If you’re not careful, suspicious code within your sites can easily go unnoticed and wreak havoc. Whether you’ve been hacked and need a resolution ASAP, or you simply want to check your sites for suspicious activity, Defender can help you quickly detect and eliminate malware for good. See how it’s done in this tutorial.

Looking for a convenient and hassle-free way to locate and delete suspicious code from your sites?

In this tutorial we’re showing you, step-by-step, how Defender‘s vast suite of security features can help banish and keep suspicious code at bay.

You’ll also learn how to keep your sites protected from these kinds of issues going forward.

Let’s not delay, the health of your sites is at stake!

How To Detect and Resolve Suspicious Code and Files With Defender

First order of business… Detecting and removing suspicious files and code can only be done with the Pro version of Defender.

You can get Defender Pro, along with our suite of Pro WordPress plugins and site management tools for a low $3/month. Which is incredible value, especially if you own or manage critical sites that are particularly susceptible to malware or attacks.

The first step is to enable the Suspicious Code setting via Malware Scanning > Settings.

You also need to ensure that File Change Detection is enabled for both ‘Scan Core Files’ and ‘Scan Plugin Files.’ This will help reduce the occurrence of false positives in your scans.

A screen showing Defender's various security settings
Enable these vital security settings before proceeding any further.

Once you’ve enabled these settings, you’re ready to scan your site for malware.

To do this, go to Malware Scanning via the WordPress admin sidebar or from the main Defender dashboard.

A screen showing where you can start a new malware scan
Start a new malware scan with a click and identify threats in seconds.

Once here, you can initiate a new scan with a click.

Then sit back and let Defender work its magic. The scan should only take a few minutes, depending on the size of your site.

A screen showing a Defender malware scan in progress.

Once the scan is completed, you will be alerted to any issues found relating to file change detection, known vulnerabilities, and suspicious code.

A screen showing that vulnerabilities have been detected.
The Issues tab details all of the vulnerabilities or suspicious behavior detected.

Next, simply click on the Issues tab. Here you will find a list of all the potentially harmful files that have been compromised or changed in some way.

A screen showing the issues the Defender scan has detected.
Defender quickly identifies issues for you to address.

Click on any of the detected files to get more details about the issue and its exact location.

In the example below, the suspicious code has been detected inside of a WordPress plugin. Defender specifically points out the error and the file in which it was found.

A screen showing details of an issue that was detected during the malware scan.
Quickly see where the detected issue was found.

Along with seeing important details like the plugin URL, location of the issue, date added, and developer, you have three options when it comes to addressing suspicious files or code.

You can either ignore, delete, or Safe Repair the file.

Caution: It’s strongly recommended to ensure that something is harmless before choosing to delete and/or ignore it. If you’re unsure or need advice, you can consult our 24/7 WordPress experts.

It’s important to note there is a chance that reported issues or vulnerabilities could be false positives, meaning that legitimate code being flagged as suspicious due to its resemblance to malicious code.

This can happen for various reasons, such as a function being modified by a plugin or theme, or if something is directly modified in the file or theme editor.

Fortunately, Defender is designed to minimize the occurrence of false positives. However, malicious code often mimics legitimate code, making it almost impossible to avoid completely.

To help verify suspicious code, you can take a couple of steps:

  • Verify custom edits: Check with the plugin developer to confirm the questionable code.
  • Contact our support: If you didn’t add the code, and you’re certain no one you know did, feel free to contact WPMU DEV support for feedback and to share what you deem to be malicious code.

We highly recommend you reach out to either the plugin developer or our expert support team for advice before deleting any files. You’ll also need to deactivate the plugin before you can delete the associated file.

Another great and risk-free option is to use Defender’s Safe Repair feature.

A screen showing where the user can enable the Safe Repair feature
Using Defender’s Safe Repair feature is a great way to repair your site without worrying if deleting a file will do even more damage.

Click Safe Repair to automatically quarantine the file for a defined amount of time that you specify (30 days – one year).

FREE EBOOK
Your step-by-step roadmap to a profitable web dev business. From landing more clients to scaling like crazy.

By downloading this ebook I consent to occasionally receive emails from WPMU DEV.
We keep your email 100% private and do not spam.

FREE EBOOK
Plan, build, and launch your next WP site without a hitch. Our checklist makes the process easy and repeatable.

By downloading this ebook I consent to occasionally receive emails from WPMU DEV.
We keep your email 100% private and do not spam.

The advantage of this is it allows you to quickly repair your site and fix the issue instantly if it is the cause. The quarantine period also gives you ample time to properly investigate what happened.

Plus, if it turns out to be a false positive, you can easily restore the file. This saves you from accidentally deleting a critical file and preventing further damage to your site.

A screen showing a potentially malicious file in quarantine, and the options you have to deal with it
Restore or delete files permanently with one click

Once you’re sure that deleting the file is safe and necessary, you can securely do so from within the Quarantined tab.

And that’s it!

You’ve seen how easy and fast it is to identify and address suspicious files or code in the event of a hack or malware incident.

However, resolving critical issues promptly once they occur is one thing….

Preparing and protecting your sites against future attacks is another!

On that note, here are some ‘bonus tips’ to ensure your sites are well-prepared to deal with potential hacks or other issues should they reoccur.

BONUS TIPS: How To Configure Your Sites For Future Protection

Schedule Automated Site Scans

Another useful Defender Pro feature is the ability to run automated site scans.

This not only saves you from running scans manually, but also ensures your sites are checked more frequently for security issues without any hassle.

Scheduling scans can be set up via Malware Scanning > Settings. From there, all you need to do is enable scheduled scanning and set the frequency, day of the week, and time of day for the scans to run.

A screen showing where you can schedule and automate your malware scans.
Easily set up automated scans to your preferred frequency.

Enable Notifications of Suspicious Activity

After setting up automated scans, you should also set up notifications so that you can be alerted about scan results from wherever you are, saving you from having to manually check in.

Simply navigate to the Notifications section using the sidebar or from your main Defender dashboard.

Here you’ll find a number of different notification options to choose from.

In the case of detecting suspicious code, you would enable the Malware Scanning “Notification” and “Reporting” options.

A screen showing where you can enable Defender notifications.
Defender gives you a number of options for the types of notifications you want to receive.

Once selected, you can set up additional settings and configurations for each notification.

You also have the option to either add users directly or invite them via email.

A screen showing where Defender users can adjust the recipients of their notifications

Next, you can further configure notification settings to ensure you only receive notifications at appropriate times.

Additionally, you can set up custom email template messages for your clients to guarantee that the notifications they receive are to your liking and clear for the user.

A screen showing where you can confirm notification settings and set up email message templates
Enable notifications when you really need them and provide custom message templates for your users.

Finding and Deleting Suspicious Code Just Got Easier With Defender

As you can see, suspicious code is no match for Defender and it really just takes no more than a few clicks to remove.

Beyond finding malicious code and the ability to delete it, Defender can stop SQL injections, prevent hackers from exploiting WordPress vulnerabilities, prevent PHP execution, and much more.

To discover more about WordPress security, check out our Ultimate Guide to WordPress Security. And for more information on how Defender works, be sure to view the plugin’s documentation.

Don’t have the time or resources to address malware or hacks yourself? Try our Expert Services!

We know that when a malware attack happens on a client site that you are managing, you may not have the time or resources to fix this yourself.

In this case, our Expert ‘done-for-you’ Services are another great option.

Because instead of worrying about security or malware attacks yourself, you can hire our experts at an affordable price to handle it for you. You can also easily resell these services to your clients without any additional charges from us.

Plus, we offer a full 7-day money-back guarantee. So, if we help resolve a hacked site and a problem reoccurs within seven days, we’ll return to fix it absolutely free of charge!

Learn more about our Expert Services here.

[Editor’s note: This post was originally published in August 2023 and updated in May 2024 for accuracy.]

What do you think of Defender’s malware eliminating capabilities? Let us know in the comments!