// FAVICON MALWARE · WORDPRESS · REMOVED
WordPress favicon malware removal.
Attackers disguise PHP backdoors as favicon files because nobody looks at them. I find the fakes, remove the backdoor that planted them, and tell you how it got in. Flat $279.
§ 01 — MECHANISM
A favicon file is just an image. Until it isn’t.
The trick is simple: the attacker plants a file named favicon.ico_bak, favicon_baddc6.ico, or wp-favicon.php in your WordPress directories. Most look like normal favicon backups. Some are actually PHP files that the server will execute when called the right way.
Hosting providers and security plugins skip files that look like images, which is exactly why the attacker chose this disguise. I list every favicon-like file on the install, compare them against a clean WordPress install, and confirm what each one really is.
    find . -type f \( -name 'favicon*.ico*' \
        -o -name 'favicon*.php' \
        -o -name '*-favicon*' \)

    # Anything outside the theme root, or any PHP file
    # in the list, is a candidate for a backdoor.
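To confirm what each listed file really is, the script below (an added example, not the author's own tooling) classifies every match by content instead of by name. The function names are hypothetical, and it assumes only ICO and PNG signatures count as genuine images and that a literal `<?php` tag marks executable code.

```shell
#!/bin/sh
# Added example: classify favicon-like files by content, not by file name.
# Function names are hypothetical; only ICO and PNG signatures are recognised.

# magic4 FILE -> first 4 bytes as lowercase hex, e.g. 00000100
magic4() {
    od -An -tx1 -N4 < "$1" | tr -d ' \n'
}

# classify_favicon FILE -> prints one of: php, ico, png, unknown
classify_favicon() {
    # A PHP open tag anywhere in the file outranks a valid image header,
    # because code can be appended to an otherwise genuine image.
    # Limitation: short open tags ("<?" alone) are not matched here.
    if LC_ALL=C grep -aqiF '<?php' < "$1"; then
        echo php
        return
    fi
    case "$(magic4 "$1")" in
        00000100) echo ico ;;       # ICO header: reserved=0, type=1
        89504e47) echo png ;;       # start of the PNG signature
        *)        echo unknown ;;   # neither image type: inspect by hand
    esac
}

# scan_favicons ROOT -> one "verdict<TAB>path" line per favicon-like file.
# Uses the same name patterns as the find command above.
# File names containing newlines are not handled.
scan_favicons() {
    find "$1" -type f \( -name 'favicon*.ico*' \
        -o -name 'favicon*.php' \
        -o -name '*-favicon*' \) |
    while IFS= read -r f; do
        printf '%s\t%s\n' "$(classify_favicon "$f")" "$f"
    done
}

# Stand-alone use: sh script.sh /path/to/wordpress
if [ "$#" -gt 0 ]; then
    scan_favicons "$1"
fi
```

Any line reported as `php` or `unknown` needs manual inspection; `ico` and `png` only mean the header is plausible and no `<?php` tag was found.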
§ 02 — WHAT WE REMOVE
Every place a fake favicon hides.
- [ TRIAGE ] Every file matching favicon-like names is listed and inspected — image headers, file size, last-modified date.
- [ FILES ] Fake favicon files removed. PHP disguised as images extracted before deletion so I know what they did.
- [ BACKDOORS ] The backdoor that planted them is found — usually in wp-content/uploads or mu-plugins — and removed.
- [ DATABASE ] wp_options and active widgets reviewed for related persistence. Scheduled tasks audited.
- [ HARDENING ] PHP execution disabled in uploads directories. Permissions tightened so the trick can’t be repeated.
- [ REPORT ] Plain-English forensic write-up, entry vector named, what to change before I hand back the keys.
§ PRICE
Flat $279. One-time. Per site.
[ RESCUE ]
$279
FLAT · ONE-TIME · PER SITE
Manual cleanup, entry-vector identification, written forensic report.
Start a cleanup →
[ SHIELD ]
$29 / mo
PER SITE · CANCEL ANY TIME
Continuous monitoring, hardening, one cleanup per year included.
Get protected →
Part of threatover's broader security practice. Penetration testing, bug bounty consulting, triage, and security advisory.
See all services →
Start an engagement.
Send the scope, stack, and timeline. You get a written proposal with a fixed quote.