Title: Malware inside Images Last modified: September 1, 2016 --- # Malware inside Images * [JustinF](https://wordpress.org/support/users/justinfeldman/) * (@justinfeldman) * [9 years, 10 months ago](https://wordpress.org/support/topic/malware-inside-images/) * I am working on trying to restore a site that was hacked. I’ve cleaned all the WP files, database and .hta access files. The only files that WordFence is still saying contains malware are a handful of image files. * What is the best way to go about cleaning these? Or even just checking if they really do contain malware? The website owner does NOT have backups of the original images. * Is it possible that WordFence is incorrectly identifying these as containing malware? Where do I go from here? * Any help is much appreciated. Thanks! * [https://wordpress.org/plugins/wordfence/](https://wordpress.org/plugins/wordfence/) Viewing 6 replies - 1 through 6 (of 6 total) * [BenSucuri](https://wordpress.org/support/users/rngdmstr/) * (@rngdmstr) * [9 years, 10 months ago](https://wordpress.org/support/topic/malware-inside-images/#post-7671195) * What is the warning generated from WordFence, can you supply a sample? * It’s not uncommon for attackers to insert backdoors into images. Usually in the form of EXIF data which can be removed without hurting the source of the image. * I think this link should help: * [http://www.howtogeek.com/203592/what-is-exif-data-and-how-to-remove-it/](http://www.howtogeek.com/203592/what-is-exif-data-and-how-to-remove-it/) * [BenSucuri](https://wordpress.org/support/users/rngdmstr/) * (@rngdmstr) * [9 years, 10 months ago](https://wordpress.org/support/topic/malware-inside-images/#post-7671196) * Also, if you head over to [http://archive.org/web/](http://archive.org/web/) you might be able to find old, cached versions of the images before the hack occurred. * Thread Starter [JustinF](https://wordpress.org/support/users/justinfeldman/) * (@justinfeldman) * [9 years, 10 months ago](https://wordpress.org/support/topic/malware-inside-images/#post-7671203) * Thanks for replying! * The error reads: * **Post contains a suspected malware URL: Choosing the right Point of Sale (POS) system** * > This post contains a suspected malware URL listed on Google’s list of malware > sites. The URL is: [http://www.retailandrestaurant.co.za/wp-content/uploads/2013/11/IronTree.jpg](http://www.retailandrestaurant.co.za/wp-content/uploads/2013/11/IronTree.jpg) * [BenSucuri](https://wordpress.org/support/users/rngdmstr/) * (@rngdmstr) * [9 years, 10 months ago](https://wordpress.org/support/topic/malware-inside-images/#post-7671220) * Oh I see. That WordFence flag is generating because your website is blacklisted by Google 🙁 The image itself is fine, there’s no exif data or script code in it from what I see here. * Once the infection is removed from your website and blacklist removal request submitted to Google, that will fix the WordFence warning. But it seems there are much bigger issues here, unless you’ve already removed the malware. * SiteCheck doesn’t seem to be flagging the malware itself: * [https://sitecheck.sucuri.net/results/www.retailandrestaurant.co.za](https://sitecheck.sucuri.net/results/www.retailandrestaurant.co.za) * So it’s hard to say what the root of the problem is. I’d suggest taking a look here and follow this guide: * [https://codex.wordpress.org/FAQ_My_site_was_hacked](https://codex.wordpress.org/FAQ_My_site_was_hacked) * [BenSucuri](https://wordpress.org/support/users/rngdmstr/) * (@rngdmstr) * [9 years, 10 months ago](https://wordpress.org/support/topic/malware-inside-images/#post-7671223) * Hmm I forgot to ask, is retailandrestaurant your website, or is that image being grabbed from another domain? If the latter, you can just host that image on your server instead of loading it from external site. * Thread Starter [JustinF](https://wordpress.org/support/users/justinfeldman/) * (@justinfeldman) * [9 years, 10 months ago](https://wordpress.org/support/topic/malware-inside-images/#post-7671251) * Can you tell me what you are basing your assessment of the images on? You say“ here’s no exif data or script code in it from what I see here” … How exactly did you inspect them? I’m only asking because I struggled to find a means of checking them for malware, so I would love to know for future. * I have removed the major malware from the site. There were some .php files hiding in the wp-content folders and there was one or 2 lines of unsavoury looking code in the .hta-access file. All of that is gone. * All the images are being hosted on the cloudflare server that the website is hosted on. But luckily a lot of them are stock images from the internet, so I can probably find them again. Viewing 6 replies - 1 through 6 (of 6 total) The topic ‘Malware inside Images’ is closed to new replies. * ![](https://ps.w.org/wordfence/assets/icon.svg?rev=2070865) * [Wordfence Security - Firewall, Malware Scan, and Login Security](https://wordpress.org/plugins/wordfence/) * [Frequently Asked Questions](https://wordpress.org/plugins/wordfence/#faq) * [Support Threads](https://wordpress.org/support/plugin/wordfence/) * [Active Topics](https://wordpress.org/support/plugin/wordfence/active/) * [Unresolved Topics](https://wordpress.org/support/plugin/wordfence/unresolved/) * [Reviews](https://wordpress.org/support/plugin/wordfence/reviews/) ## Tags * [hacked](https://wordpress.org/support/topic-tag/hacked/) * [images](https://wordpress.org/support/topic-tag/images/) * 6 replies * 2 participants * Last reply from: [JustinF](https://wordpress.org/support/users/justinfeldman/) * Last activity: [9 years, 10 months ago](https://wordpress.org/support/topic/malware-inside-images/#post-7671251) * Status: not resolved