How to check WordPress for malicious code. We use our brains and hands to analyze files on the hosting. Installing AI-Bolit antivirus

WordPress is one of the most popular content management systems, used for a variety of purposes: from blogging to ecommerce. There is a wide selection of WordPress plugins and themes. It happens that some of these extensions fall into the hands of webmasters after some attacker has worked on them.

For their own benefit, the attacker may have left advertising links in them, or code that lets them control your site. Many WordPress users do not have much experience in web programming and do not know how to act in such a situation.

For them, I reviewed nine of the most effective tools for detecting malicious changes in the code of a running website or installed add-ons.

1. Theme Authenticity Checker (TAC)

Theme Authenticity Checker (TAC) is a WordPress plugin that scans every installed theme for suspicious elements such as invisible links or Base64-encoded code.

Having detected such elements, TAC reports them to the WordPress administrator, who can then analyze and, if necessary, correct the source theme files.

2. Exploit Scanner

Exploit Scanner scans the entire source code of your site and the contents of the WordPress database for suspicious inclusions. Just like TAC, this plugin does not prevent attacks or deal with their consequences automatically.

It only shows detected symptoms of infection to the site administrator. If you want to delete malicious code, you will have to do it manually.


3. Sucuri Security

Sucuri is a well-known solution in WordPress security. The Sucuri Security plugin monitors files uploaded to a WordPress site, keeps its own list of known threats, and also lets you scan a site remotely using the free Sucuri SiteCheck scanner. For a subscription fee you can further strengthen your site’s security by installing the powerful Sucuri Website Firewall.


4. Anti-Malware

Anti-Malware is a plugin for WordPress that can find and remove Trojan scripts, backdoors and other malicious code.

Scanning and deletion settings can be customized. This plugin can be used after free registration on gotmls.

The plugin regularly accesses the manufacturer’s website, transmitting malware detection statistics and receiving updates. Therefore, if you do not want to install plugins on your site that monitor its operation, you should avoid using Anti-Malware.


5. WP Antivirus Site Protection

WP Antivirus Site Protection is a plugin that scans all files uploaded to a site, including WordPress themes.

The plugin has its own signature database, which is automatically updated via the Internet. It can remove threats automatically, notify the site administrator by email, and much more.

The plugin is free to install and use, but has several paid add-ons that are worth paying attention to.


6. AntiVirus for WordPress

AntiVirus for WordPress is an easy-to-use plugin that can scan your site regularly and notify you of security issues via email. The plugin has a customizable "white list" and other functions.

7. Quterra Web Malware Scanner

Quterra's scanner checks a website for vulnerabilities, third-party code injections, viruses, backdoors, etc. The scanner has interesting features such as heuristic scanning and external link detection.

Basic scanner features are free, while some additional services will cost you $60 per year.


8. Wordfence

If you are looking for a comprehensive solution to your site's security problems, take a look at Wordfence.

This plugin provides constant WordPress protection from known types of attacks, two-factor authentication, support for a “black list” of IP addresses of computers and networks used by hackers and spammers, and scanning of the site for known backdoors.

This plugin is free in its basic version, but also has premium functionality, for which the manufacturer requests a modest subscription fee.


9. Wemahu

Wemahu monitors changes to your site's code and searches for malicious code.

The database used to detect malware is replenished by crowdsourcing: users themselves add to it by sending the results of scanning infected WordPress installations to the website of the plugin author. The plugin also supports sending reports by email and other useful features.


The translation of the article "9 WordPress Plugins To Detect Malicious Code In Your Site" was prepared by the friendly project team.

I will pay more attention to WordPress, but many of the tips will be useful for people working on other engines.

People often contact me with questions about cleaning a WordPress site and how to determine that the site has been hacked. I will tell you what viruses are and how difficult it is to fight them.

Symptom one. Google message "This site may have been hacked"

A very common story: a client comes to the company, or contacts me directly through the blog, and says that, having found his website in Google results, he came across the message “This site may have been hacked.”

This message appears if Google suspects, or rather is almost sure, that your site has been hacked. What to do and where to run in such cases? There are not many actions, only 5:

  1. clean the site of shells and different viruses, more on that later;
  2. update WordPress and all plugins from old versions to the latest;
  3. configure site protection, I’ll also tell you a little about this later;
  4. check how good the hosting is and transfer to a more reliable one, I advise as before;
  5. check whether there are viruses lying in the database.

Do not forget to make a backup before each action, and make another backup after all 5 stages, in case you were unable to clean the site the first time and need to look for more sophisticated methods of scanning it.

If you have cleared everything, but the error “This site may have been hacked” remains

I would suggest going to Google Webmaster and requesting a re-review of the site. The speed of Google's Webmaster verification will depend on the degree of infection.

There are 2 degrees of infection complexity:

  1. If they uploaded malicious code to you through which they gain access to the site, they publish links... In general, they only break you and harm only you.
  2. If your site has been hacked and they are trying to send spam or break others.

In the first case, Google employees don’t even check the site, since the system can do this automatically (it took me from 10 minutes to several hours).

In the second case in order to make sure that there are no threats from your site that could harm other sites, Google sends a special person who verifies the site. In the second case, the verification may last 1-2 weeks.

I advise you not to delay cleaning the site, since the longer you delay, the worse your position in search engines.

Symptom two. The virus redirects to another site

Such viruses are found all the time. Look for them first in the .htaccess file at the root of the site; if nothing is there, look for .htaccess files in the other folders of the site. You can also go through the redirect functions available in the different programming languages. I would advise scanning the site for backdoors, since this code was somehow injected into your site. Start by scanning WordPress for viruses, clean it, and change the passwords.

Hidden redirect from Google or Yandex

A more complex redirect virus. Often a redirect is set up for a specific search engine, so it is less noticeable to the administrator, but users who come from search queries end up on a website with some kind of nonsense that someone is trying to sell them.

I came across a virus on a WordPress website that tried to determine by topic approximately what the user needed and substituted, for one of the requests, an affiliate program of a large resource which has a bunch of different types of products.

Redirect from a mobile device (iPhone or Android). This is an even cooler hidden redirect that redirects only mobile traffic. Fortunately, search engines see this well in their webmaster tools, but in any case it is sometimes useful to go to the site from a mobile device and see how it works.

Redirect from all links. This is another simple, crude, but very harmful symptom. First of all, it is harmful for website promotion. This happened at the dawn of the Internet, when hackers broke into a lot of sites and then often didn’t really know what to do with them. The first thing that came to mind was to simply redirect all the traffic to some kind of affiliate program or try to sell a product, in case someone bought something. Their problem was that the traffic was not targeted and sales were extremely rare; as an SEO specialist, I can assure you of this.

Substitution of Google and Yandex contextual advertising

It was generally difficult to see such a virus; the client accidentally clicked on his advertisement and ended up on some fraudulent site. He was very surprised and asked me to remove all threats.

The symptoms of the virus seemed complex, but after looking into it in more detail, I saw that the code was simple. The hacker turned out to be a brilliant programmer. Having removed the virus, I still had to find a bunch of encrypted code that was scattered throughout all the files on the site. It’s difficult, but everything has already been fixed.

Symptom three. The hosting company complained that the site was constantly sending SPAM

Oh, this spam, it gets on people’s nerves, but you can’t expect much return for hackers from this type of advertising, since the audience is most often not the target.

What problems arise when a site is constantly infected and spam is sent?

  • for hosting providers, this is a headache with the load on the servers;
  • the site sinks in search engine results.

Everything is bad, but it can be treated. Simple methods, such as updating all plugins and WordPress, will not help here; everything is more complicated. There is no point in putting plantain on the screen and waiting for it to heal! :-). Use all the tips for identifying and neutralizing viruses described in the first symptom. By the way, probably most hosting providers do not provide adequate protection; infection can occur through their services, and if infected, such hosting providers will swear at the owners (you can’t blame yourself!). We'll talk about hosting a little later.

By the way, when mass mailing spam, your website may simply display a 503 error because the server is down. I advise you to look at what the server writes in the logs and what file is being processed. By the way, spam that constantly comes to your site can also be the first sign that your site is poorly protected or the protection has not been updated for a long time.

Symptom three. The virus inserts code into every blog post

It turns out to be fun: for example, in the admin panel you insert a picture or some other media file into a new article, and along with it a piece of code is inserted that covertly substitutes the infected file. To remove such a virus, I had to go through the pieces of code that the virus inserted, find similar places in the code, use them to find all the fragments of the virus in the database and remove them. In general, cleaning was fun and exciting; all the employees sitting nearby learned a lot of new words.

How to protect a website from viruses with WordPress, this is exactly how I do it

  1. Choose only hosting that separates rights between domains, so that by hacking one site on the hosting, an attacker cannot reach the others.
  2. Lock down user logins so that they cannot be found. Often all sorts of WordPress plugins for forums, social networks, and stores display them very well.
  3. Use only proven plugins and themes; I would recommend downloading from the official repository. You can also buy themes on well-known marketplaces that have code quality control. I usually use the marketplace when I buy.
    If the theme is old and there is no way to get it from a reliable source, then it is better not to use it at all and to choose another one. As an alternative, you can have the theme cleaned by a specialist, but the price may be almost the same as buying a new one.
  4. Once you have bought hosting and created a website, set complex passwords. This is the key to protection from at least 90% of hacks. Impressive, isn't it?
  5. Place captcha wherever there are forms. Login, registration, password recovery form, comments. This way you can weed out some of the robots that can try passwords.
  6. Block requests in the address bar that may lead to errors.
  7. Hide error output on the server.
  8. Hide the engine version and the engine itself as well as possible.
  9. From time to time, make a manual copy of the site to an external storage device.
  10. Update all plugins in a timely manner after creating a database dump and a copy of the files (if you haven’t updated it for a long time, it’s better to update version by version).

If your WordPress site is constantly infected with viruses it means you missed a hole or a backdoor

  1. If the site has been infected, then do only .
  2. Remove all inactive plugins and themes, all junk that could contain viruses.
  3. Clean any malicious codes you find.
  4. Only when you have cleaned everything, start installing protection.

It is impossible to protect against all hacks; everything that was made by a person can be hacked, but good protection could delay such a hack for 100 years.

All types of viruses worsen a site’s search performance, and the owner may not even know about them until a hacker simply starts processing his site. In general, I really wish all hackers to find their niche, since people who make such wonderful and cool code could do it for the benefit of others and themselves, not make money by hacking sites, but offer cool services that would bring them a constant income.




How to check a site for malicious code.

Sometimes you need to check a site for viruses. This may be needed, for example, if you have been searching the Internet for a long time for the answer to a question and have finally found it, but suddenly the search engine shows a warning that the site may threaten your security. Those who spend a lot of time on the Internet understand what I'm talking about. For the rest of you, I'll try to explain in more detail what this might mean.

All search engines regularly scan sites for viruses and malicious code. When a search robot finds such code on a site, it automatically displays a warning in the search results that this site may threaten your computer. But this is not always true, since these robots can make mistakes and may even take normal code, for example social buttons or JavaScript, for malicious code. In such a situation a natural question arises: is it even worth visiting this site?

If you can find the information you are interested in on another site, then a site carrying a warning that it may distribute malicious code or a virus is naturally not worth visiting. But when you have been looking for information you really need for a long time and have finally found it, what should you do?
That is one side of it. On the other hand, what if you are the owner of a website and one fine sunny day you find a warning in your Yandex or Google account that your website has malicious code? I think such a warning will not improve your mood. What should you do in this case, and how do you find this malicious code or virus? Conventional antivirus programs are unlikely to help you here. For this case there are special programs and online services that can scan a site and check it for malicious code. Naturally, there are probably a lot of such programs and online services on the Internet. I’m not going to talk about them all here, and of course I don’t know them all. Here I will talk about some services that I know about and have used myself.
If you are a webmaster, then you can do this through your account in Yandex, Google, etc., although this also does not always help. For example, this is what happened to me. One day, a friend of mine told me that when he visited my website, his antivirus utility told him that there was a virus on my site. Naturally, I immediately checked all the search engine accounts where my site is registered. And everywhere the messages said that there were no viruses or suspected malicious code on my site. It turns out that according to the search engines, my site is clean and there is no malware or viruses. But my friend’s antivirus program found something somewhere. And such a program is probably installed not only by him, but by many other Internet users as well. And it turns out that everyone who has such a program installed will avoid my site, and it is not a given that they will return to it after such a warning.
That’s when I started looking for various programs and online services to check a site for malicious code. As I already wrote above, there are many such services on the Internet, but mostly they simply show information about the presence of malicious code on the site. That is, whether there is a suspicion or not, and that’s all. For example, like this service.

There is a suspicion of a virus here and it says that they were found on the site, iframe inserts. But if you look at the code of the page, you can understand that this is just an embed code for a video from YouTube.

The second online service for checking a website for malware

Antivirus Alarm: to scan the site you specify, the service uses antivirus databases from the world's largest antivirus companies. A full scan lasts up to 10 minutes and does not stop even if you close the page. There is also a link where you can view the results at any time. Another good thing about this service is that it contains a list of the viruses most frequently detected on websites. For example, this is what the virus code looks like: iframe asqyt.in:

There is also a list of NOT viruses. This keeps you from rushing to panic when one of the antivirus programs mistakes the code for a virus.
For example, here, according to this, Google doesn’t even trust itself.

So we draw a conclusion. My opinion is that all these services are, of course, undeniably useful and really are a great help in finding malicious code on a website. But as they say, trust but verify, so you need to check every piece of information provided by these services yourself. And of course, the final action remains up to you.

The WordPress platform is gaining more and more popularity among bloggers thanks to its convenient and fast process for creating and managing a website. The great number of free plugins and widgets available for this system deserves a separate mention. On the basis of this platform you can build not only a regular blog, but also a whole online store, news portal or online cinema.

But most Web sites built on this free CMS have certain security vulnerabilities. WordPress developers, of course, try to quickly close them and release updates not only for the platform itself, but also for standard themes and plugins. However, it is not always possible to protect yourself from hacking.

Based on the latest research presented on the official website of the platform, one can get a clear idea of the infection mechanisms, since a site built on WordPress can be hacked mainly through third-party plugins or modified themes.

If hacked, most inexperienced Web administrators tend to panic and make irreversible mistakes that can lead to the loss of the entire database or files. In this article we will try to tell you how to “cure” a Web site and return it to the state it was in before the hack.

Backup

There are two ways to back up a Web site: copying the site's source files and copying the database (DB). WordPress has a standard backup tool, but it only creates a copy of the database.

To back up files, you can use third-party plugins or use full automatic backup, tools for which are usually available on the hosting. Setting up a full backup on a specific schedule is not very difficult, but later this process can save the administrator’s nerves and save a significant amount of time. If you cannot set up a full data backup mechanism yourself, it is strongly recommended that you contact your hoster to resolve this important issue. Beginning Web administrators may be advised to perform manual backups on a regular basis.

If a copy of the site and database is stored on a flash drive, then this is a one hundred percent guarantee that you can easily restore the Web site at any time.

Recovery or treatment

Almost all Web sites are designed to generate income for their owner. Therefore, a mandatory requirement for a Web site is to operate 24x7 (24 hours a day, 7 days a week) with minimal shutdown periods for technical work.

Therefore, if a Web site is infected, administrators strive to restore it from backup copies as quickly as possible. But since the problem does not go away, and the Web site still has a “gap” in its security system, a second hack will happen very soon and will not take the attacker much time.

This situation will happen again and again, especially for popular websites, so the right solution to the problem is to close the vulnerability urgently. If you limit yourself to constantly restoring the Web site, you can lose all your standing in search engines and even fall under their filter for spreading malware.

How to detect malware

How can you tell that a website has been hacked and identify the first symptoms of infection? In fact, it is very simple: a failure in traffic statistics, redirects to unfamiliar Web sites and excessive traffic consumption are all signs of infection and of the presence of malicious links that lower the rating of the resource. Not to mention the obvious situations when Yandex or Google search results indicate that your website is “infected”.

When you visit an infected site in the Opera, Chrome or Firefox Web browsers, a warning window about the infected resource will be displayed, since these browsers have their own databases for identifying infected sites. Finally, a local antivirus may determine that a Web site has been infected: when you try to navigate between internal pages, you will see a corresponding message. It may turn out that the website has been hacked and is being used to send advertising spam. You can find out about this when notifications about mass spam mailings begin to arrive at your hoster's address.

How to act in similar situations? First, you need to determine where the virus or advertising link is hiding, and how it got to the site, since the themes, database, or core of the site may be “infected.”

The easiest, but also the longest, way to search for a virus is to track the modification dates of files. Let's say that the bulk of the files in the most important directories (wp-includes, wp-admin, etc.) have the same creation date, but there are one or two files with later creation dates. Check these files and compare them with the files from the WordPress distribution. You can also compare files by size in the Total Commander program. All that remains is to compare the contents of the suspicious files and find out what the extra code fragments you found are for.
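The comparison with the distribution described above can be scripted. The following is an added example, not part of the original article: it hashes every file under wp-admin and wp-includes, compares the result with an unpacked clean copy of the same WordPress version, and also lists files modified later than the bulk of the tree. The directory contents created in build_sample() are constructed for the demonstration.

```python
import hashlib
import os
import tempfile
from collections import Counter

CORE_DIRS = ("wp-admin", "wp-includes")  # the directories named in the text


def sha256_of(path):
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def index_tree(root, dirs=CORE_DIRS):
    """Return {relative_path: (sha256, modification_day)} for files under dirs."""
    index = {}
    for d in dirs:
        for base, _subdirs, files in os.walk(os.path.join(root, d)):
            for name in files:
                full = os.path.join(base, name)
                rel = os.path.relpath(full, root).replace(os.sep, "/")
                index[rel] = (sha256_of(full), int(os.path.getmtime(full) // 86400))
    return index


def compare_with_distribution(site_root, clean_root, dirs=CORE_DIRS):
    """Content comparison: the reliable signal, independent of timestamps."""
    site, clean = index_tree(site_root, dirs), index_tree(clean_root, dirs)
    return {
        "modified": sorted(p for p in site if p in clean and site[p][0] != clean[p][0]),
        "added": sorted(p for p in site if p not in clean),
        "missing": sorted(p for p in clean if p not in site),
    }


def mtime_outliers(site_root, dirs=CORE_DIRS):
    """Files modified on a later day than most of the tree.

    Only a hint: modification times can be reset by whoever changed the file,
    so an empty result here does not replace the hash comparison.
    """
    site = index_tree(site_root, dirs)
    if not site:
        return []
    common_day = Counter(day for _h, day in site.values()).most_common(1)[0][0]
    return sorted(p for p, (_h, day) in site.items() if day > common_day)


def build_sample():
    """Constructed demo data: a clean tree and a site tree with two planted changes."""
    top = tempfile.mkdtemp(prefix="wpcheck-")
    clean, site = os.path.join(top, "clean"), os.path.join(top, "site")
    files = {
        "wp-admin/index.php": b"<?php // admin index\n",
        "wp-includes/load.php": b"<?php // loader\n",
        "wp-includes/functions.php": b"<?php // functions\n",
        "wp-includes/version.php": b"<?php // version\n",
    }
    installed = 1_600_000_000          # constructed install timestamp
    later = installed + 30 * 86400     # constructed time of the planted changes
    for root in (clean, site):
        for rel, body in files.items():
            path = os.path.join(root, rel)
            os.makedirs(os.path.dirname(path), exist_ok=True)
            with open(path, "wb") as fh:
                fh.write(body)
            os.utime(path, (installed, installed))
    changed = os.path.join(site, "wp-includes", "load.php")
    with open(changed, "ab") as fh:    # planted change 1: extra lines in a core file
        fh.write(b"// constructed marker standing in for an extra code fragment\n")
    os.utime(changed, (later, later))
    extra = os.path.join(site, "wp-admin", "cache-x.php")
    with open(extra, "wb") as fh:      # planted change 2: file absent from the distribution
        fh.write(b"<?php // constructed file not shipped with WordPress\n")
    os.utime(extra, (later, later))
    return site, clean


if __name__ == "__main__":
    site_dir, clean_dir = build_sample()
    print(compare_with_distribution(site_dir, clean_dir))
    print(mtime_outliers(site_dir))
```

On a real site, point site_root at a downloaded copy of the installation and clean_root at the unpacked archive of exactly the same WordPress version.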

How to check the rendered HTML code

Perhaps for some reason you were unable to detect the problem using the method described above. Then you can try to find the source of infection in another way.

You will need to open the “infected” website in a browser (preferably Opera or Firefox) and select the context menu item "Show site source code". If you know HTML, you will probably be able to spot suspicious strings. These could be unfamiliar links to sites, pieces of “compressed” or encoded (base64) code, or an unknown fragment of JavaScript, which will probably also be obfuscated. You can identify it by the eval command included in the fragment's code. This usually means that someone tried to hide the true JavaScript code, which should raise some suspicions. Figure 1 shows an example of suspicious code.

Fig. 1. Fragment of suspicious HTML code

By the way, if the website uses a free template from a third-party manufacturer, then using this method you can find advertising links embedded by the template authors. Usually such links are harmless, i.e. they are not viruses. However, they can negatively affect a Web site's ranking in search engines and redirect traffic to a third-party resource.
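The manual review of the page source described above, as an added example that is not part of the original article: it parses saved HTML and reports inline scripts that call eval or carry long base64 runs, hidden iframes, hidden outbound links and scripts loaded from unknown hosts. The host names, the allow-list of embed hosts and the sample page are constructed; the allow-list exists because, as noted earlier, an ordinary YouTube embed is also an iframe.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

EVAL_CALL = re.compile(r"\beval\s*\(")
DECODERS = re.compile(r"\b(atob|unescape|fromCharCode)\b")
LONG_B64 = re.compile(r"[A-Za-z0-9+/]{120,}={0,2}")
HIDDEN_STYLE = re.compile(r"display\s*:\s*none|visibility\s*:\s*hidden", re.I)


def host_of(url):
    """Host of an absolute or protocol-relative URL; None for relative URLs."""
    if not url or not re.match(r"(https?:)?//", url, re.I):
        return None
    return (urlparse(url).hostname or "").lower() or None


class RenderedPageAudit(HTMLParser):
    def __init__(self, own_hosts, trusted_embed_hosts=()):
        super().__init__()
        self.own = {h.lower() for h in own_hosts}
        self.trusted = {h.lower() for h in trusted_embed_hosts}
        self.findings = []        # tuples of (kind, detail, line)
        self._script = None       # collects inline script text inside <script>
        self._script_line = 0

    def handle_starttag(self, tag, attrs):
        a = {k: (v or "") for k, v in attrs}
        line = self.getpos()[0]
        if tag == "script":
            self._script, self._script_line = [], line
            host = host_of(a.get("src"))
            if host and host not in (self.own | self.trusted):
                self.findings.append(("external-script", host, line))
        elif tag == "iframe":
            host = host_of(a.get("src"))
            hidden = (a.get("width") in ("0", "1") or a.get("height") in ("0", "1")
                      or bool(HIDDEN_STYLE.search(a.get("style", ""))))
            if host and host not in self.own:
                if hidden:
                    self.findings.append(("hidden-iframe", host, line))
                elif host not in self.trusted:
                    self.findings.append(("unknown-iframe", host, line))
        elif tag == "a":
            host = host_of(a.get("href"))
            if host and host not in self.own and HIDDEN_STYLE.search(a.get("style", "")):
                self.findings.append(("hidden-link", host, line))

    def handle_data(self, data):
        if self._script is not None:
            self._script.append(data)

    def handle_endtag(self, tag):
        if tag == "script" and self._script is not None:
            body, self._script = "".join(self._script), None
            reasons = ["eval"] if EVAL_CALL.search(body) else []
            reasons += sorted(set(DECODERS.findall(body)))
            if LONG_B64.search(body):
                reasons.append("long-base64")
            # Decoder functions alone are common in normal code; eval or a long
            # encoded run is what the text treats as the suspicious marker.
            if "eval" in reasons or "long-base64" in reasons:
                self.findings.append(("obfuscated-script", "+".join(reasons), self._script_line))


def audit_html(html, own_hosts, trusted_embed_hosts=()):
    parser = RenderedPageAudit(own_hosts, trusted_embed_hosts)
    parser.feed(html)
    parser.close()
    return parser.findings


# Constructed sample page. The base64 string decodes to the word "constructed".
SAMPLE_HTML = """<html><body>
<h1>Blog</h1>
<iframe width="560" height="315" src="https://www.youtube.com/embed/VIDEO_ID"></iframe>
<iframe width="0" height="0" src="http://unknown-host.example/in.php"></iframe>
<a href="http://unknown-host.example/offer" style="display:none">link</a>
<script>eval(atob("Y29uc3RydWN0ZWQ="));</script>
<script src="/wp-includes/js/jquery/jquery.js"></script>
</body></html>
"""

if __name__ == "__main__":
    for finding in audit_html(SAMPLE_HTML, {"example.org"}, {"www.youtube.com"}):
        print(finding)
```

Every finding is a pointer to a line to read by hand, not a verdict; without the embed allow-list the YouTube iframe is reported as well.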

When malicious code on website pages cannot be detected using the methods described above, you can use third-party online tools. For example, you can install the WordPress plugin Exploit Scanner, which will regularly check a website and detect malware. The plugin provides a detailed report and highlights the lines that should subsequently be deleted.

In addition, you can scan a Web site with the online scanner Sucuri SiteCheck - this service is absolutely free, and for a fee you can order a complete treatment of the resource.

How to check plugins and themes for malicious code

As for themes, you can manually track malicious code in them or install the TAC plugin, which works with theme files, checking them for extraneous links and virus code. With this plugin you can check both already installed themes and new ones.

It is very easy to detect the presence of a virus in a theme or plugin code. If the active theme is based on one of the official themes, then you just need to compare the original code with the code of the theme being checked. To do this, download the default theme that is included in the WordPress distribution, change its name and switch the design to it. All that remains is to check the HTML code generated by the server for the presence of a virus; if it is still detected, then the problem clearly does not lie in the theme.

If malicious code was found in the files of the active theme, and additional themes were installed but not activated, then you will have to check each of them, since a virus may be infecting certain files in the themes directory. It is best to use only one theme and remove all inactive ones.

Finding viruses in plugin code is also not particularly difficult. Disable the plugins one by one and check the generated HTML code each time. This way you can identify an infected plugin, remove it and reinstall it from the repository.

Best Ways to Protect WordPress Plugins and Themes:

  • download and install themes and plugins only from trusted websites;
  • do not use “hacked” paid plugins and themes;
  • remove unused plugins and themes;

How to Find Malicious Code in WordPress Core Files

If you have checked your plugins and themes but are still unable to determine the source of the infection, then it may be located directly in the WordPress core files. Core infection may mean that an attacker gained access to the administrative part of the site by guessing or intercepting the password used to access the Web site via FTP.

First of all, scan the computer from which you accessed the FTP or administrative interface of the Web site for viruses. The password may have been stolen from your computer by a Trojan that transferred confidential data to the attacker.

Attackers often embed redirect codes and encrypted links to malicious scripts located on remote servers in the .htaccess file, so the first thing you need to do is compare this file with the original one from the distribution. Particular attention should be paid to lines like this:

RewriteCond %{HTTP_REFERER} .*yandex.*
RewriteRule ^(.*)$ http://unknownsite.com/

If such lines are found, you should not immediately delete them. First, request logs from your hosting provider for the approximate period in which the .htaccess file was modified, and analyze from which IP address and when this file was sent. It is possible that other files were changed at the same time.

If only this file was changed, then you should change the passwords for FTP and the administrative interface. If changes were detected in *.php or *.html files, then most likely a PHP script was uploaded to the site, through which an attacker can gain access to all available information.
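One way to automate the .htaccess check described above (an added example, not code from the original article): it walks the mod_rewrite directives and reports every RewriteRule that sends visitors to a host other than your own, noting when the preceding RewriteCond lines key on the referrer or the user agent. The sample file and the example.org host are constructed; unknownsite.com is the placeholder used in the text.

```python
import re
from urllib.parse import urlparse

COND_RE = re.compile(r"^RewriteCond\s+(\S+)\s+(\S+)", re.I)
RULE_RE = re.compile(r"^RewriteRule\s+(\S+)\s+(\S+)", re.I)
ABSOLUTE_RE = re.compile(r"^(https?:)?//", re.I)
# Request variables that let a redirect fire only for search-engine or mobile visitors.
TARGETING_VARS = ("HTTP_REFERER", "HTTP_USER_AGENT")


def scan_htaccess(text, own_hosts):
    """Return one finding per RewriteRule whose target is a foreign host."""
    own = {h.lower() for h in own_hosts}
    findings, conds = [], []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        cond = COND_RE.match(line)
        if cond:
            conds.append((cond.group(1), cond.group(2)))
            continue
        rule = RULE_RE.match(line)
        if not rule:
            continue
        target = rule.group(2)
        host = None
        if ABSOLUTE_RE.match(target):
            host = (urlparse(target).hostname or "").lower() or None
        if host and host not in own:
            targeted = sorted({v for test, _pattern in conds
                               for v in TARGETING_VARS if v in test.upper()})
            findings.append({
                "line": lineno,
                "host": host,
                "targets_visitors_by": targeted,
                "conditions": [f"{test} {pattern}" for test, pattern in conds],
            })
        conds = []  # RewriteCond lines apply only to the next RewriteRule
    return findings


# Constructed sample: the stock WordPress block, a legitimate HTTPS redirect to
# the site's own host, and the referrer-conditional redirect quoted in the text.
SAMPLE_HTACCESS = r"""# BEGIN WordPress
RewriteEngine On
RewriteBase /
RewriteRule ^index\.php$ - [L]
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteRule . /index.php [L]
# END WordPress
RewriteCond %{HTTPS} off
RewriteRule ^(.*)$ https://example.org/$1 [R=301,L]
RewriteCond %{HTTP_REFERER} .*yandex.* [NC]
RewriteRule ^(.*)$ http://unknownsite.com/ [R=301,L]
"""

if __name__ == "__main__":
    for finding in scan_htaccess(SAMPLE_HTACCESS, {"example.org"}):
        print(finding)
```

Run it over every .htaccess file in the tree, not only the one in the site root, and keep the flagged file's timestamp for the log analysis before changing anything.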

Preventing this type of threat is quite simple and does not require any special costs. It is important to remember the following rules:

  • do not store passwords in FTP managers or in email messages;
  • regularly update the WordPress core;
  • update plugins and themes;
  • Don't use simple passwords.

It is quite possible that you followed all these rules from the start, and the issue is not a vulnerability of the Web site but insufficient protection of the server on which the resource is located. In such cases, send a detailed description of the problem to the hosting provider's technical support and work together to find a solution.

How to Find Malicious SQL Injection in WordPress

So we've already looked at various ways of infecting and treating a website based on the free CMS WordPress. But one of the popular methods of penetration and hacking is SQL injection. This method of infection is based on making a request to the database in which the password for the administrative interface or other confidential information is stolen. With regard to WordPress, we can say that as of the latest update, the known "gaps" in the database security system and in query filtering have been eliminated.

To protect yourself from website hacking using SQL injection, you should carefully select plugins, since they work with the database, and therefore an insufficiently conscientious developer could leave a loophole for attackers. Perhaps some free plugins intentionally integrate such a hidden entry point. When choosing a plugin, you need to be guided not only by its capabilities, but also by its popularity, as well as the number of installations made. It is also worth studying the reviews left on the developer's page. If you have the slightest doubt, or find a negative review regarding security, it is better not to risk it and to install another plugin with similar functionality.

Most CMS are built in such a way that a user with minimal programming skills can install it, configure it, enable one of the proposed design types, and begin filling the Web site with the necessary information. Therefore, Web sites are often in the hands of inexperienced administrators who cannot recognize such an intrusion using SQL injection.

But the WordPress Exploit Scanner plugin mentioned earlier can also work with the database, and in some cases it can find foreign functionality embedded in the database. You then have to delete it manually using special SQL commands in the phpMyAdmin database administration program. Such actions must be performed very carefully, since an incorrect query or command can damage the structure or contents of the database. To prevent this from happening, take care of creating database backups in advance. By the way, Exploit Scanner itself can provide recommendations for correcting SQL queries.

Practical Ways to Protect WordPress Websites

You can find a lot of advice on the Internet on how to secure and protect a website running on the free WordPress CMS. Below is a list of the most effective recommendations:

  • change the standard names of users with administrative rights and never use them, for example, admin, administrator, etc.;
  • install a captcha, which significantly reduces the risk of hacking by brute-forcing passwords;
  • use a complex alphanumeric password of at least 8-10 characters to enter the administrative interface;
  • do not store the password in the Web browser, text files, etc.; offline storage on a piece of paper is much more reliable;
  • the mailbox that was specified when installing WordPress must also be protected with a password;
  • perform regular backups manually or using special plugins or third-party programs, and store the resulting backup copies in several places;
  • do not install plugins from unknown sources, or hacked paid plugins and themes;
  • install plugins responsible for the security of WordPress files and databases, and regularly check the status of the site using an antivirus;
  • update the core, plugins and themes on time (be sure to make a full backup before each update);
  • the admin.php file should be renamed to make it difficult to identify;
  • register your website with Yandex or Google to be aware of problems related to site security and indexing;
  • check the permissions on the WordPress directories and files: 755 is set for directories, 644 for all files, and separately the wp-content directory must have 777;
  • if there is no need to register users, then it is better to disable this function completely;
  • you can also disable the ability to comment and leave only the form for commenting via social networks;
  • the readme.htm file located in the root directory, which stores information about the installed WordPress version, should be deleted (this must be done after each CMS update);
  • the mention of the WordPress version in use should also be removed by adding this line to the functions.php file: remove_action("wp_head", "wp_generator");

What to do if the problem still cannot be solved?

There are no hopeless situations. It may seem that you have tried absolutely every method to neutralize virus code or hidden advertising links. It is possible that the website has stopped working due to unsuccessful virus treatment, and you are no longer able to restore it. Do not despair, but try to contact specialists who, for a fee, will help restore your Web site and give advice on how to improve its security and performance. You can also write to WordPress technical support, look for the answer in the WordPress Codex, or ask a question on the official forum.

If you got rid of the viruses, correctly configured the plugins responsible for security, changed passwords, and after some time the situation repeated itself, then you should consider changing the hosting provider. Most likely, the servers on which the Web site is located are poorly protected or configured incorrectly.

Conclusion

Most of the tips presented will remain relevant for a very long time, since they apply not only to WordPress, but to any Web site, regardless of the platform used. The Internet is developing rapidly: new updates are constantly appearing, new viruses are being written, and security gaps are being found in CMSs and various services. Keep up with the times, regularly upgrade and update your Web site, and then you can avoid such emergencies.

Malicious code gets onto the site through negligence or malicious intent. The purposes of malicious code vary, but essentially it causes harm or interferes with the normal operation of the site. To remove malicious code on WordPress, you must first find it.

What is malicious code on a WordPress site?

In appearance, malicious code is most often a jumble of Latin letters and symbols. In fact, it is encoded code that performs some action. The actions can be very different; for example, your new posts are immediately published on a third-party resource. This is essentially stealing your content. Such code can also have other “tasks”, for example, placing outgoing links on site pages. The tasks can be very sophisticated, but one thing is clear: malicious code needs to be hunted down and removed.

How do malicious codes get onto a website?

There are also many ways for such code to get onto the site.

  1. Most often, these are themes and plugins downloaded from dubious resources. This route, however, is typical for so-called encrypted links; explicit code does not end up on the site this way.
  2. The penetration of a virus when a site is hacked is the most dangerous. As a rule, hacking a site makes it possible not only to place a “one-time code”, but also to install code with malicious program elements (malware). For example, you find the code and delete it, but it is restored after some time. There are, again, many options.

Let me note right away that fighting such viruses is difficult, and manual removal requires knowledge. There are three solutions to the problem. The first solution is to use antivirus plugins, for example, a plugin called BulletProof Security.

This solution gives good results, but takes time, albeit a little. A more radical solution for getting rid of malicious code, including complex viruses, is to restore the site from previously made backup copies.

Since a good webmaster makes backups periodically, you can roll back to a non-infected version without any problems. The third solution, for the rich and lazy, is simply to contact a specialized “office” or an individual specialist.

How to Look for Malicious Code on WordPress

It is important to understand that malicious code on WordPress can be in any file on the site, and not necessarily in the active theme. It can arrive with a plugin, a theme, or “homemade” code taken from the Internet. There are several ways to try to find malicious code.

Method 1. Manually. You scroll through all the site files and compare them with the files of an uninfected backup. If you find someone else's code, delete it.

Method 2. Using WordPress security plugins. For example, . This plugin has a great feature, scanning site files for the presence of other people's code, and the plugin does an excellent job of this task.

Method 3. If your hosting has responsive support and it seems to you that there is something foreign on the site, ask them to scan your site with their antivirus. Their report will list all infected files. Next, open these files in a text editor and remove the malicious code.

Method 4. If you can work with the site directory over SSH, then go ahead; that approach has its own set of techniques.

Important! No matter how you search for malicious code, before searching for and then deleting the code, close access to the site files (turn on maintenance mode). Remember that some code restores itself after it is deleted.
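Method 1 (comparing the site files with an uninfected backup) can be done by hash instead of by eye. The script below is an added example, not part of the original article; the directory layout and file names in `demo()` are constructed for illustration.

```python
import hashlib
import os
import tempfile

def file_digest(path):
    """SHA-256 of a file, read in chunks so large files are not loaded whole."""
    h = hashlib.sha256()
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(65536), b""):
            h.update(block)
    return h.hexdigest()

def snapshot(root):
    """Map every regular file under root (relative path) to its digest."""
    digests = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            if os.path.islink(full):
                continue  # a symlink may point outside the tree; skip it
            digests[os.path.relpath(full, root).replace(os.sep, "/")] = file_digest(full)
    return digests

def compare_trees(live_root, backup_root):
    """Files added to, removed from, or changed in the live site since the backup."""
    live, clean = snapshot(live_root), snapshot(backup_root)
    return {
        "added": sorted(set(live) - set(clean)),
        "removed": sorted(set(clean) - set(live)),
        "modified": sorted(p for p in live.keys() & clean.keys() if live[p] != clean[p]),
    }

def demo():
    """Constructed sample: a clean backup, and a live copy with one edit and one new file."""
    with tempfile.TemporaryDirectory() as tmp:
        live, backup = os.path.join(tmp, "live"), os.path.join(tmp, "backup")
        theme = "wp-content/themes/demo"  # hypothetical theme name
        for root in (live, backup):
            os.makedirs(os.path.join(root, theme))
            with open(os.path.join(root, theme, "functions.php"), "w") as fh:
                fh.write("<?php // theme setup\n")
        with open(os.path.join(live, theme, "functions.php"), "a") as fh:
            fh.write("// constructed extra line\n")
        with open(os.path.join(live, "wp-content", "cache.php"), "w") as fh:
            fh.write("<?php // constructed unexpected file\n")
        return compare_trees(live, backup)

if __name__ == "__main__":
    print(demo())
```

On a real site, call `compare_trees()` with a downloaded copy of the live files and the unpacked backup; files under "added" and "modified" are the ones to open and read.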

Search for malicious codes using the eval function

PHP has a function called eval. It executes whatever code is passed to it as a string. Moreover, that code can be encoded. It is because of the encoding that the malicious code looks like a jumble of letters and symbols. Two popular encodings are:

  1. Base64;
  2. Rot13.

Accordingly, in these encodings the eval function looks like this:

  • eval(base64_decode(...))
  • eval(str_rot13(...)) // inside the inner quotes are long, unintelligible sets of letters and symbols

The algorithm for searching for malicious code using the eval function is as follows (we work from the administrative panel):

  • go to the site editor (Appearance→Editor);
  • copy the functions.php file;
  • open it in a text editor (for example, Notepad++) and search for the word: eval;
  • if you find it, don’t rush to delete anything. You need to understand what this function “asks” to be performed. To understand this, the code needs to be decoded. For decoding there are online tools called decoders.

Decoders/Encoders

Decoders work simply. You copy the code you want to decrypt, paste it into the decoder field and decode.
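The eval search and the decoding step can also be done locally, so the suspect string never has to be pasted into a third-party site. The script below is an added example, not part of the original article: it finds the two wrapped forms listed above in PHP source and decodes the string literal without executing it. The sample input is constructed.

```python
import base64
import codecs
import re

# eval(base64_decode('...')) or eval(str_rot13("...")); PHP function names are case-insensitive.
WRAPPED = re.compile(
    r"""eval\s*\(\s*(base64_decode|str_rot13)\s*\(\s*(['"])(.*?)\2\s*\)\s*\)""",
    re.IGNORECASE | re.DOTALL,
)

def decode_payload(func, data):
    """Decode the string literal as PHP would, without executing the result."""
    if func.lower() == "str_rot13":
        return codecs.decode(data, "rot_13")
    try:
        raw = base64.b64decode(data + "=" * (-len(data) % 4))
    except ValueError:
        return "<not valid base64>"
    return raw.decode("utf-8", errors="replace")

def find_wrapped_evals(php_source):
    """Return (line_number, function, decoded_text) for every wrapped eval found."""
    hits = []
    for m in WRAPPED.finditer(php_source):
        line = php_source.count("\n", 0, m.start()) + 1
        hits.append((line, m.group(1).lower(), decode_payload(m.group(1), m.group(3))))
    return hits

# Constructed sample, modelled on a hidden template-author link.
LINK_PHP = "echo '<a href=\"https://example.com\">Theme author</a>';"
SAMPLE = (
    "<?php\n"
    "add_action('wp_footer', 'demo_footer');\n"
    "eval(base64_decode('" + base64.b64encode(LINK_PHP.encode()).decode() + "'));\n"
    "eval (str_rot13 ('rpub \"uryyb\";'));\n"
)

if __name__ == "__main__":
    for line, func, text in find_wrapped_evals(SAMPLE):
        print(f"line {line}: eval({func}(...)) decodes to: {text}")
```

The pattern only matches a string literal passed directly to the decoder; a payload assembled from variables or concatenation still has to be read by hand.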

At the time of writing, I did not find a single piece of encrypted code in WordPress. I found the code on a Joomla website. In principle, this makes no difference for understanding decoding. Let's look at the photo.

As you can see in the photo, the eval function, after decoding, produced not some terrible code that threatens the security of the site, but an encrypted copyright link from the author of the template. It can also be removed, but it will come back after updating the template if you don't use .