=== Exploit Scanner ===
Contributors: donncha, duck_, ryan, azaozz, tott, pento, philipjohn
Tags: security, scanner, hacking, spam, hack, crack, exploit, vulnerability
Tested up to: 4.4
Stable tag: 1.4.9
Requires at least: 3.3

Search the files and database of your WordPress install for signs that may indicate that it has fallen victim to malicious hackers.

== Description ==
This plugin searches the files on your website, and the posts and comments tables of your database for anything suspicious. It also examines your list of active plugins for unusual filenames.

It does not remove anything. That is left to the user to do.

Latest MD5 hash values for Exploit Scanner:

* 6d1a7b0e8473bcedee1fcf5b1227a037  exploit-scanner.php (1.4.8)
* 2b0d0e1f028dc4dfeaa44bff7d24a605  hashes-4.3.1.php
* 570cc1e5aa4cc76260119c83d0a819ae  hashes-4.2.5.php
* 95f92e75c354ded98e6dff4f16932ca4  hashes-4.1.8.php
* 5fe89402f4b1130e62a1874ad8e26a52  hashes-3.9.9.php
* 6964b4ceb046069d7cde83341fe7b463  hashes-3.8.11.php
* cf251de319137edd9d43339c0407f4c6  hashes-3.7.11.php
* bd1f04ed3355a96e22b162cdd8d11ad1  hashes-4.0.8.php
* d45d010b90935cfbb7f690f29ac06d01  hashes-3.7.9.php
* d67dca846634692f0fcafbb287b0e9e2  hashes-3.7.10.php
* 83e9b85e82f57731030f6d24a5076dbd  hashes-3.8.9.php
* d6b1411c62dcebc5873224ea704f5fac  hashes-3.8.10.php
* 3ceb4f75e5d5bf2322a3815b9829ebd1  hashes-3.9.7.php
* 071807f22d4b04fafe51ce5cf30af4d1  hashes-3.9.8.php
* dceaefb77a18a6333672d8deed3adcb5  hashes-4.0.6.php
* 69c55007ce1eba31d76d4ad10bdc3075  hashes-4.0.7.php
* 15fab6a2ecfd993e47410b7877e28248  hashes-4.1.6.php
* b64ca1ed90e4d8624ce07995425504f1  hashes-4.1.7.php

Latest SHA1 hash values for Exploit Scanner:

* 74981a5b014524f0a9c7bbc5d0308bb4a5856e65  exploit-scanner.php (1.4.8)
* 5cf810bcf2f83e03926ee279a11cbf90a47d46e8  hashes-4.3.1.php
* 1831a54308762b6af552236243e68b5c8ea3a573  hashes-4.2.5.php
* ddcbf8e2a77b0875ea18f3cdf5f8f4d599c2e762  hashes-4.1.8.php
* ea5cf56f3058bbc23a309502d968517745e14ad9  hashes-3.9.9.php
* 15956b557b43c3d8db42c9b6faeae77051349bb0  hashes-3.8.11.php
* 0c9bf6b7b6ad4ba4bc4a51b255fc81e9c0dd6057  hashes-3.7.11.php
* 3bb5d1f281673cd4a60780f05488fcaf3cb153b7  hashes-4.0.8.php
* 7e1efa35f30f3d1537d92ddf598fc4a3a1405864  hashes-3.7.9.php
* 3ecd073247978406328503e064b13714d003425c  hashes-3.7.10.php
* 4463da725f7c69b75c27a859d07fd75483b537ab  hashes-3.8.9.php
* 43a28f7130242e0b75d6dcc2dc891ea74744987c  hashes-3.8.10.php
* aa4c0458df2fef2a13b9fbbb8ed7b8f0caef4b45  hashes-3.9.7.php
* eb8896715041218dd4b663d5770e39fd04fabbfb  hashes-3.9.8.php
* 0a4303dbfe7b6d0b8a727c983ab25679f76416d9  hashes-4.0.6.php
* 84c1949b35ec20e8211addc1cb331b11d353bd97  hashes-4.0.7.php
* aa514c1ab68836c0c56dbaad416780c7f8cc4486  hashes-4.1.6.php
* b840aaabb2d3faac9e61b4a9654f6dbd906df30e  hashes-4.1.7.php

See the [Exploit Scanner homepage](http://ocaoimh.ie/exploit-scanner/) for further information.

== Upgrade Notice ==

= 1.4 =
* Remove an example link to a hacked site
* Fixed the eval() check incorrectly matching function names that end in "eval"
* Fixed some PHP warnings
* WordPress 3.5.2 hashes
* WordPress 3.6 and 3.6.1 hashes
* WordPress 3.7, 3.7.1 and 3.7.2 hashes
* WordPress 3.8, 3.8.1, 3.8.2 and 3.7.3 hashes
* WordPress 3.9, 3.9.1 and 3.9.2 hashes
* WordPress 4.0 and 4.0.1 hashes

== Changelog ==

= 1.4.9 =

* WordPress 4.4 hashes

= 1.4.8 =
* WordPress 4.3.1 security release hashes
* Other missing hashes

= 1.4.7 =
* WordPress 4.3 hashes

= 1.4.6 =
* WordPress 4.2.3 hashes
* WordPress 4.2.4 hashes

= 1.4.5 =
* WordPress 4.2.2 hashes

= 1.4.4 =
* WordPress 3.7.3 hashes
* WordPress 3.7.4 hashes
* WordPress 3.7.5 hashes
* WordPress 3.7.6 hashes
* WordPress 3.7.7 hashes
* WordPress 3.8.4 hashes
* WordPress 3.8.5 hashes
* WordPress 3.8.6 hashes
* WordPress 3.8.7 hashes
* WordPress 3.9.4 hashes
* WordPress 3.9.5 hashes
* WordPress 4.0.2 hashes
* WordPress 4.0.3 hashes
* WordPress 4.0.4 hashes
* WordPress 4.1.4 hashes
* WordPress 4.2.1 hashes

= 1.4.3 =
* WordPress 4.1.3 hashes

= 1.4.2 =
* WordPress 4.2 hashes

= 1.4.1 =
* WordPress 3.9.3, 4.1, 4.1.1 and 4.1.2 hashes

= 1.4 =
* Remove an example link to a hacked site
* Fixed the eval() check incorrectly matching function names that end in "eval"
* Fixed some PHP warnings
* WordPress 3.5.2 hashes
* WordPress 3.6 and 3.6.1 hashes
* WordPress 3.7, 3.7.1 and 3.7.2 hashes
* WordPress 3.8, 3.8.1, 3.8.2 and 3.7.3 hashes
* WordPress 3.9, 3.9.1 and 3.9.2 hashes
* WordPress 4.0 and 4.0.1 hashes

= 1.3.3 =
* WordPress 3.5 and 3.5.1 hashes

= 1.3.2 =
* WordPress 3.4.2 hashes

= 1.3.1 =
* WordPress 3.4.1 hashes

= 1.3 =
* Detect unknown files in the wp-admin and wp-includes directories
* WordPress 3.4 hashes

= 1.2.1 =
* WordPress 3.3.2 hashes

= 1.2 =
* WordPress 3.3.1 hashes
* Use help tabs introduced in WordPress 3.3
* Help prevent one cause of hanging scans (MySQL error 1153)

= 1.1 =
* Scan for and fix old, vulnerable TimThumb scripts
* Detect old export files even if they're larger than the size limit
* WordPress 3.3 hashes

= 1.0.5 =
* WordPress 3.2 and 3.2.1 hashes

= 1.0.4 =
* WordPress 3.1.4 hashes
* Suspicious pattern updates and tweaks

= 1.0.3 =
* Detection of export files left by incomplete imports.
* WordPress 3.1.3 hashes

= 1.0.2 =
* WordPress 3.0.6 and 3.1.2 hashes

= 1.0.1 =
* WordPress 3.1.1 hashes

= 1.0 =
* Core file diffs
* WordPress 3.1 hashes
* Updated suspicious patterns

= 0.97.6 =
* WordPress 3.0.5 hashes

= 0.97.5 =
* WordPress 3.0.4 hashes
* Dropped wp-content from hashes

= 0.97.4 =
* WordPress 3.0.3 compatibility

= 0.97.3 =
* 3.0.2 compatibility

= 0.97.2 =
* 3.0.1 compatibility

= 0.97.1 =
* PHP 4 compatibility

= 0.97 =
* AJAX paging
* simplified results system (now only 3 levels)
* contextual help
* moved to Tools menu section
* a number of backend changes

= 0.96 =
* Compatibility for WordPress 3.0

= 0.95 =
* Added "exploits" scan level for obvious hacker exploit code.
* Stored results for later review.
* Rearranged layout of results.
* Paged scanning so plugin scans 50 files at a time to avoid timeout errors.
* Only show "General Info" on non-MU sites (it's too expensive for large MU sites)

== Installation ==
1. Download and unzip the plugin.
2. Copy the exploit-scanner directory into your plugins folder.
3. Visit your Plugins page and activate the plugin.
4. A new menu item called "Exploit Scanner" will be available under the Tools menu.

== Frequently Asked Questions ==

= How do I fix the out of memory error? =
Scanning your website can take quite a bit of memory. The plugin tries to allocate 128MB, but sometimes that is not enough. You can change the amount of memory PHP has access to from within the plugin admin page. You can also limit the maximum size of scanned files: reduce this number to skip more files, but be aware that this may miss hacked files. Any skipped files are listed after scanning. Deep directory trees also use more memory because of the way the scanner works, so it helps to clean out any cache directories (wp-content/cache/, for example) before scanning.

== Interpreting the Results ==
It is likely that this scanner will find false positives (i.e. files which do not contain malicious code). However, it is best to err on the side of caution; if you are unsure then ask in the [Support Forums](http://wordpress.org/support/), download a fresh copy of a plugin, search the Internet for similar situations, et cetera. You should be most concerned if the scanner is: making matches around unknown external links; finding base64 encoded text in modified core files or the `wp-config.php` file; listing extra admin accounts; or finding content in posts which you did not put there.

Understanding the three different result levels:

* **Severe:** results that are often strong indicators of a hack (though they are not definitive proof)
* **Warning:** these results are more commonly found in innocent circumstances than Severe matches, but they should still be treated with caution
* **Note:** lowest priority, showing results that are very commonly used in legitimate code or notifications about events such as skipped files

== Help! I think I have been hacked! ==
Follow the guides from the Codex:

* [Codex: FAQ - My site was hacked](http://codex.wordpress.org/FAQ_My_site_was_hacked)
* [Codex: Hardening WordPress](http://codex.wordpress.org/Hardening_WordPress)

Ensure that you change **all** of your WordPress related passwords (site, FTP, MySQL, etc.). A regular backup routine (either manual or plugin powered) is extremely useful; if you ever find that your site has been hacked you can easily restore your site from a clean backup and fresh set of files and, of course, use a new set of passwords.

== Updates ==
Updates to the plugin will be posted here and to [Holy Shmoly!](http://ocaoimh.ie/), and the [WordPress Exploit Scanner](http://ocaoimh.ie/exploit-scanner/) page will always link to the newest version.

== Other Languages ==
Unfortunately, for people using WordPress versions for other locales, some of the file hashes may be incorrect because some strings have to be hardcoded in their translated form. Here are some file hashes for WordPress in other languages, provided separately by other members of the community:

* [Japanese](http://wpbiz.jp/files/exploit-scanner-hashes/ja/) - thanks to Naoko
* [German](http://talkpress.de/artikel/exploit-scanner-hash-deutsch-wordpress) - thanks to Robert Wetzlmayr

A hash file should do nothing but declare an array called `$filehashes`, and the majority of the hashes should still be the same.
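As an added example (not code from the Exploit Scanner plugin or from its hash files), the script below shows how a `$filehashes` manifest of the shape described above can be applied to an install: it walks a directory tree, reports files whose digest no longer matches, reports manifest entries that are missing from disk, and lists files on disk that the manifest does not know about, which is the "unknown files" case from the 1.3 changelog. It assumes the array maps install-relative paths to hex digests and takes the digest algorithm as a parameter (md5 in the demo; the plugin's real hash files may use a different algorithm). The input is a constructed three-file tree in a temporary directory, so it runs offline.

```php
<?php
// Added example, not code from the Exploit Scanner plugin. It consumes a manifest in the
// same shape as the plugin's hashes-*.php files (an array named $filehashes, assumed here
// to map install-relative paths to hex digests) and reports modified, missing and unknown
// files. The digest algorithm is a parameter; the demo below uses md5.

declare(strict_types=1);

/** Return the install-relative paths (forward slashes) of every regular file under $root. */
function list_files(string $root): array
{
    $files = [];
    $iterator = new RecursiveIteratorIterator(
        new RecursiveDirectoryIterator($root, FilesystemIterator::SKIP_DOTS)
    );
    foreach ($iterator as $info) {
        if ($info->isFile()) {
            $relative = substr($info->getPathname(), strlen($root) + 1);
            $files[] = str_replace(DIRECTORY_SEPARATOR, '/', $relative);
        }
    }
    sort($files);
    return $files;
}

/**
 * Compare the files under $root with $expected (relative path => hex digest).
 * Returns ['ok' => count, 'modified' => [...], 'missing' => [...], 'unknown' => [...]].
 */
function compare_hashes(array $expected, string $root, string $algo = 'md5'): array
{
    $report = ['ok' => 0, 'modified' => [], 'missing' => [], 'unknown' => []];
    $onDisk = array_flip(list_files($root));   // relative path => index
    foreach ($expected as $relative => $digest) {
        if (!isset($onDisk[$relative])) {
            $report['missing'][] = $relative;
            continue;
        }
        $actual = hash_file($algo, $root . '/' . $relative);
        // hash_equals() compares in constant time; not needed for local files, but the right habit
        if ($actual !== false && hash_equals(strtolower($digest), $actual)) {
            $report['ok']++;
        } else {
            $report['modified'][] = $relative;
        }
        unset($onDisk[$relative]);
    }
    // Whatever is left on disk is not in the manifest: the "unknown file" case
    $report['unknown'] = array_keys($onDisk);
    return $report;
}

// ---- Constructed demo: a tiny "install" in a temporary directory ----
$root = sys_get_temp_dir() . '/es-demo-' . bin2hex(random_bytes(4));
mkdir($root . '/wp-includes', 0700, true);
file_put_contents($root . '/index.php', "<?php require 'wp-blog-header.php';\n");
file_put_contents($root . '/wp-includes/version.php', "<?php \$wp_version = '4.4';\n");

// Manifest taken while the files are clean (constructed values, not real WordPress hashes)
$filehashes = [
    'index.php'               => md5_file($root . '/index.php'),
    'wp-includes/version.php' => md5_file($root . '/wp-includes/version.php'),
    'wp-includes/load.php'    => md5('placeholder: this file is never written'), // reported as missing
];

// Simulate what an intrusion leaves behind: one core file altered, one file dropped in
file_put_contents($root . '/wp-includes/version.php', "// appended line\n", FILE_APPEND);
file_put_contents($root . '/wp-includes/extra.php', "<?php // not in the manifest\n");

$report = compare_hashes($filehashes, $root);
printf("ok: %d\n", $report['ok']);
foreach (['modified', 'missing', 'unknown'] as $kind) {
    foreach ($report[$kind] as $path) {
        printf("%-9s %s\n", strtoupper($kind), $path);
    }
}

// Remove the temporary tree
foreach (list_files($root) as $file) {
    unlink($root . '/' . $file);
}
rmdir($root . '/wp-includes');
rmdir($root);
```

The same `compare_hashes()` call also checks a downloaded copy of the plugin against the SHA1 list earlier on this page: pass a manifest such as `['exploit-scanner.php' => '74981a5b014524f0a9c7bbc5d0308bb4a5856e65']`, the plugin directory as `$root`, and `'sha1'` as the algorithm. A match says only that the files are the ones the author published; a mismatch on a file you have not edited yourself deserves the same caution as a Severe result from the scanner.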

