
How to find malicious code and hidden links in a template.

WordPress is one of the most popular content management systems (CMS) used by people either for simple blogging or for other purposes like building an online store. There are many plugins and themes to choose from. Some of them are free, some are not. Often times, these themes are uploaded by people who have customized them for their own benefit.

1. Theme Authenticity Checker (TAC)

Theme Authenticity Checker (TAC) is a WordPress plugin that scans the source files of every installed WordPress theme for hidden footer links and Base64-encoded code. Once something is detected, it displays the path to the theme file, the line number, and a small piece of the suspicious code, which lets the WordPress admin analyze it easily.

2. Exploit Scanner

Exploit Scanner can scan your site's files and database and flag anything questionable. Keep in mind that it will neither prevent an attack on your site nor remove any suspicious files; its purpose is to help identify files uploaded by an attacker. If you want to remove them, you will need to do it manually.

3. Sucuri Security

Sucuri is a well-established malware detection and general security plugin. Its main features are monitoring of files uploaded to your WordPress site, blacklist monitoring, security notifications, and more. It also offers remote malware scanning with the free Sucuri SiteCheck scanner. A website firewall add-on can be purchased and activated to further improve the security of your website.

4. Anti-Malware

Anti-Malware is a WordPress plugin that can scan for and remove viruses, threats and other malicious code that may be present on your site. Its important features include custom scans, full and quick scans, and automatic removal of known threats. The plugin can be registered for free at gotmls.net.

5. WP Antivirus Site Protection

WP Antivirus Site Protection is a security plugin that scans WordPress themes along with other files uploaded to your WordPress site. Its main functions are scanning every file uploaded to the site, continuously updating the virus database, removing malicious code, sending notifications and alerts by email, and much more. There are also paid features if you want tighter security for your site.

6. AntiVirus for WordPress

AntiVirus for WordPress is an easy-to-use protection plugin that scans the WordPress themes used on your site for malicious code. With it you receive virus notifications in the admin panel. There is also a daily scan, after which you receive an email if anything suspicious is found.

7. Quttera Web Malware Scanner

The Quttera Web Malware Scanner helps you scan your site and protect it against injected malicious code, viruses, worms, Trojans and other computer vermin. It offers several interesting features, such as detection of unknown malicious code, blacklist checks, an "artificial intelligence" scanning engine, detection of foreign external links and much more. You can scan your site for malware for free, while other services cost $60/year.

8. Wordfence

If you are looking for a way to protect your website against cyber attacks, try the Wordfence plugin. It provides real-time protection against known attacks, two-factor authentication, blocking of an entire infected network when one is detected, scans for known backdoors, and many other things. The features mentioned are free; others are offered for a fee.

I will focus on WordPress, but many of the tips will be useful to people working with other engines.

People often come to me asking how to clean a WordPress site and how to tell that the site has been hacked. I will describe what these viruses are and how difficult it is to fight them.

The first symptom. Google message "This site may have been hacked"

A very common story: a client comes to a company, or contacts me directly through the blog, and says that when he found his site in the Google search results he stumbled upon the message "This site may have been hacked."

This message appears when Google suspects, or rather is almost certain, that your site has been hacked. What to do in such cases? There are only five steps:

  1. Clean the site of shells and various viruses (more on that later);
  2. update WordPress and all plugins from older versions to the most recent;
  3. configure site protection (I will also say a little about this later);
  4. check how good the hosting is and move to a more reliable one if necessary (my recommendation is the same as before);
  5. check whether there are viruses in the database.

Do not forget to make a backup before each step, and make another backup after all five stages, in case you did not manage to clean everything the first time and need to look for more sophisticated ways of scanning the site.

If you have cleaned everything and the "This site may have been hacked" message remains

My advice is to go to Google Webmaster Tools and request a re-check of the site. How fast Google re-checks depends on the degree of infection.

There are two degrees of severity of infection:

  1. Malicious code has been planted that gives the attacker access to the site, publishes links and so on. In short, only your own site is harmed.
  2. Your site has been hacked and is being used to send spam or to attack other sites.

In the first case Google employees do not even look at the site; the system checks it automatically (in my experience it took from 10 minutes to several hours).

In the second case, to make sure there is no longer any threat from your site to other sites, Google assigns a person who checks the site manually. In this case the check can take 1-2 weeks.

I advise you not to delay cleaning the site, because the longer you delay, the worse your position in search engines will be.

Second symptom. Virus redirects to another site

Such viruses are found all the time. Look for them in the .htaccess file at the site root; if it is not there, search for .htaccess files in other folders of the site. You can also search for the redirect functions used in different programming languages. I would also advise scanning the site for backdoors, because this code got there somehow. Start by scanning WordPress for viruses, clean it, and change the passwords.

Hidden redirect from Google or Yandex

A more complex virus with a redirect. Often the redirect is triggered only for visitors coming from a specific search engine, so it is less noticeable to the administrator, while users who arrive from search queries end up on a site pushing some kind of junk they are trying to sell.

I came across a virus on a WordPress site that tried to guess roughly what the user was looking for from the topic of the query and substituted an affiliate link to one large resource that has a bunch of products of various kinds.

A redirect for mobile devices (iPhone or Android) is even sneakier than a hidden redirect: it only redirects mobile traffic. Search engines see this well in their webmaster tools, but it is still useful to open the site from a mobile device from time to time and see how it behaves.

A redirect from all links is another simple, crude, but very harmful symptom. First of all, it is harmful for website promotion. This was common at the dawn of the Internet, when hackers broke into a lot of sites and then often did not really know what to do with them. The first thing that came to mind was simply to redirect all traffic to some affiliate program or to try to push a product, in case someone bought something. The problem they had was that the traffic was not targeted and sales were extremely rare; as an SEO specialist I can assure you of this.

Substitution of contextual advertising (Google and Yandex)

Such a virus was generally hard to spot: the client accidentally clicked on his own ad and landed on some dubious site. He was very surprised and asked me to remove all threats.

The virus seemed complex judging by its symptoms, but after looking in more detail I saw that the code was simple. The hacker turned out to be a genius programmer. After removing the virus, I still had to find a bunch of encrypted code scattered across all the files of the site. Difficult, but everything has been fixed.

Symptom three. The hosting provider complains that SPAM is constantly being sent from the site

Oh, this spam; it is a thrill for some people, but hackers can hardly expect much return from this type of advertising, since the audience is most often not the target audience.

What problems arise when a site is constantly infected and sending spam?

  • For the hosting provider, it is a headache because of the load on the servers;
  • the site sags in search engine results.

Everything is bad, but it can be treated. Simple methods like updating all plugins and WordPress will not help here; it is more complicated. There is no point in holding a plantain leaf to the screen and waiting for it to heal! :-) Use all the tips for detecting and neutralizing viruses described under the first symptom. By the way, most hosting providers probably do not provide adequate protection; the infection can come through their services, and when that happens, such providers blame the owners (as if you could blame yourself!). We will talk about hosting a little later.

By the way, during mass spam sending you may simply see a 503 error on the site, because the server goes down. I advise you to look at what the server writes in its logs and which file is being executed. Spam that constantly arrives at your site can also be the first warning that your site is weakly protected or that its protection has not been updated for a long time.

Symptom four. The virus inserts code into every blog post

This one is fun: for example, you insert a picture or some media file into a new article in the admin panel, and along with it a piece of code is inserted that invisibly substitutes the infected file. To remove such a virus, I had to go through the pieces of code the virus inserted, find similar places in the code, use them to find all the fragments of the virus in the database, and delete them. In general, the cleanup was lively, and all the colleagues sitting nearby learned a lot of new words.

How to protect your WordPress site from viruses: this is how I do it

  1. Choose only hosting with separation of rights between domains, so that by hacking one site on the hosting an attacker cannot get to the rest.
  2. Hide usernames so that they cannot be found. All sorts of WordPress plugins for forums, social networks and stores often display them very readily.
  3. Use only proven plugins and themes; I advise downloading from the official repository. You can also buy themes from well-known marketplaces that have code quality control. I usually use a marketplace if I buy.
    If the theme is old and there is no way to get it from a reliable source, it is better not to use it at all and choose another one. Alternatively, you can give the theme to a specialist for cleaning, but the price can be almost the same as buying a new one.
  4. Buying hosting, creating the website and setting complex passwords is a guarantee of protection from at least 90% of hacks. Impressive, isn't it?
  5. Place a captcha wherever there are forms: login, registration, password recovery, comments. This weeds out some of the bots that brute-force passwords.
  6. Block requests in the address bar that can lead to errors.
  7. Hide the error output on the server.
  8. Hide the engine version, and the engine itself, as well as possible.
  9. Make a manual copy of the site to external media from time to time.
  10. Update all plugins promptly after creating a database dump and a copy of the files (and if you have not updated for a long time, it is better to update version by version).

If your WordPress site is constantly being infected with viruses, it means you missed a hole or a backdoor

  1. If the site has been infected, deal with that first.
  2. Remove all inactive plugins and themes, and all junk where viruses may hide.
  3. Clean all the malicious code you find.
  4. Only when everything is clean, start putting protection in place.

It is impossible to defend against all hacks; anything made by a person can be hacked, but good protection can delay such a hack by 100 years.

All types of viruses degrade the site's search performance, and the owner may not even know about them until the hacker simply starts working his site over. In general, I really wish all hackers would find their niche, since people who write such clever code could use it for the benefit of others and themselves: not make money by hacking sites, but offer useful services that bring them a steady income.

I can remove a virus from a WordPress site and set up protection

If your site has been infected and its operation disrupted, write to me and I will try to help.


Malicious code is code that interferes with the normal operation of a website. It can be embedded in themes, databases, files and plugins.


The result of malicious code may be the removal of some useful content, or its publication on a third-party resource. In this way cybercriminals can steal content. It is especially painful when a young resource with original articles is hit: it can look as if it were the one that stole the content from an older resource.

Malicious code can also place hidden links to third-party pages, visible to search engines, in a free theme. These links are not always malicious, but the weight of the main site is guaranteed to suffer.

The general purpose of all malicious codes is to disrupt web pages.

Outwardly, the malicious code is a chaotic set of characters. In reality, this nonsense hides an encrypted code containing a sequence of commands.

How does the malicious code get to the site?

There are two ways in which malicious code can enter a website.

1. Downloading files and plugins from questionable and unreliable resources. Most often, encrypted links get onto the site this way; explicit code rarely enters a site like this.

2. Hacking of the site followed by penetration. This method is considered more dangerous, because hacking a web page makes it possible to plant not only "one-time" code but entire constructs with elements of a malicious program (malware).

Such code is very difficult to destroy, since it can recover after being deleted.

Checking the site for malicious code

Keep in mind that these insidious constructs can appear not only in the active theme but in any file of the resource. There are several ways to find them:

  • Manually. Compare the contents of all current files with the uninfected versions in a backup. Anything that differs needs to be removed.
  • Using security plugins. In particular, WordPress offers the Wordfence Security plugin. It has an option to scan page files for extraneous code.
  • Using hosting support. The site owner has the right to ask them to scan the resource with their antivirus. They will provide a report showing which files are infected. These files can then be cleaned of extraneous constructs with a regular text editor.
  • Through SSH access to the site. The search itself is carried out using the following commands:

# /path/to/site stands for the root directory of the site
find /path/to/site -type f -iname "*" -exec grep -Hn "eval" {} \; > ./eval.log

find /path/to/site -type f -iname "*" -exec grep -Hn "base64" {} \; > ./base64.log

find /path/to/site -type f -iname "*" -exec grep -Hn "file_get_contents" {} \; > ./file_get_contents.log

After they run, information about suspicious files is obtained. The list of matching files and lines is written to the log files in the current directory.

  • Checking a website for malicious code via the eval function. This PHP function executes any code passed to it, even encoded code. Its argument is usually wrapped in a decoding function (as a rule base64_decode or str_rot13). It is thanks to these popular encodings that the malicious code looks like a meaningless set of Latin characters.

Open the page editor.

Copy the contents of the functions.php file to the clipboard.

Paste it into any text editor (notepad).

Find the eval command.

  • Before removing the malicious code, analyze what parameters the function takes. Because the parameters come in encoded form, they need to be decoded using decoders. Having recognized the input parameter, you can decide what to do with that place in the functions.php file.

Removing malicious code

Once detected, the malicious code simply needs to be removed like an ordinary line in a text file.

Protection against malicious code

In order to prevent the appearance of malicious code on the site, a number of preventive measures must be followed.

Use only proven software:

  • Only download distributions from trusted sources.
  • Apply server software updates promptly.
  • Perform regular server security audits.
  • Remove obsolete debug scripts.

Install strong passwords on the server software:

  • Come up with a 12-character combination that includes digits and letters in both cases.
  • For each of the services, create your own unique password.
  • Change your passwords every 3 months.

Control the data entered by users:

  • Set up HTML markup filters in the input fields, the content of which will be included in the page code.
  • Arrange server-side validation of the input data against the allowed range.
  • Use WAF. Web Application Firewall is a powerful tool to protect your website from hacker attacks.

Differentiate access rights to your resource.

Block or restrict access to the administration tools of your site's engine and its databases. Also, close access to configuration files and working code backups.

Sites that allow users to upload files are the most susceptible to this kind of malicious code.

1. Organize protection from bots. Many CMS have special plugins for this;

2. Configure validation of user-entered data:

  • Prevent JavaScript from being inserted inside the <script> construct.
  • Maintain a list of safe HTML tags and filter out constructs not on this list.
  • Analyze the links that users send.
  • There are special services for this, for example the Safe Browsing API. It allows you to check the security of a document by URL.

How to prevent accidental placement of malicious code.

  • Monitor the software you use carefully:
    Download CMS libraries and extensions only from trusted sources, and best of all from official sites.
    Study the code of non-standard extensions that you are going to install on your site's engine.
  • Place your ads very carefully:
    Publish on your site only ads offered by reliable advertisers.
    Try to post static content on your page.
    Beware of hidden-block affiliate programs.

WordPress is the most popular engine for creating informational websites and blogs. The security of your website is about more than the security of your data; it is also the safety of all the users who read and trust your resource, which is even more important. That is why it is so important that the site is not infected with viruses or any other malicious code.

We will look at how to protect WordPress from hacking in one of the following articles; now I want to explain how to scan a WordPress site for viruses and malicious code to make sure everything is safe.

The first possibility that comes to mind is that hackers broke in and embedded backdoors in your site's code in order to send spam, place links and do other bad things. This does happen, but it is quite rare if you update the software in time.

There are thousands of free WordPress themes and plugins out there, and that is where the threat lies. It is one thing to download a template from the WordPress site and quite another to find it on some random site. Unscrupulous developers can embed malicious code in their products. The risk is even greater if you download premium templates for free, where hackers can easily add a security hole through which they can later get in and do what they need. That is why it is so important to check a WordPress site for viruses.

Checking a WordPress site for viruses

The first thing to turn to when checking a website for viruses is WordPress plugins. They let you quickly and easily crawl your site and find suspicious sections of code worth looking at, whether they are in a theme, a plugin, or the core of WordPress itself. Let's take a look at some of the most popular plugins:

1. TAC

This very simple plugin checks all the themes installed on your site for malicious code. It detects hidden links inserted as base64-encoded code and displays detailed information about the problems found. Most of the time the pieces of code found are not viruses, but they can potentially be dangerous, so you should pay attention to them.

Open "Appearance" -> "TAC" and wait for all the themes to be checked.

2. VIP Scanner

Very similar to the TAC theme scanner, but displays more detailed information. It has the same capabilities for detecting links, hidden code and other malicious insertions. Just open the VIP Scanner item in the Tools section and analyze the result.

Perhaps it is enough to delete unnecessary files, for example desktop.ini, or you may need to look in more detail at what happens in the files that use base64.

3. Anti-Malware from GOTMLS.NET

This plugin allows you not only to scan the themes and the core of the site for viruses, but also to protect the site from password brute-forcing and various XSS and SQL injection attacks. The search is performed based on known signatures and vulnerabilities. Some vulnerabilities can be fixed on the spot. To start scanning files, open "Anti-Malware" in the side menu and click "Run Scan":

Before you can run a scan, the signature databases must be updated.

4. Wordfence

It is one of the most popular WordPress protection and malware scanning plugins. In addition to the scanner, which can find most implanted code in WordPress files, it has constant protection against various types of attacks and password brute-forcing. During the scan, the plugin finds possible problems with various plugins and themes and informs you about the need to update WordPress.

Open the tab "WPDefence" in the side menu and then go to the tab "Scan" and press "Start Scan":

The scan may take some time, but upon completion you will see a detailed report of the problems found.

5. AntiVirus

This is another simple plugin that scans your website template for malicious code. The disadvantage is that only the current template is scanned, but the information is shown in sufficient detail. You will see all the dangerous functions present in the theme and can then analyze in detail whether they pose any danger. Find the "AntiVirus" item in Settings and click "Scan the theme templates now":

6. Integrity Checker

It is also advisable to check the integrity of the WordPress files, in case the virus has already written itself in somewhere. To do this you can use the Integrity Checker plugin. It checks all core, plugin and template files for changes. At the end of the scan you will see information about the changed files.

Online services

There are also several online services that allow you to check your WordPress site for viruses, or to check just a template. Here are some of them:

themecheck.org: you upload a theme archive and can see all warnings about possibly malicious functions used in it. You can see information not only about your theme, but also about other themes uploaded by other users, and about different versions of a theme. Anything the plugins find, this site can find too. Checking your WordPress theme is also very important.

virustotal.com is a well-known resource where you can check your website or a template file for viruses.

ReScan.pro: checking a WordPress site for viruses with this service is free; static and dynamic analysis is performed to detect possible redirects, and the scanner opens the pages of the site. It also checks the site against various blacklists.

sitecheck.sucuri.net: a simple service for scanning a site and its themes for viruses. There is a WordPress plugin. It detects dangerous links and scripts.

Manual check

Nothing beats manual verification. Linux has a great utility, grep, which searches for occurrences of arbitrary strings in a folder of files. It remains to decide what we will be looking for:

  • eval - this function executes arbitrary PHP code; it is not used by self-respecting products, and if a plugin or theme uses it there is almost certainly a virus there;
  • base64_decode - decoding functions can be used together with eval to hide malicious code, but they can also be used for peaceful purposes, so be careful;
  • sha1 - another function used to obscure malicious code;
  • gzinflate - a compression-related function, used for the same purpose together with eval, e.g. gzinflate(base64_decode($code));
  • strrev - reverses a string; can be used for primitive encryption;
  • print - outputs information to the browser; together with gzinflate or base64_decode it is dangerous;
  • file_put_contents - WordPress itself or plugins may legitimately create files in the file system, but if a theme does it, be on your guard and check why it needs to, since this is how viruses can be installed;
  • file_get_contents - in most cases used for peaceful purposes, but can be used to download malicious code or read information from files;
  • curl - the same story;
  • fopen - opens a file for writing, you never know why;
  • system - executes a command on the Linux system; if a theme, plugin or WordPress itself does this, most likely there is a virus there;
  • symlink - creates symbolic links in the system; the virus may be trying to make the main file system accessible from outside;
  • copy - copies a file from one location to another;
  • getcwd - returns the name of the current working directory;
  • cwd - changes the current working folder;
  • ini_get - retrieves information about PHP settings, often for peaceful purposes, but you never know;
  • error_reporting(0) - disables the output of any error messages;
  • window.top.location.href - a JavaScript construct used to redirect to other pages;
  • hacked - just in case, we check whether the hacker himself decided to tell us.

You can search for each word individually with a command like this:

grep -R "hacked" /var/www/path/to/files/wordpress/wp-content/

Alternatively, use a simple script that searches for all the words at once (grep treats each line of the pattern variable as a separate fixed string):

values="base64_decode(
eval(base64_decode
gzinflate(base64_decode(
getcwd();
strrev(
chr(ord(
cwd
ini_get
window.top.location.href
copy(
eval(
system(
symlink(
error_reporting(0)
print
file_get_contents(
file_put_contents(
fopen(
hacked"

cd /var/www/path/to/files/wordpress/wp-content/
fgrep -nr --include '*.php' "$values" *
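As an added example (not from the article), here is the same idea as the find/grep commands in the SSH section and the fgrep script above, written in Python so that hits can be grouped per file and so that a long quoted run of base64-looking characters is flagged even when no known function name sits on the same line. The wp-content tree it scans is constructed inside the script for the demonstration; the paths and file contents are made up.

```python
"""Scan a WordPress tree for the suspicious functions listed above.

Added example, not code from the original article. It mirrors the fgrep
approach with two additions: matches ignore whitespace before "(" (so
"eval (" is caught), and any quoted run of 80+ base64-alphabet characters
is flagged as a "long base64 literal", because an encoded payload is
suspicious even when no known function name sits on the same line.
"""
import os
import re
import tempfile

# Literal keywords from the article's list (a representative subset).
SUSPICIOUS = [
    "eval(", "base64_decode(", "gzinflate(", "str_rot13(", "strrev(",
    "chr(ord(", "file_get_contents(", "file_put_contents(", "fopen(",
    "system(", "symlink(", "error_reporting(0)",
    "window.top.location.href", "hacked",
]
SCANNED_EXT = (".php", ".js")


def _keyword_regex(keyword):
    """Escape the keyword, allow spaces before "(", and require a word boundary
    in front so that "retrieval(" does not count as "eval("."""
    pattern = re.escape(keyword).replace(r"\(", r"\s*\(")
    if keyword[0].isalnum():
        pattern = r"\b" + pattern
    return re.compile(pattern)


KEYWORD_RES = [(k, _keyword_regex(k)) for k in SUSPICIOUS]
LONG_B64 = re.compile(r"['\"][A-Za-z0-9+/=]{80,}['\"]")


def scan_line(line):
    """Return the labels that fire on one line of source."""
    labels = [k for k, rx in KEYWORD_RES if rx.search(line)]
    if LONG_B64.search(line):
        labels.append("long base64 literal")
    return labels


def scan_dir(root):
    """Walk root and return sorted (relative path, line number, label) hits."""
    hits = []
    for dirpath, _, files in os.walk(root):
        for name in files:
            if not name.endswith(SCANNED_EXT):
                continue
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            with open(full, encoding="utf-8", errors="replace") as fh:
                for lineno, line in enumerate(fh, 1):
                    for label in scan_line(line):
                        hits.append((rel, lineno, label))
    return sorted(hits)


def make_sample_tree():
    """Write a small constructed wp-content tree into a temp dir and return it."""
    root = tempfile.mkdtemp(prefix="wpscan-")
    files = {
        "wp-content/themes/demo/functions.php": "\n".join([
            "<?php",
            "// constructed theme bootstrap",
            "add_action('init', 'demo_setup');",
            "eval(base64_decode('" + "QUFB" * 24 + "'));",  # injected line
            "error_reporting (0);",                           # note the space
        ]) + "\n",
        "wp-content/plugins/demo/demo.php": "\n".join([
            "<?php",
            "$total = retrieval($items);",       # must NOT match "eval("
            "$page = file_get_contents($url);",  # worth a look either way
        ]) + "\n",
        "wp-content/themes/demo/style.css": "/* eval( in CSS is not scanned */\n",
    }
    for rel, body in files.items():
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w", encoding="utf-8") as fh:
            fh.write(body)
    return root


if __name__ == "__main__":
    for rel, lineno, label in scan_dir(make_sample_tree()):
        print(f"{rel}:{lineno}: {label}")
```

Point scan_dir at a real wp-content directory to use it; every hit still needs the manual review the article describes, since file_get_contents and friends are also used legitimately.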

Malicious code enters the site through negligence or malicious intent. The purpose of the malicious code is different, but, in fact, it damages or interferes with the normal operation of the site. To remove malicious code on WordPress, you first need to find it.

What is malicious code on a WordPress site

In appearance, most often the malicious code is a set of letters and symbols of the Latin alphabet. In fact it is encoded code by which one action or another is executed. The actions can be very different; for example, your new posts are immediately published on a third-party resource, which is essentially theft of your content. Such code also has other "tasks", for example placing outbound links on site pages. The tasks may be very sophisticated, but one thing is clear: you need to hunt down and delete malicious code.

How malicious codes get to the site

There are many loopholes for code to get onto the site.

  1. Most often, these are themes and plugins downloaded from dubious resources. Such penetration is typical of so-called encrypted links; explicit code does not get onto the site this way.
  2. Penetration of a virus when a site is hacked is the most dangerous. As a rule, hacking a site allows the attacker to place not only a "one-time" code but to install code with elements of malware (a malicious program). For example, you find a piece of code, delete it, and after a while it is restored. Again, there are many options.

I note right away that fighting such viruses is difficult, and manual removal requires knowledge. There are three solutions to the problem. The first solution is to use anti-virus plugins, for example the plugin called BulletProof Security.

This solution gives good results, but it takes time, albeit a little. A more radical solution for getting rid of malicious code, including complex viruses, is to restore the site from previously made backups.

Since a good webmaster makes them periodically, it is easy to roll back to an uninfected version. The third solution, for the rich and lazy, is simply to go to a specialized firm or an individual specialist.

How to search for malicious code on WordPress

It is important to understand that malicious code on WordPress can be found in any file of your site, not necessarily in the active theme. It can arrive with a plugin, with a theme, or with "homemade" code taken from the Internet. There are several ways to try to find malicious code.

Method 1. Manually. You go through all the files on the site and compare them with the files of an uninfected backup. Found someone else's code? Delete it.

Method 2. Using WordPress security plugins. For instance, . This plugin has a great feature, scanning site files for foreign code, and it does an excellent job of it.

Method 3. If your hosting provider has reasonable support and it seems to you that the site is no longer "your own", ask them to scan your site with their antivirus. All infected files will be listed in their report. Then open these files in a text editor and remove the malicious code.

Method 4. If you can work with SSH access to the site directory, go ahead; that is a whole kitchen of its own.

Important! Whichever way you search for malicious code, before searching and then removing the code, close access to the site files (enable maintenance mode). Remember about codes that are restored by themselves when you delete them.

Search for malicious codes using the eval function

There is a PHP function, eval. It executes any code given to it as a string. Moreover, the code can be encoded. It is precisely because of the encoding that malicious code looks like a set of letters and symbols. There are two popular encodings:

  1. Base64;
  2. Rot13.

Accordingly, in these encodings the eval function looks like this:

  • eval(base64_decode(...))
  • eval(str_rot13(...)) // inside the inner quotes there are long incomprehensible sets of letters and symbols

The algorithm for searching for malicious code using the eval function is as follows (we work from the administrative panel):

  • go to the site editor (Appearance → Editor).
  • copy the functions.php file.
  • open it in a text editor (for example, Notepad ++) and search for the word: eval.
  • if found, do not rush to delete anything. You need to understand what this function "asks" to perform. To understand this, the code needs to be decoded. There are online tools for this called decoders.

Decoders / Encoders

Decoders work simply: copy the code to be decoded, paste it into the decoder field, and decode.
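As an added example, not part of the article, here is a small Python decoder that does what the online decoders do for the eval(base64_decode(...)), eval(str_rot13(...)) and eval(gzinflate(...)) forms above: it peels nested layers statically and never executes the result, which is the safe way to learn what such a line "asks" to perform. The sample payload is constructed inside the script and is harmless.

```python
"""Statically peel the eval(...) wrappers discussed above without running them.

Added example, not code from the original article. Each PHP decoder named in
the call chain (base64_decode, str_rot13, gzinflate, strrev) is replaced by
its Python equivalent and the result is re-examined, because one decoded
layer is often just another eval(...) wrapper. The sample payload is
constructed here and is harmless.
"""
import base64
import codecs
import re
import zlib


def _rot13(data):
    return codecs.encode(data.decode("latin-1"), "rot13").encode("latin-1")


# PHP decoder name -> Python equivalent operating on bytes.
DECODERS = {
    "base64_decode": base64.b64decode,
    "str_rot13": _rot13,
    "gzinflate": lambda data: zlib.decompress(data, -15),  # raw DEFLATE stream
    "strrev": lambda data: data[::-1],
}

# eval( fn1( fn2( '<literal>' ) ) );  group 1: the call chain, group 3: the literal
EVAL_RE = re.compile(
    r"eval\s*\(\s*((?:\w+\s*\(\s*)+)(['\"])(.*?)\2\s*(?:\)\s*)+;?",
    re.DOTALL,
)


def peel_eval(snippet, max_layers=10):
    """Return the decoded stages, outermost first; the last one is the real payload.

    Raises ValueError when no eval() wrapper is present or a decoder is unknown
    (an unknown decoder is left for manual review rather than guessed at).
    """
    stages = []
    current = snippet
    for _ in range(max_layers):
        match = EVAL_RE.search(current)
        if not match:
            break
        chain = re.findall(r"\w+", match.group(1))  # written outer -> inner
        data = match.group(3).encode("latin-1")
        for name in reversed(chain):                 # apply innermost first
            if name not in DECODERS:
                raise ValueError("unknown decoder in chain: " + name)
            data = DECODERS[name](data)
        current = data.decode("latin-1")
        stages.append(current)
    if not stages:
        raise ValueError("no eval(...) wrapper found")
    return stages


def make_sample():
    """Build a constructed two-layer sample: gzinflate(base64) around str_rot13."""
    inner = 'echo "hidden copyright link";'          # what the payload really does
    stage2 = "eval(str_rot13('%s'));" % codecs.encode(inner, "rot13")
    comp = zlib.compressobj(wbits=-15)                # raw DEFLATE, like PHP gzdeflate
    raw = comp.compress(stage2.encode("latin-1")) + comp.flush()
    b64 = base64.b64encode(raw).decode("ascii")
    return "<?php eval(gzinflate(base64_decode('%s'))); ?>" % b64


if __name__ == "__main__":
    for depth, stage in enumerate(peel_eval(make_sample()), 1):
        print("layer %d: %s" % (depth, stage))
```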

At the time of writing, I have not found a single piece of encoded code on a WordPress site; I found the code on a Joomla site. In principle, there is no difference in understanding the decoding. See the screenshot.

As you can see in the screenshot, after decoding the eval function did not produce terrible code that threatens the security of the site, but an encoded copyright link of the template author. It can be deleted too, but it will come back after updating the template if you are not using
