Malware Code is Injected in WordPress Websites Hosted on Godaddy.com

May 3, 2010, filed in: Security, Wordpress

0


WordPress-Hacked Recently some people have noticed a malware injection in their WordPress websites those are hosted on Godaddy.com. The compromised sites were usually outdated WordPress versions or had weak FTP passwords, according to godaddy.com. Godaddy.com is looking into this issue and posted a message on their community forums how to correct the malware injection.

If you’re concerned you have been compromised with a malware script injection, you should search your content (the .php files WordPress uses) for anything that says ”eval(base64_decode(” and remove that line. Many of these compromises also are accomplished by scripts adding users to WordPress and then injecting malicious code. You should review the users you have in your wp-admin control panel and make sure there aren’t any you didn’t intend to have. We have seen malware files in image directories such as wp-includes/js/tinymce/themes/advanced/skins/default/img/style.css.php. [According to Godaddy.com].

There is a short term temporary fix, and that is to use the File Manager’s ”History” feature to restore your site content to a date you know was before your site was compromised (this won’t affect posts). Steps are here: http://help.godaddy.com/article/5091 If however you do not see the ”History” feature in the File Manager, please contact our support team 24/7 at 480-505-8877 for assistance restoring your site’s content.

The permanent fix is to follow these steps to ensure it is fully cleaned and to prevent a recurrence. This is the best method to ensure it is 100% clean.

  1. Backup the database http://community.godaddy.com/help/2009/10/12/backing-up-and-restoring-mysql-or-mssql-databases/
  2. Make a note of the customizations, such as plug-ins or any other modifications you’ve made.
  3. Remove all files from the site, be sure to save anything that isn’t part of WordPress!
  4. Reinstall WordPress through Hosting Connections
  5. Restore the database (see the above article)
  6. Verify the WordPress users are correct and authorized
  7. Re-install any plug-ins you were using
  8. Reload any additional .php files from known clean copy

This is the best way to ensure the site was not attacked previously and has hidden backdoors loaded deep into the site.

It is extremely important to keep your WordPress software up to date and use strong passwords for your WP admin, FTP and Database, and that you don’t use the same password for all of them.

If you have WordPress installed on your hosting account but are not using it, we recommend removing it.

Related Articles


Tags: , , , , , , , , , , , ,

Leave a Reply