To start, let me say that I am not a security expert. If you find any errors within this post, let me know. I would be very grateful for that.
I am following the notes on How To Remove Malware From WordPress here. Note that, for now, I skipped cleaning the database. We will revisit this later if needed.
WordPress malware scanner
Using the Wordfence Scan plugin, my colleague, who manages our site content, gave me the list of malicious files:
The infected file looks like this:
The attack seems to be related to the theme. Perhaps there is a vulnerability in the third-party theme that we used.
1. Download the latest WordPress
Go to the official WordPress site and download the latest version. Extract the zip into a location. We will use it as a reference when we clean our files and folders.
2. Remove most of the files
Before deleting all of the WordPress files, you might want to make a copy of them first.
Delete everything in the site folder except for the wp-content folder and the wp-config.php file. Your WordPress site folder will look like below:
3. Inspect wp-config.php
Inspect wp-config.php for any malicious content (random strings and such). Use the latest WordPress downloaded before as a reference. You can also change the unique keys and salts using this WordPress service.
4. Inspect wp-content folder
The wp-content folder should have the following structure:
Since the content is managed by someone else, I proceeded to delete all files except the uploads folder. I will have to manually check that folder for malicious files (PHP files or anything that you may not have uploaded).
5. Re-upload WordPress and themes
We can just copy and paste from the latest WordPress files we downloaded earlier.
And we are done.
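For the manual check of the uploads folder in step 4, the shell function below is an added example and not part of the original post. It lists files under uploads that have a PHP extension, are an .htaccess file, or carry a PHP open tag inside another file type; the function name scan_uploads and the path passed to it are assumptions.

```shell
#!/bin/sh
# Added example: flag files under a WordPress uploads folder that need manual
# review. scan_uploads is a hypothetical name; pass your own uploads path.
# Assumes file names do not contain newlines.

scan_uploads() {
    dir=$1
    [ -d "$dir" ] || { echo "not a directory: $dir" >&2; return 2; }

    find "$dir" -type f | sort | while IFS= read -r f; do
        # Compare on the lower-cased base name so shell.PHP is caught too.
        name=$(printf '%s' "${f##*/}" | tr 'A-Z' 'a-z')
        case "$name" in
            *.php|*.php[0-9]|*.phtml|*.phar)
                # Uploads should hold media, not scripts the server can run.
                echo "PHP-EXT  $f" ;;
            .htaccess)
                # Can re-map other extensions (e.g. .jpg) to the PHP handler.
                echo "HTACCESS $f" ;;
            *)
                # Any other file type that still contains a PHP open tag,
                # e.g. an "image" with code appended. -a reads binary as text.
                if grep -qaiF '<?php' "$f"; then
                    echo "PHP-TAG  $f"
                fi ;;
        esac
    done
}

# Run directly as: sh scan_uploads.sh /path/to/wp-content/uploads
if [ "$#" -gt 0 ]; then
    scan_uploads "$1"
fi
```

Every line it prints is a file to open and inspect by hand. An empty result only means none of these three patterns matched.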