CleanTalk's blog

Sign Up

Stop spam without frustrating your visitors

Create your CleanTalk account and start blocking spam — no CAPTCHA challenges and no impact on visitors.

Security Block Lists

CleanTalk Account

No credit card required • Setup takes less than a minute • Your temporary password will be sent by email.

Category: Security

  • Our Investigation of the Hack of One Website (OR: How We Investigated a Hack of One Website)

    Our Investigation of the Hack of One Website (OR: How We Investigated a Hack of One Website)

    We were contacted by one WordPress website owner with the issue of a website hack. Consequences of the hack were that their whole website content was deleted, meaning articles, pictures, plugins and themes were gone and visiting the website displayed a blank page. What was left in the folder «wp-content» was a single folder «uploads», new files in the root directory and many custom files «.htaccess» in other folders.

    What measures were taken in the first place before restoring the website. To avoid future successful connections from the hacker, all passwords were changed, including database ones, authorization over HTTP was enabled, installation of any files and themes were allowed only over FTP.

    What Has Been Done to Find Out the Source of the Hack

    The main task was gathering information about how the hacker managed to get access to the website and delete all of its content.

    The first step was saving the entire file system in a way where the files can not be created anew but to be saved in their current state (It’s important to know for identifying the creation time of the malicious files).

    • saving nginx «access.log» on the date of the detected hack
    • saving nginx «error.log» on the date of the detected hack
    • saving nginx «syslog» on the date of the detected hack

    Input data:

    • logs «access.log» (200 MB) «error.log» (47 MB)
    • website files

    The local repository of Splunk was chosen for the log analysis, data sources were the files «access.log» and «error.log».

    To determine the time when the website infection happened, the creation time of the suspicious files in the website folder was inputted.

    The next step was selecting a set of lines from the log files within a certain time period and the server response 200, while requests from «admin_ajax» and «wp_cron» were excluded.

    Thus, we found the hacker’s IP address that was able to get a response 200 for its POST request to this address: /wp-content/themes/seotheme/db.php?

    Next, we analyzed every line of activity of this IP address within the same time period. Based on this data, we see that someone created this folder: /wp-content/themes/seotheme

    Furthermore,

    • the cybercriminal from the IP address 43.153.77.57 was able to get a response 200 to their POST request while forcing /wp-content/themes/seotheme/db.php?u and in the end a number of malicious files was created which were started being called; 
    • a set of files «.htaccess» was created and modified specifically for the Apache-like webserver to allow executing files; 
    • the file «index.php» was modified, added obfuscated malicious code;
    • the file «plugins.php» was modified, added obfuscated malicious code;
    • the file «pluggable.php» was modified, added obfuscated malicious code; 
    • there were some eval constructions in the files, and parsing them was impossible.
    • It’s also impossible to know the origin of the folder /wp-content/themes/seotheme and the files in it, the reason is self-deletion of the malware results.

    How to prevent future hacks:

    1. constant monitoring of the website files for any new unknown files in the system,
    2. aggressive response to status changes of the «.htaccess» files if you use an Apache web-server
    3. force to implement any filesystem actions with a protected FTP account only, you can edit your wp-config.php by adding the code below:
    define( 'FS_METHOD', 'ftpext' );

    define( 'FTP_BASE', '/yoursitepath' );

    Hacked WordPress website? We’ll clean it for you.

    Our experts remove malware, backdoors, and malicious code, restore your website security, and help prevent reinfection — fast, safe, and handled by professionals.

  • CleanTalk Malware Scanner — heuristic code analysis

    CleanTalk Malware Scanner — heuristic code analysis

    We have already talked about the launch of security service for WordPress in the previous article. Today we want to talk about the launch of heuristic analysis to detect malicious code.

    The very presence of malicious code can lead to a ban in search results or a warning in the search for that the site is infected, to protect users from potentially dangerous content.

    You can find malicious code on your own, but it’s a lot of work and most WordPress users do not have the necessary skills to find and remove unnecessary lines of code.

    Often, the authors of malicious code disguise it, which makes it difficult to determine by its signatures. The malicious code itself can be located anywhere on the site, for example the obfuscated PHP-code in the logo.png file, and the code itself is called by one inconspicuous line in index.php. Therefore, the use of plugins to search for malicious code is preferable.

    CleanTalk on the first scan scans all WordPress kernel files, plugins and themes. When rescanning, only those files that have changed since the last scan were scanned. This saves resources and increases scanning speed.

    How heuristic analysis works

    One of the main disadvantages of heuristic analysis is that it is quite slow, so we use it only when it is really necessary. First of all, we divide the source code into lexemes (the minimal language construct) and remove all unnecessary:

    1. Space symbols.
    2. Comment of different types.
    3. Not PHP code (outside of tags <?php ?> )

    Next, we recursively simplify the code until there are no “complex constructs”:

    1. Perform concatenation of strings.
    2. Substitution of variables into variables.
    3. and other

    Also, in the process of simplifying the code, we monitor the origin of the variables and many others.

    In the end, we get a clean code that can be analyzed. It is very important that we get the code not in the form of a string, but in the form of lexemes. Thus, we know where the lexeme is a string with the desired text, and where the lexeme function is.

    In the sense of finding “bad constructs” eval for us there is a difference:

    <?php echo 'eval("echo \"some\"")'; ?>

     

    — in this case there will be no lexeme T_EVAL,

    there is a lexeme T_CONSTANT_ENCAPSED_STRING ‘eval (“echo \” eval\”)’

    <?php eval('echo "some"'); ?>

    – and here it is. And this is the version we will find.

    We look for such constructs, we break them down into degrees of criticality:

    Critical:

    • eval
    • include* и require*
      • with bad file extension
      • non-existent files (will be deleted in the next  versions)
      • connecting deleted files

    Dangerous

    • system
    • passthru
    • proc_open
    • exec
    • include* и require*
      • with the error suppression operator (will be deleted in the next versions)
      • with variables depending on POST or GET.

    Suspicious

    • base64_encode
    • str_rot13
    • syslog

    And other.

    We are constantly improving this analysis: adding new constructions to search, reducing the number of false alarm, optimize the simplification of the code.

    In the plans to teach it to detect and decode strings encoded in URL and BASE64 and others.

    The plugin itself is available in the WordPress directory. If you are unsure how to identify, remove, or clean malware using the plugin, you can book a WordPress Malware Removal service with our Security & Pentest team.

  • How to Check wp-content for Malware with Security by CleanTalk?

    How to Check wp-content for Malware with Security by CleanTalk?

    WordPress powers a significant portion of the internet, making it an attractive target for cyberattacks. Ensuring the security of your WordPress website is paramount. One essential aspect of WordPress security is regularly checking your wp-content directory for vulnerabilities. In this article, we’ll guide you through the process of safeguarding your wp-content folder using the powerful Security by CleanTalk plugin.

    Why Checking wp-content for Malware is Crucial?

    Your website’s wp-content directory is a critical part of your WordPress installation. It contains themes, plugins, and uploaded media files, making it an attractive target for hackers. Malicious actors often seek vulnerabilities in this directory to compromise your website’s security.

    Checking wp-content is vital because it allows you to:

    1. Detect Unauthorized Access: Regular checks help you identify any unauthorized changes or suspicious files within your wp-content folder.
    2. Prevent Malware Infections: Detecting malware early can prevent it from spreading throughout your site, damaging your reputation and potentially harming your visitors.
    3. Maintain Website Performance: A compromised wp-content directory can slow down your site and disrupt its functionality. Regular checks help maintain optimal performance.
    4. Protect Sensitive Data: Your wp-content directory may contain sensitive information. Ensuring its security safeguards your data and user information.

    Introducing Security by CleanTalk

    To streamline the process of checking your wp-content directory and enhancing your WordPress security, we recommend installing the “Security by CleanTalk” plugin. This comprehensive security plugin offers a wide range of features to protect your website, including:

    1. Real-time Firewall: Defends your site against malicious traffic and hacking attempts in real-time.
    2. Spam Protection: Blocks spam comments and registrations to keep your site’s content clean.
    3. Malware Scanner: Regularly scans your website for malware, vulnerabilities, and unsafe permissions.
    4. Login Page Security: Protects your login page from brute force attacks.
    5. Two-Factor Authentication (2FA): Adds an extra layer of login security for administrators.
    6. IP and Country Blocking: Allows you to block specific IP addresses or entire countries to prevent malicious access.
    7. Security Audit Trails: Keeps a record of all security-related events on your site for monitoring and analysis.

    How to Install Security by CleanTalk

    Follow these simple steps to install and activate Security by CleanTalk on your WordPress website:

    1. Login to Your WordPress Admin Dashboard: Navigate to your WordPress dashboard by entering your site’s URL followed by “/wp-admin” (e.g., “https://yourwebsite.com/wp-admin“).
    2. Go to Plugins: In the left sidebar, click on “Plugins.”
    3. Add New Plugin: Click the “Add New” button at the top of the Plugins page.
    4. Search for “Security by CleanTalk”: In the search bar, type “Security by CleanTalk” and press Enter.
    5. Install and Activate: When you see the plugin in the search results, click “Install Now,” and then click “Activate” once it’s installed.
    6. Configure Settings: Visit the “Security by CleanTalk” settings page in your WordPress dashboard to configure the plugin’s settings to your liking. Be sure to set up the malware scanner to check your wp-content directory regularly.
    7. Enjoy Enhanced Security: With Security by CleanTalk in place, your WordPress website is now fortified against threats, and your wp-content directory will be regularly monitored for vulnerabilities.
    Security by CleanTalk at WordPress.
    The Malware scanner checked and found an issue with wp-content.
    The Malware scanner cured files at wp-content.

    Conclusion

    Regularly checking your wp-content directory is an essential part of maintaining a secure WordPress website. To simplify this process and ensure comprehensive protection for your site, we recommend installing the “Security by CleanTalk” plugin. With its wide range of security features, this plugin will help you safeguard your website, keeping it safe from threats and ensuring the integrity of your wp-content directory.

    Anyway, if you are unsure how to identify, remove, or clean malware using the plugin, you can book a WordPress malware removal with our Security & Pentest team.

    Don’t leave the security of your WordPress site to chance—take proactive steps today by installing Security by CleanTalk and regularly checking your wp-content folder for peace of mind and a secure online presence.

  • Why Even the Best Free Malware Removal Tools Can’t Cure Your Website Completely

    Why Even the Best Free Malware Removal Tools Can’t Cure Your Website Completely

    If your website was developed using one of the popular CMS like WordPress or others, there are various security plugins for them, which provide permanent protection from malware. But what to do if your site is unprotected and you suspect that it has been infected? Let’s find out together.

     

    6 signs that your website may be infected

    First of all, let’s break down when it’s really time for you to think about cleaning your site of malware.

    1. Unusual activity in Server logs
      Server logs contain access logs that display the users who have recently accessed your website.

    2. Your website is slow
      Hackers deploy DoS attacks to overload your server resources, thus impacting your website speed and performance.

    3. Emails ending in the Spam folder
      This happens when your web server is infected with malware. As a result, email servers categorize your emails as “spam”.

    4. Pop-up and Spam Ads
      Usually happens when you have installed an insecure plugin or theme. Hackers earn money when visitor clicks on them.

    5. Modified website files
      To insert backdoors and other malicious code in your site, hackers often modify your website core files.

    6. Website being redirected
      Hackers often deploy cross-site scripting (or XSS) attacks to send your website traffic to unsolicited websites.

    What is a manual malware removal

    During a manual malware removal, a dedicated cybersecurity specialist is assigned to your site to work on your site from start to complete site cleanup.

    Step 1: Clean up the bad stuff
    Using SSH and admin access, the specialist reaches your website hosting and gets rid of all viruses, malware, malicious code, and bad links on your website.

    Step 2: Restore the site from backup
    In case you have a backup he restores the site from backup. Otherwise, he works with the site’s current version.

    Step 3: Protect it from future infections
    The specialist installs a permanent Security protection plugin to avoid infecting in the future.

     

    Reasons to use manual malware removal instead of automatic

    Sometimes automatic solutions can be enough to find the most known viruses and malware and often are low cost or free.

    Automatic free malware removal tools can be effective at identifying and removing known malware from a website, but there are several reasons why they may not completely cure a website of all security threats.

    • Over-insurance and possible data loss
      The problem is that they often over-insure and accept your files as bad ones, causing large file and data losses during automatic site cures. A specialist can always distinguish your files from malicious ones even if it’s a custom code.

    • Evolving Malware
      Malware is constantly evolving, with new variants and techniques being developed by cybercriminals. Automatic tools may not always be able to keep up with the latest malware threats.

    • Hidden Malware
      Some malware is designed to be stealthy and can hide in obscure locations within a website’s code or files. Automatic tools may not always detect these hidden threats.

    • False Positives
      Automatic tools may sometimes flag legitimate code or files as malware, leading to false positives. This can result in the removal of essential components of the website, causing functionality issues.

    • Complex Infections
      In some cases, websites may be infected with complex malware that requires manual intervention to fully eradicate. Automatic tools may not have the capability to address these intricate infections effectively.

    • Vulnerability Patching
      While malware removal tools can remove existing infections, they may not address the underlying vulnerabilities that allowed the malware to compromise the website in the first place. It’s essential to also address security vulnerabilities and implement robust security measures to prevent future infections.

    • Human Expertise
      Manual inspection and intervention by cybersecurity experts are often necessary to thoroughly assess the extent of an infection, identify potential backdoors, and ensure that the website is fully secure.

    In conclusion, while automatic malware removal tools are valuable for initial detection and removal of known threats, they may not be sufficient to completely cure a website of all security issues. Manual inspection, ongoing security measures, and expert intervention are often necessary to ensure comprehensive protection against malware and other security threats.

     

    Why it is profitable for you to use CleanTalk malware removal

    100% refund in case of unsuccessful
    We will manually clean your site from viruses and malware or refund your money.    		10+ years fighting malware
    of fighting malware and spam all over the Internet. We are aware of all the dangers that can threaten your website and how to deal with them.

    30-day support
    Free 30-day help with reinfection. As a guarantee of our work we continue to be with you and will get back to work if needed.

    		50+ CVE reports published
    And we continue to share found vulnerabilities in our blog.
    10 000+ active users
    A lot of loyal users that trust our experience and use our Security protection.    		1 year of free Security Plugin
    Order your Malware Removal now and get 1 year of free Security plugin.

    Clean your site from malware today

    And get CleanTalk Security Plugin for 1 year for FREE

    ORDER MALWARE REMOVAL

     

     

  • Wtyczka Security dla WordPress została przetłumaczona na język polski!

    Wtyczka Security dla WordPress została przetłumaczona na język polski!

    Z przyjemnością informujemy, że wtyczka Security od CleanTalk jest teraz dostępna w języku polskim. Tłumaczenie jest już gotowe do użycia. Szczególne podziękowania dla François-Xavier Bénard z zespołu WP Translations za cenne konsultacje dotyczące tłumaczenia!

    Masz pytania? Zadaj je w formularzu komentarzy!

  • Great plugin & support

    Great plugin & support

    We continue to share stories of our clients and the new one is brought by Sabine from sabineboogaard.nl.

    https://www.sabineboogaard.nl/
    Screenshot 2026 01 07 at 8.31.18 AM

    To me this is the best security plugin. There are many options (like easily block IP-addresses and countries) and it’s very easy to monitor what’s happening on the website. I also love the automatic scans and reports. The support is quick, friendly and helpful.

    January 6, 2026, wordpress.org.

    Thank you, Sabine! I appreciate your great feedback, and we do our best to keep WordPress safe.

  • Prevent for User Enumeration on WordPress

    Prevent for User Enumeration on WordPress

    I’m happy to announce option Prevent collecting of authors logins which you can find under settings,

    WordPress console -> Settings -> Security by CleanTalk -> General Settings

    This option disables users IDs enumeration in your WordPress. So, it stands against brute force for authors names. Here is example how the enumeration works in the plain WordPress,

    https://blog.cleantalk.org/?author=1

    By executing such links, an attacker brute forces users list on a site to get valid IDs and use it in further attacks.

    If you turn option Prevent collecting of authors logins on, the plugin disable enumeration by showing a blank page instead of valid page of author. URL for the blank page like this,

    https://blog.cleantalk.org/author/honeypot_login_1753432662.9124

    That’s it! Drop questions in the comment form down below.

  • WP CLI support in Security by CleanTalk (WordPress plugin)

    WP CLI support in Security by CleanTalk (WordPress plugin)

    We’ve added to Security by CleanTalk support of WP CLI commands. The list of commands,

    • Service setup, including interactions with cloud to get an API key and synchronization.
    • Various settings of the plugin.
    • Settings for templates.
    • Malware scanner commands.

    Full guide with examples is here https://cleantalk.org/help/security-wp-cli

    It works on plugins starting version 2.156 which has been released on May 19, 2025.

    Have questions? Please drop us a message in the comment form down below.

  • Malware Auto-Cure Update: Enhanced Threat Treatment and Logging

    Malware Auto-Cure Update: Enhanced Threat Treatment and Logging

    The latest update to Malware Auto-Cure System in the CleanTalk Security Plugin introduces significant improvements in threat detection and remediation, ensuring a more effective and reliable security solution.

    • Fixed the treatment process when a file may contain multiple threats.
    • Fixed the treatment process when a file can only be partially cured.
    • Added detailed logging of automatic treatment results.
    • Added responses to the initiation of manual treatment.
    • Fixed an issue where a file could never be treated due to missing instructions. Now, if an instruction becomes available after a failed treatment attempt, the treatment will succeed.

    The update strengthens our commitment to proactive cybersecurity, reducing infection persistence and ensuring a higher success rate in malware remediation.

  • Security vulnerability in CleanTalk plugins fixed – please update your plugins

    Security vulnerability in CleanTalk plugins fixed – please update your plugins

    There was a security vulnerability, that was discovered in both Anti-Spam (versions <= 6.43.2) and Security & Malware scan (versions <= 2.145). The vulnerability was relevant to some users, who had created an account, but hadn’t inputed the Access Key. The vulnerability was discovered, but wasn’t exploited.

    We’ve taken immediate action to address this issue and fixed all the vulnerabilities. The only thing you need to do is to ensure, that you use an up-to-date version of the plugin.

     

    How to update the plugin

    To protect your website, please update the plugins to the latest version as soon as possible. This update will ensure that your website is secured against the vulnerability.

    1. Log in to your WordPress Dashboard: Access your website’s administrative area.
    2. Navigate to “Plugins”: Click on the “Plugins” menu.
    3. Update Your Plugins: Look for the available updates for both Anti-Spam and Security plugins. Click the “Update Now” button for each plugin.

    We apologize for any inconvenience this may cause. Your security is our top priority, and we appreciate your prompt attention to this matter.

    If you have any questions or concerns, please don’t hesitate to drop a comment below or create a private ticket.

CleanTalk

About

Create a support ticket

Contact us

Dashboard

Sign up / Sign in

Anti-Spam

Anti-Spam for Websites

Anti-Spam API

Best Anti-Spam Plugins in 2026

Check IP

Check Email

Filter fake emails

Hide contact data

Security

Website Malware Scanner

WordPress Malware Removal

WordPress Security Plugin