Malware Analysis - Does only WP installation file cleaning makes you secure?

June 2, 2014
Malware Analysis

One word answer “NO”. This is based on my experience w.r.t cleaning Wordpress (WP) sites against malware attack. Hackers mostly attack CMS based websites i.e. WP and Joomla by inserting malicious links on target website to redirect users to their sites and rank up in the google search results. You may want to call it as “Illegal SEO techniques”.

Hackers mostly target vulnerable plugins, themes installed on a WP website. They tend to include their malicious data in header.php or footer.php present under /wp-content/themes/<theme_name> as it loads up with every page of your website. It’s a smart way to infect full website with just one file. This is usually hard to detect as the malicious data might be encoded or hidden inside an image.

Ideally when a website is hacked there are few steps that need to be performed immediately:

  1. Replace your website folder with clean copy of website. This will save you from blacklisting by google
  2. Perform a sucuri malware scan i.e. http://sitecheck.sucuri.net/scanner/ to check if you are already blacklisted
  3. Inspect your plugins or themes folder for malicious code
  4. Remove the malicious code from infected file

Once cleaned, next step is to inspect and clean your WP database.

WP Database Inspection

It is equally important to inspect and clean your WP database after you clean WP website files. This is to ensure that the malicious code does not appear again and you have a fully cleaned website. WP database can be accessed using PHPMyAdmin console. Below is the quickest way to do a database inspection:

  1. Login to PHPMyAdmin console
  2. Click on database_name in use
  3. Export your complete database in a .sql format and open it in a text editor
  4. Do a search for malicious code

In most cases, you will find the malicious code in database. Perform below steps to clean:

  1. Identify the table and column in which malicious code exists
  2. Perform PHPMyAdmin search on the infected table and look for the malicious row
  3. Clean malicious code and click on Save
  4. Repeat steps 1-3 for every row in the table

Please note you can run a query on full database as well but this will be more time-consuming and effort will be as equal as performing above steps.

On a final note, the most important things to remember if you own a WP site are:

  1. Backup, backup, backup your website
  2. Keep your WP version up-to-date
  3. Have few of the security plugins installed for your WP website

Happy Reading!!!

Share this post
Wordpress Security
Malware Analysis
Tools & Techniques
Pentests
PTaaS
Cyber Security
Technology
Subscribe to our newsletter

Join our newsletter today and enhance your knowledge with valuable insights. It's quick, easy, and free!

Be a Team Player
Thank you! Your submission has been received!
Oops! Something went wrong while submitting the form.
Latest blogs

Latest updates in cybersecurity services

View All
Blacklock Blog Image
General
Introducing BugBait: Hack & Learn
October 30, 2024
General
Wordpress CMS Security
Managing Wordpress and Joomla Security
June 9, 2016
Wordpress CMS Security
Pentests
Data Validation Framework – HDIV at a Glance
July 12, 2013
Pentests