How to Clean Up After a Virus Infection on a CloudWays Website

Today, I encountered a client's website that uses a Cloudways server. When accessed via mobile, the WordPress site automatically redirects to a third-party advertising website, which is a clear symptom of a virus infection. This article documents how to clean up this ad-redirect virus.

The principle is similar to previous ad-redirect viruses: they exploit vulnerabilities in plugins or WordPress itself to upload malicious files to the server. For example, in the index.php file, we found this string of encrypted code.

The file points to a file named .c963ccee.oti, and part of its content is as follows:

The code is too long to fully decrypt, but based on Naiba's experience, it's clear without decryption that this is a virus file. Normal WordPress program files are open-source and do not contain encrypted code.

Besides this, there are other interfering files in the folder, which won't be listed one by one here.

Once the infection method is analyzed, the solution is simple: delete the virus files and replace them with normal files.

The simplest method is to delete all WordPress files and reinstall it. Of course, files under the uploads directory must be manually preserved; otherwise, all website images will be lost after reinstallation.

Cloudways is a managed VPS, so users do not have the highest permissions. Using SFTP or SSH, you still cannot delete the virus files, so you need to contact customer support for assistance.

Finally, the steps to handle a virus-infected website on Cloudways are:

1. Back up the infected website data for reference;
2. Delete all files and folders except the wp-content/uploads folder (you need to contact customer support to help with deletion, as permissions are insufficient);
3. Re-download the WordPress installation package and install the WordPress website;
4. Reinstall the previous Theme and Plugin.

After completing these steps, the virus files will be gone. If you can't manage it, you canpay for Naiba to handle it.。