A few weeks back, when I opened our TravelTear blog, I was greeted by a popup. I lazily assumed I had clicked an ad or some link and that this had triggered it. I almost never saw it again after that, at least on my mobile.
But today a Facebook friend of mine, Rushikesh Thawale, told me that our blog was showing the same kind of popup, and he posted the following screenshots as well.
Then I realised how serious this was. I knew for sure that we had done nothing suspicious to trigger it: we use a custom theme, and all the plugins we use come directly from the WordPress.org directory. The rest are premium plugins, kept properly updated. So I didn't suspect them.
And the Sucuri scan rated the site "Critical Security Risk."
I got really annoyed when I saw the word "Malware," so I deactivated all the plugins and even switched to the default theme that ships with WordPress. I ran the Sucuri scan again, and the site came up clean. But that wasn't enough: finding the root cause is the only permanent fix. After some digging and a few messages, I learned that a file in our theme had been infected through an outdated plugin. That is as much as I can say for certain so far.
The affected file was our theme's functions.php, and the code injected into it generated files in our /wp-includes folder, such as wp-feed.php and wp-tmp.php. I'm not an advanced WordPress developer, so at the time I couldn't tell whether those files were part of WordPress core. (They are not: a clean WordPress install has no wp-feed.php or wp-tmp.php in wp-includes.) So I sorted the directory by "Last Modified" and saw a bunch of files changed on dates when I hadn't edited anything.
I opened them one by one, and we finally found the culprit(s).
We deleted all the files carefully. The main culprit was our functions.php file: check it thoroughly and replace it with the known-clean copy from your theme's original package. Remove the dropped wp-includes files and the functions.php injection in the same pass, because each half of this infection recreates the other if it is left behind. It turns out this whole thing is the "WP-VCD" WordPress malware. We also compared our wp-includes directory against a freshly downloaded WordPress copy. In a case this serious, though, I'd recommend reinstalling WordPress from scratch.
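As an added example, not code from the original post, here is a shell script that does the three checks described above: it lists files in wp-includes that a clean WordPress copy does not have, lists core files whose contents differ from the clean copy, greps the theme's functions.php for the kind of loader that pulls in wp-tmp.php, and applies the "Last Modified" filter with find. It builds a small constructed sample tree under mktemp so it runs offline. The dropper file names (wp-feed.php, wp-tmp.php) are the ones named in the post; the file contents, the tree layout and the grep token list are assumptions for illustration, not a complete WP-VCD signature.

```shell
#!/bin/sh
# Added example, not code from the original post. Builds a small constructed
# WordPress-like tree under mktemp and runs the checks described in the post:
# files in wp-includes that a clean copy lacks, core files whose contents
# differ, a heuristic grep of the theme's functions.php, and the
# "Last Modified" filter. Requires find, sort, comm, cmp and grep.
set -u

# list_extra_files REF LIVE: paths present under LIVE but absent from REF.
list_extra_files() {
  ref_list="$(mktemp)"; live_list="$(mktemp)"
  (cd "$1" && find . -type f | sort) > "$ref_list"
  (cd "$2" && find . -type f | sort) > "$live_list"
  comm -13 "$ref_list" "$live_list"
  rm -f "$ref_list" "$live_list"
}

# list_modified_files REF LIVE: paths present in both trees whose bytes differ.
list_modified_files() {
  (cd "$1" && find . -type f | sort) | while IFS= read -r f; do
    if [ -f "$2/$f" ] && ! cmp -s "$1/$f" "$2/$f"; then
      printf '%s\n' "$f"
    fi
  done
}

# scan_php_file FILE: print numbered lines matching a WP-VCD-style loader.
# The token list is an assumption: the dropper names mentioned in the post
# plus the usual obfuscation primitives. Treat hits as leads, not proof.
scan_php_file() {
  grep -nE 'wp-tmp\.php|wp-feed\.php|wp-vcd\.php|base64_decode|eval\(|file_put_contents' "$1" || true
}

# recently_modified DIR DAYS: files under DIR changed in the last DAYS days.
recently_modified() {
  find "$1" -type f -mtime "-$2" | sort
}

# build_sample: constructed sample data (clean reference vs. "infected" live
# tree). The contents are illustrative, not a real WP-VCD payload.
build_sample() {
  root="$(mktemp -d)"
  mkdir -p "$root/ref/wp-includes" "$root/live/wp-includes" \
           "$root/live/wp-content/themes/custom"
  echo '<?php // clean core file' > "$root/ref/wp-includes/version.php"
  echo '<?php // clean core file' > "$root/ref/wp-includes/feed.php"
  cp "$root/ref/wp-includes/version.php" "$root/live/wp-includes/version.php"
  echo '<?php // core file with an appended line' > "$root/live/wp-includes/feed.php"
  echo '<?php eval(base64_decode("Li4u"));' > "$root/live/wp-includes/wp-tmp.php"
  echo '<?php echo "dropper";' > "$root/live/wp-includes/wp-feed.php"
  printf '%s\n' '<?php' \
    'if (file_exists(ABSPATH."wp-includes/wp-tmp.php")) { @include_once(ABSPATH."wp-includes/wp-tmp.php"); }' \
    'add_action("init", "theme_setup");' \
    > "$root/live/wp-content/themes/custom/functions.php"
  echo "$root"
}

main() {
  root="$(build_sample)"
  echo "== files in live wp-includes that a clean copy does not have =="
  list_extra_files "$root/ref/wp-includes" "$root/live/wp-includes"
  echo "== core files whose contents differ from the clean copy =="
  list_modified_files "$root/ref/wp-includes" "$root/live/wp-includes"
  echo "== suspicious lines in the theme's functions.php =="
  scan_php_file "$root/live/wp-content/themes/custom/functions.php"
  echo "== files modified in the last 7 days =="
  recently_modified "$root/live" 7
  rm -rf "$root"
}

main
```

On a real site, point REF at the wp-includes directory unpacked from a freshly downloaded WordPress zip of the same version and LIVE at the site's own wp-includes, and run scan_php_file over the functions.php of every installed theme, not only the active one, since the injection does not stop at the theme you are using.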
You can also use a security plugin like Wordfence or iThemes Security to scan all the files. They do a good job and point to the specific malicious code.
We scanned our website on Sucuri again, this time using the "Force a Re-scan to clear the cache" option, and got clean results once all the malicious code had been removed.
Things like this are common and can happen to anyone, so secure your website as well as you can. In our case it most likely came in through that outdated plugin, or through any plugin that had been compromised. Let me know if you have any questions.