
Removing Malware from a WordPress Site

June 30, 2012 at 5:42 am | Blog


Last week, a friend asked me for urgent help, as his WordPress website had been hacked. I opened his website with Firefox, and there was an alert saying that the website distributed malware and had been blocked by Google (see the figure). I did some research on this and finally fixed his malware issue. I hope this article will help someone who has a similar problem.

First, there are some tips from StopBadware for cleaning and securing your website; you should read this article first: http://www.stopbadware.org/home/security. I followed its three steps to clean the badware.

1. Identifying badware behavior
2. Removing the badware behavior
3. Preventing future infection

1. Identifying badware behavior

These are the three most common forms of badware that StopBadware sees on compromised sites:

1. Malicious scripts
2. .htaccess redirects
3. Hidden iframes

There are some tools to help you identify the malware.

1. Google Diagnostics page:
You can find certain information about the malware by replacing example.com in the following URL with your own site's URL: www.google.com/safebrowsing/diagnostic?site=example.com. This information is quite general, though.

2. Sucuri SiteCheck
Sucuri is a free online malware scanner. Enter your website address at http://sitecheck.sucuri.net/scanner/ and have it analyzed for malware issues. If your site is clean, it shows a green check with the status "verified clean".

Otherwise, it shows the status "site infected with malware", together with a list of scanned URLs. Click each URL to see the details of how it was infected. Usually this information is enough to identify whether it is malicious JavaScript, an .htaccess redirect, or a hidden iframe.

3. Wordfence WordPress plugin
Wordfence Security is a free enterprise-class security plugin that includes anti-virus scanning for WordPress websites. It scans the whole site and lists all suspicious files, so you can easily identify the infected ones.

4. Google Webmaster Tools
The first thing to do, if you haven't already, is to register with Google Webmaster Tools and get verified. The malware warning comes from Google, so this is the only way to get the warning lifted and get your site back into the Google index. "The Malware page (under Health) lists sample URLs from your site that have been identified as containing malicious code. Where possible, the page will also include samples of the problem code." As it does not list all injected URLs, you still have to find every occurrence of the malware yourself to make your site clean.

By using these tools, I found that my friend's site was infected by malicious JavaScript. In the index.php file in the theme folder, a piece of code was injected. It looks like:

eval(base64_decode("DQpzZXRfdGltZV9saW1pdCgwKTsNCg0KDQpmdW5jdGlvbiBpbmplY3….

It is a very standard JavaScript injection.

2. Removing the badware behavior

Once the infected files are identified, you can easily fix the malware.

1. Use the Wordfence WordPress plugin to scan all the files, and fix each infected file it lists.
2. Use search. In this case it is a malicious JavaScript injection, so search all the files for "eval(base64_decode" to mark every occurrence.

Remove this code from index.php.

Once it has been removed from all the files, scan again with the Wordfence WordPress plugin and Sucuri SiteCheck to make sure that there are no more infected files.

If you want to quickly remove your site from Google's blacklist, use Google Webmaster Tools to submit a review request. Without the request, it may take several weeks before your site's status is cleared.
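The identification and search steps above (the three badware forms StopBadware lists, then searching every file for "eval(base64_decode") combined into one small scanner you can run over wp-content/themes. This is an added example, not the author's script and not code from Wordfence, Sucuri or StopBadware; the detection patterns are constructed heuristics (expect some false positives), the sample files are constructed, and example.invalid is a placeholder host.

```python
import os
import re
import tempfile

# Constructed heuristics for the three badware forms the post lists; tune for your site.
PATTERNS = {
    "eval_base64": re.compile(r"eval\s*\(\s*base64_decode\s*\(", re.I),
    "hidden_iframe": re.compile(r"<iframe[^>]*(display\s*:\s*none|visibility\s*:\s*hidden|width\s*=\s*[\"']?0\b|height\s*=\s*[\"']?0\b)", re.I),
    "htaccess_redirect": re.compile(
        r"RewriteCond\s+%\{HTTP_(REFERER|USER_AGENT)\}[^\n]*\n\s*"
        r"RewriteRule\s+\S+\s+https?://", re.I),
}
SCAN_EXT = {".php", ".js", ".html", ".htm", ".htaccess"}

def scan_file(path):
    """Return [(rule_name, line_number), ...] for every pattern hit in one file."""
    with open(path, encoding="utf-8", errors="replace") as fh:
        text = fh.read()
    hits = []
    for name, rx in PATTERNS.items():
        for m in rx.finditer(text):
            hits.append((name, text.count("\n", 0, m.start()) + 1))
    return hits

def scan_tree(root):
    """Walk a directory such as wp-content/themes; return {relative_path: hits}."""
    findings = {}
    for dirpath, _dirs, files in os.walk(root):
        for fn in files:
            ext = ".htaccess" if fn == ".htaccess" else os.path.splitext(fn)[1].lower()
            if ext in SCAN_EXT:
                hits = scan_file(os.path.join(dirpath, fn))
                if hits:
                    findings[os.path.relpath(os.path.join(dirpath, fn), root).replace(os.sep, "/")] = hits
    return findings

def build_demo():
    """Write constructed sample files (one clean, three injected) to a temp dir and return its path."""
    root = tempfile.mkdtemp(prefix="wp-demo-")
    samples = {
        "functions.php": "<?php\nadd_theme_support('post-thumbnails');\n",
        "index.php": "<?php\n// theme header\neval(base64_decode('Q09OU1RSVUNURUQ='));\nget_header();\n",
        "footer.php": "</div>\n<iframe src=\"http://example.invalid/x\" style=\"display:none\"></iframe>\n",
        ".htaccess": "RewriteEngine On\nRewriteCond %{HTTP_REFERER} google\nRewriteRule .* http://example.invalid/ [R,L]\n",
    }
    for name, body in samples.items():
        with open(os.path.join(root, name), "w", encoding="utf-8") as fh:
            fh.write(body)
    return root
```

Run scan_tree on the real theme directory and treat every hit as a file to inspect by hand before removing anything; a theme that legitimately uses an iframe will show up here too.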

3. Preventing future infection

After removing all the malicious code, there are some steps to take to prevent future hacks.

0. Change all your passwords!! This is the most important step!

1. Upgrade WordPress to the latest version.

2. Make the theme files not writable. Go to the control panel of your web hosting and change the theme files (.php and .js files) to read-only.

3. Upgrade TimThumb (if any) to the latest version, or update the theme to the latest version. Get TimThumb from http://code.google.com/p/timthumb/

4. Once you are sure that the site is clean, submit a site review in Webmaster Tools to remove the warning.

5. Contact your web hosting company about this incident.

I hope this blog helps you make the Web safer!
