New WordPress HTML/Framer virus hack
Have you been affected by the new WordPress HTML/Framer virus hack?
You may have noticed that your website doesn’t look quite right, or that a small icon in the top left corner pushes the design down by about 20 pixels.
Well, you could have been hacked.
The new hack compromises your theme’s header.php file by inserting malicious code just below the <body> tag. The injected code consists of two <script> segments that can potentially be very harmful to your site and server. Here is a description of this type of code / file from AVG antivirus:
“HTML/Framer is a malicious software that once it is executed has the capability of replicating itself and infecting other files and programs. These types of malware, called Viruses, can steal hard disk space and memory that slows down or completely halts your PC. It can also corrupt or delete data, erase your hard drive, steal personal information, hijack your screen and spam your contacts to spread itself to other users. Usually, a Virus is received as an attachment on an email or instant message.”
The sophisticated hack can also take over your WordPress admin theme editor in wp-admin, often stopping you from removing the code. It also has the potential to stop you from editing header.php directly over FTP.
How to solve this issue?
The best way is to edit your header.php file through the raw file editor of your control panel; cPanel is great for this. Edit the file and remove the code from below the body tag of your theme.
Note: this hack infects / affects all themes currently in your website directory – not just active themes. So be sure to edit each theme. I would suggest removing outdated / inactive themes anyway.
Here is what the code looks like:
After you have removed the code, I recommend doing the following:
1. Create a new WordPress admin account and delete the current admin account – be sure to attribute all posts to the new admin.
2. Update WordPress core files.
3. Remove all plugins and reinstall from fresh installs.
4. Change the passwords of any cPanel or FTP accounts currently associated with your domain.
One last point about this hack: antivirus software can detect the malicious script. To ensure you have removed all traces of it, download a copy of your website files via FTP and scan it with your antivirus. This hack can be picked up by AVG Free.
Also, if you run multiple WordPress websites on the same server, there is a good chance that this will affect / infect every domain’s header.php file within WordPress.
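To find every header.php that needs cleaning across all themes and all sites in a downloaded copy, here is an added example script (not part of the original post; the function names are made up for illustration). It assumes only whitespace or HTML comments sit between the <body> tag and the injected scripts, and a hit is a prompt for manual review, since a theme can legitimately place a script there.

```python
import re
import sys
from pathlib import Path

# Opening <body ...> tag. Themes usually write <body <?php body_class(); ?>>,
# so embedded PHP tags are allowed inside the tag.
BODY_TAG = re.compile(r"<body\b(?:<\?.*?\?>|[^>])*>", re.I | re.S)
# "Just below <body>" is taken to mean: only whitespace or HTML comments
# before the first <script> (an assumption of this example).
LEADING_SCRIPTS = re.compile(
    r"(?:\s|<!--.*?-->)*((?:<script\b.*?</script\s*>\s*)+)", re.I | re.S)
SCRIPT = re.compile(r"<script\b.*?</script\s*>", re.I | re.S)

# Constructed sample: a header.php with two placeholder scripts below <body>.
SAMPLE = ("<head></head>\n<body <?php body_class(); ?>>\n"
          "<script>/* placeholder 1 */</script>\n"
          "<script>/* placeholder 2 */</script>\n<div id=\"page\">")


def scripts_below_body(source):
    """Return the <script> blocks that directly follow the opening <body> tag."""
    body = BODY_TAG.search(source)
    if not body:
        return []
    run = LEADING_SCRIPTS.match(source, body.end())
    return SCRIPT.findall(run.group(1)) if run else []


def scan(root):
    """Check header.php of every theme (active or not) of every site under root."""
    findings = {}
    for header in Path(root).rglob("wp-content/themes/*/header.php"):
        blocks = scripts_below_body(header.read_text(errors="replace"))
        if blocks:
            findings[str(header)] = blocks
    return findings


if __name__ == "__main__":
    if len(sys.argv) < 2:  # no directory given: run on the constructed sample
        print("sample:", len(scripts_below_body(SAMPLE)), "block(s) flagged")
        sys.exit(0)
    for path, blocks in sorted(scan(sys.argv[1]).items()):
        print(f"{path}: {len(blocks)} <script> block(s) directly below <body>")
        for block in blocks:
            print("    " + " ".join(block.split())[:100])
```

Pass it the folder holding your downloaded site files; each reported path is a header.php to open in the raw file editor and inspect.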