A few months ago I noticed that a lot of my WordPress websites were “flaking out”. When I would go to the public interface or the admin interface, I couldn’t reach it; or there was a bizarre message stating something like:
“Cannot modify header information - headers already sent by (output started at /path/blog/wp-config.php:34) in /path/blog/wp-login.php on line 42”
I couldn’t understand how anything could have changed when I manually performed my own updates and only I was allowed to upload the sites.
So, I decided to back up all of my WordPress sites (and we are talking about 34 different sites). To perform this backup, I connected to my primary server and FTPed the contents down to a backup folder on my computer. Almost immediately my antivirus popped up stating that there were viruses in the files. I was baffled. I had never heard of a website getting corrupted with viruses, especially when it has no input method.
Why Are People Doing This?
Typically the reason is simple: money. The hacker really doesn’t care about your site, nor are they trying to be malicious to you personally; they just want to use your server’s resources. Sometimes they use it to process commands from their own websites, sometimes they are after its processing power and memory, and sometimes they simply want a place to store files that they would rather you get caught with instead of themselves.
The fact is there are over 74 million WordPress websites out there, and that is a lot of computing power for potential hackers to harvest.
How to Remove WordPress Viruses
There are a few options when it comes to removal.
There are tools out there (plugins) that you can install that do a very good job of not only removing malware but also preventing reinfection in the future. Two I have personally used are WordFence and NinjaFirewall. They both have a free version that will help you clean your site and keep it that way, but the paid version adds a lot more functionality.
Although I like the tools out there, I tend to be a little hard-headed at times and like to know 100% that everything was truly removed. So for most of my sites, as time-consuming as it was, I did the following:
- I replaced all of the core WordPress files (it’s very important that you replace them with the same version that you have installed).
- I looked through every directory and sub-directory for files that didn’t make sense (like upload.php in an upload folder, which has no reason to be there). This is a little trickier, because knowing what should be there and what shouldn’t comes from experience. It’s worth noting that most of the time there should be NO PHP or HTML files in any of the upload folders, as uploads are typically just pictures, videos, and documents. If you’re unsure whether a file is malicious, open it in a text editor and see if the nasty little JS injection code (I mentioned above) is in the file.
- Once I was sure I had removed everything that was malicious, I ran a virus scan on the entire site to be safe and finally uploaded it back where it belonged.
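The two manual checks in these steps (PHP/HTML files hiding under the uploads folder, and core files that differ from a clean copy of the same WordPress version) can be scripted. This is an added Python example, not code from the original post; the directory tree it builds is constructed for the demonstration and its file names and contents are made up, not real WordPress files.

```python
import hashlib
import tempfile
from pathlib import Path

# Rule of thumb from the post: uploads hold media and documents, never executable web files.
SUSPECT_SUFFIXES = {".php", ".phtml", ".php5", ".phar", ".html", ".htm"}
# Site-specific paths that a stock WordPress download does not contain, so they are not compared.
SKIP_PREFIXES = ("wp-content/", "wp-config.php")

def sha256_of(path: Path) -> str:
    return hashlib.sha256(path.read_bytes()).hexdigest()

def suspect_uploads(site: Path) -> list[str]:
    """Relative paths of PHP/HTML files found anywhere under wp-content/uploads."""
    uploads = site / "wp-content" / "uploads"
    return sorted(p.relative_to(site).as_posix() for p in uploads.rglob("*")
                  if p.is_file() and p.suffix.lower() in SUSPECT_SUFFIXES)

def _core_hashes(root: Path) -> dict[str, str]:
    return {p.relative_to(root).as_posix(): sha256_of(p) for p in root.rglob("*")
            if p.is_file() and not p.relative_to(root).as_posix().startswith(SKIP_PREFIXES)}

def diff_against_clean(site: Path, clean: Path) -> dict[str, list[str]]:
    """Compare core files against a clean copy of the SAME WordPress version."""
    mine, ref = _core_hashes(site), _core_hashes(clean)
    return {
        "modified": sorted(f for f in mine if f in ref and mine[f] != ref[f]),
        "added": sorted(f for f in mine if f not in ref),
        "missing": sorted(f for f in ref if f not in mine),
    }

def build_sample() -> tuple[Path, Path]:
    """Constructed sample trees (not real WordPress files): a clean copy and an infected site."""
    base = Path(tempfile.mkdtemp())
    files = {
        "clean/index.php": "<?php require 'wp-blog-header.php';\n",
        "clean/wp-login.php": "<?php // login handler\n",
        "site/index.php": "<?php require 'wp-blog-header.php';\n",
        "site/wp-login.php": "<?php // login handler\n/* unexpected extra line */\n",
        "site/wp-includes/extra.php": "<?php // file not present in the clean copy\n",
        "site/wp-config.php": "<?php // site-specific, skipped by the comparison\n",
        "site/wp-content/uploads/2020/01/photo.jpg": "JPEGDATA",
        "site/wp-content/uploads/2020/01/upload.php": "<?php // should not be here\n",
    }
    for rel, body in files.items():
        (base / rel).parent.mkdir(parents=True, exist_ok=True)
        (base / rel).write_text(body)
    return base / "site", base / "clean"

if __name__ == "__main__":
    site, clean = build_sample()
    print("suspect uploads:", suspect_uploads(site))
    print("core diff:", diff_against_clean(site, clean))
```

Point `diff_against_clean` at a real site and a freshly downloaded WordPress of the same version to get the list of files to inspect; anything under wp-content (themes, plugins, uploads) still needs the manual review the post describes.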