How To Remove Virus / Trojan or Any Malware from WordPress Sites

I was shocked to hear that some of our readers were facing problems accessing our site. The top antivirus programs, namely Kaspersky and Avast!, blocked certain webpages, saying they contained HEUR:Trojan.Script.Generic and JS:Iframe-FI [Trj] respectively.

No matter how much people trust you or your site, they never trust it more than the antivirus they use. The reliability of a site is in question when such an incident happens, and remedial action to remove the virus / Trojan from WordPress has to be taken immediately.

Trojan Block on Avast!

So, here is how I tackled the Trojan on my site and cleaned it up completely.

How was Malware Script Injected?

The most common type of attack is XSS (cross-site scripting), which enables an attacker to inject malicious code into a webpage. In my case, there was a site which consisted of a few static HTML pages, through which the attacker got access and did cross-site scripting.

Another possibility is hacking, so it is recommended to contact your host to investigate whether your password has been stolen.

Detect Malicious code

Use the web service called Unmask Parasites to find suspected malicious code on the infected page. After scanning the page with it, you may get an idea of where exactly the code exists (if any). Likewise, check theme files and plugin files if you have already guessed the file.

The scanning service won't tell you where exactly the malware is injected, but if you have some know-how about your WordPress installation, chances are that you will find it.

The most prone areas are theme functions or plugin files.
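
As an added example (not code from the original post), the following Python script searches theme and plugin files for a few patterns commonly associated with injected iframes and obfuscated PHP. The rule set, function names and sample file are assumptions made for illustration, and hits are leads to review by hand, not verdicts.

```python
import re
from pathlib import Path

# Heuristic rules (assumptions for this example, not a complete signature set).
RULES = {
    "hidden-iframe": re.compile(
        r"<iframe\b[^>]*(?:(?:width|height)\s*=\s*[\"']?[01](?:px)?(?![\w%.])"
        r"|display\s*:\s*none|visibility\s*:\s*hidden)", re.I),
    "eval-of-decoded-data": re.compile(
        r"\beval\s*\(\s*(?:base64_decode|gzinflate|str_rot13)\s*\(", re.I),
    "document-write-unescape": re.compile(
        r"document\.write\s*\(\s*unescape\s*\(", re.I),
}

def scan_text(text):
    """Return sorted (line_number, rule_name) pairs for every heuristic hit."""
    hits = []
    for name, rx in RULES.items():
        for m in rx.finditer(text):  # whole-text search catches multi-line tags
            hits.append((text.count("\n", 0, m.start()) + 1, name))
    return sorted(hits)

def scan_tree(root, suffixes=(".php", ".js", ".html", ".htm")):
    """Scan files under root (e.g. wp-content); returns {relative_path: hits}."""
    report = {}
    for path in sorted(Path(root).rglob("*")):
        if path.is_file() and path.suffix.lower() in suffixes:
            hits = scan_text(path.read_text(encoding="utf-8", errors="replace"))
            if hits:
                report[path.relative_to(root).as_posix()] = hits
    return report

# Constructed sample: a theme functions.php with two injected snippets and one
# legitimate, visible iframe. The base64 string decodes to a harmless echo.
SAMPLE_FUNCTIONS_PHP = """<?php
function mytheme_setup() { add_theme_support('post-thumbnails'); }
eval(base64_decode('ZWNobyAiZXhhbXBsZSI7'));
?>
<iframe src="http://malware.example/x" width="1" height="1"
        style="visibility:hidden"></iframe>
<iframe src="https://www.youtube.com/embed/demo" width="560" height="315"></iframe>
"""

if __name__ == "__main__":
    for line_no, rule in scan_text(SAMPLE_FUNCTIONS_PHP):
        print(f"functions.php:{line_no}: {rule}")
```

Point `scan_tree` at a copy of the `wp-content` directory; the visible video embed in the sample is deliberately not reported.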

Nothing was detected. Site is Clean?

Sometimes antivirus programs report false positives on certain webpages. This means the page is clean, but the program detects some script or iframe on the page as suspected malware.

If you are very sure that no cross-site scripting attack or hacking has taken place, you can report it to the specific antivirus company. Here is a list of Email IDs where you can report officially.

In my case, the problem was only with Avast! Webshield and Kaspersky Internet Security, so I reported to both of them. Kaspersky promptly replied with the malicious code which, according to their analysis, was there and couldn’t be detected by Unmask-Parasites.

Kaspersky False Positive Email Reply

Now, you have to hunt through all elements of that page to find the malicious code and remove it.

How to Clean WordPress Site from Virus / Trojan

If you still couldn’t find the trojan code in any page element, the only option left is a full clean-up. This involves re-installing the WordPress site completely, because sometimes code is hidden in WordPress core files, and investigating each one of them will take days and doesn’t guarantee success.

  1. Backup Database and Image directory.
  2. Write Down the Names of All Installed Plugins.
  3. Delete Complete Site Directory.
  4. Make Fresh WordPress Installation.
  5. Download Theme from Official or Trusted source and Upload.
  6. Re-install All Plugins.
  7. Restore Database and Image Directory.
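
Because step 7 copies the backed-up image directory back onto the fresh installation, anything malicious stored there would return with it. As an added example (not part of the original post), this Python script flags files in the backup that are not what their image extension claims; the function names, marker list and sample files are assumptions constructed for illustration.

```python
import tempfile
from pathlib import Path

# Leading bytes of the image formats an image directory normally holds.
MAGIC = {
    ".jpg": (b"\xff\xd8\xff",), ".jpeg": (b"\xff\xd8\xff",),
    ".png": (b"\x89PNG\r\n\x1a\n",), ".gif": (b"GIF87a", b"GIF89a"),
}
SCRIPT_MARKERS = (b"<?php", b"<script", b"<iframe")

def audit_file(path):
    """Return the reason a file should not be restored as-is, or None if clean."""
    path = Path(path)
    signatures = MAGIC.get(path.suffix.lower())
    if signatures is None:
        return "not an image extension"
    data = path.read_bytes()
    if not data.startswith(signatures):
        return "content does not match extension"
    hit = next((m for m in SCRIPT_MARKERS if m in data.lower()), None)
    return f"embedded {hit.decode()}" if hit else None

def audit_backup(root):
    """Map each flagged file (path relative to root) to the reason for the flag."""
    findings = {}
    for path in sorted(p for p in Path(root).rglob("*") if p.is_file()):
        reason = audit_file(path)
        if reason:
            findings[path.relative_to(root).as_posix()] = reason
    return findings

def build_sample_backup(root):
    """Constructed sample backup: one clean image and three planted problems."""
    files = {
        "2012/05/logo.png": b"\x89PNG\r\n\x1a\n" + b"\x00" * 16,
        "2012/05/thumb.php": b"<?php /* constructed placeholder */ ?>",
        "2012/05/banner.jpg": b"<?php /* constructed placeholder */ ?>",
        "2012/04/photo.gif": b"GIF89a" + b"\x00" * 8 + b"<?PHP /* appended */ ?>",
    }
    for name, data in files.items():
        target = Path(root) / name
        target.parent.mkdir(parents=True, exist_ok=True)
        target.write_bytes(data)

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_backup(tmp)
        for name, reason in audit_backup(tmp).items():
            print(f"{name}: {reason}")
```

Files with other legitimate extensions are also reported as "not an image extension", so treat the output as a review list before restoring.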

I used the Automatic Backup plugin to back up the database and restore it faster using Amazon S3. The benefit of using this plugin: everything is done on the server side, with no downloading or backup of files on the local computer. The site was up and running within 8-10 minutes.

The problem with the above plugin is that it cannot be used for large databases (more than 64MB) due to memory limits set by the host. Also, not everybody has an Amazon S3 account. Alternatively, I recommend using MyBackupBox, which lets you back up the database to Dropbox.

I hope taking the above actions will definitely help clean your blog and make it virus-free. Let me know if you are facing any trouble while cleaning a virus on your WordPress site, or share your experience.

9 comments
Ankur - May 8, 2012

I was also infected with an iframe virus in my site. My hosting provider helped me clean it completely.

    Rohit Langde - May 8, 2012

    Which Host Ankur?
    In my case, they asked me to fill up a form which I did but no action was taken. So, I had to do it on my own.

Ratnakar - May 9, 2012

How can we know that our blog is infected with viruses?

    Rohit Langde - May 11, 2012

    Usually when an antivirus or malware detection add-on installed in the web browser warns you about it.

Bharat Chowdary - May 9, 2012

Some malicious code is injected into the index.php file in my WordPress installation folder. I figured it out, and it's because of an outdated “Tim Thumb” script…

    Rohit Langde - May 9, 2012

    True that, but I already had the TimThumb Vulnerability Scanner plugin installed and fixed it by updating it. Anyway, that is a common problem, as many themes use TimThumb for thumbnail generation.

Bharat - May 27, 2012

Finally you caught hold of it 😉 great.
Now I am able to surf smoothly.. 😀 Thnx

lakshman - July 28, 2012

Post has been updated with your link. Keep Visiting

BIPLAB - December 21, 2015

Same problem here..
One of my blogs is shown as infected by Kaspersky and it blocks my site. I am trying to apply your way. I don’t know what the result will be. After 2-3 days I will inform you.