Its quite interesting to see what forms these viruses take. Often it is just a small extra php file inserted into the main WordPress install. For example I found a small file called “info.php” recently in the root directory of WordPress of my client’s server. It just had a couple of lines of code. Other times I have found that each and every wordpress file contained long lines of some very strange code inserted in front of the file. See the example picture. Now that just does not look right!
I usually start by looking at files that have changed recently that are not part of wp-content. Obviously the content changes most frequently, but unless you update WordPress the main files should not have changed without your input.
I am not an expert on this, but I have fun trying to find out what it is and so far I have been successful in finding various instances of malicious code and restoring the site to good health. Of course I follow up by installing the latest version of WordPress and adding security code to the wp-config file.
This is just another fascinating thing to keep up with in the day-to-day life of a web developer.