WordPress Malware

Posted by greg on February 14, 2012 · 6 mins read

This site has been blacklisted by Google in the past because it has been hacked into and malware deposited. Here are the changes I've made and the tools I've found helpful when this happens.

I'm using 1and1 for hosting and am suspicious about access to my account there.

Confirm the Problem

There are a couple of quick ways to confirm that the site is infected.

Try browsing to your site in Chrome; if Google has determined that your site is infected, you'll see a page that looks something like this:

Use the Sucuri tool to scan your site and it will not only tell you if there is malware but also which files are infected. Save the results of this scan.
Also try the Google Safe Browsing diagnostic to see if it reports your site as having malware.

We'll be coming back to these tools to re-test the site.

First Steps

- Change the passwords (ssh, ftp, etc) for your host accounts that have access to the WordPress site
- Login to your WordPress site as admin
- Change the admin password
- Remove any unused accounts

Quick Fixes

A fresh install of WordPress is the right thing to do, and the steps for that are below. If this is JavaScript-based malware, though, you may be able to stop it in a few minutes with these quick steps:

- Review the results of the Sucuri scan you ran earlier. You will probably find the infected files in one of three areas of the WordPress site: plugins, themes, or the core WordPress files such as the JavaScript includes
- Update to the latest WordPress release
- Download the original sources for the plugins, themes and includes and replace the infected files

- As you replace each script, the Redleg File Viewer tool will show you whether the file is still infected. This tool is also useful for seeing where the infected script is redirecting your users.
- Generate a random password and change your MySQL database password, both in your hosting provider's MySQL admin screen and in the DB_PASSWORD line of the wp-config.php script.
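One way to carry out the "replace the infected files" step systematically, as an added example that is not from the original post: hash every file in the live site and in a pristine unpack of the same WordPress release (with the same plugin and theme versions) and report what was modified, added or removed. The pristine and live paths are placeholders.

```python
"""Compare a live WordPress tree against a pristine copy of the same release.

Added example, not part of the original post. It assumes you have unpacked the
matching WordPress release (plus the same plugin and theme versions) somewhere
on disk; the two paths in the main block are placeholders.
"""
import hashlib
import os

# Files every working site has but the release archive does not ship.
EXPECTED_EXTRA = {"wp-config.php", ".htaccess"}


def manifest(root):
    """Map each file's path relative to root to its SHA-256 hex digest."""
    result = {}
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in filenames:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            with open(full, "rb") as fh:
                result[rel] = hashlib.sha256(fh.read()).hexdigest()
    return result


def is_expected_upload(path):
    """Media under uploads is normal; PHP under uploads is not, so keep that."""
    return path.startswith("wp-content/uploads/") and not path.lower().endswith(".php")


def compare(pristine, live):
    """Return (modified, added, missing) relative paths; 'modified' is where
    injected JS shows up, 'added' where dropped scripts show up."""
    modified = sorted(p for p in pristine if p in live and pristine[p] != live[p])
    added = sorted(p for p in live if p not in pristine
                   and p not in EXPECTED_EXTRA and not is_expected_upload(p))
    missing = sorted(p for p in pristine if p not in live)
    return modified, added, missing


if __name__ == "__main__":
    # Placeholder paths: the pristine unpack and the live document root.
    mod, add, miss = compare(manifest("/tmp/wordpress-pristine"),
                             manifest("/var/www/site"))
    for label, paths in (("MODIFIED", mod), ("ADDED", add), ("MISSING", miss)):
        for p in paths:
            print(label, p)
```

Every path the script lists under MODIFIED or ADDED is one to open in the Redleg File Viewer before deciding whether to replace or delete it.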

Full Clean-Up Steps

- Login to WordPress as admin
- Backup the whole WordPress database (using the Export tool and via an SQL dump using phpMyAdmin)
- Backup the entire WordPress directory for analysis and remove it from the site
- Rename database tables per these instructions if the prefix is currently "wp_"
- Change all passwords, remove unused accounts and services, and clean up the box
- Visit the WordPress key generator to obtain a new random set of keys, then overwrite the values in your wp-config.php file with the new ones.
- Reinstall WordPress from scratch
- Re-import the database (after checking that it is safe) and reinstall themes and plugins from scratch
- Compare the old and new .htaccess and wp-config.php files. Use the old ones only if you recognize everything in them.
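The two wp-config.php edits above (the new DB_PASSWORD from the Quick Fixes and the new keys and salts from the clean-up steps) can be scripted. This is an added example, not code from the post: it generates the keys locally with Python's secrets module instead of fetching them from the WordPress key generator, and the wp-config.php path is a placeholder.

```python
"""Rotate the secrets in wp-config.php: DB_PASSWORD plus the eight keys/salts.

Added example, not part of the original post. The new database password must
also be set on the MySQL side (your host's admin screen), and the path in the
main block is a placeholder; keep a copy of the original file before writing.
"""
import re
import secrets
import string

# The eight constants WordPress uses to sign cookies and nonces.
SECRET_CONSTANTS = ("AUTH_KEY", "SECURE_AUTH_KEY", "LOGGED_IN_KEY", "NONCE_KEY",
                    "AUTH_SALT", "SECURE_AUTH_SALT", "LOGGED_IN_SALT", "NONCE_SALT")
# Only characters that need no escaping inside a single-quoted PHP string.
ALPHABET = string.ascii_letters + string.digits + "!#$%&()*+,-./:;<=>?@[]^_{|}~"


def random_secret(length=64):
    return "".join(secrets.choice(ALPHABET) for _ in range(length))


def set_define(text, name, value):
    """Replace the value in define('NAME', '...'), tolerating either spacing
    style WordPress has used. Returns (new_text, replacements)."""
    pattern = re.compile(r"(define\(\s*'%s'\s*,\s*')[^']*('\s*\))" % re.escape(name))
    return pattern.subn(lambda m: m.group(1) + value + m.group(2), text)


def rotate(text, db_password=None):
    """Return (new wp-config text, new DB password). Every constant must be
    found exactly once, so a missing or duplicated define is an error."""
    new_password = db_password or random_secret(32)
    text, count = set_define(text, "DB_PASSWORD", new_password)
    if count != 1:
        raise ValueError("DB_PASSWORD defined %d times" % count)
    for name in SECRET_CONSTANTS:
        text, count = set_define(text, name, random_secret())
        if count != 1:
            raise ValueError("%s defined %d times" % (name, count))
    return text, new_password


if __name__ == "__main__":
    path = "/var/www/site/wp-config.php"  # placeholder
    with open(path) as fh:
        updated, password = rotate(fh.read())
    with open(path, "w") as fh:
        fh.write(updated)
    print("now set this password for the DB user on the MySQL side:", password)
```

Changing the keys and salts invalidates every existing login cookie, which is what you want after a compromise.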

Confirm The Infection Has Been Removed

You can use the same tools described at the beginning to confirm that the infection has been removed, but you'll probably find that their results have been cached. The Redleg File Viewer tool will work.

Getting Google to De-list Your Site

When your site is clean, you'll want Google to rescan it to remove it from their list of infected sites. They provide help on what to do here.

I also found this Unmasked Parasites post helpful in explaining the Google process.

Defensive Maneuvers

The popular Timthumb image cropping tool has had many security exploits. The Timthumb Vulnerability Scanner plugin checks for these vulnerabilities and corrects them if you want. Scans are run daily (unless you disable them via the options link on the scanner page) via wp-cron. An immediate scan can be run under the WP Tools menu. I've found this to be very useful.

The WP Security Scan plugin, also by WebsiteDefender, scans your site for security vulnerabilities and suggests corrective actions. It adds a WP Security menu item to the bottom of the WordPress menu with the scan information.

The Secure WordPress plugin by WebsiteDefender beefs up the WordPress security. It has over 625,000 downloads!

The WordPress File Monitor Plus Plugin is a fork of the original version, which was no longer being updated. It has a good configuration page for setting the monitor interval and a few other options, and I like the Perform Scan Now option. It has had 6,700 downloads and 12 ratings averaging 4.75 stars, and was last updated in June 2011.

The WP MalWatch Plugin runs once per night. There isn't a configuration page (just access to the PHP scripts) and no way to run the scan immediately. It uses a dashboard widget to report issues (I'm not sure whether it will send an email). The documentation talks a lot about monitoring the .htaccess file. As of this writing there are 25,000 downloads and 12 ratings averaging 4.5 stars, and it was last updated in Sept 2010.

You'll also find a good post on this topic from July 2010 by Jeff Starr.

Additional Pointers

- WordPress.org has this post on how to deal with malware.
- This post was helpful.
- This blog post from the Sucuri site is also good.