.BT Malware is relatively new to many. Two common signs of its presence on your website.
- WordPress site becomes slow
- Links on the website redirect you to advertising when clicked
- Files with a .BT extension in your website directories
- High bandwidth consumption (check if there is a sudden spike)
How do you fix it?
Removing the .BT files won't remove the malware. You need to dig into certain PHP files among your WordPress core files. Note that even if you change the core files, the fix is temporary.
Tools you need to identify infected files:
A security plugin to scan for changes to WP core files and the presence of malware:
- Wordfence or
- Sucuri
Once you have the scan results and understand where the malicious files are located, you need to remove them. To access these files, use File Manager, SSH or FTP to reach the website root directories that hold the website contents.
Common locations to check:
- functions.php – look in the themes directory to find this file. Check all themes, both parent and child. Open functions.php with your text editor and remove the malicious code, which contains strings such as zeeta and yup. From my experience, you need to check right after the opening PHP tag.
- template-config.php – remove this file as well
- Look in wp-includes/CSS and check for files with .BT extensions. Remove them from there.
- Remove files such as default or index.php in locations that are flagged by Wordfence or Sucuri.
- The netlifier class file should also be removed
Remember to run the scan again to check whether any infected files remain. I like Sucuri for showing any changes to WP core files. If it's clean and there are no modifications, it will turn green.
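The locations listed above can also be checked in one pass with a read-only script run over SSH. This is an added example, not code from the original post: the file names and the zeeta/yup strings come from the post, while the function names and the case-insensitive substring matching are assumptions.

```python
import os
import re
import sys

# Indicators taken from the post. "yup" is short and can appear in clean
# code, so every hit is a lead for manual review, not proof of infection.
MARKERS = re.compile(r"zeeta|yup", re.IGNORECASE)


def marker_lines(path):
    """Return line numbers in a PHP file that contain one of the markers."""
    try:
        with open(path, encoding="utf-8", errors="replace") as handle:
            return [n for n, line in enumerate(handle, 1) if MARKERS.search(line)]
    except OSError:
        return []  # unreadable file: skip it rather than abort the scan


def scan(root):
    """Walk a WordPress root and return sorted (reason, path) findings."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        # Only functions.php files below a "themes" directory are inspected.
        in_themes = "themes" in os.path.relpath(dirpath, root).split(os.sep)
        for name in files:
            path = os.path.join(dirpath, name)
            lower = name.lower()
            if lower.endswith(".bt"):
                findings.append((".bt file", path))
            elif lower == "template-config.php":
                findings.append(("template-config.php", path))
            elif "netlifier" in lower:
                findings.append(("netlifier file", path))
            elif lower == "functions.php" and in_themes:
                for lineno in marker_lines(path):
                    findings.append((f"marker line {lineno}", path))
    return sorted(findings)


if __name__ == "__main__":
    # Read-only: prints candidates for review and deletes nothing.
    for reason, path in scan(sys.argv[1] if len(sys.argv) > 1 else "."):
        print(f"{reason}\t{path}")
```

Pass the WordPress root as the first argument and compare the output with the Wordfence or Sucuri results before removing anything.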
I will extend this post with more details later.
I hope it helps you remove this stupid malware once and for all.
All the best!