Yesterday, I noticed that our FOSS website, foss.amrita.ac.in, gets redirected to some malicious .uk websites when external links were clicked from websites like Facebook and Google. While going through the wp-admin -> Edit Theme files, I noticed that all of the files were infected by a virus which encoded some PHP code in base64 encryption.
- Disable all plugins and delete all the unwanted plugin files from wp-content/plugins
- In order to find which files got infected, run 'grep -r base64 *' under the wp-content folder via ssh or ftp access
- Delete all plugin folders which have the malicious code. For me it was inside a particular plugin, which I removed later to clear all issues.
- Reinstall the theme files again.
- Share the website link on Facebook and try clicking on it again.
What to take care of:
- Never leave any file permission above 755. Feel free to give 755 or 754 to folders in wp-content/plugins or wp-content/themes.
- Make sure that the file permission of wp-config.php is 600.
- Never install unpopular plugins or themes.
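
The grep step and the permission checks above can be combined into one repeatable audit. The script below is an added example, not part of the original post; it assumes GNU grep, find and stat, and the function names and the WordPress path passed as the first argument are placeholders chosen for illustration.

```shell
#!/bin/sh
# Added example, not from the original post. Assumes GNU grep, find and stat.
# Usage: sh wp_audit.sh /path/to/wordpress   (placeholder path)

# PHP files under wp-content that mention base64. These are candidates for
# manual review, since legitimate plugins also use base64 functions.
base64_hits() {
    grep -rIl --include='*.php' 'base64' "$1/wp-content" 2>/dev/null | sort
}

# Files or folders under wp-content with bits beyond 755, i.e. writable by
# group or others (mode bits 020 or 002). Symlinks are skipped because their
# own mode is always 777 on Linux.
loose_perms() {
    find "$1/wp-content" ! -type l -perm /022 2>/dev/null | sort
}

# Prints the mode of wp-config.php and returns 0 only when it is exactly 600.
# Returns 2 when the file cannot be read at all.
wp_config_ok() {
    mode=$(stat -c '%a' "$1/wp-config.php" 2>/dev/null) || return 2
    echo "$mode"
    [ "$mode" = "600" ]
}

# Run all three checks and print a short report.
wp_audit() {
    echo "== PHP files mentioning base64 =="
    base64_hits "$1"
    echo "== Entries writable by group or others (above 755) =="
    loose_perms "$1"
    echo "== wp-config.php mode (want 600) =="
    if wp_config_ok "$1" >/dev/null; then
        echo "ok"
    else
        echo "fix with: chmod 600 $1/wp-config.php"
    fi
}

if [ "$#" -gt 0 ]; then wp_audit "$1"; fi
```

Keeping the output of a clean run and diffing later runs against it shows newly added base64 references without re-reading every plugin.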