16 Feb 2013
Recovering from a malware attack
This is my first encounter in over 10 years of doing web design. There was a large site that started showing up in the Google search results with a subtitle showing “This site may harm your computer.” It was interesting to read up on the many forums and blogs giving advice to clean it. It wasn’t until we had an external security company check it out that I discovered good articles that explained what had happened.
The security company said it’s wp-count.php that is the problem. I deleted that file after downloading a fresh copy of WordPress and comparing the two directories. In addition, search results showed that the malware would also add a wp-apps.php file and affect many of the theme files, especially the footer.php.
I found a PHP script that pointed to wp-apps.php using DOCUMENT_ROOT. I found it in a few more theme files than just footer.php. And Wordfence Security and WordPress Firewall had indicated that our backups and caches were infected. After deleting several of them, we resubmitted our website to Google via the webmaster tools.
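One way to do the directory comparison described above, as an added example that is not the author's own procedure: a Python script that hashes a fresh WordPress copy against the live tree, lists files that are new or changed, and flags theme files that pull in wp-apps.php via DOCUMENT_ROOT. The two sample trees it builds are constructed for the demo.

```python
import hashlib
import re
import tempfile
from pathlib import Path

# Shape of the injected loader the post describes: a theme file that includes
# wp-apps.php through DOCUMENT_ROOT. Constructed approximation, not a real sample.
LOADER_RE = re.compile(r"DOCUMENT_ROOT.*wp-apps\.php", re.S)

def file_digests(root):
    """Map each file's path (relative to root) to its SHA-256."""
    root = Path(root)
    return {str(p.relative_to(root)): hashlib.sha256(p.read_bytes()).hexdigest()
            for p in root.rglob("*") if p.is_file()}

def compare_trees(clean_root, live_root):
    """Files present only in the live site, and files whose content differs from the clean copy."""
    clean, live = file_digests(clean_root), file_digests(live_root)
    added = sorted(set(live) - set(clean))
    modified = sorted(f for f in live if f in clean and live[f] != clean[f])
    return added, modified

def find_loaders(live_root):
    """PHP files in the live tree that reference wp-apps.php via DOCUMENT_ROOT."""
    live_root = Path(live_root)
    return sorted(str(p.relative_to(live_root)) for p in live_root.rglob("*.php")
                  if LOADER_RE.search(p.read_text(errors="ignore")))

def build_demo():
    """Constructed sample: a clean WordPress copy and an infected live copy."""
    base = Path(tempfile.mkdtemp())
    clean, live = base / "clean", base / "live"
    for root in (clean, live):
        (root / "wp-content/themes/demo").mkdir(parents=True)
        (root / "wp-load.php").write_text("<?php // core file\n")
        (root / "wp-content/themes/demo/header.php").write_text("<?php get_header(); ?>\n")
        (root / "wp-content/themes/demo/footer.php").write_text("<?php wp_footer(); ?>\n")
    # Two files the post says the malware adds, plus a tampered footer.php
    (live / "wp-count.php").write_text("<?php // unexpected file\n")
    (live / "wp-apps.php").write_text("<?php // unexpected file\n")
    (live / "wp-content/themes/demo/footer.php").write_text(
        "<?php include($_SERVER['DOCUMENT_ROOT'] . '/wp-apps.php'); wp_footer(); ?>\n")
    return clean, live

if __name__ == "__main__":
    clean, live = build_demo()
    added, modified = compare_trees(clean, live)
    print("added:", added)          # files with no counterpart in the fresh copy
    print("modified:", modified)    # core/theme files whose hash changed
    print("loaders:", find_loaders(live))
```

Run it against a real site by pointing compare_trees and find_loaders at the unpacked WordPress download and the live document root instead of build_demo's temporary trees.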
I’m not sure yet if this will eliminate the extra harmful pages found by Google, but we’ve taken extra security measures. During the initial troubles, I ran several deep scans on the files and found one .htaccess file to be corrupt. And after looking at Sucuri’s scan of the site, only Google complained about malware, but other popular security programs didn’t see it. More security measures were to change out passwords, harden our system, block domains that had been noted in the warnings as having malware, and secure our directories.
Thanks to this experience, I’ve learned more about security and what to look for when it happens again.