We will explain how to decontaminate malware using the WordPress:Malware Scan & Security plugin [Malware and Virus Detection and Removal], which was created by WordPress Doctor based on his experience with numerous malware removal requests.
IntroductionPrecautions for Normalware Removal
Malware removal requires specialized knowledge. Inadvertent cleanup of malware can result in the worst case scenario, such as a site not displaying. If you do it by yourself, please pay special attention to the following points.
1 If the malware is a parasite that lives in the original WordPress files, only the tampered parts need to be carefully removed.
2 If the file is not a legitimate WordPress file, it is unlikely to cause a problem even if you delete the file itself, but in rare cases, the tampered file may be loaded by another tampered file.
In this case, deleting the tampered file may cause an error in the caller file, and at worst, the site may not be displayed. If an error occurs, it is necessary to investigate the source file and delete the tampered file as well.
3 Database infections are often Javascript code embedded in posts or widgets. It is often possible to detoxify the malware by removing only the malware part of the content, without deleting the entire line.
Scan for malware and tampering
Install the WordPress:Malware Scan & Security plugin [Malware and Virus Detection and Removal] and click the “Start Scan Now” button.
Once malware is detected, a detection list will appear.
The detection list shows two types: pattern match and confirmed diagnosis. If malware is indicated by confirmed diagnosis, it is almost certain that the site has been defaced.
We will now explain how to get rid of the malware from this malware example.
Actual plug-ins to get rid of malware
Step 1 Check if this file is one of the files originally included in WordPress or in the plugin
Malware may be contained in the form of a parasite in a legitimate WordPress or plugin file.
If this is the case, deleting the file will likely cause problems with your site.
Most commonly, this type of malware infects wp-config.php and index.php.
This is because wp-config.php and index.php are convenient for hackers to have the malware run automatically, since it is executed every time the page is viewed.
How can I be sure that the files are legitimate?
It is possible to get a rough idea of whether a file is legitimate or not by checking the following points
If the file is not legitimate
1 No “wp-” mark
2 It does not have class-.
3 Not index.php
4 Files with meaningless random strings and .php or .ico extensions
5 File name that looks like a misspelling of a legitimate WordPress file, e.g. xmlrrpc.php
Otherwise, you can also check if a file is legitimate by actually downloading the core WordPress file or plugin and see if it is in the detected file name and path.
Step 2: Eliminate parasitic-type malware
View the file from the View Edit File button.
Malware code is obfuscated and reduced to a single unique line of code to make it difficult to detect and understand its structure, so in many cases it is easy to tell from one line of code to the next whether or not it is malware.
In the case of the above code, if you delete the @include ~ ; and press the Save Changes button, the malware will be removed.
The /*e4f70*/ part is a kind of flag for hackers to check if malware remains in the comments. You may delete it.
Be sure to understand the style of PHP code before removing it!
If you break the structure of the PHP code when removing malware, errors may appear in the file. Please understand the following points before you perform the removal process to reduce the number of accidents.
1 PHP programs are contained in <? > The PHP program is contained within the <? Please note that if you forget to close this tag or if it does not start with <?
If malware is embedded in the form <? > If the malware is embedded in the form <? >Remove the malware only from the PHP start tag <?
2 /**/ is a comment, a part of the PHP code that appears but is not executed (harmless). Sometimes malware will include multiple /**/’s in the malware code to check if they are still present, or to avoid detection.
3 The Malware Detection Plug-in only detects lines that match the malware detection pattern; other lines may also be part of the malware code. (Even if only the highlighted lines are removed, it is possible that the malware is not fully removed.)
If it is difficult to distinguish between legitimate files and malware, you may want to download the bare code from the official WordPress website and compare it to see where the malware comes from.
Step 3: Eliminate stand-alone type malware
Standalone malware that is not a legitimate WordPress or plugin/theme file can often be removed without causing any problems.
However, in some rare cases, malware files may be loaded or loaded with other malware files through include or require, which is a process specific to PHP programs.
In this case, removing the malware file may cause another malware to cause an error that may prevent the site from displaying.
In some cases, the code may be so obfuscated that it is impossible to tell if the malware contains such a process or not.