Beware latest .ico php Backdoor WordPress hack

If you’re reading this then the chances are you’ve fell victim of the latest .ico WordPress php hack.

Maybe you’ve noticed a strange filename in one of your WordPress folders, or perhaps there’s been some odd activity on your web server, such as a lot of email bounce backs, or your server spamming out emails (flooding the server mail queue).

One thing is for sure – if you’ve noticed 1 suspicious / malicious file, then you are guaranteed to find 5+ more hidden away in your WordPress folders.

This latest hack is sophisticated and very good at blending in.

It can even rename and replace root index files, then echo the contents back in so you can’t detect it.

This happens particularly with index.html files that the hack replaces with index.php, but uses php echo to show the contents of your homepage. The existing index.html is usually renamed to index.html.bak.bak or similar.

Signs to look out for:

• Modified existing .php files
• Strange .ico files
• Strange .php filenames

Where you might find malicious files:

• Domain root directory
• .well-known folder (cPanel)
• cgi-bin folder
• WordPress uploads (including yearly / monthly folders)
• WordPress theme folder
• wp-content folder
• wp-includes folder

How to fix:

• Ask your hosting provider to scan your account with anti-virus / anti-malware such as Maldet.
• Perform a free Sucuri SiteCheck – https://sitecheck.sucuri.net/
• Install anti-malware WordPress Plugin such as Wordfence, run a scan then either auto delete / auto repair, or manually remove via ftp.
• Manually browse through your web directory folders
• Upgrade / Replace your WordPress installation manually

Note: You must remove all malicious files or you will wake up the next day and all the directories on your server will be re-infected as the hack regenerates files periodically.