Most common steps to help clean malware from your WordPress site

Intro

In the past year, we saw more and more WordPress websites getting malware infections. For example this year we had to deal with more malware on WordPress websites than in the last 3-4 years combined.

There are a number of reasons why this happened, but mostly because of

• the increase in malicious online activity due to work from home and increased digitalization
• clients using outdated versions of WP or plugins when there were major releases to fix security issues.

I’ll try to walk you through some of the steps required to remove malware from your WordPress site. The idea is to identify the issue, remove infected files, secure the website, and update WP Core and plugins.

The most common malware types encountered are

• ads being displayed on your site
• redirect placed on your domain.

Restore from backups

The quickest way to deal with this when it happens is to restore a working version, that is not infected, from backups.

You will need a full backup (files and database) for this. Once you find a backup that works and you restore the website from it, go directly to Changing passwords and the following steps.

Wordfence scan

Hopefully, you have Wordfence installed and active on your site, if not, take a look at this article with the best Wordfence settings.

Wordfence performs scans all the time, even sends get weekly notifications with a report of what is found. You might end up ignoring these reports because most of the time it will mention that a plugin is not at the latest version available, but sometimes it will let you know that there are files present in your system that shouldn’t be there.

A nice feature that Wordfence has is scanning the files of WP Core against the official repository, if it finds extra files or code being injected into the standard files it will let you know and gives you the option to delete or restore the files to the correct version.

I would recommend performing a Wordfence scan first of all and seeing what it returns.

Remove infected files

The first thing you want to do is remove any infected files that are present on the server.

The most common place to see injection code is in wp-config.php and index.php.

The code will look something like the snippet below and it stands out easily.

/*135b6*/

@include "7ho5e/3ad7ur1az7pu2li3_h4ml7pu2li3/p0pm1ad5in7sq4/.15644f20.1co";

/*135b6*/

Remove that or remove the file altogether if it shouldn’t be there. Usually, these scripts try to call other files that are on the server or external files.

Next look for any files with a gibberish name like kjlo09s.php and so on, if you’re familiar with WP you should easily spot them. Find and delete them.

For extra caution, search for any index.php that appears in folders where it shouldn’t exist. Some malware will place index.php files in every folder. Open the file and see if it has something similar to the snippet above, if so, remove those files or clean them.

Change passwords

Once you’ve done the cleanup, change all the passwords you have.

• cPanel password
• FTP password
• PHPMyAdmin password
• MySQL password
• WordPress password
• SSH access password

Check if there is any SSH key added that shouldn’t be there.

Also, if there are any new users that shouldn’t exist: FTP, WordPress, etc.

Check Cron Jobs

If you have access to the Cron Jobs sections on your server, check the ones that are currently set.

Turn off suspicious cron jobs. Do this only if you’re experienced enough to understand how cron jobs work. 

Update WordPress Core

Now that you got rid of everything that was infected and changed all the access credentials, go ahead and update the WordPress Core to the latest version.

WordPress updates are packed with a lot of security fixes in almost every version. Having the latest version is the recommended action in most cases (unless you run a closed environment that supports some legacy code).

Update plugins and themes

Continue with the update process and do the same for plugins and themes. If you have plugins that are not supported in the latest version of WP you might want to reconsider them. Replace them with something else that is compatible and has a recent update.

Most of the malware is injected via plugins that are not updated to the most recent version.

Of course, you will need to check if anything breaks on the front end, especially when you do a theme update.

Get professional help

Don’t hesitate to get professional help when it comes to removing malware from your WordPress site.

The steps listed above are accessible for someone that has some WordPress knowledge, if you’re a simple user you might find this to be too much.

If that is the case get help with WordPress maintenance services.