This article explains why a malware-infected WordPress site redirects visitors to another site, and why the malicious code comes back after a while no matter how many times you remove it.
Examples of WordPress malware that resurface again and again
Here is one case of repeated reinfection.
**/** around noon: Redirect hacking damage was discovered. Symptoms: redirection to an unauthorized site on the first access (after reloading or going back once, normal browsing is possible thereafter).
*/** around evening: The “Malcare” security plugin was installed, and a scan and repair were performed.
**/**: A similar event occurred in the evening, so a scan and repair were performed.
*/**: Nothing in particular happened.
**/**: Recurred as above. We found illegal code in some PHP files that loaded a file to perform the redirect, so we removed the code.
**/**: Although the above redirects no longer occur, there have so far been three occurrences of redirects with malicious scripts embedded in header.php. We delete the script each time it occurs.
Status: We have installed the SITEGUARD plugin and changed the login URL, ID, password, etc., but looking at the firewall logs that can be checked with “Malcare,” there are traces of user information being accessed and logins taking place. It is possible that a backdoor has already been set up, and we do not know what to do about it (we block IP addresses that behave improperly on a case-by-case basis, but it seems to be a game of “we’ll try again and again”).
Why does the illegal redirect code come back so quickly?
In our experience, the following are the five most common reasons why malicious redirect code is quickly resurrected after removal.
1. The malware that embeds the malicious code on the site has not itself been removed, so the malicious code is embedded in the site header or index.php again every time the site is accessed.
2. Malicious users have been created, and hackers log in and repeatedly embed the malicious code.
3. The code that embeds the malicious code is not in a file but is resident and running in the server’s memory (as a process).
4. Malware-infected sites on other domains within the same server repeatedly embed the malicious code.
5. The vulnerability that allowed the hacker into the site in the first place has not been resolved.
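To give the first two reasons above something concrete to check against, here is an added triage script (written for this article; it is not code from the article, from MalCare or from SiteGuard). It walks a WordPress tree for textual signs of injected code, such as a remote script tag in header.php or eval(base64_decode( in index.php, marks which hits were modified recently, and compares an administrator list in the shape of `wp user list --format=json` output against the admins you know you created. The indicator patterns, the sample site tree and the sample user list are constructed for the demo; the wp-cli field names are assumed.

```python
"""Added example: file-level triage for a reinfected WordPress site.

Illustrative code written for this article; it is not code from the
article, from MalCare or from SiteGuard. The indicator patterns, the
sample site tree and the sample user list are constructed for the demo.
"""
import re
import tempfile
import time
from pathlib import Path

# Textual signs of injected code (constructed; each hit is a lead to review, not a verdict).
INDICATORS = {
    "eval_base64": re.compile(r"eval\s*\(\s*base64_decode\s*\("),
    "remote_script": re.compile(r"<script[^>]*\bsrc\s*=\s*[\"']https?://", re.I),
    "js_redirect": re.compile(r"\b(window\.location|location\.href|location\.replace)\s*[=(]", re.I),
    # PHP pulling code from a file disguised with an image extension
    "include_disguised": re.compile(r"\b(include|require)(_once)?\b[^;]*\.(ico|png|jpg|gif)['\"]", re.I),
}


def scan_php_tree(root, recent_hours=48):
    """Walk a WordPress tree and return one finding per (file, indicator) hit.

    'recent' marks files changed within recent_hours; on a site that keeps
    getting re-injected that is usually where the newest payload sits.
    """
    root = Path(root)
    now = time.time()
    findings = []
    for path in sorted(root.rglob("*.php")):
        try:
            text = path.read_text(encoding="utf-8", errors="ignore")
            mtime = path.stat().st_mtime
        except OSError:
            continue
        for name, pattern in INDICATORS.items():
            if pattern.search(text):
                findings.append({
                    "file": path.relative_to(root).as_posix(),
                    "indicator": name,
                    "recent": (now - mtime) < recent_hours * 3600,
                })
    return findings


def unexpected_admins(users, known_admins):
    """Given records shaped like `wp user list --format=json` output (assumed
    fields ID, user_login, roles), return administrator logins you did not create."""
    return sorted(
        u["user_login"] for u in users
        if "administrator" in u.get("roles", "").split(",")
        and u["user_login"] not in known_admins
    )


# Constructed sample of what the wp-cli user export might contain.
SAMPLE_USERS = [
    {"ID": 1, "user_login": "siteowner", "roles": "administrator"},
    {"ID": 7, "user_login": "editor_jane", "roles": "editor"},
    {"ID": 42, "user_login": "wp_support2", "roles": "administrator"},
]


def build_demo_site():
    """Create a throwaway tree with an injected index.php, an injected
    theme header.php and one clean file (all constructed)."""
    root = Path(tempfile.mkdtemp(prefix="wp-demo-"))
    files = {
        "index.php": "<?php\n/* injected */ eval(base64_decode('aGVsbG8='));\n"
                     "require __DIR__ . '/wp-blog-header.php';\n",
        "wp-content/themes/demo/header.php":
            "<!DOCTYPE html><html><head>\n"
            "<script src=\"https://malware.example.invalid/r.js\"></script>\n"
            "<?php wp_head(); ?></head>\n",
        "wp-includes/clean.php": "<?php\nfunction demo_helper() { return 1; }\n",
    }
    for rel, body in files.items():
        target = root / rel
        target.parent.mkdir(parents=True, exist_ok=True)
        target.write_text(body, encoding="utf-8")
    return root


if __name__ == "__main__":
    site = build_demo_site()
    for f in scan_php_tree(site):
        print(f"{f['file']:40} {f['indicator']:18} recent={f['recent']}")
    print("unexpected admins:", unexpected_admins(SAMPLE_USERS, {"siteowner"}))
```

Run it against a copy of the real document root rather than the live site, and treat each hit as something to read by hand: a theme can legitimately set window.location, and the point of the recent flag is to find the file the reinfection mechanism keeps rewriting, not just the payload that was already cleaned.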
What to do if reinfection occurs repeatedly
1 Remove all malware
Please use a malware scanning plugin with a high detection rate to find the malware itself that is the source of the reinfection.
[Free] WordPress: Malware Scan & Security Plug-in [Malware and Virus Detection and Removal]
If any is found, remove the malware body itself.
If you have multiple sites on your server, we recommend using the above plug-in to scan and remove malware from every site on the server, since an infected neighbouring site can re-embed the code.
2 Remove unauthorized users
If there is an administrator user in WordPress that you do not remember creating, delete that user, or change its password to a strong one so that it cannot be used to log in again.
We recommend that you also change the passwords of the existing administrator users.
3 Elimination of process-resident malware
This is generally a more difficult task, because it requires executing special commands on the server. Doing so may bring PHP down, making the site temporarily unviewable and requiring PHP on the server to be restarted.
Please note that the following command is to be executed on the server (the bracket in `[p]hp` keeps the grep process itself out of the list):
ps aux | grep -i '[p]hp' | awk '{print $2}' | xargs kill -9
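Before killing every PHP process, it helps to know which one is the implant. The added script below (written for this article, not the article's own or any product's) reads /proc on a Linux host and flags PHP-looking processes by the signs a memory-resident implant tends to leave: an executable that has been deleted from disk since launch, or an executable or working directory under /tmp, /dev/shm or /var/tmp. The detection logic is a pure function so it can be shown on constructed sample records; the directory list is an assumption you may want to extend.

```python
"""Added example: spotting process-resident malware on a Linux web host.

Illustrative code for this article, not the article's own or any
product's. collect_processes() reads /proc directly (Linux only); the
sample records used in the demo are constructed.
"""
import os
from pathlib import Path

# World-writable locations a dropper commonly runs from (assumed list).
SUSPECT_DIRS = ("/tmp", "/dev/shm", "/var/tmp")


def collect_processes():
    """Turn every numeric /proc entry into a plain record.
    Links that cannot be read (permission denied, process already gone) become None."""
    records = []
    for entry in Path("/proc").iterdir():
        if not entry.name.isdigit():
            continue

        def link(name):
            try:
                return os.readlink(entry / name)
            except OSError:
                return None

        try:
            raw = (entry / "cmdline").read_bytes()
            cmdline = raw.replace(b"\0", b" ").decode(errors="replace").strip()
        except OSError:
            cmdline = ""
        records.append({"pid": int(entry.name), "cmdline": cmdline,
                        "exe": link("exe"), "cwd": link("cwd")})
    return records


def _under(path, dirs=SUSPECT_DIRS):
    """True if path is one of dirs or lies beneath one of them."""
    return bool(path) and any(path == d or path.startswith(d + "/") for d in dirs)


def _looks_like_php(r):
    """Match on the command line or on the basename of the real executable."""
    exe_base = os.path.basename((r["exe"] or "").replace(" (deleted)", ""))
    return "php" in r["cmdline"].lower() or "php" in exe_base.lower()


def suspicious_processes(records):
    """Return the PHP-looking processes that show implant-like traits, with reasons."""
    hits = []
    for r in records:
        if not _looks_like_php(r):
            continue
        reasons = []
        # The kernel appends " (deleted)" when the binary was unlinked after launch.
        if r["exe"] and r["exe"].endswith(" (deleted)"):
            reasons.append("executable deleted from disk")
        if _under(r["exe"]):
            reasons.append("executable in a world-writable directory")
        if _under(r["cwd"]):
            reasons.append(f"running from {r['cwd']}")
        if reasons:
            hits.append({"pid": r["pid"], "cmdline": r["cmdline"], "reasons": reasons})
    return hits


# Constructed sample: one healthy php-fpm worker, two implants, one unrelated process.
SAMPLE_RECORDS = [
    {"pid": 101, "cmdline": "php-fpm: pool www", "exe": "/usr/sbin/php-fpm8.2", "cwd": "/"},
    {"pid": 202, "cmdline": "php /tmp/.x/run.php", "exe": "/usr/bin/php8.2 (deleted)", "cwd": "/tmp/.x"},
    {"pid": 303, "cmdline": "/dev/shm/.php -q", "exe": "/dev/shm/.php", "cwd": "/var/www"},
    {"pid": 404, "cmdline": "nginx: worker process", "exe": "/usr/sbin/nginx", "cwd": "/"},
]


if __name__ == "__main__":
    recs = collect_processes() if Path("/proc").is_dir() else SAMPLE_RECORDS
    for h in suspicious_processes(recs):
        print(h["pid"], h["cmdline"], "->", "; ".join(h["reasons"]))
```

Run it as root so /proc/PID/exe is readable for every process, and note the one common false positive: a php-fpm upgraded by the package manager but not yet restarted also shows "(deleted)", so check the package log before assuming that hit is malicious. Once you have a PID you trust, kill that one and restart PHP, rather than everything matching "php".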
4 Close existing vulnerabilities
Update WordPress itself and all plugins as far as possible to close the vulnerability that let the hacker in in the first place.
Plugin and other vulnerabilities can also be looked up at the following site:
WordPress Vulnerability Database
For basic WordPress security measures, please refer to the following page:
Five free WordPress security measures