Steps taken to identify the issue
The malware had created a .htaccess file in almost every directory, and there were also non-WordPress files in the webroot. To verify the WordPress core files I used:
wp core verify-checksums
This command compares the WordPress core files against the official checksums published by WordPress.org and reports files that are missing, modified, or not expected in the core directories (wp-admin and wp-includes). Note that it does not cover wp-content, where plugins, themes and uploads live; wp plugin verify-checksums --all does the same for plugins from the WordPress.org directory. The command highlighted many unwanted files, including the .htaccess files.
I asked the site owner whether he was aware of any non-WordPress files in the webroot and whether those files could be deleted. The answer was: “If you are sure those are not WordPress files, you can delete them.”
This was not the answer I had hoped for. I know which files and directories belong to WordPress, but I had no complete picture of the other files, so deleting every non-WordPress file and directory outright would have been risky. What if the site owner needed any of them?
Steps taken to clean the site
So I moved the non-WordPress files and folders into an “unwanted-files” folder and, at the end, zipped that folder with the following command:
sudo zip -r unwanted-files.zip unwanted-files
Next I deleted the .htaccess files from all the directories. Deleting them by hand was not an option because there were so many of them, so I used find to target all of them. To verify the list (before deleting anything) I ran:
find . -name "*.htaccess" -type f
After checking the output, I simply added the -delete flag:
sudo find . -name "*.htaccess" -type f -delete
This saved a lot of manual work and removed all the malicious .htaccess files. But it also deleted the one .htaccess file WordPress itself needs in the webroot (which was expected), so only the home page worked and the inner pages returned 404 errors. (Adding -mindepth 2 to the find command would have left the webroot’s own file alone, but since the malware may have modified that file too, rewriting it from scratch is the safer choice.) To fix this I put back the bare-minimum .htaccess rules WordPress requires:
# BEGIN WordPress
<IfModule mod_rewrite.c>
RewriteEngine On
RewriteBase /
RewriteRule ^index\.php$ - [L]
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteRule . /index.php [L]
</IfModule>
# END WordPress
Steps taken & suggested to avoid the issue in future
Finally, I updated the file and folder permissions to harden the site. All files were set to 644:
sudo find . -type f -exec chmod 644 {} +
Exception: wp-config.php was set to 440 so that other users on the server cannot read it. This assumes the web server process runs as the file owner or as a member of the file’s group; if PHP runs as a different user, 440 will stop WordPress from reading its own configuration.
And all folders were set to 755:
sudo find . -type d -exec chmod 755 {} +
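The clean-up procedure above, from listing the .htaccess files through restoring the WordPress rules and fixing permissions, as an added shell example that is not part of the original post. It goes a little beyond what the post did: it quarantines the .htaccess files (keeping their relative paths) instead of deleting them, so evidence is preserved and a legitimate file can be put back, and it adds a heuristic grep for directives commonly abused in dropped .htaccess files. The sample webroot, the contents of its malicious .htaccess files and the hostname attacker.invalid are constructed for the demonstration; the 440 on wp-config.php assumes the web server runs as the file owner or as a member of its group.

```shell
#!/bin/sh
# Added example, not the original post's commands: helpers for cleaning a
# WordPress webroot in which malware dropped .htaccess files in many
# directories. Every path is a parameter; nothing is specific to one site.

# Bare-minimum WordPress rewrite rules, written back after the clean-up.
WP_HTACCESS='# BEGIN WordPress
<IfModule mod_rewrite.c>
RewriteEngine On
RewriteBase /
RewriteRule ^index\.php$ - [L]
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteRule . /index.php [L]
</IfModule>
# END WordPress'

# Print every .htaccess below ROOT, one path per line (review before acting).
list_htaccess() {
    find "${1%/}" -name .htaccess -type f | sort
}

# Heuristic scan: print "path:line:text" for directives web malware commonly
# abuses (PHP prepend/append, handler overrides, redirects to external hosts).
# Assumption: this list is a starting point for review, not a signature set.
scan_htaccess() {
    list_htaccess "$1" | while IFS= read -r f; do
        grep -n -i -E 'auto_(prepend|append)_file|AddHandler|AddType|SetHandler|RewriteRule[^#]*https?://|ErrorDocument[^#]*https?://' "$f" \
            | sed "s|^|$f:|"
    done
    return 0
}

# Move every .htaccess below ROOT (the webroot's own included, since the
# malware may have edited it) into QDIR, keeping the relative path so a
# file that turns out to be legitimate can be restored.
quarantine_htaccess() {
    root=${1%/}; qdir=$2
    find "$root" -name .htaccess -type f | while IFS= read -r f; do
        rel=${f#"$root"/}
        mkdir -p "$qdir/$(dirname "$rel")"
        mv "$f" "$qdir/$rel"
    done
}

# Write the bare WordPress rules to ROOT/.htaccess (fixes inner-page 404s).
restore_wp_htaccess() {
    printf '%s\n' "$WP_HTACCESS" > "${1%/}/.htaccess"
}

# 644 for files, 755 for directories, 440 for wp-config.php.
# Assumption: the web server runs as the file owner or a member of its group.
harden_perms() {
    root=${1%/}
    find "$root" -type f -exec chmod 644 {} +
    find "$root" -type d -exec chmod 755 {} +
    [ -f "$root/wp-config.php" ] && chmod 440 "$root/wp-config.php"
    return 0
}

# Whole procedure: quarantine, restore the rules, then fix permissions.
clean_site() {
    quarantine_htaccess "$1" "$2"
    restore_wp_htaccess "$1"
    harden_perms "$1"
}

# Permission string as printed by ls, e.g. "-rw-r--r--" (portable across
# GNU and BSD, unlike stat's format flags).
perm_string() {
    ls -ld "$1" | cut -c1-10
}

# Constructed sample webroot mimicking the infection, for a dry run.
make_sample_site() {
    root=${1%/}
    mkdir -p "$root/wp-admin" "$root/wp-includes" "$root/wp-content/uploads/2023"
    : > "$root/index.php"; : > "$root/wp-config.php"
    printf '%s\n' "$WP_HTACCESS" > "$root/.htaccess"   # legitimate root rules
    # Constructed malicious copies: PHP handler for .jpg plus an external redirect.
    for d in wp-admin wp-includes wp-content/uploads wp-content/uploads/2023; do
        printf 'AddHandler application/x-httpd-php .jpg\nRewriteEngine On\nRewriteRule ^ http://attacker.invalid/ [R,L]\n' > "$root/$d/.htaccess"
    done
}

# Usage on a real site (after a backup):
#   . ./htaccess-cleanup.sh
#   list_htaccess /var/www/html; scan_htaccess /var/www/html
#   clean_site /var/www/html /root/quarantine-htaccess
```

Run list_htaccess and scan_htaccess first and read the output; only then run clean_site. The quarantine directory should live outside the webroot so the moved files are not served.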
After doing all this, I asked the site owner to:
- Change passwords
- Review the zipped non-WordPress files and delete the archive once they are confirmed unneeded
- Update all the plugins
- Update all the themes
- Delete unwanted plugins and themes
- Update WordPress
There were many unwanted plugins and themes lying around on the site, and 40+ updates were pending. WordPress plugin and theme updates often contain security fixes, and an old version of a plugin left on the site in an inactive state is still a serious risk for the whole site: its files remain on disk and can still be reached directly through the web server. So it is always advisable to keep only the plugins and themes you actually need and to keep everything up to date.
I hope this article helps someone fix similar issues. If you need any help, do not hesitate to reach out to me.