How to remove malicious code from WordPress website

1. Prevention

Numerous instances have been observed where malicious code is inserted into the WordPress directory, causing the site to malfunction and compromising its security.

The following techniques are commonly employed by malicious code:

  1. Utilizing the eval() function.
  2. Executing the curl_multi_exec() function.

It is important to block access to such functions. One way is to disable them in the php.ini configuration file. Locate the php.ini file, usually found under the /etc/ directory (the exact path depends on the distribution and PHP version), and change the disable_functions line. Note that eval() is a language construct rather than a function, so disable_functions cannot block it; the list below targets the process-spawning and curl functions that injected code typically relies on. Disabling curl_exec can break plugins that call curl directly, so test the site after the change.

; Before: nothing disabled
disable_functions=
; After: disable the functions commonly abused by injected code
disable_functions=exec,passthru,shell_exec,system,proc_open,popen,curl_exec,curl_multi_exec,parse_ini_file,show_source
; Remember to restart the web server (or PHP-FPM) to ensure that the change takes effect.

2. Finding Malicious codes

Here is an instance of undesirable code that recurrently appears on one of the websites.

[Screenshot: Malicious Codes]

These files are not necessarily confined to a single folder; moreover, they can be scattered across numerous subfolders. Let’s explore methods to locate such files.

# Go to the WordPress root directory
# Enter the following command
grep -r "chr(" *

Next, the result obtained will be similar to this.

[Screenshot: Malicious Codes]

And this,

[Screenshot: Malicious Codes]

# If you just want the file list without the matched content, add the "-l" argument to the grep command.
grep -rl "chr(" *
# and see the following output
[Screenshot: List of Malicious Codes]

Furthermore, by employing the same approach, we can identify undesirable files by conducting a search using keywords such as "eval" and "curl_multi_exec".
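As an added example that is not part of the original post, the following POSIX shell script packages the grep searches above into a read-only scanner that checks several indicators at once: the chr(, eval and curl_multi_exec markers mentioned in this post plus base64_decode, which obfuscated injections commonly pair with eval. The function names, the pattern list and the sample tree it builds under mktemp are my own assumptions; the sample files are constructed and harmless. It relies on grep's --include option (GNU and BSD grep), which is not strictly POSIX.

```shell
#!/bin/sh
# Added example, not from the original post: a read-only scanner that runs the
# grep searches from the text over PHP files only and reports file:line:match.

# Indicators to look for (assumption: the post's markers plus base64_decode).
# With -E, "\(" matches a literal parenthesis.
SUSPICIOUS_PATTERNS='chr\(|eval\(|curl_multi_exec\(|base64_decode\('

# scan_wp_tree DIR: print "file:line:content" for every match in *.php under DIR.
# -r recurse, -n line numbers, -E extended regex; nothing is modified.
scan_wp_tree() {
    grep -rnE --include='*.php' "$SUSPICIOUS_PATTERNS" "$1" 2>/dev/null
}

# list_suspicious_files DIR: unique file names only (the -l form from the post).
list_suspicious_files() {
    grep -rlE --include='*.php' "$SUSPICIOUS_PATTERNS" "$1" 2>/dev/null | sort
}

# count_suspicious_files DIR: number of files flagged.
count_suspicious_files() {
    list_suspicious_files "$1" | wc -l | tr -d ' '
}

# make_sample_wp_tree: build a small, constructed WordPress-like tree under a
# temporary directory so the scanner can be exercised offline. Prints its path.
make_sample_wp_tree() {
    root=$(mktemp -d)
    mkdir -p "$root/wp-content/uploads/2023" "$root/wp-includes"
    # a clean file that must not be flagged
    printf '<?php\necho "hello";\n' > "$root/wp-includes/clean.php"
    # constructed indicator: a string assembled with chr() and passed to eval()
    printf '<?php\n$s = chr(104).chr(105);\neval($s);\n' > "$root/wp-content/uploads/2023/x.php"
    # constructed indicator: base64_decode applied to request input
    printf '<?php\n$d = base64_decode($_GET["q"]);\n' > "$root/wp-content/bad.php"
    # a non-PHP file containing the marker; --include keeps it out of the results
    printf 'chr(1)\n' > "$root/wp-content/uploads/notes.txt"
    echo "$root"
}

# Stand-alone demo: scan the constructed tree, then clean it up.
if [ "${1:-}" = "--demo" ]; then
    demo_root=$(make_sample_wp_tree)
    scan_wp_tree "$demo_root"
    rm -rf "$demo_root"
fi
```

Run the script with --demo to see the matches on the constructed tree, or call scan_wp_tree with the real document root to get the same file:line report. Treat every hit as something to read rather than delete on sight: legitimate plugins also use base64_decode and chr(), so the report is a shortlist for review, not a verdict.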

3. Deleting the files

Once the file list is identified, it can be deleted using the following steps:

  1. Copy the file list into a separate file, such as “garbage.txt”.
  2. Then, open the file using the “vim” text editor: vim garbage.txt.
  3. Add “rm ” at the beginning of each line using the following vim command: Press SHIFT + :, then enter "%s/^/rm /g" (without quotes).
  4. Finally, run the command sh garbage.txt to remove all the files listed in the text file.
  5. Also, if you have access to the web server, restart it, since this terminates any running processes associated with the malware.
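The steps above turn the grep -l list into rm commands. As an added example, not from the original post, the script below applies a swapped-in variant of that procedure: it moves each listed file into a quarantine directory that mirrors its relative path and records a SHA-256 in a manifest, so the cleanup is reversible (move the file back) and the samples stay available for review. The function names and the constructed sample tree are my own assumptions, and sha256sum (GNU coreutils) is assumed to be installed.

```shell
#!/bin/sh
# Added example, not from the original post: quarantine instead of rm.

# quarantine_files ROOT LIST QDIR
#   ROOT : the WordPress root the grep -l list was produced from
#   LIST : file with one path per line, relative to ROOT (grep -l output)
#   QDIR : quarantine directory, created if missing (keep it outside ROOT)
# Appends "<sha256>  <relative path>" to QDIR/MANIFEST.txt and prints the
# number of files moved.
quarantine_files() {
    root="$1"; list="$2"; qdir="$3"
    mkdir -p "$qdir"
    moved=0
    while IFS= read -r rel; do
        rel=${rel#./}                     # grep output may start with "./"
        src="$root/$rel"
        [ -f "$src" ] || continue         # skip blank lines and vanished files
        mkdir -p "$qdir/$(dirname "$rel")"
        sum=$(sha256sum "$src" | cut -d' ' -f1)   # assumes GNU coreutils
        mv "$src" "$qdir/$rel"
        printf '%s  %s\n' "$sum" "$rel" >> "$qdir/MANIFEST.txt"
        moved=$((moved + 1))
    done < "$list"
    echo "$moved"
}

# quarantined_count QDIR: files parked so far, manifest included.
quarantined_count() {
    find "$1" -type f | wc -l | tr -d ' '
}

# make_quarantine_sample: constructed tree with two flagged files, one clean
# file, and a garbage.txt that also names a file which does not exist.
# Prints the root path.
make_quarantine_sample() {
    root=$(mktemp -d)
    mkdir -p "$root/wp-content/uploads/2023" "$root/wp-includes"
    printf '<?php\n$s = chr(104).chr(105);\neval($s);\n' > "$root/wp-content/uploads/2023/x.php"
    printf '<?php\n$d = base64_decode($_GET["q"]);\n' > "$root/wp-content/bad.php"
    printf '<?php\necho "hello";\n' > "$root/wp-includes/clean.php"
    printf 'wp-content/uploads/2023/x.php\nwp-content/bad.php\n\nwp-content/missing.php\n' \
        > "$root/garbage.txt"
    echo "$root"
}

# Stand-alone demo on the constructed tree.
if [ "${1:-}" = "--demo" ]; then
    demo_root=$(make_quarantine_sample)
    demo_q=$(mktemp -d)
    echo "moved: $(quarantine_files "$demo_root" "$demo_root/garbage.txt" "$demo_q")"
    cat "$demo_q/MANIFEST.txt"
    rm -rf "$demo_root" "$demo_q"
fi
```

On a real site, run it as quarantine_files /path/to/wordpress garbage.txt /var/quarantine/site-YYYYMMDD (a path of your choosing outside the document root), then delete the quarantine directory only once the site has been confirmed healthy; the manifest gives you a hash to compare against any future reinfection.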

4. Setting up the right file permissions

Having the right file permissions is equally important. Run the following commands from the WordPress root to apply the usual baseline (755 for directories, 644 for files):

cd /path/to/wordpress/install/
find . -type d -exec chmod 755 {} \;
find . -type f -exec chmod 644 {} \;
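As an added example that is not part of the original post, the script below audits a tree against the 755/644 baseline that the two find commands above apply, lists any world-writable entries separately, and then re-applies the baseline. The function names and the constructed sample tree are my own assumptions.

```shell
#!/bin/sh
# Added example, not from the original post: audit and re-apply the 755/644 baseline.

# audit_wp_permissions ROOT: print each entry whose mode is not exactly
# 755 (directory) or 644 (file); "-perm 755" is an exact-mode test.
audit_wp_permissions() {
    (
        cd "$1" || exit 1
        find . -type d ! -perm 755
        find . -type f ! -perm 644
    )
}

# count_permission_deviations ROOT: number of lines audit_wp_permissions prints.
count_permission_deviations() {
    audit_wp_permissions "$1" | wc -l | tr -d ' '
}

# world_writable ROOT: the subset any local account could modify
# (other-write bit set, e.g. modes 777 or 666).
world_writable() {
    ( cd "$1" || exit 1; find . -perm -002 )
}

# fix_wp_permissions ROOT: the two find commands from the post.
fix_wp_permissions() {
    (
        cd "$1" || exit 1
        find . -type d -exec chmod 755 {} \;
        find . -type f -exec chmod 644 {} \;
    )
}

# make_permission_sample: constructed tree with one world-writable upload
# directory and one world-writable PHP file inside it. Prints the root path.
make_permission_sample() {
    umask 022                       # freshly created entries start at 755/644
    root=$(mktemp -d)               # mktemp creates the directory as 700
    chmod 755 "$root"               # normalise the root itself
    mkdir -p "$root/wp-content/uploads"
    printf '<?php\n' > "$root/index.php"
    printf '<?php\n' > "$root/wp-content/uploads/u.php"
    chmod 777 "$root/wp-content/uploads" "$root/wp-content/uploads/u.php"
    echo "$root"
}

# Stand-alone demo: audit, fix, audit again on the constructed tree.
if [ "${1:-}" = "--demo" ]; then
    demo_root=$(make_permission_sample)
    echo "before:"; audit_wp_permissions "$demo_root"
    fix_wp_permissions "$demo_root"
    echo "after: $(count_permission_deviations "$demo_root") deviation(s)"
    rm -rf "$demo_root"
fi
```

Running audit_wp_permissions periodically (for example from cron) turns the one-off fix into a check: a fresh world-writable upload directory or a PHP file with execute bits is worth investigating before it is silently normalised.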

5. General Checkup

  1. Lastly, ensure that all plugins and themes are up to date, and that you are utilizing the latest version of PHP.
  2. Verify that all contact forms are utilizing captcha and that the file upload functionality has proper validation in place. Ensure that it disallows uploading executables or PHP scripts.

6. Need Help

If you have any questions, feel free to utilize the comment box below for any help.
