Malware on WordPress
We recently had a client contact us about a WordPress website they were not able to log into, and they asked us to troubleshoot and repair the site. On our initial inspection we discovered that not only could they not log in, but the entire site was down.
After getting access to their hosting provider (who shall remain nameless) we set up a new FTP account. When we looked at the files, we found numerous .php files that had been renamed with the suffix .suspected. We tried renaming the plugins folder, but that made no difference. We ended up deleting everything on the site except the wp-content folder and the wp-config.php file. Then we uploaded a fresh WordPress installation. Next we added the plugins back in one at a time, with the exception of one folder in the plugins folder named “normalstiil”. The client didn’t recognize the name, and it turned out to contain a file named bouncer that was infected with a virus.
The end result is that we were able to get the site back up and operational without losing any of the client’s data. If you manage your own WordPress website, you should review your site on a regular basis. This particular website had a ton of spam in the comments (which we deleted before turning comments off) and had some posts the client didn’t make. Reviewing your site on a regular basis improves your odds of being able to ward off potential trouble.
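As an added example (not a script we used on the client's site), the two signs described above can be checked on a downloaded copy of a site: files renamed with the .suspected suffix, and plugin folders the owner does not recognize. The function names, the sample tree and the plugin name `example-plugin` are assumptions made for illustration.

```python
import tempfile
from pathlib import Path


def find_suspected(root):
    """Files renamed with a .suspected suffix, relative to the site root."""
    root = Path(root)
    return sorted(p.relative_to(root).as_posix()
                  for p in root.rglob("*.suspected") if p.is_file())


def unexpected_plugins(root, expected):
    """Plugin folders whose names are not on the owner's expected list."""
    plugins = Path(root) / "wp-content" / "plugins"
    if not plugins.is_dir():
        return []
    known = {name.lower() for name in expected}
    return sorted(d.name for d in plugins.iterdir()
                  if d.is_dir() and d.name.lower() not in known)


def build_sample_site(base):
    """Constructed sample tree for the demo (not the client's real files)."""
    base = Path(base)
    for rel in ("wp-config.php",
                "wp-login.php.suspected",
                "wp-includes/load.php.suspected",
                "wp-content/plugins/example-plugin/example-plugin.php",
                "wp-content/plugins/normalstiil/bouncer"):
        path = base / rel
        path.parent.mkdir(parents=True, exist_ok=True)
        path.write_text("placeholder\n")  # harmless stand-in content
    return base


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        site = build_sample_site(tmp)
        # The expected list is whatever plugins the owner knowingly installed.
        print("renamed files:", find_suspected(site))
        print("unrecognized plugins:",
              unexpected_plugins(site, ["example-plugin"]))
```

Anything either function reports is a prompt to look closer, not proof of infection; an empty result does not mean the site is clean.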