Remove the Malware Infection

Now that you have information about malware locations, you can remove malware from WordPress and restore your website to a clean state.

Pro Tip: The best way to identify hacked files in WordPress is by comparing the current state of the site with an older backup that is known to be clean. If such a backup is available, compare the two versions to identify exactly what has been modified.

Some of these steps to clean your WordPress site require web server and database access. If you are not familiar with manipulating database tables or editing PHP, please seek assistance from a professional Incident Response Team member who can completely remove WordPress malware.

Clean Hacked WordPress Files

If the malware infection is in your core files or plugins, you can fix it manually by replacing the affected files. Just don’t overwrite your wp-config.php file or wp-content folder, and be sure that you make a full backup beforehand.

Custom files can be replaced with fresh copies, or a recent backup (if it’s not infected). Here are some additional tips & tricks that you can use with WordPress.

You can remove any malicious payloads or suspicious files found in the first step to get rid of the hack and clean your WordPress site.

How to manually remove a malware infection from your WordPress files:

  1. Log into your server via SFTP or SSH.
  2. Create a backup of the WordPress site before making changes.
  3. Identify recently changed files.
  4. Confirm the date of changes with the user who changed them.
  5. Restore suspicious files with copies from the official WordPress repository.
  6. Open any custom or premium files (not in the official repository) with a text editor.
  7. Remove any suspicious code from the custom files.
  8. Test to verify the site is still operational after changes.
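Steps 3 and 5 above (find recently changed files, then restore anything suspicious from a known-good copy) can be made systematic. The script below is an added example, not code from the Sucuri guide; the helper names `build_manifest`, `diff_against_baseline` and `recently_modified` are hypothetical. It hashes every file in a clean backup and in the live site, lists files that were added, removed or modified, and separately lists files by modification time. The fixture it runs on is constructed in a temporary directory.

```python
"""Identify changed files by comparing a live WordPress tree with a clean backup.

Added example, not part of the Sucuri guide. build_manifest, diff_against_baseline
and recently_modified are hypothetical helper names. Hashing is preferred over
modification times because an attacker can reset the mtime of dropped files.
"""
import hashlib
import os
import tempfile
import time
from pathlib import Path


def sha256_file(path: Path) -> str:
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root: Path) -> dict:
    """Map every file under root (path relative to root, POSIX separators) to its SHA-256."""
    manifest = {}
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            p = Path(dirpath) / name
            manifest[p.relative_to(root).as_posix()] = sha256_file(p)
    return manifest


def diff_against_baseline(baseline: dict, live: dict) -> dict:
    """added: only in the live site; removed: only in the backup; modified: hash differs."""
    added = sorted(set(live) - set(baseline))
    removed = sorted(set(baseline) - set(live))
    modified = sorted(p for p in baseline.keys() & live.keys() if baseline[p] != live[p])
    return {"added": added, "removed": removed, "modified": modified}


def recently_modified(root: Path, max_age_days: float, now=None) -> list:
    """Files whose mtime falls within the last max_age_days (step 3 of the list above).
    A useful first pass, but never sufficient on its own: mtime is trivially forged."""
    now = time.time() if now is None else now
    cutoff = now - max_age_days * 86400
    hits = []
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            p = Path(dirpath) / name
            if p.stat().st_mtime >= cutoff:
                hits.append(p.relative_to(root).as_posix())
    return sorted(hits)


def demo() -> dict:
    """Constructed fixture: a tiny clean backup and a live copy with two changes."""
    with tempfile.TemporaryDirectory() as tmp:
        clean, live = Path(tmp) / "clean", Path(tmp) / "live"
        for root in (clean, live):
            (root / "wp-includes").mkdir(parents=True)
            (root / "wp-content" / "uploads").mkdir(parents=True)
            (root / "wp-includes" / "version.php").write_text("<?php\n$wp_version = '6.x';\n")
            (root / "index.php").write_text("<?php\nrequire __DIR__ . '/wp-blog-header.php';\n")
        # Simulated tampering in the live copy: a core file gained a line, and a PHP
        # file appeared inside uploads/, which should never hold executable code.
        (live / "index.php").write_text(
            "<?php\n// injected line\nrequire __DIR__ . '/wp-blog-header.php';\n")
        (live / "wp-content" / "uploads" / "cache.php").write_text("<?php\n// dropped file\n")
        # Backdate the untouched core file so the mtime pass ignores it.
        old = time.time() - 30 * 86400
        os.utime(live / "wp-includes" / "version.php", (old, old))
        return {
            "diff": diff_against_baseline(build_manifest(clean), build_manifest(live)),
            "recent": recently_modified(live, max_age_days=7),
        }


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```

On a real site, run `build_manifest` once against the clean backup and keep the result; every later run against the document root then shows exactly which files to restore (step 5) or open in an editor (step 6). Anything under wp-content/uploads that ends in .php deserves attention regardless of its timestamp.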

Clean Hacked Database Tables

To remove a malware infection from your WordPress database, use your database admin panel to connect to the database. You can also use tools like Search-Replace-DB or Adminer.

How to manually remove a malware infection from your WordPress database:
  1. Log into your database admin panel.
  2. Make a backup of the database before making changes.
  3. Search for suspicious content (e.g., spammy keywords, links).
  4. Open the table that contains suspicious content.
  5. Check the error log.
  6. Check your website URL at VirusTotal.
  7. Manually check your core files in cPanel.
  8. Manually remove any suspicious content.
  9. Test to verify the site is still operational after changes.
  10. Remove any database access tools you may have uploaded.

Beginners can use the payload information provided by the malware scanner. Intermediate users can also manually look for common malicious PHP functions, such as eval, base64_decode, gzinflate, preg_replace, str_replace, etc.
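Steps 3 and 4 of the database list (search for spammy keywords, links and injected markup, then open the table that holds them) can be scripted instead of paging through tables by hand. The code below is an added example, not part of the Sucuri guide: it builds an in-memory SQLite copy of the relevant wp_posts, wp_options and wp_comments columns as a stand-in for the real MySQL database (rows are constructed), and the indicator list and function names are hypothetical. It flags candidate rows for manual review rather than deleting anything.

```python
"""Scan WordPress database tables for injected content.

Added example, not from the Sucuri guide. SQLite stands in for the live
MySQL database; the indicator list is constructed and deliberately small.
"""
import re
import sqlite3

# Constructed indicators for content stored in the database: injected script
# and iframe tags, hidden SEO-spam blocks, obfuscated JavaScript, pharma keywords.
DB_INDICATORS = {
    "script_tag": re.compile(r"<script\b[^>]*>", re.I),
    "iframe_tag": re.compile(r"<iframe\b[^>]*>", re.I),
    "hidden_element": re.compile(
        r"display\s*:\s*none|visibility\s*:\s*hidden|left\s*:\s*-\d{3,}px", re.I),
    "js_obfuscation": re.compile(
        r"\beval\s*\(\s*(?:atob|unescape|String\.fromCharCode)", re.I),
    "pharma_spam": re.compile(r"\b(?:viagra|cialis|casino)\b", re.I),
}

# Tables and columns worth scanning. Names come only from these constants, never
# from user input, so formatting them into the SELECT is safe here.
TARGETS = [
    ("wp_posts", "ID", ["post_title", "post_content"]),
    ("wp_options", "option_id", ["option_value"]),
    ("wp_comments", "comment_ID", ["comment_content"]),
]


def scan_table(conn, table, id_col, cols):
    """One finding per (row, column, indicator) hit; the snippet shows what matched."""
    findings = []
    query = "SELECT {}, {} FROM {}".format(id_col, ", ".join(cols), table)
    for row_id, *values in conn.execute(query):
        for col, value in zip(cols, values):
            if not isinstance(value, str):
                continue
            for label, pattern in DB_INDICATORS.items():
                m = pattern.search(value)
                if m:
                    findings.append({"table": table, "id": row_id, "column": col,
                                     "indicator": label, "snippet": m.group(0)[:60]})
    return findings


def scan_wordpress_db(conn):
    findings = []
    for table, id_col, cols in TARGETS:
        findings.extend(scan_table(conn, table, id_col, cols))
    return findings


def demo():
    """Constructed rows: one clean post, one post with an injected script, one clean
    option, one widget option carrying a hidden spam link, one clean comment."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE wp_posts (ID INTEGER PRIMARY KEY, post_title TEXT, post_content TEXT);
        CREATE TABLE wp_options (option_id INTEGER PRIMARY KEY, option_name TEXT, option_value TEXT);
        CREATE TABLE wp_comments (comment_ID INTEGER PRIMARY KEY, comment_content TEXT);
    """)
    conn.executemany("INSERT INTO wp_posts VALUES (?, ?, ?)", [
        (1, "Hello world", "<p>Welcome to my site.</p>"),
        (2, "About", '<p>About us.</p><script src="https://cdn.example.invalid/t.js"></script>'),
    ])
    conn.executemany("INSERT INTO wp_options VALUES (?, ?, ?)", [
        (1, "siteurl", "https://www.example.invalid"),
        (2, "widget_text",
         '<div style="display:none"><a href="https://spam.example.invalid">buy cialis</a></div>'),
    ])
    conn.execute("INSERT INTO wp_comments VALUES (1, 'Nice post!')")
    return scan_wordpress_db(conn)


if __name__ == "__main__":
    for finding in demo():
        print(finding)
```

Against the live database the same idea is a query such as `SELECT ID FROM wp_posts WHERE post_content LIKE '%<script%'` run from phpMyAdmin or Adminer. Clean flagged rows one at a time: many wp_options values are PHP-serialized, and a blanket find-and-replace that changes string lengths corrupts them, which is why a serialization-aware tool like Search-Replace-DB is used for bulk edits.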

Secure WordPress User Accounts

If you noticed any unfamiliar WordPress users on your website, remove them so the hackers no longer have access through them. We recommend having only one admin user and setting other user roles to the least amount of privileges needed for the task that person needs to carry out (e.g., Contributor, Author, Editor).

How to manually remove suspicious users from WordPress:
  1. Backup your site and database before proceeding.
  2. Log into WordPress as an admin and click Users.
  3. Find the suspicious new user accounts.
  4. Hover over the suspicious user and click Delete.

If you believe any of your user accounts were compromised you can reset their passwords. One of the ways to do that is using the Sucuri WordPress plugin.

Remove Hidden Backdoors in Your WordPress Site

Hackers always leave a way to get back into your site. More often than not, we find multiple backdoors of various types in hacked WordPress sites.

Often backdoors are embedded in files named similar to WordPress core files but located in the wrong directories. Attackers can also inject backdoors into files like wp-config.php and directories like wp-content/themes, wp-content/plugins, and wp-content/uploads.


Backdoors commonly include the following PHP functions:

  • base64_decode
  • str_rot13
  • gzuncompress
  • eval
  • exec
  • system
  • assert
  • stripslashes
  • preg_replace (with the /e modifier)
  • move_uploaded_file

These functions can also be used legitimately by plugins, so be sure to test any changes because you could break your site by removing benign functions or by not removing all of the malicious code.

The majority of malicious code we see in WordPress sites uses some form of encoding to prevent detection. Aside from premium components that use encoding to protect their authentication mechanism, it’s very rare to see encoding in the official WordPress repository.
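The function list above, the caveat that the same functions appear in legitimate plugins, and the observation that most malicious code is encoded can be combined into a triage rule: a file is much more suspicious when an execution sink (eval, assert, exec/system, preg_replace with /e, a variable function call) appears together with decoding, a long base64 blob, request input or a file upload. The scanner below is an added example, not code from the Sucuri guide (the function names and indicator list are hypothetical); it also serves the intermediate-user search for eval, base64_decode, gzinflate and friends mentioned in the database section. It scores constructed samples rather than real malware and only flags files for manual review.

```python
"""Static triage of PHP files for backdoor indicators.

Added example, not code from the Sucuri guide; scan_php_source, risk_level and
scan_php_tree are hypothetical names. Every hit must still be reviewed by hand,
because the same functions are used by legitimate plugins.
"""
import os
import re
from pathlib import Path

# Constructed indicator regexes, grouped into execution sinks and enablers.
INDICATORS = {
    "eval": re.compile(r"\beval\s*\("),
    "assert": re.compile(r"\bassert\s*\("),
    "shell": re.compile(r"\b(?:exec|system|shell_exec|passthru|popen|proc_open)\s*\("),
    # the removed /e modifier made preg_replace evaluate its replacement as PHP
    "preg_replace_e": re.compile(r"\bpreg_replace\s*\(\s*(['\"])(.).*?\2[A-Za-z]*e[A-Za-z]*\1"),
    # $f($x): calling a function whose name is held in a variable
    "variable_call": re.compile(r"\$\w+\s*\(\s*\$"),
    "decode": re.compile(
        r"\b(?:base64_decode|gzinflate|gzuncompress|str_rot13|stripslashes)\s*\("),
    "long_base64": re.compile(r"['\"][A-Za-z0-9+/=]{120,}['\"]"),
    "request_input": re.compile(r"\$_(?:GET|POST|REQUEST|COOKIE)\b"),
    "upload": re.compile(r"\bmove_uploaded_file\s*\("),
}
SINKS = {"eval", "assert", "shell", "preg_replace_e", "variable_call"}
ENABLERS = {"decode", "long_base64", "request_input", "upload"}


def scan_php_source(source: str) -> list:
    """One finding per (line, indicator) pair found in the source text."""
    findings = []
    for lineno, line in enumerate(source.splitlines(), start=1):
        for label, pattern in INDICATORS.items():
            if pattern.search(line):
                findings.append({"line": lineno, "indicator": label,
                                 "text": line.strip()[:80]})
    return findings


def risk_level(findings: list) -> str:
    """high: a sink combined with an enabler (the eval-of-decoded-input shape);
    medium: a sink alone; low: enablers only, common in benign plugins."""
    labels = {f["indicator"] for f in findings}
    if labels & SINKS and labels & ENABLERS:
        return "high"
    if labels & SINKS:
        return "medium"
    return "low" if labels else "clean"


def scan_php_tree(root: Path) -> dict:
    """Walk a directory and map every .php file with at least one hit to its risk level."""
    report = {}
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            if not name.lower().endswith(".php"):
                continue
            path = Path(dirpath) / name
            try:
                findings = scan_php_source(path.read_text(errors="replace"))
            except OSError:
                continue
            if findings:
                report[path.relative_to(root).as_posix()] = risk_level(findings)
    return report


# Constructed samples, not captured malware: the classic one-line backdoor
# shape, a benign plugin that decodes an embedded icon, and a /e modifier use.
BACKDOOR_SAMPLE = "<?php\n@eval(base64_decode($_REQUEST['payload']));\n"
LEGIT_SAMPLE = ("<?php\n$icon = base64_decode('iVBORw0KGgo=');\n"
                "header('Content-Type: image/png');\necho $icon;\n")
PREG_E_SAMPLE = "<?php\npreg_replace('/.*/e', $_GET['c'], '');\n"

if __name__ == "__main__":
    for name, sample in (("backdoor", BACKDOOR_SAMPLE), ("legit", LEGIT_SAMPLE),
                         ("preg_e", PREG_E_SAMPLE)):
        print(name, risk_level(scan_php_source(sample)))
```

Point `scan_php_tree` at wp-content (and at the document root for stray files named like core files in the wrong directory); review "high" results first, and treat a "low" hit in a premium component as expected rather than proof of compromise.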

It is critical that all backdoors are closed to successfully stop a WordPress hack, otherwise your site will be reinfected quickly.

Remove Malware Warnings

If you were blacklisted by Google, McAfee, Yandex (or any other web spam authorities), you can request a review after your WordPress site has been cleaned and the hack has been fixed.

How to remove malware warnings on your site:
  1. Call your hosting company and ask them to remove the suspension if your website has been suspended by your hosting provider.
    • You may need to provide details about how you removed the malware.
  2. Fill in a review request form for each blacklisting authority.
    • e.g., Google Search Console, McAfee SiteAdvisor, Yandex Webmaster.

With the Sucuri Website Security Platform, we submit blacklist review requests on your behalf. This helps ensure your site is absolutely ready for review. Some reviews, however, such as web spam hacks as a result of manual actions, can take up to two weeks.


Protect Your WordPress Site From Future Hacks

In this final step, you will learn how to fix the issues that caused your WordPress to be hacked in the first place. In the next step we will discuss

Manually Replace WordPress Core Files
