
How to remove the WordPress Backdoor: PHP/apiword malware from your WordPress website

Updated on: May 4, 2020


Lately, WordPress sites have faced a perilous situation: malicious code added to the top of the functions.php file, which the malware creator can exploit to do pretty much any damage he’d like. The injected code comes from the apiword malware, which not only modifies post.php and functions.php but also creates a file containing a backdoor: /wp-includes/class.wp.php

The functions.php file is essential for any theme to be recognized by WordPress and is therefore executed during each page view. This makes it a good target for malicious code.


About the Apiword Malware

In one of the instances, the culprit behind the injection of the infected code into functions.php is a malicious plugin called woocommerce-direct-download. This plugin contained a malicious script called woocp.php hosting some obfuscated PHP code which, on execution, injected the malicious code into all the functions.php files.

Once infected, the attacker can misuse the backdoor to add or modify arbitrary posts on the site. The backdoor PHP script can cause serious damage by:

  1. Infecting all WordPress websites on the server.
  2. Creating new PHP files on the server with code dynamically fetched from apiwords domain

The apiword malware adds code snippets to the wp-includes/post.php file. It then creates the file wp-includes/wp-cd.php. The base64-encoded snippet is given below:


[Image: Malicious code snippet – functions.php]

On decoding, it looks like this:

[Image: the malicious code after base64 decoding]

How to detect the Apiword Infection?

Note that the malicious code is added to the top of every functions.php file found in the root directory of each installed theme. For example, if the WordPress site has a theme called “MyTheme”, then the malicious code would be added to the wp-content/themes/MyTheme/functions.php file.

The injected code is known to contain the call “@file_put_contents($_SERVER['DOCUMENT_ROOT'].'/wp-includes/class.wp.php',file_get_contents)”, which writes the backdoor file /wp-includes/class.wp.php.

This code contains a signature in the form of a variable named wp_cd_code, which helps in identifying infected files.

[Image: install code of the malware in WP_CD_CODE]

If you are running a Unix-based OS, you can list all infected files by running the following command in your server’s web root:

find . -iname '*.php' -print0 | xargs -0 grep -Ein 'wp_cd_code'

Executing this would begin a recursive search for the signature string “wp_cd_code” through all .php files. The output would then present the file path and the line number containing the search string.


What does the malware code in functions.php do?

In layman’s terms, the code injector configures the malicious code for each site and injects it into the PHP file that runs on every user request, and this is reported back to the attacker. The injected code checks for the variables action and password passed in the HTTP request. If the password matches the hard-coded hash (which is generated by the code injector), the injected code executes an action based on the contents of the action variable.

The attacker can use the generated password to gain admin privileges without following the usual route of logging in. This lets the attacker perform actions such as adding arbitrary content and modifying posts on the infected site.
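One way to look for use of this interface in web server logs, as an added example that is not part of the original article. It assumes the combined access-log format and only sees parameters sent in the URL, since request bodies are not written to access logs; the log lines are constructed samples.

```shell
#!/bin/sh
# Added example: list clients whose requests carry both "action" and "password"
# in the query string, the two variables the injected code checks.
# Assumption: combined log format (field 1 = client IP, field 7 = request target).
# Prints "<count> <ip> <path>", busiest first. Reads the given files, or stdin.
suspect_requests() {
    awk '{
        i = index($7, "?")
        if (i == 0) next                     # no query string
        path = substr($7, 1, i - 1)
        q = "&" substr($7, i + 1) "&"        # pad so every key starts with "&"
        if (q ~ /&action=/ && q ~ /&password=/) hits[$1 " " path]++
    }
    END { for (k in hits) print hits[k], k }' "$@" | sort -rn
}

# Constructed sample lines (documentation IP ranges, placeholder values).
sample_log() {
    cat <<'EOF'
192.0.2.10 - - [04/May/2020:10:00:01 +0000] "GET /?action=EXAMPLE&password=PLACEHOLDER HTTP/1.1" 200 512 "-" "curl/7.68.0"
192.0.2.10 - - [04/May/2020:10:00:05 +0000] "GET /?password=PLACEHOLDER&action=EXAMPLE HTTP/1.1" 200 498 "-" "curl/7.68.0"
198.51.100.7 - - [04/May/2020:10:01:00 +0000] "POST /wp-admin/admin-ajax.php?action=heartbeat HTTP/1.1" 200 60 "-" "Mozilla/5.0"
198.51.100.7 - - [04/May/2020:10:02:00 +0000] "GET /blog/?transaction=1&passwordless=1 HTTP/1.1" 200 900 "-" "Mozilla/5.0"
EOF
}

# Scan the log files given as arguments, if any.
if [ "$#" -gt 0 ]; then suspect_requests "$@"; fi
```

Legitimate admin-ajax.php calls that carry only action are not reported, and neither are keys that merely contain the two names.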

Removal of the PHP/apiword malware hack

Mitigating this malware calls for thorough removal of all backdoor code from each and every functions.php file in the site’s themes directory. It is imperative to work through the following checklist:

  1. Check every functions.php file for the malicious code. The code in question is found within the first <?php ?> block in the PHP file, so this block must be removed entirely.
  2. Immediately remove the code injector, in case it still exists. For example, in the case of the woocommerce-direct-download plugin, the code injector was contained in a file called woocp.php. Hence, it needs to be deleted.
  3. Look out for the <wp_prefix>_datalist and <wp_prefix>_install_meta tables. Keep a note of these, as this might help to find posts that have been modified. Thereafter, make sure to delete these tables.
  4. Scan all posts for the signature variable “wp_cd_code” and remove this DIV from each affected post.
  5. Check recently modified files on the server. Log in to your web server via SSH and execute the following command to find the most recently modified files:
    find /path-of-www -type f -printf '%TY-%Tm-%Td %TT %p\n' | sort -r
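The file-level checks from the detection section and from steps 1 and 2 of this checklist can be combined into one pass. The script below is an added example, not the article author's tooling; the function names and the sample tree are constructed for illustration, and the database tables from step 3 are not covered.

```shell
#!/bin/sh
# Added example: report the apiword indicators named in this article under a
# WordPress root. Prints "<kind> <path>" lines; returns 0 if any were found.
apiword_audit() {
    root=${1%/}
    {
        # Signature string in any PHP file (same search as the article's grep).
        find "$root" -type f -iname '*.php' -exec grep -il 'wp_cd_code' {} + 2>/dev/null |
            while IFS= read -r f; do
                case $f in
                    */wp-content/themes/*/functions.php) kind=theme-functions ;;
                    *) kind=signature ;;
                esac
                printf '%s %s\n' "$kind" "$f"
            done
        # Backdoor files the article says the malware creates.
        for f in wp-includes/class.wp.php wp-includes/wp-cd.php; do
            if [ -f "$root/$f" ]; then printf 'backdoor %s\n' "$root/$f"; fi
        done
        # Injector script named in the article (woocommerce-direct-download).
        find "$root/wp-content/plugins" -type f -name woocp.php 2>/dev/null |
            while IFS= read -r f; do printf 'injector %s\n' "$f"; done
    } | sort | grep .
}

# Constructed sample tree of harmless placeholder files to try the audit on.
make_sample_tree() {
    t=$(mktemp -d) || return 1
    mkdir -p "$t/wp-includes" "$t/wp-content/themes/MyTheme" \
        "$t/wp-content/themes/clean" \
        "$t/wp-content/plugins/woocommerce-direct-download"
    printf '<?php $wp_cd_code = "constructed"; ?>\n' \
        > "$t/wp-content/themes/MyTheme/functions.php"
    printf '<?php // untouched theme\n' > "$t/wp-content/themes/clean/functions.php"
    printf '<?php // constructed placeholder\n' > "$t/wp-includes/class.wp.php"
    printf '<?php // constructed placeholder\n' \
        > "$t/wp-content/plugins/woocommerce-direct-download/woocp.php"
    printf '%s\n' "$t"
}

# Audit the path given as the first argument, if any.
if [ "$#" -gt 0 ]; then apiword_audit "$1"; fi
```

Because the exit status is 0 only when something is found, the script can be re-run after cleanup to confirm that no indicator remains.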

How to Prevent your functions.php from being hacked?


  1. Update file users & permissions – Consider making your file permissions more restrictive. The default permission scheme for folders and files should be 750 and 640 respectively. You can change permissions via an FTP/SFTP client. To change permissions via the command line instead, run the following commands, which apply recursively:

    For Directories:

    find /path/to/your/wordpress/install/ -type d -exec chmod 750 {} \;

    For Files:

    find /path/to/your/wordpress/install/ -type f -exec chmod 640 {} \;
  2. Monitor new files being created on the server – A Web Application Firewall (WAF) like Astra, when deployed, watches for any new, deleted or modified files on the server and routinely scans for malware.
  3. Avoid using nulled/pirated themes: It is advised to rely only on themes from authentic and official sources.
  4. Install all WordPress updates: WordPress regularly releases updates and plugins to mitigate any revealed vulnerabilities. Astra’s WordPress Security ensures timely notifications of updates and plugins for your WordPress site.


Ananda Krishna

Ananda Krishna is the co-founder & CTO of Astra Security, a SaaS suite that secures businesses from cyber threats. He has been acknowledged by the Indian Navy, Microsoft, United Airlines, etc. for finding critical security vulnerabilities in their systems. Winner of the Best Security Product at Global Conference on Cyberspace 2017 (awarded by Narendra Modi, Prime Minister of India) & French Tech Ticket, Paris (awarded by François Hollande, former President of France). At Astra he's building an intelligent security ecosystem - web application firewall (WAF), malware detection & analysis, large scale SaaS applications, APIs & more. He's actively involved in the cybersecurity community and has shared his knowledge at various forums & invited talks.
