This article explains how to respond when a client reports that a WordPress site you maintain is infected with malware.

What is the initial response when malware infection of a maintained site is suspected, based on a notification from a client or a remark from a site user?
In this case, the first thing to do is to ascertain whether the site is actually infected.
Typical symptoms of a malware-infected site are as follows:
– When you access the site, you are redirected to another site.
– Logging in is no longer possible (403 error on the login screen).
– Many invalid pages are registered in the search results.
– The browser turns red and warns of malware infection.
– Unrecognized spam mail is sent in large quantities from the same domain.
– An administrator user that you do not remember adding has been added to the system.
If you are experiencing any of these symptoms, there is a high possibility that the site is infected with malware.
Examine the site with a malware scanning mechanism
Use an online malware inspection system or a plug-in to inspect the site for malware.
Online malware scan
https://sitecheck.sucuri.net/
Malware scanning with plug-ins
WP Doctor Malware Scanner Pro
Automated malware scans (especially online malware scans) have limited detection power. We recommend that you do not tell your clients that their site is free of malware just because your scan did not find any. In fact, there have been cases where the cause was a new type of malware, no countermeasures were taken, the infection spread until the site became inaccessible, and compensation for damages resulted.
It is better to clearly identify the cause of the site problems the client is pointing out and only then politely inform the client that malware is not the cause of the symptoms, so that there will be fewer problems later.
FTP connection to check for malicious files on the server
Connect to the server with FTP software to check for malicious files or tampering with legitimate files.
Typical malicious files include the following:
(1) An index.php file that contains obfuscated strings
(2) An .htaccess file with directives that prohibit access to PHP files
(3) A PHP file with a random alphanumeric name
(4) A file whose name differs only slightly from that of a regular file, such as wp-confiq.php
(5) Files with the same name, such as moon.php, written into various folders (even outside the public directory), whose contents contain obfuscated code
What to do if you are sure that your site has been infected with malware
If you discover that a site is infected with malware, notify the client and inform them of what will be done and how long it will take to restore the site.
The basic measures to be taken when a site is infected with malware are as follows:
– Remove the malware infection
– Remove the vulnerability that allowed hackers to enter the site
– Provide security measures for your site
When the browser turns red and warns of malware infection, we also request removal from the blacklists of malware-infected sites maintained by Google and other sources.
Recent malware often spreads beyond one domain's folder to multiple sites on the same server. We recommend that malware scanning and infection countermeasures be performed on all sites on the server. If there are a large number of sites on one server, a malware infection may spread to all of them at once, so we recommend that you distribute the sites across different servers (different accounts).
Who is responsible for malware infection?
It depends on the content of the maintenance contract, but in general, most maintenance contracts do not include a clause for malware infection. In such cases, the responsibility for malware infection lies neither with the maintenance company nor with the client (see note), but with the hacker’s unauthorized access.
*Note: There are also cases where the terms of the maintenance contract are flawed, such as neglecting to update the site, using a weak initial password, infecting the PC with malware, or unintentionally uploading malware from another site.
We recommend that basic site security measures be taken at the time of site creation and maintenance contract.
However, in the case of WordPress, when you try to find out who hacked into the site and when, it often turns out to be a case of hacking from another country. WordPress is also a system that is constantly being accessed by hackers from all over the world (regardless of whether the hack was successful or not), so in reality it is very difficult to identify the hackers and hold them accountable.
Reference page
When WordPress is hacked, do you know the cause and date of the hack?
For this reason, if WordPress is infected with malware, it is of utmost importance to remove the malware as soon as possible, restore the site, and take security measures to prevent re-infection.
*Disclaimer
As a company of technical experts, we are not responsible for the content of this article regarding legal issues. Please consult an attorney regarding any legal issues.
This page prohibits the use, quotation, or summarization of any page, in whole or in part, by generative AI. However, if the following conditions are met, the specification of content using generative AI is permitted.
1. It is not for the purpose of learning by the generative AI.
2. Only the summary or title of the page content, at a level that does not lead to the solution of the user’s problem, is shown to the user.
3. In the case of 2, a link to this content is shown to lead the user to this page.



