Thousands of WordPress sites infected with newly discovered malware

Thousands of WordPress sites infected with newly discovered malware

A new smalware is making the rounds on WordPress-based websites, seeking to exploit 30 known vulnerabilities in several outdated WordPress plugins and themes. The malware injects malicious JavaScript into target websites. It is designed to target 32-bit versions of Linux, but can work on 64-bit versions as well.

According to researchers from the security firm Dr.Web, the Linux-based malware, Linux.BackDoor.WordPressExploit.1, installs a backdoor that allows infected sites to redirect visitors to malicious sites. It is also capable of disabling event logging, going into sleep mode and shutting down. It installs by exploiting already patched vulnerabilities in plugins that website owners use to add features such as live chat or metrics reporting to the WordPress core content management system.

Plugins exploited include:

WP Live Chat Support Plugin
WordPress - Yuzo Related Posts
Yellow Pencil Visual Theme Customizer Plugin
WP GDPR Compliance Plugin
WordPress Access Control Log Theme (Vulnerability CVE-2016-10972)
Thim Core
Google Code Inserter
Total Donations Plugin
Post Custom Templates Lite
WP QuickBooking Manager
Facebook Live Chat by Zotabox
Blog Designer WordPress Plugin
WordPress Ultimate FAQ (vulnerabilities CVE-2019-17232 and CVE-2019-17233)
WP-Matomo integration (WP-Piwik)
WordPress ND Shortcodes for Visual Composer
WP Live Chat
Coming Soon page and maintenance mode
Brizy WordPress Plugin
FV Flowplayer Video Player
WordPress Coming Soon page
OneTone WordPress Theme
Simple Fields WordPress Plugin
Delucks SEO WordPress Plugin
Poll, Survey, Form & Quiz Maker by OpinionStage
Social Metrics Tracker
WPeMatico RSS Feed Collector
Rich Reviews Plugin

If one or more vulnerabilities are successfully exploited, the targeted page is injected with malicious JavaScript that is downloaded from a remote server. The injection is performed in such a way that when the infected page is loaded, this JavaScript is launched first, regardless of the original content of the page. At this point, each time the user clicks on the infected page, he is forwarded to the website the attackers want him to go to.

The researchers found two versions of the backdoor: Linux.BackDoor.WordPressExploit.1 and Linux.BackDoor.WordPressExploit.2. According to them, the malware could be used for three years. Linux.BackDoor.WordPressExploit.1 is developed with additional features, including switching to sleep mode, automatic shutdown and pausing the recording of its actions. The malware is designed to target 32-bit versions of Linux but can also work on 64-bit versions.

Along with Linux.BackDoor.WordPressExploit.1, Dr. Web also came across a variant of the same backdoor. The difference is that Linux.BackDoor.WordPressExploit.2 has a different C2 server address, a different domain address from which the malicious JavaScript is downloaded, and targets 11 additional plugins.

WordPress plugins have long been a common way to infect sites. While the security of the main application is quite strong, many plugins are riddled with vulnerabilities that can lead to infection. Criminals use infected sites to redirect visitors to sites used for phishing, ad fraud, and malware distribution. People running WordPress sites should make sure they are using the latest versions of core software and plugins. They should update the plugins listed above first.

10 Steps to Fix Malware Infected WordPress

Step 1: Backup all your database and files

Use the web host's site feature to backup the entire site. As the site will be large, the download will take time.
You can also try the WordPress backup plugin if you were able to log in. 

Don't forget to save your .htaccess file and then upload it. You can locate this invisible file in the web host's file manager. You need this backup data to copy them to your own site. Sometimes the .htaccess file can also be hacked, so be sure to take a closer look.

Step 2: Download and analyze backup files

Once the backup of the files is done, download it then open the zip file and check for the following files in the malware infected WordPress repair process.

WordPress core files: Download WordPress from and match your downloaded files to your files on WordPress. You will need these files later to investigate the hack.
wp-config.php file: The most important file, as it contains your name, username and password for your WordPress database, which will be used for the restore process.
.htaccess file: Use an FTP program (ex-FileZilla) to view the backup folder or your invisible file.
wp-content folder: In this folder, you will find three folders including downloads, themes, plugins and uploaded images. This shows that you have an excellent backup of your site.
The database: For emergencies, you should keep an SQL file of your database export.

Step 3: Delete all files from the public_html folder

Once you've confirmed that your backup is complete, delete all of your files in the public_html folder using the host's file manager.
Leave the cgi-bin folder and other server-related folders (free of any hacked files).
Use File Manager instead of FTP to delete files as it is much faster than others. If you are able to use SSH, that will also work. (don't forget to delete compromised invisible files)

Note: If you use multiple websites on the same account, remember to follow the same steps for each site. Cross-infection is possible, so backup them all, download them, and clean them.

Step 4: Reinstall WordPress

Now is the time to reinstall WordPress. Whetherl was originally installed in the public_html directory, reinstall WordPress in the same location. If it was in the subdirectory, install it in an additional domain.
Take the reference from your backup and edit the wp.config.php file on the newly installed WordPress. This will help you connect the old database to the newly installed WordPress.

Do not re-upload the previous wp-config.php file, as the new file will be free of any pirated code. Additionally, the new installation will have new connection encryptions.

Step 5: Reset permalinks and password

Login to your new site > reset all usernames and passwords.
If you find unrecognized users, it means your database has been compromised. In this case, you should contact a professional to remove any unwanted code left in your database.

Step 6: Reinstalling plugins

Now you can reinstall all plugins from premium login developer or WordPress repository. Make sure you don't install previous plugins, this is how you fix malware infected WordPress.

Step 7: Reinstall Themes

Then install the themes from the new downloads. Users can customize theme files, take references from backup files, and reproduce new changes in the current file.

Note: Do not use the previous theme, as it will be difficult to recognize pirated files.

Step 8: Scan and download images from backup

Here is the tricky step in the process of repairing a malware infected WordPress, the user has to download images from the backup files. But you have to be careful not to copy pirated files to new WordPress content. For this reason, follow these steps:

Examine each record, year/month on them.
Open each folder and make sure there are only images inside and no H or JavaScript files or anything other than what you uploaded to your media library.
Once you are confirmed on your images, you can upload them to the server using FTP.

Step 9: Scan your system

Check your system for Trojans, viruses, and malware. When you have completed all the steps mentioned above, now is the time to protect your server for the future. To do this, follow the following steps in the process of repairing a malware-infected WordPress:

Install the Shield WordPress Security plugin from iControlWP and activate it. Go through all of its settings and run an audit function for a few months, to track every activity on the site.
Run Brute-Force firewall and anti-malware and scan your site thoroughly. Confirm everything is covered using Sucuri's Site check.
Once you have checked that the site is clean, disable the Anti-Malware plugin because you don't need two firewall plugins at the same time. This shield will notify you if there is a change in the core files.

Step 10: Install and activate security plugins

When you have completed all the steps mentioned above, now is the time to protect your server for the future. To do this, follow the following steps in the process of repairing a malware-infected WordPress:

Install the Shield WordPress Security plugin from iControlWP and activate it. Go through all of its settings and run an audit function for a few months, to track every activity on the site.