If your WordPress site is redirecting visitors to suspicious ads or you have found gsyndication.com scripts injected into your wp-config.php, your server has been compromised by the GSyndication malware. This guide walks you through the complete removal process — from identifying the infection to hardening your server so it does not come back.

I have cleaned this malware from multiple client WordPress sites. What makes GSyndication particularly dangerous is that it operates at the server level, not just the WordPress level — meaning popular security plugins like Wordfence or Sucuri often miss it entirely.

What Is GSyndication Malware?

GSyndication is a server-level WordPress malware that injects a malicious JavaScript tag into your site by modifying wp-config.php. The injected script loads from sync.gsyndication.com, which serves unwanted advertisements, redirects visitors to spam pages, and can potentially steal user data.

The malware is sophisticated because it uses base64-encoded PHP and selectively targets only front-end visitors — it avoids the WordPress admin panel, REST API, and AJAX requests to stay hidden from site administrators.

How to Know If Your Site Is Infected

Check for these symptoms:

  • Unexpected ad popups or redirects on your site (often only visible to logged-out visitors)
  • Google Search Console warnings about malicious content or social engineering
  • Base64-encoded code at the top of your wp-config.php file
  • Unknown processes named watchdogd or defunct running on your server
  • Suspicious cron jobs you did not create

Run this quick check via SSH:

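grep -l "gsyndication" /path/to/your/wp-config.php
# [w]/[d] keep grep from matching its own command line. Ordinary zombie
# processes print "<defunct>" and Linux has a kernel thread shown as
# "[watchdogd]", so check the command name and owner of each match.
ps aux | grep -E "[w]atchdogd|[d]efunct"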
crontab -l

How GSyndication Infects Your Server

The malware typically gains initial access through one of three vectors:

  1. Vulnerable plugins or themes — outdated or nulled plugins with known exploits
  2. Compromised credentials — weak passwords on SSH, SFTP, or WordPress admin
  3. Outdated WordPress core — unpatched security vulnerabilities

Once inside, it establishes multiple persistence layers that make it extremely difficult to remove with a simple file cleanup:

  • System-level processes (watchdogd, defunct) that continuously reinfect files
  • Hidden cron jobs that re-inject the malicious code on a schedule
  • Backdoor files in .bashrc, .profile, and ~/.config/htop/defunct.dat

This is why many people report the malware coming back minutes after they clean wp-config.php — the persistence mechanism re-triggers the injection.

Step-by-Step Removal Guide

Important: Do all of this over SSH. Do not rely on file manager panels or FTP — you need shell access to find and kill the hidden processes.

Step 1: Kill Malicious Processes

First, stop the reinfection loop by finding and killing the malware processes:

# Find suspicious processes ([w]/[d] stops grep from listing itself)
ps aux | grep -E "[w]atchdogd|[d]efunct"

# Kill them by PID
kill -9 [PID]

# Verify they are gone
ps aux | grep -E "[w]atchdogd|[d]efunct"

If the processes respawn immediately, check for a parent process and kill that first.

Step 2: Remove Hidden Backdoor Files

Search the server for malware persistence files:

# Find hidden malware components
find / -name "defunct" -o -name "defunct.dat" 2>/dev/null

# Check shell config files for base64-encoded commands
cat ~/.bashrc
cat ~/.profile
cat ~/.bash_profile

# Remove the htop disguise directory
rm -rf ~/.config/htop

Look for any base64-encoded strings in .bashrc and .profile. Legitimate shell configs do not contain base64 blobs. Remove any suspicious lines.

Step 3: Clean Malicious Cron Jobs

# List current cron jobs
crontab -l

# Edit and remove suspicious entries
crontab -e

# Also check system-wide cron
ls -la /etc/cron.d/
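cat /etc/crontab

# crontab -l only shows the current user; as root, also check other accounts,
# e.g. the web server user
crontab -u www-data -l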

Step 4: Clean wp-config.php

Now that the reinfection mechanism is disabled, clean the actual injected code:

# Backup current infected file for analysis
cp wp-config.php wp-config.php.infected

# Option A: Restore from a known clean backup
cp /path/to/backup/wp-config.php wp-config.php

# Option B: Manually remove the injected code
# Open wp-config.php and remove any base64_decode blocks
# or script tags referencing gsyndication.com

Verify the cleanup:

grep -i "gsyndication\|base64_decode\|eval(" wp-config.php

This should return no results if the file is clean.

Step 5: Scan for Other Infected Files

The malware may have infected other PHP files in your WordPress installation:

# Search for gsyndication references across all files
grep -rl "gsyndication" /path/to/wordpress/

# Search for suspicious base64 and eval patterns
grep -rl "base64_decode.*eval\|eval.*base64_decode" /path/to/wordpress/ --include="*.php"

# Check WordPress core integrity
wp core verify-checksums
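
The quick check and the searches in Steps 2 to 5 can be run as one read-only pass. The script below is an added example, not part of the original guide: the triage function, its TAG: prefixes, and the 60-character base64 threshold are assumptions, while the file paths and search patterns are the ones listed above.

```shell
#!/bin/sh
# Added example, not part of the original guide. Read-only triage of the
# indicators named in this article. The 60-character threshold for a
# "base64-looking" run is an assumption; tune it for your environment.
B64='base64[[:space:]]+(-d|--decode)|[A-Za-z0-9+/]{60,}={0,2}'

# triage WP_DIR HOME_DIR [CRON_FILE]
#   CRON_FILE is saved crontab text, e.g. from: crontab -l > /tmp/cron.txt
# Prints one "TAG: detail" line per finding. Returns 0 if clean, 1 otherwise.
triage() {
    wp=$1; home=$2; cron=${3:-/dev/null}
    findings=$(
        # The htop-disguised backdoor file
        if [ -e "$home/.config/htop/defunct.dat" ]; then
            printf 'BACKDOOR: %s\n' "$home/.config/htop/defunct.dat"
        fi
        # Base64 decoding or long encoded runs in shell startup files
        for rc in .bashrc .profile .bash_profile; do
            if [ -f "$home/$rc" ]; then
                grep -nE "$B64" "$home/$rc" | sed "s|^|SHELLRC: $rc:|"
            fi
        done
        # Injected loader or encoded PHP in wp-config.php
        grep -nEi 'gsyndication|base64_decode|eval[[:space:]]*\(' \
            "$wp/wp-config.php" 2>/dev/null | sed 's/^/WPCONFIG: /'
        # Cron entries that name the known processes or decode base64
        grep -nE "watchdogd|defunct|gsyndication|$B64" "$cron" 2>/dev/null |
            sed 's/^/CRON: /'
    )
    [ -z "$findings" ] && return 0
    printf '%s\n' "$findings"
    return 1
}

# Stand-alone use: sh triage.sh /path/to/wordpress "$HOME" /tmp/cron.txt
if [ "$#" -ge 2 ]; then
    triage "$@"
fi
```

The base64 pattern is a heuristic, so review each reported line before deleting anything; run it once per account whose home directory and crontab you want to inspect.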

Hardening Your Server After Cleanup

Removing the malware is only half the job. You must harden the server to prevent reinfection.

1. Lock Down wp-config.php Permissions

chmod 440 wp-config.php
chown root:www-data wp-config.php

2. Reset All Credentials

  • WordPress admin passwords
  • Database password (update in wp-config.php)
  • SSH/SFTP passwords and keys
  • Hosting panel credentials
  • WordPress salts — regenerate at https://api.wordpress.org/secret-key/1.1/salt/

3. Disable Dangerous PHP Functions

Add to your php.ini:

disable_functions = exec,shell_exec,system,passthru,popen,proc_open

Note: Test thoroughly after this change. Some legitimate plugins and WP-CLI need these functions. You may need to allow them selectively for CLI usage while disabling for web requests.

4. Update Everything

wp core update
wp plugin update --all
wp theme update --all

5. Set Up File Integrity Monitoring

  • Install a file integrity monitoring tool (OSSEC or Tripwire) or a malware scanner (ClamAV)
  • Set up a cron job to check wp-config.php hash daily
  • Enable WordPress audit logging
  • Monitor server processes for suspicious activity

A simple monitoring script:

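# Create the baseline once, right after cleanup:
#   md5sum /path/to/wp-config.php > /path/to/wp-config.md5
# Add to crontab - checks wp-config.php integrity every hour
0 * * * * md5sum /path/to/wp-config.php | diff /path/to/wp-config.md5 - || mail -s "wp-config.php modified" you@email.com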
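
The one-line check above can be extended to the persistence locations as well. This added example (not from the original guide) uses SHA-256 and records files that do not exist yet, so a backdoor appearing later at ~/.config/htop/defunct.dat is reported as a change; the function names and the init/check interface are assumptions.

```shell
#!/bin/sh
# Added example, not part of the original guide. Hash baseline for
# wp-config.php plus the shell startup files and backdoor path named above.

# snapshot PATH... -> one "<sha256-or-ABSENT>  <path>" line per path
snapshot() {
    for f in "$@"; do
        if [ -f "$f" ]; then
            printf '%s  %s\n' "$(sha256sum < "$f" | cut -d' ' -f1)" "$f"
        else
            # Record absence so a file that appears later shows up as a change
            printf 'ABSENT  %s\n' "$f"
        fi
    done
}

# fim_check BASELINE PATH... -> prints changed paths; returns 1 if any changed
fim_check() {
    baseline=$1; shift
    # diff marks lines from the fresh snapshot with "> "; keep only the path
    changed=$(snapshot "$@" | diff "$baseline" - | sed -n 's/^> [^ ]*  //p')
    [ -z "$changed" ] && return 0
    printf '%s\n' "$changed"
    return 1
}

# Stand-alone use (same PATH list, in the same order, for both calls):
#   sh fim.sh init  BASELINE PATH...   once, right after cleanup
#   sh fim.sh check BASELINE PATH...   from cron; non-zero exit on change
case "${1:-}" in
    init)  b=$2; shift 2; snapshot "$@" > "$b" ;;
    check) shift; fim_check "$@" ;;
esac
```

Keep the baseline file somewhere the web server user cannot write, otherwise whatever rewrites wp-config.php can rewrite the baseline too.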

Why Security Plugins Miss This Malware

Standard WordPress security plugins like Wordfence, Sucuri, and iThemes Security operate within the PHP runtime environment. GSyndication malware plants its persistence mechanisms outside the WordPress document root — in system-level shell configs, cron jobs, and background processes.

These plugins can detect the injected code in wp-config.php, but they cannot kill system processes or clean shell configuration files. That is why SSH access and server-level scanning are required for complete removal.

Key Takeaways

  • GSyndication is a server-level malware, not just a WordPress plugin infection
  • Always kill the persistence processes before cleaning wp-config.php
  • Check .bashrc, .profile, cron jobs, and ~/.config/htop/ for backdoors
  • Reset all credentials and regenerate WordPress salts after cleanup
  • Set wp-config.php to read-only (440) to prevent reinjection
  • WordPress security plugins alone are not sufficient — you need server-level access

If you are dealing with a persistent GSyndication infection and need professional help, feel free to get in touch. I have hands-on experience removing this specific malware from WordPress servers.