How To Remove Virus / Trojan or Any Malware from WordPress Sites
I was shocked to hear that some of our Readers were facing problems accessing our site. Antivirus Programs namely Kaspersky and Avast! blocked certain webpages saying it contained HEUR:Trojan.Script.Generic and JS:Iframe-FI [Trj] respectively.
No Matter How much people trust in you or your site, it is never more than the Antivirus they use. Reliability of site is in question when such incident happens and remedial action to remove Virus / Trojan from WordPress has to be taken immediately.
So, here is how I tackled Trojan off my site and cleaned up completely.
How was Malware Script Injected?
Most common type of attack is XSS (Cross-site scripting) which enables attacker to inject malicious codes into webpage. In my case, there was a site which consisted of few static HTML pages and through which Attacker got access and did cross-site scripting.
Another attempt could be of Hacking so, it is recommended to contact with Host to investigate if your Password is stolen.
Detect Malicious code
Use Web Service called Unmask Parasites to find suspected malicious code on infected page. After scanning the page using it, you may get the idea where exactly the code exists (if any). Likewise, check theme files and Plugin files if you have already guessed the file.
Scanning service won’t tell where exactly the malware is injected but if you are wise enough and have some know-how about your WordPress installation then chances are that you will find it out.
Most Prone Areas are: Theme Functions or Plugin Files.
Nothing was detected. Site is Clean?
Sometimes, Antivirus Programs reports false-positives on certain webpage. It means, though, the page is clean but program detects some script or iframe on page as suspected malware.
If you are very much sure that no cross script attack or hacking was taken place then, you can report the specific antivirus company about it. Here is a list of Email IDs where you can report officially.
In my case, problem was only with Avast! Webshield and Kaspersky Internet Security so, I reported both of them. Kaspersky promptly replied with the malicious code which was said to be there according to their analysis and couldn’t be detected by Unmask-Parasites.
Now, you have to hunt down all elements of that page to find the malicious code and remove it.
How to Clean WordPress Site from Virus / Trojan
Still, couldn’t find the trojan code on any page element then only option left is to make full clean-up. This involved re-installation of WordPress site completely. It is because, sometimes, code is hidden in WordPress core files and investigating each one of them will take days and doesn’t guarantee success.
- Backup Database and Image directory.
- Write Names of List of Plugins installed.
- Delete Complete Site Directory.
- Make Fresh WordPress Installation.
- Download Theme from Official or Trusted source and Upload.
- Re-install All Plugins.
- Restore Database and Image Directory.
I used Automatic Backup Plugin to Backup Database and Restore it Faster Using Amazon S3. Benefit of using this plugin: Everything is done on server side, no downloading or backup of file on Local Computer. Site was up and running within 8-10 minutes.
Problem with above Plugin is: Cannot be used for large database (more than 64MB) due to Memory Limits by Host. Also, not everybody has Amazon S3 account. Alternatively, I recommend using MyBackupBox which lets you backup Database to Dropbox.
I hope, taking above actions will definitely help cleaning your blog and make it virus-free. Let me know if you are facing any trouble while cleaning Virus on WordPress site or Share your Experience.