September 26, 2019
5 min Read
September 26, 2019
5 min Read
and Knowing how to remove malware from a WordPress site is a skill every webmaster should have. Malware stands for malicious software, which is a general term for harmful programs and files that can compromise a system. It can damage computers, servers, networks, and websites. In this article, you’ll learn how to remove malware from a WordPress site.
Although WordPress is well maintained and secure, it does have several vulnerabilities that can expose your site and its visitors to malware threats. Hence paying attention to your site’s security is absolutely essential.
Here are some of the risks posed by malware:
As you can see, keeping your security up to date and knowing how to remove malware from a WordPress site is an absolute must!
The manual method may take a while and requires more technical knowledge, but it can give you insights on where the breach happened. If you would rather use a simpler alternative to remove malware from a WordPress site, try a security plugin instead.
Always backup your site before tweaking its core files. There are two ways to do this, depending on whether or not you’re locked out of your site.
Last but not least, keep a backup of your database stored locally as well.
We suggest downloading your backup using an FTP client or with the file manager then locally running a scan on the backup.
Use an anti-virus system and a malware scanner such as Kaspersky or MalwareBytes to diagnose and fix possible issues in your site’s files. If the scan is successful and helps locate and remove any issues, change your FTP password and re-upload site files.
There are a few actions you can take to remove malware from your WordPress site. First, you will need to access the site’s files through FTP or a file manager.
Erase every file and folder in your site’s directory except for wp-config.php and wp-content.
Afterward, open wp-config.php and compare its content with the same file from a fresh installation or wp-config-sample.php that can be found on the WordPress GitHub repository. Look for strange or suspiciously long strings of code and remove them. It’s also a good idea to change the password of your databases once you’re done inspecting the file.
Next, navigate to the wp-content directory and perform actions on these folders:
Re-download WordPress and re-upload the content to your website via FTP or the file manager.
Go to your file manager, click Upload Files and locate the WordPress zip file. After it’s finished uploading, right-click or press the Extract button and enter a directory name to define the save location. Copy everything else besides the zip file to public_html.
Alternatively, you can use hPanel’s one-click installer and edit the database credentials in the wp-config.php file to point it to your new installation.
If multiple users are running a website, the breach might have occurred through one of their accounts. It’s recommended to reset every user’s password, log out every account, and to check for any inactive or suspicious user accounts that should be deleted.
Change the passwords into long, randomized strings that can’t be breached by brute force attacks. It’s a great idea to use a password generator.
Now that you have removed malware from your WordPress site, re-install all the removed plugins and themes you had. However, be sure to leave out plugins that are outdated and no longer maintained.
While you’re at it, we advise you to install security plugins that can protect your WordPress site and easily remove malware in the future. Use one with a proven track record such as MalCare, WordFence, or Sucuri.
If you prefer a quicker way to remove malware from your site and can afford a premium service, you can purchase a WordPress security plugin.
For this article, we’re going to demonstrate how to remove malware from a WordPress site using Sucuri. But first, let’s take a look at what it offers:
You can get Sucuri from the WordPress plugin repository.
Once it is installed, you’ll need to go to the plugin’s dashboard and Generate an API Key to activate its features fully.
After your site is integrated with Sucuri’s API service, go to Dashboard -> Refresh Malware Scan. It will display a file log with any suspicious ones flagged. For this tutorial, we added suspicious code to our test site’s index.php file.
After running the scan, the file was flagged. You can select it and perform whichever action you prefer.
Although the malware has been removed from your WordPress site, you still need to ask Google to remove the site’s warning label:
You must double-check whether you successfully remove malware from your WordPress site before submitting a request. Otherwise, it will get pinned as a repeat offender, and you won’t be able to request another review for 30 days.
Malware can be a major issue that removes all credibility and trust from your WordPress site while compromising you and your users. While reviewing how to remove malware from a WordPress site, we showed you two methods:
Manual removal, for which you need to:
Or you can use plugins to fix the issues and improve your site’s security. Additionally, we also learned how to remove the warning label that can get placed on your website by Google.
With these actions in mind, hopefully, you can restore your WordPress site ASAP and keep future threats at bay.