Short for “malicious software,” malware is a generic term for a variety of online attacks designed to infiltrate and damage computer systems and networks against the user’s will. The term covers spyware, ransomware, data breach, trojans, and more.
Despite the growing awareness about the threats posed by malware attacks, they continue to increase year by year. A recent report found that over 4.8 billion malware attacks have occurred in just the first 6 months of 2019.
A successful malware attack can negatively impact any business in multiple ways, including:
- Loss of confidential business data
- Lower website speed and performance
- Decrease in incoming traffic and sales conversions
- Redirection of incoming website traffic to an unsolicited external website
- Drop in Google SEO ranking or even blacklisting
- Loss of customer loyalty and brand trust
- And more…
Be it a blogging site or an online business, it is imperative for any website owner to keep their WordPress site secure at all times. In the unfortunate event of a website getting hacked, the business must be equipped to get rid of the malware infection immediately and restore the website quickly.
In this article, we shall focus on how a WordPress-powered business website can get rid of malware and how it can guard against future attacks.
Let’s first look at all the steps you need to execute to remove the malware:
- Detect the malware infection on your WordPress website.
- Remove the malware or clean your website and database files.
- Reinstall the WordPress tool along with all the plugins and themes.
- Reset login passwords for all users.
- Rescan your WordPress website to check for any remaining malware code or backdoors.
Before executing these steps, make sure to back up your WordPress site completely. You can use a backup tool to automate the backup process and store the backups in a safe and secure location.
Step 1 – How to Detect a WordPress Malware Infection
The first step is to check whether your WordPress website has been compromised by a malware infection. Because there are many types of malware infection, identifying a hacked website can be very complex and could take weeks to complete.
For a quick start, here are some common indicators to know if your website has been hacked:
- Your website could experience a sharp drop in loading speed, or there is a drastic reduction in incoming traffic.
- You receive an email from your web host suggesting your website could have a malware infection. Alternatively, your website account could be suspended by your web host service provider.
- Google your website and see if your search results contain Japanese characters.
- Your website could be blacklisted by Google or no longer appears on any search results.
- Incoming website traffic could be redirected to another suspicious or phishing website.
- Logged in as the “admin” user, you notice a large number of unknown plugins and unauthorized users added to the WordPress account.
If you are witnessing any of these issues, it’s the best time to scan your website for malware infections. Leading security plugins like Sucuri or MalCare can do this for you; MalCare’s deep-clean scan, for example, can intelligently detect both known and unknown or new variants of malware. The advantage is that the same tool can also be used to remove the malware variant detected on your website.
You can also use diagnostic tools to check if Google has blacklisted your WordPress website. For example, the Google Transparency Report (or Google Safe Browsing technology) can indicate if and why your website has been blacklisted. For this, you need to visit the Safe Browsing link and enter your website URL on the webpage.
Another manual method of detecting malware is to check whether core WordPress and database files (located in WordPress installation folders like wp-admin, wp-content, and wp-includes) have been modified. Ideally, these core files must never be modified. You can use an FTP tool to inspect these core WordPress folders for unexpected changes.
Additionally, you can check for recently modified files (which could have been tampered with) using an FTP tool or an SSH terminal. For example, if you are using an SSH terminal, run the following command to identify all files modified in the past 15 days:
$ find ./ -type f -mtime -15
After completing these manual methods, if you do come across any modified files (for example, the “wp-config.php” file) or folders, take care not to overwrite or replace them with another file or folder.
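As an added example (not code from the original article), here is a Python version of the same check that goes one step beyond the find command above: it lists files modified within the last N days and also compares every file against a SHA-256 manifest taken from a known-clean copy of the install, so files that were altered, added or deleted show up even when their timestamps were reset. All file names, contents and the temporary directory it runs in are constructed for the demonstration.

```python
"""
Added example (not from the original article): a small integrity check for a
WordPress install. It does two things the article describes doing by hand:

  1. list files modified within the last N days (the Python equivalent of
     `find ./ -type f -mtime -N`), and
  2. compare every file under the install against a SHA-256 manifest taken
     from a known-clean copy, reporting modified, added and missing files.

Everything below runs against a constructed temporary directory; the file
names and contents are placeholders made up for the demonstration.
"""
import hashlib
import os
import tempfile
import time
from pathlib import Path


def sha256_of(path: Path) -> str:
    """Hash a file in chunks so large uploads do not need to fit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root: Path) -> dict:
    """Map each relative file path under `root` to its SHA-256 digest."""
    return {
        str(p.relative_to(root)): sha256_of(p)
        for p in sorted(root.rglob("*"))
        if p.is_file()
    }


def find_recent(root: Path, days: int) -> list:
    """Relative paths of regular files modified within the last `days` days."""
    cutoff = time.time() - days * 86400
    return sorted(
        str(p.relative_to(root))
        for p in root.rglob("*")
        if p.is_file() and p.stat().st_mtime >= cutoff
    )


def compare_to_manifest(root: Path, manifest: dict) -> dict:
    """Classify files as modified, added (not in manifest) or missing."""
    current = build_manifest(root)
    return {
        "modified": sorted(k for k in manifest if k in current and current[k] != manifest[k]),
        "added": sorted(k for k in current if k not in manifest),
        "missing": sorted(k for k in manifest if k not in current),
    }


def demo() -> dict:
    """Construct a clean tree, take its manifest, then tamper with a copy."""
    with tempfile.TemporaryDirectory() as tmp:
        clean = Path(tmp) / "clean"
        site = Path(tmp) / "site"
        # Constructed stand-ins for core files; contents are placeholders.
        files = {
            "wp-config.php": "<?php define('DB_NAME', 'placeholder');\n",
            "wp-includes/version.php": "<?php $wp_version = 'x.y.z';\n",
            "wp-content/themes/demo/functions.php": "<?php // theme code\n",
        }
        for base in (clean, site):
            for rel, body in files.items():
                target = base / rel
                target.parent.mkdir(parents=True, exist_ok=True)
                target.write_text(body)
        manifest = build_manifest(clean)

        # Simulate an infection: one core file altered, one file dropped in.
        (site / "wp-includes/version.php").write_text("<?php // tampered\n")
        (site / "wp-content/uploads").mkdir()
        (site / "wp-content/uploads/cache.php").write_text("<?php // unexpected\n")
        # Age the untouched files so only the tampered ones look recent.
        old = time.time() - 30 * 86400
        for rel in ("wp-config.php", "wp-content/themes/demo/functions.php"):
            os.utime(site / rel, (old, old))

        return {
            "recent": find_recent(site, 15),
            "diff": compare_to_manifest(site, manifest),
        }


if __name__ == "__main__":
    print(demo())
```

Against a real site you would build the manifest from a fresh download of the same WordPress version (or a trusted backup) and point `compare_to_manifest` at the document root. A PHP file under wp-content/uploads, as in the constructed case, deserves a close look on its own, since that folder should only hold media.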
Next, we shall see how to remove any malware infections from WordPress files and database.
Step 2 – How to Remove a WordPress Malware Infection
Now that you have detected the presence of malware on your website, you can proceed to remove the malware and restore your website to its previously clean state. For a manual cleanup process, you can choose to replace the infected files with fresh files (after downloading a new WordPress version) or with corresponding data from a recent backup version.
Here’s how you can manually remove malware from infected website files:
- Sign in to your WordPress server using any FTP tool.
- Next, make a list of all the recently modified WordPress files.
- Replace the modified files with the corresponding files from the WordPress download or backup.
- Edit any customized files using a text editor by removing any suspicious code.
Similarly, you can manually remove malware from infected database tables:
- Sign in to your WordPress database administrator panel.
- Search for any suspicious database tables containing spam keywords or suspicious links.
- Manually delete the suspicious entries or content from the database tables.
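An added example (not from the original article) of the database search the list above describes, written in Python against an in-memory SQLite stand-in for wp_posts and wp_options with constructed rows so it runs offline. The LIKE patterns, the `.invalid` host names and the expected site URL are assumptions made for the demonstration; with the patterns filled in as literals, the same SELECT statements run against the live MySQL database in phpMyAdmin or the mysql client.

```python
"""
Added example (not from the original article): searching post content for
injected markup and off-site links, and checking the two options that
control where a site sends visitors. Tables and rows below are constructed
stand-ins for wp_posts and wp_options, not data from any real site.
"""
import re
import sqlite3
from typing import Dict, List, Tuple

# Assumed indicator patterns: injected script/iframe tags, hidden elements
# and evaluated code are typical of the spam injections described above.
SUSPICIOUS_PATTERNS = ["%<script%", "%<iframe%", "%display:none%", "%eval(%"]

# Pulls the host out of href="..." / src="..." attributes pointing at http(s) URLs.
LINK_RE = re.compile(r'(?:href|src)=["\']https?://([^/"\'\s]+)', re.IGNORECASE)


def build_demo_db() -> sqlite3.Connection:
    """In-memory stand-in for wp_posts and wp_options with constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE wp_posts (ID INTEGER PRIMARY KEY, post_title TEXT, post_content TEXT)")
    conn.execute("CREATE TABLE wp_options (option_name TEXT PRIMARY KEY, option_value TEXT)")
    conn.executemany("INSERT INTO wp_posts VALUES (?, ?, ?)", [
        (1, "Welcome", "<p>Thanks for visiting.</p>"),
        (2, "Services", '<p>See <a href="https://example.com/services">our services</a>.</p>'),
        (3, "Summer sale", '<p>Great deals.</p><div style="display:none">'
                           '<a href="http://cheap-pills.invalid/">buy</a></div>'),
        (4, "About us", '<p>Who we are.</p><script src="http://malicious-cdn.invalid/x.js"></script>'),
    ])
    conn.executemany("INSERT INTO wp_options VALUES (?, ?)", [
        ("siteurl", "https://example.com"),
        ("home", "http://redirect.invalid"),   # constructed: tampered redirect target
    ])
    return conn


def find_suspicious_posts(conn: sqlite3.Connection,
                          patterns: List[str] = SUSPICIOUS_PATTERNS) -> List[Tuple[int, str]]:
    """(ID, post_title) of posts whose content matches any LIKE pattern."""
    where = " OR ".join("post_content LIKE ?" for _ in patterns)
    sql = f"SELECT ID, post_title FROM wp_posts WHERE {where} ORDER BY ID"
    return conn.execute(sql, patterns).fetchall()


def find_offsite_links(conn: sqlite3.Connection, own_host: str) -> List[Tuple[int, str]]:
    """(ID, host) for every link or script source that points away from own_host."""
    hits = []
    for post_id, content in conn.execute("SELECT ID, post_content FROM wp_posts ORDER BY ID"):
        for host in LINK_RE.findall(content):
            if host.lower() != own_host.lower():
                hits.append((post_id, host.lower()))
    return hits


def check_site_urls(conn: sqlite3.Connection, expected: str) -> Dict[str, str]:
    """siteurl/home values that differ from the expected address (a redirect hack tampers with these)."""
    rows = conn.execute(
        "SELECT option_name, option_value FROM wp_options WHERE option_name IN ('siteurl', 'home')"
    )
    return {name: value for name, value in rows if value != expected}


if __name__ == "__main__":
    db = build_demo_db()
    print("suspicious posts:", find_suspicious_posts(db))
    print("off-site links:  ", find_offsite_links(db, "example.com"))
    print("bad site URLs:   ", check_site_urls(db, "https://example.com"))
```

Run the three checks in this order on a real database: injected markup first, then links to hosts you do not own, then the siteurl and home options, since a tampered home option explains the traffic redirection listed among the indicators earlier.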
In addition to malware removal, you also need to find and remove any backdoors that are left behind by hackers to enable repeated hacking of the website. These backdoors continue to exist even after a website cleanup is completed.
Hackers often embed backdoors in files whose names resemble core WordPress files but which sit in different folders. For example, backdoors could be injected into the wp-config.php file or into folders like /plugins, /themes, and /uploads. Backdoors could also be injected into common PHP functions like:
- And so on…
Manual cleanup of a hacked WordPress website requires technical know-how. Additionally, skilled hackers can hide malicious code behind other keywords that such manual methods cannot detect. A much better alternative is to install and deploy an automated malware removal tool or plugin that does this job for you.
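The following is an added example, not code from the article, of the kind of first-pass review described above: it scans PHP files for calls to functions that legitimate theme and plugin code rarely needs (code execution, the decoding and decompression helpers used to hide payloads, shell-out functions) and for long base64-looking string literals. The function list and the two sample files are assumptions constructed for the demonstration. It also makes the limitation just mentioned concrete: the scan matches literal function names only, so code that hides them scores zero, which is why the article recommends an automated tool as the safer option.

```python
"""
Added example (not from the original article): a first-pass scanner for
backdoor indicators in PHP files. The indicator list below is an assumption
for the demonstration, not a complete signature set: it catches the plainly
written cases a manual review would catch and nothing cleverer.
"""
import re
from typing import Dict, List, Tuple

# Assumed indicator list: code execution, payload decoding/decompression,
# and shell-out functions that theme or plugin code almost never needs.
RISKY_CALLS = [
    "eval", "assert", "create_function",
    "base64_decode", "gzinflate", "gzuncompress", "str_rot13",
    "system", "exec", "shell_exec", "passthru", "popen", "proc_open",
]
CALL_RE = re.compile(r"\b(" + "|".join(RISKY_CALLS) + r")\s*\(")
# A quoted run of 80+ base64-alphabet characters is unusual in hand-written code.
BLOB_RE = re.compile(r"['\"][A-Za-z0-9+/=]{80,}['\"]")


def scan_php(source: str) -> List[Tuple[int, str]]:
    """Return (line_number, indicator) pairs for one PHP file's contents."""
    findings = []
    for lineno, line in enumerate(source.splitlines(), start=1):
        for m in CALL_RE.finditer(line):
            findings.append((lineno, f"call:{m.group(1)}"))
        if BLOB_RE.search(line):
            findings.append((lineno, "long-base64-literal"))
    return findings


def scan_files(files: Dict[str, str]) -> Dict[str, List[Tuple[int, str]]]:
    """Scan a mapping of path -> contents; only files with findings are returned."""
    report = {}
    for path, source in files.items():
        hits = scan_php(source)
        if hits:
            report[path] = hits
    return report


# Constructed sample files; none of this is real WordPress, theme or plugin code.
BLOB = "QUFB" * 25  # 100 characters from the base64 alphabet; decodes to nothing useful
SAMPLE_FILES = {
    "wp-content/themes/demo/functions.php": (
        "<?php\n"
        "add_action('init', 'demo_init');\n"
        "function demo_init() { register_nav_menu('main', 'Main'); }\n"
    ),
    "wp-content/uploads/2019/06/cache.php":
        "<?php\n$p = '" + BLOB + "';\neval(gzinflate(base64_decode($p)));\n",
}


def demo() -> Dict[str, List[Tuple[int, str]]]:
    """Scan the constructed samples; only the planted file should be reported."""
    return scan_files(SAMPLE_FILES)


if __name__ == "__main__":
    for path, hits in demo().items():
        print(path)
        for lineno, what in hits:
            print(f"  line {lineno}: {what}")
```

A hit is a reason to read the file, not proof of infection: some legitimate plugins call base64_decode, for example. Conversely a clean report from this scanner means only that nothing was written out plainly, so treat it as a triage aid alongside a proper security plugin rather than a substitute for one.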
Step 3 – Reinstalling the WordPress and Plugins/Themes
After performing the malware cleanup, your next step is to reinstall WordPress along with the latest versions of the WordPress plugins/themes. You should always be careful when choosing a WordPress theme or plugin and ensure that it is regularly updated. Outdated plugins and themes are a major security vulnerability.
Download and reinstall the latest available WordPress version in the default “public_html” folder or in whichever subfolder it was previously installed. After installing, edit the wp-config.php file in the fresh install to include the database credentials (as configured in the previous install). This ensures that the new WordPress installation connects to your existing database.
Next, reinstall the existing WordPress plugins with the latest available versions from the WordPress plugin repository or the respective third-party plugin website. Do not reinstall any plugins that have been abandoned or are no longer being used.
Finally, for WordPress themes, reinstall a fresh copy of all the themes from the official WordPress theme repository or third-party theme website. For any customized themes, refer to the existing backup copy of the theme and replicate the changes in the installed theme.
Step 4 – Reset all Usernames and Passwords
The next step is to reset all your existing user credentials. Before doing that, you must manually remove any suspicious users from your WordPress account. Log in to the WordPress admin account and delete any such users from the “Users” section.
Finally, log in to the WordPress account as an “admin” user and reset all the current usernames and passwords.
Step 5 – Rescan Your Cleaned WordPress Site
As the final step in malware removal, you must run a complete malware scan once again to ensure that no malicious code or backdoors remain on your cleaned website.
While a manual scan of the website can be time-consuming and unreliable in finding the latest backdoor variants, security plugins are much more time- and cost-effective in finding and removing backdoors.
How to Prevent Future Malware Attacks
After a complete cleanup of your malware, you want to ensure that your WordPress website does not get hacked or compromised again in the future. To ensure this, you can take some precautionary measures, including:
- Regularly update the WordPress version and installed plugins/themes to their latest versions.
- Switch your website to a more secure web host provider.
- Download and install plugins/themes only from trusted sources like the official WordPress repository.
- Download and install a WordPress security plugin that can protect your website from a variety of attacks.
A hacked website can seem like the end of your online business. That is why it’s important to actively protect your site from hackers. However, despite the challenges, hacked WordPress websites can be restored to normal with timely corrective action. Backups are a great way to ensure you always have something to fall back on.
Make sure you have a comprehensive and reliable backup strategy at all times. The easy availability and use of automated plugins like MalCare or Sucuri that combine both security and backups can go a long way to make sure your website and business are always on.
Author: Nickey BlogVault
Akshat Choudhary has always prided himself on his ability to teach himself things. Since starting BlogVault, Akshat has transformed his side-project into a profitable venture that is scaling new heights in the Indian startup space. Being a member of the WordPress community for almost a decade, Akshat is keen on understanding the areas where users struggle. Akshat's core belief behind building any product is making sure the end-user doesn't need assistance and to assist them in the best possible manner if they do.