Unlike common computer viruses, malware that infects WordPress often rewrites legitimate WordPress core files and lives inside them as a parasite. We will explain the reasons for this and how to deal with it.

Malware parasitic on legitimate WordPress files

This type of malware embeds itself by altering legitimate WordPress files, such as:

index.php
/wp-includes/query.php
/wp-includes/pluggable.php
/wp-includes/l10n.php

and others.

Let’s look at some examples of malware code parasitic on the above legitimate files.

Parasitic file name /wp-includes/pluggable.php

This malware loads the malware body with $wp_update_file=, which is common nowadays, and spreads or saves the malware on the server with @file_put_contents(.

Parasitic file name /wp-includes/blocks/media-text.php

The malware here is what is called a backdoor: it processes cookie data containing malicious code sent by hackers in order to execute arbitrary code on the server.

Why does the malware parasitize legitimate WordPress files?

The reason is that these files are executed every time a WordPress page is loaded.

Parasitizing files that are executed every time a page is displayed in WordPress makes it easier for hackers to spread the infection automatically, to reinfect the site automatically, or to send malicious code for the server to execute, each time a page on the site is displayed. This is an advantage for hackers because they no longer need to target specific files to execute malicious code.

A few years ago, index.php and wp-config.php were the main targets for parasitic malware, but in recent years malware has come to parasitize a wide variety of other WordPress core files that are always executed.

Finding and Removing Malware Parasitized in WordPress Core Files

WordPress core consists of thousands of program files, and it is not easy to open every one of them to look for malware.

We recommend the use of a malware scanning plug-in that provides a comprehensive scan for malware.

Free WordPress:Malware Scan & Security Plug-in [Malware and Virus Detection and Removal].

When removing malware parasites from legitimate files, please be careful to remove only the malware part. If you delete the entire legitimate file, or delete critical code in the legitimate file, the site will malfunction; for example, it will not display properly.

If you are unsure how much of a file is malware, you can download the WordPress core files of the same version and use FTP software to replace the infected files with these clean copies that are not infected with malware.
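One way to find which core files need replacing, as an added example that is not from the original article: hash every file in a clean copy of the same WordPress version and compare it with the live install. The function names and the small demo tree are assumptions constructed for illustration; the demo tree is not real WordPress code.

```python
import hashlib
import tempfile
from pathlib import Path

CORE_ONLY_DIRS = ("wp-admin", "wp-includes")  # no site-specific files belong here

def sha256(path):
    return hashlib.sha256(path.read_bytes()).hexdigest()

def compare_core(site_root, clean_root):
    """Return (modified, missing, unexpected) relative paths, each sorted."""
    site, clean = Path(site_root), Path(clean_root)
    modified, missing, unexpected, reference = [], [], [], set()
    for ref in clean.rglob("*"):
        rel = ref.relative_to(clean)
        if not ref.is_file() or rel.parts[0] == "wp-content":
            continue  # themes, plugins and uploads legitimately differ per site
        reference.add(rel)
        live = site / rel
        if not live.is_file():
            missing.append(rel.as_posix())
        elif sha256(live) != sha256(ref):
            modified.append(rel.as_posix())
    # Files in core-only directories that the clean copy does not ship.
    for name in CORE_ONLY_DIRS:
        for live in (site / name).rglob("*"):
            rel = live.relative_to(site)
            if live.is_file() and rel not in reference:
                unexpected.append(rel.as_posix())
    return sorted(modified), sorted(missing), sorted(unexpected)

def demo():
    """Run the comparison on two small constructed trees (not real WordPress)."""
    base = Path(tempfile.mkdtemp())
    core = {"index.php": "<?php // index", "wp-includes/pluggable.php": "<?php // pluggable",
            "wp-includes/l10n.php": "<?php // l10n", "wp-admin/admin.php": "<?php // admin"}
    for root in ("clean", "site"):
        for rel, body in core.items():
            path = base / root / rel
            path.parent.mkdir(parents=True, exist_ok=True)
            path.write_text(body)
    # Constructed tampering: a line appended to one core file, plus one extra file.
    (base / "site/wp-includes/pluggable.php").write_text("<?php // pluggable\n// injected")
    (base / "site/wp-includes/cache-tmp.php").write_text("<?php // not in core")
    (base / "site/wp-config.php").write_text("<?php // site config")
    return compare_core(base / "site", base / "clean")

if __name__ == "__main__":
    print(demo())
```

Files reported as modified are the candidates for replacement with the clean copy. The site root is not checked for extra files because it legitimately holds site-specific files such as wp-config.php.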