How to remove a WordPress virus
How I came to notice my WordPress site had the virus
I've been creating my own websites for years - ever since I was young and had a fascination with a certain boy band. Now I've grown up and moved on from such interests, although I still enjoy creating my own websites.
Currently I'm using WordPress on my website, as it seems to be quite powerful. However, because of this, I feel as though much of my site is beyond my control. I realized just how little control I had over what was happening on my site when it became infected with a virus. While at work using Lotus Notes, I could see that some strange external location was being loaded through my site - something similar to pornovanal.ru/module/tracking/..... etc (DON'T try to follow that). I *know* there should never be anything like that being loaded from my site.
My second clue came when my virus scanner popped up after loading my site with an alert saying that Firefox had a threat - JS Downloader.Agent.
So - follow me in my efforts to remove this virus.
A word of warning - I am a beginner at this. However, as there seems to be very little help online, especially in simple terms, I thought others would find it useful, and even just understanding how WordPress works will make things easier. Read it, think about it, read other people's ideas, and decide the best method for you.
First Things First - back up your database
I was a bit naive with WordPress. I'm used to everything being stored in HTML files, and these days in PHP files. However, WordPress uses a database, so all your posts and comments are stored in that database. You cannot simply download your WordPress directory and consider that an adequate backup.
You need to log into your database (phpMyAdmin) and follow the directions to back it up. This does not back up your WordPress files, but it will back up all your posts and comments. It's a start at least.
WordPress has already created these instructions, so follow them here.
With the new WordPress 2.7, there is an easy Export option under Tools, which would also be worth carrying out. I haven't yet tested how it differs from the database backup, but it's worth doing, and it may be useful to have two separate backup strategies.
I don't have the ability to search through pages of code and pull out the malicious code. I'm new to PHP coding, and this just wasn't an option for me.
However, as all your main content is stored in your database, you can update or replace your entire set of WordPress files without losing your content. You will also have to update your theme with fresh, clean files. You may lose some of your personal formatting and tweaking, unless you have a clean version of your tweaked theme and files on your hard drive.
This is where I found one of the tricks to this virus. This virus created a new user on my database, and changed my wp-config.php file so that it logged into my database using this new user id and password. I knew I would never create a password such as a987g678sdf876s.
So - from there I logged into phpMyAdmin, and removed this new user. However, you must also change your wp-config.php file to have your normal username and password in it, not the changed/hacked username and password.
- Log into phpMyAdmin
- Select your blog database from the left hand drop down menu
- Click on the privileges tab
- Look for an unrecognized/suspicious user, which matches your wp-config.php login (one that you never created)
- Click the 'Edit privileges' image for this user, and remove all options
- Edit your wp-config.php file and put your original username and password back in the required places
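The two checks in the list above (an account in the database that you never created, and a wp-config.php that logs in as that account) can be done by hand in phpMyAdmin, but here is an added example script that does the same comparison. It is not code from the original post: the sample wp-config.php text, the account names, the password and the list of accounts are all constructed for the example, standing in for what you would read off the Privileges tab.

```python
import re

# Constructed sample wp-config.php text, in the shape WordPress uses (define('KEY', 'value');).
# The account name and password are made-up stand-ins, not values taken from a real site.
SAMPLE_WP_CONFIG = """<?php
define('DB_NAME', 'myblog');
define('DB_USER', 'wp_x9k2q');
define('DB_PASSWORD', 'a987g678sdf876s');
define('DB_HOST', 'localhost');
$table_prefix = 'wp_';
"""

# Hypothetical lists: the accounts you know you created, and the account names as you
# would read them off phpMyAdmin's Privileges tab (both constructed for this example).
KNOWN_DB_USERS = {"root", "blogadmin"}
SAMPLE_PRIVILEGE_LIST = ["root", "blogadmin", "wp_x9k2q"]

# Matches define('CONST', 'value'); with either quote style.
DEFINE_RE = re.compile(r"""define\(\s*['"]([A-Z_]+)['"]\s*,\s*['"]([^'"]*)['"]\s*\)\s*;""")


def parse_wp_config(text):
    """Return a dict of the define('CONST', 'value') pairs found in wp-config.php text."""
    return dict(DEFINE_RE.findall(text))


def read_wp_config(path):
    """Parse a wp-config.php file on disk."""
    with open(path, encoding="utf-8") as f:
        return parse_wp_config(f.read())


def unknown_accounts(privilege_list, known_users):
    """Accounts present in the database that you never created (step 4 of the list above)."""
    return sorted(set(privilege_list) - set(known_users))


def config_login_if_unknown(config, known_users):
    """The DB_USER wp-config.php logs in with, if it is not one of your own accounts, else None."""
    user = config.get("DB_USER")
    if user is None or user in known_users:
        return None
    return user


def check_site(config_text, privilege_list, known_users):
    """Combine both checks into one small report."""
    config = parse_wp_config(config_text)
    return {
        "rogue_accounts": unknown_accounts(privilege_list, known_users),
        "config_user": config_login_if_unknown(config, known_users),
        "db_name": config.get("DB_NAME"),
    }


if __name__ == "__main__":
    report = check_site(SAMPLE_WP_CONFIG, SAMPLE_PRIVILEGE_LIST, KNOWN_DB_USERS)
    for key, value in report.items():
        print(f"{key}: {value}")
```

On a real site you would call read_wp_config() on the file you downloaded and type the Privileges tab names into the list yourself. If config_user comes back set, that is the account to remove in phpMyAdmin and the line in wp-config.php to put your own username and password back into.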
Uploading a clean WordPress and theme
Now that you have your database backed up, your content (posts, pages) and comments are safe.
What to do? You can upload all your WordPress files again. As I said - these folders don't contain your content. However, the folder /wp-content/ does contain your themes and plugins, so you may want to leave this folder until last.
Test your site after you have uploaded the other folders. If the virus is still there, deactivate all your plugins, and upload your fresh, clean /wp-content/ folder.
Virus removed? Success! Still there? Read on.
A virus can also be hiding in your plugins or in your theme files. Next I would recommend uploading a fresh, clean version of your theme. If this doesn't solve the problem, try uploading fresh versions of your plugins.
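Uploading clean files works because it overwrites whatever was changed, but it doesn't tell you which file was changed or which file was dropped in that was never part of WordPress, your theme or your plugins. The following added example (not code from the original post) compares a clean download against the files pulled down from the live site by hashing every file in both trees; a tampered theme file shows up as "modified", and a file that exists only on the server shows up as "extra". The directory layout, file contents and the appended marker line are all constructed for the example, and wp-config.php is skipped because it is expected to differ from the download.

```python
import hashlib
import os
import tempfile


def file_digest(path):
    """SHA-256 of one file, read in chunks so large uploads don't need to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def tree_digests(root):
    """Map every file below root (as a relative path) to its SHA-256."""
    digests = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            digests[os.path.relpath(full, root)] = file_digest(full)
    return digests


def compare_trees(clean_root, live_root, skip=("wp-config.php",)):
    """Return (modified, extra, missing) relative paths.

    modified: present in both but with different contents (tampered core/theme/plugin files)
    extra:    only on the live site (files the clean download never contained)
    missing:  only in the clean copy
    wp-config.php is skipped by default because it legitimately differs from the download.
    """
    clean = tree_digests(clean_root)
    live = tree_digests(live_root)
    modified = sorted(p for p in clean if p in live and clean[p] != live[p] and p not in skip)
    extra = sorted(p for p in live if p not in clean and p not in skip)
    missing = sorted(p for p in clean if p not in live and p not in skip)
    return modified, extra, missing


def _write(root, rel, content, mode="w"):
    """Create (or append to) a file under root, making parent folders as needed."""
    full = os.path.join(root, rel)
    os.makedirs(os.path.dirname(full), exist_ok=True)
    with open(full, mode) as f:
        f.write(content)


def build_demo():
    """Constructed sample: a tiny 'clean' theme tree and a 'live' copy with two changes."""
    base = tempfile.mkdtemp()
    clean = os.path.join(base, "clean")
    live = os.path.join(base, "live")
    theme_files = {
        "wp-content/themes/mytheme/header.php": "<?php wp_head(); ?>\n",
        "wp-content/themes/mytheme/footer.php": "<?php wp_footer(); ?>\n",
    }
    for root in (clean, live):
        for rel, content in theme_files.items():
            _write(root, rel, content)
    # Only the live site has a wp-config.php; that is expected and must not be reported.
    _write(live, "wp-config.php", "<?php define('DB_USER', 'blogadmin');\n")
    # Simulate what the post describes: a theme file that has been altered, and a file
    # that was never part of the clean install. The appended line is a harmless marker.
    _write(live, "wp-content/themes/mytheme/footer.php",
           "<!-- constructed marker standing in for an altered line -->\n", mode="a")
    _write(live, "wp-content/uploads/cache.php", "<?php // constructed stand-in file\n")
    return clean, live


if __name__ == "__main__":
    clean, live = build_demo()
    modified, extra, missing = compare_trees(clean, live)
    print("modified:", modified)
    print("extra:   ", extra)
    print("missing: ", missing)
```

To use it on a real site, unpack a fresh WordPress download plus clean copies of your theme and plugins into one folder, download the whole live site into another, and call compare_trees() on the two. The "modified" list tells you which files to overwrite first, and the "extra" list is where to look for files that have no business being there at all.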