This article explains how to remove malware using the WordPress:Malware Scan & Security plugin [Malware and Virus Detection and Removal], which WordPress Doctor created on the basis of its experience with a large number of malware removal requests.

Introduction: Precautions for Malware Removal

Malware removal requires specialized knowledge. Careless cleanup can, in the worst case, leave the site unable to display at all. If you do it yourself, pay special attention to the following points.

1 If the malware is a parasite living inside an original WordPress file, only the tampered part must be removed, and it must be removed carefully.

2 If the file is not a legitimate WordPress file, deleting the file itself is unlikely to cause a problem, but in rare cases the tampered file is loaded by another tampered file.

In that case, deleting the tampered file causes an error in the file that loads it, and at worst the site stops displaying. If an error occurs, find the file that loads the deleted one and remove that tampered file as well.

3 Database infections are most often JavaScript code embedded in posts or widgets. It is usually possible to neutralize the malware by removing only the malicious part of the content, without deleting the whole post or widget record.

Scan for malware and tampering

Install the WordPress:Malware Scan & Security plugin [Malware and Virus Detection and Removal] and click the “Start Scan Now” button.

Once malware is detected, a detection list appears.
The list distinguishes two kinds of result: pattern match and confirmed diagnosis. If an entry is marked as a confirmed diagnosis, it is almost certain that the site has been tampered with.

We will now walk through removing the malware from this example detection.

Removing the malware with the plugin

Step 1 Check if this file is one of the files originally included in WordPress or in the plugin

Malware may be embedded as a parasite inside a legitimate WordPress or plugin file.
If that is the case, deleting the whole file will most likely break your site.

Most commonly, this type of malware infects wp-config.php and index.php.
These two files are loaded on every page view, which makes them convenient for the attacker: the malware runs automatically whenever anyone visits the site.

How can you tell whether a file is legitimate?
You can get a rough idea by checking the following points.

Signs that a file is not legitimate
1 The name does not start with wp-
2 The name does not start with class-
3 It is not index.php
4 The name is a meaningless random string with a .php or .ico extension
5 The name looks like a misspelling of a legitimate WordPress file, e.g. xmlrrpc.php (the real file is xmlrpc.php)

These are only hints. Attackers also give their files wp- prefixes so that they blend in, so a plausible-looking name by itself does not prove that a file is legitimate.

Alternatively, download a fresh copy of the same WordPress version or plugin from the official site and check whether the detected file name and path exist in it.
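That comparison can be done for the whole site at once. The script below is an added example, not part of the plugin or of this article. It assumes you have downloaded the same WordPress version (or plugin) from wordpress.org and unpacked it beside the site; it hashes every file in both trees and reports files that exist only on the site (candidate standalone malware, including random-named .ico files that actually contain PHP) and files whose contents differ from the package (candidate parasitic malware). wp-config.php is not shipped in the package, so it is set aside for manual review rather than flagged. The two directory trees the demo builds are constructed for the demonstration.

```python
"""Compare a WordPress install against a pristine copy of the same version.

Added example, not the plugin's code. Files present on the site but absent
from the package are "extra" (candidate standalone malware); files present
in both but with different hashes are "modified" (candidate parasitic
malware). The demo trees below are constructed.
"""
import hashlib
import tempfile
from pathlib import Path

# Not shipped in the package, so always "extra": review these by hand instead.
REVIEW_BY_HAND = {"wp-config.php", ".htaccess"}
# Upload directories legitimately contain files the package never had;
# an extra file there is only flagged if it actually contains PHP code.
UPLOAD_PREFIXES = ("wp-content/uploads/",)


def sha256_of(path: Path) -> str:
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def looks_like_php(path: Path) -> bool:
    """A .ico or .jpg that contains a PHP open tag is a script, whatever its name says."""
    with path.open("rb") as fh:
        head = fh.read(4096)
    return b"<?php" in head or b"<?=" in head


def manifest(root: Path) -> dict:
    """Map relative POSIX path -> sha256 for every regular file under root (dotfiles included)."""
    return {p.relative_to(root).as_posix(): sha256_of(p)
            for p in root.rglob("*") if p.is_file()}


def compare(site_root, pristine_root):
    """Return (extra, modified): site files not in the package, and site files that differ from it."""
    site, clean = manifest(Path(site_root)), manifest(Path(pristine_root))
    extra, modified = [], []
    for rel, digest in sorted(site.items()):
        if rel in REVIEW_BY_HAND:
            continue
        if rel not in clean:
            if rel.startswith(UPLOAD_PREFIXES) and not looks_like_php(Path(site_root) / rel):
                continue
            extra.append(rel)
        elif clean[rel] != digest:
            modified.append(rel)
    return extra, modified


def _write(root: Path, rel: str, body: str) -> None:
    path = root / rel
    path.parent.mkdir(parents=True, exist_ok=True)
    path.write_text(body)


def run_demo():
    """Build constructed 'pristine' and 'site' trees and compare them."""
    tmp = Path(tempfile.mkdtemp(prefix="wp-compare-"))
    clean, site = tmp / "pristine", tmp / "site"
    core = {  # constructed stand-ins for files the real package contains
        "index.php": "<?php\nrequire __DIR__ . '/wp-blog-header.php';\n",
        "xmlrpc.php": "<?php\n// stand-in for the real xmlrpc.php\n",
        "wp-includes/class-wp.php": "<?php\nclass WP {}\n",
    }
    for root in (clean, site):
        for rel, body in core.items():
            _write(root, rel, body)
    # Constructed infection, modelled on the pattern the article describes: a parasitic
    # @include prepended to index.php, the hidden .ico payload it loads, a misspelled
    # copy of a core file name, and wp-config.php (never shipped in the package).
    _write(site, "index.php",
           '<?php\n/*e4f70*/ @include "/tmp/.a1b2c3d4.ico"; /*e4f70*/\n'
           "require __DIR__ . '/wp-blog-header.php';\n")
    _write(site, "wp-content/uploads/2024/.a1b2c3d4.ico", "<?php echo 'constructed payload';\n")
    _write(site, "wp-content/uploads/2024/photo.jpg", "constructed: not a script\n")
    _write(site, "xmlrrpc.php", "<?php\n// constructed: misspelled core file name\n")
    _write(site, "wp-config.php", "<?php\ndefine('DB_NAME', 'wp');\n")
    return compare(site, clean)


if __name__ == "__main__":
    extra, modified = run_demo()
    print("extra files   :", extra)
    print("modified files:", modified)
```

For core files alone, WP-CLI's wp core verify-checksums performs the same comparison against the official checksum list; the script above additionally covers plugin directories and uploads, and the wp-config.php it sets aside is exactly the file the previous paragraph names as a favourite target, so open it in the editor and read it through.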

Step 2: Eliminate parasitic-type malware

Open the file with the View Edit File button.

Malware code is usually obfuscated and compressed into a single long, unusual line, both to evade detection and to make its structure hard to understand; as a result, in many cases you can tell line by line which lines are malware and which are not.

In the code above, delete the statement from @include up to its terminating ; and press the Save Changes button, and the malware is removed.
The /*e4f70*/ part is a marker the attacker leaves in the comments to check later whether the injection is still in place. You may delete it as well.

Be sure to understand how PHP code is structured before removing anything!
If you break the structure of the PHP code while removing malware, the file will produce errors. Understand the following points before you perform the removal, to reduce accidents.

1 PHP code is enclosed between the opening tag <?php and the closing tag ?>. Note that the file will produce an error if an opening tag is left without its closing tag where HTML follows, or if code that should be PHP no longer starts with <?php.

If the malware is embedded as its own <?php ... ?> block, remove the whole block, from the opening tag <?php through the closing tag ?>. If the malware was injected inside an existing PHP block, as in the example above, remove only the malware statement and leave the file's own tags in place.

2 /* ... */ is a comment: a part of the PHP code that appears in the file but is not executed (harmless). Malware often includes several such /*...*/ markers, either so the attacker can check later whether the injection is still present or to break its code into pieces that evade detection.

3 The malware detection plugin only highlights lines that match a detection pattern; other lines may also be part of the malware code. (Even if every highlighted line is removed, the malware may not be fully removed.)

If it is hard to tell legitimate code from malware, download the original file from the official WordPress site and compare the two to see where the malware begins.
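Removing the statement by hand in the editor is fine for one file; when the same injection has been prepended to many files, the following added example (not the plugin's code) makes the same edit programmatically. The infected index.php it works on is constructed, modelled on the pattern described above: a /*hex*/ marker, an @include whose path is hidden with PHP octal escapes such as \057, and the marker again, all inside the file's existing <?php block. It removes only the injected statement and its markers, reports the decoded path of the file the include loads (which you will need in the next step), and checks afterwards that the PHP tags are still consistent, which is the mistake point 1 above warns about.

```python
"""Strip an injected @include statement from a parasitised core file.

Added example, not the plugin's code. The sample index.php is constructed.
Only the injected statement and its markers are removed; the legitimate
code and the file's own PHP tags are left untouched.
"""
import re
import shutil
from pathlib import Path

MARKER = r"/\*[0-9a-f]{4,8}\*/"          # e.g. /*e4f70*/
# marker, @include "<path>";, marker  (optional parentheses around the path)
INJECT_RE = re.compile(
    MARKER + r"\s*@include\s*\(?\s*(['\"])(.*?)\1\s*\)?\s*;\s*" + MARKER,
    re.DOTALL,
)

# Constructed sample: the injection sits inside the legitimate <?php block.
INFECTED_INDEX = (
    "<?php\n"
    "/*e4f70*/\n"
    "\n"
    '@include "\\057var\\057www\\057html\\057wp-content\\057uploads\\057.a1b2c3d4\\056ico";\n'
    "\n"
    "/*e4f70*/\n"
    "/**\n * Front to the WordPress application (constructed stand-in).\n */\n"
    "define( 'WP_USE_THEMES', true );\n"
    "require __DIR__ . '/wp-blog-header.php';\n"
)


def decode_php_string(s: str) -> str:
    """Resolve \\xHH and \\ooo escapes used to hide paths in double-quoted PHP strings."""
    s = re.sub(r"\\x([0-9A-Fa-f]{1,2})", lambda m: chr(int(m.group(1), 16)), s)
    s = re.sub(r"\\([0-7]{1,3})", lambda m: chr(int(m.group(1), 8)), s)
    return s


def strip_injected_include(source: str):
    """Return (cleaned_source, [decoded include targets]) for the injection pattern above."""
    targets = [decode_php_string(m.group(2)) for m in INJECT_RE.finditer(source)]
    cleaned = INJECT_RE.sub("", source)
    cleaned = re.sub(r"\n{3,}", "\n\n", cleaned)   # tidy the blank lines left behind
    return cleaned, targets


def php_tags_consistent(source: str) -> bool:
    """Sanity check after editing: every ?> must follow an open tag and open tags
    must not nest. A missing final ?> is fine (normal for pure-PHP files).
    Tags inside strings or comments are not understood, so a False result means
    "look again", not proof of breakage."""
    inside = False
    for tok in re.finditer(r"<\?(?:php\b|=)?|\?>", source):
        if tok.group() == "?>":
            if not inside:
                return False
            inside = False
        else:
            if inside:
                return False
            inside = True
    return True


def clean_file(path: str) -> list:
    """Clean a file in place, keeping a .bak copy; returns the include targets found."""
    p = Path(path)
    shutil.copy2(p, p.with_suffix(p.suffix + ".bak"))
    cleaned, targets = strip_injected_include(p.read_text(errors="replace"))
    if not php_tags_consistent(cleaned):
        raise RuntimeError(f"{path}: PHP tags look unbalanced after cleaning; review by hand")
    p.write_text(cleaned)
    return targets


if __name__ == "__main__":
    cleaned, targets = strip_injected_include(INFECTED_INDEX)
    print("include target(s):", targets)
    print("tags consistent  :", php_tags_consistent(cleaned))
    print(cleaned)
```

The decoded target is the standalone payload file; note it down, because point 3 above applies here too: the plugin highlights the @include line, but the file it loads is the rest of the malware and has to be dealt with in the next step.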

Step 3: Eliminate stand-alone type malware

Standalone malware, i.e. a file that is not a legitimate WordPress, plugin or theme file, can usually be removed without causing any problems.

However, in rare cases a malware file is loaded by, or itself loads, another malware file through include or require, a mechanism specific to PHP.
In that case, deleting one malware file can make the other fail with an error that stops the site from displaying.

In some cases the code is so heavily obfuscated that you cannot tell whether it contains such a load or not.
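Before deleting a standalone file, you can search the site for anything that loads it. The following added example (not the plugin's code) scans a constructed site tree for include/require statements whose target resolves to the file you are about to delete, decoding octal and hex escaped paths of the kind used in the parasitic @include from Step 2. It only resolves literal paths, so it cannot see a loader that builds the path with base64_decode(), eval() or string concatenation; an empty result is therefore not proof that nothing loads the file, which is exactly the caveat in the paragraph above.

```python
"""Find every file that include/require's a given file before you delete it.

Added example, not the plugin's code. The site tree is constructed. Only
literal (possibly escape-obfuscated) paths are resolved; loaders that
compute the path at run time are not found.
"""
import re
import tempfile
from pathlib import Path

# include/require, optionally _once, with or without @ and parentheses,
# up to the first quoted string in the statement.
LOADER_RE = re.compile(
    r"\b(?:include|require)(?:_once)?\b[^;]*?(['\"])(.*?)\1",
    re.DOTALL,
)


def decode_php_string(s: str) -> str:
    """Resolve \\xHH and \\ooo escapes used to hide paths in double-quoted PHP strings."""
    s = re.sub(r"\\x([0-9A-Fa-f]{1,2})", lambda m: chr(int(m.group(1), 16)), s)
    s = re.sub(r"\\([0-7]{1,3})", lambda m: chr(int(m.group(1), 8)), s)
    return s


def files_referencing(root, target: str) -> list:
    """Relative paths of files under root whose include/require points at `target`
    (matched by file name, so relative and absolute spellings both count)."""
    root = Path(root)
    name = Path(target).name
    hits = []
    for p in sorted(root.rglob("*")):
        if not p.is_file() or p.resolve() == (root / target).resolve():
            continue
        text = p.read_text(errors="ignore")
        for m in LOADER_RE.finditer(text):
            if Path(decode_php_string(m.group(2))).name == name:
                hits.append(p.relative_to(root).as_posix())
                break
    return hits


def _write(root: Path, rel: str, body: str) -> None:
    path = root / rel
    path.parent.mkdir(parents=True, exist_ok=True)
    path.write_text(body)


def run_demo() -> list:
    """Constructed site: two files load the standalone payload, one of them through an
    escaped absolute path; wp-blog-header.php loads only legitimate files."""
    root = Path(tempfile.mkdtemp(prefix="wp-refs-"))
    payload = "wp-content/uploads/2024/.a1b2c3d4.ico"
    _write(root, payload, "<?php echo 'constructed payload';\n")
    _write(root, "index.php",
           "<?php\n/*e4f70*/\n"
           '@include "\\057var\\057www\\057html\\057wp-content\\057uploads\\0572024\\057.a1b2c3d4\\056ico";\n'
           "/*e4f70*/\nrequire __DIR__ . '/wp-blog-header.php';\n")
    _write(root, "wp-content/plugins/hello/cache.php",
           "<?php\nrequire_once(__DIR__ . '/../../uploads/2024/.a1b2c3d4.ico');\n")
    _write(root, "wp-blog-header.php",
           "<?php\nrequire_once __DIR__ . '/wp-load.php';\nwp();\n")
    return files_referencing(root, payload)


if __name__ == "__main__":
    for rel in run_demo():
        print("loaded by:", rel)
```

Every file the scan lists has to be cleaned (parasitic) or deleted (standalone) in the same pass as the payload itself; otherwise the loader is left pointing at a missing file and fails on the next page view. If the scan finds nothing but the file was clearly referenced somewhere (the plugin flagged a loader you could not read), keep a copy of the deleted file so you can restore it while you decode the obfuscated loader.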

Recovery and decoding of PHP obfuscated code