How to Scan and Remove Malware from Wordpress?

19 replies
My WordPress sites keep getting malware. I uninstall WP, do a fresh install, and a couple of days later the malware comes back. This may be related to installed plugins or themes.

I have tried a few of the anti-malware WP plugins like Wordfence and Bruce Force but they have proven useless. They don't even see the malware identified by Norton and Sucuri scan.

?
#malware #remove #scan #wordpress
  • Profile picture of the author Jeff Burritt
    Banned
    Log in to your control panel and go to the file manager. Then go to wp-content and find your header.php file. If you see some funny code in there, delete it. You might see a lot of weird long strings of random characters and a URL. That's a big clue. You can paste some of that code snippet into Google and usually it will come up as malware.
  • Profile picture of the author Dan Riffle
    You said "sites" plural, so there's probably an ongoing infection somewhere you're not looking, maybe at root level.

    Have you scanned your computer?

    How are you doing fresh installs? Where are you getting the install? Could it be infected?

    Also, contact your webhost and ask them to take a look. The entire server could be infected.
  • Profile picture of the author hardworker2013
    Normally your web hosting service should scan all files uploaded to your website automatically, or you can do it manually from cPanel. Recently my hosting automatically blocked a WP plugin I was uploading for containing malware. So it depends on the quality of the hosting service you are using.
    • Profile picture of the author nofearman
      Hostgator doesn't do any malware scanning or protection. They refer you to Sitelock, who quoted me $300 to remove malware from ONE WP site....
      • Profile picture of the author John Hocking
        You might try this plugin
        https://wordpress.org/plugins/gotmls/

        I left host gator because I kept getting malware from other site on the shared server
        • Profile picture of the author nuliknol
          Originally Posted by John Hocking View Post

          You might try this plugin
          https://wordpress.org/plugins/gotmls/

          I left host gator because I kept getting malware from other site on the shared server
          And what hosting provider do you use? (if it is not secret, of course)
      • Originally Posted by nofearman View Post

        Hostgator doesn't do any malware scanning or protection. They refer you to Sitelock, who quoted me $300 to remove malware from ONE WP site....
        Yeah, I got the same quote from SiteLock. I refuse to pay that kind of "ransom".
      • Profile picture of the author nuliknol
        Originally Posted by nofearman View Post

        Hostgator doesn't do any malware scanning or protection. They refer you to Sitelock, who quoted me $300 to remove malware from ONE WP site....
        Malware in WP??? Hosting with Hostgator is PHP, what malware???
        Sorry, I have 25 years in the computing industry developing software, and I don't get it: what malware can exist in PHP scripts??? This is not possible. Or are you talking about the files that are being uploaded? Well, anyone can upload anything, but that would not affect your site. PHP isn't going to be infected if the files have malware.

        Please give more details, I don't understand.
        • Profile picture of the author HostStage
          Originally Posted by nuliknol View Post

          Malware in WP??? Hosting with Hostgator is PHP, what malware???
          Sorry, I have 25 years in the computing industry developing software, and I don't get it: what malware can exist in PHP scripts??? This is not possible. Or are you talking about the files that are being uploaded? Well, anyone can upload anything, but that would not affect your site. PHP isn't going to be infected if the files have malware.

          Please give more details, I don't understand.
          There is a lot of PHP-based malware targeting the most popular CMSs.
          It generally comes from a nulled plugin or a nulled theme that includes a backdoor.
          Generally, it involves mail spam, but it can also rewrite some content or insert cloaked links.
          Some systems can detect some corrupted plugins, but it can also get through.
          It isn't coming from the web hosting provider but more likely from a corrupt WP installation. We too have on-the-fly scans, daily malware detection and some tight server-side security rules, but sometimes the malware still gets through.

          Here is a guide to secure your WP websites :

          HostStage - Knowledgebase - How to secure your wordpress based website
          • Profile picture of the author nuliknol
            Originally Posted by HostStage View Post

            There is a lot of PHP-based malware targeting the most popular CMSs.
            It generally comes from a nulled plugin or a nulled theme that includes a backdoor.
            Generally, it involves mail spam, but it can also rewrite some content or insert cloaked links.
            Some systems can detect some corrupted plugins, but it can also get through.
            It isn't coming from the web hosting provider but more likely from a corrupt WP installation. We too have on-the-fly scans, daily malware detection and some tight server-side security rules, but sometimes the malware still gets through.

            Here is a guide to secure your WP websites :

            HostStage - Knowledgebase - How to secure your wordpress based website
            thanks!
            Actually this triggered my attention, and I have subscribed to the security advisory for WordPress. I did not believe what I saw. I am getting one vulnerability notification every two days!!! Sometimes they come twice a day!! I have not seen a software package more insecure, but I know what is happening. It is not because it is corrupt or it is some other exception. No, it is a rule. The problem is not with WordPress itself, but with the plugins. The plugins are written by people who have very little knowledge about security. Plus, they have bugs. This is a paradise for hackers. Let me tell you how they work. A hacker (a good hacker of course, not a script kiddie) will dedicate a lot of his time to looking for vulnerabilities. They download the source code and they look for bugs. But they just don't report it, they exploit it or sell it. A vulnerability that affects lots of systems can be sold for up to 100k. They also share it in private hacker groups where you can get in only if you pay a 5-figure membership. Compromised servers are then sold for a small fee to novice hackers, traffic redirection services or DDoS. Many hackers use (cracked) commercial tools to find bugs and vulnerabilities, and many of them have their own bug scanners which even commercial tools do not cover. Expert hackers also look for processor bugs, the bugs that are present in hardware, to exploit them as DoS (denial of service). A guy in Britain discovered a backdoor in an FPGA integrated circuit, imagine that!
            This is how this business works, and if you are a user of WordPress, you should really get into the "other" side to see why are you all getting hacked and how.

            The original poster of this thread is probably suffering from this vulnerability:
            "Backup Guard <= 1.0.2 - Arbitrary File Upload"
            which arrived to my mailbox today. It allows uploading any file and then you can take the server with user_id of php and do whatever you like, probably install a daemon using exec() , and who knows what else.

            So, what can you do about it?
            - Remove all the plugins and run WordPress as it comes originally "from factory". The chance that you will be hacked is low. Upload the files yourself and post them manually. Subscribe to vulnerability notification.
            - Subscribe to the vulnerability notification and after that, reinstall WordPress and all plugins you have installed. But you still have a high probability of being hacked, since most plugins are not written by security experts or checked for bugs extensively.
            - Find an alternative to WordPress, explore its vulnerability list and, if it is smaller than WordPress's, migrate. Vulnerabilities are not a rule; it is possible to write a software package that has 0 vulnerabilities, and an example of this is the QMail server. It will soon be 20 years in use and it has had no vulnerability registered, only a few race conditions which are very difficult to create.

            Good luck
  • Profile picture of the author nuliknol
    Originally Posted by nofearman View Post

    My WordPress sites keep getting malware. I uninstall WP, do a fresh install, and a couple of days later the malware comes back. This may be related to installed plugins or themes.

    I have tried a few of the anti-malware WP plugins like Wordfence and Bruce Force but they have proven useless. They don't even see the malware identified by Norton and Sucuri scan.

    ?
    Is this a common trend of getting WP hacked? I have seen 2 messages today about this, I hope this is not the same user asking ...
  • Profile picture of the author HostStage
    I left host gator because I kept getting malware from other site on the shared server
    That is also possible but it means that the server is heavily corrupted to its core.
    One of our users experienced this situation on a VPS, and after a thorough investigation the problem turned out to come from his own computer, which had a virus scanning for the FileZilla XML file that includes all the passwords. The virus picked up the root password of his VPS and injected some malicious encrypted (self-replicating) code into all his index.php files (including phpMyAdmin and cPanel-based indexes).
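
The checks several posts in this thread describe (long random-looking strings in theme files, the same injected code copied into many index.php files, and uploaded files that run as PHP) can be scripted. The following is an added Python example, not code from any poster, plugin or host; the patterns, tag names, directory layout and sample files are assumptions constructed for illustration.

```python
import base64
import re
import tempfile
from pathlib import Path

PHP_EXT = {".php", ".phtml", ".php5", ".phar"}
LONG_BLOB = re.compile(r"[A-Za-z0-9+/=]{200,}")  # "long strings of random characters"
DECODE_EXEC = re.compile(  # decoder output fed straight to eval/assert
    r"\b(?:eval|assert)\s*\(\s*(?:base64_decode|gzinflate|str_rot13)\s*\(", re.I)


def scan_tree(root):
    """Map relative path -> reasons for manual review (triage hints, not proof)."""
    root, findings, blob_owners = Path(root), {}, {}
    for path in sorted(root.rglob("*")):
        if not path.is_file() or path.suffix.lower() not in PHP_EXT:
            continue
        rel = path.relative_to(root).as_posix()
        text = path.read_text(errors="replace")
        if rel.startswith("wp-content/uploads/"):
            findings.setdefault(rel, set()).add("php-in-uploads")  # media dir only
        if DECODE_EXEC.search(text):
            findings.setdefault(rel, set()).add("decode-then-execute")
        for blob in LONG_BLOB.findall(text):
            blob_owners.setdefault(blob, set()).add(rel)
    for owners in blob_owners.values():
        # One blob present in several files points to a single copied injection.
        tag = "encoded-blob" if len(owners) == 1 else f"blob-in-{len(owners)}-files"
        for rel in owners:
            findings.setdefault(rel, set()).add(tag)
    return {rel: sorted(tags) for rel, tags in sorted(findings.items())}


def build_sample_site(root):
    """Write a CONSTRUCTED site tree; the encoded 'payload' is inert placeholder text."""
    blob = base64.b64encode(b"constructed placeholder, not real malware " * 8).decode()
    injected = f'<?php eval(base64_decode("{blob}")); ?>\n<?php get_header(); ?>\n'
    files = {
        "index.php": injected,
        "wp-content/themes/demo/index.php": injected,
        "wp-content/themes/demo/header.php": "<?php wp_head(); ?>\n",
        "wp-content/uploads/2016/05/cache.php": "<?php echo 'constructed'; ?>\n",
        "wp-content/uploads/2016/05/photo.jpg": "placeholder, not a real image\n",
    }
    for rel, body in files.items():
        target = Path(root, rel)
        target.parent.mkdir(parents=True, exist_ok=True)
        target.write_text(body)


def demo():
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_site(tmp)
        return scan_tree(tmp)
```

Calling `scan_tree()` on a downloaded copy of a site lists files to open and read by hand; a clean result does not show the site is clean, since these three heuristics only cover the symptoms mentioned in this thread.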
  • Profile picture of the author vishwa
    You can use plugins like Wordfence, All in one security for scanning your WordPress sites for malware and viruses. You can also ask your hosting provider and make sure that you have checked your files, themes and plugins which are vulnerable to infection.
    • Profile picture of the author CurtisSWN
      I have had the very same issue. I have had sites with Hostgator for 15 years and hardly ever a problem.

      Suddenly my sites are getting blacklisted because of malware. I implement All in One WP security and it makes no difference at all.

      However FOR A FEE Hostgator in association with SiteLock will clean the site. Call me suspicious but I find that all too convenient to be just coincidence. Feels like HG has become the equivalent of the Mafia, making me pay for "protection money"

      I'm probably going to go over to WP Engine hosting very soon.

      Anyone else with the same problem?
      • Originally Posted by CurtisSWN View Post

        I have had the very same issue. I have had sites with Hostgator for 15 years and hardly ever a problem.

        Suddenly my sites are getting blacklisted because of malware. I implement All in One WP security and it makes no difference at all.

        However FOR A FEE Hostgator in association with SiteLock will clean the site. Call me suspicious but I find that all too convenient to be just coincidence. Feels like HG has become the equivalent of the Mafia, making me pay for "protection money"

        I'm probably going to go over to WP Engine hosting very soon.

        Anyone else with the same problem?
        I hear ya on that one. I find it just a little too coincidental that since HG doesn't do site scans that they've let this company from Phoenix to do their "dirty work". I feel the same exact way ... I hate feeling like they're holding a gun to my head & they're saying, "Go ahead ... pull the trigger!". It's like we're playing a game of Russian Roulette!
      • Profile picture of the author ijohnson
        Having the same issue ... all of a sudden, 5 or more of my sites are hit with malware when I've only had a problem with one or two sites over the past several years. Then I receive a call from SiteLock and numerous emails about "cleaning" my sites for an astronomical fee!!!!

        I contacted HostGator tonight and got absolutely no assistance. They referred me to SiteLock. I spent over two hours on the Live Chat session and got absolutely nothing resolved. Got a few snarky remarks, though, from the initial responder and the Service Admin I requested to speak with! They claim everything was done as a "courtesy" ... malware scanning and backups. And stated that they have to feed their families! Well, so do I!!!!!

        I am hotter than fish grease right now!!!!!!!!!!!! They are all driven by GREED!!!! We are getting fewer and fewer services for the same or more money. They hide behind their Terms of Services that they change constantly to suit their needs and for their benefit.

        It really frustrates me when they try to claim, "It's in our TOS!" Yeah, NOW it is but it wasn't a part of it when I had this issue a year or two ago.

        In addition to the malware issue on my sites, they told me that they haven't done any "courtesy backups" because I had exceeded my quota due to the bloated files! Well, I'll be damned! And nobody felt it was necessary to notify me of that fact?!?!? I guess they don't put that requirement in their TOS?!?!?

        I've been with HostGator for over 10 years and never felt so unappreciated and devalued as a customer. I'm ready to move on to a new hosting service. But first I need to find a solution to clean this crap off my sites ASAP!

        I also feel that there's some under-handed dealing going on with our sites with SiteLock at the root of it all and HostGator holding the door open for 'em. Just pisses me off.

        I will try one of the solutions shared in this thread to clean the malware and malicious viruses off my sites. I wish there was a way to know for sure if the malware is originating from my PC.

        What malware/anti-virus software do you recommend for this type of job, other than MalwareBytes and Avast???

        Thanks!


        Originally Posted by CurtisSWN View Post

        I have had the very same issue. I have had sites with Hostgator for 15 years and hardly ever a problem.

        Suddenly my sites are getting blacklisted because of malware. I implement All in One WP security and it makes no difference at all.

        However FOR A FEE Hostgator in association with SiteLock will clean the site. Call me suspicious but I find that all too convenient to be just coincidence. Feels like HG has become the equivalent of the Mafia, making me pay for "protection money"

        I'm probably going to go over to WP Engine hosting very soon.

        Anyone else with the same problem?
  • Profile picture of the author mycleanhouse
    Did you try Sucuri? They will give you free results after a malware scan on your site.
  • Profile picture of the author Nexstair
    Plugins may not do the trick. You need to contact your hosting server provider to get it fixed "properly", or restore a backup and change all passwords.
  • Profile picture of the author Zachary S
    No plugins can help you in this case.

    Speaking about Wordfence, they have a specialized team that cleans and fixes hacked websites and for $150 they'll clean and make sure your website is completely free of malware, also on top of that they'll add in a one year premium subscription key for Wordfence plugin. For more info..

    https://www.wordfence.com/wordfence-site-cleanings/

    Before you make a payment you need to contact them and explain your situation.

    Also in RARE OCCASIONS your local PC might be infected and thus being the cause of it all, in that case you can see this article here for help on Malware Removal: https://www.mrguidee.com/scanning-yo...moving-malware

    Even if it's not your local PC causing your website to be infected, it might be a good idea to scan it and check for any malware before you attempt fixing anything else.

    Good luck!