Malware is sneaky unless it wants you to know that it exists. So, we are going to have a look at how to assess a WordPress website and find malware.
Most website owners become aware that there is a problem because something seems ‘odd’. Usually, something doesn’t seem to function quite right, or something unusual is happening. Of course, these things could just be bugs in a recently installed update, or someone could actually be working on the website legitimately at the time. It always pays to make sure though.
There are two ways to detect malware. The first is the manual way. The second is the automatic way. There are pros and cons to each, and it’s important to know how to find malware manually before using any automated processes. This way, the automated software will actually work better for you since you have an understanding of what is going on in the background. Let’s get started on manual malware detection.
Step 1. Take a backup
I can’t emphasise this enough. Back your entire site up. Back up the database and the files. Even though we are just attempting to confirm the presence of malware, it is still important to have a backup in case something goes wrong. If you don’t have a backup solution, I recommend Updraft Plus or BackWPup as free options with paid upgrades that give you the ability to back up your WordPress site to both local and remote destinations. We will be covering backups in more detail later in this guide.
Step 2. Ask questions
Always ask questions. If something doesn’t seem right, ask yourself: Does the behaviour your website is exhibiting seem like malware? Remember, malware is malicious software, so it is doing something bad for someone else’s gain. Think about what is happening. Does it seem like someone could be gaining something from what is occurring? Could they be getting paid for ads? Could they be skimming user data? Could they be spreading more malware? Think about the types of malware and malware distribution I discussed in this blog post. Does the behaviour you are seeing seem to fit the description of malware? Sometimes it is blatantly obvious, and sometimes it isn’t.
If you can say that it seems like malware, jump straight to step 4.
If not, consider whether any updates have been installed or whether you have recently done any work on the website that might have contributed to the odd behaviour. Have you installed new plugins? A new theme? Edited some code directly? Moved your widgets around? If you don’t manage your website yourself, then you should ask your web people, and chances are they can deal with the problem for you.
If the answer is yes to any of these questions, then you want to troubleshoot. If the answer is no, you can skip step 2 and go straight to step 4.
Step 3. Troubleshoot your changes
Identify exactly what you changed and undo it. You took backups, right? If you made a few changes, undo them one by one until the site seems to be normal, or until it is back to the state it was in before you made changes. If the problem is gone after you have undone the recent changes, chances are it is just a bug that has been introduced and could be associated with any number of other issues. Troubleshooting changes is outside the scope of this guide, but it is unlikely you have malware, so you will need to figure out what change is causing the problem and resolve it. Generally speaking, this means redoing your changes one by one until the unusual behaviour reappears.
If the questionable behaviour still exists after rolling back your changes, then it is likely that an infection exists, or that the problem was introduced in previous changes and went unnoticed.
Step 4. Look closely at what is actually happening
If payments don’t seem to be processing correctly, follow the process on both the front end and the back end. If ads seem to be appearing, look at your source code to see where they are and then check your theme template files as well as any relevant widgets, plugins or other theme customisations. The idea is to confirm that something is not as it should be. Sometimes we have seen ads on a website only to discover that the extra content was displaying because of an incorrectly placed widget. Sometimes it’s just a typo in a PayPal email address leading to payment failures. If there is something clearly malicious though, it will stand out, like an unknown email address in your PayPal settings.
Step 5. Check your core files
Malware that targets WordPress will often hide in plain sight. The majority of malware I’ve seen adds new files with names that sound legitimate inside core folders you don’t normally touch, such as the wp-admin directory or even the root WordPress directory. However, the malware or hacker still needs some way to run their malicious program. This means either sending traffic directly to it or modifying a WordPress file to run it. A good place to look is wp-config.php. This is your WordPress configuration file and defines really important settings for your website, including your database password. Another common place for malware to hide is your index.php file. Both of these files run every time your site loads, so they are common files for malware to hide in.
You will find both of these files in the root directory of your WordPress installation. Scan the contents of these two files and look for anything that is not humanly readable. I know PHP doesn’t necessarily look readable to someone who isn’t a programmer, but it still has real words in it that you can read. Malware has become increasingly sophisticated and is frequently encrypted. That means there will be a block of gibberish text, like this one:
The example above shows an encrypted piece of code that I found in wp-config.php on one website. The first section is actually the command to decrypt the malware and then uncompress it. You can see they’ve attempted to hide what it is doing by breaking the command, “base64_decode” into three parts as well as “create_function” and “gzuncompress”. This is sneaky and no legitimate code for your website would need to hide itself in this way. A simpler version of this malware that I’ve seen leaves the functions intact without breaking them up. The point is though, that if you find code like this in any WordPress file, it is malware.
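The indicators described above (names such as base64_decode, gzuncompress and create_function broken into string fragments, and a long block of encoded gibberish) can be checked for mechanically. The following Python script is an added example written for this guide, not code from the original post or from any WordPress project. It joins quoted fragments back together before matching, so a split name is caught, and flags long runs of base64 characters. The two PHP samples it scans are constructed for the demonstration; eval and gzinflate are added to the watch list on the assumption that they are equally out of place in a configuration file.

```python
import re
from pathlib import Path

# Functions a legitimate wp-config.php or index.php has no reason to reference.
# The first three are the ones named in the text; eval and gzinflate are an
# assumption based on how often they accompany them.
SUSPICIOUS_FUNCTIONS = ("base64_decode", "gzuncompress", "create_function", "eval", "gzinflate")

# The seam between two string fragments: a quote, optional whitespace, a dot,
# optional whitespace, a quote, e.g. the  '.'  in  'ba'.'se64'
FRAGMENT_SEAM = re.compile(r"""['"]\s*\.\s*['"]""")

# 80 or more consecutive base64-alphabet characters. WordPress salts are 64
# characters and contain punctuation, so they do not trip this; encoded
# payloads are usually far longer than 80 characters.
BASE64_BLOB = re.compile(r"[A-Za-z0-9+/]{80,}={0,2}")


def join_fragments(source: str) -> str:
    """Collapse 'ba'.'se64_d'.'ecode' into 'base64_decode' so split names can be matched."""
    return FRAGMENT_SEAM.sub("", source)


def scan_source(source: str) -> list[str]:
    """Return human-readable findings for one PHP file's contents (empty list = nothing found)."""
    findings = []
    joined = join_fragments(source)
    for name in SUSPICIOUS_FUNCTIONS:
        pattern = re.compile(rf"\b{re.escape(name)}\b")
        if pattern.search(joined):
            note = f"reference to {name}"
            if not pattern.search(source):
                # Only visible after joining fragments: deliberately hidden.
                note += " (name split across string fragments)"
            findings.append(note)
    for match in BASE64_BLOB.finditer(source):
        findings.append(f"{len(match.group(0))}-char base64-like blob at offset {match.start()}")
    return findings


def scan_file(path: Path) -> list[str]:
    """Scan a file on disk; undecodable bytes are replaced rather than aborting the scan."""
    return scan_source(path.read_text(encoding="utf-8", errors="replace"))


# Constructed samples, not taken from any real site.
CLEAN_SAMPLE = """<?php
define( 'DB_NAME', 'wordpress' );
define( 'DB_USER', 'wpuser' );
define( 'DB_PASSWORD', 'constructed-password' );
$table_prefix = 'wp_';
require_once ABSPATH . 'wp-settings.php';
"""

# Mimics the shape the text describes: function names broken into fragments and a
# blob of encoded data. The blob is repeated filler and decodes to nothing useful.
OBFUSCATED_SAMPLE = """<?php
$a = 'ba'.'se64_d'.'ecode';
$b = 'gzun' . 'com' . 'press';
$c = 'create'.'_function';
$d = '""" + "Zm9vYmFy" * 20 + """';
"""

if __name__ == "__main__":
    for label, sample in (("clean", CLEAN_SAMPLE), ("obfuscated", OBFUSCATED_SAMPLE)):
        print(label, scan_source(sample) or "no indicators")
    # Against a real install (path is an example):
    # print(scan_file(Path("/var/www/html/wp-config.php")))
```

A hit on this scan is a reason to read the file by hand, not proof on its own: a plugin may legitimately use base64_decode, and the blob threshold is a heuristic. The point is that in wp-config.php and index.php there is no legitimate reason for any of it.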
When looking for files that shouldn’t exist at all, you should always compare them against the official WordPress Codex here to see which core files should be present. Keep in mind that the wp-content directory is where all the things you upload are saved. This includes pictures, PDFs, themes, plugins and any other files that are not part of the core installation, such as cache files.
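Comparing an install against the list of core files can also be automated once you have a manifest of what each core file should hash to. The Python below is an added example for this guide, not code from the original post or from WordPress itself. It walks an install, skips wp-content and wp-config.php (both site specific, as the text notes), and reports core files that were modified, core files that are missing, and files that core does not account for, which is exactly where planted files in wp-admin or the root directory show up. The mini install and its manifest are constructed in a temporary directory so the example runs offline; for a real site the manifest comes from the WordPress.org checksum API (https://api.wordpress.org/core/checksums/1.0/?version=VERSION&locale=en_US), which returns a JSON object whose "checksums" key maps each core path to its MD5.

```python
import hashlib
import tempfile
from pathlib import Path

# Top-level directories WordPress core does not own. Everything under wp-content
# (themes, plugins, uploads, cache) needs a separate check.
USER_DIRS = ("wp-content",)
# Site-specific files that never match a core manifest.
SITE_FILES = ("wp-config.php",)


def md5_of(path: Path) -> str:
    """MD5 of a file, read in chunks; MD5 is what the WordPress checksum manifests use."""
    digest = hashlib.md5()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def audit_core(root: Path, manifest: dict[str, str]) -> dict[str, list[str]]:
    """Compare files under root with a {relative_path: md5} manifest of core files."""
    report = {"modified": [], "missing": [], "unexpected": []}
    seen = set()
    for path in root.rglob("*"):
        if not path.is_file():
            continue
        rel = path.relative_to(root).as_posix()
        if rel.split("/", 1)[0] in USER_DIRS or rel in SITE_FILES:
            continue
        seen.add(rel)
        expected = manifest.get(rel)
        if expected is None:
            report["unexpected"].append(rel)   # core has no such file: look at it
        elif md5_of(path) != expected:
            report["modified"].append(rel)     # core file with foreign content
    report["missing"] = sorted(set(manifest) - seen)
    for key in report:
        report[key].sort()
    return report


def build_demo_install() -> tuple[Path, dict[str, str]]:
    """Create a constructed four-file 'core', record its hashes, then tamper with it."""
    root = Path(tempfile.mkdtemp(prefix="wp-demo-"))
    core = {  # constructed stand-ins, not real WordPress file contents
        "index.php": "<?php require __DIR__ . '/wp-blog-header.php';\n",
        "wp-blog-header.php": "<?php require __DIR__ . '/wp-load.php';\n",
        "wp-admin/index.php": "<?php echo 'admin';\n",
        "wp-includes/version.php": "<?php $wp_version = 'constructed';\n",
    }
    manifest = {}
    for rel, text in core.items():
        target = root / rel
        target.parent.mkdir(parents=True, exist_ok=True)
        target.write_text(text)
        manifest[rel] = hashlib.md5(text.encode()).hexdigest()
    # Simulate what a compromised site looks like: one core file edited, one
    # unknown file dropped into wp-admin, one core file deleted. The upload and
    # wp-config.php are normal and must not be reported.
    (root / "index.php").write_text(core["index.php"] + "// constructed tamper\n")
    (root / "wp-admin" / "wp-helper.php").write_text("<?php // constructed planted file\n")
    (root / "wp-includes" / "version.php").unlink()
    (root / "wp-content" / "uploads").mkdir(parents=True)
    (root / "wp-content" / "uploads" / "photo.jpg").write_bytes(b"\xff\xd8constructed")
    (root / "wp-config.php").write_text("<?php // site specific\n")
    return root, manifest


if __name__ == "__main__":
    demo_root, demo_manifest = build_demo_install()
    for category, files in audit_core(demo_root, demo_manifest).items():
        print(f"{category}: {files}")
```

If WP-CLI is available on the server, `wp core verify-checksums` performs the same comparison against the official manifest; the script is useful when you want the raw list of unexpected files to review by hand, or when you cannot run WP-CLI.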
Step 6. Move to automated assessment tools
At this point, you should have a good understanding of where and how malware hides and how you can assess whether it is present on a WordPress site the manual way. This gives you a good foundation for moving on to automated tools. Once you start using these tools, you will likely use them for most threat assessments. It’s still important to have the manual understanding, though, because it helps when treating an infected website and when finding elusive malware that has learned how to bypass the automated methods.