Search Google for almost any “how to remove malware or hacks from WordPress” and nearly every result is a how-to guide that starts with “download this WordPress malware removal plugin.” But what if your site is so badly infected that you can’t access the backend, or can’t access the website at all? This post gives a basic overview of our process for removing malware without relying on the compromised site to clean itself. Each case is different: sometimes it takes a few minutes, other times hours or days.
Some of these hacks are getting nasty. The best decision we ever made was starting daily backups and retaining them for at least 365 days. Long retention matters because an infection is often discovered weeks after the initial break-in, and last night's backup may already contain the backdoor. This way, if you get hacked on, say, Tuesday the 20th, you can go back to the 19th or 18th, or further, and restore that version. Once it is restored, lock it down, update all plugins, themes and core files, and move on. For larger sites it may not be possible to restore a 3-day-old copy when the database is constantly changing, but having backups is nevertheless always helpful.
If you have children, think of our method the way I handle mine when they are arguing. I don’t try to solve their problems or change who they are when they are being irrational, I simply separate them. That solves 90% of the disputes in my house. The way we deal with WordPress malware is similar: we separate everything and deal with each part of the CMS in its own isolated environment.
Getting Started With WordPress Malware Removal
Always remember to back up everything incrementally between each step; you may need to go back and redo a step multiple times.
Before we start exporting files, always spin up a new VM; don’t use your actual Windows machine, as infections can spread this way to your local PC. As a webmaster it is always recommended to have a few virtual machines running on your PC, on a local server or in the cloud. I personally use Hyper-V and Windows Subsystem for Linux. Windows makes it super easy to transfer files from Windows to Linux by mounting the entire filesystem inside of Windows Explorer. Keep in mind that this convenience cuts both ways: WSL and the Windows host can see each other's filesystems, so a dedicated Hyper-V VM with no shared folders is the better quarantine for the actual analysis.
Export the Filesystem
Export the file system to a VM on your PC. You can do this a number of ways:
- on Linux you can just tar the entire directory and copy the archive down over SSH (not through the web server, which is the thing you no longer trust)
- use a hosting control panel like cPanel to generate and download a backup
- rsync the directory to another VPS and deal with it there
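Here is how the export can be done from a shell so that the copy you analyse is provably the one you pulled from the server. This is an added example, not tooling from the original post; it assumes a POSIX shell with tar, find and GNU sha256sum, and the docroot and output paths in the demo are made up.

```shell
#!/bin/sh
# Added example, not the post's own tooling. Packs a WordPress docroot into a
# tarball plus a per-file SHA-256 manifest so the copy that lands on the
# analysis VM can be checked byte for byte before triage starts.
# Assumes tar, find and GNU sha256sum; every path in the demo is made up.

# export_site DOCROOT OUTDIR -> prints the path of the archive it wrote
export_site() {
    docroot=$1
    outdir=$(mkdir -p "$2" && cd "$2" && pwd)   # absolute, so tar -C cannot confuse it
    name="site-$(date -u +%Y%m%dT%H%M%SZ)"
    # Manifest first, relative to the docroot: it also documents what the
    # live host held at export time, which helps later when asking "what changed".
    ( cd "$docroot" && find . -type f -exec sha256sum {} + ) > "$outdir/$name.sha256"
    # -C keeps absolute server paths out of the archive.
    tar -C "$docroot" -czf "$outdir/$name.tar.gz" .
    # Hash of the archive itself, to re-check after the rsync/scp hop.
    ( cd "$outdir" && sha256sum "$name.tar.gz" > "$name.tar.gz.sha256" )
    printf '%s\n' "$outdir/$name.tar.gz"
}

# verify_export ARCHIVE DESTDIR -> 0 only if the archive hash matches and every
# extracted file matches the manifest; anything else means a bad copy
verify_export() {
    archive=$1
    destdir=$(mkdir -p "$2" && cd "$2" && pwd)
    srcdir=$(cd "$(dirname "$archive")" && pwd)
    base=$(basename "$archive" .tar.gz)
    ( cd "$srcdir" && sha256sum -c "$base.tar.gz.sha256" >/dev/null ) || return 1
    tar -C "$destdir" -xzpf "$archive"
    ( cd "$destdir" && sha256sum -c --quiet "$srcdir/$base.sha256" )
}

# Demo on a constructed throwaway tree; nothing on a real site is touched.
demo_export() {
    work=$(mktemp -d)
    mkdir -p "$work/docroot/wp-content/uploads"
    printf '<?php // constructed placeholder\n' > "$work/docroot/index.php"
    printf 'not really an image\n' > "$work/docroot/wp-content/uploads/a.jpg"
    archive=$(export_site "$work/docroot" "$work/out")
    if verify_export "$archive" "$work/analysis"; then
        echo "verified copy at $work/analysis"
    else
        echo "copy does NOT match the export, do not analyse it" >&2
        return 1
    fi
}
demo_export
```

Run export_site on the server as the user that owns the docroot, copy the three output files to the analysis VM, and run verify_export there; the manifest is also worth keeping after the cleanup, since it records exactly which files existed at the moment you took the site offline.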
Open these files up (again, inside of a quarantined environment) and do some basic hygiene. I like to use an offline Windows machine. We can’t allow any of these files to execute or replicate while we are in maintenance mode, so again, use an offline VM. Double-check you don’t have any old wp-content2 folders lying around, and delete any local backups that may be sitting inside plugin backup directories. And for god's sake, make sure you don’t have any old versions of websites inside these directories. I’ve seen entire Joomla/Drupal installs inside a WordPress directory with malware leaking everywhere. Anything reachable from the web root that is not part of the site you are cleaning is both a likely entry point and a place for the attacker to hide, so it goes.
Replace Core WordPress
Next we are going to do a huge dump and a fresh WP install/upgrade in one. It is basically like following the official WordPress documentation for a manual upgrade. It goes a little something like this (inside a quarantined environment, of course):
- backup everything again just in case
- delete wp-admin
- delete wp-includes
- delete everything else inside your wp root except wp-config.php, .htaccess and the wp-content folder. We are going to look at .htaccess a little later, and wp-config.php deserves a read too: open it and confirm it contains nothing but the settings you put there, since an appended include or eval is a common place to hide a backdoor.
- ditch as many plugins and themes as you can; you can always put those back later.
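The deconstruction steps above, scripted against a quarantined copy as an added example (not the post's own tooling). It assumes the export already sits on the analysis VM, defaults to a dry run that only prints what it would delete, and needs --apply as the second argument to actually remove anything; the tree in the demo is constructed.

```shell
# Added example, not from the post. Applies the deconstruction steps to a
# quarantined copy: wp-admin, wp-includes, every other top-level file and
# dotfile except wp-config.php and .htaccess, and the plugin and theme
# directories all go; wp-content itself stays because uploads, languages and
# mu-plugins hold your own data and are scanned next. Dry run unless the
# second argument is --apply. The tree in the demo is constructed.

_remove_entry() {            # _remove_entry PATH MODE
    if [ "$2" = "--apply" ]; then
        rm -rf -- "$1"
        echo "removed: $1"
    else
        echo "would remove: $1"
    fi
}

# strip_wordpress ROOT [--apply] -> one line per entry handled;
# returns 2 if ROOT has no wp-config.php (wrong directory, stop)
strip_wordpress() {
    root=$1
    mode=${2:-dry-run}
    [ -f "$root/wp-config.php" ] || { echo "no wp-config.php under $root" >&2; return 2; }
    # Top level, dotfiles included: a planted .user.ini or a stray .git is as
    # much a finding as anything else and is removed with the rest.
    for entry in "$root"/* "$root"/.[!.]*; do
        [ -e "$entry" ] || continue
        case "$(basename "$entry")" in
            wp-config.php|.htaccess|wp-content) continue ;;
        esac
        _remove_entry "$entry" "$mode"
    done
    # Plugins and themes are replaced wholesale from official downloads;
    # everything else in wp-content is kept for scanning.
    for entry in "$root/wp-content/plugins" "$root/wp-content/themes"; do
        [ -e "$entry" ] && _remove_entry "$entry" "$mode"
    done
    return 0
}

# Demo: dry run first, then for real, then show what survived.
demo_strip() {
    work=$(mktemp -d)
    mkdir -p "$work/wp-admin" "$work/wp-includes" "$work/wp-content/plugins/foo" \
             "$work/wp-content/themes/bar" "$work/wp-content/uploads/2024"
    for f in wp-config.php .htaccess .user.ini index.php xmlrpc.php wp-content/uploads/2024/photo.jpg; do
        : > "$work/$f"
    done
    strip_wordpress "$work"
    strip_wordpress "$work" --apply
    ls -A "$work" "$work/wp-content"
}
demo_strip
```

Keep the dry-run output with your notes: it is the list of everything you replaced, which is useful when a client later asks why a plugin they half-remember is gone. Once core and plugins are re-downloaded, wp-cli's wp core verify-checksums and wp plugin verify-checksums compare the files against the checksums wordpress.org publishes, which is the quickest way to confirm they are pristine.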
The deconstruction phase is complete. At this point most of the malware has most likely been deleted along with the core, plugin and theme files it was hiding in, but we are going to make sure by moving on to the next step.
Finding Malware on your WordPress Site
Scan for malware locally. Be sure that your virus definitions are updated; new malware is discovered every hour of every day, so this is important. Windows 10/11 actually does a decent job of scanning for malware: Defender's real-time protection inspects files as they are written to disk, so extracting an archive of your WordPress site on a Windows VM will usually surface the well-known PHP webshells on its own. Treat that as a first pass, not a verdict; it will not catch everything.
During a recent malware audit for our clients, we found a myriad of malware in just a few seconds.
If you are handy with Linux, you can use a program like maldet (Linux Malware Detect) or ClamAV to scan for malware. This is highly recommended. I’ll be honest, I’ve had instances where Windows found more malware than maldet/clamav and some where maldet/clamav found more than Windows, so run more than one scanner.
If you’ve found any malware, keep a quarantined copy for reference (the filename and contents are what you will grep the server logs for later) and delete it from the working tree.
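Signature scanners only find what they already know, so here is the manual triage I would run over the quarantined copy, as an added example rather than anything from the post: it lists PHP-capable files sitting where only media belongs, greps every PHP file for the eval/decode primitives webshells lean on, and prints the offending lines. The regexes are assumptions based on common obfuscation styles and will produce some false positives on legitimate code; the fixture files are constructed.

```shell
# Added example, not the post's scanner; maldet and ClamAV are separate tools
# and should still be run. Manual triage over the quarantined copy.
# The regexes are assumptions drawn from how webshells and injectors are
# usually written: treat a hit as "open this file", not "this is malware".

# Obfuscation/eval primitives, user input passed straight into a call, and
# the preg_replace /e modifier (code execution on old PHP).
SUSPICIOUS_RE='(^|[^[:alnum:]_])(eval|assert|create_function|base64_decode|gzinflate|gzuncompress|str_rot13) *[(]|[$]_(GET|POST|REQUEST|COOKIE)\[[^]]*] *[(]|preg_replace *[(].*/e[^[:alnum:]]'

# php_in_uploads ROOT: uploads should hold media only, so any PHP-capable file
# or per-directory config there is a finding by location alone.
php_in_uploads() {
    find "$1/wp-content/uploads" -type f \( -iname '*.php' -o -iname '*.phtml' \
        -o -iname '*.php[3457]' -o -iname '*.phar' -o -name '.htaccess' -o -name '.user.ini' \)
}

# suspicious_php ROOT: every .php file under ROOT whose content matches SUSPICIOUS_RE
suspicious_php() {
    # grep exits 1 for a batch with no hits, which find then propagates;
    # that is not an error for our purposes, hence the || :
    find "$1" -type f -iname '*.php' -exec grep -lE "$SUSPICIOUS_RE" {} + || :
}

# show_hits FILE: matching lines with line numbers, trimmed, for a first look
show_hits() {
    grep -nE "$SUSPICIOUS_RE" "$1" | cut -c1-160
}

demo_triage() {
    work=$(mktemp -d)
    mkdir -p "$work/wp-content/uploads/2024/01" "$work/wp-content/plugins/tidy"
    # Constructed fixtures: one obvious dropper named to blend in, one clean
    # plugin file, one image.
    printf '<?php @eval(base64_decode($_POST["c"]));\n' > "$work/wp-content/uploads/2024/01/wp-cache.php"
    printf '<?php\nfunction tidy_init() { return esc_html("ok"); }\n' > "$work/wp-content/plugins/tidy/tidy.php"
    printf 'not an image\n' > "$work/wp-content/uploads/2024/01/photo.jpg"
    echo "== PHP where only media belongs:"; php_in_uploads "$work"
    echo "== PHP with suspicious constructs:"
    suspicious_php "$work" | while read -r f; do echo "$f"; show_hits "$f"; done
}
demo_triage
```

Expect hits in legitimate code too (some caching and minifier plugins genuinely call gzinflate or base64_decode); the point of show_hits is to let you look at the line and decide, and anything you cannot decide on goes to VirusTotal as the post describes.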
Re-Install Plugins
Manually locate every plugin on the official WordPress plugin repository (or the vendor's site for premium plugins) and re-download all of them so you have a fresh, official copy. Be sure to note any API keys, passwords and the like that you will need to re-enter. Don't reuse the copies from the infected site, and be suspicious of any plugin directory you cannot find in the repository at all; fake plugins are a common way of keeping a foothold.
Re-download your WordPress theme from the official repository and replace it.
After you are sure that you’ve scanned for malware in your wp-content folder, add that back to your local repository.
Start putting plugins back inside your local repository.
At this point you should now have:
- a fresh WordPress install
- fresh plugins
- fresh themes
The only thing left is your wp-content folder, which should be squeaky clean after scanning it. Scanners only know what they have signatures for, so also look at what is there: a .php file under wp-content/uploads, or an .htaccess or .user.ini in there, is a finding regardless of what the scanner says. If you see a file or group of files you are unsure of, upload it to VirusTotal, which is a very well known web tool to scan for malware.
Database Cleansing and Password Updates
The next part is tricky: we need to export your database. I like to export it as a plain-text SQL dump (mysqldump, or your control panel's export) and grep through it rather than browse it live.
Once the dump is exported as text, start searching it for <iframe, <script, base64_decode, eval( and similar. If you do find these references it is not always easy to remove them; they really need to be combed through one by one, because legitimate posts and plugin settings can contain script tags too. I’ll normally restore the infected db on the analysis VM, browse it using a db client and start removing rows, or at times entire groups of tables, one by one. The usual hiding places are wp_posts (post_content), wp_options (widget and theme settings, the siteurl/home values, and scheduled cron entries) and wp_users/wp_usermeta (extra administrator accounts).
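The dump search described above, as an added example (not the post's exact procedure): it greps a plain-text SQL dump for the injection markers and reports which table each hit lives in, using the nearest INSERT INTO line. It assumes the dump was produced with mysqldump --skip-extended-insert so each row is its own INSERT line; the four-row dump in the demo is constructed.

```shell
# Added example, not the post's exact procedure. Greps a plain-text SQL dump
# for injection markers and reports the table each hit lives in by remembering
# the most recent INSERT INTO line. Assumes mysqldump --skip-extended-insert
# (one row per INSERT line); the dump in the demo is constructed.

# Lowercase on purpose: the scan compares against tolower($0).
DB_RE='<iframe|<script|base64_decode|eval *[(]|string[.]fromcharcode|display: *none|visibility: *hidden'

# scan_dump FILE -> "table<TAB>line<TAB>excerpt" for every matching line
scan_dump() {
    awk -v re="$DB_RE" '
        /^INSERT INTO/ { t = $3; gsub(/`/, "", t); table = t }
        tolower($0) ~ re { printf "%s\t%d\t%s\n", table, NR, substr($0, 1, 120) }
    ' "$1"
}

demo_scan() {
    dump=$(mktemp)
    cat > "$dump" <<'EOF'
-- constructed dump, not real data
INSERT INTO `wp_options` VALUES (1,'siteurl','https://example.invalid','yes');
INSERT INTO `wp_options` VALUES (2,'widget_text','<div style="display:none"><iframe src="https://example.invalid/x"></iframe></div>','yes');
INSERT INTO `wp_posts` VALUES (10,'Hello world','<p>Welcome to our site.</p>');
INSERT INTO `wp_posts` VALUES (11,'Hacked','<script>eval(String.fromCharCode(97,108,101,114,116))</script>');
EOF
    scan_dump "$dump"
    rm -f "$dump"
}
demo_scan
```

The table and line number are what you take to the db client; with one row per INSERT line, the line number also tells you how many rows into that table the hit is, which makes it easy to find when wp_posts has thousands of entries.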
For best practice, change all user passwords. This might be a huge deal if you have hundreds or thousands of users, but if your site is hacked you have to assume the user accounts are compromised, especially admin ones. While you are in wp_users, look for administrator accounts you did not create and remove them. Regenerating the secret keys and salts in wp-config.php (AUTH_KEY and friends) invalidates every existing login cookie site-wide at once, which kicks out any attacker session while you work through the individual passwords.
Go a step further and change the MySQL username and password (and update wp-config.php to match). Once the site is live you can also change the database table prefix.
We aren’t going to go into WordPress hardening here, but definitely make sure you have a decent WordPress security plugin enabled.
There are so many more steps you can take. You can scan your server access logs for the IPs that requested any of the infected files and block them, for instance. More useful still is finding the earliest request that created the first malicious file: that is usually the entry point (a vulnerable plugin, a weak admin password, an upload form), and until you know it the site can simply be re-infected after you clean it.
If you find any files that are suspicious or you think look odd, upload them to VirusTotal. You can also use VirusTotal to check a website URL. One caveat: anything uploaded to VirusTotal is shared with its other users, so never upload wp-config.php or any file containing credentials or customer data.
We recently found some malware on a website and gave this a try. VirusTotal keeps every upload together with its analysis, so you can come back to it at a later date. Check it out:
https://www.virustotal.com/gui/file/efc177d627f6bf7ee252a2e67ccce59efa31e788ae94a0a7a88cbb2c6311f4f8
You can check your site URL on VirusTotal and it will give it a cursory scan for malware. It works decently, but not as well as scanning all of your files on Windows or Linux, since VirusTotal only sees what your web server serves to an anonymous visitor, never the PHP source on disk.
We will also take a deep look at your .htaccess file, assuming you are using Apache. Make sure it is backed up. Your .htaccess might look way different than mine. Some .htaccess files have 100 or more lines of instructions in them, especially if you are using SEO plugins, CDN plugins, and security plugins.
To be safe, I would delete everything and replace it with the stock WordPress block like this (plugins that need their own rules will write them back, or you can re-add them from the plugin settings once you know they are legitimate):
# BEGIN WordPress
RewriteEngine On
RewriteRule .* - [E=HTTP_AUTHORIZATION:%{HTTP:Authorization}]
RewriteBase /
RewriteRule ^index\.php$ - [L]
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteRule . /index.php [L]
# END WordPress
Once you are sure there is no funny business in your .htaccess file (no AddHandler/AddType lines that make other extensions run as PHP, no redirects that only fire for search-engine user agents or referrers, nothing you cannot attribute to a plugin you installed), the reviewed copy can go back up. Also check for a .user.ini or php.ini in the web root, since an auto_prepend_file directive there does the same job as a malicious .htaccess.
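An added example (not from the post) of how I review a .htaccess before deciding whether to keep any of it: it separates the stock WordPress block from everything outside it, which is the part you need to account for line by line, and flags the directives most often abused (file-type handlers that make images execute as PHP, auto_prepend_file, redirects that only fire on search-engine user agents or referrers, 404 pages served from PHP). The red-flag regex is an assumption, not a complete list, and the sample file is constructed.

```shell
# Added example, not from the post. Separates the stock WordPress block of a
# .htaccess from everything outside it and flags directives that are commonly
# abused. The red-flag regex is an assumption, not a complete list; the sample
# file is constructed.

# Handlers that make other extensions run as PHP, prepend/append tricks,
# conditional redirects on crawler user agents or referrers, 404 pages served
# from PHP, and base64 blobs.
HTACCESS_RE='AddHandler|AddType|SetHandler|auto_prepend_file|auto_append_file|RewriteCond %[{]HTTP_(USER_AGENT|REFERER)[}]|ErrorDocument [0-9]+ .*[.]php|base64'

# audit_htaccess FILE -> lines tagged red-flag or outside-core, with line numbers
audit_htaccess() {
    awk -v re="$HTACCESS_RE" '
        /^# BEGIN WordPress/ { core = 1 }
        $0 ~ re              { printf "red-flag\t%d\t%s\n", NR, $0 }
        !core && $0 !~ /^[[:space:]]*(#|$)/ { printf "outside-core\t%d\t%s\n", NR, $0 }
        /^# END WordPress/   { core = 0 }
    ' "$1"
}

demo_audit() {
    f=$(mktemp)
    cat > "$f" <<'EOF'
# BEGIN WordPress
RewriteEngine On
RewriteRule .* - [E=HTTP_AUTHORIZATION:%{HTTP:Authorization}]
RewriteBase /
RewriteRule ^index\.php$ - [L]
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteRule . /index.php [L]
# END WordPress
AddType application/x-httpd-php .jpg
RewriteCond %{HTTP_USER_AGENT} (googlebot|bingbot) [NC]
RewriteRule ^(.*)$ https://example.invalid/ [R=302,L]
EOF
    audit_htaccess "$f"
    rm -f "$f"
}
demo_audit
```

Every outside-core line is a question to answer (which plugin wrote this, and does it still need it?), and every red-flag line is a question to answer before the file goes anywhere near the server again. Run the same audit on the .htaccess files in wp-content/uploads and any other subdirectory, since a handler line there is just as effective as one in the web root.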
find . -type f -mtime -90
This lists files modified in the past 90 days; adjust the number (30, 7) to the window you care about. Anything out of place in that list narrows the search, but a clean list proves nothing: an attacker can reset timestamps with touch, so treat mtime as a hint rather than evidence.
Closing Thoughts
Perform regular maintenance and practice basic hygiene and you should be fine.
In most scenarios, if you do regular maintenance on your website and keep your core WordPress, theme and plugins up to date you won’t have any issue recovering from an infection.
On the other hand, if you have an old WordPress website with an old theme that is no longer supported, and that theme is hacked, there may be an issue. If the theme can’t be repaired, a new theme (and really a new website) may need to be built. This can definitely be costly, and is one reason we recommend using a mainstream theme that receives regular updates.
Key Points
- always backup your website
- do regular maintenance on your website
- update your plugins, themes, and core WordPress
- use basic website hygiene