Do you think your WordPress website is contaminated with favicon.ico malware? Are you currently seeing content on your WordPress site that you are not aware of? Is your site ranking for keywords for illegal products? favicon.ico virus could be the reason why your website is facing such issues.
This infection enables hackers to inject files on to your web server. These files contain malicious php code that could perform dangerous actions such as create rogue admin accounts or install spyware.
Next, the hackers deface your site, steal data, and launch bigger hack campaigns! This leads to warnings in search results like deceptive site ahead, this site may be hacked. If the hack is not fixed, further your website can face Google blacklisting and webhost suspension. As a result, your traffic drops, your revenue plummets causing severe damage to your business.
If you’re lucky, your web host will notify you that your website is hacked and email you the details. If you’re unsure if it’s the favicon virus, don’t worry. There are ways to scan and clean the hack.
In this article, we’ll show you how to identify the favicon.ico malware easily. We’ll also take you through the steps on how to fix and prevent it.
TL;DR: The infection caused by the favicon.ico virus can randomly spread through your WordPress website making it hard to detect. Install MalCare’s automated plugin to detect the malware and clean it instantly. Your website will be free of the favicon malware in no time!
[lwptoc skipHeadingLevel=”h1,h3,h4,h5,h6″ skipHeadingText=”Final Thoughts”]
What is Favicon.ico Malware?
To address this, we first need to understand the favicon.ico file.
Favicons – Favicons are small icons that display in a browser tab next to the website’s name. These icons also appear in bookmarks or as smartphone app icons.

ICO – ICO is an image file format just like JPEG and PNG. Modern browsers use ICO, JPEG, PNG or GIF files to display favicons.
Now, let’s understand the favicon.ico malware. Hackers exploit vulnerabilities on your website to gain access to your site.
Once inside, attackers create malicious files and name them “favicon.ico”. These malicious favicons usually have a randomized string of characters and numbers in it such as ‘favicon_bdfk34.ico.’
Note: A hacker can create any file such as an HTML or JavaScript file and name it .ico. If you see a .ico file, it need not necessarily be an image.
What happens with a Favicon.ico Virus?
Some of the usual things hackers do in a favicon.ico hack are:
- Inject malicious coding into your website’s files. They also create their own files at random locations.
- Spam the website’s server with malicious files.
- Run phishing scripts to steal valuable data of the website and its customers.
- Redirect visitors to phishing or malicious websites.
- Send encrypted data through hidden favicon files on the website that could be criminal in nature.
- Install spyware on the website that infiltrates your computing device, steals your internet usage data and sensitive information.
- Trick site visitors into downloading malware and ransomware on to their computers.
- Create a new admin account so that they can easily access your site again.
- Insert a hidden backdoor that allows them to enter even if you delete the new admin account.
How to Detect the Favicon Virus?
The favicon virus is particularly difficult to detect because hackers disguise their malicious scripts. They also spam your website’s files and the malicious script could be spread through all your folders and files.
There are two ways to find a favicon malware – manually or using a plugin. The manual method is tedious and risky. As we mentioned, the virus could be peppered through your core files. This makes it hard to detect. However, if you want to know how the manual method works, we’ve covered it later in this section.
If you suspect that your website is infected with a favicon.ico virus, you need to detect and clean it up promptly. We strongly recommend opting for a plugin as it will get the job done quickly.
Detecting Favicon Malware Using a Plugin
Using a plugin is the easiest way to detect favicon malware. There are many plugins available in the market, however, not all are effective. To beat this infection, you need a solution that will run a deep scan of your site and ensure nothing has been missed.
Today, we’ll show you how to use the MalCare Security Plugin. The reasons we recommend MalCare are aplenty. Let’s take a look:
- With other plugins, you have to first purchase their plan in order to run a scan. With MalCare, the first scan is free! This allows you to scan your site and check if there’s malware present first before you proceed to sign up for any plans.
- Many plugins use outdated methods of detecting malware. They look for malicious code that’s already been discovered. Thus, new and disguised code would go undetected. MalCare’s scanner overcomes this hurdle and leverages smart signals that identify malicious code. It can find new malware and even hidden or disguised codes by checking the behavior of codes.
- There are some virus scanners that only check folders in which they think malware will be placed. However, with the favicon virus, hackers can place it in just about any folder on your website. You need a scanner that will scan every inch of your site and not cherry-picked folders. MalCare runs a complete scan of your site so you needn’t worry about missing any areas.
- The one-time set up is easy and fast. You shouldn’t face any hassles or delays. But even then, MalCare provides a 24×7 support team to answer any doubts or queries you might have.
With these features, you can rest assured the scanner will find every trace of the virus.
How to Use MalCare To Detect Favicon Virus
To use MalCare, follow these steps:
1. Download and activate MalCare on your site.
2. Go to the plugin and select ‘Malware Scan’ and scan your site.

3. The scanner will comb through all your website’s files and folders. Once complete, MalCare will report how many infected files are present.

Now that you’re sure there’s malware on your WordPress site, you need to remedy the situation and restore your site back to normal immediately. The longer you allow the malware to manifest on your site, the more damage it will do. So without any delay, let’s start cleaning your hacked site!
If you suspect your WordPress site is under a Favicon.ico attack, use a security scanner like MalCare to detect virus. Click To Tweet
How to Remove the Favicon Malware?
To remove favicon.ico virus from your site, we recommend using the MalCare plugin. Here’s why:
- Most plugins follow a long process that involves submitting a ticket. Then, they assign a security analyst to your case who cleans it manually. This can take hours up to days! MalCare has an automated cleaner that requires a single click to run the cleaning process. It takes only a few minutes.
- Most plugins need you to disclose your wp-admin credentials and your FTP credentials in order for them to access your site and clean it. As MalCare is automated, you don’t need to disclose sensitive information to a third-party.
- The malware cleaner uses a method that removes all malicious code without breaking your website.
- Your website will be protected against future attacks as MalCare puts up a strong firewall and proactively defends your site.
- Your site will be auto-scanned daily for any suspicious activity or malware.
Removing Favicon Malware With a Plugin
Let’s get started with cleaning your site.
- On the page where MalCare displays how many hacked system files it has found, you will see an option to upgrade.
Note: As the malware removal process is complex and needs adequate resources, it is a paid service. While there are free services, they only run surface scans and cleans. When it comes to security, it’s best to choose a trusted and reliable option.
- Once you upgrade, an option to ‘Auto-clean’ will appear. Simply click on this button and sit back.

- In a few minutes, the plugin will clean your site and display a prompt that your site is clean. That’s it, you’re done!
- We recommend visiting your website to make sure everything is back to normal. You can even run a second scan to double-check.
Your website will be free of the favicon.ico malware.
Note: If you’ve been blacklisted by Google on account of the presence of malware, we recommend our guide – How to Remove Google Blacklist.
If this method isn’t for you, we’ve detailed the manual method of detecting and cleaning favicon viruses below.
How to Manually Detect and Clean Favicon Virus?
Before we begin, we must warn you that this method carries a great amount of risk. You need to have the adequate technical knowledge to carry out these steps. We don’t recommend this method even if you’re an expert with the inner workings of WordPress. This is simply because even a slight misstep can cause your website to break.
Caution: This method could cause loss of data and damage to your site. Please take a complete backup of your website before you proceed.
Step 1: Identifying Favicon Files in WordPress Folders
Hackers are found to hide the favicon.ico virus in all sorts of files and folders. Open your hosting account and access cPanel > File Manager.

Find your website’s folder. This is usually named public_html.

We recommend looking for files named ‘favicon’ in every folder of your website. Pay special attention to the following folders:
- /plugins, /extensions, /components, /modules, /uploads, /media, /themes, /templates, or /skin folders.
Step 2: Checking Scripts for Malicious Code
Once you find these files, you need to analyze them. Check for strings like “ALREADY_RUN_”, followed by a random string. Look for keywords like ‘base64’ and ‘eval’. You can also tell it’s a malicious php file if the script is completely encrypted. Here’s an example of what a favicon.ico virus looks like:

Step 3: Delete the Malicious Scripts
Once you identify the files, you need to delete them to get rid of the malware. Be cautious here as there may be other elements or files that are dependent on these files. Deleting such files can break the dependency and crash your site.
Step 4: Get Rid of Backdoors
We mentioned earlier that hackers also create backdoors so that they can access your site when they want. You need to identify these malicious codes and delete them as well. Backdoors are usually hidden very well so it’s difficult to detect manually. Refer to our removal guide on How to Get Rid of Website Backdoors.
With that, your website should be clean of the favicon.ico malware. However, there’s no guarantee that it’s gone completely. Such attacks work like cancer. Even after all the treatment possible, even if a single cell survives, it’s enough for the whole hack to reappear.
Once you’re sure you’ve removed all traces of the virus files, we can proceed to prevent favicon.ico malware.
Recommended read: How to remove malware from WordPress site
How to Protect Your Website From Favicon.ico Malware Attack?
Your website was hacked because there was a vulnerability present that enabled hackers to gain access. You need to find the vulnerability that caused your site to get hacked in the first place and seal it.
- Use a security plugin to regularly perform virus scan on your website.
- Make sure your WordPress core installation is updated to the latest version.
- Update all themes and plugins to the latest version.
- Scan your site themes and plugins regulary for malicious codes.
- Delete any rogue admin users.
- Delete any plugins that you don’t recognize and are sure you didn’t install.
- Then, delete all unused plugins and themes that are installed on your site.
- If you’ve installed any pirated or cracked software, delete it immediately. These versions usually carry pre-installed malware.
- Take measures to increase the security of your website. Follow our guide on How to Harden Your WordPress Site.
Once done, we’re confident your website is secure from the favicon.ico malware attack.
[ss_click_to_tweet tweet=”” content=”I cleaned my WordPress site of the Favicon.ico Virus with this step-by-step guide from MalCare. Check it out.” style=”default”]
Final Thoughts
We’ve had clients who have faced favicon malware on their sites. At first, they tried the manual method only to find their site hacked over and over again. If you are not sure, you can check if your website is hacked.
Delays in fixing a hack lead to severe damage to content, brand, and reputation. Sometimes, the damage is so bad it’s irreparable.
You simply can’t afford to make compromises when it comes to website security. This is why we strongly recommend opting for a WordPress security plugin such as MalCare that will guarantee your site is secured. You can read more about this topic on stack overflow and stack exchange websites.
You can have peace of mind knowing your site is monitored around the clock. The website firewall blocks hackers from visiting your site and alerts you if it detects suspicious activity.
Secure your WordPress Website with MalCare!