Worpress Sites are getting infected

Since some of our customers are getting their Wordpress website defaced we thought we should write this article explaining how to protect your Wordpress website.

First Thing to do is to backup your Malicious Website. Yes you heard it right backup the Infected Website.

To Backup your website headover to your cPanel account & log in & Navigate to Backup



Backup cPanel

Once Navigated click on Download a Full Account Backup

 

Download a Full Account Backup

 

Press on Generate Backup, You can select whether to get notifications or not. I have selected 'Do not send an email notification' option.

 


 

Let the backup run in the background.

 

backup cpanel

 

Once Completed download the generated backup .

 

Download Backup cPanel

 

Now let's move to the cleaning part. First we will scan the directory with ClamAV Virus Scanner for malicious content.

 

Virus Scanner cPanel

 

Select the Scan Mode I'm choosing Scan Entire Home Directory to scan the whole account. Click Scan Now to proceed.

 

Scan Mode cPanel

 

Scan will now start scanning the directory, Once Completed you will get the option to delete or quarantine. You can choose one of the either options.

Sometime the scan results can come as clean since the malware is new and ClamAV virus database signatures are not updated yet with the new one.

 


Scan cPanel

 

Let's Clean our Wordpress directory . You can start by looking for:

  • Strange named Files
  • Suspicious files
  • Newly Modified files
  • Plugin Directories

First check for modified date; check whether you see files/directories modified (not by you)

 

File Check cPanel

 

Let's make hidden files appear as well. To do that click on Settings

 

hidden files cpanel

 

and check the Show Hidden Files (dotfiles) and click Save

 

 

Now let's  check these directories as well and look for any unfamiliar files.

public_html/
public_html/cgi-bin
public_html/.well-known

public_html/wp-content/plugins
public_html/wp-content/themes
public_html/wp-includes/Requests/Response
public_html/wp-includes/Requests/Exception

public_html/wp-admin/includes/js

 

 

I found some malicious files in above mentioned directories. One of them were in the plugin directory called 'xaisyndicate' inside the folder there were some shell scripts that attempted to get access to the whole directory. I deleted the whole folder.

 

xaisyndicate malware

 

Check Skip the trash and permanently delete the files option and click confirm.

 

 

There were some other files as well on the public_html directory as well. We can identify them by their name the name was random & gibberish. I deleted that file as well. Make sure to check any suspicious directory or files including the above directories as well.

 

 

Now let's check our database as well. As the first option we will change our database password. You can change the password by clicking on MySQL Databases

 

 

Once navigated scroll down until you find the Current Users section. Click Change Password  on the user you want.

 

 

Now  generate a password by clicking on Password Generator copy the password and click Change Password

 

 

Now we have to change the password in Wordpress configuration. You can either edit and replace the password field with the above generated password  or continue with the following

 

Softaculous cPanel

wordpress cPanel

 

Once clicked you will be navigated to Softaculous Apps Installer. Once navigated press on All installations ( A small box icon on top right side) and click on the pencil icon to edit the installation of the website you want.

 

 

Now paste the password that you generated earlier in the Database Password field and to auto update Wordpress now on check the Upgrade to any latest version available (Major as well as Minor) option.

 

 

Once done scroll down and click on  Save Installation Details

 

 

Okay! Now we have to upgrade our Wordpress version.  You can upgrade it simply by clicking upgrade button in Softaculous

 

Upgrade cPanel wordpress

 

Always Select the latest version available to upgrade from the drop down menu and if you want to backup your configuration before the upgrade check on the Create Backup box. It's always recommended to have a backup.

 

 

Select the Full Backup option to get a full backup of your wordpress site and you can enable Loginizer to get notifications of logins.Once done click on Upgrade.

 

 

Give some time for it to complete the upgrade

 

 

Once upgrade completes navigate back to Softaculous All installations and check whether you can see the latest version.

 

 

Now the upgrade of Wordpress core has been completed upgrade all your plugins as well. You can do this by login into your Wordpress Admin Panel.

 

Let's check whether there are malicious users on our database that was created by the malicious script. To do that navigate to phpMyAdmin on your cPanel.

 

 

Select the database on the left pane by clicking on it

 

 

Once click all the tables of that database will list down. Click on the wordpress users. Prefix might change but it always end with _users

 

 

Now delete all the users except for the legitimate user/users by going into page by page and pressing the delete button and Change the Wordpress Password of Legitimate User/Users as well.

 

Now go and install  Wordfence Wordpress Plugin and Scan from that as well.

All done. It is always good to keep scripts upto date to avoid getting your website infected.

  • wordpress, hacked, infected, defaced, xaisyndicate
  • 4 Users Found This Useful
Was this answer helpful?

Powered by WHMCompleteSolution