It's important to routinely check your website to ensure that it's operating correctly. Changes to hosting platforms, third-party integrations, or malicious code can all break your site. For example, we were approached recently by a customer whose website had broken mysteriously. When the website was accessed, it would display an empty white page instead of the content the developer intended. In this post, we'll break down how we diagnosed and fixed this WordPress malware issue for the customer.
Finding the Problem
As we began to investigate the issue, we discovered that every HTTP request sent to the site was returning an HTTP 500 error. This error lets visitors and developers alike know that something has broken on the host side. It doesn't provide much useful information beyond that, however. To find out more about the problem, we accessed the site's cPanel. Looking at the log files is a good way to find out what issues may be happening with the site. Sure enough, an investigation into the PHP logs revealed an error:
This was a good clue to guide the next steps. The most obvious explanation was that a core file had been changed and the wp() function that the PHP scripts were looking for no longer existed. To follow that lead, we compared the files on the website to a fresh version of WordPress downloaded from WordPress.org. Unfortunately, that turned out not to be the problem. The relevant WordPress files that referenced the wp() function were exactly as they should be.
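The comparison against a fresh WordPress download can be scripted. The following is an added shell example, not code from the original post: `compare_core` and its two directory arguments are hypothetical names, and the fresh copy is assumed to be the same WordPress version as the site, already unpacked.

```shell
#!/bin/sh
# Added example: compare a site's files against a clean WordPress tree.
# compare_core SITE_DIR FRESH_DIR
#   MISSING  file shipped by WordPress but absent from the site
#   MODIFIED file present on both sides with different content
#   EXTRA    PHP file inside wp-admin/ or wp-includes/ that WordPress does not ship
compare_core() {
    site=$1 fresh=$2

    # Walk every file in the clean tree and check its counterpart on the site.
    (cd "$fresh" && find . -type f | sort) | while IFS= read -r f; do
        if [ ! -e "$site/$f" ]; then
            echo "MISSING $f"
        elif ! cmp -s "$fresh/$f" "$site/$f"; then
            echo "MODIFIED $f"
        fi
    done

    # Core directories should hold nothing beyond what the release contains.
    # wp-content/ is skipped on purpose: themes, plugins and uploads live there.
    for d in wp-admin wp-includes; do
        [ -d "$site/$d" ] || continue
        (cd "$site" && find "./$d" -type f -name '*.php' | sort) |
        while IFS= read -r f; do
            [ -e "$fresh/$f" ] || echo "EXTRA $f"
        done
    done
}
```

A clean result here does not clear wp-config.php: that file is not part of the WordPress download, so it has to be checked separately.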
After more digging, we found the source of the problem. WordPress uses a file called wp-config.php that contains several configuration parameters that are important to the operation of the site. The parameters, among other things, contain important credentials for accessing the WordPress database that's used to store dynamic content for the site. Without this, posts, metadata, and other configuration parameters needed to properly render the site aren't available.
In our customer's case, the wp-config.php was corrupted as the result of a buggy WordPress malware attack. The goal of the attack was to replace the wp-config.php file with a compromised one. While it succeeded in deleting the original, the buggy code failed to replace it with the malicious one.
With the WordPress malware problem found, the next step was to restore communication with the database so WordPress could connect to it and pull in all the required data. This meant replacing the empty wp-config.php file with a valid one. Should you need to perform this operation yourself, we've included the steps we followed below.
Before you can do anything, you need certain information about the MySQL database. If you have control over the database yourself, you already have this data. If not, contact your hosting support team and ask them for it. These are the items you'll need:
- WordPress host address
- WordPress database
- WordPress username
- WordPress password
It’s probably a good idea to ask the support team to reset the password and send you that instead, just in case the missing wp-config.php file is a result of unauthorized users gaining access to the system.
You’ll need root credentials for the MySQL database to follow this procedure. If you have access to the database, but don’t have root credentials, follow the steps outlined in the official documentation.
1. Connect to MySQL
To begin the process, you'll need to connect to the MySQL database using the credentials from the section above. To start the MySQL shell, enter the following command from the command line:
Remember to replace the text 'user' with the root MySQL username.
2. Verifying the WordPress Database
There may be several databases set up within MySQL. To fix the issue with WordPress, you'll need to confirm the database that's supposed to be assigned to it still exists. You can do that from the MySQL shell with the command:
If everything is working correctly, you should see the WordPress database name in the list that is printed.
3. Verify the WordPress User
You'll be logged into the MySQL shell as a root user, but the WordPress user will likely be different. In this next step, you'll need to confirm that the user still exists. There is no command to show users like there is for databases, so instead we'll query the MySQL database for a list of user names to confirm the one we need is on it. You can do that with the command:
Again, remember to replace the text 'user' with the appropriate name. In this case, that's the WordPress user's name.
4. Reset the User's Password
Assuming you are working on your own and didn't have help from the hosting support staff, you'll need to manually change the WordPress user's password. This can be done by replacing the appropriate text in the following command and running it:
5. Store the Changes
With the database information confirmed and the WordPress user's password changed, you're now ready to store the changes. In MySQL, this must be done manually. You can do so with the command:
6. Restore wp-config.php
If an intact version of wp-config-sample.php exists on the system in question, you can copy that file as a new wp-config.php. If it doesn't, you can get the file from a fresh download of WordPress and copy it over to the system as wp-config.php. This boilerplate version of the file needs to be customized to work with your WordPress installation, however. To do that, open the file in a text editor and replace the following lines with the correct information:
With the information in the wp-config.php file now restored to the correct values, the site should begin functioning again.
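Step 6 can be scripted as follows. This is an added example, not code from the original post: the function names are hypothetical, and it assumes the sample file uses the stock `define( 'DB_NAME', ... );` style lines for `DB_NAME`, `DB_USER`, `DB_PASSWORD` and `DB_HOST`.

```shell
#!/bin/sh
# Added example: rebuild an empty or missing wp-config.php from wp-config-sample.php.

# Escape a value for use inside a PHP single-quoted string (\ and ' only).
php_quote() {
    printf '%s' "$1" | sed -e 's/\\/\\\\/g' -e "s/'/\\\\'/g"
}

# wp_config_ok FILE: succeeds only if FILE is non-empty and defines all four DB constants.
wp_config_ok() {
    [ -s "$1" ] || return 1
    for k in DB_NAME DB_USER DB_PASSWORD DB_HOST; do
        grep -Eq "^[[:space:]]*define\([[:space:]]*'$k'" "$1" || return 1
    done
}

# restore_wp_config SAMPLE TARGET DB_NAME DB_USER DB_PASSWORD DB_HOST
restore_wp_config() {
    sample=$1 target=$2
    [ -s "$sample" ] || { echo "sample missing or empty: $sample" >&2; return 1; }
    # Never clobber a config that still has content; inspect it by hand instead.
    if [ -s "$target" ]; then echo "refusing to overwrite $target" >&2; return 1; fi
    tmp=$(mktemp "$target.XXXXXX") || return 1   # mktemp creates the file with mode 0600
    # Values reach awk through the environment so "&" and "\" are not reinterpreted.
    V_DB_NAME=$(php_quote "$3") V_DB_USER=$(php_quote "$4") \
    V_DB_PASSWORD=$(php_quote "$5") V_DB_HOST=$(php_quote "$6") \
    awk '
        BEGIN { n = split("DB_NAME DB_USER DB_PASSWORD DB_HOST", keys, " ") }
        {
            for (i = 1; i <= n; i++)
                if ($0 ~ "^[ \t]*define\\([ \t]*\047" keys[i] "\047") {
                    $0 = "define( \047" keys[i] "\047, \047" ENVIRON["V_" keys[i]] "\047 );"
                    seen++
                }
            print
        }
        END { exit (seen == n ? 0 : 1) }
    ' "$sample" > "$tmp" || { rm -f "$tmp"; return 1; }
    wp_config_ok "$tmp" || { rm -f "$tmp"; return 1; }
    # 600 assumes PHP runs as the file owner; use 640 if the web server reads it via group.
    chmod 600 "$tmp" && mv "$tmp" "$target"
}
```

`wp_config_ok` can also be run on its own from a scheduled job to catch an emptied or deleted wp-config.php before visitors see the HTTP 500.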
Conclusion - Banish WordPress Malware from Your Website
Website outages such as this are more than an annoyance. When customers can't access your site, they can't give you money. Every second the site is down, there is a potential lost sale. WordPress configuration files are sensitive and can become corrupted for a number of reasons, such as mistaken manual changes, modification by a buggy plugin, or malicious intent. In the case of our customer, there was no backup of the proper wp-config.php file. If you keep proper backups of your WordPress configuration files, you can save a few steps in the process of restoring functionality to the site.
Any time something like this brings your website down, we recommend doing a WordPress malware scan to ensure that malicious intent was not behind the error. This is such an important step in website security that we offer a free tool to do the job for you: Quttera WordPress Malware Scanner. For a more hands-off solution, we offer commercial website monitoring plans. With one of those plans, we'll continually monitor your site for signs of trouble and respond promptly when a problem arises.