Removing malware from first line of WordPress PHP pages

Kudos to Carel van Wyk, for helping out with this one. I’m releasing it into the wild here to help other people who might have the same problem.

The problem

There are bots trying to gain access to websites, email and social media accounts, all the time. Don’t take it personally; they’re simply looking for (usually known) weaknesses to exploit and then once they’re in, they use your account to send out spam ads, on which the spammers earn referral revenue.

It’s not limited to things like email and social messaging accounts, if a bot gained access to a website, it could send spam emails and comments from that domain.

Since a giant chunk of the Internet runs on WordPress it is logical that there are many bots that look specifically for WordPress vulnerabilities. The main things that increase their odds of gaining access to your site are:

• Using an easy-to-crack password
• Using a password which is used on another site
• Using the standard “admin” username
• Not updating your WordPress version
• Not updating your plugins

Obviously, there’s a longer list, but that’s not the point of today’s post. Use something like iThemes Security or WordFence, review the bullets above and don’t use shitty hosting and you should be fine.

But let’s review a standard PHP malware issue I’ve seen on lots of sites.

Finding the injected malware script

If you find that things become unresponsive, the site breaks, you suddenly can’t update things or your hosting company calls you saying there are spam complaints coming from your domain, your site is probably infected.

If you look in your WordPress root or in any of the plugin or theme folders, you’ll see something like this in the first line of (usuall all) PHP files:

<?php if(!isset(...long line of crap’));?><?php

or

<?php eval(base64_decode('…long line of crap'));?><?php

What you should see on the first line is just the trailing <?php, the first bit of script, the long line of crap, got injected by the malware and is used to execute different spammy messages.

Fixing the mess

WordPress.org has this resource: https://codex.wordpress.org/FAQ_My_site_was_hacked

Sadly, it requires a backup and chances are if you’re reading this that you don’t have a backup (or that the backup might also include infected files).

The best way is to completely kill the site and do a fresh install, but failing that, here’s a step-by-step in removing the injected script from the .php files:

1.    Make a local copy of the infected folders

The infection might be restricted to your /plugins or /themes folder, but it could be in all folders throughout your entire website. Use something like FileZilla and save the folders to your computer (like: ~/desktop/plugins/). Make an extra local copy after you’ve downloaded the site or folders, in case you break things even furhter (like ~/desktop/plugins-backup/)

2.    Download this script

Save this file, unzip it and place it in the root of your local files (like ~/desktop/plugins/cleany.py).

 

3.    Run it

• Open Terminal on your Mac (command-space, type “terminal” to launch it)
• Navigate to the folder (“cd desktop” return, “cd plugins” return)
• Run it (type in “python cleany.py” and hit return)
• It will ask you if you’re sure you want to replace the top line of individual or all PHP files and replace it with <?php (the only line it should contain), hit y and return.

Et voila! Your php files should be back to normal. Now, all you need to do is reupload the folder(s) to the website.

Hope this worked for you.