This section explains what to do if you do not know where the malware is located on an infected site, or if you cannot find it.

I have symptoms of malware, but I don’t know or can’t find where the site has been tampered with.

When WordPress is tampered with and malware is embedded, the following symptoms often occur.

  • When you visit the site, you are redirected to a different sweepstakes site, a fake login page, or a fake software distribution site.
  • When you click on a link, you are redirected to a different site.
  • Virus detection software indicates that the site is infected.
  • When you visit the site from a smartphone or from Google search results, you are redirected to another site without your permission.
  • You cannot log in to the administration screen, or you cannot access some of the administration pages even after logging in.
  • Unnecessary advertisements are embedded in the page, or links that you do not remember adding are inserted in the page.

However, hackers may cleverly hide the malware itself, and it can be very difficult to find the source of these symptoms (that is, where in the HTML or the WordPress PHP code it is located).
Here is how to deal with these cases.

Solution 1: Search for malware by using malware scanning plug-ins.

Check for malware mechanically with a plugin that inspects the site's code from the inside.

[Free] WordPress:Malware Scan & Security Plugin [Malware and Virus Detection and Removal].

The free version of the above plugin can detect malware embedded in files and databases up to the point of plugin installation on WordPress. (To keep your malware detection patterns up-to-date, you need to purchase the paid version.)

However, since malware is constantly evolving to avoid pattern detection, the plugin alone may not be able to detect all of it.

Solution 2: Update

Updating WordPress and plug-ins replaces their files with legitimate copies, which may overwrite malware that has been injected into legitimate files.

We also recommend that you update to a version that closes the vulnerability that allowed the malware to enter the system.

However, updating will not eliminate malware that exists independently of legitimate files or malware in configuration files (files that are not replaced by updates).

Solution 3: Visual inspection of susceptible files

Visually inspecting the files in which WordPress malware is commonly embedded is also an effective way to clean the site.
When hackers tamper with WordPress, they most often target the group of files that are executed whenever WordPress runs.

Examples:

wp-config.php
index.php
.htaccess
wp-blog-header.php
functions.php in the theme
header.php and footer.php in the theme
single.php in the theme
.js (JavaScript) files included in the theme

and so on. Download these files via FTP, open them in a text editor, inspect them visually, and remove any malicious code you find.
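
The following Python script is an added example, not part of the original article or of any plugin it mentions. It collects the files listed above from a WordPress directory and returns the lines worth reading first during the visual inspection; the patterns, the 1000-character threshold and the wp-content/themes layout are assumptions of this example, and the site tree in demo() is constructed sample data.

```python
import re
import tempfile
from pathlib import Path

# File names from the list above; themes are assumed under wp-content/themes/<name>/.
CORE_FILES = ["wp-config.php", "index.php", ".htaccess", "wp-blog-header.php"]
THEME_FILES = ["functions.php", "header.php", "footer.php", "single.php"]

# Heuristics chosen for this example (assumptions, not a complete signature set).
PATTERNS = {
    "eval call": re.compile(r"\beval\s*\(", re.I),
    "payload decoder": re.compile(r"\b(base64_decode|gzinflate|gzuncompress|str_rot13)\s*\(", re.I),
    "redirect conditioned on referer/user agent": re.compile(r"RewriteCond\s+%\{HTTP_(REFERER|USER_AGENT)\}", re.I),
    "string built from character codes": re.compile(r"String\.fromCharCode", re.I),
}

def candidate_files(wp_root):
    root = Path(wp_root)
    files = [root / name for name in CORE_FILES]
    for theme in sorted(p for p in (root / "wp-content" / "themes").glob("*") if p.is_dir()):
        files += [theme / name for name in THEME_FILES]
        files += sorted(theme.rglob("*.js"))
    return [f for f in files if f.is_file()]

def review_list(wp_root):
    """Return (relative path, line number, reason) for lines to read first."""
    findings = []
    for path in candidate_files(wp_root):
        rel = path.relative_to(wp_root).as_posix()
        text = path.read_text(encoding="utf-8", errors="replace")
        for number, line in enumerate(text.splitlines(), 1):
            reasons = [name for name, rx in PATTERNS.items() if rx.search(line)]
            if len(line) > 1000:  # packed or padded code often sits on one very long line
                reasons.append("very long line")
            findings += [(rel, number, reason) for reason in reasons]
    return findings

def demo():
    """Run the check on a constructed site tree (sample data, not real malware)."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        theme = root / "wp-content" / "themes" / "sample"
        theme.mkdir(parents=True)
        (root / ".htaccess").write_text("RewriteEngine On\nRewriteCond %{HTTP_REFERER} google [NC]\n")
        (theme / "functions.php").write_text("<?php\n// theme setup\n@eval(base64_decode($packed));\n")
        (theme / "footer.php").write_text("<?php wp_footer(); ?>" + " " * 1200 + "<?php /* padded */ ?>\n")
        return review_list(root)

if __name__ == "__main__":
    print(*(":".join(map(str, f)) for f in demo()), sep="\n")
```

A flagged line is only a place to start reading; legitimate themes and plugins can match these patterns, and a file with no matches can still contain malicious code.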

Solution 4: Check for malware infection on other sites on the server.


Much of today’s malware reads the structure of all files on the server and spreads the infection to the folders of other domains hosted on the same server.

If the malware resurfaces soon after the infection has been removed, it is possible that the malware (backdoor) described above has been installed on another site.
In such cases, we recommend that you apply Solutions 1-3 to all sites.

Solution 5: Consult an Experienced Expert

We recommend that you get professional help to get rid of WordPress malware.