Here are some characteristics of malware files that can infect WordPress. If such a file is found on the server, it is most likely malware.
Random file names or file names that are slightly different from the core WordPress files
Some malware files infecting WordPress are embedded in legitimate files, while others exist on their own.
In the case of malware that exists by itself, it is often installed as a file with the following random string of characters that is not originally in the legitimate WordPress or plugin files.
hfyrju.php .7tyuguijs789.ico
They are also sometimes installed with slightly different file names from those included in WordPress to avoid detection.
wp-conflg.php ← The original file name is wp-config.php wp-signin.php ← original file name is wp-signup.php
Obfuscated
Obfuscation is a method of making PHP and Javascript source code difficult for humans to read so that they cannot quickly see what they are doing.
More than 99% of malware files are subjected to this process. (Some themes and plug-ins are obfuscated for security reasons or because they are licensed programs, so obfuscation does not necessarily mean they are malware.)
However, if the malware is of the type that parasitizes legitimate WordPress core files and is obfuscated, the possibility of infection is very high. (This is because WordPress core files do not contain obfuscated programs.)
Examples of obfuscated malware code
*Obfuscated program files may be unobfuscated with https://php-decoder.site/.
Contains the string base64,eval
The most common functions used in malware are the saw base64 and eval functions. base64 is often used for the obfuscation process described above, and eval is a function that executes text as a program, so it is often used to actually execute the strings in the obfuscated program.
If a program contains one or more of these two strings, it is highly suspected to be malware.
include statement that reads the file with the full path in one line
In this case, the malware would look like the following
@include("/var/www/...... /.da6t6gufjid79as.ico")
This string may be obfuscated. In general, WordPress is designed to work on all servers, so such a full-path include (read statement) is never included in the program. Therefore, if code containing the full path is found on the server, a malware infection is suspected.
Loading of external scripts that you do not remember being included in header.php or footer.php
Since header.php and footer.php included in the theme are loaded on every page of the WordPress site, they are often used to plant malicious code for redirect hacks that force users who access your site to an unauthorized site.
If your theme’s header.php or footer.php is loaded with external scripts that you do not recognize, it is possible that it has been tampered with and the malicious Javascript code has been embedded.
The above malware can be scanned for malware in the server at once with the plugin
Free] WordPress:Malware Scan & Security Plug-in [Malware and Virus Detection and Removal].
You can use this plugin to scan your server for malware. Please try it.
