If you have a WordPress site that uses tagDiv’s Newspaper theme with the tagDiv Composer plugin below version 4.1, it is vulnerable to or probably infected with the Balada injector malware, that redirects your site to other malicious websites. Sometimes the redirection works only on mobile devices.
Over 17,000 WordPress sites have already fallen victim to this attack. This exploit has been reported under CVE-2023-3169.
In this article, I will guide you through the process of fixing this infection and securing your site again.
Table of Contents
- 1 Steps To Fix Balada Injector Malicious Redirect Infection on tagDiv Newspaper [WordPress]
- 1.1 Step 1: Update Newspaper and tagDiv Composer Plugin
- 1.2 Step 2: Backup Your Site
- 1.3 Step 3: Fresh Installation & Components
- 1.4 Step 4: Check /uploads/ for Malware
- 1.5 Step 5: Remove Suspicious Admin Users
- 1.6 Step 6: Backup and Review wp_options
- 1.7 Step 7: Request Reindex via Google Search Console
- 1.8 Step 8: Apply Updates and Use PHP Version 7.4+
- 1.9 Step 9: Use Search Replace DB for Cleanup
- 1.10 Step 10: Scan Other Sites on the Same Server for Cross-Site Contamination
Steps To Fix Balada Injector Malicious Redirect Infection on tagDiv Newspaper [WordPress]
Step 1: Update Newspaper and tagDiv Composer Plugin
This vulnerability was completely patched in tagDiv Composer version 4.2. So, the first step in resolving this problem is to update your tagDiv Newspaper theme to the latest version available, which will automatically update the tagDiv Composer plugin.
To update the Newspaper theme, head over to Newspaper > Updates from your WordPress navigation bar.
Follow the on-screen instructions to update your theme and its companion plugins.
In most cases, the malicious redirection issue should be resolved as soon as the tagDiv Composer plugin is updated to the latest version.
However, if your site is still experiencing malicious redirections, the malware might have spread to other files in your website. Perform the steps mentioned below to completely clean and fix your site.
Step 2: Backup Your Site
Before making any changes, it’s crucial to safeguard your content. Use a reliable WordPress backup plugin or your hosting provider’s backup tools to create a complete backup of your site, including both the database and files.
Step 3: Fresh Installation & Components
Start Fresh with a New WordPress Installation
- Install a fresh copy of WordPress. Many hosting providers offer one-click installations to simplify this process.
- Set up a new database for your WordPress site during the installation.
Manually Reinstall Core Components
Reinstall your essential plugins and themes one by one directly from the WordPress repository.
Manually copy essential files, such as images and custom uploads, from your old site to the new installation.
Verify and Restore wp-config.php
Confirm that the new installation’s wp-config.php file is secure.
Copy relevant configurations from your old wp-config.php file to the new one.
Step 4: Check /uploads/ for Malware
Access the /uploads/ Folder
Navigate to the /uploads/ folder in your WordPress directory using either your hosting file manager or an FTP client like FileZilla.
Remove Suspicious Files
Look for any files with the extensions .php and .zip. Delete any suspicious files to ensure your uploads folder is free of malware.
Step 5: Remove Suspicious Admin Users
- Log in to your WordPress dashboard.
- Go to “Users” and review the list of admin users. Remove any unfamiliar or suspicious accounts.
Step 6: Backup and Review wp_options
- Use a Backup Plugin: Employ a WordPress backup plugin to create a backup of your database.
- Review wp_options Table: If you have access to phpMyAdmin or a similar tool, inspect the
wp_optionstable for any unusual code or entries. Remove any identified suspicious entries.
Step 7: Request Reindex via Google Search Console
- Access Google Search Console: Log in to your Google Search Console account.
- Request Reindexing: Submit a request for reindexing to ensure that Google indexes the clean version of your website.
Step 8: Apply Updates and Use PHP Version 7.4+
- Update WordPress and Plugins: Go to the WordPress dashboard and update WordPress, themes, and plugins to their latest versions.
- Check PHP Version: Confirm with your hosting provider that your website is using PHP version 7.4 or higher.
Step 9: Use Search Replace DB for Cleanup
Use a tool like Search Replace DB to search for and replace any remaining instances of malicious code inside the wp_options table.
Step 10: Scan Other Sites on the Same Server for Cross-Site Contamination
If you find the same malicious redirect symptoms on other sites of yours, repeat the steps for each site.
By following these steps, you can effectively clean and secure your WordPress site against the malicious redirects caused by the Balada malware injector.
I hope you’ve found this article helpful. Feel free to share your thoughts in the comments below.
If you’d prefer to hire a professional agency to cleanup your WordPress site for you, do check out TechRBun Hire, where we provide custom WordPress support and development services at fair price.
