Why restoring from a backup is dangerous after WordPress has been tampered with

Why does reinfection keep happening after restoring a site from a backup?

Restoring a defaced WordPress site from a backup may temporarily bring the site back and make it appear that the malware symptoms have disappeared, yet the site is often reinfected afterwards.
This section explains the causes and countermeasures.

1 Malware has not disappeared

If a backdoor file (a file that serves as an entry point for hackers) already existed at the time the backup was taken, that file is restored along with everything else.
The hacker can then repeat the tampering via that file.
Also, if files are restored by overwriting them from a backup, malware of the type that infects legitimate files is removed, but malware that exists as a standalone file remains on the server as is.

Countermeasure: When restoring from a backup, carefully examine whether the site was already infected with malware at the time the backup was taken.
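One way to carry out this examination before restoring, as an added example that is not part of the original page or of WP Doctor's plugin: it lists script files under `wp-content/uploads` and core files that differ from a clean copy. It assumes the backup has been unpacked into a staging directory and that a clean copy of the same WordPress release is available; the function names and both paths are hypothetical.

```sh
#!/bin/sh
# Added example: audit an EXTRACTED backup in a staging directory before restoring.
# Assumptions: $1 = extracted backup root, $2 = clean copy of the SAME WordPress
# release unpacked from the official archive. Names and paths are hypothetical.

# wp-content/uploads is meant for media; script files there are a common
# backdoor location, so list every script-like file found in it.
php_in_uploads() {
    ( cd "$1" 2>/dev/null && find wp-content/uploads -type f \
        \( -iname '*.php' -o -iname '*.phtml' -o -iname '*.phar' \) 2>/dev/null ) | sort
}

# Compare core directories and root-level PHP files against the clean copy.
# EXTRA = file the clean copy does not contain; MODIFIED = content differs.
# wp-config.php is site-specific and therefore skipped here.
core_mismatches() {
    ( cd "$1" 2>/dev/null || exit 0
      find wp-admin wp-includes -type f 2>/dev/null || true
      find . -maxdepth 1 -type f -name '*.php' ! -name 'wp-config.php' | sed 's|^\./||'
    ) | sort | while IFS= read -r f; do
        if [ ! -f "$2/$f" ]; then
            echo "EXTRA $f"
        elif ! cmp -s "$1/$f" "$2/$f"; then
            echo "MODIFIED $f"
        fi
    done
}

# Print all findings; return 1 if the backup should not be restored as-is.
audit_backup() {
    findings=$(php_in_uploads "$1" | sed 's/^/UPLOADS-SCRIPT /'
               core_mismatches "$1" "$2")
    if [ -n "$findings" ]; then
        printf '%s\n' "$findings"
        return 1
    fi
    return 0
}

# Usage: sh audit_backup.sh /path/to/extracted-backup /path/to/clean-wordpress
if [ "$#" -eq 2 ]; then audit_backup "$1" "$2"; fi
```

A clean result covers only core files and the uploads folder; plugins, themes, `wp-config.php` and the database still need their own review.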

2 The login password has fallen into the hands of a hacker or an unauthorized user has been registered.

If a hacker already knows the login password for the site, or if an unauthorized user has been registered on the site, the hacker can log in to the administration panel and continue to alter files on the server, install backdoors, add unauthorized plug-ins, and so on.

Countermeasure: Changing the password for administrative privileges and removing unauthorized users are effective countermeasures.

3 A server process is infected with malware

If a server process is infected with malware (that is, the malware is not a file but keeps running in memory), it is not erased even if the site is restored from a backup.

Countermeasure: Investigate whether any malware is still running as a server process, and stop the malicious process if one exists.

Related articles:
- How to stop and detect malware residing in a process in WordPress
- How to check if malware is deployed in a process (memory) on a WordPress site

4 Vulnerabilities can also be restored

Restoring a site from a backup can restore the vulnerabilities in the site that allowed the hacker to get into the site in the first place.

If you restore from a backup, we recommend that you also take measures to plug the vulnerabilities, such as updating plugins and WordPress itself.

5 The site has been reinfected via another site on the server.

Much malware nowadays spreads via other sites on the same server (sites that share the root folder), going beyond the site folder of each domain.

For this reason, it is advisable to perform malware scanning and vulnerability countermeasures on all sites on the server, not just those that are showing symptoms of malware.

We hope you will take advantage of this free plugin developed by WP Doctor, which allows you to perform malware scanning and vulnerability scanning.
[Free] WordPress: Malware Scan & Security Plug-in [Malware and Virus Detection and Removal]
