If your WordPress site has been infected with malware, don’t worry – there are steps you can take to remove it and prevent future infections.
In this post, we’ll show you how to remove malware from your WordPress site, as well as some extra tips on how to secure your site against future infections.
Note: This is a very high-level guide, and malware removal can get quite involved. Always speak to a specialist if you have any doubt.
Take your site offline!
You would rather your visitors see that you’re running maintenance rather than getting redirected to some dodgy link farm.
Take your site offline straight away – your hosting provider should help with this.
Tip: In your hosting panel, check for a setting that can suspend your site.
Backup your infected site
Create a full backup of your infected site. Yes, you read that right. If anything goes wrong, you can always revert and start again.
You must back up:
- Everything in your public HTML folder (root)
- Your database (full export)
Download this backup and save it locally on your computer (mark the file as ‘infected’ or something similar).
Tip: Any decent hosting provider should offer this. If not, use their file manager to zip all the files and phpMyAdmin to export the database.
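If you have SSH access to your host, the same two backups can be taken from the command line. The script below is an added example, not something from the original post or from Spidrweb: it assumes the web root, the database name and a quarantine folder are passed in as arguments, and that mysqldump can already reach the database with your existing credentials. It archives the whole public folder (including dotfiles such as .htaccess, which attackers like to edit) and writes a checksum beside the archive so you can later prove the evidence file is unchanged.

```shell
#!/usr/bin/env bash
# Added example: snapshot the infected site before touching anything.
# Assumptions (not from the original post): ROOT is the public folder,
# OUTDIR is a quarantine folder, DBNAME is the WordPress database, and
# mysqldump already has credentials (e.g. via ~/.my.cnf).

# backup_files ROOT OUTDIR
# Archives the public folder with relative paths and records a SHA-256
# checksum next to the archive. Prints the archive path on success.
backup_files() {
    local root="$1" outdir="$2"
    local stamp archive
    stamp="$(date +%Y%m%d-%H%M%S)"
    archive="$outdir/INFECTED-site-files-$stamp.tar.gz"
    mkdir -p "$outdir" || return 1
    # '.' (not '*') so hidden files such as .htaccess are included.
    tar -czf "$archive" -C "$root" . || return 1
    # Verify later with: (cd OUTDIR && sha256sum -c <archive>.sha256)
    ( cd "$outdir" && sha256sum "$(basename "$archive")" > "$archive.sha256" ) || return 1
    printf '%s\n' "$archive"
}

# backup_database DBNAME OUTDIR
# Full, consistent export including routines and triggers (injected code
# has been found hiding in stored routines, so do not leave them out).
backup_database() {
    local db="$1" outdir="$2"
    local stamp dump
    stamp="$(date +%Y%m%d-%H%M%S)"
    dump="$outdir/INFECTED-db-$db-$stamp.sql"
    mkdir -p "$outdir" || return 1
    mysqldump --single-transaction --routines --triggers "$db" > "$dump" || return 1
    gzip -f "$dump" || return 1
    printf '%s\n' "$dump.gz"
}

# Usage (on the host, then download the quarantine folder):
#   backup_files /var/www/html ~/quarantine
#   backup_database wp_prod ~/quarantine
```

Keep the archive and its .sha256 together when you download them; the checksum is what lets you show, weeks later, that the copy you hand to a specialist is the one you took on the day.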
Extract the website files
Open the zip file containing your infected site files and extract them to a folder somewhere on your computer.
Any infected files should be safe on your computer as you will not be executing any of them anyway (PHP files do nothing unless a web server or PHP interpreter runs them).
But to be sure, always run up-to-date antivirus software.
Record theme & plugins
Browse the infected files under /wp-content/themes/ and /wp-content/plugins/ and make a careful note of which theme and plugins you’re using. You will need this list later.
Re-download theme and plugins
Either check the WordPress theme repository / plugin repository or the theme / plugin vendor’s website and download the original files. We always go for the latest version where possible.
Save these somewhere – we’ll come back to them later.
If you cannot track down the original files for any plugin or theme, consider an alternative. If it’s no longer maintained or abandoned, it’s not worth risking your site again.
Download WordPress
Download the WordPress files from wordpress.org and save them alongside your theme and plugin files. Again, get the latest version available.
Rebuild file & folders
Create a new empty folder on your computer
WordPress
Extract the WordPress files we downloaded earlier into the new empty folder.
While you’re here, rename wp-config-sample.php to wp-config.php – we’ll come back and edit this later.
Theme
Extract the theme you downloaded from the WordPress repository or the theme author’s website. Save that (and any child theme) to the /wp-content/themes/ folder.
Plugins
Extract all your plugins to the /wp-content/plugins/ folder. And while you’re there, why not add a security plugin? iThemes, Wordfence, and Defender are all good contenders.
Uploads
Open the infected /wp-content/uploads/ and the new /wp-content/uploads/ side by side in your file explorer.
Go through each folder and copy across images and PDFs only. Most other folders, like caches or backups, are not needed. You can always come back to this if needed.
Make sure you do not copy any files that look suspicious. You shouldn’t have any PHP files in your media library, for example.
Note
Where possible, do not copy plugins or themes from your old infected site unless you are 100% sure they are clean. A good eye for code and dodgy files is needed here.
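Going through a large uploads folder by eye is slow, and a file called photo.jpg can still carry PHP inside it. The script below is an added example (not code from the original post or from Spidrweb) that does the uploads step above mechanically: it walks the infected uploads folder, copies only files with an image or PDF extension into the new folder at the same relative path, and refuses anything whose contents contain a PHP open tag. It assumes the two folders are passed as arguments; SVG is deliberately left off the allow-list because it can contain scripts.

```shell
#!/usr/bin/env bash
# Added example: copy only media files from the infected uploads folder to
# the rebuilt one, skipping everything else and flagging "images" that
# actually contain PHP. Assumption (not from the post): SRC and DST are
# passed as arguments; paths with newlines in them are not handled.

# is_media_name NAME -> 0 if the extension is on the allow-list.
# SVG is excluded on purpose: it is XML and can carry scripts.
is_media_name() {
    case "$(printf '%s' "$1" | tr 'A-Z' 'a-z')" in
        *.jpg|*.jpeg|*.png|*.gif|*.webp|*.pdf) return 0 ;;
        *) return 1 ;;
    esac
}

# looks_like_php FILE -> 0 if the file contains a PHP open tag anywhere.
# A genuine JPEG/PNG/PDF never legitimately contains "<?php"; a polyglot
# image with PHP appended is a classic hiding place, so it gets skipped.
looks_like_php() {
    grep -q -a -i -E '<\?php|<\?=' -- "$1"
}

# copy_clean_uploads SRC DST
# Prints one line per file: COPIED / SKIPPED-TYPE / SKIPPED-PHP, followed
# by the path relative to SRC, so the decisions can be reviewed afterwards.
copy_clean_uploads() {
    local src="$1" dst="$2" f rel
    find "$src" -type f | LC_ALL=C sort | while IFS= read -r f; do
        rel="${f#"$src"/}"
        if ! is_media_name "$rel"; then
            printf 'SKIPPED-TYPE %s\n' "$rel"
        elif looks_like_php "$f"; then
            printf 'SKIPPED-PHP  %s\n' "$rel"
        else
            mkdir -p "$dst/$(dirname "$rel")"
            cp -p -- "$f" "$dst/$rel"
            printf 'COPIED       %s\n' "$rel"
        fi
    done
}

# Usage:
#   copy_clean_uploads ~/infected/wp-content/uploads ~/rebuild/wp-content/uploads | tee uploads-review.log
```

Keep the log: every SKIPPED-PHP line is a file worth handing to whoever investigates how the site was compromised, and every SKIPPED-TYPE line tells you what a plugin had stored in uploads that you may need to regenerate.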
Review & clean database
This can get quite involved and requires knowledge of the database structure and of the plugins you’re using. For the most part, you need to identify and remove any suspicious links, iframes, base64_decode, shell_exec etc. There’s more detail on the WPDataTables website.
If your database is large in size, this can be quite a daunting and time consuming task.
If in any doubt – seek professional help.
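A first pass over a large database is much quicker against the SQL export you already downloaded than inside phpMyAdmin. The script below is an added example, not code from the original post or from Spidrweb: it scans a mysqldump/phpMyAdmin export for the indicators mentioned above (plus a few PHP functions that injected code in wp_options is usually wrapped in) and prints the line number, the table and the indicator for each hit, with a per-table summary. It assumes the standard `INSERT INTO \`table\`` statement layout; with extended inserts one line may hold many rows, so the line number points you at the statement, not the individual row.

```shell
#!/usr/bin/env bash
# Added example: grep a plain-text database export for indicators of
# injected content and report which table each hit belongs to.
# Assumption (not from the post): a mysqldump/phpMyAdmin SQL file with
# "INSERT INTO `table` ..." statements, one statement per line.

# scan_sql_dump DUMP.sql
# Prints "<line><TAB><table><TAB><indicator>" for every indicator found,
# matching case-insensitively. <iframe, base64_decode and shell_exec are
# the post's own indicators; eval(, gzinflate and str_rot13 are added as
# the usual wrappers around injected PHP. Every hit still needs a human
# look - a legitimately embedded video is also an iframe.
scan_sql_dump() {
    awk '
        BEGIN {
            n = split("<iframe|base64_decode|shell_exec|eval[(]|gzinflate|str_rot13", ind, "|")
        }
        /^INSERT INTO `/ {
            table = $3
            gsub(/`/, "", table)
            line = tolower($0)
            for (i = 1; i <= n; i++)
                if (line ~ ind[i]) print NR "\t" table "\t" ind[i]
        }
    ' "$1"
}

# summarise_hits DUMP.sql -> "<count><TAB><table>" per table, most hits first.
# Tables you did not expect to see here (wp_options, wp_usermeta) deserve
# attention before the post content does.
summarise_hits() {
    scan_sql_dump "$1" | cut -f2 | sort | uniq -c | sort -rn | awk '{print $1 "\t" $2}'
}

# Usage:
#   gunzip -k INFECTED-db-wp_prod.sql.gz
#   summarise_hits INFECTED-db-wp_prod.sql
#   scan_sql_dump INFECTED-db-wp_prod.sql | less
```

Once you know which line and table a hit lives in, open the export at that line (or query the table in phpMyAdmin by the row id you see there) and decide whether the content is yours or was injected.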
Change hosting passwords
Change ALL your passwords at your hosting provider.
Re-create database and import
You should now have a clean version of your database.
Delete the old database and user at your hosting provider.
Create a new database and user, ensuring you have a strong password in place. Record these credentials as we will need them for wp-config.php.
Import your clean database.
wp-config.php
Open the new wp-config.php file and set the user and password of your new database.
Upload files
Delete all the old files in your public folder at your host, then re-upload all the files from your new folder. Ensure all permissions are correct for WordPress files and folders:
Folders are usually 755.
Files should be 644, and wp-config.php should be 640.
For more details, see https://wordpress.org/support/article/hardening-wordpress/#file-permissions
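Over SSH, the permissions above can be applied and then checked in one go rather than file by file in the host’s file manager. The functions below are an added example, not code from the original post or from Spidrweb: fix_permissions applies exactly the modes listed (755 directories, 644 files, 640 wp-config.php) and check_permissions prints anything that deviates, returning non-zero if it finds something. It assumes you own the files and that your host serves PHP as your own user; some shared hosts need group access for the web server, so check their documentation before tightening further.

```shell
#!/usr/bin/env bash
# Added example: apply and verify the file permissions from the post.
# Assumption (not from the post): ROOT is the WordPress root, the files
# are owned by the account running this, and the host's PHP runs as that
# same account (if it runs as a separate web-server user, 640 on
# wp-config.php needs that user in the file's group).

# fix_permissions ROOT
# 755 for every directory, 644 for every file, 640 for wp-config.php.
fix_permissions() {
    local root="$1"
    find "$root" -type d -exec chmod 755 {} + || return 1
    find "$root" -type f -exec chmod 644 {} + || return 1
    if [ -f "$root/wp-config.php" ]; then
        chmod 640 "$root/wp-config.php" || return 1
    fi
}

# check_permissions ROOT
# Prints every path whose mode differs from the policy. Prints nothing and
# returns 0 when the tree is compliant, returns 1 otherwise. Run it after
# every upload: FTP clients and some plugins are known to loosen modes.
check_permissions() {
    local root="$1" bad
    bad="$(
        find "$root" -type d ! -perm 755
        find "$root" -type f ! -name wp-config.php ! -perm 644
        find "$root" -type f -name wp-config.php ! -perm 640
    )"
    if [ -n "$bad" ]; then
        printf '%s\n' "$bad"
        return 1
    fi
}

# Usage:
#   fix_permissions /var/www/html
#   check_permissions /var/www/html && echo "permissions OK"
```

If check_permissions keeps reporting the same paths after a fix, something on the host is changing them back (a deploy script, a caching plugin, a misconfigured FTP client), which is worth knowing before you go live.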
Test
Bring your site back online. You should see your home page with no errors. Log in to wp-admin and re-save your permalinks.
Bonus bits
Don’t use nulled themes or plugins
We get it – premium themes and plugins can get expensive. But there are always cheaper or even free alternatives out there. Nulled themes and plugins come at a cost to your reputation. Many of them are out of date, don’t receive updates and, in the end, you’re not supported either.
Why not try some free alternatives from the WordPress repository?
Use a reputable hosting provider
Most hosting providers have great security practices, but some do slip through at your expense. If it’s cheap, ask yourself why. Do your due diligence and read reviews.
Use SSL certificates
SSL certificates help you and your visitors establish a secure connection to your website. There’s no excuse not to have an SSL certificate. Let’s Encrypt offers free 90-day certs, as does ZeroSSL. Any good web host will offer these for free.
Use strong passwords and regularly change them
We cannot stress this enough. Having a simple password opens your site up to brute-force attacks. Check whether your passwords have appeared in a breach.
Use 2FA
Most WordPress security plugins offer the ability to enable 2FA (two-factor authentication). It only takes a moment to set up, and it is supported by some password managers too.
Security plugins
There’s loads of them. Just searching the WordPress repository for ‘Firewall’ or ‘Malware’ will reveal many security plugins.
Disable xml-rpc
We typically disable this at server level on our hosting platform, as it commonly gets abused. But nearly all WordPress security plugins can disable it.
Employ a good backup strategy
Last but definitely not least – Backup!
We always start with the 3-2-1 backup strategy.
You should have 3 copies of your website, on 2 different storage platforms, with at least 1 copy being offsite.
As a bonus – we also live replicate all Spidrweb’s hosted sites to another datacentre with a different provider.
Disclaimer
While every effort has been taken to ensure that this article is accurate, it’s not a simple case of one article fitting all. There are many different WordPress configurations, and something other than a malware infection could be wrong with your website. This is purely a guide and, if you’re ever in any doubt, you should seek professional advice from a developer or security expert.