How to Remove WordPress Malware: Manual and Automatic Malware Removal

Because of its popularity, WordPress has become a popular target for cyberattacks. Indeed, 70% of the 40,000 WordPress websites listed in Alexa’s Top One Million are vulnerable to hacking attempts.

Defaced web pages, links to malicious websites, Google blocklist warnings, and white screens of death are some of the most common signs of a hacked site. If you notice any of these signs on your WordPress site, it has most likely been compromised or infected with malware.

Once you’ve determined that you have a hacked WordPress website, take immediate action to recover it. We’ll show you how to remove malware from a hacked website manually.

Step 1. Prepare for WordPress Malware Removal
Step 2. Reinstall WordPress Core Files
Step 3. Compare Infected vs Clean WordPress Installation
Step 4. Clear Out PHP Files from Uploads
Step 5. Look For Backdoors Within Your Files
Step 6. Inspect the SQL Database File
Step 7. Review the Code for Each Page and Post
Step 8. Remove Your Website from URL Blocklists

While recovering a hacked WordPress site is possible, the process requires decent technical knowledge in website maintenance and hosting.

If the following tutorial seems too challenging for you, we recommend using a WordPress malware removal plugin or hiring a WordPress malware removal specialist.

1. Prepare for WordPress Malware Removal

First things first, keep in mind that you can fix your hacked WordPress site. While it might take some time and effort to recover it, know that you can get over such an incident. Therefore, it’s important to stay calm and follow the appropriate recovery procedure.

Before removing malware from your WordPress site, take these preparation steps to ensure the safety of your data:

Step 1. Restrict Access to the Website

If your WordPress site has malicious redirects to shady, unsecured websites, chances are it’s been hacked. If left unchecked, your infected WordPress site can prompt visitors into accessing dangerous sites and leaking their personal details.

Restricting access to your WordPress site will help prevent the further spread of the hidden malware currently infecting it. Perform this step by editing the .htaccess file through your hosting control panel’s File Manager or an FTP client such as FileZilla. In this tutorial, we’ll be using Hostinger’s File Manager on hPanel.

Here’s how to do it, whether you’re using Hostinger’s WordPress hosting or any other type of hosting:

  1. Navigate to File Manager under the Files section.
  2. Access the public_html directory and scroll down to locate the .htaccess file. If the file isn’t present, create a new default .htaccess file.
  3. Add this code snippet to the .htaccess file to block all access except yours. The order must be deny,allow so that the allow line overrides deny from all for your address; with allow,deny, every request is rejected, including yours:

order deny,allow
deny from all
allow from [your_IP_address]

  4. Save the changes.

Pro Tip

Make sure your IP address is static. Otherwise, you’ll need to update the .htaccess file periodically.

Step 2. Create a Backup

Creating a backup of the hacked site will make it easier to identify malware. By comparing the WordPress files of the good backup with those of the post-hack version, you’ll be able to locate malicious code much faster.

Follow these steps to back up your WordPress site files and database using Hostinger hPanel’s one-click backup and restore system:

  1. Navigate to Backups under the Files section.
  2. Click on the Select button within the File Backups section. Select a date from the drop-down menu and click Next Step.
  3. Check the box next to the domain you want to back up, then select Download all files.
  4. Once the server finishes preparing the download, click Download Backup.
  5. After backing up your website files, do the same for your WordPress database. Click on the Select button under the Database Backups section and pick the desired database from the drop-down menu. If you don’t know your WordPress database name, locate it first.
  6. Select Show databases to display the backup logs. Pick a date and click Download.
  7. Once the server finishes preparing the download, click Download Backup.

Step 3. Check Available Backups

This step should be easy for those who have done their due diligence as website administrators. If you couldn’t restore the WordPress site using the infected backup file, the older version can serve as your Plan B, allowing you to recover pre-hack data and start over much faster.

Otherwise, we recommend contacting your web host to see if they have a backup of your website files. Depending on your hosting provider, you might have pre-hack backup files automatically generated. Hostinger, for example, offers daily and weekly backups with its shared hosting plans.

Step 4. Update All Passwords and Access Keys

Many hackers use malware to commit brute force attacks to crack administrator accounts’ login credentials. Changing your passwords can slow them down and minimize the chances of another security risk wreaking havoc on your WordPress site.

Make sure to use strong passwords and avoid reusing them on more than one account at a time. There are plenty of online password generators like Secure Password Generator and Random Password Generator that can help you create unpredictable passwords with various combinations of letters and numbers.

The following are some of the accounts that need a password reset at the soonest opportunity:

  • Hosting account ‒ most hosting providers, including Hostinger, put the password change feature on the account information page.
  • FTP accounts ‒ having your FTP accounts compromised will allow hackers to launch FTP bounce attacks. Minimize this risk by changing the password of both your primary and secondary accounts.
  • SSH accounts ‒ change your account passwords and set up SSH keys to prevent hackers from accessing your website data.
  • WP-Admin credentials ‒ change your admin password and the login credentials of other WordPress user accounts that have access to your site’s backend.
  • WP Salts ‒ changing your WordPress Salt keys will help keep your login details hashed, strengthening your WordPress account against brute force attacks.

Important! If you have personal accounts with the same password as your hacked WordPress site, change them as well.

Step 5. Update WordPress

61% of hacked WordPress sites are running an outdated WordPress version. By keeping your CMS up to date, you’ll eliminate vulnerabilities that hackers can exploit to attack your website.

Here’s a checklist of the software and files you need to update:

  • WordPress version ‒ update your WordPress to the latest version via the Updates tab of your WordPress admin dashboard. Hostinger users can update their website version through the hPanel dashboard.
  • Themes and plugins ‒ the update prompt of outdated WordPress plugins and themes should appear in the Updates section. Don’t forget to eliminate potential security issues by deleting unused themes and plugins.
  • PHP version ‒ Hostinger users can update their PHP version via the PHP Configuration menu under the Advanced section of the hPanel dashboard.

Expert Tip

Unsupported plugins and themes are major security risks as they don’t receive patches to remove any vulnerabilities. Always check when your extensions were last updated. If there have been no updates and activities in the development log in the past six months, it’s safer to uninstall the plugin or theme and look for an alternative.

Editor

Leonardus Nugraha

Content Specialist

Step 6. Check for Recent Changes and Access

Your WordPress site logs keep track of all the traffic and changes made on the server. Checking the logs for suspicious activity around the time of the hack makes identifying rogue accounts and infected files easier.

First, look for recently changed files by running the find command over SSH:

find . -type f -name '*.file_extension' -ctime n

Replace the file_extension value with the file type you want to check. We recommend searching for JavaScript and PHP files as both file extensions are common targets of malware injection. Replace the n placeholder with a signed number of days to set the search scope: -n matches files changed less than n days ago, and +n matches files changed more than n days ago.

For example, the following SSH command displays any PHP files added or modified within the last three days:

find . -type f -name '*.php' -ctime -3

As for the access logs, Hostinger users can check them via Analytics under the Performance section of the hPanel dashboard. Open the Access logs tab to see a list of your website visits. You can filter the results based on the chosen time frame.

Step 7. Remove Symlinks

Symbolic links or symlinks are file types that point to another file or directory, serving as shortcuts. While they provide multiple access points, hackers can exploit them to launch symlink attacks and gain access to your root directory.

Run this command via SSH to unlink (delete) every symlink under the current directory:

find . -type l -exec unlink {} \;

Step 8. Reset File and Folder Permissions

Limiting the number of users with an administrator role is a great security measure to prevent hackers from accessing confidential site files. In the event of a security breach, we recommend resetting file and folder permissions to their default values to flush out WordPress users with invalid access privileges.

The file permissions settings should be accessible via your hosting account dashboard. Hostinger users can access them via the Fix File Ownership menu under the Other section. After checking the confirmation box, click Execute to set all file permissions to the default values ‒ 644 for files and 755 for folders.

The recommended 755 folder permissions mean that the owner of the files within these folders can read, write, and execute them, whereas other WordPress users only have read and execute access rights.

Step 9. Scan Your PC with Antivirus Software

The cyber attack might target your WordPress site initially, but there’s no telling if the malware infection hasn’t spread to your PC. Scanning your PC with antivirus software will help remove a potential malware infection and prevent it from compromising your hardware.

Here are some of the best antivirus solutions that come with a malware scan feature:

2. Reinstall WordPress Core Files

After doing the prerequisites, it’s time to reinstall WordPress. If you still have access to your WordPress dashboard, navigate to Updates and click on the Re-Install Now button.

Otherwise, you can use an FTP client to reinstall WordPress core files manually. Here are the steps Hostinger users should take:

  1. Log into your hPanel dashboard, head to Websites, and click Manage next to your domain name.
  2. From the left sidebar, select Files -> File Manager, and choose Access files of (your domain).
  3. Locate the wp-content folder within the root directory, right-click it, and select Download.
  4. Go back to the hPanel dashboard, navigate to Websites, and click Manage next to your website.
  5. Select WordPress from the left menu, and scroll down to Site Installs.
  6. Click Install and fill in the installation details.
  7. Go back to your File Manager and refresh the directory list.
  8. Re-upload the wp-content folder you downloaded earlier to the root directory. This step allows you to keep your plugin and theme files.

3. Compare Infected vs Clean WordPress Installation

At this point, you’ll have both infected and clean WordPress files. Put those files in two separate folders and compare the content via your FTP client. FileZilla has a Directory Comparison feature you can use to streamline the process. If you have a lot of files to go through, consider using Beyond Compare.

Pay close attention to JavaScript and PHP files as they are ideal hosts for malware. Then, upload as many clean WordPress files to the website as needed and periodically check whether the site works properly.

Alternatively, use the diff command in SSH to compare the infected and clean folders:

diff -r wordpress-clean/ wordpress-infected/ -x wp-content

Be on the lookout for any files that have been changed or added recently.
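
The same comparison as a script, shown here as an added example that is not part of the original article: it labels each difference as ADDED, MODIFIED or MISSING and skips wp-content like the diff command above. The function names, output labels and the constructed sample trees are assumptions for illustration.

```shell
#!/bin/sh
# Added example: label differences between a clean WordPress tree and the
# suspect one. wp-content is skipped, as with "-x wp-content" in the diff call.

# list_files DIR -> relative paths of regular files outside wp-content, sorted.
list_files() {
    (cd "$1" && find . -path ./wp-content -prune -o -type f -print) | sort
}

# compare_core CLEAN_DIR SUSPECT_DIR -> one "LABEL path" line per difference.
compare_core() {
    clean=$1
    suspect=$2
    list_files "$suspect" | while IFS= read -r f; do
        if [ ! -f "$clean/$f" ]; then
            echo "ADDED ${f#./}"        # not part of the clean release
        elif ! cmp -s "$clean/$f" "$suspect/$f"; then
            echo "MODIFIED ${f#./}"     # same path, different bytes
        fi
    done
    list_files "$clean" | while IFS= read -r f; do
        if [ ! -f "$suspect/$f" ]; then
            echo "MISSING ${f#./}"      # core file deleted from the site
        fi
    done
}

# Constructed sample trees (not real WordPress files) to exercise the function.
demo_compare() {
    tmp=$(mktemp -d)
    mkdir -p "$tmp/clean/wp-includes" "$tmp/site/wp-includes" "$tmp/site/wp-content/uploads"
    echo '<?php // front controller' > "$tmp/clean/index.php"
    echo '<?php // loader'           > "$tmp/clean/wp-includes/load.php"
    echo '<?php // version'          > "$tmp/clean/wp-includes/version.php"
    cp "$tmp/clean/index.php" "$tmp/site/index.php"
    echo '<?php // loader, altered'  > "$tmp/site/wp-includes/load.php"
    echo '<?php // unknown file'     > "$tmp/site/wp-includes/wp-tmp.php"
    echo 'ignored here'              > "$tmp/site/wp-content/uploads/a.php"
    compare_core "$tmp/clean" "$tmp/site"
    rm -rf "$tmp"
}

demo_compare
```

Site-specific files such as wp-config.php and .htaccess will normally show up as ADDED or MODIFIED on a real site; read them by hand rather than overwriting them.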

4. Clear Out PHP Files from Uploads

As malicious PHP files might be the cause of your hacked site, removing PHP files from your Uploads folder is an essential step of the compromised WordPress website cleanup process.

You can do so manually via an FTP client by locating Uploads in the wp-content folder. Most FTP clients like FileZilla offer a filter function that will make this process easy. Another way is to list them with the find command in SSH, run from the WordPress root directory:

find wp-content/uploads -type f -name "*.php"

5. Look For Backdoors Within Your Files

Hackers might embed backdoors in files to create security vulnerabilities within your WordPress site, so it’s important to remove any hacked files that carry them.

Backdoors often look similar to WordPress core files. wp-config.php and files within plugins, themes, and uploads folders are the most popular targets of backdoor injections.

To identify potential backdoors, check your files for these PHP functions:

  • base64_decode
  • exec
  • move_uploaded_file
  • str_rot13
  • gzuncompress
  • eval
  • stripslashes
  • system
  • assert
  • preg_replace (with the /e modifier)

Use the following SSH command to detect any hacked files located within your directories:

find . -type f -name '*.php' -print0 | xargs -0 grep -E -i "(mail|fsockopen|pfsockopen|stream_socket_client|exec|system|passthru|eval|base64_decode) *\("

The following command will locate image files with backdoor functions:

find wp-content/uploads -type f -iname '*.jpg' -print0 | xargs -0 grep -i php

Lastly, use the command below to locate infected iframes:

find . -type f -name '*.php' -print0 | xargs -0 grep -i '<iframe'

Important! Some plugins use these functions in their operations, so make sure to test any changes made. We recommend downloading original plugin files and comparing their code with the files you’ve downloaded from the hacked site to avoid deleting essential functions.
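
One way to triage the hits from the commands in sections 4 and 5, as an added example that is not part of the original article: it counts how many distinct functions from the list each PHP file calls, so the files worth reading first sort to the top, and it requires a non-identifier character before each name. The scoring, output labels and constructed sample files are assumptions for illustration.

```shell
#!/bin/sh
# Added example, not the article's code. The function names come from the
# article's list; the scoring and the output labels are illustrative choices.
FUNCS="eval base64_decode gzuncompress str_rot13 exec system passthru assert move_uploaded_file"

# score_file FILE -> number of distinct listed functions that FILE calls.
score_file() {
    n=0
    for fn in $FUNCS; do
        # The leading group stops "exec(" matching inside "curl_exec(" and
        # "system(" inside "Filesystem(", two common false positives.
        if grep -E -i -q "(^|[^[:alnum:]_])$fn *\(" "$1"; then
            n=$((n + 1))
        fi
    done
    echo "$n"
}

# triage_scan WP_ROOT -> "SCORE path" lines (highest first), then findings
# that need no scoring: PHP files and PHP-bearing images under uploads.
triage_scan() {
    root=$1
    up="$root/wp-content/uploads"
    find "$root" -type f -name '*.php' | while IFS= read -r f; do
        s=$(score_file "$f")
        if [ "$s" -gt 0 ]; then echo "$s ${f#"$root"/}"; fi
    done | sort -k1,1nr -k2
    [ -d "$up" ] || return 0
    find "$up" -type f -name '*.php' | sort | while IFS= read -r f; do
        echo "PHP_IN_UPLOADS ${f#"$root"/}"
    done
    # Looks for the "<?php" open tag, which is narrower than "grep -i php".
    find "$up" -type f \( -iname '*.jpg' -o -iname '*.png' \) | sort |
    while IFS= read -r f; do
        if grep -F -q '<?php' "$f"; then echo "PHP_IN_IMAGE ${f#"$root"/}"; fi
    done
}

# Constructed, inert sample files; none of them is real site or malware code.
demo_triage() {
    t=$(mktemp -d)
    mkdir -p "$t/wp-includes" "$t/wp-content/plugins/shop" "$t/wp-content/uploads/2024"
    printf '<?php $r = curl_exec($ch); $fs = new Filesystem();\n' \
        > "$t/wp-content/plugins/shop/api.php"
    printf '<?php eval(base64_decode($blob));\n' > "$t/wp-includes/class-wp-tmp.php"
    printf '<?php echo str_rot13 ("uryyb");\n' > "$t/wp-content/uploads/2024/cache.php"
    printf '\377\330\377<?php system($cmd); ?>\n' > "$t/wp-content/uploads/2024/logo.JPG"
    printf '\377\330\377 pixels only\n' > "$t/wp-content/uploads/2024/photo.jpg"
    triage_scan "$t"
    rm -rf "$t"
}

demo_triage
```

A score is a reading order, not a verdict: compare flagged plugin files with the original plugin download, as recommended above, before changing anything.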

6. Inspect the SQL Database File

Your database isn’t immune from malware injections. After making sure your WordPress core and content files are clean, the next step is to take a closer look at your database.

First, export your MySQL database as an .sql backup file with phpMyAdmin. Using a text editor like Sublime, inspect the file for malicious content. Don’t delete suspicious entries from your database backup file. Instead, take note of their location and proceed to the next step.

7. Review the Code for Each Page and Post

In this step, look for malicious entries within your posts, pages, and comments sections. Check their revision history to detect any suspicious activity.

Look closer at places where you found suspicious entries during Step 6. Remove all the malicious code using a text editor and reformat the content if needed.

While you’re at it, delete spam messages you’ve found during the cleanup process.

8. Remove Your Website from URL Blocklists

At this point, your WordPress site should be free from malicious code. All that’s left to do is to remove your website’s URL from Google’s blacklist.

You can do so through Google Search Console. Navigate to your admin dashboard and open the Security & Manual Actions -> Security issues tab. Select I have fixed these issues -> Request a review to have Google review and re-index your WordPress site.

Keep in mind that Google can take a couple of days to process the blocklist removal request.

Verify Your Website

Consider checking out How to Add a Domain to Google Search Console to verify your website ownership and request a review.

How to Remove WordPress Malware Automatically

Hostinger provides an extra layer of security by integrating Malware Scanner into hPanel. The built-in tool automatically scans websites for suspicious files and fixes or removes them from the server.

Navigate to the Security -> Malware Scanner menu on the left sidebar of your hosting dashboard. If the tool finds harmful files, you will see a summary of the last scan ‒ including the number of malware files detected, removed, and cleaned.

There is also a malware indicator on the hosting dashboard so that you can see your website security condition at a glance.

Hiring a WordPress Malware Removal Service

Various WordPress plugins offer top-notch features to remove malware from WordPress sites and protect them from future malware infections. However, when dealing with complex malware, professional help might be necessary.

Hiring WordPress security services is recommended if you lack the technical expertise required to perform the processes explained above.

A WordPress security expert can ensure the malware removal process is done correctly. Furthermore, you can have them patch your WordPress site’s security vulnerabilities, ensuring it performs optimally.

Freelance platforms like Upwork, Fiverr, and Codeable host tons of professional WordPress experts available for hire. Here are some tips to help you find a WordPress malware removal specialist:

  • Write a clear job description ‒ doing so will help set the expectations, budget, and required skills.
  • Review candidates’ portfolios carefully ‒ having insight into an applicant’s past experience will give you a better idea of their skills, expertise, and whether they’re up for the task.
  • Browse past client reviews ‒ make sure a candidate’s work ethic and communication style match your preferences. A good contractor should provide you with regular status updates and be transparent about the entire process.
  • Use references ‒ ask your friends or contacts to suggest trusted experts whom they have worked with.

Conclusion

Removing malware from your WordPress website can be done in numerous ways. You can do it manually if you have the technical expertise and time needed to perform the cleanup process.

WordPress security plugins can streamline the process and add additional security measures to prevent future malware attacks. If all else fails, you can hire a WordPress security expert to do the work for you.

Regardless of the preferred method, it’s best to take action as soon as you can. While it’s possible to recover a hacked website, the cyber attack can harm its search engine rankings and your brand’s reputation if left unfixed.

We hope this article has helped you learn how to detect and remove malware from a WordPress website. Best of luck!

Author
Tomas A.

Tomas provides top-notch technical advice on a daily basis to our valued customers. He also likes to create websites and do various coding side projects.