This week has been challenging for many self-hosted WordPress site owners. I've seen numerous posts all over the Internet of people plagued with the dreaded Ninoplas Base64 Virus.
This virus isn't pretty. It attacks EVERY .php file on your server! If not removed properly, it will replicate itself and you'll spend endless hours trying to remove all the malicious code.
If you suspect that your site's been hacked with the Ninoplas Base64 virus, you need to take action now before your site infects your visitors' computers, gets blacklisted from search engines, or you lose your website altogether.
Here are some of the symptoms:
1. Your WordPress site and your wp-admin/dashboard are redirected to:
2. Your site is trying to load http://kdjkfjskdfjlskdjf[DOT]com
3. You can't log in to your wp-admin area.
Yesterday, I got to see this virus firsthand, along with my Deputy in Training, Allen Dresser. We helped someone repair the damage left by this malicious attack.
What I found…
The top of EVERY .php file on the server contained 3,077 characters of ugly injected code. And close to the bottom of every page, this script had been injected…
Plus, I found a mysterious file in the root named…
I did a search on the database for malicious code and, luckily, it was not affected.
It is yet to be determined how malicious hackers are getting onto people's servers and injecting this mess.
Who's to blame…
I've heard many people say that WordPress has security vulnerabilities causing this. Others are blaming their hosting companies. You can read an article over at wordpress.org about it – Secure File Permission Matter.
Rather than playing the blame game, it's time for you to take action to protect yourself. As a website owner, it's your responsibility to take all the necessary security measures. This includes using a reliable hosting company, setting permissions, strong passwords, securing vulnerabilities, updating software, etc.
When installing WordPress, did you use an instant installer like Fantastico?
Do you have your permissions set correctly on your server? Is your wp-config.php file set to 644 or can the whole world see it because it's set to 777?
If you're one of the unlucky website owners that has had your website hacked, spending the time to remove the ugly code from your .php files is a waste of time unless you remove ALL of the virus. Are there any mystery files on your server? This Ninoplas Base64 virus is hard to locate, seems to replicate itself and is well hidden.
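A read-only audit for the two conditions raised above: world-writable files (such as a wp-config.php set to 777) and .php files that open with injected Base64 code. This is an added example, not code from the original post; the `eval(base64_decode(` pattern and the names `audit_tree` and `HEAD_BYTES` are assumptions, since the post does not reproduce the injected code.

```python
import os
import re
import stat
import sys

# Assumed heuristic: the post only says ~3,000 characters of Base64-related code sit
# at the top of each .php file. eval(base64_decode( is a common shape for such
# injections, not a confirmed signature for this one.
SUSPECT = re.compile(rb"eval\s*\(\s*base64_decode\s*\(", re.IGNORECASE)
HEAD_BYTES = 8192  # only the start of each file is inspected


def audit_tree(root):
    """Return (world_writable, suspect_php); paths are relative to root."""
    world_writable, suspect_php = [], []
    for dirpath, dirnames, filenames in os.walk(root):
        for name in dirnames + filenames:
            path = os.path.join(dirpath, name)
            st = os.lstat(path)
            if stat.S_ISLNK(st.st_mode):
                continue  # a symlink's own mode bits say nothing useful
            rel = os.path.relpath(path, root)
            if st.st_mode & stat.S_IWOTH:  # "other" write bit, e.g. 777 or 666
                world_writable.append((rel, oct(stat.S_IMODE(st.st_mode))))
            if stat.S_ISREG(st.st_mode) and name.lower().endswith(".php"):
                try:
                    with open(path, "rb") as fh:
                        head = fh.read(HEAD_BYTES)
                except OSError:
                    continue  # unreadable file: skipped here, review by hand
                if SUSPECT.search(head):
                    suspect_php.append(rel)
    return sorted(world_writable), sorted(suspect_php)


if __name__ == "__main__":
    root = sys.argv[1] if len(sys.argv) > 1 else "."
    writable, suspect = audit_tree(root)
    for rel, mode in writable:
        print(f"WORLD-WRITABLE {mode} {rel}")
    for rel in suspect:
        print(f"SUSPECT-HEADER {rel}")
    sys.exit(1 if writable or suspect else 0)
```

Run it against a downloaded copy of the site or on the server itself; it changes nothing, and a clean result only means this one pattern was not found at the top of any .php file.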
How to remove the Ninoplas Base64 virus…
I've found an article on how to remove it using SSH access; you can check it out here. (Note: I have not tried this script, so I can't say whether it works or not.)
Many webmasters don't have SSH access enabled or they're unsure how to use it. So maybe you can try restoring your website, if you're lucky enough to have a website snapshot from before the hack happened. Restoring your website to the day before it happened will eliminate the virus, but…
Change your passwords immediately! And I can't stress this enough…use STRONG passwords for your hosting account, FTP account, wp-admin, database, and ANY place else you log in. And change them every 30 days. And DON'T use the same password for more than one account.
My suggestion…your password should be at least 14 characters in length (I prefer 18) with a combination of upper and lower case letters, numbers and symbols. I've got some of the ugliest passwords on the planet!
Here's where I generate mine – http://www.strongpasswordgenerator.com.
Make sure your computer is clean by running a virus scan. Keep your Windows and programs up-to-date.
Download my free “7 Plugins for WordPress Security” eBook. This will help you start the security process and harden your website up a bit.
UPDATE: As David commented below, change your site's Authentication Unique Keys. These can be found around line 35 of your wp-config.php file. Instructions can be found here. Many thanks to Sucuri for their work in web-based integrity monitoring.
UPDATE 2: In an effort to spread awareness about this virus and protect others, we are asking for your help. If you learn any new information, like where it came from, if it affects the database, new symptoms, cookie setting, etc., please leave a comment below.
Still need help?
If your site has been hacked and you need help, contact me. I'll do my best to get your website up and running ASAP.
And better yet, we can help you make your WordPress site more secure now. Check out our Services available.
I'd love your feedback…
If this post has helped you or you've found another way to get rid of this virus, please leave me a comment below.