10 Steps to Remove Malware from Your WordPress Site
Removing malware from a hacked WordPress site is no easy task. And now that Google is enforcing a 30-day ban on site reviews to prevent repeat offenders from distributing malware, cleaning up a hacked site thoroughly is more important than ever.
Malware Removal WordPress Plugin
I highly recommend the plugin for MalCare by the creators of BlogVault. They have a free and paid version of both. This is the most affordable and quick way to remove Malware from your site if you can access your WordPress Dashboard and install a plugin. Just $99/year is the paid version, which is a bargain compared to other similar services. You then get access to the security expertise of MalCare. This link can be used for 10% of your first year off: https://malcare.com/womeninwpp
What I like about the MalCare plugin:
- All scanning takes place on their cloud servers, so there is no impact to the performance of your site.
- There are no configuration options. Install and activate, and it immediately blocks brute-force attacks, sets up a firewall, and copies your site encrypted to their servers for regular scanning.
- One-click malware clean up with ability to restore if something goes wrong.
- Deep scanning of files and database with robust algorithm for finding complex malware.
- Very few if any false positives.
Please try it out and let me know how it works for you in the comments below.
WordPress Malware Removal Services
If you can’t access your WordPress admin due to the hack, I highly recommend using a professional to clean the site. Jim Walker, the Hack Repair Guy, along with Sucuri, who has a great knowledge base of research on website security, vulnerabilities, vectors, and more, is the person I most often refer people to. I referred many people to Jim, and all of them were quite happy with his thoroughness.
If you are going to attempt to clean the site yourself, here are steps I recommend:
Steps to Remove Malware from WordPress Site
Step 1: Backup the Site Files and Database
Backup the entire site if you can use the snapshot feature of the web host’s site. This will be your entire server’s most thorough backup. It could be quite large, however, so be prepared for the download to take time.
If you can login well, use a WordPress backup plugin. The hackers may have compromised the database if you can’t log on to the website, in which case you may want to use one of the professionals I mentioned above.
Using these steps, make a separate, extra backup of the database.
To export an XML file of all your content, also use Tools > Export if you can login.
Perhaps some sites are quite large. The upload file itself may be over 1 GB in size. As it contains all your uploads, the wp-content folder is the most important folder on your server. If you can’t run a backup plugin and your web host doesn’t have a “snapshots” feature, then you can make a zip archive of your wp-content folder using the web host’s File Manager and then download that zip file.
If you have multiple WordPress installations on the server, you’ll want to back up each one of them.
Note about the .htaccess file: Make a backup and download the .htaccess file. This is an invisible file, so you can only see it in the File Manager of your web host if you choose to display invisible files when you start the File Manager. To delete the period at the beginning, rename this file so you can see it on your computer, otherwise it will be invisible on your computer as well. Download it then. If it contains content you’ll need to copy back to your clean site, you may need a backup of the .htaccess file. Some hosts use the .htaccess for determining the PHP version you are using, so the site will not work correctly without that. In their .htaccess file, some individuals placed 301 SEO redirects. It could also have hacked the .htaccess file, so you’ll want to examine it later.
Step 2: Download and Examine the Backup Files
Download the backup to your computer once the site is backed up, then double-click the zip file to open it. Should you see:
- All the files for WordPress Core. You can download WordPress from WordPress.org and then check the downloaded files and match them with your own. You’re not really going to need these files, but you might want them later for your hacking investigation.
- A file for wp-config.php. This is important as it contains the name, username, and password to your WordPress database which we will use in the restore process.
- File: .htaccess. It’ll be invisible here. The only way to know if you have backed up this is to use an FTP program (like FileZilla) or code editing application (like Brackets) to view your backup folder that allows you to view invisible files (check the Show Hidden Files option) inside the application interface.
- The folder for wp-content. You should see at least three folders within the wp-content folder: themes, uploads, and plugins. Check out these folders. Do you see your theme, plugins, and uploaded images? If so, then that’s a good sign that you’ve got a good site backup. Usually, this is the only mission-critical folder you need to restore
- your site to (in addition to the database).
- About the database. You should have a SQL file, which is a database export. In this process, we are not going to delete the database, but it’s good to have a backup.
Step 3: Delete All the Files in the public_html folder
Using the web host’s File Manager, delete all the files in your public html folder (except the cgi-bin folder and any server related folders that are clearly free of hacked files) after you have verified that you have a good and complete backup of your site. The File Manager is recommended because it’s much quicker than deleting files via FTP. If SSH is comfortable for you, then that will be quick as well. Be sure to view invisible files to delete any .htaccess files that are compromised as well.
If you have other sites on the same account that you host, you can assume that they have all been compromised as well. Cross-infection is prevalent. You need to clean ALL the sites, so back up all of them, download the backups, and for each one, do the following steps. I know this sounds severe, but, seriously, it’s absolutely onerous to try to scan for and find all the hacked files on a server. Just make sure each of your backups is complete. And don’t just clean one website and then clean the other leisurely as in the time it takes you to clean one, then other that is still infected can re-infect the one you just cleaned. Like the bubonic plague, treat it.
Step 4: Reinstall WordPress
Reinstall WordPress in the public html directory using the one-click installer in your web hosting control panel if this was the original location of the WordPress installation, or in the subdirectory if WordPress was installed in the add-on domain.
Referencing your site backup, edit the newly installed WordPress wp-config.php file to use the database credentials of your former site. This will connect the installation of the new WordPress to the old database. I don’t suggest that you re-upload your old wp-config.php file because the new one will have new salts of login encryption and will definitely be free of any hacked code.
Step 5: Reset Passwords and Permalinks
Log in and reset all user names and passwords on your site. Your database has been compromised when you see any users you do not recognize, and you need to contact a professional to make sure that no unwanted code has been left in your database. If you want to kill your old database and start fresh, I do have a Nuke it From Orbit blog post you can read. It’s a bit more of a job, but it really makes sure you have a clean place.
Go to Settings > Permalinks and click Save Changes. This will restore the .htaccess file, so that the URLs of your site will work again. Be sure that you showed invisible files when you deleted files on your server, so you did not leave any hacked .htaccess files behind. .htaccess is an invisible file that controls a lot of server things and can be hacked to maliciously redirect individuals to other sites from your site.
Make sure to also restore all FTP and hosting account passwords.
Step 6: Reinstall Plugins
Reinstall all your WordPress repository plugins or fresh downloads from the developer of the premium plugin. Do not install old plugins. Do not install plugins which are not maintained anymore.
Step 7: Reinstall Themes
From a new download, reinstall your theme. Referencing your backup files and replicating the changes to the new copy of the theme if you have customized your theme files. Do not upload an old theme, as you may not know which files were hacked.
Step 8: Upload Your Images from the Backup
Step 9: Scan Your Computer
Scan your own computer for viruses, trojans, and malware.
Step 10: Install and Run Security Plugins
Install and activate iControlWP’s WordPress Security plugin for Shield. Through all its settings, check. To keep track of all activities on the site, I would recommend running the Audit feature for a few months.
Run the Security and Brute-Force Firewall of Anti-Malware and scan the site thoroughly. To make sure you do not miss anything, scan the site with Sucuri’s Sitecheck. You don’t need to run two firewall plugins, so after you have verified the clean site, de-activate the Anti-Malware plugin. In the future, Shield will notify you if any core files have changed.
Quick and Dirty Hack Repair to Remove Malware from WordPress Site
Sucuri has a great step-by-step guide for hack removal that includes details on how to use the Sucuri plugin to facilitate the process above. Sucuri’s plugin has some great Post Hack features, including:
- a core file scan
- quick access to error logs
- tool to reset all user passwords
- ability to automatically reinstall all free plugins
- ability to reset encryption salts
What you could do if you want to simplify the hack recovery process above is:
- To scan core files and replace/delete those that have been modified or are not included, use the Sucuri plugin.
- To replace all free plugins, reset user passwords, reset encryption salts, use the Sucuri Plugin Post Hack tab and Site Audit tab.
- Premium plugins re-upload.
- Review the contents with a fine-tooth comb of every folder in the wp-content folder (except the individual
- plugin folders which you would have replaced in step 2 above).
- Carefully assess each and every theme file.
- Delete themes and plugins that are unused.
- Carefully comb through your folder for uploads.
- Review your .htaccess file manually and any other files left in the public html folder that you have not replaced.
The aim of my slash and burn strategy is that if they don’t methodically and consciously choose what to upload back to the server, many people inadvertently leave hacked files behind. If you are, however, very detailed and very familiar with your WordPress files and what they should look like (for example, you are familiar with how to customize themes and what theme code should look like), you can use this simplified approach to clean up a hack
Finding the cause of the hack
It can be tricky to find the cause of a WordPress hack if you are not a professional, but if you have an eagle eye, it is certainly not beyond your reach. Check out this post on common WordPress hacks by Smashing Magazine. You can more easily narrow down why it happened once you have identified the type of hack you encountered. The WHY is not as important as the cleanup in many instances, but can be important if the cause came from your own machine.
Also, if you reinstall the same vulnerable plugin or theme and are not aware that this is why your site has been hacked, the site will be re-hacked quite quickly. So knowing the cause is more about making you aware of not repeating the same mistakes after all the effort you have made to clean things up.
If you want to go deeper into the cause of the hack, do the following:
- Inspect your backup for hacked files. They will have odd names and stand out from the other files in your WordPress install or may have recent modified dates. If you open these files in a code editor like Dreamweaver, TextWrangler, BBEdit, Coda, etc., you may notice quite quickly by way of the color coding of the code or the huge amount of code that something is odd. See screenshots below.
- Do a Google search on specific phrases, included files, or file names. Sometimes it might just be the name of a div class you find in the hacked code as on my client’s hacked site.
- Examine the Raw Access Logs on the hosting cPanel to find out what files the hackers were accessing (look for POST statements in the log files). This will be a clue as to what exactly was compromised and when. You can look up the IP address accessing these files to find out where the hacker was coming from.
- Most hacks are caused by old plugins and themes, so look up the plugins you used on your hacked site and see if maybe the site was compromised due to an older version of Gravity Forms, Revolution Slider, timthumb.php script in a theme or plugin, etc. Many sites are hacked through common, known vulnerabilities. It’s all low hanging fruit for hackers.
- Search the database for hidden admin users and other potential hacked content. Sucuri has a great tips on how to scan your database for hidden malicious code. If you do try to modify your database, back it up like 3x first!
Monitoring your site
Stay on top of notices from Google Search Console as well as any error logs that you find on the server after cleaning up. To track any user accessing files on the site, especially POST requests, you can look into your Raw Access Logs on the server. If this is not enabled, the archiving of Access logs can be turned on in your cPanel.