Your website has been infected. What’s next?


What is malware?

You may often hear “my website has been infected” or “I have malware on my site”, but what does that mean? What is malware?

Malware (a portmanteau of “malicious software”) is any software intentionally designed to cause damage to a computer, server, client or computer network. It is a blanket term for viruses, worms, trojans and other harmful programs that attackers use to cause destruction and/or gain access to sensitive information.

This is a functional definition, meaning that software is recognised as malware based on its intended use rather than the particular technique or technology used to build it.

On the other hand, software that causes unintentional harm due to some deficiency is usually described as a software bug or error.


The most popular types of malware:

  • computer viruses, 
  • worms, 
  • Trojan horses, 
  • ransomware, 
  • spyware, 
  • adware, 
  • rogue software, 
  • wipers and scareware.

What to do when your website is infected?

The whole case can be jokingly summarised in two points:

  1. If you know how to do it, there’s no problem at all – you clean, patch, secure, and that’s it,
  2. If you don’t know how to do it, then contact us.

The most important do’s and don’ts.

Do not log in to the WordPress administration panel

If your website has an XSS vulnerability, JS code may have been injected into it. On its own, injected JS isn’t necessarily dangerous to the site, because it runs in the visitor’s browser rather than on the server.

But when you log in as an administrator, the script runs with your session and can use your account to perform any action you could perform, and those actions look as if you carried them out yourself.

Don’t restore a backup

If someone hacked the website and was able to modify it, there is a security gap (vulnerability). Restoring a backup only removes the effects of the hack; the exposure remains unchanged, so the attacker can easily break into the website again.

Just as important for the clean-up: restoring a backup covers up the traces of the hack, making it impossible to identify the infection and analyse how it happened.

Don’t install plugins

If malicious code on the website modifies its operation, it may also affect how plugins work. This means that after an infection you cannot trust what plugins show or how they behave.

Installing “malware scanning” plugins makes no sense and only makes the infection harder to locate, because they obliterate traces of the intrusion.

Secure the website

Block the malicious activity of the code on the page as soon as possible. For example, if it sends emails, block the sending of emails. If it redirects to other websites, block the website. 

Without a thorough analysis, it is often unknown what is happening on the website. The average user may notice a single symptom, but in most cases cannot tell whether there is more.

It is best to enable maintenance mode or block access to the website via .htaccess.

It is also a good idea to block cron jobs on the server until you have made sure that no malicious tasks are scheduled: such tasks are often timed to run at a specific moment, frequently after the admin’s initial block of the page.

This prevents spam emails being sent through your website and other suspicious activity that would harm the site’s SEO, such as Google indexing hundreds of thousands of fake/spam pages or the website being listed on blacklists.
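The two emergency measures above (a maintenance block that still lets the person doing the analysis reach the site, and stopping scheduled tasks) can be applied from a small script. The following is an added example written for this article, not 360WebRescue’s own tooling: it generates a mod_rewrite block answering 503 to every client except the listed admin IP addresses and prepends it to .htaccess, and it sets `DISABLE_WP_CRON` to `true` in wp-config.php so WordPress no longer fires its scheduled events on page load. Function names, the backup location, the block markers and the IP addresses used in the usage line are assumptions.

```python
"""Emergency lock-down helpers for an infected WordPress site (added example).

- lockdown_rules()/apply_lockdown(): .htaccess rules returning 503 for everyone
  except the analyst's IP addresses, placed before WordPress's own rules.
- disable_wp_cron(): makes wp-config.php define DISABLE_WP_CRON as true.
Names, markers and paths are assumptions made for this example.
"""
import os
import re
import shutil

LOCKDOWN_BEGIN = "# BEGIN emergency-lockdown"
LOCKDOWN_END = "# END emergency-lockdown"
CRON_DEFINE = "define('DISABLE_WP_CRON', true);"
STOP_MARKER = "/* That's all, stop editing!"  # present in every stock wp-config.php


def lockdown_rules(allowed_ips):
    """Build mod_rewrite rules answering 503 to every client except allowed_ips.

    Consecutive RewriteCond lines are ANDed, so the rule fires only when the
    client matches none of the allowed addresses.
    """
    lines = [LOCKDOWN_BEGIN,
             'ErrorDocument 503 "Site temporarily unavailable"',
             "RewriteEngine On"]
    for ip in allowed_ips:
        lines.append(f"RewriteCond %{{REMOTE_ADDR}} !^{re.escape(ip)}$")
    lines.append("RewriteRule ^ - [R=503,L]")  # non-3xx status: substitution ignored, chain stops
    lines.append(LOCKDOWN_END)
    return "\n".join(lines) + "\n"


def strip_lockdown(htaccess_text):
    """Remove a previously added lock-down block (used when reopening the site)."""
    pattern = re.compile(re.escape(LOCKDOWN_BEGIN) + r".*?" + re.escape(LOCKDOWN_END) + r"\n?", re.S)
    return pattern.sub("", htaccess_text)


def apply_lockdown(htaccess_text, allowed_ips):
    """Prepend the lock-down block so it is evaluated before WordPress's rules; idempotent."""
    return lockdown_rules(allowed_ips) + strip_lockdown(htaccess_text)


def disable_wp_cron(wp_config_text):
    """Ensure wp-config.php defines DISABLE_WP_CRON as true.

    A false definition is replaced, an existing true one is left alone, and
    a missing one is inserted above the 'stop editing' marker (or appended).
    """
    existing = re.compile(r"define\(\s*['\"]DISABLE_WP_CRON['\"]\s*,\s*(?:true|false)\s*\);", re.I)
    if existing.search(wp_config_text):
        return existing.sub(CRON_DEFINE, wp_config_text, count=1)
    if STOP_MARKER in wp_config_text:
        return wp_config_text.replace(STOP_MARKER, CRON_DEFINE + "\n\n" + STOP_MARKER, 1)
    return wp_config_text.rstrip("\n") + "\n" + CRON_DEFINE + "\n"


def main(argv):
    """Usage (paths assumed): lockdown.py /var/www/html /root/evidence 203.0.113.10"""
    if len(argv) < 3:
        raise SystemExit("usage: lockdown.py <document-root> <backup-dir> <admin-ip> [<admin-ip> ...]")
    root, backup_dir, ips = argv[0], argv[1], argv[2:]
    jobs = ((".htaccess", lambda text: apply_lockdown(text, ips)),
            ("wp-config.php", disable_wp_cron))
    for fname, transform in jobs:
        path = os.path.join(root, fname)
        original = ""
        if os.path.exists(path):
            # Untouched copy kept OUTSIDE the document root, so it is never served as text.
            shutil.copy2(path, os.path.join(backup_dir, fname + ".pre-lockdown"))
            with open(path, encoding="utf-8") as fh:
                original = fh.read()
        with open(path, "w", encoding="utf-8") as fh:
            fh.write(transform(original))
        print(f"updated {path}")


if __name__ == "__main__":
    import sys
    main(sys.argv[1:])
```

`DISABLE_WP_CRON` only stops WordPress’s own pseudo-cron; tasks registered in the system crontab of the web-server user have to be reviewed separately on the server. Keep the `.pre-lockdown` copies out of the document root, since a `wp-config.php.anything` file inside it is served to anyone who asks for it.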

Clean the website

This part of the process is very problematic for many non-experienced “specialists”, so they use WordPress plugins. However, as we mentioned in the point above, it is strongly recommended not to use plugins. 

Generally, antivirus programs are not designed to search for website malware (that is material for a separate article). Put simply, they rely mainly on a limited and not very up-to-date signature database; sometimes they flag something in the rendered output, but they detect nothing in the source code.

In the end, there is no automaton capable of unambiguously determining whether something is good or bad – you still need a human brain to meet this challenge.

Before cleaning, it is worth analysing the website. Check blacklists, check the search engine index (e.g. “site:domain.com”) and the search engine cache (“cache:domain.com”, typed into the search box or the browser address bar), and check the server logs, an underestimated source of knowledge.
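Server logs are the part of that analysis most people skip, so here is an added example of what a first pass over them can look like. It is written for this article, not taken from it, and it triages combined-format Apache/nginx access log lines for three leads an analyst checks first: PHP files executed from inside wp-content/uploads (a directory that should hold media, not code), POSTs to PHP files that are not WordPress’s normal front-end entry points, and bursts of login POSTs from a single address. The log lines are constructed, and the entry-point list, the burst threshold and the rule names are assumptions.

```python
"""Access-log triage for a suspected WordPress compromise (added example).

Parses combined log format lines and returns leads for a human to follow up.
The sample lines, the entry-point list and the threshold are assumptions.
"""
import re
import sys
from collections import Counter

LOG_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<agent>[^"]*)"'
)

# Front-end PHP files that legitimately receive POSTs on a stock install.
# /wp-admin/*.php pages are excluded separately: they sit behind authentication
# and are reviewed together with the admin users and sessions, not here.
NORMAL_POST_TARGETS = {"/wp-login.php", "/wp-cron.php", "/xmlrpc.php", "/wp-comments-post.php"}
LOGIN_BURST = 20  # POSTs to wp-login.php from one IP before it is reported as a burst


def parse_line(line):
    """Return a dict of fields for a combined-format line, or None if it does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["path"] = rec["path"].split("?", 1)[0]  # match on the path only, not the query string
    return rec


def triage(lines):
    """Return [(rule, ip, detail)] for the requests worth looking at first."""
    findings = []
    login_posts = Counter()
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        path, method, ip = rec["path"], rec["method"], rec["ip"]
        if path.startswith("/wp-content/uploads/") and path.endswith(".php"):
            findings.append(("php-in-uploads", ip, path))
        elif (method == "POST" and path.endswith(".php")
              and path not in NORMAL_POST_TARGETS and not path.startswith("/wp-admin/")):
            findings.append(("post-to-unexpected-php", ip, path))
        if method == "POST" and path == "/wp-login.php":
            login_posts[ip] += 1
    for ip, n in login_posts.items():
        if n >= LOGIN_BURST:
            findings.append(("login-burst", ip, f"{n} POSTs to /wp-login.php"))
    return findings


# Constructed log lines for the example (RFC 5737 documentation addresses, made-up paths).
SAMPLE_LINES = [
    '198.51.100.23 - - [10/Mar/2022:08:14:01 +0000] "GET /index.php HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
    '203.0.113.45 - - [10/Mar/2022:08:14:07 +0000] "POST /wp-content/uploads/2022/03/wp-cache.php HTTP/1.1" 200 312 "-" "python-requests/2.27"',
    '203.0.113.45 - - [10/Mar/2022:08:14:09 +0000] "POST /wp-includes/wp-tmp.php HTTP/1.1" 200 12 "-" "python-requests/2.27"',
    '198.51.100.23 - - [10/Mar/2022:08:15:00 +0000] "POST /wp-admin/admin-ajax.php?action=heartbeat HTTP/1.1" 200 45 "https://example.test/wp-admin/" "Mozilla/5.0"',
] + [
    '192.0.2.99 - - [10/Mar/2022:08:20:%02d +0000] "POST /wp-login.php HTTP/1.1" 200 2300 "-" "Mozilla/5.0"' % i
    for i in range(25)
]


if __name__ == "__main__":
    # Usage: triage.py /var/log/apache2/access.log   (path assumed); no argument runs the sample.
    if len(sys.argv) > 1:
        with open(sys.argv[1], encoding="utf-8", errors="replace") as fh:
            rows = triage(fh)
    else:
        rows = triage(SAMPLE_LINES)
    for rule, ip, detail in rows:
        print(f"{rule:24} {ip:16} {detail}")
```

Every hit is a lead, not a verdict: a plugin may expose its own front-end endpoint, and a noisy but legitimate login burst can come from a misconfigured monitoring tool. What the triage gives you is the short list of addresses, timestamps and paths to pull the full request history for, which is usually where the entry point shows up.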

Clean the page. Clean up malicious code. Also, check the database and all files on the server. Locate the vulnerability. Usually, the easiest way to do this is by analysing the malicious code. Patch any security gaps on the page.

Cleaning an infected WordPress website is a challenging task without good knowledge of HTML, JS, PHP and SQL.

It is worth bearing in mind that, contrary to popular opinion, malware is not only eval() and Base64. There are many more code-execution methods and obfuscation techniques, and sometimes even relatively inconspicuous, unencoded parts of the code can do nasty things.
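To make that point concrete, here is an added example of a source scanner that looks past eval() and Base64; it is written for this article and is not 360WebRescue’s tooling. Each rule is a pattern an analyst greps a compromised install for: alternative execution primitives (assert, create_function), decoder functions (gzinflate, str_rot13, strrev, hex2bin), variable function calls such as `$f(...)`, hex-escaped strings, chr() concatenation, the preg_replace `/e` modifier (still met on old PHP 5 hosts), stream and remote includes, and externally sourced script tags in a database export. The rule names, the file selection and the three sample inputs are assumptions made for the example; the suspicious sample is inert (it ends up calling strrev) and is there only to show that a file with no eval() and no Base64 still lights up.

```python
"""PHP source and DB-export scanner that looks past eval()/Base64 (added example).

Every match is a lead for a human reviewer, not a verdict. Rule names, the
file suffix list and the sample inputs are assumptions for this example.
"""
import os
import re
import sys

RULES = [
    ("direct-eval", re.compile(r"\b(?:eval|assert|create_function)\s*\(")),
    ("decoder-function", re.compile(
        r"\b(?:base64_decode|gzinflate|gzuncompress|gzdecode|str_rot13|strrev|hex2bin|convert_uudecode)\s*\(")),
    ("exec-with-request-input", re.compile(
        r"\b(?:system|exec|shell_exec|passthru|popen|proc_open)\s*\(\s*\$_(?:GET|POST|REQUEST|COOKIE)\b")),
    ("superglobal-as-callable", re.compile(r"\$_(?:GET|POST|REQUEST|COOKIE)\s*\[[^\]]*\]\s*\(")),
    ("variable-function-call", re.compile(r"(?<![\w$])\$[A-Za-z_]\w*\s*\(")),
    ("hex-escaped-string", re.compile(r"(?:\\x[0-9a-fA-F]{2}){4,}")),  # four or more \xNN in a row
    ("chr-concatenation", re.compile(r"chr\s*\(\s*\d+\s*\)\s*\.\s*chr\s*\(")),
    # Only the common '/' delimiter is handled; patterns using '#' or '~' need a second look by hand.
    ("preg_replace-e-modifier", re.compile(r"preg_replace\s*\(\s*['\"][^'\"]*/[a-zA-Z]*e[a-zA-Z]*['\"]")),
    ("stream-include", re.compile(r"\b(?:include|require)(?:_once)?\s*\(?\s*['\"](?:https?:|ftp:|data:|php:|phar:)")),
    ("external-script-tag", re.compile(r"<script[^>]*\ssrc\s*=\s*['\"]?(?:https?:)?//", re.I)),
]


def scan_source(text):
    """Return [(line_number, rule_name)] for every rule hit in a PHP file or SQL dump."""
    hits = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for name, rx in RULES:
            if rx.search(line):
                hits.append((lineno, name))
    return hits


def scan_tree(root, suffixes=(".php", ".phtml", ".inc", ".sql")):
    """Walk a document root (or a dump directory) and scan every matching file."""
    report = {}
    for dirpath, _, files in os.walk(root):
        for fname in files:
            if fname.lower().endswith(suffixes):
                path = os.path.join(dirpath, fname)
                try:
                    with open(path, encoding="utf-8", errors="replace") as fh:
                        hits = scan_source(fh.read())
                except OSError:
                    continue
                if hits:
                    report[path] = hits
    return report


# Constructed samples. The first contains no eval() and no Base64 but trips three rules;
# the payload is harmless ("\x73\x74\x72\x72\x65\x76" spells strrev).
SUSPICIOUS_PHP = """<?php
// constructed sample: nothing obviously encoded, nothing obviously executed
$k = "\\x73\\x74\\x72\\x72\\x65\\x76";
$p = preg_replace('/x/e', 'strtoupper("x")', 'x');
$f = $k;
echo $f('nothing here');
"""

CLEAN_PHP = """<?php
/* constructed sample of ordinary plugin code */
function mysite_footer_note() { echo esc_html(get_option('mysite_note', '')); }
add_action('wp_footer', 'mysite_footer_note');
"""

DB_EXPORT = """INSERT INTO wp_posts VALUES (12, 'Hello world', '<p>Welcome.</p><script src="https://stats.example.net/t.js"></script>');
"""


if __name__ == "__main__":
    # Usage: scan.py /var/www/html   (path assumed); no argument scans the samples.
    if len(sys.argv) > 1:
        for path, hits in scan_tree(sys.argv[1]).items():
            for lineno, rule in hits:
                print(f"{path}:{lineno}: {rule}")
    else:
        for label, sample in (("suspicious", SUSPICIOUS_PHP), ("clean", CLEAN_PHP), ("db", DB_EXPORT)):
            print(label, scan_source(sample))
```

Run it over the document root and over a plain-text dump of the database: injected content in wp_posts and wp_options is as common as injected PHP. Expect the variable-function and decoder rules to fire on some legitimate plugin code; the point is to narrow the set of files a human reads line by line, which the article’s “you still need a human brain” remark is about.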

Secure the website for the future

Secure (harden) the page correctly. Make sure that access to files on the server is as limited as possible. It will make future break-ins more difficult for the attacker.
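A quick way to check how far access to the files has actually been limited is to audit the document root for the handful of conditions that undo most hardening. The script below is an added example written for this article, not part of it: `audit()` works on (relative path, permission bits, is-directory) tuples so it can be exercised on constructed input, `collect()` builds those tuples from a real directory, and `has_disallow_file_edit()` checks whether wp-config.php switches off the theme/plugin editor in the admin panel. Rule names and the sample entries are assumptions.

```python
"""Permission audit for a WordPress document root (added example).

Reports files and directories that leave more access than a hardened install
needs. Rule names and the constructed sample entries are assumptions.
"""
import os
import re
import stat


def audit(entries):
    """Return [(path, rule)] for every (path, mode, is_dir) entry that breaks a rule."""
    findings = []
    for path, mode, is_dir in entries:
        name = os.path.basename(path)
        if mode & stat.S_IWOTH:
            findings.append((path, "world-writable"))
        if mode & (stat.S_ISUID | stat.S_ISGID):
            findings.append((path, "setuid-or-setgid"))
        # uploads/ holds media; an executable script there is almost never legitimate
        if (not is_dir and path.startswith("wp-content/uploads/")
                and name.lower().endswith((".php", ".phtml", ".phar"))):
            findings.append((path, "php-under-uploads"))
        # database credentials readable by every local account
        if name == "wp-config.php" and mode & stat.S_IROTH:
            findings.append((path, "wp-config-readable-by-others"))
        # wp-config.php.bak / .old / ~ are served as plain text by the web server
        if name.startswith("wp-config.php") and name != "wp-config.php":
            findings.append((path, "wp-config-copy"))
    return findings


def collect(root):
    """Produce audit() input from a real document root; paths are relative to root."""
    entries = []
    for dirpath, dirnames, filenames in os.walk(root):
        for name in dirnames + filenames:
            full = os.path.join(dirpath, name)
            try:
                st = os.lstat(full)
            except OSError:
                continue
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            entries.append((rel, stat.S_IMODE(st.st_mode), stat.S_ISDIR(st.st_mode)))
    return entries


def has_disallow_file_edit(wp_config_text):
    """True if wp-config.php defines DISALLOW_FILE_EDIT as true (no editor in the admin panel)."""
    return re.search(r"define\(\s*['\"]DISALLOW_FILE_EDIT['\"]\s*,\s*true\s*\)",
                     wp_config_text, re.I) is not None


# Constructed sample entries: (relative path, permission bits, is_dir).
SAMPLE_ENTRIES = [
    ("index.php", 0o644, False),
    ("wp-config.php", 0o644, False),
    ("wp-config.php.bak", 0o644, False),
    ("wp-content", 0o755, True),
    ("wp-content/uploads", 0o777, True),
    ("wp-content/uploads/2022/03/photo.jpg", 0o644, False),
    ("wp-content/uploads/2022/03/wp-cache.php", 0o644, False),
    ("wp-includes/functions.php", 0o644, False),
]


if __name__ == "__main__":
    import sys
    # Usage: audit.py /var/www/html   (path assumed); no argument audits the sample entries.
    entries = collect(sys.argv[1]) if len(sys.argv) > 1 else SAMPLE_ENTRIES
    for path, rule in audit(entries):
        print(f"{rule:28} {path}")
```

On a host where PHP runs as the file owner, wp-config.php can be 0600 and nothing else needs to be writable by “others”; where the web server runs under a different account, the uploads directory usually has to be group-writable, but never world-writable. Pair the permission fixes with a `DISALLOW_FILE_EDIT` definition, since an attacker with a stolen admin session otherwise gets a file editor for free.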

After cleaning and securing the page, check and remove the page from the blacklists, and fix indexing – deindex/remove pages from Google or other search engine index (if required from the SEO point of view).

What if I can’t do it by myself?

If you’re an inexperienced user and don’t have a dedicated malware-removal specialist, we strongly advise engaging our 360WebRescue services.
