WordPress Malware Removal Guide

WordPress Malware Removal Guide – How We Do It

 

WordPress Malware Removal GuideHas your site been infected with WordPress malware? If yes, do not panic! While a malware infection is serious, a calm head (and fingers) is what you need to tackle this issue head-on, perform Malware Removal and get your site back to full health.

In this article, we will show you how our team at FixRunner cleanup 90% of the malware cleanup requests we get. Keep in mind that if you go through all steps from our guide, and the malware still exists on your website, you must hire a professional to help you remove the malware. In case you decide to hire a professional, we offer full malware removal service and you can contact our team here https://www.fixrunner.com/malware-discount/

So, Is It a Malware?

First off, what behavior did you observe to suggest malware infection?

Are you locked out of your site because your (correct) login details suddenly stopped functioning? Do you notice changes to your homepage or inside pages that you did not make? 

Do you see the dreaded ‘site ahead contains malware’ malicious url notice on Google Search? Or did you do the site:yourdomain.com search on Google (replace yourdomain.com with your real domain) and notice pages you did not create and that look fishy?

Other behaviors that can indicate WordPress malware or a hacked WordPress site include:

  • Unknown links on your site
  • A sudden drop in traffic
  • Sudden slowness
  • Site is unresponsive
  • Unknown pop ups on your website
  • Site is sending spam emails

If you notice one or more of these on your site, we have bad news and good news for you.

First the bad – your beloved site is likely infected and needs to be cleaned.

And the good, you can calm your nerves. Fixrunner has years of experience helping clients rid their site of malicious code! In this article, we will share trade secrets to help you drive out those pesky unwanted guests. By the time you’re done, your “malicious website” should be as the day you installed it!

Follow me!

Content

  1. Backup Your Site
  2. Steps to Clean Your Site of WordPress Malware
  3. Conclusion

 

Malware Removal Guide – Backup Your Site

Malware removal from WordPress sites is a pretty serious process. Something could always go wrong. If that happens, it is better to have a malware infected backup than no WordPress backups at all.

More importantly, your host may delete your site if there is threat detection for any malware infection. No questions asked.

Thus, you need to backup your site files and WordPress database before you start. Please read our WordPress Backup guide for help. If you currently have problems accessing your site, the manual backup option(scroll down in the guide) may be your best bet.

Steps to Remove Malware from WordPress Site

With a backup in hand, it’s time to fish out the malware and clean your site. 

We will take you through a complete malware removal process that includes; finding and removing malware and removing vulnerabilities (possible points of infection). You will also see steps to verify that the site is clean, and remove your site from search engine blacklists.

We will finish up by giving you tips to improve your website security. So this doesn’t reoccur in the future.

Anyone with good knowledge of WordPress can perform this process. However, you may prefer to get your site cleaned by experts to avoid diving this deep into your code, and to quickly prevent further problems.

If you prefer this option, please request our malware removal service.

banner-malware-fixrunner-v2
 
Otherwise, read on!

Scan your WordPress site with Wordfence and Sucuri

Wordfence is a WordPress security plugin that is effective to remove any type of malware from infected sites. It also provides a website firewall (endpoint protection) to prevent brute force attack and other ongoing attempts.

To begin, install and activate this plugin.

Note: If you do not have access to your admin dashboard, you may resolve that first. Read our locked out of WordPress admin guide (use the phpmyadmin option).

After activation, go to Wordfence > Scan.

In the scan page, click on Scan Options and Scheduling.

scanning WordPress site

 

Next, set the scan type to ‘High Sensitivity’ and click Save Changes. After changes are saved, click Back to Scan.

Scanning WordPress Site

 

In the scan page, scroll down and click Start New Scan. Wait for the scan to be completed (this may take some time).

Scanning WordPress site

After the scan completes, the results page will show you a list of infected files, as well as other suggestions for security, such as plugins and themes needing update.

Wordfence scan

Cleaning infected files

First we will focus on suspicious files (we will deal with updates later).

Check the list to locate infected files. For each one, you have to examine the file to find and remove the malicious code section.

Let’s illustrate with a suspicious file on our sample report.

Removing infected files

As you can see, Wordfence indicated that this file was modified. This could mean it contains malware infused code.

Click on Details to expand the view. On the expanded view, you can see the filename and the path to find the file.

Now access your site file using ftp. When connected, follow the path to locate the file and open it for editing.

Removing suspected files

Carefully scan through the file to locate anything suspicious and clean them out. Our database malware removal article gives an idea of some things you can look for (read the ‘what do you search for’ section).

As an alternative to cleaning the infected file, you can delete it and replace it with a fresh copy. For example, the file flagged above is within a plugin. You can download the plugin, extract the zip file, locate the exact file, and replace the infected file with the new one.

After cleaning the first file on the report from Wordfence, go to the next report item and repeat the same cleaning process. Do this for each file identified until you have gone through the list.

Malware removal Guide – Scanning with Sucuri Security

It is possible for one malware scanner to miss a few items that another would catch. Thus, it makes sense to repeat the malware scan process using Sucuri scanner advanced features.

Head over to the Sucuri sitecheck scanner.

On the scan page, enter your website url and hit Scan Website.

Scanning site with sucuri

The scan results should appear in a few moments.

Any malware found will be presented in the results. This result shows the page in which the malware occurs and you can use this to trace the file that is infected.

Also, clicking on More details should expand the report to show the exact malware that was found in that file.

How to scan your site with sucuri
 
Armed with this information, you can follow the instructions in “cleaning infected files” section above to get rid of all malware in this report.

Malware Removal Guide – Replace WP Core Files

In the steps above, you should have cleaned or replaced any files that were flagged during your scan. However, for good measure, it is best to replace all your WordPress core files. Doing this will help ensure you have a copy of WordPress that has not been altered.

And if there are malware hiding in any core file, this complete sweep is one of the best ways to flush them out.

To get started, download the latest version of WordPress.

When the download completes, unzip the file into a folder.

Next, connect to your site using FTP. Watch this video tutorial if you need help with this: How to Use FTP.

After connecting, you would see your site files on the right.

How to replace WP core - Malware Removal Guide

Open the folder containing your WordPress files (likely public_html).

Within this folder, locate the wp-includes and wp-admin folders and delete them. Leave the other folders.

How to replace wp core files - Malware Removal Guide

This will take some time so wait for it to complete.

After the deletion completes, on the left, open the folder containing the extracted WordPress files (the latest version you downloaded).

Within this folder, select everything except the wp-content folder, right click, and click Upload.

How to replace WP core files -Malware Removal Guide

After hitting upload, you will see a “file exists” dialog box. Select ‘Overwrite’ and tick ‘Always use this action’ and ‘Apply to current queue only’. Click OK to proceed with your upload.

How to replace WP core files - Malware Removal Guide
 
When the upload completes, you have successfully replaced your core files, and also updated to the latest version of WordPress.

Malware removal Guide – Update All Plugins

Malware enters into your site through vulnerabilities. These are parts of your code that contain loopholes that can be exploited by malicious software.

Most vulnerabilities come with plugins you install. However, the makers of these plugins often identify them and create security updates to fix the issue.

Thus, you need to update all your plugins to clean up and harden your site against malware.

To do this, login to your WordPress dashboard and go to Plugin > Installed Plugins.

In the plugins page, tick the checkbox at the top to mark all plugins.

How to update plugins

Next, click Bulk Actions, select ‘Update’, and click Apply.

How to update Plugins
 
Your plugins will begin updating. This may take some time. You will begin to see updating status for each plugin until they are all updated.

Check If All Plugins Are Still Supported

As explained above, plugins have to be updated from time to time to keep them secure and current.

However, some plugins are abandoned by developers and no longer receive updates.

Check the release dates for plugin updates. Any plugin that has not received updates for 1 year or longer should be removed. You can always get another more current plugin to provide the same functions.

Also, if you have installed plugins that you do not use, simply delete them.

To check and remove outdated/inactive plugins, go Plugins > Installed Plugins.

Starting from the top, delete all plugins that are not active.

Deleting plugins

If a plugin is activated, click View details to check the last day it received updates.

Checking the date last updated

If it has not received updates for a year or longer, you should ideally deactivate and delete this plugin

How to de Malware Removal Guide

Keep in mind that your site will lose some functionality when you do. You should prepare for this before deleting.

You may have to install another more current plugin to replace the outdated one.
 
Continue this process until your site only contains plugins you use, and that have received updates recently.

Update Current Theme and Remove Themes That Are Not in Use

Similar to plugins, outdated themes can present vulnerabilities.

Thus, you need to ensure your theme is updated. Before doing this, note that any custom template changes made directly on the theme may be overwritten after an update.

Frankly, it is bad practice to make custom changes directly on your theme templates and chances are, that is not the case for you. But you may want to make sure!

Next, to update your theme, go to Appearance > Themes.

Your active theme will be first in the list. If there is an update for this theme, you will see a notice about it. Hover over theme and click Theme Details.

Malware Removal Guide theme

On the right, you would see a notice about the update, click update now.

Also (and this is important), scan this section to see if there’s any mention of your theme being a child theme of another. If yes, note the name of the Parent theme.

How to update your theme - Malware Removal Guide

After the update completes, close the pop out to return to your theme. Now aside from your current theme, and if present, a parent theme for your current theme, delete all other themes that are not in use.

To do this, hover over a theme, click Theme Details, and then click Delete.

How to check theme details - Malware Removal Guide
 
Repeat until all unused themes are deleted.

Lastly, update your parent theme.

Malware Removal Guide – Review Server Manually for Unknown Files

After completing the core update step above, you have replaced much of the files in your WordPress install. However, your main folder (public_html in many cases) and your wp-content folder could still contain malicious code.

Thus, you need to verify the integrity of both folders by reviewing them and manually removing suspicious code. 

First the main folder. Since you already have a recent version of WordPress downloaded on your system, you can compare the files in there to the files in your main folder.

To do this, access your site using ftp.

In your site files on the right, open the main folder containing WordPress. On your local files on the left, open the folder containing the new WordPress version you downloaded.

Access your wesite using FTP - Malware Removal Guide

Check every PHP or Javascript file that is in site files on the right but not in the new WP files you downloaded.

Take special note of the ‘Last Modified’ column. If the last modification date is around the time you started noticing malware behavior in your site, then that file is a prime suspect.

You may do an extra research on any suspicious file and find the function of that file. If it appears malicious, go ahead and delete it. If you want to be extra careful, you can save a copy to your local machine before deleting it.

To check the wp-content folder, open it up in your site files on the right.

Checking WP content file

Next, you have to go from folder to folder to review PHP and Javascript files. The rules are similar. Search for recently modified files. Pay attention at the time that you started noticing malware behavior.
 
Following this process, you can identify and delete malicious files that scanners may have missed.

Scan WordPress Again to Verify Cleanness

After performing all the cleaning steps above, run another WordFence scan to verify the cleanness and file integrity of your site.
 
If you have followed the steps carefully, there should be no files flagged as “containing malware” at this point. However, if there is, you can use the “Cleaning Infected Files” instructions in the Wordfence section above to get rid of it.

Change All WP-Admin User And Hosting/Database Passwords

At this point, you want to assume that whoever created the malware in your site now has your access details. Thus, to prevent recurrence, you have to change out ALL your passwords.

For your wp admin passwords, follow any of the steps in our how to change WordPress password guide.

Your web host should have instructions on how you can change your hosting and database passwords. Please contact them, or search for their guides on these topics.

After changing your database password, you have to put the new password in your wpconfigphp file.

To do this, access your site files with FTP.

In the main site folder (usually public_html), locate the wp-config file. Once found, right-click on it and click View/Edit.

View/Edit WP config file

A text editor opens the file. Locate the ‘MySQL database password’ section and replace the old password with your new password.

Replace your password
 
Save and close the file. You will be prompted to upload the updated file. Click Yes.

Submit To Google For Review If Site Is Blacklisted

If you see “the site ahead contains malware” when you search for your site on Google, then you need to submit your site for review.

Essentially, you need to let Google know that you have cleaned your site, and they should take a look and remove the malware warning. You can do this using Google Search Console (formerly webmaster tools).
 
Please follow the steps in our fix site ahead contains malware guide (use the 3rd step in the guide).

Malware Removal – Conclusion

Dealing with WordPress malware infection is no easy process. You would need confidence (to make major changes) and care (so you don’t brick your site).

Add to that the right instructions, and you can successfully remove malware from your site.

However, prevention – like they say – is better than a cure. Thus you have to harden your site and implement a WordPress firewall to prevent malware infection in the future.

Please read our WordPress Security Guide to learn how to do this.

If you have benefited from this article, kindly share it with others.

banner-malware-fixrunner-v2