Recently, we discovered sites where hackers have hidden malicious files with filenames and contents similar to those created by popular WordPress plugins such as WP Super Cache, Akismet, or Elementor. The code in these files can cause a redirection hack, create unknown files on the server, spam your contact page or newsletter, or even get your site suspended by your hosting provider. To learn more about this hidden malware in plugins and how to remove it, read on.
WP Super Cache is a widely used free caching plugin for WordPress with over 2 million active installs. Normally, this plugin creates a file at the location wp-content/advanced-cache.php. You can find the code of this file here.
However, on a site that our engineers recently cleaned – which was using version 1.2 of the plugin – they found a file called wp-includes/ms-advanced-cache.php, which looked like this:
The code in that file is very similar to the genuine plugin file, wp-content/advanced-cache.php. Here’s a comparison of the two files:
The hacker is intentionally trying to confuse the people scanning and fixing this site! The malicious code is disguised as a legitimate file. It also does not get flagged by most free malware scanners, as it is very similar to the genuine plugin code. However, the hacker has commented out most of the genuine code. The only code that is uncommented and active in this file is malicious.
This hidden malware in plugins allows the hacker to write malicious code to a file on the hacked server, which is then executed. In this way, the hacker can run any PHP script on the server, much like exploiting a Remote Code Execution (RCE) vulnerability.
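The pattern described above (a plugin file whose genuine code is mostly commented out, leaving only a write-then-execute stanza active) can be triaged with a simple heuristic. The following Python is an added example and not code from the original post or from WP Super Cache; both PHP samples in it are constructed stand-ins, not the real plugin or the real malware.

```python
import re
# Sinks that make up the write -> execute -> delete pattern the post describes.
SINKS = ("file_put_contents", "fwrite", "eval", "include", "require", "unlink")

def strip_php_comments(src: str) -> str:
    """Drop /* */, // and # comments (string literals are not tracked; fine for triage)."""
    src = re.sub(r"/\*.*?\*/", "", src, flags=re.S)
    return re.sub(r"(?m)(//|#).*$", "", src)

def triage(src: str, min_comment_ratio: float = 0.5) -> dict:
    """Flag PHP source that is mostly commented out while the few remaining
    active lines call at least two of the sinks above."""
    total = [l for l in src.splitlines() if l.strip()]
    active_src = strip_php_comments(src)
    active = [l for l in active_src.splitlines() if l.strip()]
    comment_ratio = 1 - len(active) / max(len(total), 1)
    # include_once / require_once count as the same sink as include / require.
    sinks = sorted(s for s in SINKS if re.search(rf"\b{s}(_once)?\b", active_src))
    return {
        "comment_ratio": round(comment_ratio, 2),
        "sinks": sinks,
        "suspicious": comment_ratio >= min_comment_ratio and len(sinks) >= 2,
    }

# Constructed stand-in for the genuine wp-content/advanced-cache.php.
SAMPLE_GENUINE = """<?php
// WP SUPER CACHE 1.2
if ( !defined( 'WP_CACHE' ) || !WP_CACHE ) {
    return;
}
if ( !include_once( WP_CONTENT_DIR . '/plugins/wp-super-cache/wp-cache-phase1.php' ) ) {
    return;
}
"""

# Constructed stand-in for the disguised file: same header, genuine logic
# commented out, three active lines that write, include and delete a file.
SAMPLE_DISGUISED = """<?php
/* WP SUPER CACHE 1.2 */
// if ( !defined( 'WP_CACHE' ) || !WP_CACHE ) {
//     return;
// }
// if ( !include_once( WP_CONTENT_DIR . '/plugins/wp-super-cache/wp-cache-phase1.php' ) ) {
//     return;
// }
$t = sys_get_temp_dir() . '/c.php';
file_put_contents( $t, $payload ); // $payload is a placeholder here
include $t;
unlink( $t );
"""
```

A single `include` in an otherwise active file (the genuine sample) is not enough to trigger the flag; the combination of a high comment ratio with write, execute and delete sinks is.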
Here are some signs your site may be affected by this malware:
- Your website’s visitors are being redirected to spammy sites (WordPress redirection hack)
- The contact & newsletter forms on your website are being spammed
- You find unknown files on the server
- The hosting provider has suspended your site
- Your site is very slow
To know more about this, check our article on PHP Code Execution in WordPress. What’s more, the malicious code is immediately deleted after execution. This means that there’s no trace of it!
If you find this hidden malware in your site, it is highly likely that there are more infected files which can open up your site to attacks. So the best course of action is to remove the malware as soon as possible and work on preventing such infections again.
1. Take a backup.
Before starting with the malware cleanup process, it may be a good idea to take a backup of your current site along with its database. In case something goes wrong, you can restore this version. Make sure to take the backup in a compressed format like a .zip file.
2. Remove the affected files.
Since this is a kind of malware hidden in plugins, a good place to start would be to take a look at the original version of the plugin from the WordPress plugin repository and compare the two. If you find any suspicious files, delete them. You can also replace plugin files by downloading fresh and updated versions and deleting the old ones.
Related Guide – WordPress Malware Removal
3. Scan your web server for malware and malicious files.
This step is to make sure you haven’t missed anything. You can use the ‘Virus Scanner’ tool in the cPanel provided by your web host, a malware scanner, or get guaranteed malware cleanup with Astra’s WordPress Website Cleanup. We help you find and fight any security threats you may face, including SQL injections, credit card stealing malware, phishing attacks, password hacks, and plugin vulnerabilities – even hidden malware!
How can you prevent further attacks?
1. Update frequently.
Hackers are known to adapt and change their methods frequently, so cleaning your site just once isn’t as effective as doing it regularly. Developers release updates that patch such vulnerabilities, so the quickest way to stay on top of these attacks is to update your plugins regularly.
2. Scan for malware regularly.
Another way to prevent your site from getting infected by malware is to routinely schedule malware scans and get security audits for your site from time to time.
3. Use a firewall.
The best option to prevent such infections is to use a firewall. A Web Application Firewall (WAF) like Astra, once installed, watches for new, deleted, or modified files on the server and also routinely scans for malware. Our Security Suite helps to automatically secure your site and virtually patch software by preventing malicious requests from reaching your website. This means that you don’t have to worry about malware or getting hacked again!
About Astra Security Suite
Astra is the must-have web security suite that fights hackers, internet threats & bots for you. We provide proactive security for your websites running popular CMSs like WordPress, OpenCart, Magento etc. Our professional malware removal team is available 24×7 throughout the year to help you regain your hacked website and quickly get back to business.