We will explain what kind of malware (programs that perform malicious behavior) can be embedded in a site when WordPress is defaced by hackers.
Characteristics of malware embedded in WordPress
Hackers who gain unauthorized access to the server through a vulnerability in an older program included in WordPress or by stealing administrative privileges embed a variety of malware in various files.
Malware code, much of it, has certain characteristics.
1 Numerous comments, Unicode characters, Base64 due to obfuscation process
Malware code is often obfuscated to prevent people from knowing what the code is doing or to prevent detection of malware.
For this reason, they often contain a large number of comments (enclosed in /*), a special notation called Unicode (slashes and numbers), and Base64 encoding (characters converted to hexadecimal numbers).
The code shown in the image below is such a case.
2 One long line
Because obfuscation software is often used to obfuscate 1, and because that software often reduces the output to a single line, files with embedded malware often contain very long single lines of code.
3 eval is included in the final process.
eval is a function in a PHP program, an instruction that interprets a string as a program and executes it. This function is rarely used in WordPress itself or in theme plugins, but in the case of malware, it is highly likely to be included in the final process to execute an obfuscated string.
4 @include
The include statement is used to load another program. This include statement is used to load the malware body from various files. It may also be an @include.
5 Meaningless string filename or $ variable
General programs are named in such a way that it is easy to understand what the file or included program is doing, with maintainability in mind.
Malware, on the other hand, is intended to keep it secret so that it cannot be recognized at a glance, so many random string file names or functions are often used in the code.
What if the site contains files that contain strings like the above?
If the above code is included in a site’s program, it is most likely malware, but even legitimate code may be obfuscated for some reason, or the way the code is written may look like malware at first glance.
For this reason, we recommend that you do not delete it immediately, but rather check if it is determined to be malware by using a plug-in that detects malware.
Free WordPress:Malware Scan & Security Plug-in [Malware and Virus Detection and Removal].