Infinite | Squares

Art of code and more

Remove Malware from a WordPress Site

Besides developing web applications with JavaScript, I also work in IT support. I have to manage (set up and do the server-side maintenance of) several WordPress-based company sites running on IIS 6.1 on Windows Server 2008. Lately, our newest sites have been infected with malware. These are my notes on how I cleaned those sites.

To start, let me say that I am not a security expert. If you find any errors in this post, let me know; I would be very grateful.

I am following the notes on How To Remove Malware From WordPress here. Note that, for now, I skipped cleaning the database. We will revisit this later if needed.

WordPress malware scanner

Using the Wordfence Scan plugin, my colleague who manages our site content gave me this list of malicious files:

wp-content/themes/index.php
wp-content/plugins/index.php
wp-content/index.php
wp-includes/theme.php

An infected file looks like this: Infected index.php

The attack seems to be related to the theme. Perhaps there is a vulnerability in the third-party theme that we use.

Cleanup steps

1. Download the latest WordPress

Go to the official WordPress site and download the latest version. Extract the zip to a location of your choice. We will use it as a reference when we clean our files and folders.

2. Remove most of the files

Before deleting all of the WordPress files, you might want to make a copy of them first.

Delete everything in the site folder except the wp-content folder and the wp-config.php file. Your WordPress site folder will then look like this:

wp-content
wp-config.php

3. Inspect wp-config.php

Check wp-config.php for any malicious content (random strings and such), using the latest WordPress download as a reference. You can also change the unique keys and salts using this WordPress service.

4. Inspect the wp-content folder

By default, the wp-content folder should have the following structure:

plugins
themes
uploads
index.php

Since the content is managed by someone else, I proceeded to delete all files except the uploads folder. I will have to check that folder manually for malicious files (PHP files, or anything you may not have uploaded yourself).

5. Re-upload WordPress and themes

We can just copy and paste from the latest WordPress files we downloaded earlier.
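Steps 1 and 4 lean on the pristine download and on eyeballing the uploads folder by hand. As an added example (mine, not the post's or the Wordfence plugin's code), here is a Python script that diffs the site tree against the reference download by SHA-256 and flags any script file under uploads, where only media belongs. The sample trees it builds are constructed and tiny; in real use you would point it at the live site folder and the extracted zip.

```python
import hashlib
import tempfile
from pathlib import Path

SCRIPT_SUFFIXES = {".php", ".phtml", ".php5", ".phar"}  # never legitimate under uploads (assumption)

def sha256_of(path):
    with open(path, "rb") as f:
        return hashlib.sha256(f.read()).hexdigest()

def audit_site(site_root, reference_root):
    """Files differing from the pristine tree, files it never shipped, and scripts under uploads."""
    site_root, reference_root = Path(site_root), Path(reference_root)
    report = {"modified": [], "unexpected": [], "uploads_scripts": []}
    for path in sorted(site_root.rglob("*")):
        if not path.is_file():
            continue
        rel = path.relative_to(site_root)
        if rel.as_posix() == "wp-config.php":  # site specific; reviewed by hand (step 3)
            continue
        if rel.parts[:2] == ("wp-content", "uploads"):  # media only; any script here is suspect
            if path.suffix.lower() in SCRIPT_SUFFIXES:
                report["uploads_scripts"].append(rel.as_posix())
            continue
        ref = reference_root / rel
        if not ref.is_file():
            report["unexpected"].append(rel.as_posix())
        elif sha256_of(ref) != sha256_of(path):
            report["modified"].append(rel.as_posix())
    return report

def build_demo_trees():
    """Constructed sample trees (not a real install) mimicking the infection on the page."""
    base = Path(tempfile.mkdtemp())
    ref, site = base / "reference", base / "site"
    clean = {"index.php": "<?php // loader", "wp-includes/theme.php": "<?php // theme api",
             "wp-content/index.php": "<?php // Silence is golden.",
             "wp-content/themes/index.php": "<?php // Silence is golden."}
    for root in (ref, site):
        for name, body in clean.items():
            (root / name).parent.mkdir(parents=True, exist_ok=True)
            (root / name).write_text(body)
    (site / "wp-config.php").write_text("<?php // site config, inspected manually")
    (site / "wp-includes/theme.php").write_text("<?php // tampered core file (constructed)")
    (site / "wp-content/themes/index.php").write_text("<?php // tampered theme index (constructed)")
    (site / "wp-content/unknown.php").write_text("<?php // file WordPress never shipped")
    (site / "wp-content/uploads/2016").mkdir(parents=True)
    (site / "wp-content/uploads/2016/photo.jpg").write_bytes(b"\xff\xd8\xff")
    (site / "wp-content/uploads/2016/image.php").write_text("<?php // script hiding in uploads")
    return str(site), str(ref)
```

Anything in "modified" or "unexpected" gets replaced from the download in step 5; anything in "uploads_scripts" is deleted outright, since uploads should never contain executable code.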

And we are done.
