how to remove cryptoPHP malware from WordPress

After moving WordPress site to live server my client reported me another day that hosting provider has blocked his site and saying that it’s infected with CryptoPHP malware. Hosting provider guys has setup an .htaccess protection and mailed client to prevent further damage. They sent a link describing this malware.

After I have scanned whole site through security plugins like Wordfence, Sucuri Security, and All in one WP Security. and increased protection. To know more on this malware read further.

What is cryptoPHP malware ?

It’s a malicious file which backdoors your CMS like Joomla, WordPress, Drupal sites. This comes from nulled plugins/extensions mostly. If you are a PHP developer then you will find a block code that looks strange. It includes similar code as below to php files.

cryptoPHP malware infected file

cryptoPHP malware infected file

One can easily find that png files should not be in include function.

What it does ?

As I have noted on infected site, that It has created 2 new users named ‘system’ and ‘system1’.  After analyzing social.png (main malicious script) I found that this script sends curl requests to malicious server also and processes some execution. At the end of the post I am attaching part of this script.

How to remove ?

  • Scan your site with security plugin/extensions, like listed above.
  • Then you can manually scan files for malicious code in files. Look below embedded git to see how this code looks like.
  • Check your site installation folder for weird looking file name and code.

Read more CryptoPHP malware | White paper 

Sample code


Full source sample code can be found here.

Shyam has written 22 articles

Shyam is senior full stack developer, who loves to explore new technologies and work on them. He's passionate about coding so can code 24/7. He uses PHP as a backend programming language.

He knows Laravel, MySQL, AngularJS, ReactJS, Redis, Kubernetes, Git, CodeIgniter, PHP, MVC pattern, Lodash, jQuery, VanilaJS, Teamcity and many other technologies and tools.

Shyam writes notes and hacks on his blog ( In spare time he can be found @ StackOverflow or crafting any new open source application.

Passionate Programmer and Meditator #PERIOD.