WordPress Core files integrity check

Posted by on April 25, 2015 at 12:30 pm

My plugin can now scan your WordPress Core files and compare them with the installation source code available from wordpress.org. This new integrity check could be very helpful for finding new threats hidden in WP Core file. There may be lots reasons, other than malicious threats, for Core files to differ from the original source so this is an optional fix that requires you to check the box next to each file you want to restore. If a Know Threat is found in these files it will still come up as an automatic fix but if not you can now optionally revert any of these modified Core files to the original code.

This new feature is currently only available to those who have donated at the default $29+ level.

SoakSoak bug, round two, still widespread infections

Posted by on December 19, 2014 at 12:39 pm

I've been really busy so it's been a while since my last post, but this is really important so thought I should update everyone.

This recent SoakSoak bug infected a lot of WordPress sites through a vulnerability in the Revolution Slider plugin. Apparently the developers know about this security hole back in September but did nothing about it until the exploit was widespread. There is now a new version of Revolution Slider that has been patched but there are also many themes that use this slider that cannot be automatically upgraded. The newest version of my Anti-Malware plugin will automatically block the attempts to exploit this vulnerability on your site, even if you have a vulnerable version of Revolution Slider installed.

The bigger problem is that once you have been hit by this bug then there may be other backdoors planted on your site and your DB password may also have been stolen. Your site can also then be used to spread this infection to other sites. I have seen a new round of this threat that no longer uses the popular IP address in the script source. Now its using a variety of infected domains spread the infection.

This threat is changing all the time so please make sure to download the Definition Updates whenever I release a new one. You can follow my Twitter feed @GOTMLS to get notified of new updates.


Heartbleed vulnerability

Posted by on April 14, 2014 at 1:13 pm

heartbleedIf you are hosting an SSL site on a server running OpenSSL version 1.0.1 - 1.0.1f or 1.0.2 with the HEARTBEATS extension turned on then your site has been vulnerable to a Heartbleed attack. You should upgrade to OpenSSL version 1.0.1g, rebuild OpenSSL with -DOPENSSL_NO_HEARTBEATS, or move your site to a more secure host.

Is your site vulnerable to the Heartbleed attack?

Here are four independent sites that will check your server:


I started a twitter account

Posted by on February 12, 2014 at 12:01 am

I'm going to use this twitter account to post plugin and definition update notices as well as any other important info I need to get out there: @GOTMLS


Spanish translation added in last release

Posted by on January 11, 2014 at 1:17 am

Thanks to Andrew Kurtis of webhostinghub.com my plugin has now been translated into Spanish of by Jelena Kovacevic. The new language files were tested and packaged in the last release. Now, if you have WPLANG defined as 'es_ES' in your wp-config.php file then the Anti-Malware Settings and Scan pages will be output en Español :-)

I'm also thinking of creating a facebook page for my plugin to get more feedback and collaboration form my users. Have some big ideas I would like share and get some help with to move this plugin forward. Leave a comment here and let me know what you think. Would you follow me on facebook? comment, Yes or No.


Posted by on August 19, 2013 at 12:13 pm

I have had quite a few WordPress users having trouble with plugin upgrades or re-installing plugin that were not completely removed. The problem is that sometime WordPress will not remove the main folder for a plugin that is being upgraded or removed but it will remove all the contents of the folder. So then WordPress does not see that the plugin is installed but it cannot create the directory structure to reinstall it either.

The only thing you can do then is to login to your server via FTP (or a file manager in your hosting control panel) and delete the directory so that it can be re-installed. But for some people that just isn't so easy to get to. So I created this little helper plugin to force the deletion of any plugin's main directory and all of it's contents before upgrading or installing another version of that plugin. It's still under development and I would not recommend installing all your plugins with this one activated, but if you are have trouble upgrading a plugin because the destination directory already exists then this will probably help.

You can download the BETA vesion of this plugin here

Good Luck!

Eli Scheetz

Downgraded the WP-Login threat and changed it to an opt-in fix

Posted by on June 1, 2013 at 1:46 pm

In my ongoing attempts to improve the security of WordPress and to clarify the brute-force threat, I have isolated the code for my login patch into an include file and added some notes to explain why the wp-login.php file comes up as a vulnerability.

I have also downgraded the severity of this threat and changed it to an "opt-in" fix instead of being marked in red and default checked for automatic repair. This is partly because I have perceived an ebbing of the brute-force attacks on WordPress sites that spiked a couple of months ago, but also because a moderator on wordpress.org suggested that I should not be modifying WordPress core files.

I will also be taking the "Dave" and other references from the movie 2001: A Space Odyssey out of the login patch because some people (not named Dave) didn't see the humor in it and I don't want to upset anyone.

Comments and suggestions are always welcome.


Just what do you think you are doing, Dave?

Posted by on May 3, 2013 at 10:18 pm

In the last two weeks I have been working on perfecting a patch for the wp-login.php page that will prevent a swarm of brute-force attacks from guessing your password or bringing down your server. When I first released this patch it was a bit overzealous and caused a few people to be temporarily locked out of their own blogs as their login attempts were incorrectly identified as brute-force attacks.

This patch of mine has also caused a small wave of paranoia because it displays the unconventional (and a possibly spooky) message "Just what do you think you are doing, Dave?" whenever brute-force or too many failed logins is detected. This message is a quote from the movie 2001: A Space Odyssey. Even though I intended this message to bring out the humor of the situation, I also feel it is very relevant (unless your name is not Dave :-)

The linked response "Open the Pod bay doors, HAL!" also a quote from the same movie and it's just there to link you back to the login page should you wan to try to login again.

I have also received many inquiries as to why the wp-login.php file is flagged as an WP Login Exploit on every install of WordPress, even brand new installs of the most current version. This is simply because WordPress has no built-in brute-force protection and it's login page is exploitable. It has been clearly demonstrated through the widespread attacks on login pages around the world as of late that it is not only vulnerable to password cracks via brute-force but it also has been shown to overload and bring down a whole server if the attacks are too numerous. That is why my patch also prevents the loading of the WordPress bootstrap if a brute-force attack is detected so that your server's resources are not tied up just telling hackers if they guessed the right password or not.

I hope this helps answer your questions about this new threat and my approach to solving it. Feel free to leave a comment if I could do better explaining anything.

Eli Scheetz

Happy Birthday to GOTMLS Anti-Malware

Posted by on March 26, 2013 at 4:21 pm

Today is the official one-year anniversary of the first release of this plugin on the WordPress Plugin Repository. I feel really positive about how far this plugin has come in the last year. I am also very proud of how many people that my plugin has helped. I've got a lot of plans for improving this plugin so I want to thank those who have made a donation and ask all those who have not yet donated to contribute now. Donations to this project support me making time to work on it and make it better. So don't just use it, support it!

Eli Scheetz

Best Buy Award for 2012 by reviewboard.com

Posted by on November 22, 2012 at 2:01 pm

This plugin was just reviewed by reviewboard.com and given 5 Stars and their Best Buy Award for 2012. This is a great honor and I really appreciate them spreading the word about my plugin. They also wrote a nice review on WordPress.org which you can do to if you would like to help.

Donations also help as I am constantly working hard to push out updates with improvements and new features. The more donations I get, the more time I can spend on it.

A big "Mahalo!" (thanks) to those that have already donated.

Eli Scheetz