Home

This Plugin was created to help WordPress admins clean infections off their site. It was inspired by my own need to clean up one of my BlueHost accounts after a pretty bad hack (see How It All Started). It is still a little rough around the edges and I want to add many new and exciting features. It is currently being offered completely FREE of charge, though it did take quite a lot of time to develop, test, and make nice.

This project will continue to need my energy to keep it effectively getting rid of new threats and patching new vulnerabilities. That is why I am asking anyone who can, to please make a donation to keep it going.

Aloha,
Eli Scheetz

Testimonials

  • Thanks for such a useful plugin! One of my sites was hacked and infected a week ago - and is now free and clear of all viruses thanks in part to your malware scanner. Good work - I look forward to updated versions. Cheers!
    -- Matt H.

599 Comments on "Home"

  • On February 23, 2024 at 2:20 am, Digital Mango said:

    Excellent tool – Cleaned a few Bricks Builder sites in 20min. Needed the upgraded ver tho for the Core files. Absolutely brilliant, considering the s***storm it caused for many others. Total breeze w/ GOTMLS. TY! Can’t say enough good words! Cheers.

  • On February 16, 2024 at 3:49 am, Xeon King said:

    Thank you sir, thanks to your script I am getting better

  • On February 6, 2024 at 6:42 am, Влад Чепелевський said:

    Disabled xmlrpc and now site “500 internal server error(

    • On February 6, 2024 at 7:26 am, Anti-Malware Admin said:

      Look in the error_log file on your server to see what is actually causing the error.

      If you are unable to figure it out then you can remove the XMLRPC protection from your .htaccess file and see if that helps.

      The lines you want to remove start with:
      Files xmlrpc.php
      (that’s in angle-brackets (less-than/greater-than) … and all the lines down to the following line:
      # END GOTMLS Patch to Block XMLRPC Access

      • On February 6, 2024 at 9:13 pm, Влад Чепелевський said:

        I deleted the rule that the plugin added, and everything worked. But how to disable xmlrpc so that the site does not crash?

        • On February 7, 2024 at 12:44 am, Anti-Malware Admin said:

          You would need to look in the error_log file on your server to see what is actually causing the error. From the error we can figure out what it is on your server that is conflicting with that rule.

        • On February 7, 2024 at 12:52 am, Влад Чепелевський said:

          All work. Thanks!

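Added example (not part of the comment thread and not the plugin's own code): a shell function that removes the XML-RPC block described in the thread above from an .htaccess file, from the `<Files xmlrpc.php>` line through the `# END GOTMLS Patch to Block XMLRPC Access` marker, keeping a backup and leaving the file untouched if the END marker is missing. The function names, the backup suffix and the sample file contents are assumptions made for illustration.

```shell
#!/bin/sh
# Added example, not the plugin's code. Function names, the backup suffix and
# the sample file below are assumptions made for illustration.

END_MARK='# END GOTMLS Patch to Block XMLRPC Access'

# strip_xmlrpc_block FILE
#   0 = block removed (original saved as FILE.gotmls.bak)
#   1 = no complete block found, FILE left untouched
#   2 = FILE not readable and writable, or the backup/write step failed
strip_xmlrpc_block() {
    file=$1
    [ -r "$file" ] && [ -w "$file" ] || return 2
    tmp=$(mktemp) || return 2

    # Lines from "<Files xmlrpc.php>" onward are buffered, not dropped, until
    # the END marker is seen. A plain sed range delete would erase everything
    # to the end of the file if the END marker had been edited away.
    if awk -v endmark="$END_MARK" '
        !inblk && /^[ \t]*<Files[ \t]+xmlrpc\.php>/ { inblk = 1; buf = $0; next }
        inblk {
            buf = buf "\n" $0
            line = $0
            sub(/\r$/, "", line)       # tolerate CRLF line endings
            sub(/^[ \t]+/, "", line)   # tolerate indentation
            if (line == endmark) { inblk = 0; buf = ""; removed = 1 }
            next
        }
        { print }
        END {
            if (inblk) print buf       # unterminated block: put the lines back
            exit (removed ? 0 : 1)
        }
    ' "$file" > "$tmp"; then
        # cat into the original keeps its owner and permissions.
        cp -p "$file" "$file.gotmls.bak" && cat "$tmp" > "$file" \
            || { rm -f "$tmp"; return 2; }
        rm -f "$tmp"
        return 0
    fi
    rm -f "$tmp"
    return 1
}

# write_sample PATH: constructed .htaccess for trying the function out.
# The directives the plugin writes inside the block are not shown on the page,
# so a placeholder comment stands in for them.
write_sample() {
    cat > "$1" <<'EOF'
# BEGIN WordPress
RewriteEngine On
# END WordPress
<Files xmlrpc.php>
# placeholder for the plugin's directives (not shown on the page)
</Files>
# END GOTMLS Patch to Block XMLRPC Access
EOF
}

# Stand-alone use: sh this-script.sh /path/to/.htaccess
if [ "$#" -gt 0 ]; then
    if strip_xmlrpc_block "$1"; then
        echo "block removed; original saved as $1.gotmls.bak"
    else
        echo "nothing changed (no complete block found, or file not writable)"
    fi
fi
```

Check the server's error_log before and after the change, as the replies above suggest, so the directive that conflicts with the server can be identified rather than only removed.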
  • On December 1, 2023 at 4:23 am, Kiss Zsolt said:

    Hello!
    I love using your tool for cleaning up my infected websites. Thank You!
    However I’m wondering if the plugin can look for any unwanted data on the database as well, or it can only see and clean the files of the site itself (like what I see over FTP)
    If it does not check the DB, can we say that we are safe? Can you recommend something to use?

  • On November 16, 2023 at 3:42 am, Walter said:

    Aloha,
    I was testing your fantastic plugin and it found three vulnerabilities.
    /wp-content/plugins/patchstack/includes/listener.php
    /wp-content/plugins/patchstack/includes/views/access-denied-login.php
    /wp-content/plugins/patchstack/includes/views/access-denied.php

    It is the official patchstack wordpress plugin. I checked the files and could not find malware code. I think it is a false positive.

    Best regards,

    Walter

    • On November 18, 2023 at 10:06 am, Anti-Malware Admin said:

      Thanks for reporting this to me. You are correct, these are in fact False Positives. The first one was simple enough to correct, but the other two were a bit of a problem. They are not malicious but the HTML is improper, there should not be any tags between the and the tags, and it is all too common for malicious JavaScript to be injected outside the BODY tag. But I have gone ahead and whitelisted this usage too. This is something that the developers of this plugin should really address to be compliant with HTML coding standards but as long as the script is not malicious and does not present an exploitable vulnerability then it is outside my scope of interest and it will be excluded from future scans using the definition updates that I have just released.

    • On November 26, 2023 at 8:53 am, Mike said:

      Hi, Please advise if this plugin can be initiated from Bluehost cpanel/file manager. I suspect a few wp sites are corrupt with malware. Happy to donate if I can get things back in the coming days.

      • On November 27, 2023 at 5:12 am, Anti-Malware Admin said:

        My plugin must be activated and scans run through the wp-admin on each site. It is best to install my plugin on every site on your server to properly protect and effectively scan each one.

  • On September 19, 2023 at 9:53 pm, Jakub Juncewicz said:

    Hey, nice tool. Helped a lot, but on every site after a few days I get fatal errors like this out of nowhere:

    Warning: require_once(wp-content/plugins/gotmls/images/index.php): failed to open stream: No such file or directory in wp-content/plugins/gotmls/index.php on line 18

    Fatal error: require_once(): Failed opening required ‘wp-content/plugins/gotmls/images/index.php’ (include_path=’.:’) in wp-content/plugins/gotmls/index.php on line 18

    How can I avoid it?

    • On September 20, 2023 at 3:22 am, Anti-Malware Admin said:

      This error indicates that the index.php file in the plugins/gotmls/images/ folder has been deleted. Some other plugin or malicious code is deleting this file which is required by my plugin and that is causing this error. You can delete and reinstall my plugin to replace any missing files but the bigger issue is to figure out what is deleting this file on all your sites.

      Once the files are all reinstalled then you can try to protect that file from being deleted by changing the permissions on the file to read-only, then you might even find out what script was trying to delete by watching the error_log files for any deletion attempts that might fail once the file is protected.

  • On August 24, 2023 at 5:29 am, leandro xavier said:

    Hello, I would like to make a contribution, but my PayPal account does not work. Would there be another way to contribute?

  • On August 9, 2023 at 1:40 am, Usman Habib said:

    Started using this tool excellent so far

    Done the donation

  • On July 20, 2023 at 10:30 pm, murat akgun said:

    thank you very much

  • On July 9, 2023 at 10:31 pm, mohammad said:

    Thank You a Million. Your Plugin saved my website.

  • On June 14, 2023 at 12:46 am, Martin said:

    Hi would you consider adding scheduled scanning feature and admin notification?

    • On June 20, 2023 at 5:35 am, Anti-Malware Admin said:

      I am working on this feature now. It is taking some time to reconfigure and optimize the scan engine for offline or background scanning but I will get there ;-)

  • On June 7, 2023 at 8:44 am, FireSpike LLC said:

    Thank you for providing and supporting this excellent tool. We recommend it and use it for all of our clients’ websites!

  • On December 27, 2022 at 1:39 pm, Zidan Pragata said:

    can you please make this great plugin a standalone PHP version, used not only for wordpress, but all web applications?

    • On December 28, 2022 at 4:03 am, Anti-Malware Admin said:

      I have experimented with this concept on other platforms and found that there are often a great many false positives. WordPress is a unique environment for this plugin because of its open-source nature and because it is so widely used it has become a large target for hackers and malware. A similar plugin for other popular CMS platforms would need to be customized for that specific environment to be as effective. There are already anti-malware products you can install at a server level to scan and remove malware across all platforms which are much more efficient than PHP scripts but they must be managed with more expertise. This plugin is a targeted DIY solution for non-technical website administrators of WordPress.

      There are ways in which you can get this plugin to scan other sites, either by embedding those sites into a sub-directory of a working WordPress installation or by creating a symlink of the site-root for another site in a WordPress site’s directory hierarchy, but I would caution you to be careful with this and scrutinize the results closely.

      • On January 9, 2023 at 7:41 am, Zidan Pragata said:

        symlink.. ok..
        thanks for the response

      • On March 6, 2023 at 10:03 am, Zidan Pragata said:

        On Windows Server, I tried to use “mklink /J [dest folder][source folder]”

        for the scan process there is no problem, but when it finds a malware, gotmls can’t remove it. perm folder is already 0777.

        • On March 7, 2023 at 6:25 am, Anti-Malware Admin said:

          That might be the permissions on the symlink for that folder but what about the contents of the destination folder? Also, there may be directory restrictions on paths outside of the web-root, or other methods of chroot’ing the web/php user into a limited path selected for security reasons.

          • On March 7, 2023 at 10:58 am, Zidan Pragata said:

            can you add function “immediately quarantine if “Threat found”.

            this function is very helpful if the scanned files are very large, scan process can be left while sleeping. :)

          • On March 8, 2023 at 7:47 am, Anti-Malware Admin said:

            That would be a great idea if we could be 100% confident that it would be safe to quarantine all threats right when they are found. At this time I prefer to have the user review all the threats found and actively decide to fix them when they can then make sure that the site is still functioning and that none of the modifications need to be reverted. I am working on a feature that will be part of a bigger update that will allow you to automatically fix threats that have already been fixed once and then have gotten reinfected, but this too is somewhat problematic because it’s not a real solution either. If the site is getting reinfected then the root cause of those infections needs to be stopped for good, not just repeatedly fixed.

            It sounds like the bigger issue for you is that the complete scan is taking so long at all. You shouldn’t have to be waiting all night for the scan to finish in the first place. There are usually a few things you can tweak on your server to speed up the scan, like increasing the memory_limit in your php.ini, deleting all cache files in the scan path, and removing any unneeded themes and plugins or any other unused directories in the scan path.

  • On December 2, 2022 at 5:11 pm, Wil Haines said:

    Use Anti-Malware on all of my sites. Best thing that I’ve seen to help keep the enemy contained.

  • On October 29, 2022 at 9:17 am, Zohaib Iqbal said:

    awesome

  • On August 31, 2022 at 10:34 pm, 34SAD ZNS said:

    Hi Eli, I have cleaned my site, there were several thousand malware files but I am missing something. The index.php file gets hacked only a second from cleaning. There must be a backdoor somewhere but your plugin says everything else is clean. If I delete the .htaccess and index.php files in Cpanel, they get created immediately and with the same content. Here is a code from the top of the index.php.

    • On September 2, 2022 at 6:55 am, Anti-Malware Admin said:

      It sounds like there is an open instance of PHP running on the server that is continuously executing the malicious code that is re-writing those files you are fixing. You can try stopping the Apache service in your Cpanel and then replace the index.php file before it is triggered again, then restart the Apache service.

  • On November 30, 2021 at 4:49 am, jagan nair said:

    Hi Eli

    Been using your super plugin to clean up a server, I ran it in all the websites, it found the malwares and fixed the files, but it’s getting affected again. So my plan is to download all the web files, scan them locally and upload them back website after another. What do you think of this approach and please suggest a good malware scanner which I can use locally in my desktop, is it possible to use yours locally?

    • On November 30, 2021 at 8:15 am, Anti-Malware Admin said:

      My plugin only works inside a working install of WordPress and I would strongly recommend against installing a working copy of any infected site on your local machine. You can download the files as long as they are not executed locally and scan them with any anti-virus software but it is not likely to find anything new that way, PHP and web-based malware is very different from PC malware and so the scanning software must look for very different patterns.

      If your site is getting reinfected and the malware is coming back then there must be some backdoor or exploitable vulnerability on the live server that is letting these infections in. Try running the Complete scan again on all the sites to see if it finds the same re-infected files mostly on one site or if the infections are spread equally over all sites. This will help you determine if the threat is coming from one of your sites or if it could be a root infection of the server. Keep in mind that most shared hosting platforms don’t have any kind of protection against crossover contamination from one site to the next (sometimes even from sites on other accounts on that same server that you don’t have access to). How many sites do you have on this server?

      You can reply to my email directly if you need more help.

  • On October 21, 2021 at 6:22 pm, Petar Krajinovic said:

    Hi,
    Can I scan and clean the public_html folder of my WordPress installation?
    I have several WP installations within that folder and I’ve been informed by BlueHost during a chat that I have infections all over the public_html folder.

    • On October 22, 2021 at 3:31 am, Anti-Malware Admin said:

      Yes, if you install the plugin on the root site in the public_html directory then it will scan all the files in all the sub-directories, including those other sites installed in folders inside the public_html path. However, it is also a good idea to install my plugin on each of those sites individually for quicker scanning and better protection for each site.

  • On August 19, 2021 at 7:57 am, Joel said:

    WHEN I DOWNLOAD DEFINITION

    Request Entity Too Large

    The requested resource does not allow request data with POST requests, or the amount of data provided in the request exceeds the capacity limit.

    • On August 19, 2021 at 9:10 am, Anti-Malware Admin said:

      This is a limitation of your host that can be configured in the php.ini on your server. Please ask your hosting provider to help you increase the post_max_size and upload_max_filesize values in your php.ini file. If you and your host cannot decide what value to set these to then I could suggest that you at least double them to start with or maybe just set them to something reasonably large like 32M or higher if you like.

  • On June 23, 2021 at 7:37 am, Chandra kant tiwari said:

    incredible plugin.

  • On June 1, 2021 at 8:48 pm, Derek Batty said:

    Hi Eli

    How can I get in contact to discuss a core.file that has come up in the scan?

    I am concerned about affecting web site functionality.

    Appreciate your advice

    Regards

    Derek

    • On June 2, 2021 at 2:58 am, Anti-Malware Admin said:

      You can email me directly if you need to attach files or screenshots, but I can tell you that unless you have purposefully made custom changes to any of your core files and you want to keep those alterations then you should absolutely use the auto-fix in my plugin to restore any modified core files to their original state.

  • On May 28, 2021 at 4:14 am, Hamamd Ali said:

    Hello,

    I was simply amazed as how your plugin removed the malware code from my website and donated upon the half scan. But regarding the brute force protection I am getting an error

    Brute-force Protection Not Installed – No response from Server

    Can you please help me regarding this?

    • On May 28, 2021 at 3:33 pm, Anti-Malware Admin said:

      Thank you, I’m glad that you like the plugin.

      The message you are getting (“no response from server”) suggests that your server is not responding to the session check. There are a few server requirements for the Brute-Force Protection to work. First, your site must be hosted on a server running Apache with mod_rewrite installed. Most importantly though, your server must be capable of creating a persistent session. In other words the php function Session_start() has to successfully open a session cookie on the server and write that cookie file to the server’s temp file location. Ask your hosting provider to check these things on the server and verify that your site is able to create a persistent session file.

      Let me know if you need any more help with this. You can also email me directly:
      eli AT gotmls DOT net

  • On May 13, 2021 at 7:51 pm, Niels Nicolas Przybilla said:

    Hi,

    I had an adsformarket malware in my site.

    Gotmls found a lot, but not all like:

    <?php
    /**
    * @package WordPress
    * @subpackage AirWP
    */

    get_header();

    It is located for example in the index.php of the theme.

    • On May 14, 2021 at 2:44 am, Anti-Malware Admin said:

      There is nothing malicious about the code you posted here, that is why it was not removed.

  • On May 3, 2021 at 4:22 am, Pietro Fernandes said:

    Thank you very much!!

  • On April 22, 2021 at 7:06 pm, Yneka Myers Myers said:

    Hello, does this clean the website after scan?

    • On April 23, 2021 at 3:21 am, Anti-Malware Admin said:

      Yes, the automatic fix option is available as soon as any known threats are found. Just make sure that you have downloaded the latest definition updates and then run the Complete Scan.

  • On April 21, 2021 at 6:01 pm, Mohammad Doulat said:

    Thank you for Anti-Malware software.

  • On April 20, 2021 at 4:06 am, Michael Wing said:

    Hi. Your plugin is great but I’m wondering why it’s skipping certain folders/files during a complete scan? I have it set to not skip any file extensions and yet it skips like 29 important folders during a complete scan. Some of the folders that it’s skipping I consider to be a priority for scanning. Thanks.

    • On April 20, 2021 at 4:08 am, Michael Wing said:

      Actually it was 24 skipped files, not 29 skipped folders, but those files are important files to scan for me. Thanks

      • On April 20, 2021 at 12:04 pm, Anti-Malware Admin said:

        If you hover over each of the file names on the list of skipped files then it will tell you why they were skipped. It sounds like you may have already cleared out the list of file extensions to skip so my guess is that the remaining 24 skipped files were empty (0 bytes) so there would be no reason to scan them. Let me know what explanation you find in the ToolTip when you hover over those items and I can help you more if there is something else going on.

  • On March 11, 2021 at 12:20 pm, enel lee said:

    Are you still an active member of the Internet Defence League??

    • On March 12, 2021 at 5:53 pm, Anti-Malware Admin said:

      I wouldn’t say I’m that “active” of a member but I still support the cause and promote their site.

  • On March 11, 2021 at 9:30 am, Stav said:

    Hi there,

    Just wondering whether the “Anti-Malware Security and Brute-Force Firewall” plugin for WordPress will keep getting updates since it has not been updated for a while now. Thanks!

    Regards,
    Stav

    • On March 12, 2021 at 5:49 pm, Anti-Malware Admin said:

      The plugin does not need frequent updates because I offer definition updates on a regular basis that can be automatically downloaded from within the plugin. When code changes are needed or when I have a new feature to release then I will release new plugin updates but otherwise the plugin itself does not need many changes.

      • On March 12, 2021 at 10:08 pm, Stav said:

        Great, thanks for your reply. So how do I go about purchasing the premium version of the plugin? And if I buy the premium version of the plugin, will I be able to use it on several websites or single website? Thanks!

        • On March 14, 2021 at 12:24 pm, Anti-Malware Admin said:

          Sure, you can register all your keys under the same email address so that they are all on the same account. Then just make a donation using the link in any of the wp-admin pages and you will have access to the premium features on all sites.

          • On March 16, 2021 at 4:55 am, Stavros Charidemou said:

            Hi there,

            Thanks for your reply! Just installed the plugin and made a donation! When do I know that the premium features are going to be enabled?

            Kind Regards,
            Stav

          • On March 16, 2021 at 4:07 pm, Anti-Malware Admin said:

            I see your donation, thanks. The premium features are automatically enabled when you donate. If you don’t see the option to enable the automatic update feature then try clearing your cache and refreshing your wp-admin.

      • On March 19, 2021 at 7:20 am, Amanda Nave said:

        The WordPress Plugins page says that the plugin is untested with the current version of WordPress. Is this true?

        • On March 26, 2021 at 3:36 am, Anti-Malware Admin said:

          No, it just says that because I have not released a plugin update since the last WordPress release. I release frequent definition updates which are downloaded directly through the plugin so I do not need to release plugin updates that often. I have personally tested my current plugin version with the latest version of WordPress and it does work fine.

  • On March 6, 2021 at 8:14 am, Francis Kilroy said:

    I donated but never got my code to enter on the site. Could you please let me know what I have to do?

    • On March 7, 2021 at 3:53 am, Anti-Malware Admin said:

      The premium features were automatically unlocked for the key that you already registered when you made your donation. Just refresh the Anti-Malware Settings page in your wp-admin and you should see the option to enable automatic updates. Check that box and click save and it will automatically install the core files definitions. If you don’t see those options then try clearing your cache and refreshing the page again. If you need more help finding it then please send me a screenshot so that I can see what might be wrong on your end.

  • On December 9, 2020 at 5:39 am, Kristal said:

    Hi, I bought your plugin, well made a donation so I could scan core files. However Wordfence is detecting this virus

    The issue type is: Backdoor:PHP/apies-hex.8825
    Description: Hex-encoded apies.org C2 domain, typically found in backdoors

    But your plugin is not and I am stuck at 99%

    Got Stuck (1) Got Stuck (2) Got Stuck (4) Got Stuck (8) Got Stuck (16) Got Stuck (32) Got Stuck (64) Got Stuck (128) Got Stuck (256) Got Stuck (512) Got Stuck (1024)

    • On December 9, 2020 at 3:13 pm, Anti-Malware Admin said:

      Thanks for your donation ;-) I have just now updated the Definitions with the Core Files for the new version of WordPress 5.6, so just make sure that the Automatic Updates is set to “Yes” and then click “Save Settings” again to automatically install the definitions for the WP 5.6 Core Files.

      If you find any files that are not getting cleaned by my plugin then please email them to me so that I can add them to my definition updates.

      If you run the Complete Scan again after this latest update and it still ends at 99% with “Got Stuck …” then can you see what files are left in the Queue that are not getting scanned (click on “Selected Folders” on the right of the scan progress and scroll down to see which ones are not finished)?

      • On December 13, 2020 at 4:30 am, Kristal said:

        Still getting donate now button on some of my websites. I did make a donation

        • On December 13, 2020 at 8:49 am, Anti-Malware Admin said:

          You probably registered those other sites to a different email address so they are not on the same account. You can click on the registration key to open the pre-filled registration form and change the email address to match the account with your donation and click submit. Then clear your cache and refresh your wp-admin and it should show your donation ;-)

  • On November 13, 2020 at 1:15 am, Christian Hammenstede said:

    Hej, I finally made a donation today because I was able to experience first hand what happens when you focus on other things but not on the really important ones.
    Thanks for the great work!
    Christian

  • On September 17, 2020 at 11:15 pm, Farmaci a prezzi scontati said:

    Great plugin that I will use to avoid malware. Thank you

  • On August 13, 2020 at 1:39 am, Harris said:

    Malware (monit.php) has been fixed using your plugin. I really appreciate this plugin.

  • On July 31, 2020 at 10:45 pm, Mohit Gupta said:

    If the plugin was unable to scan some files and had scan / read errors, what does it mean and how can I correct it?

    • On July 31, 2020 at 10:49 pm, Mohit Gupta said:

      …/wp-content/plugins/uncanny-automator/src/assets/vendor/fontawesome/js/fontawesome-5.min.js

      This is one of the files

    • On August 3, 2020 at 6:52 pm, Anti-Malware Admin said:

      This is most likely because that file is too big for your server to open and scan using the memory_limit set for all PHP processes in your php.ini file.

  • On July 13, 2020 at 7:26 am, AD Bhatti said:

    Thanks for your support.

  • On July 3, 2020 at 4:45 am, Derek Harris said:

    Can you please add a detection to the scan for WordPress ADD USER function via PHP? I was hacked recently and this code was added to several files.

    Thank you

    • On July 8, 2020 at 9:51 am, Anti-Malware Admin said:

      There are already multiple definitions that look for malicious uses of the wp_create_user function. There are also many legitimate uses for that function so I cannot just ban the use of it altogether or I would break a lot of otherwise functional sites. If you have discovered a new malicious use of this function or any other malicious code, please send me the whole file that contains these malicious scripts and I will add them to my definition updates.

  • On June 16, 2020 at 7:46 am, Marten Davis said:

    I added to my donation total. Use the plugin on all my WP sites and regularly run scans. I do have a problem that my Brute Force Protection does not populate on the Firewall options at the bottom. It just runs and runs….

    Thanks for a great plugin
    Marten Davis

    • On June 16, 2020 at 11:10 am, Anti-Malware Admin said:

      Thanks for your donations!

      The issue with the Brute-force Protection could be related to the permission on the /tmp/ directory, or a partition is full, or there is something else wrong with the session_start in PHP or the rewrite rules in the .htaccess files on your server. Or it might just be a JavaScript error caused by a popup blocker or other security setting in your browser. There are so many other things too that might be interfering with your ability to enable this protection on your server, so we need more information to figure out exactly what is causing this issue for you. Can you check the Console tab in your browser’s Inspector for any errors on that page that might explain why that option won’t finish loading? There might also be an error in the error_log files on your server that may reveal more info about the problems on your server that might prevent you from using this feature.

  • On June 4, 2020 at 7:22 pm, janca palomino said:

    I can only say how grateful I am. Truly, a thousand thanks.

  • On May 21, 2020 at 7:01 am, Carambola Marketing said:

    Hi, do you have updates regarding the malware related to monit.php script that is causing injections to DB?

    • On May 21, 2020 at 10:25 am, Anti-Malware Admin said:

      Yes, all known variants of this threat should be found by the Complete Scan if you have the latest definition updates for my plugin. Please let me know if you have a new variation of this threat that is still not being detected so I can look into it more.

