How to Remove Malware & Clean a Hacked WordPress Site


Introduction

For years, WordPress Experts have been committed to assisting WordPress administrators in detecting and resolving their hacked websites. In order to guide WordPress owners through the process of recognizing and removing a WordPress hack, we have compiled this guide. Although this guide does not cover all possible scenarios, if carefully followed, it should assist in resolving many of the infections we commonly encounter.

Why do WordPress Sites Get Hacked?

With over 40% of websites on the internet employing WordPress as their Content Management System, it has become the most popular CMS. Unfortunately, this popularity makes it an attractive target for cyber attackers who employ a variety of techniques, ranging from spam injections to complex credit card theft schemes, to compromise WordPress websites.

Here are a few common reasons why a website might be hacked.

1. Vulnerable CMS, Plugins, or Themes

Compromising websites through vulnerabilities in CMS and third-party components is a common tactic employed by attackers. Automated attacks that specifically target known website vulnerabilities are a major contributor to website breaches. To prevent such attacks, it is crucial to regularly update your CMS and third-party components with the latest patches.

2. Weak Passwords

In order to gain unauthorized access to a website, brute force attacks rely on guessing thousands of login combinations. If your website or database is using weak or easily guessable credentials, you are at a higher risk of becoming a victim of a brute force attack. This is particularly true if you do not have a website firewall in place to prevent such attacks.

3. Incorrect File Permissions

Your web server uses file permission rules to regulate access to website files. If those permissions are excessively lenient, it becomes easy for an attacker to tamper with the files.

Signs That Your WordPress Site Is Hacked

Are there indications that your website has been compromised? Keep an eye out for a few clear signs and symptoms.

1. You can’t log in to your admin panel.

In some cases, hackers may delete user accounts or alter passwords to block access to a compromised website. If you’re unable to regain entry to your user account, it’s possible that it has been removed from WordPress. We recommend attempting a password reset as a first step.

2. Your security plugin or file integrity monitoring has notified you of an unexpected change in your environment or website files.

If alterations to fundamental system files have been detected or if your security plugin has alerted you of unanticipated file modifications, it indicates that your website files may have been tampered with by an attacker to dispatch spam emails, establish website backdoors, or execute malevolent code.

The emergence of any novel files that possess dubious names or server-side scripts located in upload directories is a significant warning that your website’s security may have been breached.

3. Your hosting provider has contacted you with notifications about unusual account activity or has disabled your website.

Frequently, hosting companies conduct routine scans and audits to detect any instances of malicious activity or malware, and in shared hosting environments, they may deactivate websites with identified problems to avoid spreading them to other sites.

4. Browser warnings are served to you or your site visitors when attempting to access the website.

If you receive a warning message from Google Chrome or any other browser while browsing your website, it is likely that your site has been hacked. This could also suggest that your site has been added to the blacklist of a recognized authority, such as Google Safe Browsing.

5. Google Search Console displays a warning message stating your site’s been hacked or is serving malware.

Whenever a website linked to Google Search Console is compromised, Google sends notifications to the site owners. These notifications contain significant details regarding the detection of spam content or harmful code on the site, providing valuable information to the owners.

6. When you search for your domain, a warning message is displayed.

Popular search engines such as Google and Bing issue cautionary alerts to users to minimize potential threats and safeguard them against websites hosting malware or phishing schemes. If you encounter warning notifications concerning fraudulent or hazardous sites during your search for your domain, it’s probable that your WordPress website has been compromised.

7. There’s strange looking JavaScript in your website code.

Malware perpetrators frequently employ obfuscation methods, formatting, and code comments to hide their malicious code. With just a tiny piece of malevolent JavaScript, they can acquire sensitive information such as credit card details or passwords from a compromised website.

8. Your website is redirecting somewhere else.

A common tactic used by attackers is to inject harmful redirects into your website, redirecting its traffic to their spam or advertisement pages, with the aim of improving their own website’s search engine optimization (SEO) and diverting your visitors to their domains. If you or your site visitors are unexpectedly directed to a spam landing page instead of your intended destination, it’s probable that your website has been compromised by a malicious redirect.

Steps To WordPress Malware Removal

If your WordPress website has been hacked, there are a number of crucial actions you should take. No matter how your WordPress site was breached, the following are some essential steps to take in order to recover your site as quickly as possible.

Step 1 - Find & Identify A WordPress Hack

1.1 Scan Your WordPress Site

Sucuri SiteCheck provides a free malware scan for WordPress sites.

To find Google search results for a specific domain, use the “site:” operator followed by the domain name (e.g., site:example.com) within Google’s search engine. Take a look at the search results to see if they could be relevant to your website’s code, but exercise caution if you don’t trust the domain. For instance, you can examine domains employed by plugin authors, theme authors, and so on. Refrain from clicking on any results if you have doubts about their authenticity.

With URLScan.io, you can retrieve a wealth of information about a website by searching for its URL results. This includes details on the site’s hosting location, the nature of its requests, and its overall behavior, all without having to access it directly.

Utilize VirusTotal to investigate a domain for potential issues by using their free blocklist vendor checker.

1.2 Check Core WordPress File Integrity

A WordPress installation consists of numerous core files that remain unchanged across versions. It’s crucial to note that most core files in WordPress should not be altered. The webroot contains some core files, as well as the directories wp-includes and wp-admin. It’s necessary to perform an integrity check to verify that none of the core files have been maliciously modified.

There are a few different ways to manually check if core files have been modified on a CMS based website.

How to compare two text files with Diffchecker:

  • Visit the Diffchecker website.
  • Paste the clean core file text in the Original Text box.
  • Paste the modified core file text in the Changed Text box.
  • Select the Find Difference button towards the bottom.
  • Compare the differences in text.
  • Note down any suspicious code differences.


If you notice modifications to your core file, it may be infected. Continue checking more core files as others may have also been infected. If nothing has been modified, your core files are clean.

How to compare two files via SSH:

  1. Log into your server via SSH.
  2. Within a test directory, paste the clean core file text into a test .txt file.
  3. Within the same test directory, paste the modified core file text into a new test .txt file.
  4. Run the following command:
    $ diff test1.txt test2.txt
  5. If there are modifications, this file may be hacked.


Minor alterations to these files do not always indicate a breach, although benign changes are uncommon. The presence of obfuscated code within a core file, however, is a strong sign of something sinister. Obfuscated code is written so that it must be deciphered to be understood, and attackers frequently use it to conceal their malicious code.

If you come across obfuscated code in your files, here are some tools to help decode the content:

1.3 Check Recently Modified Files

The inclusion of new or recently updated files could indicate a potential hack. Several methods can be used to verify recently modified files, such as examining cPanel or SSH logs. Here’s a guide on using the ls command via SSH to check for recently modified files:

  1. Log into your server via SSH and navigate to your site’s home directory.
  2. Run the following command:
    $ ls -1tlah | head -10
  3. Review the most recently modified files, starting at the top.


How to check recently modified files via SSH with the find command:

  1. Log into your server via SSH and navigate to your site’s home directory.
  2. Run the following command:
    $ find . -type f -mtime -90
  3. Results will show an output with files that were modified within the last 90 days.
  4. Review these files. Unfamiliar modifications within the last 90 days may be suspicious.


How to check recently modified files from cPanel:

  1. Log into cPanel and navigate to File Manager.
  2. Navigate to your site’s home directory and click Last Modified.
  3. View files with recently modified dates, starting at the top.


How to check recently modified files with Filezilla:

  1. Open the FileZilla client and connect to your website through FTP, FTPS, or SFTP.
  2. In the top menu go to View and then select Filename filters…
  3. On the popup menu, select Edit filter rules…
  4. Select New to create a new filter.
  5. Name your new filter something you will remember, such as Date Filter.
  6. Add the filter criteria. For Filter conditions: select Filter out items matching none of the following.
  7. Select Date from the first drop down and enter the date that matches what you are looking for in the format “YYYY-MM-DD”. Uncheck the box that says Directories and select OK. For example: If today is January 15th, 2023, and you want to find files that were modified within the last 15 days, you would put 2023-01-01 in the textbox.
  8. Check the box next to your newly created filter, select Apply, and then select OK to close the window.
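The core-file comparison in 1.2 and the recently-modified check in 1.3 can be automated. The following Python script is an added example, not part of the original guide: it hashes a clean WordPress download against the live tree (skipping wp-config.php and wp-content, which are never overwritten), reports modified, missing and unknown files, and lists files changed within N days. The demo tree it builds in a temporary directory, including the file name wp-includes/wp-tmp.php, is constructed for illustration.

```python
"""Added example: compare a live WordPress tree against a clean download of the
same version, and list files touched within the last N days (sections 1.2 and 1.3)."""
import hashlib
import os
import tempfile
import time
from pathlib import Path

# Site-specific locations that never match the pristine download and must not be overwritten.
SKIP_DIRS = {"wp-content"}
SKIP_FILES = {"wp-config.php"}


def sha256_of(path: Path) -> str:
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def index_tree(root: Path) -> dict:
    """Map every file under root (minus the skipped locations) to its SHA-256."""
    result = {}
    for dirpath, dirnames, filenames in os.walk(root):
        rel_dir = Path(dirpath).relative_to(root)
        if not rel_dir.parts:            # at the webroot: do not descend into wp-content
            dirnames[:] = [d for d in dirnames if d not in SKIP_DIRS]
        for name in filenames:
            rel = (rel_dir / name).as_posix()
            if rel not in SKIP_FILES:
                result[rel] = sha256_of(root / rel)
    return result


def compare_trees(clean_root, live_root) -> dict:
    """Return modified core files, core files missing from the live site, and
    files present on the live site that the clean download does not contain."""
    clean = index_tree(Path(clean_root))
    live = index_tree(Path(live_root))
    return {
        "modified": sorted(p for p in clean if p in live and clean[p] != live[p]),
        "missing": sorted(p for p in clean if p not in live),
        # Unknown files inside wp-admin/ or wp-includes/ are prime backdoor candidates;
        # webroot extras such as .htaccess are normal and only need a look.
        "extra": sorted(p for p in live if p not in clean),
    }


def recently_modified(root, days: int) -> list:
    """Equivalent of `find . -type f -mtime -<days>`: files changed in the last N days."""
    cutoff = time.time() - days * 86400
    root = Path(root)
    return sorted(p.relative_to(root).as_posix()
                  for p in root.rglob("*") if p.is_file() and p.stat().st_mtime > cutoff)


def build_demo() -> dict:
    """Construct a tiny clean tree and a tampered live tree in a temp dir, then compare them."""
    base = Path(tempfile.mkdtemp())
    clean, live = base / "clean", base / "live"
    core = {"index.php": "<?php require 'wp-blog-header.php';\n",
            "wp-includes/version.php": "<?php $wp_version = '6.2';\n"}
    for root in (clean, live):
        for rel, body in core.items():
            (root / rel).parent.mkdir(parents=True, exist_ok=True)
            (root / rel).write_text(body)
    # The live site also has site-specific files; these are ignored by design.
    (live / "wp-config.php").write_text("<?php define('DB_NAME', 'demo');\n")
    (live / "wp-content/uploads").mkdir(parents=True)
    (live / "wp-content/uploads/photo.jpg").write_bytes(b"\xff\xd8")
    # Tamper: an appended line in a core file and an unknown file inside wp-includes
    # (the file name is constructed for the demo, not a real indicator).
    with (live / "index.php").open("a") as f:
        f.write("/* constructed: injected line */\n")
    (live / "wp-includes/wp-tmp.php").write_text("<?php /* constructed dropper */\n")
    # Backdate the untouched core file so the recency check singles out the changed ones.
    old = time.time() - 400 * 86400
    os.utime(live / "wp-includes/version.php", (old, old))
    return {"diff": compare_trees(clean, live),
            "recent": recently_modified(live, 90)}


if __name__ == "__main__":
    import json
    print(json.dumps(build_demo(), indent=2))
```

For a real site, call compare_trees() with the extracted download and the site's document root and review every path under "extra" before deleting anything.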

1.4 Check Google Diagnostic Pages

How to check your Google Transparency Report:

  1. Visit the Safe Browsing Site Status website.
  2. Enter your site URL and search.
  3. On this page you can check:
    1. Site Safety Details: Information about malicious redirects, spam and downloads.
    2. Testing Details: Most recent Google scan that found malware.


If you have added your site to any free webmaster tools, you can check their security ratings and reports for your website. If you do not already have accounts for these free monitoring tools, we highly recommend that you sign up:


How to check your website on VirusTotal:

  1. Visit the VirusTotal website
  2. Click the URL tab, enter your site URL, and search
  3. On this page you can check:
    1. Detection: Check a website blocklist status from 70+ vendors.
    2. Details: View the history and HTTP response from your site.
    3. Links: Review any outgoing links.
    4. Community: Review comments from the public about the safety of your site.

Step 2 - Remove Malware From Your WordPress Site & Database

After learning how to detect the location of malicious content, you can eliminate malware and restore the functionality of your WordPress site to its original state.

To accomplish this, you’ll need to access the WordPress file structure and database. This requires using sFTP/FTP/SSH to view your file structure, as well as having the database credentials to access your database. If you lack experience in handling database tables or editing PHP, it’s best to seek help from a professional Incident Response Team member who can completely eliminate WordPress malware.

2.1 Clean Hacked WordPress Files

A working WordPress site is made up of many files and folders, most of which are core files that are identical for a given WordPress version.

In case of a malware attack on your core files, you can manually remove the malware by acquiring a fresh installation from the official WordPress site and substituting every corrupted file with an uncontaminated copy. However, you should avoid overwriting your wp-config.php file or wp-content folder and ensure that you have a complete backup before proceeding.

How to clean hacked WordPress core files:

  1. Note down the version of your WordPress site by viewing the file wp-includes/version.php.
  2. Navigate to the official WordPress site and download the version that matches your wp-includes/version.php file.
  3. Extract the WordPress installation on your computer.
  4. Log into your file structure either through sFTP/FTP or through your hosting account.
  5. Replace each infected core file with a clean copy.


How to manually clean hacked WordPress plugin & theme files:

  1. Download a clean plugin/theme copy from a working backup, or from the official WordPress site.
  2. Extract the plugin/theme copy on your computer.
  3. Log into your file structure either through sFTP/FTP or through your hosting account.
  4. Replace the applicable plugin/theme folder within ./wp-content/plugins or ./wp-content/themes with the clean copy.
  5. Open any custom or premium files (not in the official repository) with a text editor.
  6. Remove any suspicious code from the custom files.
  7. Test to verify the site is still operational after changes.


How to clean a hacked WordPress plugin through the dashboard:

  1. Log into your WordPress dashboard and navigate to the Installed Plugins section underneath Plugins.
  2. Deactivate and delete the applicable plugins.
  3. Install & activate each plugin from the dashboard or upload a clean copy from a working backup.


Important Note: Restore a plugin or theme from a clean backup if they have been customized in any way to avoid erasing any changes you have made.

Caution: Do not replace any content within the wp-content directory or replace the wp-config.php file.

2.2 Clean Hacked Database Tables

To remove a malware infection from your WordPress database, connect to the database through your database admin panel. You can also use tools like phpMyAdmin or Adminer.

How to manually remove a malware infection from your WordPress database:

  1. Log into your database admin panel.
  2. Make a backup of the database before making changes.
  3. Search for suspicious content (i.e., spammy keywords, malicious links).
  4. Open the row that contains suspicious content.
  5. Manually remove any suspicious content.
  6. Test to verify the site is still operational after changes.
  7. Remove any database access tools you may have uploaded.


Novice users can work from the payload details reported by the malware scanner. Intermediate users may also choose to search manually for PHP functions frequently used in malicious code, such as eval, base64_decode, gzinflate, preg_replace, and str_replace.

If an administrator's password is compromised, attackers may use the account to publish spam posts on your site; these unfamiliar posts typically start appearing from a particular date.

How to move WordPress posts to the trash after a certain date:

  1. Log into your database admin panel.
  2. Make a backup of the database before making changes.
  3. Navigate to SQL Command at the top left.
  4. Note down your WordPress database prefix. wp_ is most commonly used.
  5. Note down what date the spam posts started.
  6. Run the following SQL command:
    UPDATE `wp_posts` SET `post_status` = 'trash' WHERE `post_status` = 'publish' AND `post_type` = 'post' AND `post_date` > '2018/03/08';


Please make sure to update the date in the SQL command provided above with the date when you first noticed the spam posts. For instance, in the given example, the command will remove all posts dated March 9th, 2018 or later.

It’s important to note that you should match the date format with how your dashboard displays it. You can check the date format at the top right corner of your posts section.

Please be aware that the PHP functions mentioned above are also used by plugins for legitimate purposes, so it is crucial to test any modifications thoroughly or seek assistance to avoid unintentionally damaging your website. Additionally, when working with database records, replacing data is not always straightforward, particularly in the wp_options table.

2.3 Secure WordPress User Accounts

It is common for attackers to generate harmful admin and/or FTP user accounts to regain entry into your website in the future. Therefore, it is crucial to scrutinize user account access from all conceivable entry points to your site. If a WordPress site is infected and subsequently cleaned, but the malicious admin/FTP users persist, the site is susceptible to quick re-infection.

Remove any users you do not recognize so the hackers no longer have access, including:

  • FTP Users
  • SSH Users
  • WordPress Admin
  • Users
  • Additional Database Users


How to manually remove suspicious users from WordPress:

  • Backup your site and database before proceeding.
  • Log into WordPress as an admin and click Users.
  • Find the suspicious new user accounts.
  • Hover over the suspicious user and click Delete.


If a user has content associated with it, you will be prompted with the option to keep or remove any associated content. It is recommended that you keep the content and manage it afterwards to avoid any unintentional data loss.

If you believe any of your user accounts were compromised you can reset their passwords. One of the ways to do that is using the Sucuri WordPress plugin.

We recommend assigning only one admin user and giving other user roles the least privilege they need (i.e., contributor, author, or editor).

Note: Certain malware infections will add malicious email accounts if available on a hosting platform. (For example, the Anonymous Fox infection.) Log into your hosting account and view the Email Accounts if applicable. Remove any users you do not recognize.

2.4 Remove Hidden Backdoors In Your WordPress Site

Hackers always leave a way to get back into your site. More often than not, we find multiple backdoors of various types in hacked WordPress sites.

Often backdoors are embedded in files named similar to WordPress core files but located in the wrong directories. Attackers can also inject backdoors into files like wp-config.php and directories like wp-content/themes, wp-content/plugins, and wp-content/uploads.

Backdoors commonly include the following PHP functions:

  • base64_decode
  • str_rot13
  • gzuncompress
  • eval
  • exec
  • system
  • assert
  • stripslashes
  • preg_replace (with the /e modifier)
  • move_uploaded_file


Make sure to thoroughly test any changes as these functions may be legitimately utilized by plugins. Failure to remove all malicious code or removing benign functions could result in breaking your site.
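As an added example (not code from the original guide), the following Python scanner looks for the functions listed above and in 2.2 in PHP source, flags preg_replace patterns carrying the /e modifier and long base64 literals, and rates a line "high" when an execution function and decoded input appear together. The PHP sample it scans is constructed; the run of "A" characters stands in for an encoded payload, and the single-function hit is deliberately a legitimate use that only warrants review.

```python
"""Added example: flag PHP lines that use the functions the guide associates with
backdoors and injected code, with a severity that separates review items from
the classic execute-decoded-payload shape."""
import re
from pathlib import Path

# Functions that execute code: dangerous when fed decoded or user-supplied input.
EXEC_FUNCS = {"eval", "assert", "exec", "system", "move_uploaded_file"}
# Functions that unwrap encoded or escaped payloads.
DECODE_FUNCS = {"base64_decode", "gzinflate", "gzuncompress", "str_rot13", "stripslashes"}
CALL_RE = re.compile(r"\b(" + "|".join(sorted(EXEC_FUNCS | DECODE_FUNCS)) + r")\s*\(", re.I)
# preg_replace(pattern, ...): capture the quoted pattern so its modifiers can be inspected.
PREG_RE = re.compile(r"""\bpreg_replace\s*\(\s*(['"])(.+?)\1""", re.I)
# A long run of base64 alphabet inside quotes: typical of an encoded payload.
B64_RE = re.compile(r"""['"][A-Za-z0-9+/]{80,}={0,2}['"]""")


def has_e_modifier(pattern: str) -> bool:
    """True if a PCRE pattern such as '/.../e' carries the /e (eval) modifier."""
    if not pattern:
        return False
    delim = pattern[0]
    close = pattern.rfind(delim)
    return close > 0 and "e" in pattern[close + 1:]


def scan_php(source: str) -> list:
    """Return [{'line': n, 'severity': 'high' | 'review', 'hits': [...]}, ...]."""
    findings = []
    for lineno, line in enumerate(source.splitlines(), 1):
        hits = [m.group(1).lower() for m in CALL_RE.finditer(line)]
        for m in PREG_RE.finditer(line):
            if has_e_modifier(m.group(2)):
                hits.append("preg_replace/e")
        if B64_RE.search(line):
            hits.append("long-base64-literal")
        if not hits:
            continue
        execs = any(h in EXEC_FUNCS or h == "preg_replace/e" for h in hits)
        decodes = any(h in DECODE_FUNCS or h == "long-base64-literal" for h in hits)
        # Execution plus decoded input on one line is the eval(base64_decode(...)) shape;
        # the /e modifier is deprecated and almost never legitimate, so it is high on its own.
        severity = "high" if (execs and decodes) or "preg_replace/e" in hits else "review"
        findings.append({"line": lineno, "severity": severity, "hits": hits})
    return findings


def scan_tree(root) -> dict:
    """Scan every .php file below root; returns {relative_path: findings} for files with hits."""
    root = Path(root)
    report = {}
    for path in root.rglob("*.php"):
        found = scan_php(path.read_text(errors="replace"))
        if found:
            report[path.relative_to(root).as_posix()] = found
    return report


# Constructed PHP sample: one legitimate call, one encoded-payload shape, one /e pattern.
SAMPLE_PHP = "\n".join([
    "<?php",
    "// constructed sample: a listed function used legitimately",
    "$name = stripslashes($_POST['name']);",
    "// constructed sample: execution function wrapping a decoded payload, filler data",
    "eval(base64_decode('" + "A" * 96 + "'));",
    "// constructed sample: deprecated /e modifier executes the replacement",
    "$out = preg_replace(\"/.*/e\", \"strtoupper('\\\\0')\", $out);",
])

if __name__ == "__main__":
    for finding in scan_php(SAMPLE_PHP):
        print(finding)
```

Treat "review" hits as a reading list, not a delete list; the guide's warning that plugins use these functions legitimately applies to every line the scanner reports.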

In WordPress sites, the majority of malicious code detected involves some form of encoding that is used to evade detection. With the exception of premium components that use encoding for authentication protection, encoding is seldom found in the official WordPress repository.

To effectively prevent WordPress hacks, it is essential to close all backdoors. Failure to do so will result in your site being quickly reinfected.

Step 3 - Protect Your WordPress Site From Future Hacks

The concluding phase involves discovering the root causes of the security breach in your WordPress website and implementing the necessary measures to address them. Additionally, you will execute crucial procedures to bolster the security of your WordPress platform.

3.1 Update Out-Of-Date Software

One of the main culprits behind infections is the use of obsolete software, such as outdated versions of WordPress, plugins, themes, and other installed programs. To minimize the risk of vulnerabilities, it’s essential to keep track of critical patches released frequently by authors of these plugins and themes, and promptly update to the latest versions.

Update all software on your server (i.e., Apache, cPanel, PHP) to ensure that there are no security patches missing. This includes:

  • Out of date plugins
  • Out of date themes
  • Apache version
  • PHP version
  • WHM/cPanel version
  • WordPress version


It is advisable to reinstall all plugins and extensions after a hack to ensure they are functional and free of residual malware.

Note: Create a working backup before updating software, as sometimes this process can break your site.

How to update out of date software through the WordPress Dashboard:

  • Log into your WordPress dashboard and hover over Dashboard at the top left, then select Updates.
  • Update all plugins and themes.
  • Update your WordPress version, if applicable.
  • You can reinstall the WordPress version from this page to replace all core files if needed.


How to update plugins & themes manually:

  • Log into your server via SFTP or SSH.
  • Manually remove and replace plugins and themes with copies from official sources.
  • Log into WordPress as an admin and click Dashboard > Updates.
  • Apply any missing updates.
  • Open your website to verify it is operational.


Remove Unused Software

In order to minimize the number of entry points for potential attackers and keep your system organized, it’s advisable to remove any unused software from your environment. However, before taking action, double-check that the software you’re considering removing is not necessary for the proper functioning of your website.

To be on the safe side, make sure you have a working backup of your system that you can revert to in case of any issues that may arise from the removal of unused software.

Review and remove the following:

  • Unused plugins
  • Unused themes
  • Database management tools


Pro Tip: You can deactivate a plugin or theme first and test the functionality of your website before deleting unused software.

3.2 Change User Passwords

It is crucial that you modify passwords for all entry points to your WordPress website, such as WordPress user accounts, FTP/SFTP, SSH, cPanel, and your database.

It is advisable to limit the number of admin accounts for all your systems to the bare minimum. Follow the principle of least privilege, and grant people access only as much as they need to perform their job duties for a limited duration.

For all accounts, ensure to use strong passwords that fulfill the criteria of complexity, length, and uniqueness. To create a secure password, you can utilize Passwords Generator, and to manage your passwords effectively, make use of a password manager.

Generate New Secret Keys

After resetting the passwords, our plugin enables you to compel all users to log out. WordPress utilizes browser cookies to maintain user sessions active for a period of two weeks. If a hacker obtains a session cookie, they can maintain access to the website even after resetting the password. To address this issue, we suggest resetting the WordPress secret keys to force active users to log out.

How to generate new secret keys in the wp-config.php file:

  1. Open the WordPress wp-config.php file.
  2. Add a value of 60+ unique characters for each key and salt.
  3. You can use a secret key generator.
  4. Save the wp-config.php file.
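The key rotation described above can be scripted. This Python example is added here and is not the guide's or any plugin's code: it rewrites the eight define() lines in wp-config.php with fresh 64-character random values and inserts any constant the file lacks above the wp-settings.php require. The wp-config.php excerpt it processes is constructed from the placeholder values shipped in wp-config-sample.php.

```python
"""Added example: rotate the WordPress secret keys and salts in wp-config.php so every
existing session cookie becomes invalid (section 3.2, Generate New Secret Keys)."""
import re
import secrets
import string

# Constants WordPress uses to sign cookies and nonces; all eight live in wp-config.php.
WP_SECRET_CONSTANTS = ("AUTH_KEY", "SECURE_AUTH_KEY", "LOGGED_IN_KEY", "NONCE_KEY",
                       "AUTH_SALT", "SECURE_AUTH_SALT", "LOGGED_IN_SALT", "NONCE_SALT")
# Printable ASCII minus the characters that would need escaping inside a PHP string literal.
ALPHABET = "".join(c for c in string.ascii_letters + string.digits + string.punctuation
                   if c not in "'\"\\$")
# Matches define( 'NAME', 'value' ); with either quote style and optional whitespace.
DEFINE_RE = re.compile(
    r"""define\(\s*(['"])(?P<name>[A-Z_]+)\1\s*,\s*(['"])(?P<value>.*?)\3\s*\)\s*;""")


def new_secret(length: int = 64) -> str:
    """Cryptographically random value of the recommended 60+ characters."""
    return "".join(secrets.choice(ALPHABET) for _ in range(length))


def rotate_secrets(config_text: str):
    """Return (updated wp-config.php text, {constant: new value}).

    Existing definitions are rewritten in place. A constant the file does not define
    is inserted just above the wp-settings.php require, where WordPress expects it."""
    new_values = {}

    def replace(match):
        name = match.group("name")
        if name not in WP_SECRET_CONSTANTS:
            return match.group(0)          # leave DB_NAME and other defines untouched
        new_values[name] = new_secret()
        return "define( '%s', '%s' );" % (name, new_values[name])

    updated = DEFINE_RE.sub(replace, config_text)
    missing = [n for n in WP_SECRET_CONSTANTS if n not in new_values]
    if missing:
        block = "".join("define( '%s', '%s' );\n" % (n, new_values.setdefault(n, new_secret()))
                        for n in missing)
        lines = updated.splitlines(keepends=True)
        anchor = next((i for i, l in enumerate(lines) if "wp-settings.php" in l), len(lines))
        updated = "".join(lines[:anchor]) + block + "".join(lines[anchor:])
    return updated, new_values


def extract_secrets(config_text: str) -> dict:
    """Read back the secret constants currently defined in a wp-config.php text."""
    return {m.group("name"): m.group("value") for m in DEFINE_RE.finditer(config_text)
            if m.group("name") in WP_SECRET_CONSTANTS}


# Constructed sample: placeholder values as shipped in wp-config-sample.php, NONCE_SALT absent.
SAMPLE_CONFIG = """<?php
define( 'DB_NAME', 'wordpress' );
define( 'AUTH_KEY',         'put your unique phrase here' );
define( 'SECURE_AUTH_KEY',  'put your unique phrase here' );
define( 'LOGGED_IN_KEY',    'put your unique phrase here' );
define( 'NONCE_KEY',        'put your unique phrase here' );
define( 'AUTH_SALT',        'put your unique phrase here' );
define( 'SECURE_AUTH_SALT', 'put your unique phrase here' );
define( 'LOGGED_IN_SALT',   'put your unique phrase here' );
$table_prefix = 'wp_';
require_once ABSPATH . 'wp-settings.php';
"""

if __name__ == "__main__":
    text, values = rotate_secrets(SAMPLE_CONFIG)
    print(text)
```

On a real site, read the file, write the result back under the same name, and keep the backup copy the guide already tells you to take before editing wp-config.php.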

3.3 Harden Your WordPress Site

Hardening a server or application involves implementing measures to minimize the attack surface, that is, the potential entry points that could be exploited by attackers.

Numerous methods can be employed to harden a website. Below are some suggestions to enhance the security and resilience of your site.

Reduce the number of entry points:

Ensure that only the sections of your website that are intended for public usage are accessible to the public. Employ server configuration rules or a web application firewall to prevent access to all other areas of your site.

Keep your website & server updated:

Staying up-to-date with software and server updates is crucial for safeguarding your site as outdated software remains a primary factor behind infections and reinfections. Make sure you prioritize regular updates to mitigate the risk of security breaches.

Use secure passwords and multi-factor authentication:

It is advisable to utilize lengthy, robust, and unpredictable passwords for both FTP and administrative access. Moreover, it is essential to limit entry to administrative panels by mandating multi-factor authentication.

3.4 Set Backups For Your WordPress Site

A reliable backup system acts as a safety measure. After successfully cleaning your WordPress site and completing essential post-hack measures, it’s essential to create a backup. Developing an effective backup strategy is crucial for maintaining strong security practices.

Consider the following pointers for WordPress backups:

Location: It is crucial to keep your backups in a location outside of your primary server. Storing old versions or backups on the server itself can create vulnerabilities that attackers may exploit if they are not properly secured. To minimize such risks, make sure to maintain working backups in multiple locations as a precaution against potential failures or disasters.

Automatic: It’s important for your backup system to operate automatically at a frequency that matches your website’s requirements. For instance, if your website is regularly updated due to being a news-based site, your backups should also run frequently to keep pace.

Redundancy: One approach employed to guarantee emergency backups of vital data in the event of a catastrophic incident is to first ensure functional backups and then duplicate those functional backups.

Testing: Make sure that your backups are free of any malware and capable of functioning properly in case you need to restore them. It’s not wise to solely rely on backups unless you have tested them beforehand.

File Types: Certain file types such as videos and archives, which can be large, may be excluded by some backup solutions. It is important to ensure that everything is included in your backup once it is performed.

3.5 Scan Your Computer

It is recommended that all WordPress users perform a thorough scan of their operating systems using a reliable antivirus program. This precaution is necessary because WordPress may be vulnerable if a user with a virus-infected device gains access to the dashboard. Some viruses can even spread from a device to text editors or FTP clients, posing a significant security risk.

Free Antivirus Programs:


Paid Antivirus Programs:

  • Bitdefender
  • Kaspersky
  • Sophos
  • F-Secure

If your computer isn’t clean, your website can be reinfected easily.

Tip: You should have only one antivirus actively protecting your system to avoid conflicts.

3.6 Use A Website Firewall

The number of vulnerabilities exploited by attackers grows every day. Trying to keep up is challenging for administrators. Website Firewalls were invented to provide a perimeter defense system surrounding your WordPress site.

Benefits to using a website firewall include:

Prevent a Future Hack: A website firewall can safeguard your website from future attacks by identifying and preventing recognized hacking techniques and behaviors.

Virtual Security Update: Zero-day exploits, which are unknown vulnerabilities in plugins and themes, can be quickly exploited by hackers. To mitigate this risk, a reliable website firewall can help patch any holes in your website software, even if you have not yet applied security updates.

Block Brute Force Attacks: The purpose of a website firewall is to prevent unauthorized access to your wp-admin or wp-login page, thus thwarting brute force attacks that aim to guess your password through automated means. Various features are employed to deter such attacks, including time delays, restricting login attempts, blacklisting IP addresses, and other measures.

Mitigate DDoS Attacks: A website firewall is designed to identify and prevent Distributed Denial of Service (DDoS) attacks that aim to overwhelm your server or application resources. Its purpose is to safeguard your website against various types of DDoS attacks by obstructing them, thus ensuring that your site remains accessible even during a deluge of fraudulent traffic.

Performance Optimization: WAFs typically provide caching to enhance the overall speed of your web pages across the globe. This not only leads to a better user experience for your visitors, but also helps to reduce bounce rates, increase website engagement and conversions, and improve search engine rankings.

WordPress Hacks FAQ

Individuals with malicious intent scour the internet in search of WordPress websites that have vulnerabilities to exploit. If your website lacks a WordPress firewall and you fail to adhere to security best practices, it may fall prey to such attacks.

Install a WordPress malware scanner plugin: There are several WordPress malware scanner plugins available, such as Sucuri Security, Wordfence, and iThemes Security. Choose one and install it on your WordPress site.

You can secure your WordPress site by following website security best practices, such as:

  • Having a WordPress firewall
  • Using the latest version of WordPress, plugins, themes and third-party services
  • Enforcing strong password requirements
  • Only granting the type of access that someone needs
  • Isolating each WordPress website
  • Implementing 2FA on the WordPress login page
  • Limiting Login Attempts on wp-admin
  • Leveraging IP access restrictions for the WordPress dashboard