Loading...

Types of Malware and How to Prevent Them

How Attackers Gain Entry

  • Exploiting unpatched vulnerabilities in popular plugins or themes.
  • Credential stuffing or brute-forcing weak administrator passwords.
  • Using leaked credentials harvested from infostealer logs.
  • Uploading malicious files through insecure form, media, or file-manager plugins.
  • Exploiting outdated WordPress core installations that have not been patched.
  • Compromising a shared hosting neighbor and pivoting laterally through misconfigured file permissions.

Once inside, attackers typically plant one or more of the malware types below. Understanding what each type does makes it much easier to spot the warning signs early and respond before damage spreads.

1. Backdoors

A backdoor is malicious code that gives an attacker a persistent, hidden way back into your site, bypassing normal login authentication entirely. Backdoors are often the first thing installed after a successful breach, because they let the attacker return even after the original vulnerability is patched.

Backdoor Types and What They Do
Type What it does
Web shell A script (commonly PHP) that gives the attacker a command-line-like interface to browse files, run commands, and upload more malware directly through a browser.
Uploader script A minimal file that lets an attacker upload additional malicious files without re-exploiting the original vulnerability.
Fake plugin/theme backdoor Malicious code disguised as a legitimate-looking plugin or theme file, often placed in wp-content with an innocuous name.
Database backdoor A rogue admin-level user account or scheduled task injected into the WordPress database.

Signs of Infection

  • Unfamiliar PHP files in wp-content/uploads or other directories that should not contain executable code.
  • New administrator accounts you did not create.
  • Unexplained outbound connections or spikes in server resource usage.

Prevention

  • Disable PHP execution in the uploads directory using server rules or a security plugin.
  • Run regular file-integrity scans to flag new or modified files against a known-clean baseline.
  • Review the admin user list monthly and remove any account you cannot account for.
  • Keep WordPress core, plugins, and themes updated, since most backdoors arrive through an unpatched vulnerability.

2. SEO Spam and Pharma Hacks

This category injects hidden content designed to manipulate search engines or redirect traffic, often without any visible change to the site for a normal visitor.

SEO Spam and Pharma Hack Types
Type What it does
Pharma hack Injects hidden pharmaceutical or counterfeit-product keywords and links, visible to search engines but hidden from human visitors via CSS or cloaking.
Japanese SEO spam Generates thousands of auto-translated spam pages, frequently in Japanese, that only search engine crawlers see.
Doorway pages Auto-generated landing pages stuffed with keywords, created to redirect search traffic to an unrelated or scam destination.
Comment spam injection Abuses the comments system to plant backlinks in bulk, sometimes paired with a script that auto-approves spam comments.

Signs of Infection

  • Search results showing your site's pages with titles or descriptions you never wrote.
  • A sudden drop in search rankings or a Google Search Console security warning.
  • Unfamiliar pages appearing in your sitemap or admin page list.

Prevention

  • Set up Google Search Console and enable security issue alerts, so you are notified the moment Google flags your site.
  • Restrict file editing in wp-config.php using DISALLOW_FILE_EDIT to prevent theme/plugin editor abuse.
  • Use a Web Application Firewall (WAF) to block known SEO spam injection patterns before they reach your site.
  • Audit your sitemap periodically for pages you did not create.

3. Malicious Redirects and Phishing Kits

Redirect malware sends visitors, and sometimes only mobile visitors or only first-time visitors, to an external scam, ad-fraud, or phishing destination.

Redirect and Phishing Malware Types
Type What it does
Conditional redirect Checks the visitor's device, referrer, or geographic location and redirects only specific segments of traffic to avoid detection by the site owner.
Phishing kit A cloned login page (often mimicking a bank, webmail provider, or popular brand) hosted inside a compromised WordPress installation to harvest credentials.
Malvertising injector Injects third-party ad scripts that serve malicious pop-ups or drive-by download attempts to visitors.
Favicon/clickjacking redirect Hides redirect logic inside an innocuous-looking file, such as a favicon or cached asset, to evade casual code review.

Signs of Infection

  • Visitors reporting they are being sent to unrelated or suspicious websites.
  • Browser warnings ("Deceptive site ahead") appear when loading your site.
  • Unexplained new directories that mimic login pages of well-known brands.

Prevention

  • Test your site from multiple devices and connections periodically since conditional redirects often hide from desktop/admin sessions.
  • Monitor Google Safe Browsing status for your domain.
  • Lock down file permissions (typically 644 for files, 755 for directories) to limit what a compromised plugin can modify.
  • Use server-level malware scanning that checks media and asset files, not just PHP.

4. Cryptojacking Malware

Cryptojacking scripts hijack server or visitor CPU resources to mine cryptocurrency on the attacker's behalf, usually without any visible defacement.

Cryptojacking Malware Types
Type What it does
Server-side miner A background process or cron job that mines cryptocurrency using your hosting account's CPU allocation.
Browser-side miner (Coinhive-style) JavaScript injected into page templates that mines cryptocurrency using each visitor's browser while they are on the page.

Signs of Infection

  • Unusually high CPU or resource usage reported by your hosting account, often flagged by automated resource alerts.
  • Site slowdowns with no corresponding traffic increase.
  • Unfamiliar cron jobs or scheduled tasks in cPanel.

Prevention

  • Review scheduled cron jobs regularly and remove anything you did not create.
  • Use resource usage alerts to catch abnormal spikes early.
  • Apply the same patching discipline as other malware types since crypto miners always arrive via the same plugin/theme vulnerabilities.

5. Defacement and Ransomware

Less stealthy than the categories above; this malware announces itself, either by visibly altering the site or by encrypting files and demanding payment.

Defacement and Ransomware Types
Type What it does
Defacement script Replaces the homepage or key pages with a message, image, or political/branding statement claiming credit for the breach.
File-encrypting ransomware Encrypts site files or database content and displays a ransom note demanding payment for the decryption key.
Database wiper Deletes or corrupts database tables, sometimes as a distraction from a quieter, simultaneous data theft.

Signs of Infection

  • The homepage or any page displaying unfamiliar content, images, or ransom messages.
  • Files that will not open or display garbled/encrypted content.
  • A site that is completely down with no clear server error.

Prevention

  • Maintain automated, frequent backups stored off server so you can restore quickly without negotiating with an attacker.
  • Test backup restoration periodically. A backup you have never restored is not a verified backup.
  • Apply the principle of least privilege to database and file-system accounts, so a single compromised credential cannot wipe everything.

6. Data-Stealing Malware

This category is built to quietly harvest sensitive information, customer data, payment details, or admin credentials, rather than alter the site's appearance.

Data-Stealing Malware Types
Type What it does
Form/checkout skimmer (Magecart-style) Injects JavaScript into checkout or contact forms that capture and exfiltrate payment card or personal data as it is typed.
Credential harvester Logs WordPress admin login attempts and silently forwards captured usernames and passwords to the attacker.
Database exfiltration script Quietly export user tables, order data, or other database content to an external location.

Signs of Infection

  • Customers report fraudulent charges shortly after purchasing through your site.
  • Unfamiliar outbound network connections in server logs, especially around checkout or login pages.
  • Modified checkout, cart, or login template files.

Prevention

  • Use a PCI-compliant payment processor that keeps card data off your server entirely whenever possible.
  • Enable two-factor authentication for all administrator and editor accounts.
  • Run file-integrity monitoring on checkout, cart, and login templates specifically since these are the highest-value targets.
  • Rotate API keys and database credentials if you suspect any exposure.

General Prevention Checklist

Most malware families above share the same root causes. These foundational practices address most WordPress infections regardless of which payload an attacker installs.

  • Keep everything updated. WordPress core, plugins, and themes should be updated promptly. Remove any plugin or theme you are not actively using rather than leaving it dormant and unpatched.
  • Use strong, unique credentials. Enforce strong passwords and enable two-factor authentication for every account with publishing or admin access.
  • Limit login attempts. Use a login-attempt limiter or Web Application Firewall to block brute-force and credential-stuffing attempts.
  • Check infostealer exposure. Periodically check whether site credentials have appeared in known breach or infostealer-log databases and rotate any that have.
  • Harden file permissions. Set files to 644 and directories to 755 and disable PHP execution in the upload directory.
  • Maintain offsite backups. Automate daily backups stored away from the live server and periodically test restoring them.
  • Scan regularly. Run automated malware scans on a schedule, not just when something looks wrong.
  • Restrict file editing. Disable the built-in theme/plugin file editor in wp-config.php to reduce the impact of a compromised admin account.

If You Suspect an Infection

Warning Do not panic but act quickly. Many infections spread further the longer they are left in place.
  • Take a backup of the current (infected) state before remediating in case you need to compare files later.
  • Change all passwords, including hosting, WordPress admin, and database credentials, from a clean device.
  • Run a full malware scan and review recently modified files for anything unfamiliar.
  • Contact Bluehost for a guided cleanup if you are on a plan that includes malware remediation.

Need Help?

If you believe your site has been compromised, Bluehost support is available to help diagnose and remediate the issue:

If you need further assistance, Bluehost Chat Support is available 24 hours a day, 7days a week while Bluehost Phone Support is available 7 days a week from 7 am-12 midnight EST. 

  • Chat Support -  While on our website, you should see a CHAT bubble in the bottom right-hand corner of the page. Click anywhere on the bubble to begin a chat session.
  • Phone Support -
    • US: 888-401-4678
    • International: +1 801-765-9400

You may also refer to our Knowledge Base articles to help answer common questions and guide you through various setup, configuration, and troubleshooting steps.

 

 

 

 

Loading...