How to remove the malware attack in wordpress?

[moria]

Hi do you know how to remove malware attack on wordpress sites?

[stephenj141]

Sorry, I don't know about that but I am sure their must be some option about this in Wordpress. But can I know how and when malware attack on your website?

[moria]

what I mean is like this site http://4ghblogs.com/ that site has been infected by some malware.. do you have any idea how to remove that?

[James Andy]

Well, you should protect it with antivirus.

[nancy29]

Well, you should protect it with antivirus.

if that is the kind of answer you will give for removing malware from a site, who will your php dev brand which you have added in your signature.

The better way to remove the malware or any malicious code is to either recover/restore your site to an older date or save the database and then install a fresh wp porting the db on the new wp

[nicole_powell]

Here is some info to help you locate and remove a malware infection on your site (it's generic as we give it out to anyone that's been infected):

Can’t find malware what do I do? If you don’t feel comfortable and don’t have a backup, I suggest that you just completely wipe your server and start over; otherwise you may continue to have problems.

1) First, do you have a “clean” back-up of your site? By clean, I mean a backup that occurred at LEAST 1 week before you were notified of the issue. If so, just restore it from that (Make sure you DELETE everything from your server first or you may leave a backdoor on there).

2) If #1 doesn’t apply, do the following, check all .htaccess files, index.php files and any include files or theme files you may be using. This will depend on if you are running wordpress, joomla, osCommerce, etc. for anything out of the ordinary (see #5 below). If you don’t find anything in your .htaccess file or .php files, start checking your .js files and directories. I would recommend using SSH/Grep for this but if you don’t have any experience with this or don’t have access, you can do it using FTP and opening the files – you CAN NOT do this using your site admin tools.

3 ) If you have access to your server logs, it may help to look at those, but unfortunately most hosting companies rotate the logs every 24 hours so by the time it’s detected, all evidence is long gone.

4) Check above your main web directory (usually above public_html, httpdocs, html, etc) for an .htaccess file that will override anything in your web directory.

5) Remove any code that you find in your “legitimate” files that matches any of the following (Note – this isn’t an all exhaustive list, it’s the most common issues I’ve seen):
a. “eval(base64_decode(…..”
b. “edoced_46esab…”
c. “getMama…”
d. “115,99,114,105,112,116….”
e. “document.write(‘<iframe…..”

6) Look for any php files in any image, css, upload, download, etc directories that would not normally have a php file in them. Check the file contents for base64 strings and thing that point to it being a php shell such as “FilesMan”, “c999sh”. If you find files like this, DELETE THEM.

7) UPGRADE your site immediately if you are not running the latest version to remove any possible publicly available vulnerability.

8) Also I would recommend checking permissions; files should be at 644 and directories at 755 (this depends on your hosting company/server – this is the most common setting). Change your cPanel and FTP passwords. I would also recommend password protecting any administrative access to your site – password protect the directory for an extra layer of protection.

9) After you have completed all those steps, go to google . com/webmasters and if you don’t already have an account create one (Obviously if you have one – skip this step).

10) Once you’ve created your account, add your site, then on the left hand side, click on “Health”, “Malware” . If they have you flagged, and you have cleaned your site, submit it for re-evaluation. This usually will take between 24-48 hours before you are cleared.


Hope this helps,

Regards,

[Dam Ponting]

1. To start with and most critical advance is – make your PC/work station secured. This incorporates – having a decent antivirus/Internet security framework. Get one (Kaspersky, Bitdefender, AVG, Norton … bla) in the event that you don't have it yet. Influence a full framework to examine and dispose of any dangers (infections, Trojans).
2. Download the WordPress site in your PC (utilizing FTP or Control board File Manager). To lessen the time – you may Zip (pack) the full site in the event that you have a control board in your facilitating and on the off chance that it permits compacting. 3. Concentrate the envelope – in the event that you've downloaded a zip duplicate. Keep the compress record as reinforcement and don't erase it – with the goal that you can utilize it on the off chance that anything turns out badly when you endeavor to settle the site. Take a reinforcement of your database as well. Presently, go into the removed WordPress envelope.
4. The following part is cleaning the pernicious code.

[ORLOVA]

TAC is a WordPress plugin which scans every WordPress theme source code for malicious code such as hidden footer links and Base64 codes etc. If detected, it shows the exact path to that particular theme and destructed code, so that the admin can easy find the suspicious code for correction.

[Servers Base]

1. Identify Hack
1.1 Scan your site
1.2 Check Core File Integrity
1.3 Check recently modified files
1.4 Check diagnostic pages
2. Remove Hack
2.1 Clean Hacked Website Files
2.2 Clean Hacked Database Tables
2.3 Secure User Accounts
2.4 Remove Hidden Backdoors
2.5 Remove Malware Warnings

[Lewis-H]

Visit the SiteCheck website.
Click Scan Website
If the site is infected, review the warning message.
Note any payloads and locations (if available).
Note any blacklist warnings.

If the remote scanner isn’t able to find a payload, continue with other tests. You can also manually review the iFrames / Links / Scripts tab of the Malware Scan to look for unfamiliar or suspicious elements.

If you have multiple WP sites on the same server we recommend scanning them all. Cross-site contamination is one of the leading causes of reinfections. I would encourage every website owner to isolate their hosting and web accounts.

Regards,
Lewis