Security is scary at times, isn’t it? A few months ago we went through Patchstack’s State of the WordPress Security report and discussed where the WordPress community was in terms of security. There was a discussion of what we all were succeeding at and information on what we could do better. Dan Knauss of iThemes continued with a dive into the malware scanners many in the community use in his write-up, “Why WordPress Malware Scanners Are Worthless.”
What’s going on with our Malware Scanners?
Knauss takes new research from Snicco, WeWatchYourWebsite, GridPane, and PatchStack. It suggests that WordPress malware scanners are fundamentally flawed. As per the research, scanners operating as plugins in a compromised environment are at best cleanup tools and not robust defense lines. He also goes in-depth to explain how local and remote malware scanners can be easily outsmarted and rendered ineffective, with their functionality being tampered with by the malware.
Is there anything we can do?
If you are paranoid about security at this point in all aspects of life as I usually am, fear not because there are things that we can do to make ourselves a little more safe. In regards to malware scanners that make us vulnerable, Knauss advises shifting focus from detection to prevention, emphasizing strong user login security, careful user management, and maintaining vigilance in version management. Basically, echoing what cybersecurity experts have wanted us to understand for a long time: there is no one way to secure your information on the web. Several walls of protection are needed as malware, hackers, and other bugs evolve. We must evolve with them. You can read Knauss’ full article here on the history of malware scanners, and what we can do now to make sure we are safely protected.