
Malware tests

Malware tests scan your extension's codebase to detect potentially malicious or suspicious PHP code. By identifying known malware signatures, backdoor-like behaviors, or hidden code, these tests help ensure the integrity and safety of the extensions offered through the WooCommerce Marketplace.

What the malware test checks

  • Non-printable characters: Flags hidden or unusual characters often used to obfuscate malicious code.
  • Obfuscated or dangerous PHP functions: Detects usage of eval, system, shell_exec, and other functions commonly associated with security threats.
  • Suspicious encoding and files: Identifies base64-encoded strings, hidden directories, or disguised file formats that attackers may leverage.
  • Cloudflare bypass attempts and other suspicious strings: Looks for patterns that suggest attempts to circumvent security controls (for example, Cloudflare protections) or to contact known malicious domains.

If any of these patterns are found, the test reports them as potential issues, prompting you to review the code.

Understanding the results

  • Success: No malicious or suspicious code detected.
  • Failure: Potentially dangerous or suspicious code patterns identified. Treat these findings seriously and review the flagged lines immediately.

False positives and remediation

While rare, false positives can occur if legitimate code resembles known malicious patterns. If you encounter a false positive:

  • Review the flagged code to confirm it is safe and intentional.
  • Refactor so the code no longer matches the pattern (for example, ship binary assets as files rather than as base64 strings embedded in PHP). For third-party or generated code you cannot change, exclude its directory with the --whitelist_paths option. Add a comment explaining any remaining legitimate use so reviewers understand it; note that comments document the intent but do not change the scan result.
  • If you believe a rule is too strict or misidentifies your code, contact QIT support for guidance.

Best practices

  • Regular reviews: Periodically run malware tests, especially after incorporating third-party code or dependencies.
  • Clean coding practices: Avoid obfuscation, unnecessary encoding, or suspicious function usage that can trigger warnings.
  • Combine with other tests: Run malware scans alongside security tests, PHPStan, and PHPCompatibility checks for comprehensive quality assurance.

CLI Usage

Enqueue Malware tests.

  run:malware [options] [--] [<sut>]

Arguments:
  sut                                         Extension slug or WooCommerce.com ID

Options:
      --profile[=PROFILE]                     Test profile to use [default: "default"]
      --whitelist_paths[=WHITELIST_PATHS]     (Optional) Paths to whitelist from the malware scan (multiple values allowed; repeat the option once per path)
      --zip[=ZIP]                             (Optional) Local ZIP / dir / URL build to test
  -j, --json|--no-json                        (Optional) Output raw JSON response
      --async|--no-async                      (Optional) Enqueue the test and return immediately without waiting
  -w, --wait|--no-wait                        (Deprecated) Wait for test completion - this is now the default behavior
      --print-report-url|--no-print-report-url  (Optional) Print the test report URL (contains sensitive data - use cautiously in public logs)
  -t, --timeout[=TIMEOUT]                     (Optional) Wait timeout in seconds
  -g, --group|--no-group                      (Optional) Register the run into a group