Support » Fixing WordPress » Malware detected

  • Hello everyone,

    I have a problem with my website because it is recognized as hacked due to malware.

    I have a list of infected pages but I don’t know how to erase the bad JavaScript code.

    How can I fix this problem?

    Thank you

Viewing 9 replies - 1 through 9 (of 9 total)
  • Moderator cubecolour


    I have already used the second-to-last link you suggested, but it gives me section names, so I don’t know which page this could be coming from …

    For example:

    In which PHP, JavaScript, etc. file could I find the code that is causing the trouble?

    I had a similar problem a few months ago. In my case, all I needed to do was remove the bad code from the .htaccess file. I would try that first since it only takes a few minutes.

    Sorry, I just forgot that this was an English forum.

    I just said that I already checked the last but one website. I just have some URLs to check with the code, but I don’t know which URL page corresponds to the file.

    For example:

    In which file can I find the code?

    Thanks for your answer Gabe, I will try to do that ;).

    Which bad code was that, Gabe?

    Because I have the following code in my file:

    IndexIgnore .htaccess */.??* *~ *# */HEADER* */README* */_vti*

    <Limit GET POST>
    order deny,allow
    deny from all
    allow from all
    </Limit>
    <Limit PUT DELETE>
    order deny,allow
    deny from all
    </Limit>
    SetEnv no-gzip dont-vary
    # BEGIN WordPress
    <IfModule mod_rewrite.c>
    RewriteEngine On
    RewriteBase /
    RewriteRule ^index\.php$ - [L]
    RewriteCond %{REQUEST_FILENAME} !-f
    RewriteCond %{REQUEST_FILENAME} !-d
    RewriteRule . /index.php [L]
    </IfModule>

    # END WordPress

    You will often find a malware script inserted into the HTML of the index.php page and surrounded by <script> tags like this:

    echo(gzinflate(base64_decode("<random characters here>")));

    where <random characters here> is a long list of seemingly random characters.

    The easiest option may be to reinstall WordPress using the Dashboard, but back up your wp-content directory and any other custom files first. Then check your custom files for those script tags above (or similar) and delete the tags.

    Then I strongly suggest changing your FTP passwords to prevent further infections.

    You will then need to let Google know you have removed the malware so your website is not reported as malware any longer.

    Hope that helps.

    Thanks for your help.

    I just have a question: if I reinstall WordPress, will I lose all of my articles or not?

    If you have a backup of your .htaccess file, you can just compare.

    You may be able to go back a few days and get it from your host provider.

    When in doubt, feel free to save a copy of the current file now and just remove anything that’s iffy looking. Based on recollection, my file doesn’t have anything that you just posted.

    Your articles are stored in the database so you shouldn’t lose your content. To be on the safe side, back up the database and your entire wp-content folder (which you can check for malware scripts after downloading them – a good A/V package should detect anything unusual).

    You can also back up your wp-config.php file – it shouldn’t be replaced by a new WordPress installation but there’s no harm in being cautious.

    Back up .htaccess too if you have made any changes to it. Then compare with the new one and re-add any changes you previously made to the old one (making sure they aren’t malicious changes added by the hacker of course).
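
The replies above advise checking the downloaded wp-content files for injected code such as echo(gzinflate(base64_decode("..."))). The following Python scanner is an added example, not code from any participant in this thread; it flags such lines for manual review. The function names, the suffix list, the 200-character threshold and the sample tree are all assumptions constructed for illustration.

```python
import re
import tempfile
from pathlib import Path

# Exec/output call directly wrapping one or more decoders, as in the thread's example.
DECODER_CHAIN = re.compile(
    r"\b(?:eval|assert|echo|print)\s*\(?\s*"
    r"(?:(?:gzinflate|gzuncompress|gzdecode|str_rot13|base64_decode)\s*\(\s*)+",
    re.IGNORECASE,
)
# Secondary hint: a long unbroken base64-looking literal (threshold is an assumption).
LONG_BLOB = re.compile(r"[\"'][A-Za-z0-9+/=]{200,}[\"']")
SCANNED_SUFFIXES = {".php", ".js", ".html", ".htm", ".inc"}

def scan_file(path):
    """Return (line_number, reason, excerpt) findings for one file."""
    findings = []
    lines = path.read_text(encoding="utf-8", errors="replace").splitlines()
    for lineno, line in enumerate(lines, start=1):
        if DECODER_CHAIN.search(line):
            findings.append((lineno, "decoder-chain", line.strip()[:80]))
        elif LONG_BLOB.search(line):
            findings.append((lineno, "long-encoded-literal", line.strip()[:80]))
    return findings

def scan_tree(root):
    """Walk a downloaded copy of the site; map relative path -> findings."""
    report = {}
    for p in sorted(Path(root).rglob("*")):
        wanted = p.suffix.lower() in SCANNED_SUFFIXES or p.name == ".htaccess"
        if p.is_file() and wanted and (hits := scan_file(p)):
            report[p.relative_to(root).as_posix()] = hits
    return report

def build_sample(root):
    """Constructed sample tree: one clean file and one file with an inert injection."""
    theme = Path(root) / "wp-content" / "themes" / "demo"
    theme.mkdir(parents=True)
    (theme / "functions.php").write_text("<?php\nfunction demo_setup() { return true; }\n")
    payload = "QUJD" * 60  # constructed filler (base64 of "ABC" repeated), not malware
    (theme / "index.php").write_text(
        "<?php get_header(); ?>\n"
        f'<script><?php echo(gzinflate(base64_decode("{payload}"))); ?></script>\n'
    )
    return root

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        for name, hits in scan_tree(build_sample(tmp)).items():
            print(name, hits)
```

A hit is only a prompt to open the file and compare it with a clean copy; legitimate code can also call base64_decode.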
