Introduction
BD Malware Cleaner is a lightweight WordPress malware scanner that protects your site by detecting malicious code, verifying WordPress core file integrity, quarantining threats, and supporting automated scheduled scans with email alerts. It is designed to work reliably on shared hosting environments with chunked scanning to avoid server timeouts.
Requirements
- WordPress 5.6 or later
- PHP 7.4 or later
- A valid BD Malware Cleaner license key (required for all scanning and quarantine features)
Installation
- Download the bd-malware-cleaner plugin ZIP file from your BDShield account at getbdshield.com/shop.
- In your WordPress admin, navigate to Plugins → Add New → Upload Plugin.
- Select the ZIP file and click Install Now, then Activate.
- After activation, you are automatically redirected to the BD Malware Cleaner dashboard, which is listed as BD Malware in your admin sidebar.
Activating Your License
- Go to BD Malware → License tab.
- Enter your license key in the input field and click Activate.
- Once activated, the header will display a green “Licensed” pill and your tier (Starter, Professional, or Agency).
- Your license details including expiration date and site count will be shown below the key field.
Note: A valid license is required to run scans and quarantine files. Without a license, the scanner dashboard is visible but the Start Scan button is disabled.
What BD Malware Cleaner Scans For
BD Malware Cleaner performs five distinct types of security checks across your entire WordPress installation:
1. Malware Pattern Matching
The scanner checks PHP files against a library of over 50 malware signatures organized by severity level. These patterns detect:
- Critical threats: Known backdoor shells (c99, r57, WSO, b374k, FilesMan, Meterpreter), base64 eval chains, obfuscated PHP (gzinflate, str_rot13, strrev), eval of superglobals ($_GET, $_POST, $_REQUEST, $_COOKIE), remote file eval, cryptocurrency miners (CoinHive, CryptoLoot, JSEcoin, XMRig), reverse shells, data exfiltration, and SEO spam injections.
- WordPress-specific backdoors: Direct database manipulation of wp_options, encoded add_action hooks, theme functions backdoors, unauthorized user creation, admin role injection, and cronjob-based backdoors.
- High-severity threats: Dynamic function creation with obfuscation, preg_replace with /e modifier, assert with variables, remote file inclusion via superglobals, hidden iframes, mailer abuse, upload backdoors, variable callback hooks, chmod 777, and hidden SEO link injections.
- Medium threats: Hex and chr() obfuscation chains, remote fopen operations, and variable function calls with superglobal input.
- Low-severity indicators: Disabled error reporting and display_errors suppression.
Tip: Trusted directories such as WordPress core (wp-admin, wp-includes), known popular plugins (WooCommerce, LiteSpeed Cache, Elementor, etc.), and all BD plugins are excluded from pattern matching to avoid false positives. Core integrity checks still run on these files.
2. Core File Integrity Verification
The scanner fetches official WordPress core checksums from api.wordpress.org for your exact WordPress version and locale. Each core file on your server is compared via MD5 hash against the official checksum. Any modified core file is flagged as a “core_modified” threat with high severity. Checksums are cached for 24 hours to avoid repeated API calls.
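The comparison described above can be reproduced independently of the plugin. The following Python sketch is an added example, not BD Malware Cleaner's code: it assumes the checksum list is a JSON object with a `checksums` map of relative path to MD5, runs on a constructed sample tree, and goes beyond the page by also listing files in wp-admin and wp-includes that the list does not contain.

```python
import hashlib, json, os, tempfile
from pathlib import Path

def md5_file(path):
    h = hashlib.md5(usedforsecurity=False)  # integrity comparison only
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(65536), b""):
            h.update(block)
    return h.hexdigest()

def verify_core(root, checksums):
    """Compare files under root with a {relative path: md5 hex} map."""
    report = {"core_modified": [], "missing": [], "unlisted": []}
    for rel, expected in sorted(checksums.items()):
        full = os.path.join(root, *rel.split("/"))
        if not os.path.isfile(full):
            report["missing"].append(rel)
        elif md5_file(full) != expected.lower():
            report["core_modified"].append(rel)  # threat type named on this page
    # Beyond the page: files in core directories that the list does not know.
    for top in ("wp-admin", "wp-includes"):
        for dirpath, _dirs, names in os.walk(os.path.join(root, top)):
            for name in names:
                rel = os.path.relpath(os.path.join(dirpath, name), root)
                if rel.replace(os.sep, "/") not in checksums:
                    report["unlisted"].append(rel.replace(os.sep, "/"))
    report["unlisted"].sort()
    return report

def demo():
    """Constructed sample tree; contents are placeholders, not WordPress code."""
    files = {"wp-login.php": b"login placeholder\n",
             "wp-admin/index.php": b"admin placeholder\n",
             "wp-includes/version.php": b"version placeholder\n"}
    # Assumed response shape: {"checksums": {relative path: md5 hex}}
    body = json.dumps({"checksums": {
        rel: hashlib.md5(data, usedforsecurity=False).hexdigest()
        for rel, data in files.items()}})
    with tempfile.TemporaryDirectory() as root:
        base = Path(root)
        for rel, data in files.items():
            (base / rel).parent.mkdir(parents=True, exist_ok=True)
            (base / rel).write_bytes(data)
        (base / "wp-login.php").write_bytes(files["wp-login.php"] + b"extra\n")
        (base / "wp-admin/index.php").unlink()           # simulated deletion
        (base / "wp-includes/class-extra.php").write_bytes(b"unlisted\n")
        return verify_core(root, json.loads(body)["checksums"])

if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```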
3. PHP in Uploads Detection
PHP files have no legitimate reason to exist inside your wp-content/uploads/ directory. The scanner flags any file with a PHP-related extension (.php, .php3, .php4, .php5, .php7, .phtml, .phar) found inside the uploads directory as a critical “php_in_uploads” threat.
4. Double Extension Detection
Attackers sometimes disguise malicious files using double extensions like malware.php.jpg. The scanner detects files matching the pattern .php.xxx, .phtml.xxx, or .phar.xxx and flags them as high-severity suspicious files.
5. World-Writable File Detection
Files with overly permissive permissions (world-writable, i.e., the “other write” bit is set) are a security risk. The scanner checks file permissions and flags any world-writable file as a medium-severity suspicious finding, displaying the octal permission string (e.g., 0777).
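Checks 3, 4 and 5 are all decided from a file's name, location and mode, so they can be cross-checked from a shell account without reading file contents. The Python sketch below is an added example, not the plugin's implementation; it uses the extension list and severities stated above, the `double_extension` and `world_writable` labels are this example's own, and the sample tree is constructed.

```python
import os, re, stat, tempfile

PHP_EXTS = {".php", ".php3", ".php4", ".php5", ".php7", ".phtml", ".phar"}
DOUBLE_EXT = re.compile(r"\.(php|phtml|phar)\.[^.]+$", re.IGNORECASE)

def scan_tree(root, uploads="wp-content/uploads"):
    """Return sorted (path, finding, severity, detail) tuples for the three checks.
    Only "php_in_uploads" is a label from the page; the other two are assumed."""
    findings = []
    for dirpath, _dirs, names in os.walk(root):  # does not follow directory symlinks
        for name in names:
            full = os.path.join(dirpath, name)
            st = os.lstat(full)
            if not stat.S_ISREG(st.st_mode):
                continue  # skip symlinks, sockets, devices
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            ext = os.path.splitext(name)[1].lower()
            if ext in PHP_EXTS and rel.startswith(uploads.rstrip("/") + "/"):
                findings.append((rel, "php_in_uploads", "critical", ext))
            if DOUBLE_EXT.search(name):
                findings.append((rel, "double_extension", "high", name))
            if st.st_mode & stat.S_IWOTH:  # the "other write" bit
                perms = format(stat.S_IMODE(st.st_mode), "04o")
                findings.append((rel, "world_writable", "medium", perms))
    return sorted(findings)

def demo():
    """Constructed sample tree; every file holds the same harmless placeholder."""
    sample = {
        "wp-content/uploads/2024/05/cache.php": 0o644,
        "wp-content/uploads/2024/05/logo.php.jpg": 0o644,
        "wp-content/themes/demo/style.css": 0o666,
        "wp-content/themes/demo/functions.php": 0o644,
    }
    with tempfile.TemporaryDirectory() as root:
        for rel, mode in sample.items():
            full = os.path.join(root, rel)
            os.makedirs(os.path.dirname(full), exist_ok=True)
            with open(full, "w") as fh:
                fh.write("placeholder\n")
            os.chmod(full, mode)  # chmod is not affected by the umask
        return scan_tree(root)

if __name__ == "__main__":
    for row in demo():
        print(*row, sep="  ")
```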
Additional Checks
- PHP code in non-PHP files: Image files (.jpg, .png, .gif, .ico, .svg), CSS, JS, HTML, and other non-PHP extensions are checked for embedded <?php tags, which is a common malware hiding technique.
Scannable File Types
For malware pattern matching, the scanner processes files with these extensions: .php, .php3, .php4, .php5, .php7, .phtml, .phar, .inc, and .module. Files larger than 2 MB are automatically skipped to avoid memory issues.
Skipped Directories
The following directories are entirely excluded from scanning to save time and avoid false results:
- wp-content/cache/
- wp-content/uploads/backups-bdbk/ (BD Backup files)
- wp-content/uploads/bdmc-quarantine/ (quarantined files)
- wp-content/uploads/bestdid-security-quarantine/
- wp-content/upgrade/
- wp-content/wflogs/
- node_modules/
- .git/
Running Your First Scan
- Navigate to BD Malware in your WordPress admin sidebar.
- On the Scanner tab, you will see a statistics bar showing Last Scan date, Files Scanned count, Threats Found, and Quarantined files count.
- Review the Scan Settings at the bottom of the page. By default, all three scan types are enabled:
  - Core File Integrity — verifies WordPress core files against official checksums
  - Malware Pattern Matching — scans PHP files for known malware signatures
  - PHP in Uploads Detection — detects PHP files hidden in the uploads directory and double-extension files
- Click the Start Scan button. A progress bar will appear showing the percentage complete and the file currently being scanned.
- The scan processes files in chunks of 50 files at a time via AJAX requests, so your browser remains responsive and the server does not time out.
- When the scan completes, results are displayed in a table showing the file path, threat type, severity level (critical, high, medium, or low), the matched signature name, and action buttons.
- If no threats are found, a green checkmark with “No threats detected. Your site looks clean!” is displayed.
Tip: You can cancel an in-progress scan at any time by clicking the Cancel button that appears next to the Start Scan button.
Dashboard Overview
The BD Malware Cleaner dashboard has three tabs:
- Scanner — Run scans, view results, configure scan settings, and manage individual findings (quarantine, ignore).
- Quarantine — View all quarantined files with their original path, quarantine date, and file size. Restore or permanently delete quarantined files.
- License — Activate or deactivate your license key, view your plan tier, expiration date, site count, and a plan comparison table.
Next Steps
After completing your first scan, proceed to the Scanning, Quarantine & Scheduling article to learn how to interpret scan results, quarantine and restore threats, set up automatic scheduled scans, and configure email alerts.