Detection
IMPORTANT: If we suspect that your site has been compromised, we will take the site down and alert you via email. You will still be able to log into your CGI Server account via FTP to work on your files and you still can use phpMyAdmin to log into your MySQL database to work on your data as well.
Our Malware Scan
If we have notified you that your site is infected, we may send you more information about the files and/or folders that we are concerned about. If you did not get this information, or have not been notified but suspect your site is compromised, you can request a malware scan. Be sure to also give us your domain name in your email. We will then conduct the scan and send you the results. This is probably the first place you should start.
External Malware Scanner
WordPress Security Scan is an external web site where you enter your WordPress URL and it will scan your WordPress site for malware. Keep in mind this is not foolproof. You will want to use other methods for detecting malware as well. We are not affiliated with this site nor do we endorse or support use of this site. We provide this link as a suggestion for your information only. Use at your own risk.
How Many Users Can Log In?
Log into your WordPress site's Dashboard and check your list of users. Be sure that the user count matches the number of listed users. If it does not match, then your site may have been compromised and has an unauthorized hidden user who can also log into your WordPress site. For example, if you are the only user, and the user count shows 2 users instead of 1, then there is a hidden unauthorized user. See the Removal section for more information on how to remove this user.
Look At Your WordPress Files and Folders
If you have a fresh (never installed) set of files and folders from WordPress and your themes and plugins on your hard drive, you can use these to compare them with your current files and folders. Here is how you would do this:
1. Create a new directory on your hard drive to hold your WordPress, theme and plugin files and folders. Make sure it is different from the directory that has the fresh copy of WordPress, theme and plugin files and folders. Log into your CGI Server account via FTP and download your WordPress files, theme files and plugin files and directories to this new directory. Be sure that your FTP program is set up to view hidden files (for example, in FileZilla, this is in the Server menu as Force showing hidden files). Be sure to download any dot files such as .htaccess.
2. Use your file manager in either a dual-pane mode (if it has this feature) or two file managers side by side. One side will have the fresh copy of the files and the other side should show the downloaded files from your WordPress site. If your operating system (such as Mac or Linux or other Unix-based system) automatically hides files that start with a dot (such as .htaccess), you'll want to set your file manager to also show hidden files.
3. Create a new directory outside of your WordPress directory and name it quarantine. You will put your suspected files here. This way if the file turns out not to be malware but instead needed for the operation of your site, you can always replace it.
4. Go through each directory and take note of any files or folders that are named differently from the original fresh copy or any new files and folders. Note that there should not be any *.php files in your wp-content/uploads folder.
5. If you find anything that is not in the fresh copy, open the suspected file in a text editor. Search for text such as eval or base64. If the file contains this and/or has a lot of lines which have a mix of letters and numbers (and perhaps symbols) that appear garbled, then you may have found an infected file which needs to be moved to quarantine.
NOTE: The above method may not catch all infected files. Advanced users may use what is called a DIFF program to compare files and directories as well. In addition, some file managers allow you to search whole directories of files for certain text in each file. These ways may prove to be faster than going through each file by hand. Linux, Unix and Mac operating systems have programs such as find and grep which can also be used to quickly find text in a large number of files within a directory. If you are interested in using any of these options, use a search engine to research how to obtain and use these programs.
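The comparison in steps 4 and 5, done with find, cmp and grep, as an added example that is not part of the original page. The two directory arguments are assumptions: the first is your fresh copy and the second is the download of your site. The sample trees are constructed and contain only harmless placeholder text.

```shell
#!/bin/sh
# Added example. FRESH is the never-installed copy, SITE is the FTP download.
# Prints one "LABEL path" line per finding; paths are relative to SITE.
wp_compare() {
    fresh=$1; site=$2
    # find lists dot files such as .htaccess too
    (cd "$site" && find . -type f | sort) | while IFS= read -r f; do
        rel=${f#./}
        # Step 4: no *.php file belongs anywhere under wp-content/uploads
        case "$rel" in
            wp-content/uploads/*.php) echo "PHP_IN_UPLOADS $rel" ;;
        esac
        if [ ! -e "$fresh/$rel" ]; then
            echo "NOT_IN_FRESH $rel"        # new file or renamed file
        elif ! cmp -s "$fresh/$rel" "$site/$rel"; then
            echo "CHANGED $rel"             # same name, different contents
        else
            continue                        # identical to the fresh copy
        fi
        # Step 5: look for eval or base64 in anything new or changed
        if grep -Eq 'eval|base64' "$site/$rel"; then
            echo "SUSPECT_TEXT $rel"
        fi
    done
}

# Constructed sample trees (harmless placeholder content) for a dry run.
make_demo_trees() {
    d=$(mktemp -d)
    mkdir -p "$d/fresh/wp-includes" "$d/site/wp-includes" \
             "$d/site/wp-content/uploads/2024"
    echo '<?php // core file' > "$d/fresh/index.php"
    cp "$d/fresh/index.php" "$d/site/index.php"
    echo '<?php // loader' > "$d/fresh/wp-includes/load.php"
    echo '<?php eval(base64_decode("ZWNobyAxOw==")); // loader' \
        > "$d/site/wp-includes/load.php"
    echo '# BEGIN WordPress' > "$d/site/.htaccess"
    echo '<?php eval("1;");' > "$d/site/wp-content/uploads/2024/cache.php"
    echo "$d"
}

demo=$(make_demo_trees)
wp_compare "$demo/fresh" "$demo/site"
rm -rf "$demo"
```

Files that a fresh WordPress download never contains, such as wp-config.php, .htaccess and your uploaded media, will show up as NOT_IN_FRESH on a clean site too, so treat that label as a list to review rather than a list to quarantine.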
Once you have cleaned your site and verified that your site is operating properly, immediately permanently delete all files and folders in your quarantine folder on your hard drive.