Finding Malware In A WordPress Website

What types of malware are most commonly found in WordPress websites, and how do they get there? SQL injection, JavaScript insertion and .htaccess hacks are all common ways to alter the content of your WordPress website. Some malware scripts redirect users to another website, others insert malicious links and others use the .htaccess file to steal your website’s Google ranking.

Common Types Of WordPress Hacks

If you suspect that you have been hacked, here are some common signs to search for in your website code:

An Altered .htaccess File

The .htaccess file is always in the root directory of your WordPress site. This file lets you write rules to control how the server handles website requests, such as Google crawler access or URL redirects.

Hackers who gain access to the .htaccess file insert a few lines of code that redirect search engines. The malware detects the “user agent” value, which is passed from a web browser or search engine to the WordPress server. If the user agent is “Google,” the hacked .htaccess file redirects Google to the hacked website.

This hack is completely invisible to your WordPress readers, and it only affects your Google ranking. The following code is an example of hacked .htaccess code:

RewriteCond%{HTTP_REFERER}.*google.*[OR]

RewriteRule^(.*)$ http://hackedsite.com/index.php [R=301,L]

In the above example, if a Googlebot crawls the website, the crawler is redirected to the hacker’s website. You must delete these lines of code from the .htaccess to remove the malware.

Inserted JavaScript or PHP Code

Two functions exist that help hackers mask and hide inserted malware code: the JavaScript “eval” function and the PHP “base64_decode” function. A simple Windows “Find” procedure on all of your web pages can be used to find these functions in your code.

The “eval” function lets a hacker inject JavaScript code that looks like normal code, but the hacker inserts links or uses a redirect that runs after a few seconds on the website.

The PHP “base64_decode” function is more popular, because it allows the hacker to encrypt malicious coding statements. The “base64_decode” function decrypts the code upon execution, so it is only seen when the code is opened in a web browser. This PHP function is typically used to include hidden links to malicious websites.

Usually, the hacker places the malicious code several lines below the main content, so the webmaster misses the statements. Make sure you scroll all the way to the bottom to find the malicious statements. The following code is a random example of obfuscated PHP malware you can find on hacked web pages:

eval(base64_decode($_SERVER57F))%32%5E|.+)

All of the code after the “_SERVER” statement is encrypted code. In this instance, you must delete the entire line of code to remove the malware.

SQL Injection Hacks

SQL injection is the most difficult for a webmaster to understand, because you must know the SQL coding language to understand how the hack works. SQL injection works using database commands against the WordPress database.

The exploit is available on any website that does not use a process called “scrubbing” in the inline SQL code. The best way to avoid a SQL injection malware on a WordPress site is to update the software to the latest WordPress version. However, this does not protect the SQL injection on WordPress plug-ins. Make sure your plug-in code is up-to-date, and only download plug-ins from the official WordPress.org website.

Protect Yourself From Malware

After you find and remove malware from your site, you must be sure that you know how the hacker was able to inject the malicious code. Change all passwords, update virus definition files and run a virus scan on all computers that have access to the website code. Part of protecting the site from future hacks is understanding how the hacker obtained access to your website. If you simply change the code, you run the risk of being hacked in the future.

For assistance cleaning a website that has been infected with malware, or to take preventative measures to protect your site from being attacked in the first place, SiteLock is here to help. Contact us at 855.378.6200 to talk with one of our website security consultants to put together a custom security plan.