It looks like the WordPress Misinformation Virus is at work again. This time its purpose is to spread the idea that WordPress Malware Scanning is completely useless.

This sort of idea propagation doesn’t actually help WordPress admins, unfortunately.

I’ll preface this article by encouraging the reader to understand our position on some of the flaws of WordPress malware scanning – something we wrote over a year ago (before it was cool to dis Malware scanning). It’s worth bearing in mind that our security apparatus has included malware scanning for a long time. So why would we write an article that appears to undermine our own product?

Because we prefer to be honest about these things. Our blog isn’t just a marketing channel for our services – it’s also about education and keeping members informed.

Let’s examine the case against WordPress Malware scanning.

The Core Argument Against WordPress Malware Scanning

A few weeks ago an article was published that exposed one of the biggest weaknesses of WordPress malware scanning, and we urge the reader to explore that article if you want to get into the important details.

It’s a straightforward concept, but the challenge we face can be summarised a little like this:

How can you trust a mutable system to scan itself for malicious code?
Since WordPress can be changed dynamically at run time, sophisticated malware can use that mutability to hide itself, in real time, while the malware scanner is running, and thereby evade detection by the scanner.

So how can you trust the scan results?

You can’t.

At least, you can’t trust them 100%.

The key here is “100%”.

And because it’s not 100% trustworthy, there’s a newly forming bandwagon of nay-sayers telling the WordPress world that malware scanning is entirely worthless.

The same folks espousing this ideology neglect to mention that the entire WordPress plugin security concept is susceptible to exactly the same weakness.

How can any WordPress security plugin ever be 100% trusted to protect against anything?

It can’t.

If the site itself is compromised, and the infection is sufficiently pernicious and well-architected, it could hide from all but the most manual and deep inspections.

Their argument, then, is this: since it can’t be 100% trusted, it’s completely worthless.

Well then, these same folk should stop selling WordPress Security plugins. Security plugins are either useful or they’re not. You can’t have it both ways.

Surely We’re Denying Malware Scanning Weaknesses Just To Sell Our Own Product?

We don’t deny the weakness. Here it is plainly: the principle outlined above and in the linked-to article is completely sound.

What we deny is the idea that since trust of scan results can’t be 100%, then the entire enterprise must be abandoned.

We wrote that malware scanning isn’t true WordPress protection. The presence of malware doesn’t suddenly make you vulnerable; it highlights that you were already vulnerable.

We haven’t previously discussed the weakness of a WordPress site scanning itself for malware, but as I already mentioned, that weakness applies to many other elements of WordPress plugin security.

And the most important aspect of that malware scanning weakness is this: most malware isn’t that clever. Most infections we see are pretty basic – and we see thousands of malware samples with our AI Malware Detection. (Yes, I know, we wouldn’t see any malware that’s hidden. But we see bountiful malware samples that aren’t hidden!)

Sure, you’ll have sophisticated malware infections that can avoid scanners, but that’s not an excuse to stop providing tools for scanning for those less-sophisticated infections.

The “burn it all to the ground” approach is nonsensical, and can only really be justified by those promoting an approach to security that lacks malware scanning completely.

I can’t think of a single good reason to adopt such a rigid, all-or-nothing approach to security.

If Malware Scanning Is Flawed, What Can We Do To Protect Ourselves?

We don’t deny the fact that malware can bypass scanners – anyone motivated to build malware will also be motivated to avoid detection. Otherwise, what’s the point?

The solution isn’t to throw away the tools we have because they’re not 100% effective. The solution is to build better tools.

It’s no bad thing for us all to be reminded that malware scanning isn’t a panacea. WordPress Security is a process that doesn’t stop, and your best course of action is to put in as much effective protection (& detection) as you possibly can.

Just because no malware is detected doesn’t mean that you don’t have malicious code on your site. This is why a WordPress Security Audit is so critical. When you perform a security audit, you’re looking not only at scan results, but you’re also searching for anomalies that are the secondary effects of malware.
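As an added illustration of both the self-scanning weakness described earlier and the audit step described here (example code, not Shield’s or any plugin’s own), the following Python script runs outside the PHP runtime and compares the live tree against a manifest hashed from a known-clean copy, then flags one common secondary effect that a signature scan inside WordPress could be steered away from. The sample tree, file names and contents are constructed for the demo; in practice the manifest would come from a trusted source such as a fresh download of the same core version. The trust anchor moves from WordPress to the host and the manifest: a compromise that extends to the host itself could still deceive this check, which is why the manifest and the checker should live off the site.

```python
"""Out-of-band integrity check for a WordPress tree (added example, not Shield's code)."""
import hashlib
import tempfile
from pathlib import Path


def hash_tree(root: Path) -> dict[str, str]:
    """Map each file under root (relative POSIX path) to its SHA-256 hex digest.

    This walks the filesystem from a separate process, so nothing WordPress does
    at run time (hooks, filters, runtime-patched functions) can alter what is read."""
    hashes = {}
    for path in sorted(root.rglob("*")):
        if path.is_file():
            rel = path.relative_to(root).as_posix()
            hashes[rel] = hashlib.sha256(path.read_bytes()).hexdigest()
    return hashes


def compare_to_manifest(current: dict[str, str], manifest: dict[str, str]) -> dict[str, list[str]]:
    """Diff the live tree against a manifest recorded from a known-clean copy."""
    return {
        "modified": sorted(p for p in current if p in manifest and current[p] != manifest[p]),
        "unexpected": sorted(p for p in current if p not in manifest),
        "missing": sorted(p for p in manifest if p not in current),
    }


def flag_anomalies(current: dict[str, str]) -> list[str]:
    """Secondary-effect heuristic: PHP files under wp-content/uploads should not exist
    on a typical site, whatever any signature scan says about their contents."""
    return sorted(p for p in current
                  if p.startswith("wp-content/uploads/") and p.endswith(".php"))


def run_demo() -> dict:
    """Constructed demo tree: snapshot while clean, then simulate the side effects of a compromise."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "wp-includes").mkdir()
        (root / "wp-content" / "uploads").mkdir(parents=True)
        (root / "wp-config.php").write_text("<?php // constructed sample config\n")
        (root / "wp-includes" / "functions.php").write_text("<?php function demo() {}\n")
        (root / "wp-content" / "uploads" / "photo.jpg").write_bytes(b"\xff\xd8\xff\xe0")
        manifest = hash_tree(root)  # recorded while the tree is known-clean

        # Simulated secondary effects (constructed): a core file edited, an unexpected
        # PHP file dropped into uploads, and an expected file deleted.
        (root / "wp-includes" / "functions.php").write_text("<?php function demo() {} /* edited */\n")
        (root / "wp-content" / "uploads" / "cache.php").write_text("<?php // constructed unexpected file\n")
        (root / "wp-content" / "uploads" / "photo.jpg").unlink()

        live = hash_tree(root)
        report = compare_to_manifest(live, manifest)
        report["anomalies"] = flag_anomalies(live)
        return report


if __name__ == "__main__":
    for kind, paths in run_demo().items():
        print(f"{kind}: {paths}")
```

Run it as a plain script from a shell or cron job on the host, or better from a separate machine against a copy of the tree, so that the check never depends on the code it is auditing. The hash comparison catches changes to files you already know about; the anomaly pass catches things no manifest would list, which is the kind of evidence an audit looks for beyond the scan result.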

It’s no accident that our article on the biggest WordPress vulnerabilities only lists 1 item for malware, and refers to “existing” malware infections. Malware scanning is just 1 part of the process of WordPress security protection.

“I’m Still Not Convinced That Malware Scanning Is Any Use”

That’s completely fine! We all have opinions and we each take different positions on the many issues that we face.

If you feel strongly that all malware scanning by a WordPress site on itself isn’t important, then we suggest you don’t deploy that sort of tech.

Malware scanning isn’t protection, but we feel it still plays an important role in detecting infection and signalling that your WordPress site is vulnerable.

Our position on that may evolve over time, but we’ll keep you updated if that’s the case. Opinions can, and should be allowed to, change. An example of this is our approach to IP Address Blocking. We stated quite strongly that security based on IP Address blocking is fundamentally flawed.

That was nearly 10 years ago, and it was based on the idea that folk would add IPs to bloated .htaccess files and never remove them. Our approach has evolved quite a lot since then. Now we love to block the IP addresses of malicious bots, ensuring that IP addresses are blocked only for a limited time.

Our CrowdSec blocklist IPs also expire after 7 days, and they themselves are experts at ensuring blocked IPs expire from their own lists.
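To show the difference between the old “append to .htaccess forever” model and a time-limited block, here is an added example of an expiring blocklist (illustrative Python, not Shield’s or CrowdSec’s code). The TTL values, the doubling of block length for repeat offenders and the 7-day cap are assumptions chosen for the demo; the IP addresses are from the documentation range and are constructed.

```python
"""Time-limited IP blocklist with escalation for repeat offenders (added example)."""
from dataclasses import dataclass, field


@dataclass
class BlockEntry:
    expires_at: float   # Unix timestamp after which the block no longer applies
    offences: int       # how many times this address has been blocked


@dataclass
class ExpiringBlocklist:
    """Every block carries an expiry, so the list never grows without bound.

    Repeat offenders get longer blocks (assumption: doubling each time), but never
    longer than max_ttl, mirroring the 7-day expiry the post mentions for CrowdSec lists."""
    base_ttl: float = 24 * 3600.0        # assumption: first block lasts one day
    max_ttl: float = 7 * 24 * 3600.0     # assumption: hard cap of seven days
    entries: dict = field(default_factory=dict)

    def block(self, ip: str, now: float) -> float:
        """Block ip starting at now; returns the TTL applied in seconds."""
        prev = self.entries.get(ip)
        offences = prev.offences + 1 if prev else 1
        ttl = min(self.base_ttl * (2 ** (offences - 1)), self.max_ttl)
        self.entries[ip] = BlockEntry(expires_at=now + ttl, offences=offences)
        return ttl

    def is_blocked(self, ip: str, now: float) -> bool:
        """An expired entry is treated as not blocked even before prune() removes it."""
        entry = self.entries.get(ip)
        return entry is not None and now < entry.expires_at

    def prune(self, now: float) -> int:
        """Drop entries that expired more than max_ttl ago (assumption: keep offence
        history for that long so a quickly returning bot still escalates). Returns count removed."""
        stale = [ip for ip, e in self.entries.items() if e.expires_at + self.max_ttl <= now]
        for ip in stale:
            del self.entries[ip]
        return len(stale)


if __name__ == "__main__":
    bl = ExpiringBlocklist()
    t0 = 1_700_000_000.0   # constructed start time
    print("first block, seconds:", bl.block("203.0.113.7", t0))
    print("blocked an hour later:", bl.is_blocked("203.0.113.7", t0 + 3600))
    print("blocked two days later:", bl.is_blocked("203.0.113.7", t0 + 2 * 86400))
```

The point the post makes is visible in `is_blocked` and `prune`: a block is a statement about the present, not a permanent verdict on an address, so the list cleans itself up instead of accumulating entries that nobody ever revisits.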

Just like everyone, we reserve the right to change our mind as the available information changes.

Comments & Suggestions?

I know that, as usual, our opinions buck the trend. We understand that security is rarely a black & white comparison, and it’s often very nuanced. Nuanced opinions in 2023 aren’t often welcome, but that’s our position as it stands today.

If you have any comments or rebuttals after reading this article, we’d love to hear them below.