Recently I cleaned a WordPress website that was infected with malware. The client complained that the malware (an unknown PHP file, in this case) kept coming back even after he deleted it. I asked for the name of the file that kept appearing; on its own it might make no sense, but it could lead me somewhere. He said two files were being created; I remember only one of the filenames, helad.php.
The modification of genuine files and the appearance of unknown posts were troubling him a lot and hurting the business. It was happening too frequently, sometimes twice a day.
He hired me to take a look and find the root cause of the problem. The first thing I did was scan the website's IP address. Although he was using Cloudflare, the other subdomains were not pointed through it, so the attacker could easily find them with a site like dnsdumpster. The scan showed ports such as MySQL left open, and I was even more surprised to find that I could log in to MySQL remotely given the right username and password. I quickly asked him to close all unnecessary ports and expose only 80 and 443.
Next, I checked for suspicious files inside the WordPress installation and found one called rms_unique_wp_mu_pl_fl_nm.php in wp-content/mu-plugins/. A Google search confirmed that it was indeed malware; a related question can be found on StackExchange.
I inspected the malware and saw that it gave the attacker remote control: WordPress administrator-level access, with which s/he could do whatever s/he wanted. I asked my client whether he had downloaded any premium themes or plugins for free from an unknown source. He said he had been using such a theme before. This might be why my client kept getting hacked: an unknown file was bundled with the theme and gave the attacker unauthorized access.
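One way to do that check routinely, as an added example that is not from the original post: the script below is my own and assumes a standard wp-content/mu-plugins layout and an allowlist you maintain yourself. It lists every file under mu-plugins, flags anything not on the allowlist or whose hash no longer matches the baseline, and notes common obfuscation markers; the sample tree it builds is constructed for illustration.

```python
import hashlib
import os
import tempfile

# Heuristic markers often seen in dropped PHP files; a hit means "inspect
# by hand", not proof on its own.
SUSPICIOUS_MARKERS = (b"eval(", b"base64_decode(", b"gzinflate(", b"str_rot13(")

def sha256_of(path):
    with open(path, "rb") as fh:
        return hashlib.sha256(fh.read()).hexdigest()

def audit_mu_plugins(wp_root, allowlist):
    """Return sorted (relative_path, reason) findings for mu-plugins.

    allowlist maps a path relative to mu-plugins/ to its expected sha256
    (None accepts any content). Must-use plugins load on every request
    without activation, so anything not on the allowlist is a finding.
    """
    mu_dir = os.path.join(wp_root, "wp-content", "mu-plugins")
    findings = []
    if not os.path.isdir(mu_dir):
        return findings
    for dirpath, _dirs, files in os.walk(mu_dir):
        for name in files:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, mu_dir).replace(os.sep, "/")
            if rel not in allowlist:
                findings.append((rel, "not on allowlist"))
            elif allowlist[rel] not in (None, sha256_of(full)):
                findings.append((rel, "content changed since baseline"))
            with open(full, "rb") as fh:
                body = fh.read()
            hits = [m.decode() for m in SUSPICIOUS_MARKERS if m in body]
            if hits:
                findings.append((rel, "suspicious markers: " + ", ".join(hits)))
    return sorted(findings)

def demo():
    """Constructed sample tree: one legitimate mu-plugin plus a stand-in for
    the dropped file (name from the incident; body is a made-up comment)."""
    root = tempfile.mkdtemp()
    mu = os.path.join(root, "wp-content", "mu-plugins")
    os.makedirs(mu)
    with open(os.path.join(mu, "site-tweaks.php"), "w") as fh:
        fh.write("<?php add_filter('xmlrpc_enabled', '__return_false');\n")
    with open(os.path.join(mu, "rms_unique_wp_mu_pl_fl_nm.php"), "w") as fh:
        fh.write("<?php /* constructed: mentions eval( and base64_decode( */\n")
    return audit_mu_plugins(root, {"site-tweaks.php": None})
```

Run it from a cron job against the real install (with a hash-pinned allowlist) and alert on any non-empty result; a file that reappears after deletion shows up again on the next run.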
One such provider is thewordpressclub [.] org, which offers free versions of premium themes and plugins. Their Terms of Service include a section on Remote Access:
As stated above, they can do anything with the source code. Nowadays nobody reads the Terms and Conditions page; this is a good example of why you should read it carefully.
You can read about the malware in detail in the Sucuri blog post.
Hackers lure victims by offering premium themes for free, but those themes may contain unknown files that give the attacker full privileges. Always download WordPress themes and plugins from a known source only.