This article explains how to identify and deal with three causes of WordPress malware that resurfaces some time after it has been removed: malicious processes, mu-plugins, and hidden administrators.

What are the rogue processes that cause malware to resurface, and how do you deal with them?
Once a hacker has gotten into your site via a vulnerability, the hacker may have planted a malicious process that keeps executing code in the server’s memory and reinfects the site indefinitely.
This rogue process is the cause of repeated reinfections.
The rogue process can be found and stopped by executing the following commands on the server.
Investigating the rogue process:
ps auwwx | grep -v grep | grep -i php
Stopping a rogue process (the process ID is the number in the second column of the ps output):
kill -9 <process ID (number)>
The free plugin WordPress: Malware Scan & Security Plugin [Malware and Virus Detection and Removal] allows you to investigate and stop unauthorized processes from the WordPress administration screen.


Causes of Malware Resurrection 2: mu-plugins
mu-plugins are programs that are always executed at the very start when WordPress runs. They do not appear in the admin panel, so a hacker may have installed a malicious program on your server as a mu-plugin. (mu-plugins is not used in early WordPress.)
The site is then reinfected with malware via this rogue mu-plugin.
To check for the presence of rogue mu-plugins, connect to the server with FTP software and visually inspect the mu-plugins folder in the wp-content folder for the presence of rogue programs.
It is also possible to use a plugin that performs a comprehensive malware scan to inspect the mu-plugins folder and remove the malware.
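The folder check described above can also be done from a shell when SSH access is available. The following is an added example, not part of the original article; the WordPress root argument, the allow-list file and the sample file names are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example, not from the original article. Assumptions: the WordPress
# root is passed as the first argument and the allow-list file holds one
# expected path per line, relative to wp-content/mu-plugins.

# List every file under mu-plugins (dotfiles and subfolders included), sorted.
list_mu_plugins() {
    mu_dir="$1/wp-content/mu-plugins"
    [ -d "$mu_dir" ] || return 0          # no folder means nothing is loaded from it
    (cd "$mu_dir" && find . -type f | sed 's|^\./||' | LC_ALL=C sort)
}

# Print files that exist on disk but are missing from the allow-list.
unexpected_mu_plugins() {
    list_mu_plugins "$1" | grep -Fxv -f "$2" || true
}

# Print files modified within the last N days (N is the second argument).
recent_mu_plugins() {
    mu_dir="$1/wp-content/mu-plugins"
    [ -d "$mu_dir" ] || return 0
    (cd "$mu_dir" && find . -type f -mtime "-$2" | sed 's|^\./||' | LC_ALL=C sort)
}

# Build a constructed sample site so the script runs offline.
make_sample_site() {
    mkdir -p "$1/wp-content/mu-plugins/lib"
    echo '<?php // expected' > "$1/wp-content/mu-plugins/site-cache.php"
    echo '<?php // unknown'  > "$1/wp-content/mu-plugins/.session.php"
    echo '<?php // unknown'  > "$1/wp-content/mu-plugins/lib/loader.php"
    touch -t 202001010000 "$1/wp-content/mu-plugins/site-cache.php"  # old mtime
    echo 'site-cache.php' > "$1/allow.txt"
}

demo_root=$(mktemp -d)
make_sample_site "$demo_root"
echo "Not in allow-list:";       unexpected_mu_plugins "$demo_root" "$demo_root/allow.txt"
echo "Modified in last 7 days:"; recent_mu_plugins "$demo_root" 7
rm -rf "$demo_root"
```

Any file reported by either function should be opened and reviewed before it is deleted, since some hosting providers install their own mu-plugins.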
Causes of Malware Resurrection 3: Hidden Administrators
Hackers may know the password of an administrator account, or may have added an unauthorized administrator user, and use it to log in to WordPress as an administrator and reinfect the site with malware.
In this case, log in to WordPress and go to Users > User List to see if an unidentified administrator user has been added.
If there is an administrator user that you do not recognize, either change the password of that user to disable login, or delete that user (we recommend that you back up your database before deleting the user).
We also recommend that you change the administrator’s password, as hackers may have the existing administrator’s password.
We recommend that the password be a random string of at least 12 single-byte alphanumeric characters.
We hope this helps.



