
WordPress site infected with Malware.


Sajesh Mohan


I've actually been dealing with a few clients of mine who have recently had their WordPress sites injected with malware.

I dealt with 3 different websites.

Two of them were very similar. A plugin and file in the wp_uploads folder allowed for easy code injection. Code was injected into a few index.php files.

I manually removed the code, double and triple checked every single file for any sort of possible issue. I searched for the keywords eval, base64, and <script, all keywords that aren't heavily used throughout WordPress, but are quite common to website injections.

After finding nothing, I went into the WordPress admin panel and made sure there were no 'ghost' users, as some malicious bots will set themselves up as administrator so as to easily reinfect your website. I updated WordPress and every single plugin. I changed the WordPress password.

Because these types of viruses can also infect websites through a user accessing the website's admin panel, FTP, etc., I told my clients to scan for viruses and malware on any and all computers which they may use to access these backend interfaces.

The third one was a lot worse. Every single PHP file was infected. I backed up what I could, including uploaded images (making sure there were no PHP files and no malicious files in the folders), and the database. I took note of all the installed themes and plugins, and then proceeded to delete every single file on their FTP. It was that badly infected.

I cleanly installed WordPress. This entire process was made easier because she had been using the latest version of WordPress. I restored her database, changed her WordPress admin password, as well as FTP password, and told her to completely scan all her computers, as I did my previous clients. I made sure I installed the latest version of all the plugins that she was using, and I also restored her themes.

The malware has not returned.
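
The file checks described in the post above (the eval, base64 and <script keyword search, plus looking for PHP files in the uploads folder) can be scripted. This is an added example, not part of the original post; the file extension lists, the standard wp-content/uploads layout and the sample files are assumptions constructed for illustration.

```python
import re
import tempfile
from pathlib import Path

# Keywords named in the post. A hit is a lead for manual review, not proof:
# legitimate plugins also use these strings.
PATTERNS = {
    "eval": re.compile(rb"\beval\s*\(", re.I),
    "base64": re.compile(rb"base64", re.I),
    "script-tag": re.compile(rb"<script", re.I),
}
PHP_EXT = (".php", ".phtml", ".php5", ".phar")  # assumption: what the server executes
SCAN_EXT = PHP_EXT + (".js", ".html", ".htm")   # assumption: file types worth grepping


def scan(root):
    """Return sorted (relative_path, reason) findings for a WordPress tree."""
    findings = []
    for path in Path(root).rglob("*"):
        name = path.name.lower()
        if not path.is_file() or not name.endswith(SCAN_EXT):
            continue
        rel = path.relative_to(root)
        # The uploads folder should hold media only, so PHP there is suspect.
        if name.endswith(PHP_EXT) and "uploads" in rel.parts[:-1]:
            findings.append((rel.as_posix(), "php-in-uploads"))
        data = path.read_bytes()
        findings.extend((rel.as_posix(), why) for why, rx in PATTERNS.items() if rx.search(data))
    return sorted(findings)


def build_sample_tree(root):
    """Write constructed sample files (not taken from a real infection)."""
    files = {
        "index.php": b"<?php eval(base64_decode($x)); require 'wp-blog-header.php';",
        "wp-content/uploads/2020/01/photo.jpg": b"\xff\xd8\xff constructed image bytes",
        "wp-content/uploads/2020/01/cache.php": b"<?php echo '<script src=//placeholder.invalid/x.js></script>';",
        "wp-content/themes/demo/functions.php": b"<?php add_action('init', 'demo_setup');",
    }
    for rel, body in files.items():
        target = Path(root, rel)
        target.parent.mkdir(parents=True, exist_ok=True)
        target.write_bytes(body)


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_tree(tmp)
        print(*scan(tmp), sep="\n")
```

Run against a copy of the site's files, `scan()` gives a review list to work through by hand; comparing flagged core files against a fresh WordPress download of the same version settles whether a hit is injected code.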
