How to Remove WordPress Viruses


JavaScript Injection Viruses

A few months ago I noticed that a lot of my WordPress websites were “flaking out”. When I would go to the public interface or the admin interface, I couldn’t reach it; or there was a bizarre message stating something like:

“Cannot modify header information - headers already sent by (output started at /path/blog/wp-config.php:34) in /path/blog/wp-login.php on line 42”

I couldn’t understand how anything could have changed when I manually performed my own updates and only I was allowed to upload the sites.

So, I decided to back up all of my WordPress sites (and we are talking about 34 different sites). To perform this backup, I connected to my primary server and FTP'd the contents down to a backup folder on my computer. Almost immediately my antivirus popped up stating that there were viruses in the files. I was baffled. I had never heard of a website getting corrupted with viruses, especially when it has no input method.

I discovered a little string of javascript code within hundreds of PHP files. Many of the PHP files I never even uploaded to the sites. The code was typically something like (only much longer):

SwzMywzMyxfMHg0NDcwWzNdW18weDQ0NzBbMl1dKF8weDQ0NzBbMV0pLDAse30pKTs

These are called “JavaScript Injection Code Viruses”. There are known POST commands within a lot of frameworks (such as WordPress and Joomla) that allow a person to upload a file to a server simply by posting to it. They upload that initial file and then query it, which allows them to access some or all of the site file structure, opening a massive hole.


Why Are People Doing This?

Typically the reason is simple: money. The hacker really doesn’t care about your site, nor are they trying to be malicious to you personally; they just want to use your server’s resources. Sometimes they are using it to process commands from their own websites, sometimes they are trying to steal processing and memory power, and sometimes they simply want a space to store files that they would rather you get caught with instead of themselves.


The fact is there are over 74 million WordPress websites out there and that’s a lot of power that potential hackers can scrape.

How to Remove WordPress Viruses

There are a few options when it comes to removal.

TOOLS
There are tools out there (plugins) that you can install that do a very good job of not only removing infections but also preventing them from happening in the future. Two I have personally used are Wordfence and NinjaFirewall. They both have a free version that will help you clean your site and keep it that way, but the paid version adds a lot more functionality.

DIY
Although I like the tools out there, I tend to be a little hard-headed at times and like to know 100% that everything was truly removed. So for most of my sites, as time-consuming as it was, I did the following:

  • I replaced all of the core WordPress files (it’s very important you make sure you’re replacing them with the same version that you have installed)
  • I looked through every directory and sub-directory for files that didn’t make sense (like upload.php in an upload folder when you don’t need that there). This is a little trickier because knowing what should be there and what shouldn’t comes from experience. It’s worth noting that most of the time there should be NO PHP or HTML files in any of the upload folders, as uploads are typically just pictures, videos, and documents. If you’re unsure whether a file is malicious, open it in a text editor and see if the nasty little JS injection code (mentioned above) is in the file.
  • Once I was sure I had removed everything that was malicious, I ran a virus scan on the entire site to be safe and finally uploaded it back where it belonged.
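
The manual review in the second step can be narrowed down with a small script. The following is an added example, not code from this article or from any plugin: it walks a downloaded copy of a site and lists PHP/HTML files under the uploads folder plus script files that contain a long unbroken encoded string like the one shown earlier. The function names, the extension lists, the `wp-content/uploads` default and the 200-character threshold are assumptions, and the demo tree is constructed sample data.

```python
import base64
import re
import tempfile
from pathlib import Path

# Assumed values, not from the article: extension lists and 200-char threshold.
SCRIPT_EXTS = {".php", ".phtml", ".html", ".htm"}  # unexpected under uploads
SCANNED_EXTS = SCRIPT_EXTS | {".js"}               # searched for encoded runs
ENCODED_RUN = re.compile(rb"[A-Za-z0-9+/]{200,}")


def scan_site(root, uploads_rel="wp-content/uploads"):
    """Return (relative_path, reason) pairs to review by hand; deletes nothing."""
    root = Path(root).resolve()
    uploads = root / uploads_rel
    findings = []
    for path in sorted(p for p in root.rglob("*") if p.is_file()):
        rel = path.relative_to(root).as_posix()
        ext = path.suffix.lower()
        if uploads in path.parents and ext in SCRIPT_EXTS:
            findings.append((rel, "script file inside uploads"))
        if ext in SCANNED_EXTS:
            match = ENCODED_RUN.search(path.read_bytes())
            if match:
                findings.append((rel, f"long encoded run ({len(match.group())} chars)"))
    return findings


def build_demo_site(root):
    """Write a constructed sample tree; the blob is encoded harmless text."""
    blob = base64.b64encode(b"constructed sample, not malware. " * 12).decode()
    samples = {
        "wp-config.php": "<?php\n// clean constructed file\n",
        "wp-login.php": "<?php\n$x = '" + blob + "'; // constructed\n",
        "wp-content/uploads/2015/photo.jpg": "placeholder image bytes",
        "wp-content/uploads/2015/upload.php": "<?php // should not be here\n",
    }
    for rel, text in samples.items():
        path = Path(root, rel)
        path.parent.mkdir(parents=True, exist_ok=True)
        path.write_text(text)


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as demo:
        build_demo_site(demo)
        for rel, reason in scan_site(demo):
            print(f"{rel}: {reason}")
```

Every hit is a candidate for the manual check described above, not a verdict: some themes and plugins legitimately embed long encoded strings such as inline images.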