Over the years I have helped lots of people to remove malware from WordPress after their sites have been infected and now it’s time to put the process into a thorough tutorial.
There’s nothing worse when you are running a business online than finding out your website has been hacked and is now full of malware.
So to follow up our guide on WordPress security and how to prevent hacks from happening, it’s now time to look at how to remove malware and fix a hacked WordPress website.
Why do hackers do it?
Hackers infiltrate WordPress websites for a number of reasons; below are some of the most common:
- Extreme black-hat SEO tactics.
- Generate backlinks to their own sites or for other people buying them.
- Create redirects to take you to their site.
- Mining cryptocurrencies.
- Steal sensitive user and customer data.
- Negative SEO – By hurting your site with malware a competitor could take you out and benefit.
Did you know as much as 70-90% of all hacked websites in 2018 were running WordPress? A pretty shocking statistic if you ask me, and a 20-30% increase from the previous year.
How to find out if my site has been hacked?
There are several ways to find out if your WordPress website or blog has been hacked and now contains malware.
Google Search Console
There are a few ways Google Search Console can help you find out if you have been hacked.
Firstly, if Google scans your site and finds that it contains malware, they will send a message to the email address connected to your GSC account to let you know, and to inform you that they have either blacklisted your website or are showing a warning in the search results.
If you miss the email, periodically checking Google Search Console (which you should be doing anyway) will usually show you if there’s an issue under the “security and manual actions” section.
If you notice a change in traffic, for better or worse, this could indicate something has happened. You can monitor this in Google Search Console and Google Analytics, but the former is the more useful of the two tools on this occasion (and on most occasions, in all fairness).
Let’s say your traffic drops; it could be an indication that you have lost rankings as a result of your site containing malware or unusual spammy content (something else hackers do).
On the other hand, I have seen website traffic spike upwards after being hacked. This was because the site was suddenly ranking for porn actor and viagra search queries after the hackers or a bot injected the website with hundreds of spam pages, taking advantage of the website’s domain authority to rank these new pages very quickly.
Google search results
If your website is infected and Google has detected it in a scan you will be able to see this when you search Google for your web address or do a branded search for yourself.
This, of course, murders your click-through rate from Google, as it acts as a pretty strong deterrent.
In some cases, you might be notified by your hosting company that your account has been suspended and your site is currently set to block all traffic.
Look at the example below of how your site would look if you host with Siteground and they suspend it: they place a holding page up that says “This site is currently unavailable” and tells you to reach out to support.
While this might feel frustrating, it’s actually a good move: they are taking it seriously and trying to protect their other customers and your website visitors.
They will usually send you an email if they have detected malicious code and either ask you to fix it or upsell you on a security package they offer. If you are with an exceptional host like WPEngine then they will likely fix the issue for you, but you may need to bring it to their attention if they don’t spot it first.
WPXHosting is another great web host for lightning-fast WordPress websites, and it offers a completely free malware removal service as part of the package.
A visitor might notify you
In some cases you might find out from a visitor emailing you to let you know that they saw a warning in the Google search results like the one below, or that they noticed something unusual on your website, such as a strange redirect to an external website, content that doesn’t seem to fit, or a warning from their browser to be careful.
Running a Wordfence scan
Install the Wordfence plugin for WordPress and run a scan, or if you already have it installed, make sure it does a fresh scan and monitor it to see what it finds.
Wordfence will improve your security, but there are other security steps you should be taking in addition to using this plugin. If Wordfence is installed but the firewall isn’t running or isn’t working for some reason, then you aren’t benefiting from its full protection.
So make sure to troubleshoot the firewall settings if you are having an issue.
Inspecting Your Website and Files
The last method, and the one that benefits most from experience and knowledge, involves going through your website with a fine-tooth comb looking for any tell-tale signs.
We are essentially looking for a couple of things.
Firstly, malicious payloads: this is the name given to the part of the hack that is causing the damage, like the Trojan Horse in the city of Troy.
The second thing we are looking for is backdoors. Hackers always leave backdoors in several places so they can regain access later if any of them are left behind after the clean-up.
But, what do you even look for?
Start by downloading a fresh copy of WordPress from wordpress.org, extract it and open the folder so you can explore the contents.
Then open your own website in either File Manager or FTP/SFTP so you can see your live copy of the same files.
Work through the files and look for any that exist on your server but not in the vanilla install files you just downloaded.
You are essentially comparing two folders here, one is the fresh copy of WordPress you just downloaded and the other is the live file directory and subdirectories of your website and server.
When you find a file you don’t recognize you can:
- Search for it on Google to see if other people have asked what the file is for and to see if it has a legitimate use.
- Open the file in a text editor (I recommend Notepad++) and have a look at the contents.
- You can also open both the new copy of a file and the version on your website and compare them side by side with Notepad++.
Here are some signs that a file has been hacked or hijacked that you can look for:
- Anything that contains eval, base64_decode, gzinflate, preg_replace or str_replace (so do a search in your code editor for “base64”, for example). Use Ctrl+F or Cmd+F and search for these strings to see if any exist.
- Anything saying the site has been hacked like comments in the code, though this is less common these days as hackers prefer to be stealthy.
- Any long, strange, obfuscated code; sometimes hackers will encode their base64 and other functions by converting them to hexadecimal, or by encoding and encrypting them in different ways to make them harder to detect and decode.
- A series of random characters on a single line in a PHP file, like $csgmfic = 'umylc0#oab8g5_nx2*p1s69He7-itvkfdr\'4';$mzluwvz, because nothing purposeful would be encoded like this unless it was trying to hide something.
Sometimes legitimate plugins need to use functions like base64_decode. Though it’s not very common, you want to be careful when removing plugin files that contain base64 without first downloading a fresh copy of the plugin and checking whether the same code exists there.
If it does, then it’s likely legitimate and benign; if not, the file has been modified and you want to replace the entire plugin folder with the newly downloaded copy to be safe.
If you can locate a backup of your website files from a little while back, you can download a copy, extract it and then compare the files in your current site and the backup using the Notepad++ compare feature and view them side by side. This can take time, but it’s a sure way to know if something has changed.
You can also limit it to files that have been modified recently rather than going through every single file on your server.
This method isn’t as effective if you don’t know how long your site has been infected for.
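The comparison described in this section can also be done from a terminal rather than by eye. This is an added example written for this guide, not code from the author, WordPress or Wordfence; it assumes you have downloaded the live site to a local folder over SFTP and extracted a fresh wordpress/ folder from wordpress.org (both paths are hypothetical), and it uses only the standard find, cmp, grep and awk tools. It covers the whole inspection procedure: files that exist in your core folders but not in the vanilla copy, core files whose contents differ, PHP files containing the strings listed above (plus \x hex escapes) or unusually long lines, and files modified within the last N days, which is the modified-date check the guide comes back to later.

```bash
#!/usr/bin/env bash
# wp_inspect.sh: compare a live WordPress tree with a fresh copy from wordpress.org
# and look for the tell-tale signs listed in the guide. Added example, not code
# from the guide author, WordPress or Wordfence. LIVE and FRESH are hypothetical
# local folders: the site downloaded over SFTP and the extracted wordpress/ folder.

# Relative paths of the files WordPress ships outside wp-content/: everything
# under wp-admin/ and wp-includes/ plus the files directly in the root.
# wp-config.php is skipped because it is never part of the download.
core_listing() {
    (cd "$1" && { find ./wp-admin ./wp-includes -type f 2>/dev/null
                  find . -maxdepth 1 -type f; } | grep -v '^\./wp-config\.php$' | sort -u)
}

# Files that exist in LIVE but not in FRESH. Expect a few legitimate extras in the
# root (.htaccess, robots.txt, a verification file); anything under wp-admin/ or
# wp-includes/ listed here has no business being there.
extra_files() {
    local a b
    a=$(mktemp); b=$(mktemp)
    core_listing "$1" > "$a"; core_listing "$2" > "$b"
    comm -23 "$a" "$b"
    rm -f "$a" "$b"
}

# Core files present in both trees whose contents differ from the fresh copy.
# The two copies must be the same WordPress version for this to mean anything.
modified_core_files() {
    local live="$1" fresh="$2" f
    core_listing "$fresh" | while IFS= read -r f; do
        if [ -f "$live/$f" ] && ! cmp -s "$live/$f" "$fresh/$f"; then
            printf '%s\n' "$f"
        fi
    done
}

# PHP files containing the functions the guide tells you to search for, plus
# runs of \xNN hex-escaped bytes. preg_replace is only flagged with the /e
# modifier and str_replace is not searched for at all: both appear in almost
# every legitimate plugin, so on their own they are useless as a signal.
SUSPICIOUS='eval\(|base64_decode\(|gzinflate\(|str_rot13\(|preg_replace\(.*/e[^a-z]|(\\x[0-9a-fA-F]{2}){4}'
suspicious_files() {
    grep -rIlE --include='*.php' "$SUSPICIOUS" "$1" 2>/dev/null | sort
}

# PHP files with at least one line longer than MAX characters (default 1500),
# a common shape for obfuscated payloads. Hits in files that are identical to
# the fresh copy can be ignored.
long_lines() {
    find "$1" -type f -name '*.php' -exec awk -v max="${2:-1500}" \
        'length($0) > max { print FILENAME; exit }' {} \; | sort
}

# Files changed in the last DAYS days (default 7): the modified-date check.
recent_files() {
    find "$1" -type f -mtime -"${2:-7}" | sort
}

# Usage (after downloading the site to ./live and extracting wordpress/):
#   . ./wp_inspect.sh
#   extra_files ./live ./wordpress; modified_core_files ./live ./wordpress
#   suspicious_files ./live; long_lines ./live; recent_files ./live 14
```

Every list this produces is a list to review, not a verdict: as the guide says, some genuine plugins use base64, and a root-level robots.txt will show up as an "extra" file. The value is that you get a short list of candidates to open in Notepad++ instead of thousands of files.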
How to Clean Malware from a Hacked WordPress website
If you have discovered that your website has in fact been hacked and accessed by others, this is the process you want to follow to lock down your site, clean it up and then improve security so it doesn’t happen again.
The hack might have infected your existing files or it might have created new files inside your directories.
Usually, it will be a series of files and a combination of different file types working in tandem to operate whatever function they are trying to achieve while being able to respawn. If you cut one head off, another grows back like the Lernaean Hydra from Greek mythology (sorry for all ancient Greek analogies today, I’m on a roll).
Regardless of how intimidating the task is, the steps below should see you safely through, helping you remove the malware and infected files from your site for good and then prevent it from happening again.
Lock down the site
Before you begin cleaning up you want to block the website from all but your own IP address.
Doing so ensures that, as you clean things up, the hacker or a bot can’t detect that the files have been deleted and add replacements with different names in different directories, or regain access manually.
You don’t want to be playing cat and mouse.
The easiest way to do this is to use your .htaccess file to block all IP addresses apart from your own.
The .htaccess file lives in the root folder of your WordPress install. Locate it via CPanel’s file manager tool (or via FTP if you prefer), add the following to the top of the file and save:
deny from all
allow from 126.96.36.199
Of course, you want to change the address on the allow from line to your own IP address.
If you aren’t sure what your IP address is then you can easily find this by either going to What’sMyIP.com or literally just searching on Google the query “What’s my IP” and Google will do you a solid and display it in a rich snippet box at the top.
Then all you have to do is copy and paste that over the example above and save your .htaccess file.
You can test whether it’s working and blocking other IP addresses by using a VPN to access the site and checking that it blocks you. Alternatively, pick up your phone, turn WiFi off and visit the site; this way it will use your 4G connection, which of course has its own IP address, different from your broadband connection.
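For anyone working over SSH rather than in the file manager, here is the same lockdown as a small script, with a matching unlock for when you are finished (the unblock step near the end of this guide). This is an added example, not the guide’s own snippet or any project’s code; the script name and the marker comments are my own choice. It writes the deny/allow lines from the guide inside an IfModule guard so that Apache 2.4 servers, where those directives only work if mod_access_compat is loaded, get the equivalent Require ip rule instead, and it refuses anything that isn’t a plain IPv4 address so that a typo can’t silently open the site.

```bash
#!/usr/bin/env bash
# wp_lockdown.sh: temporarily restrict the site to a single IP via .htaccess and
# lift the restriction afterwards. Added example for this guide, not code from
# any project. Marker comments, names and the backup suffix are my own choice.

MARK_BEGIN='# BEGIN cleanup-lockdown'
MARK_END='# END cleanup-lockdown'

# Accept only a dotted-quad IPv4 address with octets 0-255, nothing else.
valid_ipv4() {
    printf '%s' "$1" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}$' || return 1
    local octet
    for octet in $(printf '%s' "$1" | tr '.' ' '); do
        [ "$octet" -le 255 ] || return 1
    done
}

# True when FILE already carries the lockdown block.
is_locked() {
    [ -f "$1" ] && grep -qxF "$MARK_BEGIN" "$1"
}

# lockdown FILE IP: back up FILE and prepend the block allowing only IP.
lockdown() {
    local htaccess="$1" ip="$2" tmp
    valid_ipv4 "$ip" || { echo "not a valid IPv4 address: $ip" >&2; return 1; }
    is_locked "$htaccess" && { echo "$htaccess is already locked down" >&2; return 1; }
    [ -f "$htaccess" ] && cp "$htaccess" "$htaccess.pre-lockdown"
    tmp=$(mktemp)
    {
        printf '%s\n' "$MARK_BEGIN"
        # Apache 2.2 syntax, as in the guide; also works on 2.4 via mod_access_compat
        printf '<IfModule !mod_authz_core.c>\norder deny,allow\ndeny from all\nallow from %s\n</IfModule>\n' "$ip"
        # Apache 2.4 native syntax; Require ip alone denies every other client
        printf '<IfModule mod_authz_core.c>\nRequire ip %s\n</IfModule>\n' "$ip"
        printf '%s\n' "$MARK_END"
        if [ -f "$htaccess" ]; then cat "$htaccess"; fi
    } > "$tmp"
    mv "$tmp" "$htaccess"
}

# unlock FILE: remove everything between the markers, inclusive, leaving the
# rest of the file (for example the "# BEGIN WordPress" rewrite block) untouched.
unlock() {
    local htaccess="$1" tmp
    is_locked "$htaccess" || { echo "no lockdown block found in $htaccess" >&2; return 1; }
    tmp=$(mktemp)
    awk -v b="$MARK_BEGIN" -v e="$MARK_END" \
        '$0 == b { skip = 1 } !skip { print } $0 == e { skip = 0 }' "$htaccess" > "$tmp"
    mv "$tmp" "$htaccess"
}

# Usage: lockdown /path/to/site/.htaccess 203.0.113.7   (your own IP)
#        unlock   /path/to/site/.htaccess               (when the clean-up is done)
```

Two caveats: .htaccess is only honoured by Apache (and LiteSpeed); on Nginx the file is ignored and the same restriction has to go into the server configuration. And test it the way the guide suggests, from a second connection such as your phone’s mobile data, before you start deleting files.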
Take a Backup
Before any major change to your website you should always take a backup, unless you already have a recent backup that’s clean and you haven’t made any changes since that you would mind losing.
You can use the backup facility in your CPanel (If your hosting provider offers it) or a plugin like UpdraftPlus. Download a copy of the backup and delete it from your server.
Don’t extract it on your computer; just leave it as a zipped file so it’s isolated. You are likely going to delete this completely later, as long as everything goes to plan with the clean-up.
If your website is currently functioning, receiving high traffic and you are sure it’s safe you could opt to set up a staging version of your website on a subdomain and work on resolving the issue there.
But in some cases this just means creating more copies of the malware, and the two installs might not be isolated from one another, leaving you with twice as many files to clean up in order to avoid cross-contamination.
Change ALL passwords
At this point, you want to ensure all of the login credentials for the website are secure by changing them and picking secure and complex passwords.
You want to change the following to be safe:
- All WordPress account logins
- FTP/SFTP logins (All if you have multiple)
- SSH logins (If you have this feature)
- Your database password (this means changing it in your wp-config.php file and changing it via CPanel > MySQL Databases)
- Your main hosting account password
- You might even want to change your WordPress username if that’s being targeted.
When you update your wp-config.php file with a new and very secure password, you will also want to generate new secret keys by going to the WordPress Secret Key generator.
Every time you refresh that web page it generates 8 new keys, which you copy and paste over the old ones in wp-config.php.
Doing the above without first blocking the site from all IP addresses apart from your own means the credentials can be changed again as quickly as you are working through them.
Run a Scan
There are a few ways to do this when being thorough but it’s easiest to start with a Wordfence Scan.
- Install Wordfence from the WordPress plugin repository
- Go to the plugin and then “Scan” page
- Click “Start Scan”
- Wait for the scan to complete and review the findings
Wordfence might find some issues with plugins etc. being out of date and needing an update, but we are looking for more critical warnings.
Any mention of files in your WordPress install that look foreign and out of place, or of core WordPress files that have been edited and injected with base64 and other potentially malicious code, is the priority.
Once you have a list of the files, you want to move onto cleaning them up (explained further down).
If you want to do an additional scan you could also use Sucuri by just putting your web address into their web-based tool and running a scan.
You can learn about the other security services offered by Sucuri here.
Now, if you have good backup protocols in place, with daily backups, and you haven’t made any recent changes to your website, you might opt to restore to a previous state and then move on to improving your security to prevent reinfection.
This might get you back to a clean version, but it might not.
You will want to run a scan afterwards, and you will still want to go through my advice above on changing ALL passwords. There’s a high chance the hackers or bots can get back into your site unless you change all of the login details connected to your website and improve its security with a firewall and my other recommendations in the guide I linked to above.
Malware Removal and Clean Up
Different types of infections and vulnerabilities need to be patched and fixed in different ways, so it’s difficult to create a catch-all guide for all hacks, malware and infections, but I will attempt to cover the best practices and the process I go through when working on a hacked site.
Evaluate the threat
There are a few ways to research the malware and infection on your WordPress site so you can learn the best course of action.
The easiest is to start by looking at the symptoms. What’s happening with your site? Does it redirect to another website? If so, try searching Google for the URL it’s redirecting to together with the words “hack”, “malware” and “WordPress”.
If other people have reported the same problem then you might find a guide or forum thread discussing what steps you should take to remove it and prevent reinfection.
Another approach is to take a look at the infected files on your server.
When looking at unusual files that Wordfence has found during a scan and that shouldn’t exist, the best thing to do is find out whether there’s any information about them available online.
If the hack is common and uses malware that has infected lots of websites, searching for the name and folder location of the infected file will likely turn up some additional information.
It might be other people discussing it on a forum or it could be a WordPress security expert writing about it in an article.
This is helpful for a couple of reasons. Firstly, it will give us some tips on how to remove the malware; secondly, it might give us some idea of how the infection happened in the first place and where the backdoor or vulnerability was.
It might name and shame a particular plugin that has been used on thousands of different websites to spread the same malware.
All of this information is extremely valuable in helping you work out your next steps, as some of these infections act like viruses and worms and can respawn with a new name in a different folder as soon as they are deleted.
Researching some infected files will also lead you to discover other issues; for example, a write-up might include instructions to check whether certain WordPress users have been added to your site, how to check your database for any unusual tables, or even the exact data to search for.
Let’s take a look at an example from a site I cleaned up the other day. See the screenshot below which shows the results of a Wordfence scan and lists out some critical issues.
Each of the critical issues will stand out like a sore thumb, as the names of the .php files are obviously bogus, but because they are randomly generated filenames that might be unique to this website, it’s harder to find any results on Google when searching for the file names.
So the next step in trying to learn more about them is to open one in Notepad++ so we can look for anything unusual in the file that we could potentially search for on Google.
After checking the infected files’ contents, it seems as though they are randomly generated and encoded too, so this didn’t lead to any good search results either.
At this point, I decided to remove the threat the manual way.
If you discover that there are infected files inside a specific plugin folder, then it could mean that is where the vulnerability exists, and so you could then start searching for the plugin name plus the word “vulnerability”.
So, for example, you could search “social warfare vulnerability” which was a pretty serious issue that allowed a lot of websites to be hacked back in 2018.
If you try this search for yourself you will see articles about the issue, how to patch the issue (upgrade the plugin) and any specific info to help you remove the existing infection if you have already been a victim.
There might also be files that aren’t detected by any of the malware scanners. These can be difficult to find, but one way to look for them is to check the modified dates of your files via FTP or SSH (if you are comfortable using it).
Then you can make a note of all of these files, and later on you can open them and examine the contents for anything unusual.
Remove the threat and Clean Files
Depending on what you have discovered in the above steps, you will then either want to follow the specific instructions you have found or begin the process below.
Step 1) Remove the files
If these files are inside core WordPress folders like the wp-admin folder, the wp-includes folder or the root of the install, then the best way to remove them is to delete these folders and files completely. The only exceptions here are your wp-content folder and your wp-config.php file, which should remain so your files can connect to your database.
Step 2) Upload Replacement Files
Then download a fresh copy of WordPress from wordpress.org, making sure to match the version you are running, or update to the latest version before you begin this process.
Upload the files via the file manager in CPanel or via FTP/SFTP (CPanel is usually faster) and you will have removed any infections and files within these folders.
I prefer to delete all of the existing copies before uploading the new copies, just to be safe.
If you aren’t using CPanel’s file manager, then I advise using an SFTP connection if possible, or an encrypted FTP connection, but not an unencrypted FTP connection, as this isn’t a secure method of connecting to your server.
The reason you can delete all of the locations mentioned above is that any site-specific changes to a WordPress website exist only in the wp-content folder.
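Steps 1 and 2 as a script for SSH users: it wipes wp-admin/, wp-includes/ and everything in the site root except wp-content/, wp-config.php and .htaccess, then copies in the fresh download. This is an added example, not WordPress project code; LIVE and FRESH are hypothetical paths (the site root and the extracted wordpress/ folder), and the KEEP list and the --force flag are my own design. It checks that the two copies report the same $wp_version in wp-includes/version.php before deleting anything, since the guide says to match versions, and it leaves the fresh copy’s wp-content/ alone so your themes, plugins and uploads are not overwritten.

```bash
#!/usr/bin/env bash
# wp_replace_core.sh: delete the WordPress core files of a live install and copy
# in the same files from a fresh download (steps 1 and 2 of the guide). Added
# example, not WordPress project code. LIVE is the site root, FRESH the extracted
# wordpress/ folder; both are hypothetical local paths.

# Entries in the site root that survive the wipe. wp-content/ and wp-config.php
# are the exceptions the guide names; .htaccess is kept because it carries the
# lockdown block. Add other root files here only after you have checked them.
KEEP="wp-content wp-config.php .htaccess"

keep_entry() {
    local name="$1" k
    for k in $KEEP; do [ "$k" = "$name" ] && return 0; done
    return 1
}

# The version string from wp-includes/version.php, e.g. 6.5.2 (empty if absent).
wp_version() {
    sed -n "s/^\$wp_version = '\([^']*\)';.*/\1/p" "$1/wp-includes/version.php" 2>/dev/null
}

# replace_core LIVE FRESH [--force]
# Refuses to run unless LIVE looks like a WordPress root and both copies are the
# same version (the guide says to match versions); --force allows an upgrade.
replace_core() {
    local live="$1" fresh="$2" force="${3:-}" live_v fresh_v entry
    if [ ! -f "$live/wp-config.php" ] || [ ! -f "$fresh/wp-includes/version.php" ]; then
        echo "refusing: $live is not a WordPress root or $fresh is not a fresh copy" >&2
        return 1
    fi
    live_v=$(wp_version "$live"); fresh_v=$(wp_version "$fresh")
    if [ "$live_v" != "$fresh_v" ] && [ "$force" != "--force" ]; then
        echo "version mismatch: live=$live_v fresh=$fresh_v (pass --force to upgrade)" >&2
        return 1
    fi
    # wipe everything in the root except the KEEP list, dotfiles included
    for entry in "$live"/* "$live"/.[!.]*; do
        [ -e "$entry" ] || continue
        keep_entry "$(basename "$entry")" && continue
        rm -rf "$entry"
    done
    # copy the fresh tree minus its own (nearly empty) wp-content/, which would
    # otherwise overwrite the live themes, plugins and uploads
    for entry in "$fresh"/* "$fresh"/.[!.]*; do
        [ -e "$entry" ] || continue
        [ "$(basename "$entry")" = wp-content ] && continue
        cp -R "$entry" "$live/"
    done
}

# Usage: replace_core /var/www/site ./wordpress
#        replace_core /var/www/site ./wordpress --force   (when upgrading)
```

Look through the site root before running it: anything not in KEEP (robots.txt, a search-engine verification file, ads.txt) will be deleted, so add such files to KEEP once you have confirmed they are legitimate. The .htaccess survives only because it holds the lockdown block; read it by hand too, because injected rewrite rules are a common way of implementing the redirects described earlier.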
Step 3) WP-Content
This is where it can get a little trickier.
If the malware and infected files are inside your wp-content folder, then you will want to check whether they are genuine files that exist as part of a WordPress theme or plugin, or whether they have been put there by someone else.
Let’s say the infection is in one or several of your plugins.
You want to go to the WordPress.org plugin page and search for each of the plugins.
Then download a copy of each plugin and extract them on your desktop.
Compare the files in the fresh copy with what you see in your folder when looking at it in File Manager or SFTP.
Are the infected files also in the fresh copy or do they look like they have been injected?
Either way, the safest option now is to delete the plugin entirely and upload your fresh copy.
If you are dealing with premium third-party plugins not available in the WordPress plugin library, then you will need to go to each specific vendor and log in to download the latest sterile copy.
Repeat this process for each plugin that contains infections, and if you want to be really thorough you can download a fresh copy of every plugin you have and replace them all.
This process should also be applied to the WordPress themes folders, in case the infection got in that way or has spread to those folders.
After cleaning up both WordPress plugins and themes, the next folder to look at is the uploads folder, to see whether any of these digital creepy crawlies have found their way into the date-archived folders used for storing your WordPress media library uploads (usually images).
This part can be laborious, but you need to at least check through these folders, even if you don’t get a warning about any files in there, just to see whether there’s anything unusual. A .php file inside uploads is a red flag, since that folder should hold media, not code.
Aside from the above sub-folders of wp-content, you also want to check the root of wp-content to see whether there’s anything else out of place. Realistically there should just be the 3 folders (plugins, themes and uploads) and an index.php file, and nothing else.
In some cases plugins might create folders at this level, as with UpdraftPlus backups; if this is the case for you, make sure to check those folders.
If you have backups and your site is infected you might want to remove them because there’s a chance these backups are infected too.
You also want to check in the file manager whether only one website uses this storage space or whether there are multiple sites hosted on the same shared hosting account.
If there are multiple installs of WordPress on your account, then there’s a good chance the infection has spread to multiple websites; this is known as cross-site contamination.
This means you will need to spend more time cleaning files, and it’s the reason why it’s always safer to isolate your website.
It also makes it harder to be confident where the initial infection got in, because if your site shares the same space as other sites, it might not have got in via your main site but via one of the others instead.
Clean Hacked Database Tables
Many hacks also involve injecting tables and data into your database, so we need to take a look at this too.
- Take a backup of your database by going to your hosting account and CPanel (If your host uses it) and then PHPMyAdmin.
- Select your database from the list. You can find the database your site connects to by checking the DB_NAME line in your wp-config.php file.
- Once you have selected the database, click on the “Export” tab and then click the “Go” button.
This will download a copy of your SQL database that you can store on your computer for safe-keeping.
The next thing we want to do is search through the database tables. We can navigate through them one by one and look things over on the “Structure” tab, or we can go to the “Search” tab, where you can search for different spammy strings.
If your site is small and you don’t use many plugins, there might not be too many tables, and it might be easy to scan through them by clicking on the different tables and looking for anything untoward.
If you find things that seem odd, manually remove the data from the tables and then check to see if your site is still loading normally.
You might find some default WordPress tables which have had strange code or URLs added to them and other times you might find new tables that shouldn’t even exist in the first place.
It’s impossible to cover every possibility in this guide but the above gives you a good overview and process to follow.
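The same triage can be run against the .sql export you downloaded in the backup step, which is easier than clicking through tables in phpMyAdmin on a large site. This is an added example, not code from the guide author, WordPress or phpMyAdmin; it assumes a plain-text phpMyAdmin export with one row per line and a known table prefix (wp_ unless you changed $table_prefix in wp-config.php), and the sample dump used in its test is constructed. It lists tables that are not one of the twelve a stock install creates, prints the siteurl and home options (the ones a redirect hack changes), flags rows carrying script tags or PHP evaluation functions, and lists the accounts in the users table so an unexpected administrator stands out.

```bash
#!/usr/bin/env bash
# wp_dump_scan.sh: triage a phpMyAdmin SQL export of a WordPress database.
# Added example for this guide, not WordPress or phpMyAdmin code. Assumes a
# plain .sql export with one row per line and a known table prefix.

# The twelve tables a stock WordPress install creates (without the prefix).
WP_CORE_TABLES='commentmeta comments links options postmeta posts termmeta terms term_relationships term_taxonomy usermeta users'

# Table names in the dump that are not core tables. Plugins create tables too
# (Wordfence, WooCommerce, ...), so this is a list to review, not a verdict.
unexpected_tables() {
    local dump="$1" prefix="${2:-wp_}" name base known t
    sed -n 's/^CREATE TABLE[^`]*`\([^`]*\)`.*/\1/p' "$dump" | while IFS= read -r name; do
        base="${name#"$prefix"}"
        known=0
        for t in $WP_CORE_TABLES; do [ "$t" = "$base" ] && known=1; done
        [ "$known" = 1 ] || printf '%s\n' "$name"
    done
}

# The two options a redirect hack most often rewrites; print them for review.
site_urls() {
    grep -oE "'(siteurl|home)', ?'[^']*'" "$1"
}

# Rows carrying markup or PHP evaluation that does not belong in posts or
# options. Output is "line:text", trimmed because INSERT lines can be huge.
suspicious_rows() {
    grep -nE '<script|<iframe|eval\(|base64_decode|gzinflate|javascript:|document\.write' "$1" | cut -c1-120
}

# "ID user_login" for every row of the users table. The login is the second
# column of a stock wp_users table, which is the order phpMyAdmin exports.
# Rows are read until the statement-terminating semicolon.
list_users() {
    local dump="$1" prefix="${2:-wp_}"
    TABLE="${prefix}users" awk -v q="'" '
        index($0, "INSERT INTO `" ENVIRON["TABLE"] "`") == 1 { in_stmt = 1 }
        in_stmt && match($0, "^\\([0-9]+, " q "[^" q "]*" q) {
            row = substr($0, 2, RLENGTH - 1)    # drop the opening parenthesis
            gsub(q, "", row); sub(",", "", row)  # strip quotes and the first comma
            print row
        }
        in_stmt && /;[[:space:]]*$/ { in_stmt = 0 }
    ' "$dump"
}

# Usage: unexpected_tables backup.sql wp_; site_urls backup.sql
#        suspicious_rows backup.sql; list_users backup.sql wp_
```

Anything these functions print still has to be judged in context: a plugin table is normal, a script tag in a widget you added yourself is normal, and a second administrator you don’t remember creating is not. Clean-up itself still happens in phpMyAdmin on the live database, as described above, and the export you scanned stays as your safety copy.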
Unblock Your Site
Remember, when you are all done, you want to remove the lines you added to .htaccess at the beginning of this process and put the site live again.
You can monitor Wordfence over the coming hours and days by checking the firewall, running additional scans daily and keeping an eye out for any emails Wordfence might send to warn you if it has found infected files again.
If your hosting account includes multiple websites, you will want to monitor them all to be sure there are no further infections.
It should go without saying but you want to also make sure all of your WordPress installs are kept up to date moving forward.
If you have gone through all of the above steps properly then there’s a very low chance of your site getting infected again.
If your site has been flagged by Google as containing unsafe content then you will want to request a review via Google Search Console.
You can also check if your site has been flagged by going to Google Safe Browsing Site Status.
Once your site has been reviewed it should reappear in the index and your rankings should return to normal (most of the time). However, if a site has been hacked and left in an unfit state for a long period of time, it might be a major setback in terms of keyword rankings and traffic for a while.
If your site has been blocked or marked as unsafe by other webmaster tools then you might need to submit reviews with each of them. Examples include Bing, McAfee and Yandex.
There is also a chance that your hosting company detected the malware and suspended your account to protect their other customers and ensure the issue is resolved before your site is allowed to go live again.
Remember, a hacked website could cause harm to your visitors, as they might be redirected to a harmful website and end up downloading malware, a keylogger or other viruses onto their computer.
So taking your website security seriously is also an ethical obligation you have to your audience and customers.
After all of the above is complete and your site is finally clean and live again you will want to take a fresh backup while it’s up to date and everything is clean.
If you are concerned that the hack was a result of your hosting company not taking security seriously, consider switching to one of our recommended options below.
- Siteground – The more affordable option for smaller websites and businesses.
- WPEngine – More expensive but provides extremely fast performance and more support coverage (They will help with WordPress specific issues)
- WPXHosting – Also lightning-fast and starts slightly cheaper than WPEngine but more expensive than Siteground’s entry-level packages.
In my experience it’s best to avoid GoDaddy, Bluehost, HostGator and any of the other EIG owned hosting companies if you want good security and performance.
Finally, you want to work through this WordPress security guide to make sure your website is fully secure and there’s no risk of you getting hacked again anytime soon.
This guide will take you through all of the steps required to secure your website by ensuring everything responsible for running your site is up to date and optimized.
One thing you often find on hacked sites is that they are running outdated versions of PHP that no longer receive any security updates, which leaves them exposed. If you have been hacked, check your PHP version via CPanel, or contact your host if you’re not sure.
It can be a royal pain in the ass to have to go through and clean an infected site but it’s a lesson in security that will hopefully make sure you take website security seriously in the future and make sure all of your websites are fully protected and your business is secure.
This is the lesson I had to learn the hard way and ever since it has been part of my standard operating procedure with all website builds.
If your website is generating a lot of revenue and leads on a daily basis a few days out of action and having to deal with lower keyword rankings for months can be an expensive penalty to pay.
Don’t be that guy or girl! Good luck!