Technical guide on identifying and removing malicious payloads from a compromised WordPress site. Learn to use CLI tools to find backdoors, web shells, and obfuscated code on your Hovixa VPS.

Cleaning a Compromised WordPress Installation: Identifying Malicious Payloads

Discovering a compromised WordPress site on your Hovixa VPS requires a methodical, forensic approach. Attackers rarely rely on a single malicious file; instead, they deploy multiple backdoors and web shells to maintain persistence. Relying on plugins to clean a site is often insufficient if the malware has reached the system level. This guide focuses on using the Linux command line to identify and neutralize malicious payloads.

1. Identifying Recent File Modifications

Attackers often modify core files (like index.php or wp-config.php) or upload new scripts into the /wp-content/uploads/ directory. Use the find command to locate files modified within a specific timeframe.

# Find files modified in the last 48 hours
find . -type f -mtime -2 -name "*.php"

2. Hunting for Obfuscated Code

Malicious payloads are rarely human-readable. They typically use PHP functions like eval(), base64_decode(), or gzinflate() to hide their true purpose. You can use grep to scan your entire web root for these "red flag" functions.

# Scan for common obfuscation patterns
grep -rnE "(eval|base64_decode|gzinflate|shell_exec|system|passthru)\s*\(" .

Note: Some legitimate plugins use these functions. Always manually inspect the code before deleting. Malicious code often looks like a long, unintelligible string of characters.

3. Comparing Core Files with Checksums

If you suspect core files have been tampered with, WP-CLI can compare your local files against the official checksums published by WordPress.org. This is the fastest way to identify "injected" code in files that should be pristine.

# Verify core file integrity
wp core verify-checksums --allow-root

If a file fails verification, replace it immediately with a fresh copy from the repository.

4. Common Malware Locations & Payloads

| Location | Typical Payload | Detection Method |
|---|---|---|
| /wp-content/uploads/ | PHP backdoors disguised as .jpg or .txt files. | `find . -name "*.php"` inside uploads. |
| index.php / wp-load.php | Injected JavaScript for redirecting users to spam. | Manual inspection of the file header. |
| .htaccess | Malicious redirects to phishing or malware sites. | Check for `RewriteRule` pointing to external IPs. |
| functions.php | Code that creates a hidden administrator user. | `grep "wp_create_user" functions.php` |
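Added example (not part of this guide): a small Python scanner that turns the grep from section 2 into a weighted check, so a lone base64_decode() in a legitimate plugin scores low while a decode-then-eval loader with a long encoded literal scores high, plus a filename check for the uploads row of the table above that also catches double extensions such as .php.txt, going beyond the guide's find command. The PHP samples, the function lists and the score weights are constructed for illustration.

```python
"""Score PHP source for obfuscation indicators instead of a bare grep for eval()."""
import base64
import re
from typing import Dict, List

# Functions that execute code or reach the shell (the guide's grep list, plus a few common ones).
EXEC_FUNCS = r"(?:eval|assert|shell_exec|system|passthru|exec|proc_open|create_function)"
# Functions that unpack a hidden payload before it runs.
DECODE_FUNCS = r"(?:base64_decode|gzinflate|gzuncompress|str_rot13|hex2bin|strrev)"

CALL_RE = re.compile(rf"\b({EXEC_FUNCS}|{DECODE_FUNCS})\s*\(", re.I)
# Executor wrapped directly around a decoder: eval(base64_decode(...)), assert(gzinflate(...)), ...
CHAIN_RE = re.compile(rf"\b{EXEC_FUNCS}\s*\(\s*{DECODE_FUNCS}\s*\(", re.I)
# A long run of base64 alphabet inside a quoted literal: the "unintelligible string" the guide describes.
BLOB_RE = re.compile(r"['\"]([A-Za-z0-9+/]{60,}={0,2})['\"]")
# Script extensions that should never sit under wp-content/uploads, even hidden behind a second extension.
UPLOAD_EXEC_RE = re.compile(r"\.(?:php\d?|phtml|phar)(?:\.[a-z0-9]+)?$", re.I)


def scan_php_source(src: str) -> Dict[str, object]:
    """Return a weighted score plus human-readable findings for one PHP file's contents."""
    findings: List[str] = []
    score = 0
    for m in CALL_RE.finditer(src):
        line = src.count("\n", 0, m.start()) + 1
        findings.append(f"line {line}: call to {m.group(1)}()")
        score += 1                      # a lone call is weak evidence (legitimate plugins use these)
    if CHAIN_RE.search(src):
        findings.append("executor wrapped around decoder")
        score += 5                      # decode-then-execute is the classic payload loader
    for m in BLOB_RE.finditer(src):
        findings.append(f"base64-looking literal of {len(m.group(1))} chars")
        score += 3
    return {"score": score, "suspicious": score >= 5, "findings": findings}


def suspicious_upload_name(relpath: str) -> bool:
    """True for a file under wp-content/uploads whose name carries a PHP-style extension."""
    return "wp-content/uploads/" in relpath and bool(UPLOAD_EXEC_RE.search(relpath))


# Constructed samples (not taken from any real infection); the loader decodes to a harmless echo.
BENIGN = "<?php\n$icon = base64_decode('iVBORw0KGgo=');  // tiny embedded image header\necho $icon;\n"
_BLOB = base64.b64encode(b"echo 'constructed sample payload';" * 3).decode()
LOADER = f"<?php\n@eval(base64_decode('{_BLOB}'));\n"

if __name__ == "__main__":
    for name, src in (("benign", BENIGN), ("loader", LOADER)):
        print(name, scan_php_source(src))
    print(suspicious_upload_name("wp-content/uploads/2024/01/image.jpg.php"))
```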

5. Technical Implementation Details

  • Immutable Files: Some advanced malware uses the `chattr +i` command to make files immutable, preventing you from deleting them even as root. Check for this with `lsattr` and remove it with `chattr -i filename`.
  • Database Payloads: Malware can also reside in the wp_options table or wp_posts as malicious scripts. Scan the database for the `<script>` tag or `eval(` using `wp db search "eval("`.
  • Environment Isolation: If one site on your VPS is compromised, assume all sites on that user's account are affected. Cross-site contamination is common if they share the same PHP-FPM pool.

Sysadmin Advice: After cleaning the site, you must identify the **entry point**. Check your Nginx/Apache access logs for POST requests to unusual files (e.g., `wp-content/uploads/2024/01/random.php`). Without fixing the initial vulnerability—usually an outdated plugin—the site will be re-infected within hours.
