During July 2020 a number of WordPress websites that we manage were affected by the WordPress Push Notifications Malware hack. All of the affected websites were hosted on the same cloud platform, so we suspect that just one of these websites had a compromised plug-in, which allowed hackers access to the server.
What are the symptoms?
When browsing a website on a laptop / desktop, there are no symptoms at all, which made it hard to detect. But when browsing an affected website on a mobile phone, vulgar push notifications started appearing immediately when visiting the website. Also, when clicking on any link within the website, you would be redirected to malicious websites.
What we found
After scanning a couple of the affected websites, we found a hidden file in the WordPress plug-ins folder called ccode.php – it was not visible when viewing the installed plug-ins within WordPress, only when viewing the files via FTP. We also found that the core WordPress file /includes/functions.php had been modified.
How we fixed it
We simply deleted the ccode.php file using FTP, saving the file locally so we could take a look at it. And we re-installed WordPress to overwrite the modified functions.php file. We also changed all admin passwords, just to be safe.
How did this happen?
We had around 8 affected websites on this particular cloud hosting platform, so it was difficult to pinpoint the cause of this hack. But when scanning all of the websites, we found that the Ninja Forms plug-in had been modified on one of the websites, so we re-installed this plug-in. We also removed the Contact Form 7 File Upload function that was used on another website, which we suspect could have been the source of the problem.
We had set restrictions on the Contact Form 7 File Upload function, so people could only upload image files, under a certain size, but we saw that PDF files were allowed, which can be a security risk. PDF files are becoming more sophisticated these days, with the ability to add forms & other functions, so they can give hackers a possible route into a server, if not created properly.