A malware removal process is tedious and time-consuming, and over 360,000 websites should start this process soon. On January 18th, 2022, JetPack’s security system discovered a major breach that is used to take full control of a website. The discovery was made last September. The makers of AccessPress themes and plugins were responsible for such an error. The team discovered that the issue involved a compromised website. They found that the malicious code was present in all the plugins and themes from this WordPress creator, but only when downloaded directly from the AccessPress site. Over 360,000 websites could be infected.

Furthermore, they found the same theme or plugin downloaded from the WordPress repository was not infected. This led them to believe the AccessPress site was compromised and that the hackers injected their malicious code into all the theme and plugins. Upon installation of the infected theme or plugin, the malicious code created a backdoor that allows the hackers full site access.

The JetPack team exclusively analyzed themes that are available for free distribution. No conclusion was reached regarding paid premium themes. If you have a paid version of AccessPress, you should check with the support team to see if you are affected.

Most of the affected plugins have been patched and cleaned up, but their themes have not. If you use one of their themes, you should look for help to transition your site to a different theme or clean it up immediately. To fix the issue, you should not only replace the theme or update the plugin, but also take additional steps to remove the infection from the WordPress core files.

Our 10 steps to malware removal

We use a very thorough clean-up process. Here are the steps we take to make sure all infected files are removed.

1- Zip and Download – Gather all your website’s files, compress them into a zip file and download them to your local computer. Most users tend to want to have the files replaced while still on your web hosting, but this can only create a never – ending cycle. As other infected files could still infect the clean files, as well as produce a poor user experience for your visitors.

2- Maintenance Page – Once the files are zipped and downloaded, the files should be removed from the web hosting, to keep away from poor user experience while cleaning the hack. An ‘Under Maintenance’ page should be created to avoid creating skepticism with site visitors.

3- Reinstall core files – To fix a hacked WordPress site, download a fresh copy of the same version of WordPress being used on the infected site. Replace the core files with the downloaded files. Then delete the wp-include and wp-admin folders, as well as any WordPress root files. Do not delete the “wp-content” and “wp-config” files.

4- Verified non WordPress files – Manually check any foreign files that are not supposed to be in the main WordPress directory. This encompasses all files that begin with “wp-“. If it is decided that the file does not belong to the site, it should be removed.

5- Replace themes and plugins – Following up the replacement of the core files, you should proceed to replacing all plugins. Download files from the WordPress repository whenever you can. If you are using premium plugins, make sure to scan the zip file with Virus Total to ensure that the downloaded version is clean. If developers haven’t cleaned up their themes or plugins, it’s necessary to manually scan and remove any malicious codes or files. This could be one of the most time-consuming parts of this process.

6- Scan the database – You often see the database infected as well. A copy of the database file should be downloaded and scanned for any injected malicious code. This is also a manual process, searching for the most common code injections and removing them. We use various open source tools, such as SonarQube.

7- Scan and double check – Before launching the site again, a full local scan should be done. Tools like WP Scan command line tool and SonarQube can help. If no infected files are found, then launching the site is safe. If infected files are still found, the process starting with replacing core files should be repeated.

8- Launching the site – Zipping the freshly scanned files, uploading them to the web hosting. Remove the ‘Under Maintenance’ page files and unzip your clean files. Replace the database as well with the clean one, even if it wasn’t infected. Open and inspect the entire site from the visitor’s perspective.

9- Securing your site – Following a hack, you will want to increase security. Using a plugin such as Wordfence or Sucuri will help you scan your site from within the WordPress backend. Passwords for all users should be reset and make sure to use strong passwords.

10- Maintenance – Updating plugins, themes and WordPress in addition to frequent scans will help you avoid losing your site to a hacked. Most security plugins can run scans on schedule and report if they find anything suspicious.

Conclusion

A CVE has been created if you are interested in more details.
CVE: CVE-2021-24867
Vendor: AccessPress
URL: https://accesspressthemes.com

For a list of all the themes and plugins affected as well as the version you need to update, to remove this malware, you can check the WP Scan CVE.
If you need help with any part of the process above or would like a security assessment of your site, feel free to contact us.