We search for and remove malicious code on WordPress. Ensuring Internet security and protecting confidential information. Searching for malicious codes using the eval function

Today Yandex.Webmaster told me some unpleasant news regarding one of my resources. The message said that malicious code had been found on the site's pages, which could be dangerous for visitors' computers. When website pages are opened, malicious code may lead to undesirable consequences for the user: infection of the computer with viruses, unauthorized use of its resources, damage and even theft of personal data.

(N.A. Updating your browser version in a timely manner will increase the security of your Internet browsing)

The question of how and where the malicious code on the site came from was the main question to which I needed to get an answer. After all, I administer the resource alone, the password for FTP access is available only to me, and there are no people who would like to make changes to the pages.

I began to recall what changes had recently been made to this site, and from which computer, and I remembered.

A few days ago the site was accessed via FTP from a computer that had an outdated anti-virus database. It was the work computer from which I am now writing this post.

I downloaded a thirty-day trial version of an antivirus program and checked the system. It actually contained several files infected with a Trojan. Later, my conclusions were confirmed by the hosting provider’s support service and anti-virus program developers.

Once the cause of the infection was identified, localized, and eliminated, you could move on to the next step and remove the malicious code from the site. I want to emphasize that the most important thing is to find out the source of the infection, and only then eliminate the consequences. This will reduce the likelihood of the problem reoccurring, and in some cases, without eliminating the source, treating the site is not possible at all.

The malicious code on the site contained the following script:

This script was placed at the end of each page between the tags And.

There were two ways to delete the script:

  1. restore the site from a backup on the server;
  2. remove malicious code manually.

Due to the small number of pages and knowledge of their contents, I chose the second option. It didn’t take much time to find malicious code on the site, remove it and replace the infected site pages on the server with clean ones, and the site’s security was restored.

More terrible was the consequence, which significantly reduced the number of visitors and was expressed by the phrase: “This site may threaten the security of your computer,” but you can’t argue with that, since you’ve made a mistake, you’ll have to pay for it.

How to protect your website from malware infection

In order to protect your site from infection by malicious code, you must:

  1. Use a high-quality antivirus. Install the official version of a currently top-rated antivirus program.
  2. Change the password for FTP access to the site and control panel. If your hosting supports disabling FTP access, disable it from the control panel and enable it as needed.
  3. Access the site via FTP only from computers that have good anti-virus protection with an up-to-date virus database.
  4. Access rights to files and folders (Chmod) must strictly correspond to those recommended by the developer. If you change the access rights for editing a file, upon completion of the work, be sure to restore the required values.

By following these four basic rules, the likelihood of your site becoming infected with malware will be significantly reduced.

That's all, please leave all questions and comments in the comments.

Malicious code gets onto the site through negligence or malicious intent. The purposes of malicious code vary, but essentially it harms or interferes with the normal operation of a website. To remove malicious code on WordPress, you must first find it.

What is malicious code on a WordPress site?

In appearance, most often, malicious code is a set of letters and symbols of the Latin alphabet. In fact, this is an encrypted code by which this or that action is performed. The actions can be very different, for example, your new posts are immediately published on a third-party resource. This is essentially stealing your content. Codes also have other “tasks,” for example, placing outgoing links on site pages. The tasks can be the most sophisticated, but one thing is clear: malicious codes need to be hunted and removed.

How do malicious codes get onto a website?

There are also many loopholes for codes to get into the site.

  1. Most often, these are themes and plugins downloaded from “left” (untrusted) resources. This route, however, is typical for so-called encrypted links; explicit code does not end up on the site this way.
  2. The penetration of a virus when a site is hacked is the most dangerous. As a rule, hacking a site allows the attacker to place not only a “one-time code”, but also code with elements of malware (a malicious program). For example, you find the code and delete it, but it is restored after some time. There are, again, many options.

Let me note right away that fighting such viruses is difficult, and manual removal requires knowledge. There are three solutions to the problem. The first solution is to use antivirus plugins, for example, a plugin called BulletProof Security.

This solution gives good results, but takes time, albeit a little. There is a more radical solution to get rid of malicious codes, including complex viruses, which is to restore the site from previously made backup copies of the site.

Since a good webmaster does this periodically, you can roll back to a non-infected version without any problems. The third solution, for the rich and lazy, is simply to contact a specialized “office” or an individual specialist.

How to Look for Malicious Code on WordPress

It is important to understand that malicious code on WordPress can be in any file on the site, and not necessarily in the working theme. It can arrive with a plugin, a theme, or “homemade” code taken from the Internet. There are several ways to try to find malicious code.

Method 1. Manually. You scroll through all the site files and compare them with the files of an uninfected backup. If you find someone else's code, delete it.

Method 2. Using WordPress security plugins. For example, . This plugin has a great feature, scanning site files for the presence of other people's code and the plugin copes with this task perfectly.

Method 3. If you have reasonable support hosting, and it seems to you that there is someone else on the site, ask them to scan your site with their antivirus. Their report will list all infected files. Next, open these files in a text editor and remove the malicious code.

Method 4. If you can work with SSH access to the site directory, then go ahead, it has its own kitchen.

Important! No matter how you search for malicious code, before searching and then deleting the code, close access to the site files (turn on maintenance mode). Remember about codes that themselves are restored when they are deleted.
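Method 1 (comparing the site files with an uninfected backup) can be automated. The following is an added example, not code from the original article; the directory layout, file names and the injected line are constructed sample data.

```python
import difflib
import hashlib
import os
import tempfile


def hash_tree(root):
    """Map every file path (relative to root) to the SHA-256 of its contents."""
    digests = {}
    for dirpath, _dirs, names in os.walk(root):
        for name in names:
            full = os.path.join(dirpath, name)
            with open(full, "rb") as fh:
                digests[os.path.relpath(full, root)] = hashlib.sha256(fh.read()).hexdigest()
    return digests


def inserted_lines(clean_path, live_path):
    """Return the lines present in the live file but not in the clean copy."""
    def read(path):
        with open(path, encoding="utf-8", errors="replace") as fh:
            return fh.read().splitlines()
    clean, live = read(clean_path), read(live_path)
    matcher = difflib.SequenceMatcher(None, clean, live, autojunk=False)
    return [line for tag, _i1, _i2, j1, j2 in matcher.get_opcodes()
            if tag in ("insert", "replace") for line in live[j1:j2]]


def compare(backup, live):
    """Report files added, removed or changed relative to the clean backup."""
    old, new = hash_tree(backup), hash_tree(live)
    changed = {rel: inserted_lines(os.path.join(backup, rel), os.path.join(live, rel))
               for rel in sorted(old.keys() & new.keys()) if old[rel] != new[rel]}
    return {"added": sorted(new.keys() - old.keys()),      # files the backup never had
            "removed": sorted(old.keys() - new.keys()),
            "changed": changed}                            # path -> foreign lines


# Constructed sample: a script tag appended to a page, plus one unknown file.
INJECTED = '<script src="https://injected.example/x.js"></script>'


def build_demo(tmp):
    """Create a constructed clean backup and a modified live copy under tmp."""
    page = "<html>\n<body>\n<p>Hello</p>\n</body>\n</html>\n"
    trees = {
        "backup": {"index.php": page, "functions.php": "<?php // theme code\n"},
        "live": {"index.php": page.replace("</body>", INJECTED + "\n</body>"),
                 "functions.php": "<?php // theme code\n",
                 os.path.join("uploads", "cache.php"): "<?php // unknown file\n"},
    }
    for tree, files in trees.items():
        for rel, text in files.items():
            path = os.path.join(tmp, tree, rel)
            os.makedirs(os.path.dirname(path), exist_ok=True)
            with open(path, "w", encoding="utf-8") as fh:
                fh.write(text)
    return os.path.join(tmp, "backup"), os.path.join(tmp, "live")


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        print(compare(*build_demo(tmp)))
```

Files listed under "added" and lines listed under "changed" are the candidates to review before anything is deleted.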

Search for malicious codes using the eval function

PHP has a function called eval. It executes whatever code is passed to it as a string. Moreover, that code can be encrypted. It is because of the encoding that the malicious code looks like a set of letters and symbols. Two popular encodings are:

  1. Base64;
  2. Rot13.

Accordingly, in these encodings the eval function looks like this:

  • eval(base64_decode(...))
  • eval(str_rot13(...)) // inside the inner quotes are long, unintelligible sets of letters and symbols

The algorithm for searching for malicious code using the eval function is as follows (we work from the administrative panel):

  • go to the site editor (Appearance→Editor).
  • copy the functions.php file.
  • open it in a text editor (for example, Notepad++) and search for the word: eval.
  • If you find it, don’t rush to delete anything. You need to understand what this function “asks” to be performed. To understand this, the code needs to be decoded. For decoding there are online tools called decoders.

Decoders/Encoders

Decoders work simply. You copy the code you want to decrypt, paste it into the decoder field and decode.

At the time of writing, I did not find a single encrypted code found in WordPress. I found the code from the Joomla website. In principle, there is no difference in understanding decoding. Let's look at the photo.

As you can see in the photo, the eval function, after decoding, did not output a terrible code that threatens the security of the site, but an encrypted copyright link to the author of the template. It can also be removed, but it will come back after updating the template if you don't use .

In conclusion, I would like to note, so as not to get a virus on the site:

  • Malicious code on WordPress often comes with themes and plugins. Therefore, do not install templates and plugins from “left”, unverified resources, and if you do, check them carefully for the presence of links and executive functions of PHP. After installing plugins and themes from “illegal” resources, check the site with antivirus software.
  • Be sure to make periodic backups and perform others.


Malicious code is code that interferes with the normal operation of a website. It can be embedded in themes, databases, files and plugins.


The result of the malicious code may be the deletion of some useful content, or its publication on a third-party resource. In this way, attackers can organize content theft. It’s especially offensive if a young resource with original articles is subjected to this. It may give the impression that the young resource stole the content from an older one.

Also, malicious code can place hidden links in a free theme to third-party pages that are accessible to search engines. These links will not always be malicious, but the weight of the main site is guaranteed to suffer.

The general purpose of all malicious codes is to disrupt the operation of web pages.

Externally, the malicious code appears as a chaotic set of characters. In reality, behind this nonsense there is an encrypted code containing a sequence of commands.

How malicious code gets onto the site

There are two ways how malicious code can get onto a website.

1. Downloading files and plugins from dubious and unreliable resources. Most often, encrypted links penetrate the site using these methods. Explicit code rarely enters a site this way.

2. followed by penetration. This method is considered more dangerous, because hacking a web page makes it possible to transmit not only a “one-time” code, but also entire structures with elements of a malicious program (malware).

Such code is very difficult to destroy, because it can be restored after removal.

Checking the site for malicious code

It should be remembered that these insidious structures can appear not only in the active theme, but also in any resource file. There are several ways to find them:

  • Manually. To do this, you need to compare the contents of all current files with uninfected versions of the backup. Anything different must be removed.
  • Using security plugins. In particular, WordPress offers the Wordfence Security plugin. It has the option to scan page files for foreign code content.
  • With the help of hosting support. The site owner has the right to contact them with a request to scan the resource with their antivirus. As a result, they will provide a report showing the presence of infected files. These files can be cleared of extraneous constructs using a regular text editor.
  • Via SSH access to the site. The search itself is carried out using the commands:

find "/current page directory" -type f -iname "*" -exec grep -Him1 "eval" {} \; > ./eval.log

find "/current page directory" -type f -iname "*" -exec grep -Him1 "base64" {} \; > ./base64.log

find "/current page directory" -type f -iname "*" -exec grep -Him1 "file_get_contents" {} \; > ./file_get_contents.log

As a result of their execution, information about suspicious files will be obtained. The list of these files will be written to a log stored in the current directory.

  • Checking a site for malicious code using the eval function. This PHP function runs any code, even encrypted code. The function's argument is usually wrapped in a decoding call (usually base64_decode or str_rot13). It is because of these popular encodings that malicious code looks like a meaningless set of Latin characters.

Open the page editor.

Copy the contents of the functions.php file to the clipboard.

Paste it into any text editor (notepad).

Find the eval command.

  • Before removing malicious code, analyze what parameters the function expects as input. Because the parameters arrive in encrypted form, they need to be decrypted using decoders. Once you recognize the input parameter, you can decide where it will go in the text of the functions.php file.
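The eval check described above, and in the earlier "Search for malicious codes using the eval function" steps, can be done offline instead of pasting code into an online decoder. This is an added example, not code from the original articles: it finds eval(base64_decode(...)) and eval(str_rot13(...)) wrappers in PHP source, decodes the payload as text without executing it, and follows nested layers. The sample functions.php content is constructed.

```python
import base64
import binascii
import codecs
import re

# eval(base64_decode('...')) / eval(str_rot13("...")), any spacing or case.
# The quoted payload is captured as text and is never executed.
WRAPPER = re.compile(
    r"""eval\s*\(\s*(base64_decode|str_rot13)\s*\(\s*(['"])(.*?)\2\s*\)\s*\)""",
    re.IGNORECASE | re.DOTALL,
)


def decode_payload(func, payload):
    """Decode one layer as the PHP wrapper would; None if it is not decodable."""
    if func.lower() == "str_rot13":
        return codecs.decode(payload, "rot_13")
    # Non-strict PHP base64_decode skips stray characters and missing padding.
    cleaned = re.sub(r"[^A-Za-z0-9+/]", "", payload)
    cleaned += "=" * (-len(cleaned) % 4)
    try:
        return base64.b64decode(cleaned).decode("utf-8", errors="replace")
    except (binascii.Error, ValueError):
        return None


def scan(source, max_depth=5):
    """Return one finding per wrapper: line number, decoder chain, final text."""
    findings = []
    for match in WRAPPER.finditer(source):
        line = source.count("\n", 0, match.start()) + 1
        func, payload = match.group(1), match.group(3)
        chain, text = [], None
        for _ in range(max_depth):          # peel nested eval() layers
            text = decode_payload(func, payload)
            chain.append(func.lower())
            inner = WRAPPER.search(text) if text else None
            if inner is None:
                break
            func, payload = inner.group(1), inner.group(3)
        findings.append({"line": line, "chain": chain, "decoded": text})
    return findings


def _b64(text):
    return base64.b64encode(text.encode()).decode()


# Constructed sample input: a template copyright link, a rot13 string and a
# two-layer wrapper, built here so the block runs offline.
LINK = "echo '<a href=\"https://example.com/\">Template by Example</a>';"
NESTED = 'eval(str_rot13("%s"));' % codecs.encode("echo 'layer two';", "rot_13")
SAMPLE = "\n".join([
    "<?php",
    "function theme_footer() {",
    "    eval(base64_decode('%s'));" % _b64(LINK),
    "}",
    'eval (str_rot13 ("%s"));' % codecs.encode("echo 'hello';", "rot_13"),
    "eval(base64_decode('%s'));" % _b64(NESTED),
    "add_action('wp_footer', 'theme_footer');",
])

if __name__ == "__main__":
    for finding in scan(SAMPLE):
        print(finding["line"], " -> ".join(finding["chain"]), finding["decoded"])
```

The decoded text is what to read before deciding whether a line is a harmless copyright link or foreign code.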

Removing malicious code

Once malicious code is detected, it simply needs to be deleted as a regular line in a text file.

Protection against malicious code

In order to prevent the appearance of malicious code on the site, it is necessary to follow a number of preventive measures.

Use only proven software:

  • Download distributions only from trusted sources.
  • Update the server software in a timely manner.
  • Perform regular audits of your server's security system.
  • Remove outdated debugging scripts.

Set strong passwords on your server software:

  • Come up with a combination of 12 characters, including numbers and letters of different cases.
  • For each service, create your own unique password.
  • Change your passwords every 3 months.

Control data entered by users:

  • Set up HTML markup filters in input fields, the contents of which will be included in the page code.
  • Organize a server-side check of input data for compliance with the acceptable interval.
  • Use WAF. Web Application Firewall is a powerful tool for protecting your website from hacker attacks.

Limit access rights to your resource.

Block or limit access to the administration tools of your website engine and its databases. Also, block access to configuration files and backup copies of production code.

Those sites that have the ability to download user files are most susceptible to such penetration of malicious code.

1. Organize protection against bots. For these purposes, many CMS are equipped with special plugins;

2. Set up validation of user input:

  • Prevent inserting JavaScript code inside the t> construct.
  • Maintain a list of safe HTML tags and filter out constructs that are not included in this list.
  • Analyze the links that users send.
  • There are special services for this, for example Safe Browsing API. It allows you to check the security of a document by URL.

How to prevent accidental placement of malicious code.

  • Carefully monitor the software you use:

Download libraries and CMS extensions only from trusted sources, and preferably from official websites.

Study the code of non-standard extensions that you are going to install on your website engine.

  • Place your advertisements very carefully:

Publish ads on your site that are offered only by reliable advertisers.

Try to post static content on your page.

Beware of affiliate programs with hidden blocks.

How to check a website for malicious code.

Sometimes there is a situation when you need to check a site for viruses. This may be needed, for example, if you have been looking for an answer to a question that interests you on the Internet for a long time and finally found it, but suddenly in a search engine you come across a warning that the site may threaten your security. Those who spend a lot of time on the Internet understand what I'm talking about. For the rest of you, I'll try to explain in more detail what this might mean.

And so, all search engines regularly scan and check all sites for viruses and malicious code. When a search robot finds such code on a site, it automatically issues a warning in the search that this site may threaten your computer. But this is not always true, since these robots can make mistakes and it happens that even ordinary code, for example, social buttons or JavaScript, can be mistaken for malicious. In such a situation, a natural question arises. Is it even worth visiting this site?

If it is possible to find the information you are interested in on another site, then a site with a warning that it may distribute malicious code or a virus is naturally not worth visiting. But when you have been looking for information you really need for a long time and finally found it, what should you do in this case?

That is one side of it. On the other hand, what if you are the owner of a website and one fine sunny day you find a warning in your Yandex or Google account that your website has malicious code? I think such a warning will not improve your mood. And what should you do in this case? How do you find this malicious code or virus? Conventional antivirus programs are unlikely to help you here. For this case there are special programs and online services that can scan a site and check it for malicious code. Naturally, there are probably a lot of such programs and online services on the Internet. I’m not going to talk about them all here, and of course I don’t know them all. Here I will talk about some services that I know about and have used myself.

If you are a webmaster, then you can do this through your account in Yandex, Google, etc., although this also does not always help. For example, this is what happened to me. One day, a friend of mine tells me that when he visits my website, his antivirus utility tells him that there is a virus on my website. Naturally, I immediately check all accounts in search engines where my site is registered. And nowhere are there any messages saying that there are viruses or suspected malicious code on my site. It turns out that according to search engines, my site is clean and there are no malware or viruses. But my friend’s antivirus program found something somewhere. And such a program is probably installed not only by him, but may also be installed by many other Internet users. And it turns out that everyone who has such a program installed will bypass my site, and it is not a fact that they will subsequently return to this site after such a warning.

That’s when I started looking for various programs and online services to check a site for malicious code. As I already wrote above, there are many such services on the Internet, but mostly they simply show whether malicious code is present on the site. That is, whether there is suspicion or not, that’s all. For example, like this service.

There is a suspicion of a virus here and it says that they were found on the site, iframe inserts. But if you look at the code of the page, you can understand that this is just an embed code for a video from YouTube.

The second online service for checking a website for malware

Antivirus Alarm: to scan the site you specify, the service uses anti-virus databases from the world's largest anti-virus companies. A full scan takes up to 10 minutes and doesn't stop even if you close the page. There is also a link here where you can view the results at any time. Another good thing about this service is that it contains a list of the most frequently detected viruses on websites. For example, this is what the virus code looks like: iframe asqyt.in:

There is also a list of NOT viruses. This allows you to avoid panicking when one of the antivirus programs mistakes the code for a virus.
For example, here, according to Google, it doesn’t even trust itself.

Therefore, we draw a conclusion. And my opinion is that all these services are, of course, undeniably useful and really bring great help in finding malicious code on a website. But as they say, trust but verify, so you need to check every information provided by these services yourself. And of course, the final action remains only up to you.

The following guidelines apply to custom Skype apps and programs. They do not apply to the Skype for Business software product or online service provided by Microsoft.

What can you do to stay safe?

You have many different options available to you to keep your account secure. Each of them is described in more detail below.

And if you want to report any suspicious activity or security issues, don't hesitate to contact us.

If you discover a security vulnerability in any Skype apps or online services, follow the instructions at this link: Report a computer vulnerability.

It is extremely important to choose a secure password to access your Skype account. Attackers hack into accounts (not just Skype, but other websites as well) using lists of commonly used passwords, so you need a strong and unique password.

  • Use a combination of letters, numbers and other symbols, such as those found above the numbers on many keyboards, i.e. %, *, $, £ and !. You can make your password more secure by including punctuation, symbols, and other non-standard characters.
  • Names, dates of birth and words from the dictionary should not be used as they are easy to guess.
  • The longer the password, the more secure it is, but keep in mind that a long password is more difficult to remember. Choose a password that you can remember so you don't have to write it down.

Choosing a password that is strong and easy to remember can be challenging. Below are a few techniques that can help you.

Use a sentence as your password.

Passwords are limited to 50 characters, but you can use a short sentence to make the password harder to crack.

Include numbers, uppercase and lowercase letters in the password so that the password does not look like “answeretomars”, but “ot3etetom4rs*”.

Associate the password with something personal to you.

Only you should know the password, and other people should not have any idea about it. For example, other people may know the name of your pet or the title of your favorite movie, because the spread of social networks has increased the availability of your personal information.

Try to take your mind off of this and pay attention to what you see ("There's a river flowing!" or "Yellow car"), and then apply our recommendations:
"V0tT3chetRek4*" or "4Zh3lty car.$"

Use a unique password on each site.

Many of us have multiple accounts and websites that require us to remember a username and password, but not all websites are created equal. At Skype, we care about your safety and spend a lot of money on it, but not everyone does. Therefore, we recommend using a unique password for each website you visit to protect your Skype account from being hacked by websites with weaker security.

A typical attacker strategy is to use credentials stolen from other websites to try to gain access to more valuable accounts, including Skype, email providers and social networks.

Change your passwords regularly.

Even if you use a strong password, you need to change it regularly.

If you think your password has become known to others, change it as soon as possible.

If another website or service where you use the same or similar password is hacked, change your Skype password as soon as possible to protect your account.

Viruses can harm your computer and collect your personal information whether you use Skype or not. The following tips will help you avoid this.

  • Don't open email attachments from people you don't know, or suspicious attachments even from people you know. If in doubt, you should contact the sender and get confirmation from him that the letter is not fake, even if at first glance it seems harmless (for example, you received an e-card or a funny picture).
  • Even if you know the sender, always use an antivirus program to scan files you receive from others, whether through Skype or other means. The anti-virus program on your computer must be running at all times, and do not forget to regularly update the anti-virus database.
  • Use a personal firewall.
  • Set up your computer to regularly receive the latest security updates and patches for your operating system, such as Microsoft Windows or Apple Mac OS X, and for applications such as Adobe Flash, Microsoft Internet Explorer, or Mozilla Firefox.
  • Be careful about the websites you visit and download content from. Try to always use the official website of the relevant programs.

For more information about staying safe online, visit the InSafe and Get Safe Online websites.
(Skype is not responsible for the content of third party sites.)

We are constantly improving Skype, increasing its quality, reliability and security. How to update Skype to .

Be careful with emails claiming to be from Skype announcing a security update - we never send emails like this.

To download Skype, you should only use https://www.skype.com (or the App Store on the mobile platform), since Skype is not distributed through any other sites.

Before you give your credit card information to websites claiming to resell Skype products, make sure the website or seller is reputable.

Phishing is an attempt by a malicious third party to obtain sensitive information, such as a username, password, or credit card information, by posing as a trusted organization or website.

For example, they may send you an email claiming to be from Skype, in which you will be asked to follow a link to log into your account. This link may lead to a fake website that looks and functions exactly like Skype's site, but the personal information you enter there may be stored or stolen and later used by attackers.

The best defense against phishing is vigilance. Although spam and other filters are becoming more effective, they may miss some phishing messages. By increasing awareness of phishing techniques and how to combat them, you can prevent such attempts with simple measures.

Pay close attention to messages that are particularly urgent, such as "Your account has been compromised. Click here for details," or imperative, such as "Please confirm your account information." If you receive a message asking you to perform some action on your account, do not click on the links contained in it. Instead, type "skype.com" into your browser and go to your account directly from the Skype website.

If you receive a message with an attachment that claims to be from Skype, do not open the attachment.

If you arrive at a website through a link or other redirection mechanism, make sure that the site's URL is skype.com and that it does not contain other characters or words. For example, you should not trust the websites notskype.com and skype1.com.

If you think your credentials have become known to others, change your password as soon as possible.