The Step-by-Step Guide to Removing Malware from Your WordPress Site

If your WordPress site has been infected by malware, removing it can be a challenge. If this headache wasn’t enough, Google is also banning sites from its index for 30 days as a way to try and curb the spread of malware. That means it’s more important than ever to take action to ensure your site is clean.  But you’re here because you want to remove it, so let’s get started.

WordPress Plugin for Malware Removal

BlogVault, one of the best website backup and security platforms on the market has created MalCare, which is a superior plugin to help you remove malware from your WordPress website. It’s available as both a free and paid version. If you can access your WordPress dashboard and install this plugin, it’s just a few easy steps to get rid of the malware and keep your site  clean and secure.

With this plugin:

• Scanning is handled via cloud-based servers, which makes sure that their scanning doesn’t drain or degrade the performance of your own website
• You don’t need to do any kind of configuration. Just install the plugin and activate it and it will handle stopping things like brute attacks and setting up firewalls. It also copies your site to its own server so that it can scan it regularly.
• It takes a single click to remove the malware and  you have the option to revert in case something goes wrong.
• It offers superior scanning and smart algorithms that seek out and destroy malware.
• It has a minimal false positive rate so you don’t have to worry about fake notifications that just serve to waste time.

WordPress Services for Malware Removal

Now, you may be thinking that such a plugin is great – IF you can access your WordPress dashboard. But what if you can’t? If that’s the case, you’ll want to look at this full step-by-step guide for WordPress hack removal.  It’s more involved and not as “push-button” as the aforementioned plugin, but it nevertheless will ensure that your site is clean, even though you may need to dive a bit more into the technical end of things.

Step by Step Guide to Remove Malware from your WordPress Site

If you need a step-by-step walk-through to remove malware from your WordPress installation, simply do the following.

Step #1: Backing Up

First, you need to back up the files and database of your website. For that, you  should take the following steps:

• Most web hosts will provide you a full site backup option. It will clone your entire website from the server. However, it may take a lot of time depending on the size of the site.
• If you can log into your account, you can use a backup plugin. If you’re having trouble because of the hack, you may want to consult an IT professional to help you.
• Back up your database separately as well.
• Also, export the XML file of all contents from Tools > Export.

There are times when the site is pretty large, you are unable to log in, your host does not have the ‘snapshots’ or backup feature, and so on. In any case, make sure that you can copy the wp-content folder of your website. To do this, access the file manager and make a zip archive of the wp-content folder, download and save it.

If you have multiple WordPress installs, make sure that you back up each one of them.

Important Note: Make sure to backup your .htaccess file and download it. It won’t be visible on your regular dashboard and you can only access it from File Manager. The tip here is to rename the file and remove the ‘.’ At the beginning or else you won’t be able to see it on your computer. There are a few hosts that may use .htaccess files to determine the PHP version your site is currently running on and if you remove it the site won’t work appropriately. Also, some individuals use it for 301 SEO redirects. So, if it is available, make sure that you save it.

Step #2: Examine the Backup Files

As you end up with the backup files, download these to your computer and examine the contents. Open zip files and make sure the following content is available:

• Core WordPress Files: Use WordPress.org and download WordPress. Match the contents with your folder to assure that the core files are all present. While these are not necessary, they come in handy for a hack examination later.
• Wp-config.php File: This is a file that carries your important details such as name, username, password, etc. to access the WP database.
• .htaccess File:  As you back up, this particular file won’t be visible on your computer by default. To view it, you need to use FTP programs or code editing apps i.e. FileZilla or Brackets.
• Wp-Content Folder: It contains the primary contents of your website such as themes, uploads, and plugins. When you back it up, you’ll want to check and make sure those aforementioned three folders are in it. It is the most critical folder that is necessary for site backup, otherwise all that content you’ve worked on is gone.
• Database: Clone your database and export the SQL file. It’s possible that the malware has infected the database, but it’s nevertheless important to back it up.

Step #3: Delete Files from public_html Folder

Once you are certain that you have a complete backup of your website, delete the files from the public_html folder. However, keep the cgi-bin folder and other directories that are related to servers and you are certain that these are free from hacks. Use the File Manager because it will work way faster than the FTP. If you’re confident and know how to work with SSH,  that can speed up the process even more. Make sure invisible files like .htaccess are also deleted.

Malware can cross-contaminate other files and folders on the same account. It can be hard to know without going in depth into your files and folders precisely what has become infected, but if you’re certain you have a complete backup, you can clean all of your files thoroughly. Cleaning the malware from one site alone won’t do much good if it can become contaminated again from another infected site.

Step #4: Reinstall WordPress

Your web host will allow you to reinstall WordPress with a single-click installation platform. Follow the steps to do so and then open your own local wp-config.php file and refer to your backup. Make the changes to connect with your former DB and credentials. Some people reupload the previous wp-config.php file and replace it with the current one. However, there can be traces of some hacked code so you should avoid doing it.

Step #5: Resetting Permalinks and Passwords

Now is the time to log in to your website and reset the details. Change all the user names and passwords. If there’s a user (or several) with names you don’t recognize, it’s possible that your database has also been compromised. If this happens, you’ll need to work with a professional to clean out all traces of the hacked code.

Save changes by going to settings and permalinks. Ultimately, you will end up restoring your .htaccess file and your website URLs will begin working. Assure that you deleted the invisible files too when deleting the data on your server so there is no hacked .htaccess file on your server. Different folders and files can be hacked and compromised so you need to be very careful.

As you are doing the resets, also change the FTP and hosting account passwords.

Step #6: Reinstalling Plugins

Now that the heavy lifting has been done, the rest is fairly simple. Reinstall your plugins from the WordPress repository (don’t install the old plugins or any that are no longer maintained as these can be impacted by the malware or virus).

Step #7: Reinstalling Themes

Reinstall the theme that you were using on your website to get its layout back. There are instances when people customize the layout and if you have done this too you can refer back to your themes backup. However, refrain from re-uploading the backup files. Theme code can also be hacked and vulnerable.

Step #8: Uploading Images

Go to your backup folder and upload your images. Here, you have to refer to the wp-content > uploads folder. Copy the data from your backup and upload the files on the server. People do make a mistake here that they copy the files without examining the folders and upload it to their servers. You don’t want to end up adding any hacked content or code to your website. So, examine the data carefully by going into the details of each month and year to assure that you don’t have any .PHP or .JS files in it. Just get your images and nothing else. If there is something that you haven’t added to your media files or you don’t recognize, do not copy it. You may want to use an FTP program to upload the images.

Step #9: Scanning Computer

Now that you have a full backup stored on your computer, scan those files using your antivirus and anti-malware scanner.

Step #10: Installing Security Plugins

Use the Shield WordPress Security plugin created by iControlWP and install it on your website. Activate the plugin and go through the settings thoroughly. There is an audit feature that you can run. Running that over the course of a month or two will make sure your site isn’t suffering from any further infections.

Also, use other tools such as anti-malware security and brute-force firewall to proceed with a thorough scanning of your website. Sucuri’s Sitecheck is another helpful tool to be certain that you are not missing anything.  A common issue here is that, in an effort to further reinforce their site, people will install two firewalls, thinking it gives them extra security. This doesn’t do anything extra to protect your site, so you can choose one program as your scanning and anti-malware program and then deactivate the other.

Why Was Your Site Hacked?

You might wonder why your site in particular was hacked. Most of the time, the most important thing to know is the type of hack. From there, you can narrow it down to a particular reason. Of course, you may not want to know, but knowing why can help safeguard you from future attempts.

Sometimes it may not even be your WordPress site at all, but rather your computer. For instance, you might have an old browser extension running that has some vulnerable or secret code running in the background, and this spread and infected your website. The same applies if you have any old plugins running. Reuploading them can reinfect your site.

For this reason, it’s a good idea to:

• Inspecting backup files: Go through the backup files carefully and browse the ones that have been modified or installed recently. If there is anything that stands out or appears to be odd, inspect it further.
• Searching for specific phrases, included files, or filename: There are times when you may see a file included that looks strange a file name you don’t recognize. In other instances, you may get a particular class on a page linked to some JS code that has been hacked. So, do a google search to find out more about it.
• Raw access logs on hosting cPanel: The hosting cPanel gives you Raw Access Logs which can give details to the files that were being accessed. If you get some POST statement, which means that some data is being posted, you will get the exact data that was compromised. Sometimes, you may end up with an IP that may refer to the destination point where the data went.
• Old plugins and themes can be a reason: Usually, the hacks occur via old plugins and themes. So, make sure to update them regularly and don’t go for older themes. Keep your site up to date and don’t use any plugin that is not actively maintained.
• Search DB: Sometimes you have hidden admin users and hacked accounts in your database. So, examine it thoroughly but do back it up at a few different places before you proceed. In this case you may also need a professional to help you.

Conclusion

You definitely don’t want to just leave the hacked site online. Google will activate search console notices and can even ban your site. Check your raw access logs and look at the requests, particularly ones with the keyword POST to make sure that data isn’t leaking. You can see the raw access logs by just turning on the archive option in your Cpanel.

If you need to rely on a professional to help you secure your site and prevent other hacks from happening after following each of these steps, I invite you to reach out to us at WPDandy. We provide thorough theme, plugin and WordPress maintenance and management services, including security checks and updates to ensure that your site is working at its best, without vulnerable code or other issues slowing it down or potentially costing you that search engine ranking that you’ve worked so hard to earn!