Cleaning Up Malware from WordPress Sites

Malware: Short for malicious software, a program or file created by hackers to gain sensitive information and cause harm to a computer, network or server.

WordPress is an open-source Content Management System (CMS) and the most popular one. Because of its huge number of users worldwide, WordPress sites become an easy target for hackers to inject and infect with malware.
Malware is commonly injected into sites through compromised admin access, outdated scripts with vulnerabilities, or an undetected backdoor.
WordPress sites that are infected by malware may show symptoms such as:
– Constantly consuming high server resources
– Theft of personal information
– Website blacklisted by search engines such as Google
– Website redirects to unknown sites
– Spam content and pages on the website

Identifying Malware on WordPress Sites

You can identify a hacked WordPress site by scanning it. There are several methods available for scanning the website; the most common are:

1. Scan using a plugin – You may install a security plugin on your WordPress site, and the plugin will do the job for you. Security plugins can scan the site thoroughly and identify malware within a short period of time.

2. Scan using online tools – Online scanning tools analyse a site and report whether it is infected; some scanning tools can detect suspicious links, iframes and scripts in your site. This can be used as a first layer of diagnosis.

3. Manual scanning – Manual scanning involves downloading the web files to a local computer for antivirus scanning, inspecting files and folders based on modification date, and checking WordPress core file integrity.
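
The manual checks in point 3 can be scripted. The following is an added example, not part of the original article: it compares a downloaded copy of the site with a clean WordPress download of the same version and lists files that differ, files that core never ships, PHP files under wp-content/uploads, and recently modified files. The function names, the 30-day window and the sample trees are assumptions made for illustration.

```python
import hashlib, os, tempfile, time
from pathlib import Path
CORE_DIRS = ("wp-admin", "wp-includes")      # shipped entirely by WordPress core
SITE_FILES = ("wp-config.php", ".htaccess")  # site-specific, inspect these by hand

def sha256(path):
    return hashlib.sha256(path.read_bytes()).hexdigest()

def scan_site(site_root, clean_root, recent_days=30, now=None):
    """Compare a downloaded site with a clean WordPress copy of the same version."""
    site, clean = Path(site_root), Path(clean_root)
    cutoff = (now or time.time()) - recent_days * 86400
    report = {"modified": [], "unknown_core": [], "php_in_uploads": [], "recent": []}
    for path in sorted(p for p in site.rglob("*") if p.is_file()):
        rel = path.relative_to(site)
        name = rel.as_posix()
        if (clean / rel).is_file():
            if sha256(path) != sha256(clean / rel):
                report["modified"].append(name)      # differs from the clean copy
        elif (rel.parts[0] in CORE_DIRS or len(rel.parts) == 1) and name not in SITE_FILES:
            report["unknown_core"].append(name)      # core never ships this file
        if rel.parts[:2] == ("wp-content", "uploads") and path.suffix.lower() == ".php":
            report["php_in_uploads"].append(name)    # uploads should hold media only
        if path.stat().st_mtime >= cutoff:
            report["recent"].append(name)            # changed inside the time window
    return report

def write_tree(root, files):
    """Create files under root; files maps relative path -> (content, age in days)."""
    for rel, (content, age_days) in files.items():
        path = Path(root) / rel
        path.parent.mkdir(parents=True, exist_ok=True)
        path.write_text(content)
        os.utime(path, (time.time() - age_days * 86400,) * 2)

def demo():
    """Run the scan over two small constructed trees (not real site data)."""
    clean = {"index.php": ("<?php // a", 400), "wp-includes/version.php": ("<?php // b", 400)}
    site = {**clean, "wp-config.php": ("<?php // settings", 400),
            "wp-includes/version.php": ("<?php // b + extra", 2),
            "wp-admin/wp-tmp.php": ("<?php // not in core", 3),
            "wp-content/uploads/2024/img.php": ("<?php // dropped", 5)}
    with tempfile.TemporaryDirectory() as tmp:
        write_tree(Path(tmp, "clean"), clean)
        write_tree(Path(tmp, "site"), site)
        return scan_site(Path(tmp, "site"), Path(tmp, "clean"))

if __name__ == "__main__":
    print(*demo().items(), sep="\n")
```

The modification-date check is only meaningful if the download preserved the original timestamps; many FTP clients reset them to the download time unless told otherwise.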

Cleaning Up Malware from WordPress Site

Engaging an expert is always recommended to clean up WordPress sites. Cleaning up is not entirely complicated, but it requires some patience to complete the process. If you must perform the clean up manually, you may refer to the steps below.

1. Record the theme and plugins in use on the website.
Record the names of the theme and plugins in use on the site; this will come in handy for the next step.

2. Download a clean copy of WordPress core files, themes and plugins.
For WordPress core, free themes and plugins, download the files from the official WordPress repository; this ensures that the files are uninfected by malware. If you are using any premium/paid themes or plugins, you will need to download them from the official marketplace only. Please download the same version as in use on the website and do not use nulled themes or plugins, as these are usually modified and injected with hidden malware.

3. Back up your web files and database before performing the clean up.
Back up your web files and database, in case anything goes wrong during the process and you need to restore the site.

4. Delete all files in the web root folder except wp-content, wp-config.php and .htaccess.
wp-content, wp-config.php and .htaccess contain data and information related to the site; deleting them may cause the website to break. You may delete all files except wp-content, wp-config.php and .htaccess to preserve the data.

5. Inspect the wp-content folder, wp-config.php and .htaccess file.
A backdoor is often injected into the wp-content folder, wp-config.php or the .htaccess file. A hacker may inject the backdoor by uploading files that look similar to original WordPress files or by adding suspicious code to an existing file. Delete the suspicious code or file to prevent reinfection; you may compare the file or folder with the clean copy downloaded from WordPress.

6. Delete all files in wp-content/themes.
Remove all files in the wp-content/themes folder, as malware may come from the theme folder.

7. Delete all files in wp-content/plugins.
Remove all files in the wp-content/plugins folder, as malware can be hidden in the plugins folder.

8. Upload a clean copy of WordPress core, themes and plugins to your web server.
Upload the WordPress core, theme and plugin files downloaded from the WordPress repository or official marketplace.

9. Change all passwords.
Change all passwords, including WordPress admin, FTP, control panel and database. A strong password shall consist of a combination of alphanumeric and special characters.

10. Update the new database password in wp-config.php.
Put the new database password into the configuration file, otherwise the website will not be able to connect to its database and display the right contents.

11. Replace the secret keys in wp-config.php.
A hacker may still be able to access a WordPress site even after the passwords are reset, because WordPress uses browser cookies to keep user sessions active. Resetting the WordPress secret keys forces active users to log off from their active sessions. Use a secret key generator to generate new keys and put them into the wp-config.php file.

12. Upgrade WordPress core, plugins and themes.
Upgrade WordPress core, plugins and themes to the latest version to ensure that vulnerabilities in previous versions are patched.

13. Re-scan website.
Re-scan your website once it is cleaned and patched to the latest version.
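
Step 11 above can be done with a short script. The following is an added example, not part of the original article: it replaces the eight standard key and salt constants in wp-config.php with values generated locally by Python's secrets module, as an alternative to an online generator. The function names and the sample configuration are assumptions made for illustration.

```python
import re
import secrets

# The eight key/salt constants defined in a standard wp-config.php.
KEY_NAMES = ("AUTH_KEY", "SECURE_AUTH_KEY", "LOGGED_IN_KEY", "NONCE_KEY",
             "AUTH_SALT", "SECURE_AUTH_SALT", "LOGGED_IN_SALT", "NONCE_SALT")
# Printable ASCII that is safe inside a single-quoted PHP string
# (no single quote, no backslash).
ALPHABET = "".join(chr(c) for c in range(33, 127) if chr(c) not in "'\\")
DEFINE_RE = re.compile(
    r"""^[ \t]*define\(\s*['"](?P<name>\w+)['"]\s*,.*\);(?P<tail>[ \t\r]*)$""", re.M)

def new_secret(length=64):
    return "".join(secrets.choice(ALPHABET) for _ in range(length))

def rotate_keys(config_text):
    """Return wp-config.php text with all eight keys and salts replaced."""
    seen = set()

    def replace(match):
        name = match.group("name")
        if name not in KEY_NAMES:
            return match.group(0)        # leave DB_PASSWORD and other settings alone
        seen.add(name)
        return f"define( '{name}', '{new_secret()}' );{match.group('tail')}"

    updated = DEFINE_RE.sub(replace, config_text)
    missing = [n for n in KEY_NAMES if n not in seen]
    if missing:                          # refuse to write a half-rotated config
        raise ValueError(f"keys not found in config: {missing}")
    return updated

# Constructed sample configuration, not taken from a real site.
SAMPLE_CONFIG = "<?php\ndefine( 'DB_PASSWORD', 'constructed-value' );\n" + "".join(
    f"define( '{n}', 'old-{n}' );\n" for n in KEY_NAMES)

if __name__ == "__main__":
    print(rotate_keys(SAMPLE_CONFIG))
```

Run it against the backup copy of wp-config.php first and check the output before replacing the live file; once the new keys are in place, every logged-in user has to sign in again.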

Summary / Conclusion

Keeping WordPress websites up to date is much easier than cleaning up an infected WordPress site, so it is important to patch the site (including themes and plugins) whenever new updates are available.
It is also recommended to remove all unused plugins and themes from your WordPress sites to minimize the vulnerabilities.
Yeahhost provides a website cleaning service at an affordable price, provided that all premium themes and plugins are supplied to us for virus cleanup purposes.

Fathiyah Jauhari
IT assistant manager with more than 10 years experience. Having expertise in Windows servers, Linux, cPanel, WordPress, IT consultation, trainer and more.