
WordPress websites are commonly compromised for a variety of malicious purposes, so there isn’t a one-size-fits-all fix for all the WordPress problems out there.

I hope this quick read helps someone, some day, clear off the files left behind by a WordPress compromise. In a recent one I was looking into, I spotted a certain file appearing in each and every folder on the account.

The file at first seemed to be part of WordPress because of its name – “.class-wp-cache.php” – but after seeing it a number of times, I thought I’d take a look and see what it actually is.

A Google search for “.class-wp-cache.php” turns up some similarly named files, so it is easy to be misled into thinking it is part of WordPress. Digging in, the code was not obfuscated, so I was able to skim through it quickly and see that it was going to be used to make some cURL requests.

Due to time constraints, I didn’t investigate further into what it was used for or how it was put into every folder. I imagine the attacker left these behind to come back to the site after it was fixed, hoping to re-infect it.

I proceeded to clean up this infection and realised that it would take a long time to do manually. For anyone else needing to clean up this sort of attack quickly, here are some shell commands.

1. Use the following to find where the file exists (quoting the name keeps the shell from treating it as a glob, and -type f restricts the match to regular files):

[root@server public_html]# find . -type f -name ".class-wp-cache.php"

2. Use the following to delete these files from everywhere (same match as above, so only the regular files found in step 1 are removed):

[root@server public_html]# find . -type f -name ".class-wp-cache.php" -exec rm -f {} \;
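As an added example (not from the original post), here is the same sweep as a small POSIX shell script that quarantines each copy and records its SHA-256 and original path before it leaves the document root, so the copies survive for later analysis instead of being lost to rm. The function names and the sample site tree are my own constructions.

```shell
#!/bin/sh
# Added example (not from the original post): sweep a site root for every copy
# of a dropped file, hash it, and move it into a quarantine directory instead
# of deleting it, so the copies survive for later analysis. Names are assumed.

# Print the SHA-256 of a file using whichever tool the host provides.
hash_file() {
  if command -v sha256sum >/dev/null 2>&1; then sha256sum "$1"; else shasum -a 256 "$1"; fi | cut -d' ' -f1
}

# quarantine_dropper <site_root> <filename> <quarantine_dir>
# Moves every regular file named <filename> under <site_root> into
# <quarantine_dir>/files/<relative path>, appends "<sha256> <original path>"
# to <quarantine_dir>/manifest.txt, and prints the number of files moved.
quarantine_dropper() {
  root=${1%/}; name=$2; qdir=$3
  mkdir -p "$qdir/files"
  manifest="$qdir/manifest.txt"
  : > "$manifest"
  # Collect the hit list first so nothing is moved while find is still walking.
  # -type f skips directories; quoting the name keeps the shell from globbing it.
  find "$root" -type f -name "$name" > "$qdir/found.txt"
  while IFS= read -r f; do
    rel=${f#"$root/"}
    dest="$qdir/files/$rel"
    mkdir -p "$(dirname "$dest")"
    printf '%s %s\n' "$(hash_file "$f")" "$f" >> "$manifest"
    mv "$f" "$dest"
  done < "$qdir/found.txt"
  wc -l < "$manifest" | tr -d ' '
}

# Build a constructed WordPress-like tree: three planted copies of the dropped
# file plus one legitimate core file whose similar name must NOT be matched.
build_sample_tree() {
  site=$1
  mkdir -p "$site/wp-admin" "$site/wp-includes" "$site/wp-content/uploads/2024"
  printf '<?php /* stand-in for a real core file */\n' > "$site/wp-includes/class-wp-object-cache.php"
  for d in "$site" "$site/wp-admin" "$site/wp-content/uploads/2024"; do
    # Placeholder body only; the real dropper's contents are deliberately not reproduced.
    printf '<?php /* constructed placeholder */\n' > "$d/.class-wp-cache.php"
  done
}

# Stand-alone run against a throwaway tree: sh script.sh demo
if [ "${1:-}" = "demo" ]; then
  tmp=$(mktemp -d)
  build_sample_tree "$tmp/public_html"
  moved=$(quarantine_dropper "$tmp/public_html" ".class-wp-cache.php" "$tmp/quarantine")
  echo "moved $moved file(s); manifest:"; cat "$tmp/quarantine/manifest.txt"
fi
```

On a real account, run it against the document root and keep the quarantine directory outside the web root; the manifest gives you something to check later against other sites or scanner reports.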

Don’t forget to secure the WordPress instance with the usual best practices:

  • Use a very strong password for the WordPress admin account
  • Make sure the administrator username is not “admin”
  • Update WordPress core to the latest version
  • Remove plugins that are not active or in use
  • Update all the plugins to their latest versions
  • Remove themes not in use
  • Update the theme in use to the latest version
  • Set up a firewall plugin like Wordfence

All the best.