Title: Database scan feature
Last modified: August 30, 2016

---

# Database scan feature

 *  Resolved [Viktor Szépe](https://wordpress.org/support/users/szepeviktor/)
 * (@szepeviktor)
 * [10 years, 11 months ago](https://wordpress.org/support/topic/database-scan-feature/)
 * A “competing plugin’s” changelog says:
 *     ```
       New scanning routine examines the wp_options table for executable code based on a new infection we are seeing that is well hidden.
       ```
   
 * There are injection attacks, you know it.
   The only trace they leave behind is
   a small change in the wp_options table. For example, a script tag in a plugin’s
   option that does script printing without sanitizing the value. There are a lot
   of these script-printing plugins not using `wp_localize_script()`.
 * Do you have a plan for this?
 * [https://wordpress.org/plugins/sucuri-scanner/](https://wordpress.org/plugins/sucuri-scanner/)

Viewing 14 replies - 1 through 14 (of 14 total)

 *  [SucuriSupport](https://wordpress.org/support/users/kvllz/)
 * (@kvllz)
 * [10 years, 11 months ago](https://wordpress.org/support/topic/database-scan-feature/#post-6244250)
 * Hi there,
 * Our plugin itself doesn’t actually perform malware scanning, it uses SiteCheck
   scanner (sitecheck.sucuri.net) and it detects when these issues are displayed
   remotely.
 * Thanks
 *  Thread Starter [Viktor Szépe](https://wordpress.org/support/users/szepeviktor/)
 * (@szepeviktor)
 * [10 years, 11 months ago](https://wordpress.org/support/topic/database-scan-feature/#post-6244251)
 * Thank you!
    I usually to contribute to your plugins by bug reports and feature
   requests. Is Yorman around here?
 *  Thread Starter [Viktor Szépe](https://wordpress.org/support/users/szepeviktor/)
 * (@szepeviktor)
 * [10 years, 11 months ago](https://wordpress.org/support/topic/database-scan-feature/#post-6244252)
 * A remote scan may or may not catch these.
   A local DB scan can easily spot `<script` or `<iframe` in the options.
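The local option scan described in this thread (looking for `<script` or `<iframe` inside `wp_options` values), written out here as an added Python example; it is not code from the Sucuri plugin nor from the poster's wpf2b-option-scan-mu.php. It assumes input rows shaped like the JSON that `wp option list --format=json` prints (`option_name` / `option_value`, values still PHP-serialized); the sample rows, the option names and the `evil.invalid` host are constructed, and the `MARKUP_EXPECTED` allowlist is a hypothetical per-site setting.

```python
"""Local wp_options scan for injected <script / <iframe markup.

Added example, not code from the Sucuri plugin or from wpf2b-option-scan-mu.php.
Input rows are dicts {"option_name": ..., "option_value": ...}; this is the
shape `wp option list --format=json` prints (assumed), and SAMPLE_ROWS below
are constructed to stand in for such an export.
"""
import json
import re
import sys

# The two tell-tale strings from the thread. Matching is done on the raw,
# possibly PHP-serialized value: serialization stores strings verbatim with a
# length prefix, so a tag buried inside a serialized array is still visible.
# Case-insensitive because HTML tag names are. The \b stops "<scripture"
# from matching.
SUSPICIOUS_PATTERNS = [
    ("script tag", re.compile(r"<script\b", re.IGNORECASE)),
    ("iframe tag", re.compile(r"<iframe\b", re.IGNORECASE)),
]

# Options a site admin expects to hold hand-written HTML (hypothetical list).
# Hits there are downgraded to "review" rather than suppressed, so a tag
# planted in a text widget still shows up.
MARKUP_EXPECTED = {"widget_text", "widget_custom_html"}


def scan_value(option_name, option_value):
    """Return one finding per suspicious match in a single option value."""
    findings = []
    for label, pattern in SUSPICIOUS_PATTERNS:
        for match in pattern.finditer(option_value):
            start = max(0, match.start() - 20)
            findings.append({
                "option_name": option_name,
                "pattern": label,
                "offset": match.start(),
                "severity": "review" if option_name in MARKUP_EXPECTED else "high",
                "snippet": option_value[start:match.end() + 40],
            })
    return findings


def scan_options(rows):
    """Scan every row; findings keep row order, then pattern order."""
    findings = []
    for row in rows:
        value = row.get("option_value", "")
        if not isinstance(value, str):
            value = json.dumps(value)  # tolerate an export with pre-decoded values
        findings.extend(scan_value(row["option_name"], value))
    return findings


# Constructed sample export: two clean core options, a plugin option whose
# serialized array carries an injected script tag (mixed case on purpose), and
# a text widget holding an iframe. evil.invalid is a reserved placeholder host.
SAMPLE_ROWS = [
    {"option_name": "siteurl", "option_value": "https://example.com"},
    {"option_name": "blogdescription", "option_value": "Just another site"},
    {"option_name": "some_plugin_footer_html",
     "option_value": 'a:1:{s:4:"text";s:43:"<ScRiPt src="//evil.invalid/x.js"></script>";}'},
    {"option_name": "widget_text",
     "option_value": 'a:2:{i:2;a:1:{s:4:"text";s:42:"<iframe src="https://evil.invalid/" hidden>";}s:12:"_multiwidget";i:1;}'},
]


def main(argv):
    if len(argv) > 1:
        with open(argv[1], encoding="utf-8") as fh:
            rows = json.load(fh)
    else:
        rows = SAMPLE_ROWS
    findings = scan_options(rows)
    for f in findings:
        print(f'[{f["severity"]}] {f["option_name"]} @{f["offset"]}: '
              f'{f["pattern"]}: {f["snippet"]!r}')
    # Non-zero exit on any high-severity hit makes the scan usable from cron.
    return 1 if any(f["severity"] == "high" for f in findings) else 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Run it without arguments to scan the constructed rows, or pass the path of a `wp option list --format=json` export. Because the regexes run over the raw serialized blob, no PHP unserializer is needed, and a tag nested several levels deep in a widget array is found just the same; the allowlist only changes severity, never hides a hit.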
 *  Thread Starter [Viktor Szépe](https://wordpress.org/support/users/szepeviktor/)
 * (@szepeviktor)
 * [10 years, 11 months ago](https://wordpress.org/support/topic/database-scan-feature/#post-6244255)
 * > Is Yorman around here?
 * I am very sorry about this sentence.
 * It was hard to realize that I am treated as a plugin user when I am willing to
   contribute, and – as I’ve experienced that earlier – Yorman treats me as a contributor.
 *  Thread Starter [Viktor Szépe](https://wordpress.org/support/users/szepeviktor/)
 * (@szepeviktor)
 * [10 years, 11 months ago](https://wordpress.org/support/topic/database-scan-feature/#post-6244256)
 * > I usually to contribute to your plugins
 * has two typos:
 * I usually contribute to your plugin …
 *  Thread Starter [Viktor Szépe](https://wordpress.org/support/users/szepeviktor/)
 * (@szepeviktor)
 * [10 years, 11 months ago](https://wordpress.org/support/topic/database-scan-feature/#post-6244257)
 * You have to know that I was an iThemes Security plugin contributor when it was
   developed actively.
 *  Thread Starter [Viktor Szépe](https://wordpress.org/support/users/szepeviktor/)
 * (@szepeviktor)
 * [10 years, 10 months ago](https://wordpress.org/support/topic/database-scan-feature/#post-6244308)
 * Until it gets into Sucuri Scan:
 * [https://github.com/szepeviktor/wordpress-fail2ban/blob/master/wpf2b-option-scan-mu.php](https://github.com/szepeviktor/wordpress-fail2ban/blob/master/wpf2b-option-scan-mu.php)
 * or robust solution:
 * [https://wordpress.org/plugins/exploit-scanner/](https://wordpress.org/plugins/exploit-scanner/)
 *  [yorman](https://wordpress.org/support/users/yorman/)
 * (@yorman)
 * [10 years, 10 months ago](https://wordpress.org/support/topic/database-scan-feature/#post-6244309)
 * Thanks for your suggestion, it would be great to have a feature like this to 
   add an additional layer of protection to all sites using this plugin. Unfortunately
   I am not allowed to write the code to power this feature because there is already
   a premium service offered by Sucuri that does exactly this [1].
 * An alternative would be to write a database scanner with reduced functionality
   that can be used to send alerts about a possible infection and then let the user
   choose to either clean the data by himself or buy the premium service.
 * However, there are plenty of plugins that already offer this option for free [2]
   and they are probably willing to keep improving their code; on the other hand,
   I could implement a limited feature as I suggested above, but I cannot ensure
   that it will be updated in the near future _(because of my job restrictions)_,
   which makes it worthless taking into consideration the quantity of new malware
   that appears daily.
 * [1] [https://sucuri.net/website-antivirus/](https://sucuri.net/website-antivirus/)
   [2] [https://wordpress.org/plugins/search.php?q=malware+scanner](https://wordpress.org/plugins/search.php?q=malware+scanner)
 *  Thread Starter [Viktor Szépe](https://wordpress.org/support/users/szepeviktor/)
 * (@szepeviktor)
 * [10 years, 10 months ago](https://wordpress.org/support/topic/database-scan-feature/#post-6244310)
 * Thank you.
    This feature should go into my handmade WAF.
 * Excuse me!
   Which of the linked plugins have high code quality? Could it be that
   none of them do?
 *  Thread Starter [Viktor Szépe](https://wordpress.org/support/users/szepeviktor/)
 * (@szepeviktor)
 * [10 years, 10 months ago](https://wordpress.org/support/topic/database-scan-feature/#post-6244311)
 * … and I’ve pointed out:
   > A remote scan may or may not catch these.
   > A local DB scan can easily spot `<script` or `<iframe` in the options.
 * So even a paid WAF could be unable to detect malicious code in the `wp_options`
   table.
 * Please take a look at exploit-scanner, the zillion patterns it detects:
 * [https://plugins.trac.wordpress.org/browser/exploit-scanner/trunk/exploit-scanner.php](https://plugins.trac.wordpress.org/browser/exploit-scanner/trunk/exploit-scanner.php)
 *  Thread Starter [Viktor Szépe](https://wordpress.org/support/users/szepeviktor/)
 * (@szepeviktor)
 * [10 years, 10 months ago](https://wordpress.org/support/topic/database-scan-feature/#post-6244312)
 * **off:** Does Sucuri Sitescan scan for page content that is generated with
   HTTP_REFERER=google.com?
 *  [yorman](https://wordpress.org/support/users/yorman/)
 * (@yorman)
 * [10 years, 10 months ago](https://wordpress.org/support/topic/database-scan-feature/#post-6244313)
 * The Sucuri WAF _(aka. CloudProxy)_ does not scan anything, but the antivirus
   service does [1], considering that it is a server-side scanner and the database
   of signatures is pretty big. SiteCheck is another story: it is a simple web scanner,
   so technically speaking it should not detect malicious code injected in the database
   that is not reflected in the rendered HTML code _(as you already explained)_.
 * To answer your question _“which of the linked plugins have high code quality”_,
   I do not know. I suppose all of the plugins listed on that page have different
   features, so one has to check them all to make a good decision.
 * The list of static signatures included in class _“File\_Exploit\_Scanner”_ of
   the plugin mentioned in one of your previous comments seems good enough for common
   attacks. But to build a good malware scanner you have to implement a _“Mutation
   Algorithm”_ [2], and after a couple of hours working on that you will realize
   that writing an algorithm like that for free does not make sense.
 * [1] [https://sucuri.net/website-antivirus/](https://sucuri.net/website-antivirus/)
   [2] [https://en.wikipedia.org/wiki/Mutation_(genetic_algorithm)](https://en.wikipedia.org/wiki/Mutation_(genetic_algorithm))
 *  Thread Starter [Viktor Szépe](https://wordpress.org/support/users/szepeviktor/)
 * (@szepeviktor)
 * [10 years, 10 months ago](https://wordpress.org/support/topic/database-scan-feature/#post-6244314)
 * Thank you.
 * So Sucuri Website AntiVirus actually is written in PHP.
 *  [yorman](https://wordpress.org/support/users/yorman/)
 * (@yorman)
 * [10 years, 10 months ago](https://wordpress.org/support/topic/database-scan-feature/#post-6244315)
 * I do not know, I do not have access to the code of all projects, I work in the
   CloudProxy team. But I know that PHP is one of many programming languages that
   we use, including: C, Go, Lua, Python, and Bash.

## Tags

 * [sucuri-technical](https://wordpress.org/support/topic-tag/sucuri-technical/)

 * 14 replies
 * 3 participants
 * Last reply from: [yorman](https://wordpress.org/support/users/yorman/)
 * Last activity: [10 years, 10 months ago](https://wordpress.org/support/topic/database-scan-feature/#post-6244315)
 * Status: resolved