In this guide, we will understand how to remove malware from a WordPress site. First of all, though, let’s clarify what malware is and what damage it can cause to your business.
If you use the web to sell or find new customers, having a secure website (from malware and more) is essential to avoid the onset of problems and convey the confidence needed to turn a simple visitor into a regular customer.
I know how difficult it is to grow an online business. Often, I come across great sites ruined by a lack of security focus. It is a pity because with a greater level of prudence they could achieve extraordinary results.
Let’s see, then, how you can increase the security of your site and how to remove any malware that has already attacked it. But before that, let’s understand what malware is.
What is Malware?
Malware is short for malicious software, which is malicious code.
It is a deliberately generic term that covers a whole range of security threats such as:
- Computer viruses
- Adware: programs that place unwanted advertisements;
- Spyware: software that collects information about users without their permission;
- Ransomware: prevents access to web pages and demands payment of a ransom to allow browsing.
Simply put, malware is a program (often in the form of a script) created to break into a computer system (a PC, server, application or website) and change its behavior.
WordPress, the world’s most popular website creation and management system, is one of hackers’ favorite targets. The CMS is built on open-source code that anyone can read: a real gift for attackers looking for security flaws to exploit in order to sneak in with their malware. But fear not: with the right care you can secure your website and protect it from any malicious code.
To counter these attacks, developers periodically release new versions of the core code to solve small problems and raise the level of security. That’s why it’s critical to keep WordPress up to date. When you choose not to update your site – out of laziness or because you’re afraid of making mistakes – you’re exposing your business to a threat.
With my work, I have come across hundreds of malware-infected sites that propagate over the internet taking advantage of the vulnerabilities of WordPress, its themes and plugins. Often the problem occurs due to the installation of unreliable or even “cracked” themes and plugins (nulled).
Choosing unsafe plugins is always a bad idea.
When malicious code runs on a site, it is likely to propagate as quickly as the flu. This is exactly the case where “prevention is better than cure” applies: a valid rule for both health and computer science. Avoiding getting sick is more effective than healing.
What If Your Site Has Malware?
Before we see how to remove malware from your WordPress site, let’s look at the issues it can cause once it manages to intrude.
Here are some of the problems, in order of severity, that I found on WordPress sites I came across.
- the visitor was redirected to external pages (online casino type, adult sites or other junk);
- on the pages of the site appeared advertisements not added by the owners;
- the virus executed code to mine cryptocurrencies;
- the site automatically sent spam emails;
- unknown users were administrators in the WordPress panel;
- users’ personal data was sent to third parties;
- links to sites that often penalize SEO.
As you can imagine, these are very unpleasant situations. At best they “only” compromise the reputation of an online business, but they can also cause serious damage to the security of the site and the personal information it contains.
How To Remove Malware From a WordPress Site?
The number one ally in malware removal is a regular program of backups of all site content. In some cases, in fact, you just need to restore a backup made before the infection and then perform the necessary updates to fix the problem.
Unfortunately, though, this solution alone is often not enough.
Sometimes a recent backup is not available or was not performed correctly. In other cases, the malware was detected too late and has therefore already infected the backup copies at your disposal. Not to mention those situations where the site receives continuous changes, as in the case of an e-commerce site that updates products and orders continuously. Performing a restore in these cases means bringing everything back to a previous state and losing many hours of work.
For e-commerce, our advice is to choose a real-time backup plan to create a full copy of the site whenever a new event occurs.
I can assure you that removing malware is a delicate operation that takes time and a lot of attention. Over the years, I have developed my own procedure that is divided into three parts:
- Preliminary analysis: to understand where the problem came from and what was compromised;
- WordPress site cleanup: to remove malware and restore corrupted files;
- Securing the site: to close the flaw that created the problem and prevent it from recurring in the future.
Let’s go into the details and delve into our method together.
First, let’s figure out where the problem originated and how it compromised the site.
1. Initial Backup
If you suspect you have malware – perhaps because the site shows advertising banners that you have not added or because it sends visitors away to strange portals – the first thing to do is a full backup of files and databases.
You can do this from your hosting panel or using a plugin like BackupWordPress.
2. Site Scanning
After you create a copy, scan your WordPress site for malware. Several plugins analyze the files and the database directly on the web server that hosts the site; in general, these plugins are more reliable than online scanning tools.
Here are my favorite plugins for the security of WordPress sites:
- Wordfence: allows you to analyze core files, themes and plugins by comparing them with the versions in the WordPress.org repository, so the plugin can detect any changes made by the malware. It also checks whether your site contains links to known phishing sites, a clear sign of compromise.
- Sucuri Security: detects malware through the Sucuri SiteCheck service and, like Wordfence, verifies the integrity of the files, links and iframes present on your site.
3. Identify Malware
Once the infected files are detected, it is very important to understand where the malware came from.
From our experience, 90% of the time malicious code exploits bugs already known and fixed by updates that have not been installed due to mismanagement of the site.
The security plugins mentioned above let you see the malicious lines of code: typically a series of strange characters (base64-encoded to hide what the script actually executes).
If you copy and paste these lines into Google you can often trace the type of malware and understand how it propagates. We may find, for example, that the malware that hit us exploits a bug present in old versions of Slider Revolution, one of the most frequently affected plugins.
This information will be useful later in the security of the site.
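As an added example (not the author’s code and not part of Wordfence or Sucuri), here is a small Python scanner that applies the checks from the scanning and identification steps above to a constructed WordPress tree: it flags PHP lines that decode and execute obfuscated code (eval with base64_decode and similar) or that carry a long base64-looking blob, and it base64-decodes the blob so you can read what the script really does before searching for it. The patterns and the sample files are assumptions built for this example.

```python
import base64
import os
import re
import tempfile

# Heuristic patterns for injected WordPress malware (constructed for this example):
# code decoded and executed at runtime, or a long opaque base64 blob.
SUSPICIOUS = [
    re.compile(r"eval\s*\(\s*(base64_decode|gzinflate|gzuncompress|str_rot13)\s*\("),
    re.compile(r"preg_replace\s*\(\s*['\"].*/e['\"]"),  # /e modifier runs the replacement as code
    re.compile(r"[A-Za-z0-9+/]{120,}={0,2}"),            # long base64-looking string
]
B64_BLOB = re.compile(r"[A-Za-z0-9+/]{40,}={0,2}")


def decode_preview(line, limit=60):
    """Base64-decode the first blob on a line so the analyst can read the hidden code."""
    match = B64_BLOB.search(line)
    if not match:
        return ""
    try:
        return base64.b64decode(match.group(0), validate=True)[:limit].decode("ascii", "replace")
    except ValueError:  # binascii.Error is a ValueError: not valid base64
        return ""

def scan_tree(root):
    """Return (relative path, line number, decoded preview) for each suspicious PHP line."""
    findings = []
    for dirpath, _, files in os.walk(root):
        for name in files:
            if not name.endswith((".php", ".inc")):
                continue
            path = os.path.join(dirpath, name)
            with open(path, encoding="utf-8", errors="replace") as fh:
                for lineno, line in enumerate(fh, 1):
                    if any(p.search(line) for p in SUSPICIOUS):
                        rel = os.path.relpath(path, root).replace(os.sep, "/")
                        findings.append((rel, lineno, decode_preview(line)))
    return findings

def build_sample_site():
    """Construct a tiny fake WordPress tree: one clean file and one injected file."""
    root = tempfile.mkdtemp(prefix="wp-scan-")
    os.makedirs(os.path.join(root, "wp-content", "uploads"))
    with open(os.path.join(root, "index.php"), "w") as fh:
        fh.write("<?php\nrequire __DIR__ . '/wp-blog-header.php';\n")
    payload = base64.b64encode(b"echo 'constructed demo payload';").decode()  # harmless stand-in
    with open(os.path.join(root, "wp-content", "uploads", "cache.php"), "w") as fh:
        fh.write("<?php\n/* dropped file */\neval(base64_decode('" + payload + "'));\n")
    return root
```

Run `scan_tree` against a copy of your site’s document root; each hit gives you the file, the line and the decoded text to search for.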
Once we’ve identified the problem, we’re going to check the damage and try to fix it as quickly as possible.
1. Clean Up Webspace
An infected site often has folders of files that are not part of the regular WordPress installation and that need to be removed.
If you are not completely sure that these are real threats, you can move the folders out of /public_html/ into a new one, for example called /suspicious file/, kept outside the /public_html/ directory so that it is unreachable via the web.
If you’re not familiar with managing WordPress folders in FTP, we recommend that you always ask for expert help to avoid errors.
2. Reload Files
At this point, thanks to the same plugin with which we found the malware, we can proceed to restore the clean files.
Wordfence downloads the files again from the WordPress.org theme and plugin repository, but only for free extensions, not for premium ones purchased and downloaded separately.
The fastest solution is to reinstall every plugin and theme that has even a single infected file.
3. Check Users
As we said, malware sometimes adds users to your WordPress site to give attackers access. Check the profiles registered in the site’s control panel and delete any that you don’t recognize or that look suspicious to you, for example accounts with emails from “.ru” domains.
The same should be done for FTP users and hosting accounts, another of the “entry points” to your site.
4. Change Passwords
Now that we’ve verified the users on your WordPress backend and webspace (hosting and FTP), it’s good to change all passwords. Better not to trust a compromised site, even after we have solved the threat.
The login page of a site is the preferred target of hackers, especially for so-called brute force attacks: a series of automatic attempts to log in with random combinations of credentials.
One of the most important rules for WordPress site security is to avoid the standard username “admin”: it is the first name on every malware list. Even more important is to choose strong passwords that are difficult to guess. This means you should never use simple words like “password” or “admin” or elementary numeric codes like 12345: these are the first strings tried by automatic scripts.
To be really effective, a password must be ten characters or more, must not already be used in other credentials and must contain:
- at least one uppercase character;
- at least one lowercase character;
- one or more numbers;
- one or more special characters such as ?, ! or .
We realize that it is difficult to remember all the passwords you need nowadays: for this reason we recommend using tools like LastPass.
5. Check File Permissions
Now check your WordPress files and verify that they do not have incorrect or malicious read and write permissions, as explained on this page.
If you are not familiar with file permissions, the iThemes Security plugin can help: its options include “File Permissions”, which indicates which files or folders need attention.
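As an added example (not the author’s code and not part of iThemes Security or WordPress), the following Python script walks a site tree and reports entries whose modes deviate from commonly recommended WordPress settings. Those target modes (755 for directories, 644 for files, 600 or 640 for wp-config.php, nothing world-writable) are an assumption stated in the code and your host may document different ones; the script assumes a POSIX filesystem and builds its own small sample tree with deliberately wrong modes.

```python
import os
import stat
import tempfile

# Commonly recommended WordPress modes (an assumption for this example; hosts differ):
# directories 755, regular files 644, wp-config.php 600 or 640, nothing world-writable.
DIR_MODE, FILE_MODE, CONFIG_MODES = 0o755, 0o644, (0o600, 0o640)


def check_permissions(root):
    """Return (relative path, octal mode, reason) for every entry that needs attention."""
    issues = []
    for dirpath, dirnames, filenames in os.walk(root):
        entries = [(n, True) for n in dirnames] + [(n, False) for n in filenames]
        for name, is_dir in entries:
            path = os.path.join(dirpath, name)
            mode = stat.S_IMODE(os.lstat(path).st_mode)
            rel = os.path.relpath(path, root).replace(os.sep, "/")
            if rel == "wp-config.php":  # holds database credentials: keep it private
                if mode not in CONFIG_MODES:
                    issues.append((rel, oct(mode), "wp-config.php should be 600 or 640"))
            elif mode & stat.S_IWOTH:
                issues.append((rel, oct(mode), "world-writable " + ("directory" if is_dir else "file")))
            elif is_dir and mode != DIR_MODE:
                issues.append((rel, oct(mode), "directory is not 755"))
            elif not is_dir and mode & stat.S_IXUSR:
                issues.append((rel, oct(mode), "executable bit set on a web file"))
            elif not is_dir and mode != FILE_MODE:
                issues.append((rel, oct(mode), "file is not 644"))
    return issues


def build_sample_site():
    """Construct a small fake WordPress tree with deliberately wrong modes."""
    root = tempfile.mkdtemp(prefix="wp-perms-")
    dirs = {"wp-content": 0o755,
            "wp-content/uploads": 0o777}             # world-writable: anyone can drop files here
    files = {"index.php": 0o644,
             "wp-config.php": 0o666,                 # credentials readable and writable by everyone
             "wp-content/uploads/notes.php": 0o755}  # executable bit set on a web file
    for rel, mode in dirs.items():
        os.mkdir(os.path.join(root, *rel.split("/")))
        os.chmod(os.path.join(root, *rel.split("/")), mode)
    for rel, mode in files.items():
        path = os.path.join(root, *rel.split("/"))
        open(path, "w").close()
        os.chmod(path, mode)
    return root
```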
6. Final Scan
It’s almost done! But are we sure? Better to check by doing a new scan with WordFence, Sucuri Security or iThemes Security.
If no more suspicious files are detected, congratulations: the malware is eradicated.
Do you remember that we explained how to understand which malware hit your site? This information is now needed to secure the site: to close the flaw that let the malware in and prevent it from recurring.
1. Update All
Almost always the malware propagates by taking advantage of known bugs, present in old versions of WordPress, themes and plugins. That’s why it’s important to keep your site up-to-date and never neglect maintenance.
Attention! Sometimes a plugin or theme can’t be updated because its license has expired: renew it to download the new versions released by the developers. Keeping your site up-to-date lets you avoid other security issues in the future. It’s a bit like playing cops and robbers: new malware is invented every day and you can’t lower your guard!
2. Monitor Your Site
Unfortunately, if the malware has not been removed completely and correctly, it could come back in no time.
That’s why we keep the site monitored for at least a week, checking Wordfence reports (or those of other security plugins) and the health status in Search Console.
In this guide, we have seen what malware is, what problems it can cause, how to understand whether our WordPress site has been infected and how to remove malware from a WordPress site.
Keeping a WordPress site safe requires constant maintenance and monitoring.