Note: The article below covers a simple case scenario of a hacked WordPress site. It’s neither an all-case scenario approach to the problem, nor it is the best way to handle that kind of infection: with some steps like database check being omitted here. See the bottom section of the article for further reading. I also, do not guarantee, that the steps provided below may help one out in his case scenario.
Discovering a hack
Front End Security Discovery
Site #1 – hacked WordPress files
A couple of days ago, a friend approached me that his site grafpoint.net went randomly offline. I was like, give me a minute or two and I’ll fix it xD At first, I took a look at his website and I thought, it’s just offline, the debugger is disabled, so, I’ll just log in, I will check the error.log, fix issues, and voila. I expected an auto-update to crash the website.
Later on, I checked the website via mobile phone, and I realized (actually pretty randomly) that in some case scenarios, the site was displaying an awkwardly looking content with Chinese text and some bags for sale, see the images below:
Desktop screnshot of the website
Mobile screenshot of the website
I realized, there was something wrong, and that my first impression, that an auto backup failed was wrong. The above page was displayed only in several rare case scenarios, i.e. browsers w/o any firewall or virus scanner, so I thought this was pretty odd.
Site #2 – hacked WordPress database
On December 2023, a friend of mine approached me, that their website was having a redirect problem, where visitors viewing their websiteĀ https://zawszenawakacjach.pl/Ā from mobile have been experiencing an odd problem, i.e. they have been irregularly redirecting to a malicious website. Upon investigating the issue myself I realized, they were infected withĀ Balada InjectorĀ I figured this out by googling the problematic website and landing on the Sucuri Security blog.
A proof of potential infection, found in the source code
Back End Discovery (files)
So, I decided to login to the site via FTP and I found, a bunch of suspiciously looking files and directories under the hood, say:
Suspicious Directories
Suspicious Files
Notice, the strange names of these. To the left:Ā 26sos5p7 – which doesn’t seem humanly readable, and say:Ā FoxEx-v1 and several others named with most likely a Kanji (visible through the server Control Panel FTP Manager, only). This assured me, that the site was being tampered with and that it required immediate attention. Such file names are usually, nowhere to be found within the WordPress ecosystem, hence, they should be removed right away.
Manual malware pursuit & cleanup try
Site #1
Since, the site was, most likely infected and I had no means of accessing the website via wp-admin / wp-login.php and so on. I did the following:
I logged in via FTP and I manually removed as many infected/suspicious files as possible – to prevent further infections (if any). I did that directly via FTP or Control Panel, w/o downloading the files to my local PC (to prevent potential infection of my local PC – remember not to open these files (if not required) and if you are certain of potential risks involved).
In some case scenarios, where files couldn’t be removed I checked the server-side logs. Some oddly looking files were being blocked from being accessed. These files that I missed while traversing the FTP, have also been quite suspiciously looking:
Some suspicious files as seen in the logs
Again, I removed these files manually, I tried enabling the debugger again, and I tried checking the logs, and the site was still inaccessible… I thought I got rid of all the infections, yet nothing has changed.
Digging further into the files, I discovered that WordPress core files may have been tampered with, so there was not much I could do, but just overwrite everything with the latest core WordPress files.
Site #2
Similarly to #1, I tried to find the malicious code directly within the WordPress files first – to no avail. With no code found in the files of their install, I decided to investigate the database of the website, taking into account the mitigation steps outlined on theĀ Sucuri Blog.Ā The script to find the code was pretty simple, I searched the {prefix}_options table of the website, with a simple search as suchĀ SELECT * FROM `wp_options` WHERE `option_value` LIKE ‘%startperfectsolutions%’. To simplify the process, you can useĀ the phpMyAdminĀ tool, usually available with most hosting providers, and perform a search there.
phpMyAdmin is a great tool for performing easy db operations through its GUI
With the usage of the above tool, I managed to find and remove the infected row directly from the db. Thus getting rid of it and preventing any further redirects.
This section applies to both of the websites. The problems described above, and inability to relaunch the site, made me do the following:
I’ve uploaded latest WordPress core files, overwriting everything (i.e. files, directories) we have had with the latest WordPress files. Note: The FTP client, gives a good info of potential failures, with information of what has been overwritten and what not. I got to the point where I was quite certain no core file would remain infected, as they were simply overwritten.
I’ve set up a new WordPress install, loading vanilla WordPress within the same directory as the previous one (using separate DB). This gave me the option to log in to a fresh Dashboard and run the updates of all WordPress existing plugins, again reducing the risk of having malicious files on the platform. Hence, after a longer while of fighting with the updates, I got to a point, where the client’s website was accessible from the browser š
For the sake of visitors, I used the Maintenance Mode plugin to inform them, that we were dealing with some sort of problem here – no details were provided/needed at this point.
Website after enabling Maintenance Mode
Possible Security Penalty
This was a first good step forward. If you get stuck with malware removal (as I did) and want to avoid clients seeing the infected version of your website, and also you want to avoid, getting a penalty from Google (assuming the infection would spread and cause some unwanted behavior, say: https://www.wordstream.com/blog/ws/2021/06/30/google-penalty (point #6)) then this should temporarily do the job (or at least calm your client down) and prevent further infection.
Ā
Cleaning up Malware
Site #1
The above temporary solution gave me some extra time and room for different kinds of work. With WordPress Dashboard being accessible and most likely all files up-to-date, I started proceeding with hardening and checking the site for any remains of the malware. Note: It’s not a problem to run a separate DB on the same WordPress install, as long as you don’t touch the DB of the original site – this gives one an access to the files from the Dashboard of the original install. Also, I’ve run Sucuri Security, Malcare, and iThemes Security plugins one by one with the hope of them removing any remains of malware. Find the results here:
Sucuri Scan Results
iThemes Security Scanner Results
Sucuri Hardening
Sucuri helped me out in adding extra layers of hardening, however, it failed in the removal/restoration of the remaining, supposedly infected files, which were most likely correctly identified. iThemes Security failed to perform any scan (most likely due to my friends’ server configuration), and Malcare… Well, Malcare identified that the site got infected and asked me for a paid service which I resigned from using š
A follow up from the iThemes
Update: A follow up quote from Daniel Knauss from the iThemes. This is a part of the conversation to be found on Linkedin.
IThemes Security is quite different from the others you looked at. It does not have a malware detection tool. The Site Scan feature checks if you have installed software with known vulnerabilities that could be hacked. It also checks if Google has flagged your site for the presence of malware, which indicates you have been hacked: https://ithemes.com/security/site-scan/ Ā You can also use our File Change scanner to look for malware, but this really is not a comprehensive breach detection and cleanup tool. Finding and cleaning up a breach is not a security activity. Security is about prevention, so those hacks never happen, and you never have to do cleanup. So iThemes Security is focused on helping you harden your site and protect your users so you never get malware on your site. Ā It looks like your friend’s hosting account may not be capable of running these scans ā if you run into rate limiting you can wait and hope the server fres up, but you really may need more server resources. Here’s a support forum discussion about this: https://wordpress.org/support/topic/exceeded-rate-limit-please-wait-81-seconds/
What was I to do next, I asked myself? The site was up-to-date, and most likely most of the identified malicious files (excluding the potentialy malicious files mentioned by Sucuri) have been removed, while Sucuri (first choice) helped me out by adding an extra layer of protection. So, I gave it a try and I tried enabling the previous version of the website. I edited the wp-config.php file, to load the DB of the original website, to see if it would work now, and it did. Here’s what the site looked like next:
Post Removal Website Up & Running
The site seemed to be running properly now. With “everything” up-to-date and an extra hardening applied on top of that. Based on the Sucuri Check, the site was free from Malware and was not blacklisted.
Note: I’ve immediately notified the hosting provider of the site of the infection and a hack, with specifics of the files to be removed/potentially suspicious, for another round of hardening. With my limited site access (i.e. only FTP and Hosting Provider File Manager), there’s still a slight risk, that I haven’t managed to get rid of everything. I’ve also notified my friend (or a client) of other, further steps required by him to take to avoid this happening again in the future.
Site #2
With the row containing the Mailcious script removed from the db the website, was clean. However, to prevent this issue from happening again, we’ve updated all of the plugins and WordPress to their latest version and we’ve applied hardening methods described in the final section of the article, thus preventing any other infections from happening.
Conclusion
Dealing with an infected WordPress website is a PITA, not only you may have problems fixing the website yourself (as I had), but commonly used Malware Scanners may fail as well. The best way to prevent a malware infection or a hack is to stick to several rules, that improve the website’s layers of protection. The term is called risk mitigation, and with WordPress, one can follow several rules to prevent an infection:
Perform regular checks of your website, including security scans, they may fail (as in my case scenario) but they may give you an impression of having problems.
Finally, If you are having a problem with your website and you are looking for help, don’t hesitate to reach out the me via the Contact Page, or directly through the Codeable.
By browsing through the site and filling in the Contact Forms you agree to our PRIVACY POLICY. Moreover WP doin website uses COOKIES to improve your experience. We assume you're ok with this, but you can opt-out if you wish. ACCEPTREJECTCookie settings
Privacy & Cookies Policy
Privacy Overview
This website uses cookies to improve your experience while you navigate through the website. Out of these, the cookies that are categorized as necessary are stored on your browser as they are essential for the working of basic functionalities of the website. We also use third-party cookies that help us analyze and understand how you use this website. These cookies will be stored in your browser only with your consent. You also have the option to opt-out of these cookies. But opting out of some of these cookies may affect your browsing experience.
Necessary cookies are absolutely essential for the website to function properly. This category only includes cookies that ensures basic functionalities and security features of the website. These cookies do not store any personal information.
Cookie
Duration
Description
cookielawinfo-checkbox-advertisement
1 year
Set by the GDPR Cookie Consent plugin, this cookie records the user consent for the cookies in the "Advertisement" category.
cookielawinfo-checkbox-analytics
1 year
Set by the GDPR Cookie Consent plugin, this cookie records the user consent for the cookies in the "Analytics" category.
cookielawinfo-checkbox-functional
1 year
The GDPR Cookie Consent plugin sets the cookie to record the user consent for the cookies in the category "Functional".
cookielawinfo-checkbox-necessary
1 year
Set by the GDPR Cookie Consent plugin, this cookie records the user consent for the cookies in the "Necessary" category.
cookielawinfo-checkbox-others
1 year
Set by the GDPR Cookie Consent plugin, this cookie stores user consent for cookies in the category "Others".
cookielawinfo-checkbox-performance
1 year
Set by the GDPR Cookie Consent plugin, this cookie stores the user consent for cookies in the category "Performance".
CookieLawInfoConsent
1 year
CookieYes sets this cookie to record the default button state of the corresponding category and the status of CCPA. It works only in coordination with the primary cookie.
Functional cookies help to perform certain functionalities like sharing the content of the website on social media platforms, collect feedbacks, and other third-party features.
Cookie
Duration
Description
__cf_bm
30 minutes
Cloudflare set the cookie to support Cloudflare Bot Management.
aet-dismiss
never
Disqus sets this cookie for the functionality of the websiteās comment system.
badges-message
never
Disqus sets this cookie for the functionality of the websiteās comment system.
drafts.queue
never
Disqus sets this cookie for the functionality of the websiteās comment system.
submitted_posts_cache
never
Disqus sets this cookie for the functionality of the websiteās comment system.
Performance cookies are used to understand and analyze the key performance indexes of the website which helps in delivering a better user experience for the visitors.
Cookie
Duration
Description
__jid
30 minutes
Disqus sets this cookie to remember the user's Disqus login credentials across websites that use Disqus.
Analytical cookies are used to understand how visitors interact with the website. These cookies help provide information on metrics the number of visitors, bounce rate, traffic source, etc.
Cookie
Duration
Description
__gads
1 year 24 days
Google sets this cookie under the DoubleClick domain, tracks the number of times users see an advert, measures the campaign's success, and calculates its revenue. This cookie can only be read from the domain they are currently on and will not track any data while they are browsing other sites.
_ga
1 year 1 month 4 days
Google Analytics sets this cookie to calculate visitor, session and campaign data and track site usage for the site's analytics report. The cookie stores information anonymously and assigns a randomly generated number to recognise unique visitors.
_ga_*
1 year 1 month 4 days
Google Analytics sets this cookie to store and count page views.
_gh_sess
session
GitHub sets this cookie for temporary application and framework state between pages like what step the user is on in a multiple step form.
brwsr
1 year 1 month 4 days
This cookie is set by the provider Impact Radius. This cookie is used for affiliate marketing.
CONSENT
2 years
YouTube sets this cookie via embedded YouTube videos and registers anonymous statistical data.
disqus_unique
1 year
Set to record internal statistics for anonymous visitors.
Advertisement cookies are used to provide visitors with relevant ads and marketing campaigns. These cookies track visitors across websites and collect information to provide customized ads.
Cookie
Duration
Description
__gpi
1 year 24 days
Google Ads Service uses this cookie to collect information about from multiple websites for retargeting ads.
DSID
1 hour
This cookie is set by DoubleClick to note the user's specific user identity. It contains a hashed/encrypted unique ID.
IDE
1 year 24 days
Google DoubleClick IDE cookies store information about how the user uses the website to present them with relevant ads according to the user profile.
test_cookie
15 minutes
doubleclick.net sets this cookie to determine if the user's browser supports cookies.
VISITOR_INFO1_LIVE
5 months 27 days
YouTube sets this cookie to measure bandwidth, determining whether the user gets the new or old player interface.
YSC
session
Youtube sets this cookie to track the views of embedded videos on Youtube pages.
yt-remote-connected-devices
never
YouTube sets this cookie to store the user's video preferences using embedded YouTube videos.
yt-remote-device-id
never
YouTube sets this cookie to store the user's video preferences using embedded YouTube videos.
yt.innertube::nextId
never
YouTube sets this cookie to register a unique ID to store data on what videos from YouTube the user has seen.
yt.innertube::requests
never
YouTube sets this cookie to register a unique ID to store data on what videos from YouTube the user has seen.
