Our WordPress malware removal service is an after-the-event service for fixing WordPress websites that have become infected with malware, viruses, spam scripts, etc.
Often we see hacked WordPress websites that have been compromised for a few months prior to the site owner finding out anything is wrong.
Any website can be infected with malware. There are hackers constantly scanning websites for vulnerabilities to see if they can find an entry point into a web hosting account. WordPress is the most popular content management system in use today and powers around 30% of all the websites on the internet.
The popularity of WordPress makes it a prime target for hackers because there are large numbers of misconfigured WordPress websites and hosting accounts. Hackers use automated tools to probe for an entry point, which can be anything from incorrect file permissions to a known vulnerability in a plugin or theme.
How do I know if my WordPress has been hacked?
Usually the first sign that a website has been hacked is the appearance of small, nearly invisible links in the footer of the site; these are usually injected into WordPress theme files. A slow wp-admin dashboard can also be a sign that something isn't quite right.
Other signs that your WordPress website has been hacked include a visual warning on Google results pages. This is a bad sign, as potential customers will also see the warning when searching for your company's website, which is not good for your company's reputation. Even worse, if you end up on an anti-virus blacklist your website could be flagged as malicious or hacked when your customers try to visit it.
Your compromised WordPress website may also have had a spam program or script placed on it by the hackers, whose intention is to send out large volumes of spam email from your web hosting account. This can have dire consequences: in many cases your domain name, the same one you use for your corporate business email accounts, will end up on email blacklists, disrupting your ability to send business email to customers.
What malware do hackers put into WordPress?
We frequently see what are called remote shells: small programs hidden among regular WordPress files that give the hackers the ability to connect to your website remotely and upload any other files to your web hosting account. Some of them come with a GUI; below is an example of one from a site I cleaned. It allows hackers to effectively upload any file they want to your WordPress website.
Once they have installed a file manager and can upload any file they want, the first sign we often see of a hacked WordPress website is spamvertising links and pages. Below is an image of such a hack, where the hackers gained access to a site, probably via an outdated plugin. They generated randomly named directories, each containing a single file. The probable aim of their actions was to extend their network of compromised WordPress websites for use in a spam network, directing recipients of spam email to their malicious content. You can see in the image that there is a mix of languages, both written and computational.
How do you remove WordPress Malware?
Removing malware from WordPress is a multi-pronged process. It involves various tools to track down the files that hackers have placed on a site. It's also a process of auditing: working out what plugins and themes are installed, how old they are, and whether there are updates or known vulnerabilities for them. In short, it can be a time-consuming exercise when done properly.
Below is a list of programs, plugins and tools used to scan for malicious content and files that shouldn't be in WordPress. Some use strict search patterns or file comparison; others use a form of heuristics to determine whether a file belongs in the average WordPress website.
The key to using these programs effectively is to exclude some directories in WordPress from the search, mainly the root folder (where wp-config.php resides) and the wp-admin and wp-includes directories. The logic behind this is that no user files should ever be uploaded into these directories; in essence they should be identical to a fresh copy of WordPress. So your scanning scope is strictly targeted at the wp-content directory. There are two stages to this analysis. Part one is to find files that don't belong where they are; part two is to make sure that any existing files haven't been tampered with.
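Part two, applied to the core directories, as an added example that is not code from this article: a Python script that compares each core file's MD5 against a pristine manifest and also lists files under wp-admin and wp-includes that the manifest doesn't know about. The manifest and the install it checks are constructed inline here; the manifest's shape (relative path to MD5) mirrors what the WordPress checksums API returns, and WP-CLI's wp core verify-checksums does the same job against the real manifest.

```python
import hashlib
import os
import tempfile

# Constructed pristine contents for two core files. The manifest derived from
# them has the shape of the WordPress checksums API response (relative path ->
# md5 of the untouched file); in practice it comes from api.wordpress.org for
# the exact version and locale installed.
PRISTINE = {
    "index.php": "<?php require __DIR__ . '/wp-blog-header.php';\n",
    "wp-includes/version.php": "<?php $wp_version = 'x.y.z';\n",
}
MANIFEST = {rel: hashlib.md5(body.encode()).hexdigest() for rel, body in PRISTINE.items()}
CORE_DIRS = ("wp-admin", "wp-includes")  # a fresh install has only manifest files here

def md5_of(path):
    with open(path, "rb") as fh:
        return hashlib.md5(fh.read()).hexdigest()

def verify_core(root, manifest):
    """Compare an install against the manifest; report modified, missing and unexpected files."""
    findings = {"modified": [], "missing": [], "unexpected": []}
    for rel, expected in manifest.items():
        full = os.path.join(root, rel)
        if not os.path.isfile(full):
            findings["missing"].append(rel)
        elif md5_of(full) != expected:
            findings["modified"].append(rel)
    # Anything under wp-admin/ or wp-includes/ that the manifest does not list
    # was not shipped by WordPress and needs a closer look.
    for core in CORE_DIRS:
        for dirpath, _, files in os.walk(os.path.join(root, core)):
            for name in files:
                rel = os.path.relpath(os.path.join(dirpath, name), root)
                if rel not in manifest:
                    findings["unexpected"].append(rel)
    return findings

def build_demo_site():
    """Constructed install: version.php has an appended line, wp-includes has a stray file."""
    root = tempfile.mkdtemp()
    for rel, body in PRISTINE.items():
        full = os.path.join(root, rel)
        os.makedirs(os.path.dirname(full), exist_ok=True)
        with open(full, "w") as fh:
            fh.write(body)
    with open(os.path.join(root, "wp-includes", "version.php"), "a") as fh:
        fh.write("// simulated injected line\n")
    with open(os.path.join(root, "wp-includes", "cache-x.php"), "w") as fh:
        fh.write("<?php // constructed stray file\n")
    return root
```

Running verify_core(build_demo_site(), MANIFEST) reports version.php as modified and cache-x.php as unexpected; a file reported as missing is just as significant, since hackers sometimes delete core files to break update or security checks.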
Search for hacked WordPress website files
Grep and find are two commands found on Linux; they search for things on file systems. We're going to use them to find files that shouldn't be in the uploads folder. Whenever you upload an image via the WordPress dashboard it ends up in the /wp-content/uploads folder. You can upload other file formats as well, such as PDF, XLSX and DOCX. We're going to specifically look for files that aren't images. To do this we'll run the following find command:
find /home/Work/homedir/public_html/wp-content/uploads/ -type f -not -iname "*.jpg" -not -iname "*.png" -not -iname "*.gif" -not -iname "*.jpeg" > uploads-non-binary.log
This lists files that don't have jpg, png, gif or jpeg as their file extension. Or, if you want to do it the other way round, you can search for any PHP files:
find /home/Work/homedir/public_html/wp-content/uploads/ -type f -iname "*.php" > uploads-shouldnt-be-here.log
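The same search written as a Python script, added here as an example rather than taken from the article. It generalises the two find commands a little: it flags PHP files, files whose extension is outside an allow-list of image and document types, and files that carry an image extension but contain a PHP open tag, which is how a shell hidden as a regular file typically looks on disk. The uploads tree it scans is constructed in build_demo_uploads().

```python
import os
import tempfile

IMAGE_EXTS = {".jpg", ".jpeg", ".png", ".gif"}
DOCUMENT_EXTS = {".pdf", ".xlsx", ".docx"}
PHP_EXTS = {".php", ".phtml"}
PHP_MARKERS = (b"<?php", b"<?=")

def classify(path):
    """Return a reason string if the file looks out of place under uploads, else None.

    Checks, in order: a PHP extension (never legitimate in uploads), an extension
    outside the allow-list, and a PHP open tag inside a file whose name says it
    is an image or document. Extensions are compared case-insensitively.
    """
    ext = os.path.splitext(path)[1].lower()
    if ext in PHP_EXTS:
        return "php file in uploads"
    if ext not in IMAGE_EXTS | DOCUMENT_EXTS:
        return "unexpected extension %s" % (ext or "(none)")
    with open(path, "rb") as fh:
        head = fh.read(4096)  # an open tag buried deeper than this is rare but possible
    if any(marker in head for marker in PHP_MARKERS):
        return "php open tag inside %s" % ext
    return None

def scan_uploads(uploads_dir):
    """Walk uploads/ and return sorted (relative path, reason) pairs for suspect files."""
    findings = []
    for dirpath, _, files in os.walk(uploads_dir):
        for name in files:
            full = os.path.join(dirpath, name)
            reason = classify(full)
            if reason:
                findings.append((os.path.relpath(full, uploads_dir), reason))
    return sorted(findings)

def build_demo_uploads():
    """Constructed uploads tree: two clean files and three that should be flagged."""
    root = tempfile.mkdtemp()
    os.makedirs(os.path.join(root, "2023", "11"))
    samples = {
        "2023/11/photo.JPG": b"\xff\xd8\xff\xe0 constructed jpeg bytes",
        "2023/11/brochure.pdf": b"%PDF-1.4 constructed document",
        "2023/11/wp-cache.php": b"<?php // constructed stand-in for a dropped script\n",
        "2023/11/banner.jpeg": b"GIF89a <?php // constructed: code behind an image name\n",
        "2023/11/notes.txt": b"plain text\n",
    }
    for rel, body in samples.items():
        with open(os.path.join(root, rel), "wb") as fh:
            fh.write(body)
    return root
```

A file that the script flags should be compared with the site's media library entries before it is deleted, so that a legitimate but unusual upload is not removed by mistake.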