How to Remove “Mass Injection Website 5” from your WordPress Website

June 28, 2013 Security, WordPress

Oh no! Your site has been hacked! The world now knows to avoid it like the plague and your audience is rapidly shrinking. Terrible news, isn’t it? The first time you find out that one of your sites is hacked, a very sinking, horrible feeling comes into play. However, fear not! I’ve seen MANY, MANY websites hacked, especially WordPress-powered websites. The good news is that FIXING a website that has been hacked by many of the WordPress-targeted viruses is pretty easy. In this example we’ll learn how to remove “Mass Injection Website 5”.

What is Mass Injection 5

According to Symantec, this piece of Malware “injects iframes into website that redirect users to exploit kit hosted sites when visited. These exploit kit sites hosts several different exploits that exploit different client-side vulnerabilities one by one.”

What Files Does it Target?

Okay. So let’s get started on removing this nasty little bug from your site. The first thing to know is WHERE to look. Mass Injection Website 5 targets the following WordPress files:

  • index.php (on the site root)
  • theme header.php files
  • JavaScript files (sometimes)

These files are usually hacked because of an insecure .htaccess file and / or loosely set directory permissions.

If you look at these files, you’ll notice a piece of PHP code that will output a piece of JavaScript that will create an iframe.  If the affected file is a JavaScript file you’ll find a similar injection.  The following two images depict what the code looks like in a PHP file:



Removing the Malware

Next we have to remove this.  And believe it or not, that’s the EASY part.

  1. Download your ENTIRE site – Fear not, downloading a site with Mass Injection Website 5 will NOT harm your computer.  Just don’t run the files on a web server.
  2. Find a file with the Malware in it.
  3. Copy the Malware string into your clipboard – Again, this will NOT harm your computer!
  4. Do a mass find / replace on the entire downloaded site – We use Dreamweaver to do this.
  5. Upload the affected (and now cleaned) files back to your web server.

Believe it or not, that’s it. Please note that, depending on what kind of injection this is, you might have to repeat this process for JavaScript files.
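Steps 2 to 5 can also be done with a short script instead of Dreamweaver. The Python sketch below is an added example, not code from the original post: the function names, the `.infected` backup suffix and the placeholder string are assumptions, and the placeholder stands in for the exact string you copied from an infected file in step 3.

```python
import shutil
import tempfile
from pathlib import Path

# File types the article names as targets: index.php, theme header.php, JavaScript files.
TARGET_SUFFIXES = {".php", ".js"}


def clean_site(root, injected, dry_run=False):
    """Remove every exact occurrence of `injected` (bytes); return {relative path: hits}."""
    if not injected.strip():
        raise ValueError("refusing to run with an empty search string")
    root = Path(root)
    report = {}
    for path in sorted(root.rglob("*")):
        if not path.is_file() or path.suffix.lower() not in TARGET_SUFFIXES:
            continue
        data = path.read_bytes()  # work on bytes so file encodings are left untouched
        hits = data.count(injected)
        if hits == 0:
            continue
        report[path.relative_to(root).as_posix()] = hits
        if not dry_run:
            # Keep the infected original for review; do not upload the .infected copies.
            shutil.copy2(path, path.with_name(path.name + ".infected"))
            path.write_bytes(data.replace(injected, b""))
    return report


def demo():
    """Build a small constructed site copy in a temp directory and clean it."""
    # Constructed placeholder, NOT the real malware string.
    marker = b"<?php /*INJECTED-PLACEHOLDER*/ ?>"
    with tempfile.TemporaryDirectory() as tmp:
        site = Path(tmp)
        theme = site / "wp-content" / "themes" / "example"
        theme.mkdir(parents=True)
        (site / "index.php").write_bytes(marker + b"<?php require 'wp-blog-header.php';\n")
        (theme / "header.php").write_bytes(b"<html>\n" + marker + b"\n<head>" + marker)
        (theme / "style.css").write_bytes(b"body{}")
        report = clean_site(site, marker)                  # the find / replace pass
        leftover = clean_site(site, marker, dry_run=True)  # re-scan: should find nothing
        return report, leftover, (site / "index.php").read_bytes()


if __name__ == "__main__":
    print(demo()[0])
```

Running the function a second time with `dry_run=True` on the cleaned copy, as `demo()` does, confirms that no occurrence is left before you upload the files.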


Bottom line is that since WordPress is the world’s most popular piece of web software, the bad guys out there have nothing better to do than make the lives of good guys like us harder. Because of the rising threat to WordPress-based sites, every self-hosted WordPress installation should use security plugins. Currently we use Better WP Security on all of our live production WordPress websites. This has helped us fend off tens of thousands of attacks on our sites and lets everyone rest easy that their digital assets are protected.
