WordPress Malware Removal

Over the past few years I have recovered more than 20 malware-infected WordPress sites and, luckily, I have never encountered one I couldn’t fix. Removing malware from WordPress sites, often as a matter of urgency, has given me an insight into the architecture and components of a WordPress installation, so I have put together a brief guide to help readers fix their own sites (contact me if you need more help).

WordPress architecture

First, to understand how to fix a WordPress site it is important to understand the basic components of a WordPress site (aside from the LAMP stack it runs on). In very simple terms the components are as follows:

  1. SQL database (contains all site settings, text content, menu structures etc.)
  2. Series of files and folders found in the root (public_html) directory, which the site's domain points to (lots of PHP files and folders, many of which are hidden and inaccessible from the outside world). These must be further broken down into:
    1. Core WordPress files/folders (which are the same for all WordPress sites, with a couple of exceptions)
    2. wp-content directory contents (which are unique to every WordPress site; this folder contains uploads, images, themes, plugins etc. in a series of sub-directories)

It's also important to understand what happens to a WordPress site when it gets hacked. In my experience, when a site gets infected any combination of the following usually happens:

  • Many of the original WordPress PHP files get injected with malicious code
  • Malicious PHP files appear throughout many directories of the site
  • Malicious HTML files appear throughout many directories of the site (often thousands)
  • Malicious users are created with administrator logins
  • Malicious plugins are installed
  • If other sites share the same hosting account (shared home directory) they can also become compromised
  • Files can get deleted (although luckily this doesn't normally happen)
  • The database can become damaged (although luckily this doesn't normally happen)

Of course the best course for recovery is to delete the infected site and restore it from an uninfected backup, but quite often a good backup is unavailable (as has often been the case with my clients).

When no good backup is available we must look to recover what is left. I generally follow the steps below:

Step 1. See how the site behaves and inspect the files on the server

When a site is hacked, typically the site is down, a message showing that the site has been hacked is displayed, malicious links are inserted into the pages, PHP errors are displayed, or sometimes the site shows no visible sign of being hacked at all. We also may or may not be able to log in to the administrative dashboard.

We then need to inspect the files on the server and look for any unusual-looking files throughout the directories. We also need to look at the contents of the PHP files for anything that appears out of place. Quite often malicious code is easy to spot because it looks clearly different from regular code (thankfully).
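The file inspection described above can be turned into a repeatable triage pass. The script below is an added example, not part of the original guide: it builds a worklist of PHP files containing the obfuscation markers that injected code tends to use (eval, base64_decode, gzinflate and friends), PHP files sitting under wp-content/uploads (which should hold only media), and files changed within a given number of days. The marker list is a heuristic of my own, the directory layout is the standard WordPress one, and the sample tree it scans is constructed inline with inert placeholder text rather than real malware.

```shell
#!/bin/sh
# Added triage script (not from the original guide): builds a worklist of files
# matching the three things the guide says to look for during Step 1.
# Nothing is modified or deleted; every hit still needs a human look.

# Markers that commonly appear in injected PHP loaders. Some legitimate
# plugins use base64_decode too, so treat matches as leads, not verdicts.
SUSPICIOUS_RE='eval *\(|base64_decode *\(|gzinflate *\(|gzuncompress *\(|str_rot13 *\(|create_function *\('

# PHP files under the tree at $1 whose contents match the marker regex.
scan_suspicious_php() {
    find "$1" -type f -name '*.php' -exec grep -l -E "$SUSPICIOUS_RE" {} + 2>/dev/null | sort
}

# PHP files under wp-content/uploads of the install at $1. WordPress stores
# only media there, so a .php file in uploads is out of place by definition.
scan_php_in_uploads() {
    find "$1/wp-content/uploads" -type f -name '*.php' 2>/dev/null | sort
}

# Files under $1 modified within the last $2 days, to line up with the
# incident window (mtimes can be forged, so no hit here proves nothing).
scan_recent_files() {
    find "$1" -type f -mtime "-$2" | sort
}

# Constructed sample tree used by the demo: a clean core-like file, a plugin
# with a legitimate base64 call (expected false positive), a file carrying a
# typical loader pattern, and a .php dropped into uploads. All are inert text.
make_sample_tree() {
    root=$(mktemp -d)
    mkdir -p "$root/wp-includes" "$root/wp-content/uploads/2023/01" "$root/wp-content/plugins/hello"
    printf '<?php\nfunction wp_example() { return 1; }\n' > "$root/wp-includes/functions.php"
    printf '<?php\n$greeting = base64_decode("aGVsbG8=");\n' > "$root/wp-content/plugins/hello/hello.php"
    printf '<?php\neval(gzinflate(base64_decode("...")));\n' > "$root/wp-includes/class-wp-cache.php"
    printf '<?php\necho "placeholder";\n' > "$root/wp-content/uploads/2023/01/image.php"
    echo "$root"
}

# Run all three scans over a tree ($1) and print a labelled worklist;
# $2 is the lookback window in days (default 7).
triage_report() {
    scan_suspicious_php "$1" | sed 's/^/SUSPICIOUS-CODE  /'
    scan_php_in_uploads "$1" | sed 's/^/PHP-IN-UPLOADS   /'
    scan_recent_files "$1" "${2:-7}" | sed 's/^/RECENTLY-CHANGED /'
}

# Demo on the constructed tree, then clean up
SAMPLE=$(make_sample_tree)
triage_report "$SAMPLE" 1
rm -rf "$SAMPLE"
```

On a real site, point triage_report at the document root and a window that covers the suspected compromise date; the plugin hit in the demo shows why every SUSPICIOUS-CODE line still needs to be read rather than deleted blindly.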

Depending on what we find, an easy fix may sometimes be possible. However, for the purposes of this guide I will assume the site is completely infected and full of malicious files.

Step 2. Archive the infected website

The first thing I do is take a complete backup of the infected website (all files/folders in the root directory) and also export a copy of the database.

Step 3. Take the infected site offline

The best way to do this in our case is to replace the .htaccess file with a new one containing the following code (be sure to back up the old one first):

RewriteEngine on
# Allow only your own IP address through (replace 111.111.111.111)
RewriteCond %{REMOTE_ADDR} !^111\.111\.111\.111
# Do not redirect the maintenance page itself, or the redirect would loop
RewriteCond %{REQUEST_URI} !/503.php$ [NC]
# Send every other request to the maintenance page
RewriteRule .* /503.php [R=302,L]

A .htaccess file with the above code in the root (public_html) directory sends every visitor except your own IP address to /503.php (which must exist in that same directory), so neither the website nor any file on it is publicly accessible and the site is effectively offline. This relies on Apache's mod_rewrite; a server running nginx ignores .htaccess files.
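The following helper is an added example and not part of the original guide: it writes the Step 3 .htaccess for a given recovery IP address and also creates the 503.php that the rule points at, which the snippet above takes for granted. Two details go beyond the snippet: the IP pattern is end-anchored so that 203.0.113.5 does not also admit 203.0.113.50, and the maintenance page sends a real HTTP 503 with a Retry-After header so that search engines treat the outage as temporary instead of indexing the maintenance text. The function names, the .htaccess.pre-503 backup name and the demo directory are my own choices.

```shell
#!/bin/sh
# Added helper (not part of the original guide): writes the Step 3 .htaccess
# for one recovery IP and creates the 503.php it redirects to.
# Requires Apache with mod_rewrite and AllowOverride enabled for the site.

# Only accept a plain dotted quad, so nothing but digits and dots can reach
# the rewrite rule (the shell never interprets it, but the regex would).
is_ipv4() {
    printf '%s' "$1" | grep -E -q '^[0-9]{1,3}(\.[0-9]{1,3}){3}$'
}

# Escape the dots so the IP is matched literally inside the RewriteCond regex.
escape_ip() {
    printf '%s' "$1" | sed 's/\./\\./g'
}

# Take the site rooted at $1 offline for every address except $2.
# An existing .htaccess is kept as .htaccess.pre-503 (the guide's "back up the old one").
take_site_offline() {
    root=$1
    ip=$2
    is_ipv4 "$ip" || { echo "not an IPv4 address: $ip" >&2; return 1; }
    if [ -f "$root/.htaccess" ]; then
        cp "$root/.htaccess" "$root/.htaccess.pre-503"
    fi
    esc=$(escape_ip "$ip")
    cat > "$root/.htaccess" <<EOF
RewriteEngine on
# Let only the recovery workstation through
RewriteCond %{REMOTE_ADDR} !^${esc}\$
# Do not redirect the maintenance page itself (avoids a redirect loop)
RewriteCond %{REQUEST_URI} !/503.php\$ [NC]
RewriteRule .* /503.php [R=302,L]
EOF
    cat > "$root/503.php" <<'EOF'
<?php
// Send a genuine 503 with Retry-After so search engines keep the site indexed
// instead of treating the maintenance page as the new content.
http_response_code(503);
header('Retry-After: 3600');
header('Content-Type: text/html; charset=utf-8');
?>
<!DOCTYPE html>
<html><head><title>Temporarily offline</title></head>
<body><h1>This site is temporarily offline for maintenance.</h1></body>
</html>
EOF
}

# Demo on a constructed directory: prints the generated rules, then cleans up
demo_root=$(mktemp -d)
printf '# previous rules\n' > "$demo_root/.htaccess"
take_site_offline "$demo_root" 203.0.113.5 && cat "$demo_root/.htaccess"
rm -rf "$demo_root"
```

Run it as take_site_offline /path/to/public_html YOUR.IP.ADD.RESS; once recovery is finished, restoring .htaccess.pre-503 (or letting WordPress regenerate the file from Permalinks) brings the site back.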

Step 4. Make a development copy of the site

I make a development copy of the site by reinstalling it on another server (or hosting account). Note that I do not simply put all the files back on the server and upload the database (so I do not make an exact copy of the site). Instead:

  1. Install a fresh copy of WordPress, which provides a clean, uninfected site to start with (remember that the majority of files in a WordPress installation outside the wp-content directory are common to all WordPress sites).
  2. Delete the wp-content directory of this new install and drop all tables in its database.
  3. Copy the wp-content folder from the original site across and import the original database.
  4. Find the options table in the database and go through its records, updating the site's base URL (domain/IP) and the root directory of the server to match the new development environment (I use phpMyAdmin for this).
  5. Edit the wp-config.php file and set the database table prefix so that the new WordPress install works with the imported database records.
  6. Inspect the wp-content directory and its sub-directories to see whether any obvious malicious files have been copied across. If I come across anything malicious in themes or plugins, I make a note of all the themes and plugins in use and delete their folders (I download the original theme/plugin files directly from the WordPress repository or the author's website and put them back later). Any other malicious files anywhere in the wp-content directory should also be deleted.
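The reason a fresh install works as a clean base is that everything outside wp-content is identical across installs of the same WordPress version, which also means the original (infected) tree can be checked against a clean download file by file. The script below is an added example, not the guide's own procedure: it compares a suspect tree with a clean copy and reports core files whose contents differ, core files that have gone missing, and files present in the suspect tree that a fresh copy does not have. The skip list (wp-content, wp-config.php, .htaccess) and the sample trees are my own constructions; the sample "injected" line is inert text.

```shell
#!/bin/sh
# Added example (not from the original guide): checks a suspect WordPress tree
# against a clean copy of the same version. Reports MODIFIED / MISSING core
# files and EXTRA files a fresh copy does not ship. Site-specific paths are
# skipped because they legitimately differ between installs.

# Paths that legitimately differ between installs and are therefore not compared.
is_site_specific() {
    case "$1" in
        wp-content/*|wp-config.php|.htaccess) return 0 ;;
        *) return 1 ;;
    esac
}

# Relative paths of all regular files under $1, one per line, sorted.
list_files() {
    (cd "$1" && find . -type f | sed 's|^\./||' | sort)
}

# Compare clean tree $1 with suspect tree $2: prints MODIFIED / MISSING lines
# for core files whose content differs or which are absent from the suspect tree.
modified_core_files() {
    clean=$1; suspect=$2
    list_files "$clean" | while IFS= read -r rel; do
        if is_site_specific "$rel"; then continue; fi
        if [ ! -f "$suspect/$rel" ]; then
            echo "MISSING  $rel"
        elif ! cmp -s "$clean/$rel" "$suspect/$rel"; then
            echo "MODIFIED $rel"
        fi
    done
}

# Files in suspect tree $2 (outside site-specific paths) that clean tree $1
# does not contain. A fresh core ships no such files, so each one needs a look.
extra_files() {
    clean=$1; suspect=$2
    list_files "$suspect" | while IFS= read -r rel; do
        if is_site_specific "$rel"; then continue; fi
        [ -f "$clean/$rel" ] || echo "EXTRA    $rel"
    done
}

# Constructed pair of trees for the demo: the suspect copy has one core file
# with an appended line, one core file removed, one unexpected file in
# wp-includes, and site-specific files that must be ignored.
# Prints the two paths as "CLEAN SUSPECT".
make_sample_trees() {
    clean=$(mktemp -d); suspect=$(mktemp -d)
    for t in "$clean" "$suspect"; do
        mkdir -p "$t/wp-includes" "$t/wp-admin" "$t/wp-content/themes/demo"
        printf '<?php\nrequire __DIR__ . "/wp-blog-header.php";\n' > "$t/index.php"
        printf '<?php\nfunction wp_example() { return 1; }\n' > "$t/wp-includes/functions.php"
        printf '<?php\necho "admin";\n' > "$t/wp-admin/index.php"
        printf '/* theme */\n' > "$t/wp-content/themes/demo/style.css"
    done
    printf 'GPL\n' > "$clean/license.txt"
    printf 'eval(base64_decode("..."));\n' >> "$suspect/wp-includes/functions.php"
    printf '<?php\necho "not part of core";\n' > "$suspect/wp-includes/class-wp-cache.php"
    printf '<?php\ndefine("DB_NAME", "site");\n' > "$suspect/wp-config.php"
    printf 'RewriteEngine on\n' > "$suspect/.htaccess"
    echo "$clean $suspect"
}

# Demo run on the constructed trees, then clean up
set -- $(make_sample_trees)
echo "== core files that differ from the clean copy =="
modified_core_files "$1" "$2"
echo "== files not present in a clean copy =="
extra_files "$1" "$2"
rm -rf "$1" "$2"
```

On a real recovery, the clean tree is an unpacked download of the exact same WordPress version and locale as the infected site; if WP-CLI is available, wp core verify-checksums does the same comparison against the checksums WordPress.org publishes, without needing a local clean copy.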

Step 5. Open the development copy and login to the administrative area

I then check whether I can access the development version of the site. The homepage and WordPress login page should now be accessible. I log in, and the first thing I do is go to Permalinks and click Save, which rebuilds the permalink rewrite rules and makes the inner pages accessible again. The site should now be fully working and accessible.

Step 6. Check for malicious plugins/themes

I then check whether any plugins or themes were deleted in the previous steps. If so, there will be a notification that their files cannot be found. In that case simply download any missing plugins or themes; all of their settings should be restored automatically, as they are held in the database we imported. I then check whether any malicious plugins have been installed by viewing the list of plugins. If I find anything I don't recognise I research it, and if I cannot work out what it is I delete it.

Step 7. Check for malicious users

Then I check whether any unknown users with administrator access have been created. If I find any I delete them.

Step 8. Use Wordfence

Then I install Wordfence, go through its entire setup, set the scan to high sensitivity and to check everything, and run a Wordfence scan. Once the scan finishes it tells me whether any malicious files remain or whether anything has changed. False positives show up quite often, but they should be easy to distinguish. Anything found should only be in the wp-content directory, and those files should be fixed or deleted. If any plugin or theme directory is found to contain infected files, the entire directory should be deleted and the plugin/theme downloaded again and reinstalled.

I then set up Wordfence's firewall and adjust the security settings to protect the site against further attacks.

Step 9. Update everything

Make sure WordPress core and all plugins and themes are updated to their latest versions. If there are any custom or paid plugins, pay special attention to them to make sure they weren't how the site was compromised.

Step 10. Change login username + password

One final step should be to change the username and password of every administrator account.

Step 11. Restore the original site

By now the site should appear to be completely restored to how it was before the hack. The recommended course of action now is to move this development site into place to replace the original. Once that is done, hey presto, your site should be back up and running again.

Need WordPress malware removal help?

If you have a WordPress site to fix and you don't want to do it yourself, or the above guide doesn't work for you, I can fix your site for a fee.

Please contact me directly if you need help, as I offer a WordPress malware removal service to fix any hacked site. My work is guaranteed for 3 months (provided you keep the site updated) and if I can't fix it I will give you a full refund.