Question

Josh Yudell needs help to get rid of malware

Mar 27, 2013 6:20AM PDT

Hello guys,

My name is Josh Yudell and I am glad to be a part of CNET. I need help from the experts and senior members regarding malware on WordPress websites.

My WordPress sites seem to be constantly getting attacked and some malware scripts keep being embedded in my header file (header.php).

I am even running a few plugins that are supposed to stop it from happening and that's not working. I deleted the script from the header file but the malware warning still shows up when I scan it:

Suspicious conditional redirect.
Details: http://sucuri.net/malware/entry/MW:HTA:7
Redirects users to: [ malware site redacted, you really don't need to share that link here ]

Any help or suggestions that any one of you can provide would be GREATLY appreciated.

Waiting for your responses.

Thanks
Josh Yudell

Answer
If a website is infected...
Mar 27, 2013 7:17AM PDT

Unless you can be 100% sure of where the malware came from and what it changed, because you have an intrusion detection system (OSSEC), simply removing the damage you see (like code in header.php) doesn't actually solve the problem, because whatever put it there in the first place could still exist.

Take a look at this in terms of securing your WordPress in the future:
http://codex.wordpress.org/Hardening_WordPress

For now, I don't think you can get around completely reinstalling WordPress. You can export your data and then reimport it, but before you move the uploads folder back, make sure there are no script files in there e.g. something.php or something.js.

It is possible that something unwanted could be stored in the database, but in all my WordPress infections I've seen, the database was always clean, so there's hope.

~Sovereign

Answer
Hacked Wordpress sites - Additional help
Apr 26, 2013 12:45AM PDT

Hey Josh - sorry to hear about your malware issues on WordPress!

I work with a community support department for a hosting company and we very often get involved in reviewing WordPress sites that have been hacked. The last one I reviewed was hacked through the theme. While I don't recommend a SINGLE solution, this one is very good in that it reviews ALL of the themes that you have loaded and will note if one is showing up as hacked:

http://wordpress.org/extend/plugins/tac/

Other than that, if you don't trust the plugins, as long as you have access to your WordPress Admin dashboard, you can always go in and change themes to make sure it's not the source of the issue.

Finally, a very common hack that you might see is an .htaccess injection. Common examples of hacks in this file are additions of redirects (normally to a bad site) and base64 code (which are typically redirects). You can find a lot of information about this common hack here:

http://wordpress.org/tags/htaccess-redirect

If you want to see what a normal htaccess entry for WordPress looks like, look here (it's a forum post on WordPress, but it shows the correct default WordPress htaccess):

http://wordpress.org/support/topic/i-destroyed-my-site-default-htaccess

Remember to make a BACKUP if you're not familiar with making changes to ANY of your configuration files. That way, if you do make a change and it's not a good one, then you can revert back.

Finally, you mentioned SITES - instead of a singular WordPress site. From experience, I can tell you that sometimes there may be a single compromised site that can lead to your others becoming infected (especially if you're on shared hosting). Make sure that you enforce the cycling of the Admin and user passwords when you have a hack issue. For that matter - make sure you cycle ALL of your account passwords. It's just good practice and should be a necessity when security issues are the issue.

I hope this helps you with your malware issue!

-Arnel C.
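
The two checks suggested in the answers above (comparing .htaccess with the default WordPress block, and looking for script files in the uploads folder), as an added example that is not part of the original posts. It assumes WordPress installed at the web root with the classic default block; the function names and the sample .htaccess are constructed for illustration.

```python
import re
from pathlib import Path

# Classic default block for WordPress at the web root (assumption: other layouts differ).
DEFAULT_RULES = {
    "# BEGIN WordPress", "<IfModule mod_rewrite.c>", "RewriteEngine On",
    "RewriteBase /", r"RewriteRule ^index\.php$ - [L]",
    "RewriteCond %{REQUEST_FILENAME} !-f", "RewriteCond %{REQUEST_FILENAME} !-d",
    "RewriteRule . /index.php [L]", "</IfModule>", "# END WordPress",
}
# Rules that key on where the visitor came from, point off-site, or mention base64.
SUSPICIOUS = re.compile(r"HTTP_REFERER|HTTP_USER_AGENT|https?://|base64", re.I)
SCRIPT_EXTS = {".php", ".phtml", ".js"}
# Constructed sample: a conditional redirect placed above the default block.
SAMPLE = r"""RewriteEngine On
RewriteCond %{HTTP_REFERER} (google|bing) [NC]
RewriteRule .* http://redirect.example.invalid/ [R=302,L]
# BEGIN WordPress
<IfModule mod_rewrite.c>
RewriteEngine On
RewriteBase /
RewriteRule ^index\.php$ - [L]
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteRule . /index.php [L]
</IfModule>
# END WordPress
"""

def audit_htaccess(text):
    """Return (line_no, line, reason) for each line outside the default block."""
    findings = []
    for no, raw in enumerate(text.splitlines(), 1):
        line = " ".join(raw.split())  # normalise whitespace before comparing
        if not line or line in DEFAULT_RULES:
            continue
        hit = SUSPICIOUS.search(line)
        findings.append((no, line, "redirect pattern" if hit else "not default"))
    return findings

def find_scripts_in_uploads(wp_root):
    """List script files under wp-content/uploads (the folder the answer says to check)."""
    uploads = Path(wp_root) / "wp-content" / "uploads"
    return sorted(p.relative_to(wp_root).as_posix() for p in uploads.rglob("*")
                  if p.is_file() and p.suffix.lower() in SCRIPT_EXTS)

if __name__ == "__main__":
    for finding in audit_htaccess(SAMPLE):
        print(finding)
```

A "not default" finding is not necessarily malicious, since caching and security plugins add their own rules; it only marks lines to review by hand.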

Josh Yudell needs help to get rid of malware
Sep 11, 2013 9:40PM PDT

dr jason diamond reviews,

Hi Josh Yudell,

Nice question you have asked here. I found InMotionHosting's answer pretty informative, and I, dr jason diamond reviews, just would like to say thanks to Josh Yudell and InMotionHosting.


Thanks
dr jason diamond reviews