Recently I was made aware by a very kind visitor that part of my site had been injected with malware. YUCK!
Turns out there was a security loophole in a previous version of phpMyAdmin which was exploited to leave a tiny (1200+ lines, yeah, not so tiny!) piece of code that basically gave the hacker (or rather, their robot) access to do whatever they liked.
On the positive side, they were only injecting links to try and raise their Google page rank for your standard underbelly of the ‘net stuff, primarily legal drugs. Of course, that’s bad for my site, but since I cleaned it up, I’m worry free!
I wanted to let you know that IF you’re managing your own site, you need to be able to deal with these sorts of things so that your site doesn’t lose its rank, become blacklisted, or show up as a site your visitors should avoid because their virus software has flagged it. Seriously, malware is not something you ever want to ignore, as it will begin to impact your website.
This fix was really quite easy and I’m going to share it just in case someone else like me needs this info. Take it from me: this is WAY easier than backing up everything (in triplicate), exporting your site and reinstalling everything fresh.
Today I’m sharing the 7 easy steps to removing base64 malware from your WordPress database. Chances are, even if the placement changes, you’ll still be able to locate it and remove it using these simple steps.
- Log into your cPanel and navigate to phpMyAdmin
- Once logged into phpMyAdmin, you’ll likely see a drop down of database names. If you aren’t sure which one is the right one and you’re using WordPress, you can click “wp_users” on the left hand side and it will show you who is in the user table. If that isn’t enough to help you, try wp_posts; you should be able to identify what this database is attached to by what you see there.
- Okay, once you’ve accessed the right database (though honestly, it wouldn’t hurt to do this on ANY database to make sure it’s clean!) click
- then click “search”
- Enter base64, then “select all”, then hit go
- If you see a match and the word “browse”, click it. Chances are, if it’s in WordPress, it’s named wp-optimize. A legitimate plugin with that name exists, but this isn’t it if it contains the word base64!
You’ll also see that under “auto load” it is set to YES. That means the entry is loaded every time the site loads, which is great if it is an essential piece of code and bad when it is malware!!
- Here’s the easy part: while you’re ‘browsing’, if you see the words wp_optimize and base64, just go ahead and hit the -/delete button.
That’s it. It’s clean!
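The search from the steps above, as an added example that is not part of the original post: it lists every `wp_options` row whose value contains base64 and separates executable PHP markers from plain base64 data, which goes slightly beyond the steps so a legitimate entry is not deleted by mistake. It assumes the default `wp_` table prefix; an in-memory SQLite table stands in for the MySQL database, and the rows and the `CODE_MARKERS` list are constructed for illustration.

```python
import sqlite3

# Strings that indicate executable PHP rather than stored data (assumed list).
CODE_MARKERS = ("base64_decode", "eval(", "gzinflate(")

# Same search as typing "base64" into phpMyAdmin, limited to wp_options.
QUERY = """
    SELECT option_id, option_name, autoload, option_value
    FROM wp_options
    WHERE LOWER(option_value) LIKE '%base64%'
    ORDER BY option_id
"""

def build_sample_db():
    """Constructed stand-in for a WordPress database (default wp_ prefix)."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE wp_options (option_id INTEGER PRIMARY KEY,"
               " option_name TEXT, option_value TEXT, autoload TEXT)")
    db.executemany("INSERT INTO wp_options VALUES (?, ?, ?, ?)", [
        (1, "siteurl", "https://example.test", "yes"),
        # Constructed injected row; the payload is a harmless placeholder.
        (2, "wp_optimize", 'eval(base64_decode("cGxhY2Vob2xkZXI="));', "yes"),
        # Constructed benign row: base64 image data, a false positive.
        (3, "theme_logo", "data:image/png;base64,iVBORw0KGgo=", "no"),
    ])
    return db

def find_base64_options(db):
    """Return every matching row with a triage verdict; nothing is deleted."""
    findings = []
    for option_id, name, autoload, value in db.execute(QUERY):
        hits = [m for m in CODE_MARKERS if m in value.lower()]
        findings.append({
            "option_id": option_id,
            "option_name": name,
            "autoload": autoload,
            "markers": hits,
            # Code markers: inspect and likely delete. Bare base64: look first.
            "verdict": "suspicious" if hits else "review",
        })
    return findings

if __name__ == "__main__":
    for row in find_base64_options(build_sample_db()):
        print(row)
```

The `SELECT` statement can also be pasted into phpMyAdmin's SQL tab to list the matching rows before anything is deleted.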
Now, go change ALL of your passwords and make sure to use a combination of letters, numbers, and symbols to keep them secure. Change them for both the administrator on your blog AND your database. (Please note, you’ll need to update the database email within your wp-config.php file so you don’t break your database connection. Need help? Get help through my available services.)
If all of this sounds really scary, it’s VERY easy to make sure this never happens to you: sign up with Sucuri to get their awesome integrity monitor, which can notify you of potential issues via Twitter and email so your site is secure all the time! Not only do they scan and alert you to problems, but they include their fantastic malware cleanup, which is worth the price of $89/year for peace of mind (and not having to stay up into the wee hours of the morning trying to search and destroy!)
In the spirit of full disclosure: Interested in something I’ve linked to? It might be an affiliate link, so I may earn a small commission if you purchase through those links (at no extra cost to you). It doesn’t cost you extra so everyone wins! (You get something AWESOME and I get a little help covering the costs of running this site.)