This article explains where hackers hide malware when a WordPress site has been defaced but no malware can be found.

Where is WordPress tampering hidden?

Hackers want their malware to stay active for as long as possible, so they hide it in places that are not obvious at first glance.

There are many such locations, and because a WordPress installation contains on average more than 10,000 program and other files, checking every one by eye is impractical.
However, in tampering that sends users to another site (a redirect hack), the malicious code is often written into a file that is executed on every page WordPress displays.
Files of this kind include the following.

index.php
wp-config.php
index.php of the theme
header.php of the theme
functions.php of the theme
footer.php of the theme
single.php and post.php of the theme

Find the malware body written in the include statement

If you find the following tampering in index.php or wp-config.php, this code is loading the malware body from elsewhere.

This code is obfuscated, so you cannot tell which file it refers to just by looking at it, but if you deobfuscate it on a deobfuscation site, the following string will appear.

@include("/var/www/wp-admin/aaa.jpg");

In the above case, the file aaa.jpg in the folder /var/www/wp-admin/ on the server is the malware itself.

Other malware files with suspicious names

Other malware files can be found in a wide variety of locations, but they are often given names that differ only slightly from the names of original WordPress files.

wp-login.php → wp-l0gin.pjp

Files with random meaningless strings (e.g. htyjdur6.php) are also often malware.
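The two patterns above (a malware body stored under an image extension such as aaa.jpg, and a file name one character away from a core name) can be checked with a short script. This is an added example, not code from the plugin or the original article; the core-name list, the extension list and the 0.8 similarity threshold are assumptions chosen for illustration, and a hit is a lead to review by hand, not proof of infection.

```python
import os
import sys
from difflib import SequenceMatcher

# Assumed, non-exhaustive list of WordPress file names to compare against.
CORE_NAMES = {"wp-login.php", "wp-config.php", "wp-cron.php", "wp-load.php",
              "wp-settings.php", "wp-blog-header.php", "xmlrpc.php", "index.php"}
# Assumed list of extensions that should never carry PHP code.
MEDIA_EXTS = {".jpg", ".jpeg", ".png", ".gif", ".ico"}


def is_lookalike(filename, threshold=0.8):
    """True when the name is close to, but not equal to, a core file name."""
    name = filename.lower()
    if name in CORE_NAMES:
        return False
    stem = os.path.splitext(name)[0]
    return any(
        SequenceMatcher(None, stem, os.path.splitext(core)[0]).ratio() >= threshold
        for core in CORE_NAMES
    )


def has_php_in_media(path, limit=1 << 20):
    """True when a file with a media extension contains a PHP open tag."""
    if os.path.splitext(path)[1].lower() not in MEDIA_EXTS:
        return False
    with open(path, "rb") as fh:
        return b"<?php" in fh.read(limit).lower()


def scan(root):
    """Walk a WordPress tree; return sorted (relative path, reason) findings."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for fn in files:
            full = os.path.join(dirpath, fn)
            rel = os.path.relpath(full, root)
            if has_php_in_media(full):
                findings.append((rel, "php-in-media"))
            if is_lookalike(fn):
                findings.append((rel, "lookalike-name"))
    return sorted(findings)


if __name__ == "__main__":
    # Usage: python scan.py /path/to/wordpress
    for rel, reason in scan(sys.argv[1] if len(sys.argv) > 1 else "."):
        print(f"{reason}\t{rel}")
```

Randomly named files such as htyjdur6.php are not covered here; comparing the tree against a clean copy of the same WordPress version catches those more reliably than a name heuristic.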

Reference
File names commonly seen in WordPress malware these days

The malware detection and inspection plugin developed by WordPress Doctor can also easily scan your site for hidden tampering in bulk.
[Free] WordPress:Malware Scan & Security Plug-in [Malware and Virus Detection and Removal].