Has your WordPress website been hacked? Does it redirect users to nasty offers and unsecured sites? Have you noticed spammy content appearing in your Google search results? Now, this could be the result of some malware. If this is the case, don’t fret. In this article, we will explain how to clean your site if it has been hacked and infected with malware, spam, backdoors, etc.
Though removing malware from a WordPress site is an exhausting task, it is really important for the existence of your website. If you believe you have been hacked, first make sure that you have literally been hacked. Sometimes users think that their site has been attacked when their website misbehaves, or some other technical issue occurs. Also, site owners might see spam comments and can’t tell the difference between that and a hack.
- Some signs to identify if your site is hacked
- Steps for removing malware from a WordPress site
- Step 1: Backup the files and Database in your site
- Step 2: Examine the Backup Files
- Step 3: Delete all the files in public_html folder
- Step 4: Reinstall WordPress
- Step 5: Restore passwords and permalinks
- Step 6: Reinstall Plugins and Themes
- Step 7: Upload images from the Backup
- Step 8: Install and Run Security Plugins
- Some Frequently Asked Questions
Some signs to identify if your site is hacked
- You receive complaints from your viewers that they are being redirected to a malicious or spammy website. Give special attention to these because many hacks will disclose that you are the site administrator and not show you anything spammy but will be visible only to your visitors or to the search engine crawlers.
- If you are seeing spam surfacing in your site header or footer that contains advertisements for things like pornography, drugs, illegitimate services, etc. Often these will be inserted into your page without any prior notice, so it might appear as dark text on a dark background and not be very visible to us (but the search engines can see it).
- You search for a site on Google and you see pages or content that you don’t recognize and that looks malicious.
- You receive a message from your hosting provider that your website is doing something malignant or spammy. For example, if your host tells you that they are getting reports of spam email that has a link to your website, it indicates that you have been hacked.
Steps for removing malware from a WordPress site
Step 1: Backup the files and Database in your site
Once you have made sure that you have been hacked, back up your site instantly. Use FTP, your hosting provider’s backup system or a backup plugin to download a copy of your entire website. If possible, backup the full site using the web host’s site snapshot feature as this will be the most thorough backup of your entire server. However, it might take some time to download the entire files. You can also use a backup plugin if you can log in to your site.
The wp-content folder of your site is the most essential folder on your server as it contains all your uploads. You can also do a manual backup through an easy process. Click here to get the detailed steps for backing up your database and files manually.
Also read: Top WordPress Backup Solutions
Step 2: Examine the Backup Files
Once the site is backed up, download the backup to your personal computer. Select the zip file to open it and check the following:
- The WordPress Core files: Download WordPress from WordPress.org and check out the files in the download and see if they are same as your WordPress core files.
- The wp-config.php file: This is important as it contains the name, username, and password to your WordPress database which we will use in the restore process.
- The wp-content folder: Make sure that you check at least these three folders in wp-content, i.e themes, uploads, and plugins. If you are able to see your theme, plugins, and uploaded images, it indicates that you have a good backup of your site.
- .htaccess file: This will be unviewable. The only way to know if you backed this file is to view your backup folder using an FTP program (like FileZilla) or code editing application (like Brackets) that lets you view invisible files within the application’s interface.
- The database: You should have an SQL file that is an export of your database. We are not going to delete the database in this process, but it’s good to have a backup.
Step 3: Delete all the files in public_html folder
After assuring that you have a fair and complete backup of your site, delete all the files in your public_html folder (except the CGI-bin folder and any server related folders that are clearly free of hacked files) using the web host’s File Manager or through FTP. If you are hosting more than one site on the same account, you can assume they have all been affected as well. So it is better you clean all the sites, back them, download the backups, and do the following steps for each one.
Also read: Sureshot Tips to Protect Your WordPress Site from Cyber Attacks
Step 4: Reinstall WordPress
Reinstall WordPress using the one-click option in your web hosting. Refer the backup of your site, edit the wp-config.php file on the new install of WordPress to use the database credentials from your former site. This will link the new WordPress installation to the old database. It is not recommended to re-upload your old wp-config.php file as the new one will have new login encryption salts and will surely be free from any hacked code.
Step 5: Restore passwords and permalinks
Log in to your site and restore all user names and passwords. If you see any users you don’t recognize, your database has been compromised, and you need to contact an expert to ensure there is no unwanted code that has been left in your database. Go to Settings > Permalinks and click Save Changes. This will restore your .htaccess file, so your site URLs will work again. Be sure when you deleted files, you didn’t leave any hacked .htaccess files behind.
Step 6: Reinstall Plugins and Themes
Reinstall all your plugins from the WordPress repository or download from the premium plugin developer. Don’t try to install old plugins and the ones that are no longer maintained. Similarly, reinstall your theme from a fresh download. If you customized your theme files, refer your back up files and replicate the changes on the fresh copy of the theme. Do not upload your old theme, as you may not recognize which files have been hacked.
Also read: 3 Different Ways to Install WordPress Themes and Plugins
Step 7: Upload images from the Backup
You need to get your old image files copied back to the new wp-content > uploads folder on the server. But be careful that you don’t copy any hacked files in the process. For that, you will have to carefully examine each and every folder in your backup and make sure there are only image files and no PHP files or JavaScript files or anything else you did not upload to your Media Library.
Step 8: Install and Run Security Plugins
Run the Anti-Malware Security and Brute-Force Firewall and scan the site thoroughly. Also, scan the site with Sucuri’s SiteCheck to make sure you didn’t miss anything. Install and activate a security plugin like MalCare Security, Astra Security, Shield WordPress Security or Solid Security (formerly iThemes Security). Check through all its settings.
MalCare comes with an intelligent scanner that correctly identifies new and complex malware and points out its location. Shield will notify you in the future if any core files have changed. iTheme Security has a strong focus on identifying plugin vulnerabilities, outmoded software, and weak passwords. Also, it is always better to scan your own computer for viruses, trojans and malware.
Also read: Best WordPress Security Plugins
Conclusion
Congratulations if you have managed to clean your site! Now you need to make sure it doesn’t get hacked again. There are many services such as Codeguard.com that helps you to identify malware issues on time. Whenever it detects any change in your website code, it automatically generates a new backup and notifies you through email. So always keep an eye on the emails and never overlook them.
Some Frequently Asked Questions
How do I know if my website is hacked?
You may receive complaints from your web hosts that some spam emails have links to your website or your customers may complain about them being re-routed to spam websites. You may also see ads for unethical things like pornography and drugs in your website. We have also done a detailed article on how to check if your WordPress site is attacked.
Why are WordPress Websites attacked often?
WordPress is an open-source CMS platform powering over 37% of websites on the internet. As the code is openly available which is the greatest benefit and purpose of open source, it also gives hackers an option to find and exploit vulnerabilities. Not updating the WordPress, plugins or themes also makes the life of hackers much easier. You can read about the top reasons why your website is hacked here. But you can definitely make your website secure by following good maintenance practices.
How can I protect my WordPress site?
You can take precautions with plugins and themes – download them from WordPress Repository, avoid nulled versions, keep them updated, uninstall unnecessary plugins and themes. You can also get a reliable hosting provider, strengthen passwords, do routine website security audits, install security plugins, analyse website performance etc. And always prepare for the worst by keeping several backups.