
How to deal with repeated hacking (malware / virus infection) in WordPress


0 Reasons for getting re-infected soon after removing viruses and malware

There are four main reasons why a site gets re-infected soon after viruses and malware are removed.

1 A hacker is able to log in to the site as an administrator
2 The vulnerability of the site remains
3 A backdoor that the hacker planted on your site has not been removed
4 Another WordPress installation on the same server is infected

Below we introduce methods to prevent reinfection for each of these reasons.

1 Change the administrator password

If a hacker has obtained your site password and is able to access the WordPress administration screen, the hacker can easily tamper with files from the administration screen.

Once you have cleaned the malware from WordPress, change the password for all users with administrator privileges.
The password can be changed from Admin screen > User List > Edit. We recommend using the strong passwords automatically generated by WordPress.

2 Disable write permission on folders and files

Hackers tamper with files remotely, so it is effective to connect to the server with FTP software and make all files except the wp-content/uploads folder unwritable.
Using software such as FileZilla, open the permission settings for the folders and files and uncheck the write permission.

3 Detect backdoors

A backdoor is a program that allows hackers to easily rewrite the site's programs. Although the backdoor does no damage by itself, leaving it in place is very dangerous because it can be used to generate tampered files on the site.

The following code is an example of a backdoor.

eval($_POST["mycode"]);

In many cases, hackers obfuscate and hide code.

Obfuscated code example

${"G\x4cO\x42\x41L\x53"}["\x64\x7aa\x77h\x78\x78\x5f\x5f\x5f\x6c_\x62y\x62t\x63o\x68h\x6dx\x67y\x64\x62\x65q\x61q"]

Backdoors can be detected free of charge with WordPress Doctor / Malware Scanner. Please use it.
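
A minimal scanner for the two patterns shown in this section, added here as an illustration; it is not code from the original article or from the WordPress Doctor / Malware Scanner plugin. The function names scan_text and scan_tree, the threshold of four escapes per string, and the execution functions listed besides eval are assumptions of this example.

```python
import re
from pathlib import Path

# A dynamic-execution call fed directly from request data, e.g. eval($_POST[...]).
EXEC_ON_INPUT = re.compile(
    r"\b(?:eval|assert|system|passthru|shell_exec|exec)\s*\(\s*[^;]{0,80}?"
    r"\$_(?:POST|GET|REQUEST|COOKIE)\b", re.I)
# PHP string escapes that spell a name byte by byte: \x4c (hex) or \114 (octal).
ESCAPE = re.compile(r"\\x[0-9a-fA-F]{2}|\\[0-7]{3}")
# Double-quoted string literal, aware of backslash escapes.
STRING = re.compile(r'"((?:[^"\\]|\\.)*)"')

def scan_text(text, min_escapes=4):
    """Return (line_no, reason) findings for one PHP source text."""
    findings = []
    for no, line in enumerate(text.splitlines(), 1):
        if EXEC_ON_INPUT.search(line):
            findings.append((no, "exec-on-request-input"))
        for m in STRING.finditer(line):
            # Ordinary strings rarely need several hex/octal escapes in a row.
            if len(ESCAPE.findall(m.group(1))) >= min_escapes:
                findings.append((no, "escape-obfuscated-string"))
                break
    return findings

def scan_tree(root):
    """Scan every .php file under root; return {path: findings} for files with hits."""
    hits = {}
    for path in Path(root).rglob("*.php"):
        found = scan_text(path.read_text(errors="replace"))
        if found:
            hits[str(path)] = found
    return hits

# Constructed sample: the two snippets from this section (the obfuscated one
# shortened) plus a benign line that must not be flagged.
SAMPLE = "\n".join([
    '<?php',
    'eval($_POST["mycode"]);',
    r'${"G\x4cO\x42\x41L\x53"}["\x64\x7aa\x77h\x78"] = 1;',
    'echo "Hello\\n";',
])

if __name__ == "__main__":
    for no, reason in scan_text(SAMPLE):
        print(f"line {no}: {reason}")
```

Run scan_tree over the WordPress root and review each hit by hand; some legitimate plugins also use escape sequences, so a finding is a lead, not a verdict.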

4 Update vulnerable plugins and themes

Vulnerabilities in the code of the program could allow hackers to send code to the server and tamper with the site.

The easiest way to fix the vulnerability is to update WordPress, themes, and plugins and keep them updated.

You can use WordPress Doctor / Malware Scanner to find out whether there are any vulnerabilities in the plugins or themes on your site. If high-risk vulnerabilities are found, update the affected plugins or themes immediately.

5 Suppress brute-force attacks so that you do not lose administrator privileges

One of the most common methods used by hackers to gain administrative privileges is a brute-force attack.
The attacker mechanically repeats login attempts against the site with a list of tens of thousands of passwords until a valid password is found.

WordPress Doctor / Malware Scanner has a function to suppress brute-force attacks, and enabling it can greatly improve security.

6 Detect and block hackers in real time

The WordPress Doctor / Malware Scanner plug-in has the world’s first feature that blocks hacking before the site gets infected.

Once a hacker has found a vulnerability and embedded a backdoor, he can alter the site again as soon as the malware is removed. With this feature, you can detect and block the request at the moment a hacker sends malware code, and log it together with the IP address.
It is also possible to completely block the hacker’s IP with the IP blocking feature so that the hacker cannot access the site.

# This feature can be enabled by subscribing to the latest malware patterns.

7 Find out if other websites in the server have been tampered with

If there is more than one site on the server, cleaning up one WordPress site directory is not enough: if the WordPress installation in another folder has been tampered with, malware may spread from that folder.

You can find out whether other sites on the server are infected with a tool such as Sucuri Site Check.
https://sitecheck.sucuri.net/