How To Remove Virus / Trojan or Any Malware from WordPress Sites

I was shocked to hear that some of our readers were facing problems accessing our site. Antivirus programs, namely Kaspersky and Avast!, blocked certain webpages, saying they contained HEUR:Trojan.Script.Generic and JS:Iframe-FI [Trj] respectively.

No matter how much people trust you or your site, they trust the antivirus they use more. The reliability of a site comes into question when such an incident happens, and remedial action to remove the virus / trojan from WordPress has to be taken immediately.

Trojan Block on Avast!

So, here is how I tackled the trojan on my site and cleaned it up completely.

How was Malware Script Injected?

The most common type of attack is XSS (cross-site scripting), which enables an attacker to inject malicious code into a webpage. In my case, there was a site that consisted of a few static HTML pages, through which the attacker got access and did the cross-site scripting.

Another possibility is hacking, so it is recommended to contact your host to investigate whether your password was stolen.

Detect Malicious code

Use the web service called Unmask Parasites to find suspected malicious code on the infected page. After scanning the page with it, you may get an idea of where exactly the code exists (if any). Likewise, check theme files and plugin files if you have already guessed the file.

The scanning service won’t tell you where exactly the malware is injected, but if you are wise enough and have some know-how about your WordPress installation, chances are that you will find it.

The most prone areas are theme functions or plugin files.

Nothing was detected. Site is Clean?

Sometimes antivirus programs report false positives on certain webpages. That means the page is clean, but the program detects some script or iframe on the page as suspected malware.

If you are very sure that no cross-site scripting attack or hacking took place, you can report it to the specific antivirus company. Here is a list of Email IDs where you can report officially.

In my case, the problem was only with Avast! Webshield and Kaspersky Internet Security, so I reported to both of them. Kaspersky promptly replied with the malicious code that, according to their analysis, was there and couldn’t be detected by Unmask Parasites.

Kaspersky False Positive Email Reply

Now, you have to hunt down all elements of that page to find the malicious code and remove it.

How to Clean WordPress Site from Virus / Trojan

If you still couldn’t find the trojan code in any page element, the only option left is a full clean-up. This involves re-installing the WordPress site completely, because the code is sometimes hidden in WordPress core files, and investigating each one of them will take days and doesn’t guarantee success.

  1. Back up the database and image directory.
  2. Write down the names of the installed plugins.
  3. Delete the complete site directory.
  4. Make a fresh WordPress installation.
  5. Download the theme from an official or trusted source and upload it.
  6. Re-install all plugins.
  7. Restore the database and image directory.

I used the Automatic Backup plugin to back up the database and restore it faster using Amazon S3. The benefit of using this plugin: everything is done on the server side, with no downloading or backup of files on a local computer. The site was up and running within 8-10 minutes.

The problem with the above plugin is that it cannot be used for a large database (more than 64MB) due to memory limits set by the host. Also, not everybody has an Amazon S3 account. Alternatively, I recommend using MyBackupBox, which lets you back up the database to Dropbox.

I hope taking the above actions will definitely help in cleaning your blog and making it virus-free. Let me know if you are facing any trouble while cleaning a virus on a WordPress site, or share your experience.


About the Author

Rohit Langde is Founder and Editor-in-chief of Blogsolute. Tech Blogger by Passion & Profession | Mechanical Engineer by Qualification | Introverted Geek by Choice

8 Enlightened Replies

  1. Ankur says:

    I was also infected with an iframe virus in my site. My hosting provider helped me clean it completely.

  2. Ratnakar says:

    How can we know that our blog is infected with viruses?

  3. Some malicious code is injected into the index.php file in my WordPress installation folder. I figured it out and it's because of an outdated “Tim Thumb” script…

    • Rohit Langde says:

      True that, but I already had the TimThumb Vulnerability scanner plugin installed and fixed it by updating it. Anyway, that is a common problem, as many themes use TimThumb for thumbnail generation.

  4. Bharat says:

    Finally you caught hold of it 😉 great.
    Now I am able to surf smoothly.. 😀 Thnx

  5. lakshman says:

    Post has been updated with your link. Keep Visiting