WordPress Malware Removal: How to Clean a Hacked WordPress Site

WordPress is a hugely popular platform for websites, but that popularity leaves it prey to hacking. This constant threat – the introduction of malicious code aka malware, viruses, trojans, spyware, ransomware…(deep breath)…backdoors, spam – must not be taken lightly, yet the fact is that the owners of many websites either do not consider it, or place their heads in the sand, until it’s too late.

So…what then? Resolving a WordPress Hack and removing malware is, to a greater or lesser extent, something of a bind. But with a bit of knowhow and a lot of patience, it is quite achievable.

Signs you’ve been hacked

Of course, someone with an inane-sounding username leaving even more inane-sounding comments does not necessarily point towards a hack. Yet anyone who has suffered one will know all-too-well that face palm moment of realisation when the ugly truth hits home. Here are a few of the more obvious signs:

• An increased use of server resources; a slowing down of server performance;
• Message alerts saying that your website has been infected;
• The content in your page header and footer suddenly advertises drugs, pornography etc with little or no thought given to presentation;
• The theft of user and/or customer information;
• The sending of bulk spam emails;
• The website is listed by Google and anti-virus software providers as being unsafe;
• Website users contact you to say that they are being re-directed to a malicious website;
• Your host contacts you with suspicions of WordPress malware. They themselves might have been contacted, by someone telling them that your site’s URL featured in a spam email they received.

Steps to take

Take down your website

Displaying a hacked website to the world isn’t going to do anybody – apart from the perpetrators themselves, of course – any good. Replace it with a ‘Website under maintenance’-type page by adding some PHP code right at the top i.e. before thetag:

<? php
header(“HTTP/1.1 503 Service Temporarily Unavailable”);
header(“status: 503 Service Temporarily Unavailable”);
header(Retry-After: 3600”);
?>

A 503 error message will then be returned, which also tells search engines that the website is down. The ‘Retry-After’ header tells search engines to come back after 1 hour.

You will also need to modify the .htaccess file (see later for more information on this file) so every page on your site defaults to the 503 page:

RewriteEngine on
RewriteCond %{REMOTE_ADDR}!^111\.111\.111\.111
RewriteCond %{REQUEST_URI}!/maintenance503.php$[NC]
RewriteRule .*/maintenance503.php[R=302,L]


Perform a backup

Backup your site files and MySQL (or MSSQL) database ASAP in a .zip file as, for obvious reasons, many hosts would simply prefer to delete it as a soon as a hack has been confirmed.

Your host might have a backup ‘snapshot’ system available, but if not then either FTP or a backup plugin can be used to make a copy. Speaking of which, also be sure to save your FTP account.

When performing a backup, the areas to concentrate on are:

• The wp-content folder, which contains all the uploads, themes and plugins your site uses;
• The wp-config.php file, which stores database information such as name, username and password;
• The .htaccess file, which helps control server access. This file is invisible and the only way of knowing if you backed it up is to view your backup folder using either an FTP program (like FileZilla) or code editing application that lets you view invisible files;
• ico, which is your website’s shortcut icon;
• txt, which gives site information to web crawlers.

Find the cause of the hack and remove WordPress malware from your site

You need to do this for a very simple reason: to ensure that it doesn’t happen again. But it is easier said than done!

The process is a methodical one, with some trial and error thrown in. Depending on your patience and expertise, it may eventually be worth getting professional help in. But before you get your hands dirty, there are a few important things to know:

• You can delete plugins without destroying your site. They can simply be reinstalled, and any that have been deleted without being reinstalled will be disabled by WordPress. Do not delete individual files in wp-content/plugins, however, since doing so can damage your site. Instead, delete entire directories.
• Most WordPress users only have one theme running in wp-content/themes. Other theme directories (if present) can be deleted unless a child theme is also being used – in which case there will be two theme directories present, which should be retained.
• Besides wp-content, the wp-admin and wp-includes directories are to be found in the root folder. It is rare that either directory has new files added to it. If they do, therefore, then there is a strong chance that these files are part of the hack.

The logical way to hunt down rogue files is to compare the name and number of files in your hacked WordPress installation with a clean version. There are tools available (such as Beyond Compare) that can help you do this.

One way hackers can get in is to access a subdirectory that contains old WordPress versions and backups. The site might be up to date and have a security plugin but the hacker can still use this so-called ‘backdoor’.

A very good piece of advice here is to avoid keeping old versions of your site in the same directory as the live version.

Use the command window

Hackers can insert malicious code into files that survive updates/re-installation, such as those relating to themes.

If the Secure Shell security protocol (SSH) runs on your server, sign in and perform a few command line operations such as ‘find’ and ‘grep’ to see which files have been recently modified. If they have – and if you know no-one has modified them without good reason – then the changes would point to a hack. For example:

find . -mtime -2 -ls

…will search the current directory and subdirectories for files modified in the last two days.

To search a specific directory for files modified in the last two days:

find /home/woobro/mysite/ -mtime -2 -ls

A good idea is to repeat searches by rolling back the days; sooner or later you will encounter modified (and quite possibly hacked) files. Now the files have been identified, they can be edited, thus allowing you to remove the WordPress malware.

‘grep’ is a perennial when searching through files at the command line. Since hackers often exploit the prevalence of base64, for example, the following command will list files in which such strings occur:

grep -ril base64 *

Running the command without the ‘l’ option would reveal the contents of files containing base64 strings:

grep -ri base64 *

Of course, the string “base64” occurs in code that has not been hacked. So the search may have to be narrowed down:

grep -include=*.php -rn . -e “base64_decode”

Here, a recursive search for the string “base64_decode” is being performed on .php files. The results will include the line number, providing helpful context that may point towards WordPress malware.

Besides “base64_decode”, you can also use grep to check for the following strings, which are all synonymous with a hacked WordPress site:

• iframe
• exe
• isadmin
• inurl
• eval
• gzuncompress

Remember, though, that context is everything: such phrases are also used in legitimate code.

You must always search the wp-content directory, since this is the repository for files and resources, plugins, themes, images, etc. In general, FileZilla is useful if you want to filter out a specific file type (such as .php files) and delete them in bulk.

The ‘find’ and ‘grep’ commands can also be used in tandem: to discover which files have been recently modified; and to see what has been modified. So if you find a string that has obviously been changed, use ‘grep’ on all files:

grep -irl “ha ha we got you!” *

There is a tendency towards patterns in WordPress malware code e.g. how often it is found in the uploads directory. Using the find command, we can exclude image files in this dictionary in favour of malicious ones:

find public_html/wp-content/uploads/ -type f -not -name “*.jpeg” -not -name “*.jpg” -not -name “*.png” -not -name “*.gif” >malicious-uploads.log

The command’s output is saved in a log file called “malicious-uploads.log” in the current directory.

Besides the command window…

…another way of discovering whether files have been modified recently is to access them via FTP and sort by modification date.

trong>Other tips when searching for the cause of the hack

• Check IFRAME and NOSCRIPT tags, into which malicious code is often inserted. It might point to an executable file or a script that downloads yet more WordPress malware or redirects users to spam sites. In particular, look out for IFRAME tags with height and width set to zero.
• User areas, such as comment sections, can also be hijacked. Using the ‘site: search’ command on Google.com is a good way of finding spam words on your website: ‘site:www.woobro.com casino’ would search for the spam word ‘casino’
• Check for links (internal and external) to unfamiliar spam sites. They tend to have random names containing multiple letters and numbers;
• Check the .htaccess, wp-config.php, index.php and any downloadable files you might have. All are favourite targets.
• Open the Raw Access Logs using WordPress’s cPanel to find out what files the hackers were accessing (look for POST statements in the log files). This can offer clues as to what exactly was compromised and when. You might also find the IP address accessing these files to discover where the hacker was coming from.
• Check your WordPress site’s registered users (if you have any). Some hackers register and then execute malicious scripts that target themes and plugins. The Stop Spammers plugin can be used to delete them.

Perform a full scan

While the above steps can help remove WordPress malware from your directories, they might not be 100% successful. It is recommended, therefore, that you also use a WordPress security plugin to run an advanced scan to clean your site.

An advanced scan means advanced knowledge: the plugin vendor will know WordPress inside out and so the plugin should be able to identify an infection, even if it’s new. They will be aware of known infections, have knowledge of patterns and/or signatures, as well as access to other sources that hold known spam URLs, malware and infections.

Select the most advanced scan available and, depending on how successful your efforts at the command line have been, more infected files may result.

Edit any such files one by one or delete them. The latter course of action might seem final – but remember that, if you have made a mistake, you do have a back-up to hand. In particular, check core, theme and plugin files. The scanner may have options to compare the file with the original version and to repair it.

After checking each file, run another scan and continue iteratively until the scanner reveals a clean bill of health.

Another example of anti-malware is Spybot Search And Destroy while CodeGuard automatically creates a backup and alerts you when it detects changes in your website’s code.

Re-install WordPress

Use the latest version. The same applies for your themes and plugins, which, since they are a prime source of vulnerability, can easily introduce malware. You may have, for example, downloaded them free of charge from an unreliable source.

Go to the original source this time and download new folders and files beneath /wp-content/themes/ and /wp-content/plugins/ respectively.

Upload relevant (and untainted) content (such as images) from your backup and also reset permalinks via the cPanel: Settings menu-> Permalinks and click ‘Save Changes’.

Change all your site passwords

This should apply to:

• Users, including administrator privilege;
• The access password to your hosting panel;
• FTP;
• The user of the database.

The last two steps can be done via the cPanel: Database menu-> MySQL Databases-> Current Users-> Change password.

You must also update wp-config.php as well. Open the file, find the following line, and change the password:

/** MySQL database password */

define( ‘DB_PASSWORD’, ‘password_here’ );

(Whilst in wp-config.php, it’s also worth taking the time to have a quick look for any text that might be suspicious.)

Always use passwords at least 8 characters long, including numbers and special symbols. This will protect you from hackers that try dictionary words. Avoid the sort of information (date of birth being an obvious example) that pertains to your private life.

In general, try and use unique passwords for different accounts and change them as often as you can.

Change the security keys and salts

WordPress uses four different keys for security purposes. They also encrypt information stored in cookies. Four different types of salt – which encrypt passwords – are also used. Both are auto-generated character strings and are held in the wp-config.php file.

Use the official WordPress Security Keys Generator to change the values of the keys and salts.

Google Chrome

Chrome is arguably as good as a scanner for detecting WordPress malware and can do so faster than Google Search Console, which produces a host of tools and reports to help you measure your site’s search performance and also fix issues.

This means that, if you act fast enough, you can even prevent Google from flagging your site as having malware. A quick response is even more important now that Google enforces a 30-day ban on site reviews to prevent repeat offenders.

But what if Google Chrome still says my site is suspicious?

If this is the case, you must remove it from Google’s Safe Browsing list:

• Sign into Google’s Search Console;
• Add your site (if you haven’t already);
• Verify it, following the instructions given;
• Select your site on the ‘Webmaster Tools’ home page;
• Click ‘Site status’, then ‘Malware’;
• Click ‘Request a review’.

How do I check whether my site is listed on Google’s Safe Browsing List?

Go here and enter your site’s URL (plus a sub-directory if necessary). The Google Safe Browsing list is, in fact, two lists: a malware list and a phishing list.

What if other virus removal systems still say my site is suspicious?

You may also need to keep track of whether the most common WordPress virus removal software (e.g. ESET, McAfee Site Advisor) packages are also saying that your site is still infected. This is known as ‘whitelisting’ and the vendors will have instructions on what to do.

Phew…you’ve fixed it

Your website has had its WordPress malware removed and you can take your maintenance page down. But you must now make sure the hack remains a one-off:

• Keep your WordPress version, plugins and themes up to date at all times, since the latest versions will stand a better chance of guarding against the latest vulnerabilities;
• Install a WordPress malware security plugin and use it regularly;
• Install a WordPress activity log plugin to keep track of everything that is happening on your website;
• Install the Login Lockdown plugin to prevent hackers targeting your WordPress admin login details.
• Remember to always use ‘strong’ passwords and (better still) change them from time to time;
• Delete any old WordPress installations you may still have;
• Make regular backups (once a month) since this is the best way to restore the site in the event of a hack. It doesn’t matter if you’ve even changed the theme yourself, with backup files you can keep the tweaks. Install a plugin for backup and recovery;
• Consider changing hosting – particularly if a) the cause of the hack turned out to be another website on shared hosting; and b) if the host has been less-than helpful during the WordPress malware cleanup process;
• If you’re deadly serious about not getting hacked again then perhaps you could hire a hacker – or rather an ethical hacker – to give your site the once over and identity potential weak spots.