Cleaning a Hacked WordPress Site and Removing Malware
Warnings on your WordPress site, notifications of site suspension by your hosting provider or core integrity issues. These are just some of the symptoms that your WordPress has been hacked, let’s fix it.
IDENTIFY HACK
You need information to know how to clean your site: warnings on your WordPress, notifications of site suspension or other symptoms
REMOVE
How to clean your site and remove all infections, malware or backdoors that hackers have done on your website, blog or e-commerce
PROTECT
Site cleaned. Now it’s time to secure and protect your WordPress site from future hacker attacks with security continuous maintenance
Do you need urgent help?
If you want us to do it for you, our security experts will remove all malware in less than 24 hours
Step 1 – IDENTIFY HACKS
WordPress is one of the most used CMS. Because of that there are lots of hackers attacking websites using WordPress sites and their vulnerabilities. You must secure your website, blog or e-commerce and do a continuous maintenance to prevent from infections. If you have been hacked, the first you should do is scan your site to evaluate the damage.
Scan your WordPress Site
If you are a WeSecur’s Essential Plan user, you have been warned about the hack and have the scan result if you have the automated mode. If you execute the scan manually, scan your site to read the report.
WordPress Hacked Symptons
- Blacklist warnings by Google, or other authorities
- Weird or abnormal browser behaviors
- Spam in search engine content
- Notification of site suspension by your website host
- File modifications or core integrity issues
- Warnings in Google search results (SEO poisoning)
Check Core and Theme Files
Analyze core files, wp includes and wp admin. As we mentioned before, if you doubt if they are infected, you can download WordPress again and compare the files to know if you should delete something that should not be there.
The next would be the theme files. It is one of the most used points to inject malware as hackers or attackers seek to infect as many users as possible.
We recommend to check the recently modified files as probably they give you information about which ones are the hacked ones. Again, as a WeSecur user you have all this info and the analysis of the files in your dashboard.
Check your Plugins
The main target in which attackers or hackers hide malware or backdoors. Also check for fake Plugins: everything looks normal, it has the appearance of a plugin, but is actually the focus of all your problems.
WeSecur analysis also check plugins.
Check your Logs
Look for suspicious or unknown users or IPs into your logs to have more info about when and from where has been the attack.
Step 2 – FIX HACKED WORDPRESS
Before executing any action remember to backup your site. As we explained before, an effective way of finding hacked files is to compare the current state of the site with an old and clean backup. If you have a clean backup, you can use that to compare the two versions and identify what has been modified.
How to Remove a Malware Infection from your Website files
Los pasos que debes seguir son:
- 1. Log into your server via SFTP or SSH.
- 2. Create a backup of the site.
- 3. Search your files for any reference to malicious domains or payloads.
- 4. Identify suspicious or recently changed files.
- 5. Restore infected files with copies from the official repository or a clean backup.
- 6. Replicate any customizations made to your files.
- 7. Test to verify the site is still operational after changes.
If the infection is in your core files or plugins, you can easily fix this manually, just don’t overwrite your wp-config.php file or wp-content folder. Remember this is included in WeSecur’s Clean Plan.
How to Clean Hacked Database Tables
Para limpiar y eliminar malware de la base de datos, puedes utilizar el panel de administración de la base de datos para conectarte a la base de datos.
- 1. Log into your database admin panel.
- 2. Make a backup of the database.
- 3. Search for suspicious content as spammy links.
- 4. Open the table that contains suspicious content and remove it.
- 5. Test to verify the site is still operational after changes.
You can also manually look for malicious PHP functions, such as eval, base64_decode, preg_replace, str_replace, etc. These functions are also used by plugins legitimately, so be sure you test changes to not accidentally break your website, blog or e-commerce.
Remove Hidden Backdoors
This can be one of the main reasons for reinfection. If you don’t close all backdoors your site will be reinfected. Look for files named similar to CMS core files but located in the wrong directory. Usually backdoors include this PHP functions: base64, str_rot13, gzuncompress, eval, exec, create_function, system, assert, stripslashes, preg_replace (with /e/), move_uploaded_file. These functions can also be used by plugins, so be sure to test any changes to not break your site by removing benign functions.
Remove Malware Warnings
For removing blacklisting or malware warnings on your site, you probably should contact with your hosting provider and ask them to remove the suspension.
Step 3 – PROTECT YOUR WORDPRESS
Set Backups
Backups are one of the most important things to secure your web. Here are some tips to help you with the strategy:
- Better redundant and automatic: make sure you are doing at least one backup. The better two or three different locations and in a automatic process.
- Test it periodically: restore your backups as part of the process just to be sure that they will work when needed.
Secure User Accounts
We always recommend to have only one admin WordPress user and use roles for the rest of users, with less privileges. But, anyway, if you have checked your logs and you have found out any unfamiliar WordPress users, remove them. To manually remove suspicious users from WordPress:
- Backup your site and database.
- Log into WordPress as an admin and click Users.
- Find the suspicious new user accounts.
- Hover over the suspicious user and click Delete.
- Change all the passwords of users accounts. All.
Update WordPress Software
To manually apply updates in WordPress:
- Log into your server via SFTP or SSH.
- Backup your website and database.
- Manually remove the wp-admin and wp-includes directories.
- Replace wp-admin and wp-includes using copies from the official WordPress repository.
- Manually remove and replace plugins and themes with copies from official sources.
- Log into WordPress as an admin and click Dashboard > Updates.
- Apply any missing updates.
- Check your website is operational.
Secure your computer
We always recommend you to manage your site from a secure terminal. So be sure to have an antivirus program installed. All the people that access to your website, blog or e-commerce must be secure. There are several free antivirus solutions as Avira or Avast, or paid as Kaspersky or Sophos.
