Malicious software detection for WordPress

This article describes how to detect and remove harmful software on websites powered by WordPress. It also gives recommendations on how to protect your website from being infected.

How to detect malicious software?

The following signs indicate that a website may be infected:

  • there is an abrupt drop in your website’s traffic;
  • visitors are redirected from your website to third-party resources;
  • Yandex and Google flag the website as not recommended for visiting;
  • Opera, Chrome or Firefox explicitly warn that the website is infected;
  • and last but not least, you receive an automatic notification from us saying that harmful software has been detected on the website.

Detection of harmful software

  1. check your account for harmful software using the Maldet scanner (see “How do I check my website for viruses?”);
  2. install the ‘TAC’ plugin and test your themes for harmful links. This plugin checks the files of installed themes for signs of harmful code. If it detects such code, it shows the path to the theme file, the line number and a short fragment of the malicious code. To install the plugin, download the archive containing it and extract it to the /wp-content/plugins/ directory, then activate the plugin in the administration section of WordPress;
  3. check the .htaccess file for extraneous code. Pay close attention to the RewriteCond and RewriteRule directives: they have to be the same as in the standard .htaccess file, unless you changed them yourself. Also look for fragments of code encoded with base64 and remove them, unless you or the website developers wrote them;
  4. install the Exploit Scanner plugin. It will check the database for SQL injections and for plugins with suspicious names. This plugin will not delete anything automatically; it only notifies you of what it finds. Download the archive from the plugin's page and extract it to the plugin directory; then activate the plugin via the administration section of the website.
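
The check from step 3, as an added example that is not part of the original article: a Python script that lists RewriteCond/RewriteRule lines differing from the default WordPress block, plus any line carrying base64 content. The baseline assumes a single-site install in the web root; `audit_htaccess`, `SAMPLE` and all sample values are constructed for illustration.

```python
import re

# Cond/Rule lines of the default WordPress block. Assumption: single-site
# install in the web root; subdirectory or multisite installs differ.
STANDARD = {
    r"RewriteRule .* - [E=HTTP_AUTHORIZATION:%{HTTP:Authorization}]",
    r"RewriteRule ^index\.php$ - [L]",
    "RewriteCond %{REQUEST_FILENAME} !-f",
    "RewriteCond %{REQUEST_FILENAME} !-d",
    "RewriteRule . /index.php [L]",
}
DIRECTIVE = re.compile(r"^Rewrite(?:Cond|Rule)\b", re.I)
BASE64_RUN = re.compile(r"[A-Za-z0-9+/]{40,}={0,2}")  # long base64-looking run

def audit_htaccess(text):
    """Return (line_no, reason, line) tuples that deserve a manual look."""
    findings = []
    for no, raw in enumerate(text.splitlines(), 1):
        line = " ".join(raw.split())  # trim and collapse whitespace
        if not line or line.startswith("#"):
            continue  # blank lines and comments are inert
        if DIRECTIVE.match(line) and line not in STANDARD:
            findings.append((no, "non-standard rewrite", line))
        if "base64" in line.lower() or BASE64_RUN.search(line):
            findings.append((no, "base64 content", line))
    return findings

# Constructed sample: the default block with two extra rewrite lines and
# one line holding a base64 string (all values invented for this example).
SAMPLE = r"""# BEGIN WordPress
<IfModule mod_rewrite.c>
RewriteEngine On
RewriteBase /
RewriteRule ^index\.php$ - [L]
RewriteCond %{HTTP_REFERER} (google|yandex) [NC]
RewriteRule ^(.*)$ http://redirect.example/ [R=302,L]
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteRule . /index.php [L]
</IfModule>
# END WordPress
SetEnv X_SAMPLE "Y29uc3RydWN0ZWQgc2FtcGxlIHZhbHVlIGZvciB0aGlzIGV4YW1wbGU="
"""

if __name__ == "__main__":
    for no, reason, line in audit_htaccess(SAMPLE):
        print(f"line {no}: {reason}: {line}")
```

Each hit is a prompt for manual review: rules that you or the website developers added will be listed as well.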

Precautions

  • regularly update your CMS to the latest stable version;
  • update plugins and themes; install only safe, proven plugins and themes from official sources;
  • use complex passwords (8 characters or more, containing both uppercase and lowercase letters and special characters);
  • do not store your passwords in FTP clients or browsers;
  • set correct permissions for files (644) and directories (755);
  • use custom names for superuser accounts instead of the standard Admin or Administrator;
  • when you install a CMS, specify a non-standard database prefix.