HTML Framer Virus in WordPress.

Hi folks. As promised, here’s another in a series of tips and tricks. This one is about how to go about removing the HTML Framer Virus from a WordPress installation.

I know I promised to cover installation of WordPress on a live server in this post, but a recent hack on a client’s site prompted me to address this issue first.

What is the HTML Framer Virus?

  • Well firstly, it’s a royal pain in the rear end!
  • After that, it’s a malicious chunk of code that infects your theme’s header.php file.
  • Essentially, it inserts itself into the header file and then gives itself permission to play havoc with your site.
  • Note that this hack infects / affects all themes currently in your website directory – not just active themes. So be sure to edit each theme or remove outdated / inactive themes.

How do you know that you’re infected with the HTML Framer Virus?

Sometimes this bug presents itself visually by adding a couple of random characters at the top right of your page, pushing the page layout down by 10-20 pixels.

Adding to that, the HTML Framer Virus sometimes completely deletes the rest of the page (and therefore any access to the rest of the site).

If neither of these is evident, you might find that your site is running really slowly.

You might see the page partially load, and then in the bar at the very bottom of your browser, you might see something like ‘contacting [sitename.com]’, looking for a JavaScript file like jquery.min.js.

What’s happening there is that the normal CDN location of the jQuery framework file is being hijacked and replaced with a location of the HTML Framer Virus’s choosing.

It means that any functionality that jQuery might be able to perform (which is extensive).

The HTML Framer Virus can also take over your WordPress admin theme editor in wp-admin.

It also has the potential to stop you from editing the header.php directly from FTP.

How do you get the HTML Framer Virus?

Mostly it’s caused by a plugin that’s been compromised – in my latest case, it was caused by a vulnerability in the Revolution Slider plugin, but it could happen anywhere, any time.

It could be embedded in an email attachment (like an image), which you subsequently upload to your WordPress site to use on a page or post.

How do you get rid of the HTML Framer Virus?

Find the header.php file in your theme folder and edit it to remove the script.

If you’ve been locked out of your wp-admin, you can do this via your server control panel’s file editor.

If you still have access to the wp-admin, you can use the regular text editor that comes with WordPress, or a plugin like WPIDE, which is a sophisticated code editor within the WordPress Dashboard.

Here’s a snippet of code that you’ll have to look for (just do a search within your editor).

[Image: HTML Framer Virus]

After removing the HTML Framer Virus code:

  1. Create a new WordPress administrator account and delete the current admin account – be sure to attribute all posts to the new admin.
  2. Update WordPress core files.
  3. Remove all plugins and reinstall from fresh installs.
  4. Change passwords to any cPanel or FTP accounts currently associated with your domain.

The last thing about this latest hack is that antivirus software can detect the malicious script. So, to ensure you have removed all traces of it, you can download a copy of your website files via FTP and scan them with your antivirus. This hack can be picked up by AVG Free.

Also, if you run multiple WordPress websites on the same server, there is a good chance that this will affect / infect every domain’s header.php file within WordPress.
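
An added example, not part of the original post: a quick audit for the jQuery hijack symptom described above. It checks header.php in every theme (active or not) of every WordPress install under a directory and reports script tags that load from hosts you have not approved. The allowlist, the function names and the sample site built in demo() are assumptions made for this example.

```python
import re
import tempfile
from pathlib import Path
from urllib.parse import urlparse

# Assumption: script hosts you trust. Add your own domain and any CDN you really use.
ALLOWED_HOSTS = {"code.jquery.com", "ajax.googleapis.com"}

SCRIPT_SRC = re.compile(r"""<script\b[^>]*?\bsrc\s*=\s*["']?([^"'\s>]+)""", re.I)

def audit_header(text, allowed=ALLOWED_HOSTS):
    """Return (line_no, host, src) for every script tag pointing at an untrusted host."""
    findings = []
    for line_no, line in enumerate(text.splitlines(), 1):
        for src in SCRIPT_SRC.findall(line):
            if src.startswith("<?"):       # URL built by PHP, e.g. the template directory
                continue
            host = urlparse(src).hostname  # None for relative (same-site) paths
            if host and host not in allowed:
                findings.append((line_no, host, src))
    return findings

def scan_themes(root, allowed=ALLOWED_HOSTS):
    """Audit header.php in every theme of every WordPress install found under root."""
    report = {}
    for path in sorted(Path(root).rglob("wp-content/themes/*/header.php")):
        hits = audit_header(path.read_text(errors="replace"), allowed)
        if hits:
            report[path.relative_to(root).as_posix()] = hits
    return report

def demo():
    """Build a constructed two-theme site in a temp dir and scan it."""
    clean = '<head>\n<script src="https://code.jquery.com/jquery.min.js"></script>\n</head>\n'
    # Constructed sample: jquery.min.js pulled from a host nobody configured.
    bad = '<head>\n<script src="//cdn.example.invalid/jquery.min.js"></script>\n</head>\n'
    with tempfile.TemporaryDirectory() as tmp:
        for theme, body in (("active-theme", clean), ("old-theme", bad)):
            theme_dir = Path(tmp, "site1/wp-content/themes", theme)
            theme_dir.mkdir(parents=True)
            (theme_dir / "header.php").write_text(body)
        return scan_themes(tmp)

if __name__ == "__main__":
    import sys
    report = scan_themes(sys.argv[1]) if len(sys.argv) > 1 else demo()
    for name, hits in report.items():
        for line_no, host, src in hits:
            print(f"{name}:{line_no}: script from unexpected host {host} ({src})")
```

Run it against the copy of the site you downloaded via FTP, passing the folder as the first argument. A clean result only rules out this one symptom, so still do the antivirus scan.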