Malware Removal Guide in WordPress – How We Do It
Has your site been infected with WordPress malware? If yes, do not panic! While a malware infection is serious, a calm head (and fingers) is what you need to tackle this issue head-on, perform Malware Removal and get your site back to full health.
In this article, we will show you how our team at FixRunner performs 90% of the malware cleanup requests we get. Keep in mind that if you go through all the steps in our guide and the malware still exists on your website, you should hire a professional. We offer a complete removal service and you can contact our team here.
So, Is It a Malware?
First off, what behavior did you observe to suggest malware infection?
Are you locked out of your site because your (correct) login details suddenly stopped functioning? Do you notice changes to your homepage or inside pages that you did not make?
Do you see the dreaded ‘site ahead contains malware’ malicious URL notice on Google Search? Or did you run a site:yourdomain.com search on Google (replace yourdomain.com with your real domain) and notice pages you did not create and that look fishy?
Other behaviors that can indicate WordPress malware or a hacked WordPress site include:
- Unknown links on your site
- A sudden drop in traffic
- Sudden slowness
- Site is unresponsive
- Unknown pop ups on your website
- Site is sending spam emails
If you notice one or more of these on your site, we have bad news and good news for you.
First the bad – your beloved site is likely infected with a virus and needs to be cleaned.
And the good: you can calm your nerves. FixRunner has years of experience helping clients rid their sites of malicious code (viruses)! In this article, we will share trade secrets to help you drive out those pesky unwanted guests. By the time you’re done, your “malicious website” should be as clean as the day you installed it!
- Backup Your Site
- Steps to Clean Your Site of WordPress Malware
- Scan your WordPress site with Wordfence and Sucuri
- Replace WP core files
- Update all plugins
- Check if all plugins are still supported
- Update current theme and remove themes that are not in use
- Review server manually for unknown files
- Scan WordPress again to verify cleanness
- Change all wp admin user and hosting/database passwords
- Submit to Google for review if site is blacklisted.
Malware Removal Guide – Backup Your Site
Malware removal from WordPress sites is a pretty serious process. Something could always go wrong. If that happens, it is better to have a malware infected backup than no WordPress backups at all.
More importantly, your host may delete your site if there is threat detection for any malware infection. No questions asked.
Thus, you need to back up your site files and WordPress database before you start. Please read our WordPress Backup guide for help. If you currently have problems accessing your site, the manual backup option (scroll down in the guide) may be your best bet.
Steps to Remove Malware from WordPress Site
With a backup in hand, it’s the right moment to fish out the malware and clean your site.
We will take you through a complete removal process that includes finding and removing malware and removing vulnerabilities (possible points of infection). You will also see steps to verify that the site is clean, and remove your site from search engine blacklists.
We will finish up by giving you tips to improve your website security, so this doesn’t reoccur in the future.
Anyone with good knowledge of WordPress can perform this process. However, you may prefer to get your site cleaned by experts to avoid diving this deep into your code, and to quickly prevent further problems.
If you prefer this option, please request our malware removal service.
Otherwise, read on!
Scan your WordPress site with Wordfence and Sucuri
Wordfence is a WordPress security plugin that is effective at eliminating any type of malware from infected sites. It also provides a website firewall (endpoint protection) to prevent brute force attacks and other ongoing attempts.
To begin, install and activate this plugin.
Note: If you do not have access to your admin dashboard, you may resolve that first. Read our locked out of WordPress admin guide (use the phpmyadmin option).
After activation, go to Wordfence > Scan.
In the scan page, press Scan Options and Scheduling.
Next, set the scan type to ‘High Sensitivity’ and press Save Changes. After the changes are saved, click Back to Scan.
In the scan page, scroll down and press Start New Scan. Wait for the scan to be completed (this may take some time).
After the scan completes, the results page will show you a list of infected files, as well as other suggestions for security, such as plugins and themes needing update.
Cleaning infected files
First we will focus on suspicious files (we will deal with updates later).
Check the list to locate infected files. For each one, you have to examine the file to find and eliminate the malicious code section.
Let’s illustrate with a suspicious file on our sample report.
As you can see, Wordfence indicated that this file was modified. This could mean it contains malware infused code.
Go to Details to expand the view. On the expanded view, you can see the filename and the path to find the file.
Now access your site files using FTP. When connected, follow the path to locate the file and open it for editing.
Carefully scan through the file to locate anything suspicious and clean it out. Our How to scan WordPress for malware article gives an idea of some things you can look for (read the ‘what do you search for’ section).
As an alternative to cleaning the infected file, you can delete it and replace it with a fresh copy. For example, the file flagged above is within a plugin. You can download the plugin, extract the zip file, locate the exact file, and replace the infected file with the new one.
After cleaning the first file on the Wordfence report, go to the next item in the report and repeat the same cleaning process. Do this for each file identified until you have gone through the list.
Scanning with Sucuri Security
It is possible for one malware scanner to miss a few items that another would catch. Thus, it makes sense to repeat the malware scan process using the Sucuri scanner’s advanced features.
Head over to the Sucuri sitecheck scanner.
On the scan page, enter your website URL and hit Scan Website.
The scan results should appear in a few moments.
Any malware found will be presented in the scan results. The results show the page on which the malware occurs, and you can use this to trace the file that is infected.
Also, clicking on More details should expand the report to show the exact malware that was found in that file.
Armed with this information, you can follow the instructions in the “Cleaning infected files” section above to get rid of all malware in this report.
Replace WP Core Files
In the steps above, you should have cleaned or replaced any files that were flagged during your scan. However, for good measure, it is best to replace all your WordPress core files. Doing this will help ensure you have a copy of WordPress that has not been altered.
And if there is malware hiding in any core file, this complete sweep is one of the best ways to flush it out.
To get started, download the latest version of WordPress.
When the download completes, unzip the file into a folder.
Next, connect to your site using FTP. Watch this video tutorial if you need help with this: How to Use FTP.
After connecting, you will see your site files on the right.
Open the folder containing your WordPress files (likely public_html).
Within this folder, locate the wp-includes and wp-admin folders and delete them. Leave the other folders.
This may take a while, so wait for it to complete.
After the deletion completes, on the left, open the folder containing the extracted WordPress files (the latest version you downloaded).
Within this folder, select everything except the wp-content folder, right click, and press Upload.
After hitting upload, you will see a “file exists” dialog box. Select ‘Overwrite’ and tick ‘Always use this action’ and ‘Apply to current queue only’. Click OK to proceed with your upload.
When the upload completes, you have successfully replaced your core files, and also updated to the latest version of WordPress.
Malware removal Guide – Update All Plugins
Malware enters your site through vulnerabilities. These are parts of your code that contain loopholes that can be exploited by malicious software injecting malware, spyware or even ransomware.
Most vulnerabilities come with plugins you install. However, the makers of these plugins often identify them and create security updates to fix the issue.
Thus, to execute Malware Removal, you need to update all your plugins to clean up and harden your site against malware.
To do this, log in to your WordPress dashboard and go to Plugins > Installed Plugins.
In the plugins page, tick the checkbox at the top to mark all plugins.
Next, click Bulk Actions, select ‘Update’, and Apply.
Your plugins will begin updating. This may take some time. You will begin to see updating status for each plugin until they are all updated.
Check If All Plugins Are Still Supported
As explained above, plugins have to be updated from time to time to keep them secure and current.
However, some plugins are abandoned by developers and no longer receive updates.
Check the release dates for plugin updates. Any plugin that has not received updates for 1 year or longer should be removed. You can always get another more current plugin to provide the same functions.
Also, if you have installed plugins that you do not use, simply delete them.
To check and remove outdated/inactive plugins, go to Plugins > Installed Plugins.
Starting from the top, delete all plugins that are not active.
If a plugin is activated, press View details to check the last day it received updates.
If it has not received updates for a year or longer, you should ideally deactivate and delete this plugin.
Keep in mind that your site will lose some functionality when you do. You should prepare for this before deleting.
You may have to install another more current plugin to replace the outdated one.
Continue this process until your site only contains plugins you use, and that have received updates recently.
Update Current Theme and Remove Themes That Are Not in Use
Similar to plugins, outdated themes can present vulnerabilities.
Thus, you need to ensure your theme is updated in order to perform successful Malware Removal. Before doing this, note that any custom template changes made directly on the theme may be overwritten after an update.
Frankly, it is bad practice to make custom changes directly on your theme templates and chances are, that is not the case for you. But you may want to make sure!
Next, to update your theme, go to Appearance > Themes.
Your active theme will be first in the list. If there is an update for this theme, you will see a notice about it. Hover over the theme and click Theme Details.
On the right, you will see a notice about the update. Click update now.
Also (and this is important), scan this section to see if there’s any mention of your theme being a child theme of another. If yes, note the name of the Parent theme.
After the update completes, close the pop out to return to your theme. Now aside from your current theme, and if present, a parent theme for your current theme, delete all other themes that are not in use.
To do this, hover over a theme, click Theme Details, and then Delete.
Repeat until all unused themes are deleted.
Lastly, update your parent theme.
Malware Removal Guide – Review Server Manually for Unknown Files
After completing the core update step above, you have replaced many of the files in your WordPress install. However, your main folder (public_html in many cases) and your wp-content folder could still contain malicious code.
Thus, you need to verify the integrity of both folders by reviewing them and manually removing suspicious code.
First the main folder. Since you already have a recent version of WordPress downloaded on your system, you can compare the files in there to the files in your main folder.
To do this, access your site using FTP.
In your site files on the right, open the main folder containing WordPress. On your local files on the left, open the folder containing the new WordPress version you downloaded.
Take special note of the ‘Last Modified’ column. If the last modification date is around the time you started noticing malware behavior in your site, then that file is a prime suspect.
You may do extra research on any suspicious file to find out its function. If it appears malicious, go ahead and delete it. If you want to be extra careful, you can save a copy to your local machine before deleting it.
To check the wp-content folder, open it up in your site files on the right.
Following this process, you can identify and delete malicious files that scanners may have missed.
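The comparison described in this section can also be scripted once the site files have been downloaded to a local folder. The following is an added example, not FixRunner's own tooling: the function names, the skip lists and the sample trees built in demo() are assumptions made for illustration, and it assumes the clean download is the same WordPress version as the site.

```python
import hashlib
import os
import tempfile
from pathlib import Path

# Site-specific paths that a stock WordPress download cannot vouch for.
SKIP_DIRS = {"wp-content"}
SKIP_FILES = {"wp-config.php"}

def _hashes(root):
    """Map relative path -> (sha256 hex digest, modification time)."""
    out = {}
    for path in Path(root).rglob("*"):
        rel = path.relative_to(root).as_posix()
        if path.is_file() and rel not in SKIP_FILES and rel.split("/")[0] not in SKIP_DIRS:
            digest = hashlib.sha256(path.read_bytes()).hexdigest()
            out[rel] = (digest, path.stat().st_mtime)
    return out

def compare_to_clean(site_root, clean_root, suspect_since=None):
    """List files that are unknown, modified, or changed since a timestamp."""
    site, clean = _hashes(site_root), _hashes(clean_root)
    report = {"unknown": [], "modified": [], "recent": []}
    for rel, (digest, mtime) in sorted(site.items()):
        if rel not in clean:
            report["unknown"].append(rel)    # not part of stock WordPress
        elif clean[rel][0] != digest:
            report["modified"].append(rel)   # core file content differs
        if suspect_since is not None and mtime >= suspect_since:
            report["recent"].append(rel)     # 'Last Modified' in the suspect window
    return report

def _write(root, rel, data, mtime):
    path = Path(root, rel)
    path.parent.mkdir(parents=True, exist_ok=True)
    path.write_bytes(data)
    os.utime(path, (mtime, mtime))

def demo():  # constructed sample trees, not real site data
    old, new = 1_600_000_000, 1_700_000_000
    with tempfile.TemporaryDirectory() as tmp:
        site, clean = Path(tmp, "site"), Path(tmp, "clean")
        for root in (site, clean):
            _write(root, "index.php", b"<?php // stock\n", old)
        _write(clean, "wp-includes/version.php", b"<?php // stock\n", old)
        _write(site, "wp-includes/version.php", b"<?php // changed\n", new)
        _write(site, "wp-admin/unknown-file.php", b"<?php // unknown\n", new)
        _write(site, "wp-config.php", b"<?php // site config\n", old)
        _write(site, "wp-content/themes/x/style.css", b"/* theme */", new)
        return compare_to_clean(site, clean, suspect_since=1_650_000_000)
```

Files reported as unknown are not automatically malicious (a legitimate .htaccess will show up there, for example), and wp-content is skipped on purpose, so it still needs the manual review described above.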
Scan WordPress Again to Verify Cleanness – Malware Removal
After performing all the cleaning steps above, run another Wordfence scan to verify the cleanness and file integrity of your site.
If you have followed the steps carefully, there should be no files flagged as “containing malware” at this point. However, if there are, you can use the “Cleaning infected files” instructions in the Wordfence section above to get rid of them.
Change All WP-Admin User And Hosting/Database Passwords
At this point, you want to assume that whoever created the malware in your site now has your access details. Thus, to prevent recurrence, you have to change out ALL your passwords.
For your wp admin passwords, follow any of the steps in our how to change WordPress password guide.
Your web host should have instructions on how you can change your hosting and database passwords. Please contact them, or search for their guides on these topics.
After changing your database password, you have to put the new password in your wp-config.php file.
To do this, access your site files with FTP.
In the main site folder (usually public_html), locate the wp-config.php file. Once found, right-click on it and press View/Edit.
A text editor opens the file. Locate the ‘MySQL database password’ section and replace the old password with your new password.
Save and close the file. You will be prompted to upload the updated file. Click Yes.
Submit To Google For Review If Site Is Blacklisted
If you see “the site ahead contains malware” when you search for your site on Google, then you need to submit your site for review.
Essentially, you need to let Google know that you have cleaned your site, and they should take a look and remove malware warnings. You can do this using Google Search Console (formerly webmaster tools).
Please follow the steps in our fix site ahead contains malware guide (use the 3rd step in the guide).
Malware Removal – Conclusion
Dealing with a WordPress malware infection is no easy process. You need confidence (to make major changes) and care (so you don’t break your site).
Add to that the right anti malware instructions, and you can successfully eliminate any virus from your site.
However, prevention – like they say – is better than a cure. Thus you have to harden your site and implement a WordPress firewall to prevent malware infection in the future.
Please read our WordPress Security Guide to learn how to do this.
If you have benefited from this article, kindly share it with others.