Infected website repetitive clean-up

Hello everyone,
This is the first time we have a recurring infection on a WordPress website. It's easy to clean up, but it gets infected again a few days later and our host suspends the website until it's cleaned again.

We just cleaned the site once more and blocked many PHP functions after reading the malicious files' code.

We'd like to know if anybody has had any experience with these kinds of infections and how they handled it for good? (We want to learn, and maybe this is out of support's scope.)

If someone wants to give it a shot, let us know and we will post the detailed information (lots of it). Otherwise, any reference for a one-time clean-up with a guarantee of finding the source would also help us out. :slight_smile:

  • Ash
    • WordPress Hacker

    Hello Vince

    There are scanning services like Sucuri that offer to check your site and clean the code, but I think they charge based on the number of pages, which could be very expensive.

    About the malicious code, do you have plugins and themes from trusted sources? You said that you cleaned the malicious code; was that code inside any plugin? Also, if you have a premium plugin, please make sure your developer bought the plugin from the original vendor rather than using a nulled version. A nulled version of a plugin can contain malicious code that affects the site at certain intervals.

    Also, do not use any weakly developed plugin, which may accidentally have a backdoor.

    Here is a list of some services which offer clean up service: https://geekflare.com/website-malware-removal/

    Hope it helps! Have a nice day :slight_smile:

    Cheers,
    Ash

  • Vince
    • Flash Drive

    For general information, we did a lot of trial and error. It's not an optimal solution, but since we don't know where the infection keeps coming back from, we're comfortable with the outcome.

    To make it short, add this to your php.ini:
    disable_functions = "apache_child_terminate, apache_setenv, define_syslog_variables, escapeshellarg, escapeshellcmd, eval, exec, fp, fput, ftp_connect, ftp_exec, ftp_get, ftp_login, ftp_nb_fput, ftp_put, ftp_raw, ftp_rawlist, highlight_file, ini_alter, ini_get_all, ini_restore, inject_code, mysql_pconnect, openlog, passthru, php_uname, phpAds_remoteInfo, phpAds_XmlRpc, phpAds_xmlrpcDecode, phpAds_xmlrpcEncode, popen, posix_getpwuid, posix_kill, posix_mkfifo, posix_setpgid, posix_setsid, posix_setuid, posix_uname, proc_close, proc_get_status, proc_nice, proc_open, proc_terminate, shell_exec, syslog, system, xmlrpc_entity_decode, file_put_contents, chmod"

    Be aware that file_put_contents is a major function and will prevent multiple plugins from working (internally), but in most cases it'll allow the website to work as usual (since most transactions are done with the database).

    We did check all plugins and themes, and everything was updated when the infection came back for the fifth time. We suspect that it creates a backdoor through obfuscation, since it generates lots of "harmless" files and then one file that includes them all into a malicious script.

    There aren't many accessible options for cleaning up a WordPress website without paying the big bucks apparently.
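
The "lots of harmless files plus one file that includes them all" pattern Vince describes can be hunted for without paying anyone. Below is an added example of such a heuristic scanner; it is not code from this thread or from any plugin, and the sample site tree, file names, hex-escaped string and marker list are all constructed for illustration. It scores every file that carries PHP by the obfuscation constructs it contains, counts how many other files it pulls in, and flags PHP hiding under a non-.php extension or under wp-content/uploads.

```python
"""Heuristic scan for the two-stage backdoor Vince describes: several
"harmless" fragment files plus one assembler that stitches them together and
executes the result. This is an added example, not code from the thread or
from any plugin; the sample site tree, file names and marker list below are
constructed for illustration."""
import os
import re
import tempfile

# Constructs that are rare in legitimate plugin/theme code and common in
# obfuscated droppers. Each is a heuristic, not proof of compromise.
SUSPICIOUS = {
    "eval": re.compile(r"\beval\s*\("),
    "base64_decode": re.compile(r"\bbase64_decode\s*\("),
    "gzinflate/gzuncompress": re.compile(r"\bgz(?:inflate|uncompress)\s*\("),
    "str_rot13": re.compile(r"\bstr_rot13\s*\("),
    "create_function": re.compile(r"\bcreate_function\s*\("),
    "variable function call": re.compile(r"\$\w+\s*\(\s*\$\w+"),       # $f($x)
    "hex-escaped string": re.compile(r"(?:\\x[0-9a-fA-F]{2}){4,}"),    # "\x62\x61..."
    "directory enumeration": re.compile(r"\b(?:glob|scandir|opendir)\s*\("),
}
# Statements that pull other files in; an assembler has several of them.
PULLS_IN = re.compile(r"\b(?:include|require)(?:_once)?\b|\bfile_get_contents\s*\(")
MANY_PULLS = 3
PHP_TAG = re.compile(r"<\?(?:php\b|=)")


def scan_file(root, path):
    """Findings for one file; empty list if nothing stands out."""
    with open(path, encoding="utf-8", errors="replace") as fh:
        text = fh.read()
    rel = os.path.relpath(path, root).replace(os.sep, "/")
    is_php_ext = rel.endswith(".php")
    has_php_tag = PHP_TAG.search(text) is not None
    if not (is_php_ext or has_php_tag):
        return []  # plain data file, nothing to inspect
    hits = [name for name, rx in SUSPICIOUS.items() if rx.search(text)]
    pulls = len(PULLS_IN.findall(text))
    if pulls >= MANY_PULLS:
        hits.append(f"pulls in {pulls} files")
    if has_php_tag and not is_php_ext:
        hits.append("PHP code in non-.php file")  # e.g. a fragment disguised as .ico
    if is_php_ext and "/uploads/" in "/" + rel:
        hits.append("PHP under wp-content/uploads")  # uploads should never hold PHP
    return hits


def scan_tree(root):
    """Map relative path -> findings, for every file with at least one finding."""
    report = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            hits = scan_file(root, path)
            if hits:
                report[os.path.relpath(path, root).replace(os.sep, "/")] = hits
    return report


def ranked(report):
    """Paths ordered by number of findings, most suspicious first."""
    return sorted(report, key=lambda p: (-len(report[p]), p))


# Constructed sample site: legitimate code, three fragments hidden as .ico
# files, and the assembler that includes them and eval()s the joined payload.
SAMPLE_FILES = {
    "wp-includes/functions.php": "<?php\nfunction wp_example() { return 'ok'; }\n",
    "wp-content/plugins/good/good.php":
        "<?php\n/* Plugin Name: Good */\ninclude_once __DIR__ . '/helpers.php';\n"
        "$icon = base64_decode('iVBORw0KGgo=');\n",  # one weak hit, low score
    "wp-content/plugins/good/helpers.php": "<?php\nfunction good_helper() { return 1; }\n",
    "wp-content/uploads/2020/notes.txt": "plain text, nothing to see\n",
    "wp-content/uploads/2020/cache/a.ico": "<?php $p1 = 'ZXZhbCgkX1';\n",
    "wp-content/uploads/2020/cache/b.ico": "<?php $p2 = 'BPU1RbJ2MnXSk7';\n",
    "wp-content/uploads/2020/cache/c.ico": "<?php $p3 = '';\n",
    "wp-content/uploads/2020/cache/wp-load.php":
        "<?php\ninclude 'a.ico'; include 'b.ico'; include 'c.ico';\n"
        "$f = \"\\x62\\x61\\x73\\x65\\x36\\x34\\x5f\\x64\\x65\\x63\\x6f\\x64\\x65\";\n"
        "eval($f($p1 . $p2 . $p3));\n",
}


def build_sample_tree():
    """Write SAMPLE_FILES into a temporary directory and return its path."""
    root = tempfile.mkdtemp(prefix="wp-scan-")
    for rel, content in SAMPLE_FILES.items():
        path = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w", encoding="utf-8") as fh:
            fh.write(content)
    return root


if __name__ == "__main__":
    found = scan_tree(build_sample_tree())
    for rel in ranked(found):
        print(f"{len(found[rel])}  {rel}: {', '.join(found[rel])}")
```

Run it against a real docroot by replacing `build_sample_tree()` with the site path. The assembler ranks first because it trips several independent markers at once, while the fragments score only for being PHP in a .ico file and the legitimate plugin scores one weak hit for a single base64_decode; the point is the combination, not any one marker. Note that the assembler never contains the literal string base64_decode (it is spelled in hex escapes), which is why a plain grep for that name keeps missing such files.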

  • Nithin
    • Support Wizard

    Hi Vince,

    Hope you are doing good today. :slight_smile:

    Sorry to hear about the issues you have been facing repeatedly. Since I don't see you mention Defender, I suppose you have already tried testing the "File Scanning" feature in Defender too?

    Defender Pro helps by listing any files in your root directory that aren't part of WordPress core, and also lists any known vulnerabilities from wpvulndb.

    If you haven't tested Defender Pro, I would highly recommend giving it a try too, to double-check that everything is safe. You can run a file scan on the plugin side, under the Defender Pro > File Scanning page.

    Thanks for sharing the solution you finally arrived at that resolved things on your side. Disabling PHP functions is one of the methods to improve security on the server side, and many hosting providers do that; you can see similar steps done on our WPMU DEV hosting too:
    https://premium.wpmudev.org/docs/hosting/sftp-ssh/#chapter-3

    Regards,
    Nithin
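
The core-file comparison Nithin refers to ("files in your root directory that aren't part of WordPress core") is worth understanding on its own, because it is the check that catches a reinfection landing outside wp-content. Below is an added example of that check; it is not Defender's code or WordPress's. WordPress publishes per-file MD5 checksums for every release, which is why MD5 is used here, but the manifest and the sample site in the block are constructed inline so it runs offline. Everything outside wp-content/ is compared against the manifest and reported as modified, unexpected or missing.

```python
"""Core-file integrity check of the kind Nithin describes: every file outside
wp-content/ is compared against a manifest of expected hashes, and additions,
modifications and deletions are reported. Added example, not Defender's code.
WordPress publishes per-file MD5 checksums for each release, which is why MD5
is used here; the manifest and the sample site below are constructed inline."""
import hashlib
import os
import tempfile

# Files that legitimately live outside wp-content/ without being core files.
SITE_SPECIFIC = {"wp-config.php", ".htaccess"}
# Top-level directories that are not core and need their own (plugin/theme) scan.
NOT_CORE_DIRS = {"wp-content"}

# Constructed stand-in for a clean release tree (real trees have thousands of files).
CLEAN_CORE = {
    "index.php": "<?php require __DIR__ . '/wp-blog-header.php';\n",
    "wp-blog-header.php": "<?php require __DIR__ . '/wp-load.php';\n",
    "wp-cron.php": "<?php // scheduled tasks\n",
    "wp-includes/functions.php": "<?php function wp_example() { return 'ok'; }\n",
    "wp-admin/admin.php": "<?php // admin bootstrap\n",
}
# The manifest a vendor would publish: relative path -> MD5 of the clean file.
CORE_MANIFEST = {rel: hashlib.md5(body.encode()).hexdigest() for rel, body in CLEAN_CORE.items()}


def md5_file(path):
    """MD5 of a file read in chunks, so large files do not load whole."""
    digest = hashlib.md5()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def check_core(root, manifest):
    """Return sorted lists of 'modified', 'unexpected' and 'missing' relative paths."""
    seen, modified, unexpected = set(), [], []
    for dirpath, dirs, files in os.walk(root):
        if os.path.relpath(dirpath, root) == ".":
            dirs[:] = [d for d in dirs if d not in NOT_CORE_DIRS]  # prune wp-content/
        for name in files:
            path = os.path.join(dirpath, name)
            rel = os.path.relpath(path, root).replace(os.sep, "/")
            seen.add(rel)
            if rel in SITE_SPECIFIC:
                continue
            expected = manifest.get(rel)
            if expected is None:
                unexpected.append(rel)      # dropped file, not part of the release
            elif md5_file(path) != expected:
                modified.append(rel)        # core file with injected code
    return {
        "modified": sorted(modified),
        "unexpected": sorted(unexpected),
        "missing": sorted(set(manifest) - seen),
    }


def build_sample_site():
    """Write the clean tree, then tamper with it the way a reinfection would."""
    root = tempfile.mkdtemp(prefix="wp-core-")
    extras = {
        "wp-config.php": "<?php define('DB_NAME', 'wp');\n",
        "wp-content/plugins/good/good.php": "<?php /* Plugin Name: Good */\n",
    }
    for rel, body in {**CLEAN_CORE, **extras}.items():
        path = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "wb") as fh:
            fh.write(body.encode())
    # Tamper: append a loader to a core file, drop a hidden file, delete a core file.
    with open(os.path.join(root, "wp-includes", "functions.php"), "ab") as fh:
        fh.write(b"@include '/tmp/.x';\n")
    with open(os.path.join(root, "wp-admin", ".cache.php"), "wb") as fh:
        fh.write(b"<?php // dropped file, constructed for the example\n")
    os.remove(os.path.join(root, "wp-cron.php"))
    return root


if __name__ == "__main__":
    for kind, paths in check_core(build_sample_site(), CORE_MANIFEST).items():
        print(kind, paths)
```

Against a real site you would fetch the manifest for the installed version from WordPress (wp-cli's `wp core verify-checksums` does exactly this comparison) and point `check_core` at the docroot. The same walk over wp-content/ needs a different baseline, namely the unpacked plugin and theme archives from their original vendors, which is also the quickest way to spot the nulled copies Ash warns about. Whatever this reports as modified or unexpected is the list to diff against the previous clean-up, because a file that comes back in the same place each time is the re-entry point, not the payload.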
