How to remove CryptoPHP malware from WordPress

After I moved a WordPress site to the live server, my client reported to me the other day that the hosting provider had blocked his site, saying that it was infected with CryptoPHP malware. The hosting provider had set up .htaccess protection and emailed the client to prevent further damage. They sent a link describing this malware.

Afterwards I scanned the whole site with security plugins such as Wordfence, Sucuri Security, and All In One WP Security, and increased protection. To learn more about this malware, read on.

What is CryptoPHP malware?

It is a malicious file that backdoors CMS sites such as Joomla, WordPress, and Drupal. It mostly comes from nulled plugins/extensions. If you are a PHP developer, you will find a block of code that looks strange. It adds code similar to the example below to PHP files.

cryptoPHP malware infected file

It is easy to see that PNG files should not appear in an include call.

What does it do?

As I noted on the infected site, it had created 2 new users named ‘system’ and ‘system1’. After analyzing social.png (the main malicious script), I found that this script also sends curl requests to a malicious server and carries out some execution. At the end of the post I am attaching part of this script.

How to remove it?

  • Scan your site with security plugins/extensions like those listed above.
  • Then manually scan your files for malicious code. See the embedded gist below for what this code looks like.
  • Check your site installation folder for weird-looking file names and code.
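
A scripted form of the manual checks above, as an added example (not the author's code and not part of the original post): it flags PHP files whose include/require targets an image path, and .png files that lack the PNG signature or contain a PHP open tag. The sample tree, its file names and the images/ directory are constructed for illustration.

```python
import os
import re
import tempfile

# include/require (and the _once forms) whose quoted path ends in an image extension.
INCLUDE_IMAGE = re.compile(r"""(?i)\b(?:include|require)(?:_once)?\b[^;]*?['"]([^'"]+\.(?:png|jpe?g|gif|ico))['"]""")
PNG_MAGIC = b"\x89PNG\r\n\x1a\n"  # first 8 bytes of every real PNG file


def scan_tree(root):
    """Walk root and return (suspicious_includes, fake_pngs)."""
    includes, fake_pngs = [], []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            if name.lower().endswith((".php", ".inc", ".phtml")):
                with open(path, "r", errors="replace") as fh:
                    for lineno, line in enumerate(fh, 1):
                        match = INCLUDE_IMAGE.search(line)
                        if match:
                            includes.append((path, lineno, match.group(1)))
            elif name.lower().endswith(".png"):
                with open(path, "rb") as fh:
                    head = fh.read(512)
                # Flag files that lack the PNG signature or carry a PHP open tag.
                if not head.startswith(PNG_MAGIC) or b"<?php" in head:
                    fake_pngs.append(path)
    return includes, fake_pngs


def write_constructed_sample(root):
    """Constructed sample tree: one infected file, one clean file, two PNGs."""
    files = {
        "infected.php": b"<?php include('images/social.png'); ?>\n",
        "clean.php": b"<?php include 'header.php'; echo '<img src=\"logo.png\">'; ?>\n",
        "images/social.png": b"<?php /* constructed stand-in for a PHP payload */ ?>\n",
        "images/logo.png": PNG_MAGIC + b"\x00" * 16,
    }
    for rel, data in files.items():
        full = os.path.join(root, rel)
        os.makedirs(os.path.dirname(full), exist_ok=True)
        with open(full, "wb") as fh:
            fh.write(data)


if __name__ == "__main__":
    sample_root = tempfile.mkdtemp()
    write_constructed_sample(sample_root)
    print(scan_tree(sample_root))
```

The pattern is matched line by line, so an include split across lines or built from concatenated string fragments will not match; treat a clean result as one signal, not proof.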

Read more: CryptoPHP malware | White paper

Sample code


Full source sample code can be found here.

Shyam Makwana has written 21 articles

I am a PHP developer with a passion for exploring the IT world for new technologies. I do projects in WordPress, Joomla, Magento, Drupal, OpenCart, CodeIgniter, MVC and Core PHP. Check out my profile here to know more about me.

  • Very nice post. I just stumbled upon your blog and wished to say that I’ve really enjoyed browsing
    your blog posts. In any case I will be subscribing to
    your rss feed and I hope you write again very soon!