You may have encountered irregularities such as unexpected slowdowns, intrusive pop-up ads, or unusual changes to your content. You may also have seen anomalies in your WordPress files—such as unusual favicon files or oddly named wp-config files. These signs may indicate that your WordPress site has been hacked using the favicon malware. 

If you suspect that your site has the favicon virus, scan it right away. 

Disguised as innocent .ico files, cyber attackers nest malware files within your website’s directories. By renaming malware files to appear as favicons, your site’s small screen icon, the damaging code blends into your website’s background. It is indistinguishable amidst legitimate files, all the while laying the groundwork for substantial performance and security disruptions. Despite the severity, it’s crucial to remember: favicon.ico virus is not unbeatable. 

Throughout this guide, we’re going to walk through the essential steps needed to identify, deal with, and ultimately safeguard your site against this sort of threat.

TL;DR: The best way to remove the favicon.ico malware is to install MalCare. MalCare is a powerful security plugin that will find every trace of malware on your site, and surgically remove it with one click. Don’t worry about the malware coming back, as MalCare includes a robust firewall as well. 

What is the favicon virus?

Do you see the MalCare logo on the browser tab for this article? That is a favicon. Favicons are small image files displayed in the browser tab next to the page title.

They are visual identifiers for websites and are often used for branding purposes. Favicon files have the .ico extension and are usually harmless image files.

The issue is that file extensions can be easily changed, and they may not reflect the real contents of a file. Hackers change the extensions of malware files to .ico to evade detection. If you convert it to a text file and open it in an editor, you’ll discover executable code instead of the image information. Hackers use this mechanism to hide their malware in plain sight. Because the malware file is hidden in the form of an icon file, inexperienced users may ignore it, believing it is a benign image file. 

Additionally, there are variants of the favicon virus, and instead of .ico files, you may see a number of files with the .bak or .bak.bak extension instead. 

Mislabeled favicon files can be used to conceal different types of malware for a variety of fraudulent activities. Here are some of the attacks we have come across hidden in favicon files:

• Credential theft: Malware that steals usernames, passwords, and login credentials, etc.
• Redirect malware: Malicious software that redirects users to phishing websites.
• Clickjacking: A technique that tricks users into clicking on hidden buttons or links. The user is then led to unintended actions or malicious sites.
• SEO spam: Hackers add spam on websites that  affect its search engine rankings.
• Privilege escalation attacks: Hackers gain unauthorized access and elevate privileges. This compromises the entire website or server.
• Spyware: Malicious code tracks user activities, collects data, and reports it to the attacker.
• Phishing scams: Hackers trick users into disclosing personal information with replicas of real sites.

How to detect the favicon malware on your WordPress site

The favicon.ico malware is most commonly a form of hacked redirect malware and can be quite challenging to detect. Infected websites often redirect visitors from search engine results to malicious sites. On top of that, the redirection will typically not affect logged-in users or frequent visitors. This behavior makes it even trickier to spot the infection.

This malware shows up as a widespread distribution of favicon files throughout the website directories. It is even found in unexpected places like core WordPress folders, where favicons are typically not found. 

With that in mind, in this section, we will explore various methods to find the virus.

1. Scan your site

There are two primary scanning methods you can use:

A. Server-side scanner

Install MalCare on your WordPress site to deep-scan every inch of your site. This plugin scans your entire site, including the database and uses advanced algorithms to flag malware. This makes it a reliable way to detect any malware on your site, even if it’s in core files.

B. Frontend scanner

If you prefer not to install a scanner on your site, you can opt for a frontend scanner. These scanners enable you to scan without installing any software on your website. But frontend scanners do not have access to all parts of your site, so will not detect malware in those locations. 

2. Look for symptoms

Scanning your site for malware is the definitive way to find malware on your site. However, there are sometimes other telltale signs of a malware infection. 

• Redirects to spam sites: Track user experiences and pay attention to any unusual redirections.
• Google blacklist warnings: You will see a Google blacklist warning when you visit your website from search engine results or when using a Chrome browser.

• Account suspension from web host: Your website hosting provider can suspend your account if it detects malware. Generally, you will receive an email about the suspension. 
• Security warnings in Google Search Console: Check for any security warnings or notifications indicating potential malware or spam pages on your site.

• Broken code on the website frontend: Unexplained code in the header or footer areas of your site could be a sign of malware, or a misbehaving plugin at the very least. 
• Several unaccountable favicon files in various folders: Look for favicon files in folders where they don’t belong or an excessive number of them.
• Altered sitemaps containing spam sites: Review your website’s sitemap. If you discover spammy or unrelated pages, it indicates a compromised website
• Spam results in Google search results: Search for your website on Google and review the search results. If you notice spammy links, irrelevant snippets, or more indexed pages than you should have on your site, you have a compromised site.

How to remove the favicon.ico virus

Once you’ve found the favicon virus on your WordPress site, it’s important to act fast to get rid of it. In this section, we’ll cover 3 methods to remove the malware and restore your website.  

All 3 options are not equal, however. Keeping WordPress’ DIY nature in mind, you may be tempted to try manual malware removal, thinking it may be more cost-effective. On the contrary, manual removal ends up being far more expensive than a security plugin or a maintenance service because of the time and effort it takes, not to mention the risk of losing the entire website. 

We highly recommend using a security plugin because of these reasons, and many more. 

1. Automated malware removal with MalCare

Remove the favicon.ico virus in minutes with MalCare. As soon as the scanner detects malware on your site, all you need to do is upgrade to a subscription to clean it. One-click and poof goes the favicon malware in 5 minutes.

Additionally, if you would like a WordPress security expert to check your site as well, your MalCare subscription gives you unlimited premium support. A security expert will thoroughly scrutinize your site for malware.

The plugin ensures reliable and efficient removal of malware. It has no negative impact on your website’s functionality or performance. If anything, the firewall will improve the speed of your website by keeping away malicious bots. Additionally, MalCare will take a full backup before initiating the removal process. This ensures that you have a safety net in case any unforeseen issues arise during the cleanup.

2. Professional malware removal service

While automated malware removal is great, a professional malware removal service can be helpful too. In fact, if your site is offline or your only resort is a backup, this may be your only option. You can reach out to MalCare support to have WordPress security experts for an emergency cleanup in this situation. 

However, we will always recommend a service as a secondary option. For starters, they can be quite expensive. Some specialist services charge up to hundreds of dollars for their expertise. Another challenge is the waiting time involved. While you will not have to wait for a MalCare emergency cleanup, this is not the case with other services. There is a lot of demand for their expertise, and they are often preoccupied by other clients. This can leave your website vulnerable to further attacks while you await their help.

This is why it is advisable to resort to professional help only as a last resort. But, if you do opt for this route, it is crucial to choose a reputable and experienced specialist. MalCare has a great team that prides itself on quick and complete malware removal. So, even if you can’t install the plugin, you can reach out to our team for support.

3. Manually remove malware (NOT RECOMMENDED)

Manual malware removal is the riskiest way to get rid of the malware. It’s a difficult and time-consuming process that requires a lot of technical knowledge. There’s also always a chance that some hidden malware is left behind, or the site breaks if a mistake is made.

Over and above that, there are many steps involved in manual malware removal.

1. Backup your website: Before you start cleaning up the malware, make sure to create a full backup of your WordPress files. This backup will come in handy if anything goes wrong and you need to restore your website.

2. Download clean versions of WordPress core, themes, and plugins: Check the versions of WordPress, themes, and plugins installed on your site. Download the clean versions of these components from trusted sources.

3. Check PHP files: The favicon virus is often split between malicious code in PHP files and favicon files. Look for php files with odd filenames that may not make sense in the context of a directory. On opening them up, you may notice some @include statements that use hexadecimal characters to hide their function. Use a decoder to understand which files they point to. If it is indeed malware, the code often includes a .ico extension with random names. The .ico files will then contain obfuscated PHP code.

Apart from odd-looking PHP files, also check all core PHP files, like the wp-config.php and index.php files, for example. The image below is an example of an infected wp-config.php file.

4. Look for .ico files containing obscure code: Next, we move on to the other aspect of the malware. Again, you need to keep in mind that not all files with the .ico extension are malware. Some may be genuine icons.

Download a file you think maybe malware. Change the extension from .ico to .txt, and open it in a text editor. A genuine favicon file will be a series of numerical values, whereas a malware file will be code.

On top of that, the malicious code will rarely make sense and can be confusing. Keep an eye out for files with other extensions like .bak” or “.bak.bak” as well. 

5. Clean the core files and directories: Once you’ve identified the snippets of malicious code, remove them from the core files and reupload it to your server. If you find files with malicious code, you can delete those files altogether. But be very certain that you are indeed deleting malware. For example, not all @include statements are malicious. So it’s important to check each of them, one by one, for mentions of .ico files that contain weird code.

6. Clean theme and plugin files: Go to the wp-content folder and check each file in your themes and plugins. Compare them to fresh downloads and look for any suspicious code. Again, remember that customized files may look like discrepancies. Check online for known vulnerabilities in any of the plugins installed on your site.

7. Remove malware from WordPress database tables: Use the phpMyAdmin panel to clean malware from your WordPress database tables. Check the ‘wp_options’ and ‘wp_posts’ tables for any suspicious content, as these are commonly used to redirect unsuspecting visitors.

8. Remove all backdoors: Deleting the malicious files alone is not enough to remove the malware from your website. You must also find and remove the backdoor that allowed the malware to enter in the first place. These malware scripts can be nearly impossible to find. But, if you don’t remove them, the hacker still has access to your site even after malware deletion. Backdoors can also be in CSS or JavaScript folders and often contain weird file names.

Search for and delete common backdoor keywords such as “eval” and “preg_replace.” Again, we advise caution here. Although these functions are rarely used for legitimate purposes, they are in fact legitimate functions themselves. Use judgment when cleaning them out. 

9. Re-upload cleaned files: After you have completed the cleanup process, upload the files back to your website using cPanel or FTP/SFTP.

10. Clear the cache: After removing malware, clear the WordPress caches. This step helps in removing any cached files that might contain the malware.

11. Verify each plugin and theme: Disable all your plugins and themes, and then reactivate them one by one. Check for any changes or issues on your website that could be caused by vulnerabilities. This step helps you identify any plugins or themes that may still be compromised.

12. Check subdomains and nested WordPress installations: Repeat the same process for subdomains and second WordPress installations. This may not apply to you but if it does, it’s important to remove any malware code from every directory. Even if one malware file remain, it will reinfect your entire site again.

13. Use a security scanner for confirmation: Scan your website again using a security plugin like MalCare. This will reassure you that all traces of malware from your site are gone from your site.

Post hack checklist

In this section, we will outline the essential steps to take after a favicon hack. We will dive into why they help and how to handle the aftermath of a hack.  

• Check your list of users: After a website breach, it is essential to conduct a thorough review of user accounts to verify their legitimacy. Delete any suspicious or unauthorized accounts that may have been created by the hacker. By doing so, you reduce the risk of further unauthorized access and potential misuse of your website’s resources or data.
• Get your website removed from the Google blacklist: This may not be relevant to you but if you find that your site has been blacklisted, submit your sitemap. Then, request a review to have your website removed from the blacklist. This step helps protect your website’s traffic and reputation.
• Get in touch with customers: Favicon virus is a type of redirect hack. Your customers may have had an unusual experience and been sent to spam sites or sites that sell illegal things. It’s important to proactively reach out and address their doubts. This can also help rebuild some of their trust. 
• Change access passwords to the admin panel, SSH, FTP, etc.: Changing passwords is a crucial step in regaining control of your website’s administration and securing sensitive areas. This includes passwords for the admin panel, SSH (Secure Shell), FTP (File Transfer Protocol), and any other relevant access points. Use strong, unique passwords that combine uppercase and lowercase letters, numbers, and symbols. By doing so, you prevent unauthorized access and limit the potential for future breaches.
• Check the file permissions on your site and tighten them: File permissions dictate who can access, modify, or execute files on your website. After a hack, it is essential to review and adjust file permissions to minimize the risk of unauthorized modifications or exploits. Ensure that sensitive files and directories have restrictive permissions, limiting access only to those who require it. By implementing stricter file permissions, you enhance your website’s security and make it more challenging for attackers to manipulate or compromise your files.

Prevent the favicon.ico malware from reinfecting your website

Hackers often exploit vulnerabilities found in plugins, themes, and even in the WordPress core itself, although that is much rarer. By taking proactive measures, you can reduce the effort and time it takes to clear the malware with a range of preventative methods that you can put in place.

• Install a security plugin with an integrated firewall: We recommend MalCare for its comprehensive security features. It offers a real-time firewall that is reliable and can block sophisticated malware. It will not slow down your site and offers additional features like login protection and bot protection.

• Keep everything updated: Updates often include security patches that address vulnerabilities. So it’s important to update all components of your website, including plugins, themes, and the WordPress core itself. This can minimize the risk of potential exploits that hackers could leverage.
• Avoid installing nulled software: Refrain from using nulled or pirated software. Nulled software versions can contain hidden backdoors or malware. Installing such software puts your website at significant risk of compromise. Instead, rely on legitimate and licensed software options to ensure the integrity of your site.

• Opt for premium software when possible: Whenever feasible, choose premium or paid software solutions over free alternatives. Free plugins and themes may lack regular maintenance and updates. Premium software often comes with dedicated support, regular updates, and better security features.
• Use an activity log to monitor user activity: Implement an activity log plugin to keep track of user actions and monitor site activity. Unexpected user accounts or unusual activity patterns can be early indicators of a hacked site.

• Backup your site regularly: Establish a routine backup system to regularly create copies of your website’s files and databases. Having up-to-date backups allows you to restore your website in case of a crash caused due to malware, minimizing downtime and potential data loss.

Impact of the favicon virus

The favicon virus can have a significant impact on the overall functionality and reputation of your website. 

• Loss of SEO ranking: The presence of malware on your website can lead to a loss of SEO ranking. Search engines like Google prioritize secure and trustworthy websites in their search results. If your site is infected with the favicon virus, search engines may detect the malware and penalize your site’s ranking.
• Loss of traffic and Google blacklist warnings: Malware-infected websites are often flagged by search engines and browsers. Google may blacklist your site too, showing warnings when a visitor clicks on your site in the search results. When users encounter such warnings, they are likely to avoid visiting your site altogether, fearing potential security risks. This can lead to a substantial loss of traffic as users.
• Redirects to spam sites: The favicon virus may cause your website to redirect visitors to malicious or spam sites without their consent. These unauthorized redirects erode visitor trust and credibility in your site. Users who experience such redirects may view your website as untrustworthy or compromised.
• Web host account suspension or deletion: Web hosts prioritize the security of their servers and that of other hosted websites. If your site is infected with malware, your web host may suspend your account temporarily to prevent the malware from spreading to other websites. In severe cases, the host may even delete your site outright to protect other users and maintain the overall security of their infrastructure. This can lead to a complete loss of your website and all associated resources.
• Significant resource loss: Dealing with the favicon virus and its consequences can be an arduous and resource-intensive process. You may need to invest time, effort, and potentially financial resources to clean and restore your website to a secure state. 

Final thoughts

The favicon virus is notorious for its rapid spread, elusive nature, and challenging removal process. It can quickly infect multiple files and directories on your website, making it difficult to pinpoint and eradicate. To effectively combat the favicon virus, we highly recommend utilizing a reliable security plugin like MalCare.

MalCare offers an exceptional scanning feature that detects malware and potential vulnerabilities. It also provides a powerful malware removal capability that is quick and beginner-friendly. MalCare’s robust firewall protection adds an extra layer of defense to your website’s security.

By leveraging MalCare’s comprehensive features, you can effectively combat and safeguard your website from potential threats.

FAQs

Is favicon ICO a virus?

No, a favicon ICO (Icon) file itself is not a virus. It is a standard file format used to display small icons associated with a website. However, it is possible for a favicon ICO file to be infected with malware or be used as a carrier for malicious code. It’s important to ensure that the favicon ICO file you use is not compromised.

What is the favicon ICO vulnerability?

The favicon ICO vulnerability refers to a security weakness or flaw associated with the favicon ICO file on a website. Hackers can add malicious files to your site and change the file extension to .ico to avoid detection. This vulnerability allows hackers to gain unauthorized access to your website. It’s a hard malware to find and remove completely because it hides in plain sight.

Is the ICO file safe?

ICO (Icon) files themselves are not inherently unsafe. They are commonly used to store small images or icons that represent a website or application on a browser tab. However, as with any file type, it’s essential to ensure that the ICO file you encounter is legitimate. Hackers can use the extension to hide malicious code in plain sight.

What is favicon ICO used for?

Favicon ICO files are used to display small icons associated with a website. They appear in the browser’s address bar, bookmarks, tabs, and other areas where the website’s identity is displayed. Favicon ICO files help in visually identifying and branding a website, making it easier for users to recognize and locate the site among their bookmarks or open tabs. The ICO format allows for multiple sizes and resolutions, ensuring the icon displays correctly across different devices and contexts.