NetCrafted

6 Steps to Check WordPress for Malware

Scott — Fri, 12 May 2017 14:19:37 +0000

With over a quarter of all Internet sites running on WordPress, it’s a common target for malware scripts and hackers. Mix in thousands of open source plugins and themes (some coded better than others), poor shared hosting practices and weak password management, and you have the perfect recipe for an insecure site.

Here are six steps to check your WordPress site for a malware infection. These are ordered from easiest to hardest.

1) Online Malware Scanner. For a free, quick and easy check, you can’t beat Sucuri’s Malware and Security Scanner. Just enter the URL of your site and you’ll get an online report of your site’s status along with a blacklist report. There’s a little upsell of their Website Firewall product (the “Medium Risk” you’ll see) but otherwise this is a great tool for a quick check.

2) Check the Search Engines. An infection that’s been lingering for a while is likely to have already been picked up by one or more of the big three search engines: Google, Yahoo and Bing. The search engines will display a warning to users that your site is infected and dangerous to visit.

You can perform a site specific search by using the site operator. Simply prepend the operator site: before your domain name. For example, I could check my site with site: netcrafted.com. Check for a message below one or more of your search listings. While you’re looking for the message, take a look at the content that’s been indexed; if you see unusual characters or content that clearly doesn’t belong, it’s a good sign you have an infection.

3) Google Search Console. If your site isn’t setup in Google’s Search Console, it should be. Not only will you will be able to check the malware status of your site, it also helps you monitor and maintain your site’s presence in Google Search results. It’s completely free and a no-brainer for any serious website owner.

Once logged into Search Console, you’ll find the status of your site under Security Issues. If there are notices here, you likely have issues. After you fix them, this is where you’ll return to in order to submit your site to Google for reconsideration.

4) Scan with Wordfence. The Wordfence Security plugin is one of my favorite security plugins. I use Wordfence as a basic line of defense on my own site and sites I manage for others.

Before you run a scan, go to the Scans to Include options section and check every checkbox except for the ‘Scan images, binary, and other files’, ‘Enable High Sensitivity’ and ‘Use low resource scanning’ options.

Keep in mind that relying solely on an internal scanner on an already compromised site is foolish; however, if Wordfence does find malware it’s a sign you have much bigger problems.

5) Visit from search, social media & mobile. Some malware infections are designed to only show themselves when being referred to your site from another source. For example, visiting from Google or Facebook. The possibilities are vast, but I find it most useful to test the most popular search engines and social media platforms.

Before you start, I recommend loading a new browser window that isn’t logged into your site. Clear all cookies and your browser’s cache. Chrome’s Incognito mode is especially useful for this testing.

For search engines, do a site specific search using the site: operator just as before. Click on a link to your site. If anything appears abnormal, there may be a problem.

Do the same for Facebook, Twitter, Instagram or any other social media platform you might find your site linked from.

The key here is to click to your site from another site. The web server hosting your site will receive the refering URL information and this is what some malware infections use to determine whether or not to “show” themselves.

Finally, load your site in mobile and check it. With mobile browser usage on the rise, malware authors are now selectively targeting these views.

6) Examine your files. This is the going to be the hardest way to inspect your site, but if you know what you’re doing, you can spot active and inactive infections. Your host’s file manager is usually the easiest way to do this, but an FTP client will also work.

Look for unusually named files and inspect the contents of some commonly infected files. Malware code is often found in files such as .htaccess, index.php and wp-config.php. Compare your core WordPress file list to those found in the original release package. If you have shell access to your host, you can grep for commonly used functions in malware such as eval(base64_decode.

What Next?

If your site is clean, now’s a good time to make sure it stays that way. Harden WordPress, keep it up to date and have a sound backup plan in place. Consider WordPress management or managed WordPress hosting if you want to offload these worries.

An infected site should be cleaned as soon as possible. Refer to my step-by-step guide on how to remove a WordPress malware infection or consider my professional WordPress malware removal service.

The post 6 Steps to Check WordPress for Malware appeared first on NetCrafted.

How to Repair WordPress Malware Infections (Step-by-Step Guide)

Scott — Wed, 03 May 2017 15:24:08 +0000

Over the years I’ve cleaned many, many WordPress malware infections for customers. The following steps are the same steps I use when hired to clean a site. To be successful, you should be familiar with WordPress core files, FTP and your hosting control panel. If your host provides access to the command shell and you’re familiar with Linux, even better. Let’s get started!

Step 0: Backup your site. Before you even start, if you have a working backup, consider restoring that backup to a time before the malware infection occurred. Your site may still be in a vulnerable state, but it may not be the mess it is right now.

If you don’t have a backup, or you need to get your site working with minimal loss since your last backup, you should backup your site before proceeding. I am not responsible for any damages you might cause your site by following this guide. When in doubt, hire a professional.

Step 1: Record plugins and themes. Make a note of everything you’re using, including the URL and author, if available. If it’s not active and/or necessary, consider deleting it. Pay special attention to the active plugins; malicious plugins are often installed with seemingly innocuous names such as, WordPress Dictionary.

Step 2: Download WordPress You’re going to need a fresh copy of the latest version of WordPress.

Step 3: Remove unknown users. Especially user with Administrator access. If they have content associated with them, assign it to a known user.

Step 4: Reset your password. Make it something strong; I just let the auto-generator suggest something.

Step 5: Secure FTP accounts. This is back in your hosting control panel and is actually two steps in one. Some panels give you the option to delete the files under the user as well, but I would not suggest this unless you have a backup and know what you’re doing. Reset the passwords on any remaining FTP accounts to something strong.

Step 6: Reset any other logins. Reset any other control panel, billing or additional logins your hosting account might have.

Step 7: Take website offline. I typically do this by renaming the folder, but you could do it with permissions as well. This is one that’s tempting to skip over to minimize downtime. However, if you leave your site up with any active infection, you leave the door open to re-infection while you work. The short downtime will be worth the hassle of having to start over from scratch.

Step 8: Check .htaccess. A commonly targeted file by malware infections. Remove malware redirects manually if you know what you’re doing. If you’re unsure, another option is to delete the file (backup first!) then recreate it through WordPress after you’re done. This is as simple as re-saving the Permalinks settings.

Step 9: Archive core WordPress files. Basically you’re going to backup the old files on-site temporarily. I usually create a temp folder and move the core files there. This does not include the /wp-contents/ folder or wp-config.php.

This is a list of the latest WordPress core files at time of publication:

/wp-admin/ /wp-includes/ index.php wp-activate.php wp-blog-header.php wp-comments-post.php wp-config-sample.php wp-cron.php wp-links-opml.php wp-load.php wp-login.php wp-mail.php wp-settings.php wp-signup.php wp-trackback.php xmlrpc.php

Step 10: Install fresh plugins and themes. Things start to get tricky here for most people. I like to start with a fresh /plugins/ and /themes/ folder and upload new copies of the plugins straight from WordPress. If you’ve made changes directly to your theme files, re-installing the theme may not may possible. If you have a premium theme or plugin, you will have to retrieve that the source again.

Step 11: Remove malware. This is where the dirty work happens, and subsequently, where most people fail. Basically you need to remove files which contain only malware and clean files containing malware snippets.

Unfortunately, this is where real expertise and experience with Linux, WordPress and php becomes necessary. If you’re lucky, you’ll encounter only a couple obvious malware files to delete. In most cases though, malware files will be dispersed throughout your directory structure. Worst case, you’ll have a highly custom theme with malware embedded in every theme file.

I have years of experience and have developed many tools and scripts that I use for malware removal, both with and without shell access. If you’re in over your head at this point, consider hiring me to get it done.

Step 12: Create new wp-config.php. Use the existing wp-config-sample.php file as your template. Copy the database server and user from the old file. In your host’s control panel, reset the database password for the correct database to something strong and copy it into the file; do not re-use the existing password.

Set the authentication keys and salt values, too. Use the WordPress API to generate them instead of typing in your own random strings.

Finally, check your old wp-config.php for host specific settings. Copy these over into the correct place. Be sure you are not copying over malware here; the wp-config.php file is a common malware target and you’ll typically see code inserted at the beginning of the top of this file. Again, know what you’re doing or get an expert. Quick tip, take care not to insert blank space before or after the opening or closing php tags. They should be the first and last things in this file. Doing so usually leads to a WordPress site with just a white screen.

Step 13: Upload WordPress Wait! This is the fresh installation you downloaded earlier. You want to upload everything except the /wp-content/ folder.

Step 14: Set file/folder permissions. The default permissions for WordPress are 755 for folders and 644 for files. Your host may require different permissions; check with them if necessary.

Step 15: Reactivate site. Your site should be functioning now. If not, try accessing just the dashboard and re-save Permalinks, check plugins and the active theme. If it’s still not working, go back carefully through the steps.

Step 16: Reset accounts, again. Repeat steps 3 through 6. This is probably unnecessary, but once the site is clean and running, I like to double-check just in case.

Step 17: Remove old core files. These are the files you archived in Step 9. If they are in your active web folder and they are infected, there’s a small chance any call to them could re-infect everything. If they’re above your active web folder, in a folder inaccessible to web visitors, this is less of a concern. Either way, you don’t need them anymore.

Step 18: Use Wordfence. The Wordfence Security plugin is a great anti-malware plugin that also has a scanner built-in. If you’ve missed anything, there’s a great chance Wordfence is going to find it. If you plan on keeping Wordfence installed long-term, which I highly recommend, I would turn off the Live Traffic Option under the Basic Options menu. It consumes a lot of resources and isn’t necessary for protection.

Before you run the initial scan, go to the Scans to Include options section and check every checkbox except for the ‘Scan images, binary, and other files’, ‘Enable High Sensitivity’ and ‘Use low resource scanning’ options. This will give you a thorough scan. Warnings aren’t generally infections, but you’ll have to use your own judgement here. Critical errors mean you missed something. Fix it and go back to Step 3. Sorry.

Step 19: Use Sucuri. The Sucuri Security plugin is a good second line of defense. I like this plugin for monitoring changes to WordPress core files, users, theme changes via the editor and things like that. It also has a Hardening section to quickly lock down some parts of WordPress.

(Optional) Step 20: Blacklist check. If you’ve been harboring a malware infection for very long, there’s a good chance you’re being flagged in the search listings by Google and possibly blacklisted by other search engines or mailing blacklists. Submit your site for reconsideration.

Summary

If you’ve successfully cleaned your site following these steps, congratulations! Going forward, it will be important to keep your site up to date and monitor the security plugins you’ve installed. If you don’t already, have an off-site backup plan in place for your files and database.

Did you try and fail? Or do you have a stubborn infection that keeps coming back? If this is simply beyond your capabilities, consider hiring a professional to clean your site. I have a WordPress malware removal service for a reasonable flat fee with a 30 day guarantee. I also provide ongoing site monitoring and off-site backup with my WordPress management service.

The post How to Repair WordPress Malware Infections (Step-by-Step Guide) appeared first on NetCrafted.