WordPress Security and Malware

Serbia is a country in which security is not a thing that is being taken seriously. Security of the country, its citizens, their health, social status, or businesses, are not things which were given much of a second thought. And security is a serious thing.

Let us assume that your business is online-based. So the first thing your new clients see is your website. And if your website is powered by WordPress, not paying enough attention to its security is exactly the same like not thinking about the security of your business.

WordPress security is a serious topic indeed. We have seen so far how one infected WordPress website can compromise a large number of other websites through cross-site scripting. As with any CMS, the more popular it gets, the more security issues appears. WordPress is sort of an exception, since there are rarely significant security problems with the WP’s code – mostly the plugins and themes are the ones to blame. The WordPress team is focused on solving any security issues that appear in their code; unfortunately, the same could not be said for plugins and themes authors.

We have decided to show you four most common WordPress security issues, how to bypass them, how to prevent them, and what to do when the problem happens. We will explain how breaches are made, for which security flaws are WP users most vulnerable, and what are they doing to a WordPress website. In this blog post, we will also cover backdoor scripts, malicious downloads, pharma hacks, and malicious redirections.



In the past two years malware has grown by 140%. At the same time, WordPress has achieved its peak, and is currently powering over 25% of websites on the whole Internet. In the world of security, this means that there are more WP malware than ever before.

What makes WordPress vulnerable?

It’s quite simple: an unattended WordPress installation running some of the previous, unpatched versions, together with security holes in plugins and themes. If you add end user ignorance on top of that – you have a perfect formula for a vulnerable website. So let’s go one thing at the time.

The first problem is not running the updated version of WordPress. Whenever a new update for WordPress is released, website administrators receive a notification. The problem is that a lot of website owners simply ignore the message, and chooses not to update their WP installation. We have mentioned before that WordPress itself is often not the problem, but every new version comes with some security fixes in it. You can check it out through differences in versions 4.4.1 and 4.4.2. As you can see there is some risk, but WordPress authors are so fast in solving those issues and releasing new versions, so mass disasters just doesn’t happen. All you have to do is to remember to update your WordPress installation. It shouldn’t be such a big deal since WordPress authors have made the whole operation happen in a single click. An excellent example of how can an outdated version of WordPress can compromise a serious business is the recent hacking of Reuter’s website.

Safety issues are most often hidden in plugins and design themes. There are over 20.000 plugins for WordPress. And almost the same number of themes available online. Some of the plugins have malicious code embedded in them, or a security vulnerability, while others are just left without any updates and patches for a while. The WordPress community has posted a notification over every plugin that hasn’t been updated for more than 2 years.

Sometimes, the biggest security threat are the users themselves. There is a common belief with website owners that the hardest part is to create a website. You just pay some agency to create it and when it’s done – just leave it that way. If we were still in 1995 that would may still be the case, but today the rules of the game have changed.

According to the authors at Smashing Magazine, here are some of the most often WordPress issues:

  • Outdated WordPress installation Poor password and logon management
  • Poor system administration
  • Unprotected servers
  • Lack of system’s inner working knowledge
  • Inadequate troubleshooting – lack of systematic approach

Just a little time and education is all that is needed for these problems never to appear. And once you learn how it’s done, don’t stop – learn another person – because there are a lot of people who just don’t have a clue about this, since it is not their area of expertise or interest.

The evolution of malware

As Internet grew, malware grew also. Back in the old time, hacking and malware infections were used to show supremacy over the site’s webmaster. The idea was to show who was better and stronger. Today, things have changed – it’s all about the money. We all remember recent DNSChanger infection, which has brought its hacker authors over 14M USD until they were finally stopped by the FBI. There are still malnets networks operating today, distributed networks of infected computers which are used for stealing of data, DDoS attacks, malicious downloads, and spam distribution. Alongside with them, there are malware bots, which operate automatically by scanning for vulnerabilities on websites and automatically inserting malicious code which leaves the bot’s author enough time to focus of system’s vulnerabilities. These bots can be purchased for a very affordable price.

Most common WordPress vulnerabilities

In this post we will focus on the four most common WordPress vulnerabilities. Those are:

  • Backdoor scripts
  • Malicious downloads
  • Pharma hacks
  • Malicious redirections

Backdoor scripts

Backdoor scripts enable the attacker to gain access to your environment, access your FTP, sFTP, wp-admin section etc. They can access your account through command line, and sometimes we can see interfaces like this one:


Backdoor scripts are quite dangerous. Worst case scenario – a backdoor injected in your website can cause serious problems and even loss of data on the whole server. AdriaHost proactively protects you from these types of vulnerabilities. Every night, while you’re sound asleep, we are scanning your account, and if we notice any problems, we will let you know.

How is the attack performed?

The attack often occurs due to outdated software and scripts. We have recently witnessed a problem with the timthumb script, which is used by the majority of WordPress themes, mainly for resizing images on your website. The safety issue in this script enabled the hackers to inject malicious code in your hosting account and execute it from there.

Here is the example of the timtumb vulnerability seeking script:


How does it look like?

Often, the malicious script can be recognized as encoded base64/eval script or as an encoded part of a script. Sometimes it’s not even the case – the following image shows a seemingly ordinary script:


Another example:


Example of a code targeting solely the timthumb vulnerability:


Example of code often seen in WordPress installations, also known as FilesMan:


How do I know that I’m under attack?

Backdoor looks different each time, but a certain pattern can be detected. You may notice files with names like these ones in your hosting account:

  • wtf.php
  • wphap.php
  • php5.php
  • data.php
  • 1.php
  • p.php
  • satan.php

In other cases, the code can be injected in standard files that your site is using:


Backdoor scripts are constantly changing and growing, so there is no final solution for the backdoor scripts issue.

How can I protect myself?

Although backdoor scripts are tough to detect, once the hack happens there are some step which can be taken as a precaution.

1. A combination of 3 steps for protection of the wp-admin section has shown as an efficient way of protecting your website from backdoor attacks:

  • Limit access to your IP address
  • Enable two-step authentication
  • Allow login only at specific times

We know, it sounds paranoid, but it is because it is paranoid. You must be a freak when it comes to security.

2. Disable execution of PHP files via third party

The most vulnerable is the /uploads folder in WordPress installation, because, in order for WordPress to operate, this folder must have writing permissions. So the only thing you can do is to prevent php execution in that folder by entering following code in your .htaccess file:

<Files *.php>

Deny from All


How to find it and remove it?

When and if you find the right file, all you need to do is to delete it. It’s a first step, and it actually means nothing, since a security hole through which the attack happened still exists. This is the part about which you don’t need to worry much since, as we said earlier, we are scanning and automatically finding files which have known vulnerabilities or are backdoor scripts.

You can check your files, check the dates of the last changes, or is there something in your hosting account which you didn’t put there. People often mistake by thinking that reinstalling the WordPress will make the problem go away. It will, if you are lucky enough that the backdoor was only in your WordPress files, which is almost never the case. WordPress reinstall does not delete files from your account, it just overwrites them with new versions, so it doesn’t delete the files which are not a part of WordPress.

Malicious downloads

Malicious downloads are files downloaded on your computer without your knowledge. They are most often uploaded to your website as a script that initiates malicious software installation on the victim’s computer, after which their computer becomes a zombie, free to be used at purpose known to the attacker. Ironically, one of the most common messages associated with this problem is when a user sees an information that his computer is infected and it that it is necessary to install an antivirus.


How an attack occurs?

Some of the most usual problems are:

  • Outdated WordPress
  • Weak password
  • SQL injection

How does it look?

Below are some of the examples of scripts which initiate unauthorized downloads:

Example 1:


Example 2:


Example 3:


As we said, the attacks are becoming more and more sophisticated, so we are noticing so called conditional downloads which contain malicious code. This means that the downloads will not initiate every time the page loads, since it would be easy to notice it, but only when certain conditions that the attacker has defined have been met.

How do I know if I’m attacked?

A pretty good way to check if your website is performing unauthorized downloads on visitor’s computers is using the Sucuri scanner. It is an online scanner that checks the most of safety aspects of your website, the ones which can be verified from end user point of view. Also, there is also the Google Search Console, where you can submit your website. If Google detects malware on your website, it will confirm it via email before they blacklist your website. If Google blacklists your website, it is a certain sign that your website is infected. It is necessary to locate the source of the malware, clean it and then notify Google through Search Console in order for them to reevaluate your site.

Besides using a scanner, finding a malicious code can depend on its complexity. Check if your account shows something like this:


The good thing is that this type of code is almost always located in files used by your site, and they are rarely located in a file that is not a part of your website. Files that you can check for malicious code are:

  • wp_blog_header.php
  • index.php
  • index.php (theme file)
  • function.php (theme file)
  • header.php (theme file)
  • footer.php (theme file)

In 60% of the cases the problem will be in some of these files. Anti-virus software can also help a lot with detecting unauthorized downloads. Team from Sucuri has announced that in some cases the download was embedded in a post or page, which means that malicious code was injected into your SQL database. If that is the case, it would be necessary to check your database for anything that shouldn’t be there. A clue that your website was under the SQL inject attack are registered users on your website, and you haven’t registered them nor they were not registered before.

How to clean it?

We recommend to download your website on your computer and start searching. Total Commander’s search feature for text within files can be quite useful. It is enough to find one file with malicious code in it, and then to search for that string in other files of your website.

Pharma hack

Pharma hack is one of the most sophisticated ways to hack your website. Your site is working normally and you are not noticing anything unusual, but if you type your website’s name in Google, the search results look very funny, like on the picture below:


How does it occur?

Pharma hack uses a number of rules defining what info will be shown to the user. They can be controlled easily with a simple piece of code shown on picture:


Some attackers go a step further and create vulnerability databases on your account, after which you get redirected to the online store under the attacker’s control:


As any other SPAM, pharma hack serves to create revenue to the attacker. Sometimes a click-through is what pays, sometimes just visits. Only rarely the pharma hack can redirect you to another additionally infected website, but most of the time everything happens instantly. That is why it’s very difficult to detect and remove this type of infection. Searching for keywords used in the hack won’t do much, since they are masked. And you would be surprised how many pharmaceutical companies are advertising for those keywords, which means more money and more attacks.

How does it look?

This type of attack is very complex. It can look like this:


Lately, things got more complicated, so a result of pharma hack can look like this:


Another form of pharma hack is when a visitor clicks on an ordinary link on your website, e.g. Home page, Contact, About Us… and gets redirected to an online store that is advertising, like on an example below:


How do I know if I’m attacked?

Earlier, it was easy to find this type of vulnerability on your website since it was quite obvious that the site was infected, but nowadays things have changed. The safest way is to set up some type of file monitoring on your WordPress website and to track changes. That has shown proven results.

You can try free scanners, and yet we go back to Sucuri, but have in mind that this is a very sophisticated exploit and that technically nothing seems out of the ordinary, making it very difficult to detect what is valid, and what is hacked content.

How to clean it?

Download your WordPress and your database to your computer and look for keywords. This may not get you far, but it will lead you in the right direction, in order to identify location of the hack – whether it’s in comments, posts, files etc. When you do identify it, search through your WordPress database and check your content. The database can be edited as a plain text file and searched for previously identified keywords. Hint: pharma hack has often targeted the Akismet plugin, hiding in its tables in the database.

If you can’t detect keywords in your files, you can try the Bots vs. Browsers service, which would test your website’s results against all browsers.

How to prevent infection?

Although pharma hack often occurs with outdated WordPress installations, it may not necessarily be the case. We have witnessed a DreamHost’s server breach which resulted in all WP databases being injected with pharma hack.

In order to prevent pharma hack:

  1. Update your WordPress and all of your plugins to the latest versions
  2. Do not host your website on unsecured servers

Malicious redirections

Malicious redirections send your visitors to a malicious website. In 2010 there were over 42926 malicious domains to which victims of this vulnerability were sent to. In 2011 that number grew to 55294, and this includes only main domains, not subdomains.

Malicious redirections can contain malicious code, but it’s not always the case. For example, if a visitor arrives at your website and gets redirected on someothersite.com/file.php, and file.php contains malicious code, then it is a malicious attack. If there is only redirection to someothersite.com for pure visits logging, then it not so dangerous, but you definitely must deal with this issue.

How does an attack occur?

As before, unauthorized access is the main culprit. An attacker can send a bot searching for a Thimthumb vulnerability, and when it detects it, a backdoor file can be placed, as we explained earlier. Additional files are then placed to redirect your visitors to other websites.

How does it look like?

This problem is by far easiest to solve out of all four presented in this post. The redirection is often performed directly in your .htaccess file and can look like this:


Or this:


Redirection can be performed through a PHP file, using an encoded script usually in index.php , header.php or footer.php files. It looks something like this:


How can I know whether my site is hacked?

There are several ways:

  • Sucuri scanner
  • Testing with Bots vs. Browsers
  • Visitors will let you know directly

How to clean the infection?

Malicious redirections are easy to clean. Here is the recommended procedure:

  • Open your .htaccess file
  • Save rewrite rules that you’ve previously added
  • Delete everything else
  • Track down every .htaccess file on your hosting

How to protect?

Since it all about a .htaccess file, we recommend lowering permissions on that file so that only the owner can edit it.

You can also read this tutorial on how to protect a WordPress .htaccess file.


We hope that we’ve shed some light on the most common WodPress security issues. Maybe everything above looks a little scary, but trust us, everything can be solved, and we haven’t had a user that has lost his website due to WordPress vulnerabilities. And if there is only one thing to remember from this long story – always update your WordPress.

10 advices for WordPress security

  • Don’t use generic usernames, always know who is accessing the website
  • Secure your folders. Forbid PHP execution.
  • Make regular backups – you never know what can happen
  • Use safe connections to your server
  • Check your hosting provider’s security
  • Forbid unnecessary logins on wp-admin, FTP
  • You don’t have to write an article as an admin, and not everyone should be admin

Tags: , ,

2 Responses

  1. Joni Mueller January 27, 2017 at 10:08 am #

    Do you use WP Scan on client sites? Just curious. 🙂

    • Goran Magdic January 30, 2017 at 12:10 pm #

      Hi Joni,

      Actually no, we use Sucuri combined with our own malware detector 🙂

Submit Comment