threatover Patrik Grobshäuser

FAVICON MALWARE · WORDPRESS · REMOVED

WordPress favicon malware removal.

Attackers disguise PHP backdoors as favicon files because nobody looks at them. I find the fakes, remove the backdoor that planted them, and tell you how it got in. Flat $279.

MECHANISM

A favicon file is just an image. Until it isn’t.

The trick is simple: the attacker plants a file named favicon.ico_bak, favicon_baddc6.ico, or wp-favicon.php in your WordPress directories. Most look like normal favicon backups. Some are actually PHP files that the server will execute when called the right way.

Hosting providers and security plugins skip files that look like images, which is exactly why the attacker chose this disguise. I list every favicon-like file on the install, compare against a clean WordPress, and confirm what each one really is.

find — favicon files that aren’t favicons
01 find . -type f \( -name 'favicon*.ico*' \\
02     -o -name 'favicon*.php' \\
03     -o -name '*-favicon*' \)
04
05 // Anything outside the theme root, or any PHP file
06 // in the list, is a candidate for a backdoor.

What I remove

Every place a fake favicon hides.

  • TRIAGE

    Every file matching favicon-like names is listed and inspected — image headers, file size, last-modified date.

  • FILES

    Fake favicon files removed. PHP disguised as images extracted before deletion so I know what they did.

  • BACKDOORS

    The backdoor that planted them is found — usually in wp-content/uploads or mu-plugins — and removed.

  • DATABASE

    wp_options and active widgets reviewed for related persistence. Scheduled tasks audited.

  • HARDENING

    PHP execution disabled in uploads directories. Permissions tightened so the trick can’t be repeated.

  • REPORT

    Plain-English forensic write-up, entry vector named, what to change before I hand back the keys.

Pricing

Cleanup

$279

flat, one-time, per site

Manual cleanup, entry-vector identification, written forensic report.

Start a cleanup

Monitoring

$29 / mo

per site, cancel any time

Continuous monitoring, hardening, one cleanup per year included.

Get protected

Part of threatover's broader security practice. Penetration testing, bug bounty consulting, triage, and security advisory.

See all services →

Email [email protected] or use the contact form.