A Complete Guide to WordPress Malware Removal

A Complete Guide to WordPress Malware Removal

Due to the popularity of WordPress, it has become a common target of cyber attacks. In fact, 70% of the 40,000 WordPress websites in Alexa Top One Million are vulnerable to hacking attempts.

Some of the most common signs of a hacked site include defaced web pages, links to malicious websites, Google blocklist warnings, and white screens of death. If one of these indications appears on your WordPress site, it has likely been compromised or infected with malware.

Once you’ve confirmed that you’re running a hacked WordPress website, take appropriate action to recover it at the earliest opportunity. Keep reading as we will provide the steps to manually remove malware from a hacked website. We will also cover some of the best WordPress security plugins to choose from.

How to Remove WordPress Malware Manually

While recovering a hacked WordPress site is possible, the process requires decent technical knowledge in website maintenance and hosting.

If the following tutorial seems too challenging for you, we recommend using a WordPress malware removal plugin or hiring a WordPress malware removal specialist.

Step 1. Prepare for WordPress Malware Removal

First things first, keep in mind that you can fix your hacked WordPress site. While it might take some time and effort to recover it, know that you can get over such an incident. Therefore, it’s important to stay calm and follow the appropriate recovery procedure.

Before removing malware from your WordPress site, take these preparation steps to ensure the safety of your data:

1. Restrict Access to the Website

If your WordPress site has malicious redirects to shady, unsecured websites, chances are it’s been hacked. If left unchecked, your infected WordPress site can prompt visitors into accessing dangerous sites and leaking their personal details.

Restricting access to your WordPress site will help prevent the further spread of the hidden malware currently infecting it. Perform this step by editing the .htaccess file through your hosting control panel’s File Manager or an FTP client. In this tutorial, we’ll be using Hostinger’s File Manager on hPanel.

Here’s how to do it:

  1. Navigate to File Manager under the Files section.
Locating File Manager in Hostinger hPanel dashboard
  1. Access the public_html directory and scroll down to locate the .htaccess file. If the file isn’t present, create a new one.
  2. Add this code snippet to the .htaccess file to block all access except yours:

order allow,deny

deny from all

allow from [your_IP_address]

  1. Save the changes.

Pro Tip

Make sure your IP address is static. Otherwise, you’ll need to update the .htaccess file periodically.

2. Create a Backup

Creating a backup of the hacked site will make it easier to identify malware. By comparing the WordPress files of the good backup with those of the post-hack version, you’ll be able to locate malicious code much faster.

Follow these steps to back up your WordPress site files and database using Hostinger hPanel’s one-click backup and restore system:

  1. Navigate to Backups under the Files section.
Locating File Manager in Hostinger hPanel dashboard
  1. Click on the Select button within the File Backups section. Select a date from the drop-down menu and click Next Step.
Specifying the file backup data to download based on the date of creation
  1. Check the box next to the domain you want to back up, then select Download all files.
  2. Once the server finishes preparing the download, click Download Backup.
A Download Backup button will appear after the file backup data has finished preparing
  1. After backing up your website files, do the same for your WordPress database. Click on the Select button under the Database Backups section and pick the desired database from the drop-down menu. If you don’t know your WordPress database name, locate it first.
Picking a database from the drop-down menu to download
  1. Select Show databases to display the backup logs. Pick a date and click Download.
The backup logs that have been generated over time. User can pick one to download.
  1. Once the server finishes preparing the download, click Download Backup.

3. Check Available Backups

This step should be easy for those who have done their due diligence as website administrators. If you couldn’t restore the WordPress site using the infected backup file, the older version can serve as your Plan B, allowing you to recover pre-hack data and start over much faster.

Otherwise, we recommend contacting your web host to see if they have a backup of your website files. Depending on your hosting provider, you might have pre-hack backup files automatically generated. Hostinger, for example, offers daily and weekly backups with its shared hosting plans.

4. Update All Passwords and Access Keys

Many hackers use malware to commit brute force attacks to crack administrator accounts’ login credentials. Changing your passwords can slow them down and minimize the chances of another security risk wreaking havoc on your WordPress site.

Make sure to use strong passwords and avoid reusing them on more than one account at a time. There are plenty of online password generators like Secure Password Generator and Random Password Generator that can help you create unpredictable passwords with various combinations of letters and numbers.

The following are some of the accounts that need a password reset at the soonest opportunity:

  • Hosting account ‒ most hosting providers, including Hostinger, put the password change feature on the account information page.
  • FTP accounts ‒ having your FTP accounts compromised will allow hackers to launch FTP bounce attacks. Minimize this risk by changing the password of both your primary and secondary accounts.
  • SSH accounts ‒ change your account passwords and SSH keys to prevent hackers from accessing your website data.
  • WP-Admin credentialsreset your admin password and the login credentials of other WordPress user accounts that have access to your site’s backend.
  • WP Salts ‒ changing your WordPress Salt keys will help keep your login details hashed, strengthening your WordPress account against brute force attacks.

Important! If you have personal accounts with the same password as your hacked WordPress site, change them as well.

5. Update WordPress

39.3% of hacked WordPress sites are running an outdated WordPress version. By keeping your CMS up to date, you’ll eliminate vulnerabilities that hackers can exploit to attack your website.

Here’s a checklist of the software and files you need to update:

  • WordPress versionupdate your WordPress to the latest version via the Updates tab of your WordPress admin dashboard. Hostinger users can update their website version through the hPanel dashboard.
  • Themes and plugins ‒ the update prompt of outdated WordPress plugins and themes should appear in the Updates section. Don’t forget to eliminate potential security issues by deleting unused themes and plugins.
  • PHP version ‒ Hostinger users can update their PHP version via the PHP Configuration menu under the Advanced section of the hPanel dashboard.

6. Check for Recent Changes and Access

Your WordPress site logs keep track of all the traffic and changes made on the server. Checking the logs for suspicious activity around the time of the hack makes identifying rogue accounts and infected files easier.

First, analyze your changelogs by running the find command on SSH:

find . -type f -name '*.file_extension' -ctime n

Replace the file_extension value with the file type you want to check. We recommend searching for JavaScript and PHP files as both file extensions are common targets of malware injection. Add a positive or negative value to the n placeholder to determine the search scope.

For example, the following SSH command displays any PHP files added or modified three days ago:

find . -type f -name '*.php' -ctime -3

As for the access logs, Hostinger users can check them via Access Logs under the Website section of the hPanel dashboard. Open the Access logs tab to see a list of your website visits. You can filter the results based on the chosen time frame.

The display of access logs, showing a list of website visits

7. Remove Symlinks

Symbolic links or symlinks are file types that point to another file or directory, serving as shortcuts. While they provide multiple access points, hackers can exploit them to launch symlink attacks and gain access to your root directory.

Run this command via SSH to unlock symlinks from your files and directories:

find . -type l -exec unlink {} \;

8. Reset File and Folder Permissions

Limiting the number of users with an administrator role is a great security measure to prevent hackers from accessing confidential site files. In the event of a security breach, we recommend resetting file and folder permissions to their default values to flush out WordPress users with invalid access privileges.

The file permissions settings should be accessible via your hosting account dashboard. Hostinger users can access them via the Fix File Ownership menu under the Other section. After checking the confirmation box, click Execute to set all file permissions to the default values ‒ 644 for files and 755 for folders.

The Fix File Ownership menu lets user configure file permissions settings

The recommended 755 folder permissions mean that the owner of the files within these folders can read, write, and execute them, whereas other WordPress users only have read and execute access rights.

9. Scan Your PC with Antivirus Software

The cyber attack might target your WordPress site initially, but there’s no telling if the malware infection hasn’t spread to your PC. Scanning your PC with antivirus software will help remove a potential malware infection and prevent it from compromising your hardware.

Here are some of the best antivirus solutions that come with a malware scan feature:

Step 2. Reinstall WordPress Core Files

After doing the prerequisites, it’s time to reinstall WordPress. If you still have access to your WordPress dashboard, navigate to Updates and click on the Re-Install Now button.

Otherwise, you can use an FTP client to reinstall WordPress core files manually. Here are the steps Hostinger users should take:

  1. Establish an FTP connection to your web server.
  2. Locate the wp-content folder within the root directory, right-click it, and select Download.
Downloading the wp-content folder via FileZilla
  1. Log into your hPanel dashboard, navigate to Website -> Auto Installer. Select the WordPress option and fill in the installation details. Make sure to check the Overwrite Existing Files box.
Locating WordPress auto-installer in Hostinger hPanel dashboard
  1. Go back to your FTP client and refresh the directory list. Re-upload the wp-content folder you downloaded earlier to the root directory. This step allows you to keep your plugin and theme files.

Step 3. Compare Infected vs Clean WordPress Installation

At this point, you’ll have both infected and clean WordPress files. Put those files in two separate folders and compare the content via your FTP client. FileZilla has a Directory Comparison feature you can use to streamline the process. If you have a lot of files to go through, consider using Beyond Compare.

Pay close attention to JavaScript and PHP files as they are ideal hosts for malware. Then, upload as many clean WordPress files to the website as needed and periodically check whether the site works properly.

Alternatively, use the diff command in SSH to compare the infected and clean folders:

diff -r wordpress-clean/ wordpress-infected/ -x wp-content

Be on the lookout for any files that have been changed or added recently.

Step 4. Clear Out PHP Files from Uploads

As malicious PHP files might be the cause of your hacked site, removing PHP files from your Uploads folder is an essential step of the compromised WordPress website cleanup process.

You can do so manually via an FTP client by locating Uploads in the wp-content folder. Most FTP clients like FileZilla offer a filter function that will make this process easy. Another way to do it is to use the find command in SSH:

find . -name "*.php"

Step 5. Look For Backdoors Within Your Files

Hackers might embed backdoors in files to create security vulnerabilities within your WordPress site, so it’s important to remove any hacked files that carry them.

Backdoors often look similar to WordPress core files. wp-config.php and files within plugins, themes, and uploads folders are the most popular targets of backdoor injections.

To identify potential backdoors, check your files for these PHP functions:

  • base64
  • exec
  • move_uploaded_file
  • str_rot13
  • gzuncompress
  • eval
  • stripslashes
  • system
  • assert
  • preg_replace (with /e/)

Use the following SSH command to detect any hacked files located within your directories:

find . -type f -name '*.php' | xargs egrep -i "(mail|fsockopen|pfsockopen|stream\_socket\_client|exec|system|passthru|eval|base64_decode) *("

The following command will locate image files with backdoor functions:

find wp-content/uploads -type f -iname '*.jpg' | xargs grep -i php

Lastly, use the command below to locate infected iframes:

find . -type f -name '*.php'| grep -i '<iframe'

Important! Some plugins use these functions in their operations, so make sure to test any changes made. We recommend downloading original plugin files and comparing their code with the files you’ve downloaded from the hacked site to avoid deleting essential functions.

Step 6. Inspect the SQL Database File

Your database isn’t immune from malware injections. After making sure your WordPress core and content files are clean, the next step is to take a closer look at your database.

First, export your MySQL database as an .sql backup file with phpMyAdmin. Using a text editor like Sublime, inspect the file for malicious content. Don’t delete suspicious entries from your database backup file. Instead, take note of their location and proceed to the next step.

Step 7. Review the Code for Each Page and Post

In this step, look for malicious entries within your posts, pages, and comments sections. Check their revision history to detect any suspicious activity.

Look closer at places where you found suspicious entries during Step 6. Remove all the malicious code using a text editor and reformat the content if needed.

While you’re at it, delete spam messages you’ve found during the cleanup process.

Step 8. Remove Your Website from URL Blocklists

At this point, your WordPress site should be free from malicious code. All that’s left to do is to remove your website’s URL from Google’s blacklist.

You can do so through Google Search Console. Navigate to your admin dashboard and open the Security & Manual Actions -> Security issues tab. Select I have fixed these issues -> Request a review to have Google review and re-index your WordPress site.

Keep in mind that Google can take a couple of days to process the blocklist removal request.

Verify Your Website

Consider checking out How to Add a Domain to Google Search Console to verify your website ownership and request a review.

Best WordPress Malware Removal Plugins

You have learned the steps required to remove malware from WordPress websites manually. If you’re not confident in your technical skills, consider using a WordPress malware removal plugin to streamline the cleanup process.

The following are three of the best WordPress security plugins to choose from. Feel free to pick one that suits your needs and preferences best.

1. WordFence Security

WordFence Security plugin banner

WordFence Security’s WordPress malware scanner makes removing malware from your WordPress site easy. The plugin also includes a scheduled security scans feature to automate the process, keeping your WordPress site secure without too much micromanagement on your end.

The plugin comes with a web application firewall – it is a valuable addition to your website’s security, blocking malicious traffic and preventing brute force attacks. It works alongside the malware scanner to block requests that include malicious scripts.

Additionally, WordFence Security includes login security features like two-factor authentication and reCAPTCHA. The plugin also lets you block logins using known compromised user passwords.

Upgrading to WordFence Premium for $99-$950/year will give you access to real-time IP blocklist and country blocking features, stopping all requests from malicious IP addresses or countries of your choice.

Other notable premium features include real-time malware signature updates, investigation and malware removal, post-incident blocklist removal, and search engine security cleanup.

2. All In One WP Security & Firewall

All In One WP Security & Firewall plugin banner

This WordPress security and firewall plugin offers user account security features that detect default “admin” usernames and identical login and display names. It stops username enumeration and promotes strong passwords by providing a password strength tool.

The login and user registration security functionality come with brute-force protection, automatic forced logouts, and IP lockout. You can monitor all users’ account activities, including failed login attempts, and whitelist certain IP addresses.

Additional WordPress security features include the ability to add custom WP prefixes, scheduled automatic database backups, .htaccess and wp-config.php file backups, and a file change detection scanner.

In short, All In One WP Security & Firewall is one of the best free plugins to remove malware from hacked websites and prevent future malware attacks.

3. Sucuri Security

Sucuri Security plugin banner

Like the WordFence Security plugin, Sucuri comes in free and premium versions. The free plugin offers basic WordPress security features like file integrity monitoring, security hardening and activity auditing, remote malware scanning, blocklist monitoring, and post-hack security actions. Unfortunately, the website firewall is reserved for premium users.

The premium version costs $199.99–$499.99/year and provides unlimited malware and hack removals by Sucuri security experts. All plans include a cloud-based web application firewall, website security scans every 30 minutes to 12 hours, and post-cleanup basic reports.

Sucuri can also notify you when your WordPress site is blocklisted and submit a removal request on your behalf. The CDN speed enhancement feature will boost your search engine rankings post-malware infection.

Hiring a WordPress Malware Removal Service

Various WordPress plugins offer top-notch features to remove malware from WordPress sites and protect them from future malware infections. However, when dealing with complex malware, professional help might be necessary.

Hiring WordPress security services is recommended if you lack the technical expertise required to perform the processes explained above.

A WordPress security expert can ensure the malware removal process is done correctly. Furthermore, you can have them patch your WordPress site’s security vulnerabilities, ensuring it performs optimally.

Freelance platforms like Upwork, Fiverr, and Codeable host tons of professional WordPress experts available for hire. Here are some tips to help you find a WordPress malware removal specialist:

  • Write a clear job description ‒ doing so will help set the expectations, budget, and required skills.
  • Review candidates’ portfolios carefully ‒ having insight into an applicant’s past experience will give you a better idea of their skills, expertise, and whether they’re up for the task.
  • Browse past client reviews ‒ make sure a candidate’s work ethic and communication style match your preferences. A good contractor should provide you with regular status updates and be transparent about the entire process.
  • Use references ‒ ask your friends or contacts to suggest trusted experts whom they have worked with.

Secure Your Website

Consider checking out How to Secure WordPress guide to help you identify and patch security vulnerabilities within your site.

Conclusion

Removing malware from your WordPress website can be done in numerous ways. You can do it manually if you have the technical expertise and time needed to perform the cleanup process.

WordPress security plugins can streamline the process and add additional security measures to prevent future malware attacks. If all else fails, you can hire a WordPress security expert to do the work for you.

Regardless of the preferred method, it’s best to take action as soon as you can. While it’s possible to recover a hacked website, the cyber attack can harm its search engine rankings and your brand’s reputation if left unfixed.

We hope this article has helped you learn how to detect malware on your WordPress website and get rid of it. Best of luck!

Was this tutorial helpful?

Author
The author

Tomas A.

Tomas is a senior customer support agent at Hostinger. Besides providing top-notch technical advice on a daily basis, he likes to create websites and do various coding side projects.