Saturday, April 21, 2012

How to stop URLs on a WordPress site from redirecting browsers to web pages that install malware

Getting the Safe Browsing warning and having Google blacklist your website is not a good surprise for any genuine webmaster. It happened to a couple of my websites, and I struggled for two or three days to clean the websites and solve the issue. I will explain exactly what I did, so if you are going through the same situation this article may be helpful.

Here is my situation: the warnings and clues I was getting ...


  • You get the Safe Browsing warning when you try to access your website from Google Chrome or Firefox. Google search results may also put the warning next to your site.
  • Even though Google is complaining that your website is redirecting, it won't redirect you, because it only does that for certain bots.
  • First, go to the Google Safe Browsing page to get the following clues about what is going on with your website. You can access the Google Safe Browsing page for your website with the following link. Don't forget to replace www.example.com with your site URL.
    http://google.com.au/safebrowsing/diagnostic?site=www.example.com

    In my case
    • First Warning: Malicious software is hosted on 1 domain(s), including riotorio.com/.
    • Second Warning: 1 domain(s) appear to be functioning as intermediaries for distributing malware to visitors of this site, including 91.121.198.0/.
    • It will also tell you whether your site is hosting any malicious software. In my case it was not hosting any: "No, this site has not hosted malicious software over the past 90 days."
  • Secondly, you need to go to Webmaster Tools and get some more clues about your situation. Webmaster Tools is also required to request a review in the last step, so if you haven't added your website to Webmaster Tools, do so.

    Here are a couple of pieces of information I gathered from Webmaster Tools.
    • Some of the URLs on this site redirect browsers to web pages that install malware. This indicates that the server(s) that host pages for this site may contain altered configuration files (such as Apache's .htaccess file).
    • General Problem
      When Google last tested this page, no content was returned from your server. Instead, the browser was redirected to a malicious web page. It is likely that your server configuration has been modified.
Are you in the same situation? Then you may continue, and there is a chance that you may be able to get your site back to normal. Even if the messages are not exactly the same, the following steps will give you a general idea.

  • First things first. Back up your WordPress site completely, including all the files, posts and database. The WordPress plugin XCloner - Backup and Restore will help you do that. Remember, this copy is infected, but if you don't have any other backup and the clean-up process breaks your site, at least there is an infected copy that you can start from again.
  • Then use one or more online website scanners to scan your website to double-check that your web server is not hosting any viruses. Most probably the results will be negative, except for the StopBadware scanner results.
  • Then install the Exploit Scanner WordPress plugin. This step is a bit tricky. It scans the entire WordPress website and lists all the possible code where hackers can hide the redirection. eval(base64_decode, script and iframes are the key areas you need to look at. I scanned all my pages with Exploit Scanner and kept the results aside. Don't start visiting all those pages and deleting the lines this plugin indicates. Instead, just read the URL and the file name and guess which plugin or page has the suspicious code.
  • Here is what you need to do. Uninstall all the plugins that you are not using or in which Exploit Scanner indicates a suspicious code segment. If you redo the scan, you can see that the number of suspicious code segments is shrinking.
  • In my case, Exploit Scanner showed me that the wp-settings.php file had an eval(base64_decode, but none of the plugin installations was able to remove that. I can easily remove those lines manually, but I am not sure whether they are needed. Then I noticed that there is a new version of WordPress. So I updated the site from WordPress 3.3.0 to WordPress 3.3.2. Bingo, wp-settings.php is clean. No more major issues.
  • Log back in to Webmaster Tools and request that Google review your site. I got it cleared within a couple of hours.
Hopefully, you will be able to remove all the malicious code that blacklists your site.
  • One more tip. Don't forget to look in the .htaccess file for any unwanted redirection. Look for any suspicious URLs.
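
The two checks from the steps above (the eval(base64_decode pattern that Exploit Scanner flags, and unwanted redirects in .htaccess) can also be run offline over the backup copy of the site. The Python script below is an added example, not part of the original post or of the Exploit Scanner plugin; the function names, the sample rules and the example.com / example.net hosts are constructed for illustration.

```python
import os
import re

# Pattern named in the post; whitespace between the tokens is tolerated.
EVAL_B64 = re.compile(r"\beval\s*\(\s*base64_decode\s*\(", re.I)
COND = re.compile(r"^\s*RewriteCond\s+%\{(HTTP_USER_AGENT|HTTP_REFERER)\}", re.I)
RULE = re.compile(r"^\s*RewriteRule\s+\S+\s+https?://([^/\s:]+)", re.I)

def scan_php(text):
    """Return 1-based line numbers that contain eval(base64_decode(."""
    return [n for n, line in enumerate(text.splitlines(), 1) if EVAL_B64.search(line)]

def scan_htaccess(text, own_hosts):
    """Return (line_no, host, conditional) for RewriteRules that send visitors to a
    host not in own_hosts (lowercase names). conditional is True when a User-Agent or
    Referer RewriteCond guards the rule, so only some visitors (e.g. bots) are redirected."""
    findings, conditional = [], False
    for n, line in enumerate(text.splitlines(), 1):
        if COND.match(line):
            conditional = True
            continue
        m = RULE.match(line)
        if m and m.group(1).lower() not in own_hosts:
            findings.append((n, m.group(1).lower(), conditional))
        if re.match(r"^\s*RewriteRule\b", line, re.I):
            conditional = False  # conditions apply only to the next RewriteRule
    return findings

def scan_tree(root, own_hosts):
    """Walk a copy of the site and yield (path, findings) for each suspicious file."""
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if name == ".htaccess" or name.endswith(".php"):
                path = os.path.join(dirpath, name)
                with open(path, encoding="utf-8", errors="replace") as fh:
                    text = fh.read()
                hits = scan_htaccess(text, own_hosts) if name == ".htaccess" else scan_php(text)
                if hits:
                    yield path, hits

# Constructed sample input (not from the post); host names are placeholders.
SAMPLE_HTACCESS = """\
RewriteEngine On
RewriteCond %{HTTP_USER_AGENT} (googlebot|bingbot) [NC]
RewriteRule ^(.*)$ http://redirect.example.net/in.php [R=302,L]
RewriteRule ^old$ http://www.example.com/new [R=301,L]
"""
SAMPLE_PHP = "<?php\n eval ( base64_decode('...'));\n require 'wp-load.php';\n"

if __name__ == "__main__":
    print(scan_htaccess(SAMPLE_HTACCESS, {"www.example.com"}), scan_php(SAMPLE_PHP))
```

A hit is only a pointer to a file worth reading: compare flagged core files such as wp-settings.php against a fresh download of the same WordPress version before deleting anything.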
Good luck! If you have any questions or a better way to do this, drop a comment.
 


