A recent and widespread attack on WordPress websites, which surfaced last week, redirects site visitors to a malicious, advertisement-filled web page. Many WordPress sites have been reported as affected by this malware. If you are among the unlucky site owners hit by this attack, don't worry: in most cases it can be removed from your website within a few minutes, so bear with me here.
A word of caution before we proceed further. To resolve this issue with your website, you will need to alter a few WordPress files and data. This post is a suggestive guide for debugging the problem and is in no way a professional solution for it. Reader discretion is advised before running any commands on the website server. Make a backup of all the data on your website server before proceeding with this guide. The author of this post and Eternal Geeking (the website) will not be responsible for any losses (data or monetary) caused by any of the steps mentioned below.
– Eternal Geeker
What does it look like for your users?
A user visiting your website will be redirected to a malicious, ad-filled web page that has no relation to your website whatsoever. For your end users, your website is gone.
If your users run an anti-malware or ad-blocker extension, there is a very high chance that they will see a warning message before reaching the malicious web page. To them, your website is now the malicious website, and this may also hurt your Google indexing score.
What should you do if your website is affected?
The first and foremost thing you can and should do is reach out to your users via other communication channels. They are your most valuable asset after your content. Keep the users posted on what is happening; communication is key here. Now, to solve the issue with your website, follow the steps below:
- If you have access to the web hosting server, i.e., if you set up WordPress yourself, then I am assuming you know your way around. The commands shared in the steps below are for a Linux server and might not work on a Windows server, but the steps to identify and rectify the problem remain the same.
- Yes, I know my way around!
- Log into the hosting server of the affected website.
- Traverse to the root directory of your website. For a website, the root is the outermost directory from which the content is served. If your WordPress is installed in
/var/www/html/wp
then the directory ‘wp‘ is your root directory. You can simply write:
cd </path/to/your/website/root>
Replace </path/to/your/website/root> above with the actual absolute path to your website root.
- Once in the root directory, look into the ‘index.php‘ file for something that doesn't belong there. In our case it is a script tag at the beginning of the file containing a URL with the domain ‘ws.stivenfernando.com’. Since we now have an identifier, run the following command to find all the affected files:
grep -rnw ./ -e "ws.stivenfernando.com" > infected.txt
The above command writes a list of the files affected/infected by this malware to infected.txt. As a pattern, you will notice that the infected files are all named index. So this malware only infects files named index, and simply inserts a malicious script tag at the beginning of the file to redirect visitors to the malicious web page.
- Now comes the hard part: removing those script tags from each of the files listed in infected.txt. You can either go through each file manually and remove the script tag, or write a script to perform this operation. The former can take forever, depending on your installation and the number of files in it. You can also remove a few of the affected plugins and themes, which removes their files, and reinstall them to get malware-free code from the source.
- When you think you are done removing the malicious code, run the command from Step 3 above to make sure that no files were missed.
- One last step is to log into the MySQL server and, in your website database, look at the wp_options table. If the entry for Site URL has been changed to the malicious URL above (ws.stivenfernando.com), change it back to your own website URL.
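As an added example, not code from the original post, the POSIX shell script below automates the grep, the clean-up and the re-check from the steps above: it lists every file under the site root that references the marker domain, removes the injected script element from each, keeps the original copies in a quarantine directory outside the web root, and rescans the tree at the end. The domain is the one named in this post; the script assumes the injected tag sits on a single line as described, and that a full backup of the site already exists. The function names (list_infected, is_clean, clean_file, clean_tree), the quarantine layout and the file name clean_redirect.sh are my own choices.

```shell
#!/bin/sh
# Added example, not code from the original post. Automates the grep, the
# clean-up and the re-check from the steps above for the redirect malware
# described there.
# Assumptions (mine): the marker domain is the one named in the post, the
# injected element is one <script ...src=...domain...></script> on a single
# line, and a full backup of the site already exists.
set -eu

MARKER='ws.stivenfernando.com'
# The same domain with its dots escaped, for use inside the sed regex.
MARKER_RE='ws\.stivenfernando\.com'

# list_infected ROOT: print the path of every file under ROOT containing the marker.
list_infected() {
    grep -rlF -- "$MARKER" "$1" 2>/dev/null || true
}

# is_clean FILE: succeed when FILE no longer references the marker domain.
is_clean() {
    ! grep -qF -- "$MARKER" "$1"
}

# clean_file FILE QDIR: copy FILE (with its mode) under QDIR, then delete every
# <script ...>...</script> element whose opening tag mentions the marker domain.
# Writing through a temp file and cat-ing back keeps FILE's owner and permissions.
clean_file() {
    f="$1"
    dest="$2/$f"
    mkdir -p "$(dirname "$dest")"
    cp -p "$f" "$dest"
    tmp=$(mktemp)
    sed -E "s#<script[^>]*${MARKER_RE}[^>]*>[^<]*</script>##g" "$f" > "$tmp"
    cat "$tmp" > "$f"
    rm -f "$tmp"
}

# clean_tree ROOT [QDIR]: clean every infected file under ROOT, keeping the
# originals under QDIR (a fresh temp dir by default, outside the web root so
# the quarantined copies do not show up in the final rescan). Returns non-zero
# if the rescan still finds the marker anywhere, which is the post's last check.
clean_tree() {
    root="$1"
    qdir="${2:-$(mktemp -d)}"
    count=$(list_infected "$root" | wc -l | tr -d ' ')
    list_infected "$root" | while IFS= read -r f; do
        clean_file "$f" "$qdir"
    done
    echo "cleaned $count file(s); originals kept under $qdir"
    leftover=$(list_infected "$root")
    if [ -n "$leftover" ]; then
        printf 'still infected:\n%s\n' "$leftover" >&2
        return 1
    fi
}

# Usage: sh clean_redirect.sh /path/to/your/website/root [/path/to/quarantine]
if [ $# -gt 0 ]; then
    clean_tree "$@"
fi
```

Run it as sh clean_redirect.sh /path/to/your/website/root. The originals are kept outside the web root on purpose: a backup copy left next to index.php would itself match the final rescan. The script deliberately does not touch the database, so the wp_options check in the last step stays manual; the two option names to inspect there are siteurl and home.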
- No, I haven't set up WordPress myself!
- Contact the person who set up the website for you.
- Tell them about the exact issue. If required share this post with them.
- Let them handle it, as they know their way around.
- If you do not have access to the web hosting server, contact your hosting service provider with a request to restore a previous backup that predates the malware, assuming your hosting provider makes regular backups of your website. The best you can do in this case is to get in touch with your hosting provider's technical support to resolve the issue.
WordPress issue link: https://wordpress.org/support/topic/hacked-138/
If this guide was helpful and you were able to resolve your problem, don't forget to like, share and give a shout-out to EG! Comment below with any suggestions and edits related to this post.