Description of the threat\n- Severity level (CRITICAL/HIGH/MEDIUM)\n\n---\n\n## 📜 License\n\nMIT License - see LICENSE file for details\n\n---\n\n## 🙏 Credits\n\n- Based on malware detection patterns from WordPress Security Best Practices\n- Inspired by [lookforbadguys.php](https://gist.github.com/jasperf/3191259)\n- Built for the Rob Disbergen WordPress site security investigation (November 2025)\n\n---\n\n## 📞 Support\n\n- **Documentation:** See [SECURITY-SCANNER-GUIDE.md](SECURITY-SCANNER-GUIDE.md)\n- **Issues:** https://github.com/imagewize/wp-security-scanners/issues\n- **Security:** Report vulnerabilities privately via GitHub\n\n---\n\n## 🔄 Changelog\n\n### v1.0.0 (November 5, 2025)\n\n**Initial Release:**\n- Dual-scanner architecture (targeted + general)\n- 8 malware detection categories\n- Severity-based prioritization\n- Command-line path arguments\n- Colored CLI output\n- Comprehensive documentation\n- False positive guidance\n- Production-ready security\n\n**Tested On:**\n- WordPress 6.4.x\n- PHP 8.1/8.2\n- 13,000+ files scanned\n- Zero false negatives on known patterns\n\n---\n\n**Created with ❤️ for WordPress Security**\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fimagewize%2Fwp-security-scanners","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fimagewize%2Fwp-security-scanners","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fimagewize%2Fwp-security-scanners/lists"}