A Quick Fix for the Latest WordPress Virus

I spent several frustrating hours this weekend trying to recover from a nasty virus that has hit WordPress installations on Network Solutions and Go Daddy, which is my hosting service. After wasting many hours fiddling with wp-config files and backing up and restoring databases, I hit upon a simple solution this morning that appears to have restored my three blogs to their former glory. Maybe it will help you.

This virus is characterized by the insertion of a long string of seemingly random characters at the beginning of PHP files like the one depicted below. These files are scattered all over your WordPress directories and there’s no telling how many have been infected. You need to remove the malicious code from every PHP file to restore your system, and there could be hundreds of files.

Rogue code in WordPress

First, the disclaimers: I’m not a programmer and I can’t guarantee that this solution will eradicate the virus once and for all. It’s possible that the creeps who developed it have hidden code somewhere to resurrect it at a later point, so I will post an update a few days from now. Also, you should back up your database before attempting any recovery. It’s probably also a good idea to back up the infected files to a safe directory on your computer in case something goes wrong.

That said, here goes. This fix is for Windows, but the Mac version should be pretty similar:

1. You’ll need to download and install two open-source programs – FileZilla and Notepad++ – before you get started.

2. Open FileZilla and connect to the FTP server where your WordPress installation is located.

3. Now you’re going to create a filter in FileZilla to download and upload only PHP files. This will save you a lot of time because you won’t be sending large image and audio files back and forth. Go to “View –> Filename filters…” and choose “Edit filter rules…” Create a new rule called “PHP” or whatever you want. In the “Filter conditions:” drop-down menu, select “Filter out items matching none of the following.” In the space below that, choose the drop-down menus “Filename” “contains” and type “php” into the box. See screen grab below.

Setting up FileZilla to filter PHP files

4. Then – and this is important – uncheck the box that says “Filter applies to: Directories.” If you don’t uncheck this box, FileZilla will only download files in the root folder and miss all the sub-folders. Click OK.

5. Back in the “Directory listing filters” dialog box, check the boxes next to your new PHP filter name in both the “Local filters” and “Remote filters” columns. Click OK. Your file transfer filter is ready.

PHP filters selected

6. In the “Local site:” window on FileZilla, create an empty directory on your computer where you can store the PHP files you download. In the “Remote site:” window, navigate to the directory containing your blog. This will be the one with the folders called wp-admin, wp-content and wp-includes. You actually won’t see those folders at the moment because your filter is on. If you want to check, temporarily disable the PHP filter to be sure you’re in the right directory.

7. In the “Remote site:” window, select all files (CTRL-A), right-click and choose “Download.” The PHP files will start downloading into the new directory you created, preserving the file structure of the server. This should be pretty fast, because you’re only downloading text files.

8. Once the download is complete, open an Explorer window and navigate to the directory on your computer where the PHP files are located. Right click and choose “Open with…” and then navigate to the Notepad++ directory and choose the file called “notepad++”.  Select this as the default for opening all PHP files.

Notepad++ will open with all the files you’ve selected in separate windows. Flip through the windows until you find one containing the rogue code at the top.

9. Select all the characters between the first two occurrences of the “<?php” characters. Include trailing spaces.
In Notepad++, choose “Search –> Find in files…” The dialog box that pops up will look like the one below. The text you selected should already be inserted into the “Find what :” field. Delete anything in the “Replace with :” field. Then choose the navigation button to the right of the “Directory :” field and navigate to the folder containing your PHP files. Click OK. The program will respond with the challenge of “Are you sure you want to replace all occurrances [sic] of…” Click OK. Notepad++ will churn away for a few seconds and then show you how many files it has changed. The number may astound you.

10. If all has gone well, you should still see part of the rogue code in the window in front of you. This is because Notepad++’s “Find what :” field can’t hold all the characters you need to replace. So you’re going to have to run another find and replace. Simply select the remaining bad code and repeat the previous step to find and replace all instances in the files. If all has gone well now, the file in front of you should be clear of all bad code. Save that file and any files that are open in other windows and exit Notepad++.

11. Go back to FileZilla and upload all the PHP files, being careful to choose the same directory from which you downloaded them originally. When the challenge box pops up, specify “Overwrite” and “Always use this action.”

Try to open your site again. It should be back to normal. If it isn’t, upload the bad files you had stored in a separate directory and try something else, because this obviously wasn’t the bug you had!

If the fix works, be sure to change your database and WordPress passwords. And let me know either way whether this did the trick!
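Steps 9 and 10 can also be scripted, which sidesteps the length limit of the “Find what :” field. The Python below is an added example, not part of the original post: it assumes the injected block is byte-for-byte identical in every file and runs from the start of the file up to the second “<?php”, and its function names and sample files are made up for illustration.

```python
import shutil
import tempfile
from pathlib import Path

TAG = b"<?php"

def extract_injected_block(sample: bytes) -> bytes:
    """Return everything from the start of an infected file up to its second '<?php'."""
    second = sample.find(TAG, len(TAG))
    if not sample.startswith(TAG) or second == -1:
        raise ValueError("sample does not begin with two '<?php' tags")
    return sample[:second]  # includes trailing spaces, as step 9 requires

def clean_tree(root: Path, injected: bytes, backup_dir: Path) -> list[Path]:
    """Strip `injected` from the start of every .php file under root.
    Only an exact prefix match is removed, so clean files that legitimately
    hold several '<?php' tags are untouched. backup_dir must be outside root."""
    cleaned = []
    for path in sorted(root.rglob("*.php")):
        data = path.read_bytes()
        if not data.startswith(injected):
            continue
        dest = backup_dir / path.relative_to(root)
        dest.parent.mkdir(parents=True, exist_ok=True)
        shutil.copy2(path, dest)                 # keep the infected original
        path.write_bytes(data[len(injected):])   # write back the cleaned file
        cleaned.append(path)
    return cleaned

def demo() -> dict:
    """Run both steps on a small constructed tree (no real malware involved)."""
    injected = b"<?php /* CONSTRUCTED placeholder for the injected block */ ?>  "
    with tempfile.TemporaryDirectory() as tmp:
        root, backup = Path(tmp, "site"), Path(tmp, "backup")
        (root / "wp-includes").mkdir(parents=True)
        (root / "index.php").write_bytes(injected + b"<?php echo 'home'; ?>")
        (root / "wp-includes" / "a.php").write_bytes(injected + b"<?php echo 'a'; ?>")
        (root / "clean.php").write_bytes(b"<?php echo 1; ?><?php echo 2; ?>")
        block = extract_injected_block((root / "index.php").read_bytes())
        cleaned = clean_tree(root, block, backup)
        return {"block": block,
                "cleaned": [p.relative_to(root).as_posix() for p in cleaned],
                "index": (root / "index.php").read_bytes(),
                "clean": (root / "clean.php").read_bytes(),
                "backup": (backup / "index.php").read_bytes()}

if __name__ == "__main__":
    print(demo()["cleaned"])
```

Run it against the local copy from step 7, review the list of cleaned files, then upload as in step 11.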

Can You Hear Me Now?

A couple of weeks ago I wrote with some satisfaction about my successful conversion from Blogger to WordPress. The new important features in WordPress 2.6.2 are truly impressive, and the Blogger entries and comments came in without a hitch, even down to the permalink names.

I should have known it was too good to be true. I noticed this week that none of my recent entries were showing up in my RSS feed. Checking out the WordPress settings, I discovered that my site didn’t even have an RSS feed. Feed queries were returning a 403 error code, which means a security access violation. Trolling the WordPress message boards turned up that problems like this can only be addressed by the hosting provider, and GoDaddy doesn’t troubleshoot applications.

I tried exporting my blog using WordPress’s wonderful XML export utility. That went fine. The trouble was that the file exceeded the 2MB import limit. I had to scrounge up a way to change that (not a big deal, actually, involving a minor change to php.ini) and test a new install of WordPress and uploading my XML file. That went fine. Ultimately, I ended up uninstalling and reinstalling WordPress and reloading my blog. Then I had to rebuild my sidebar, change the header image and reburn my feed.

Long story short, this consumed a good four to six hours of time between troubleshooting and restoring. Feedburner now says I have a working RSS feed. We’ll see. I’m hoping this item shows up in it, along with the dozen or so other entries that subscribers haven’t seen over the last two weeks.

One of these days I’m going to hire me an IT person!

Freedom from Blogger

Over the weekend, I completed my long-awaited move from Blogger to WordPress. There’s plenty of fine-tuning left to do – and I need to get rid of the hideous graphic in the header – but the transition went pretty smoothly.

I’ve been trying to get off of Blogger for about a year, but migration difficulties – in particular, the loss of link consistency – have frustrated me. With its release of version 2.6.2, WordPress has made migration almost one-button simple. Permalinks are still going back to the previous site template, but that’s an acceptable tradeoff for now to be free of the Blogger system.

I signed up for Blogger more than three years ago when I didn’t know any better. Since then, I’ve learned that blogging software can lock in a user almost as completely as any proprietary software. Because each publisher architects its service somewhat differently, migration has been a headache for years. WordPress is now resolving that problem to the point that moving to its platform no longer requires Herculean effort. I host four blogs on WordPress, with my main blog being the only exception.

Why had I grown frustrated with Blogger?

  • The selection of page templates is severely limited. I never found one I really liked. In contrast, there are thousands of free WordPress templates available. I’ve found many that I like.
  • I decided to host my blog on my own domain and use Blogger as an authoring system. This requires Blogger to FTP the files to my server, a process that had become frustratingly long and failure-prone as my site grew. Blogger offers an alternative to host your domain on its own servers for a fee, but since I was already paying a hosting service, this didn’t seem an attractive option.
  • Blogger has limited support for third-party widgets and plug-ins. WordPress has a vast library of them. This alone is enough reason to switch.
  • The Blogger content management system has far less flexibility than WordPress’, where you can customize almost anything.
  • I’ve found the results of Blogger’s “preview” function to have little to do with the resulting Web page. In contrast, WordPress previews in the context of your chosen template.
  • WordPress has a function to automatically import Word documents. You still have to take out some code, but the process is pretty clean.

There are other reasons, but those are the big ones. For a basic one-button blog that’s drop-dead simple, Blogger is still a great option. But as you yearn to do more with your site, Blogger’s limitations become frustrating. Perhaps I will encounter some terrible problems in the next few days that force me to roll back, but for now, I’m enjoying the flexibility and open-source choice that WordPress provides.

Here’s a pretty good tutorial on how to make the switch.