Clean Your Website Malware with the Step-by-Step WordPress Malware Removal Guide by FixyMonk

Being the most popular content management system (CMS), WordPress is a frequent target of attacks. The CMS itself is reasonably secure, but it is website owners who need to practice strong security measures so that threats are reduced.

If you notice that your WordPress site has been hacked, for example through unauthorized redirects or changes to the content, malware may be infecting your site. If left unchecked, it can cause serious issues, including data loss and even site downtime.

In this guide, we explain several methods for WordPress malware removal. You will learn how to do this manually, automatically, or with the help of a third party, so you can choose the approach that best suits your needs.

Symptoms of WordPress Malware Infection


Malware is developed to perform various functions, ranging from corrupting data to stealing it. As such, its symptoms can take many forms. However, some of them are a good heuristic that it is time to begin WordPress malware removal.

Some common signs of a WordPress malware infection are:

Blacklisting: Your WordPress website is blacklisted by search engines like Google, Bing or Yahoo due to malware. You can verify this manually by searching for your website in one of these search engines.

Traffic drop: A sudden fall in user traffic to your website can be caused by malware or by a search-engine blocklist, as mentioned above.

Hosting account suspension: Your hosting provider suspending your account for spreading malware is a strong sign. You will receive a notification from the hosting provider about the suspension, citing the issue.

Pop-ups and malvertising: Your WordPress site starts showing strange pop-ups and advertisements containing links to undesirable websites.

Server overuse: Ad blockers report that your WordPress site is being used for cryptocurrency mining, or the website uses too much GPU power even though user traffic is low. Or users complain that the WordPress site is eating up too much of their CPU power.

Rogue users: You discover new admin accounts in your website's database, or you keep getting locked out of your own site. In most instances, such admin/user accounts have unusual usernames.

Fishy files: There are suspicious files on your site with obscure, long, unreadable names, hidden inside folders such as wp-admin and wp-includes. They are run repeatedly through cron jobs.

Security alerts: You receive an email from a security service such as Astra Security stating that malware was recently found on your website.

File modifications: Sensitive files such as the header and footer files have been modified and now contain base64-encoded code or other obfuscation.

Sending spam: Users are receiving spam emails from your domain, and your domain is listed on a spam blacklist.

Foreign characters on web pages: Japanese characters appear on the website or in its search results.

What to do before removing malware on WordPress

Before removing malware from WordPress, change all of your passwords, including those for the WordPress dashboard, FTP, SSH and your hosting service. This ensures that an attacker cannot reuse an existing password that has already been stolen. In addition, going forward, it is highly recommended to enable two-factor authentication. Now, before we begin the actual process, here are the steps we will follow:

  • Back up your files and database
  • Turn on the maintenance mode
  • Check and remove infected plugins and themes
  • Remove infected files (start by comparing the files)
  • Scan the database
  • Follow security recommendations

Step 1: Backup First

It is imperative to back up all your site data before WordPress malware removal so that, if something goes wrong, the backup can be used to restore the site. If you use a hosting service, it likely provides a backup service; contact your hosting provider for details. A WordPress site backup is done in two parts: the files backup and the database backup.

Files Backup

There are many ways to back up files in WordPress; some of them are described below:

1. Plugin: UpdraftPlus is free and perhaps the most popular backup plugin. To take a backup with it:

  • Install it on your website from the WordPress plugin directory and activate it.
  • Take the backup using the plugin and store it in a safe location.

2. SSH: To take a backup of your WordPress website via SSH:

  • Access your website through SSH.
  • Run the command: zip -r wp_backup.zip /directory-name
  • Here wp_backup.zip is the name of your backup file and /directory-name is the directory you want to back up. Then download the backup to a secure location.

3. SFTP

  • Connect to your WordPress site through an SFTP client, say FileZilla.
  • Drag and drop the folder from the remote site panel to the local site panel.
  • This starts the backup, which may take some time depending on your connection and website speed.

Database Back-Up

A few methods for backing up your database before you try to remove malware from your WordPress site are described below:

1. Plugin: As explained above, UpdraftPlus can also be used to back up your site's WordPress database.

2. phpMyAdmin: If you have phpMyAdmin installed, it can also be used to create a database backup. Here's how:

  • Sign in to your WordPress site and click on the phpMyAdmin tool.
  • Select the WordPress database and click the Export tab.
  • Select Quick, and your database download will start to the default local location. Save it safely.

3. SSH

  • Connect to your WordPress website using SSH.
  • Enter the following command: mysqldump -p -h hostname -u username database > wp_backup.sql
  • This exports the database to a file called wp_backup.sql. Download it from the server and save it somewhere safe.

Once you have saved copies of your WordPress files and database locally, delete the copies from the server if they are still there.

Step 2: Enable the maintenance mode

At this point, put your WordPress site into maintenance mode so that no further changes occur while you remove the malware. It also lets your users know that maintenance is in progress and why the website is down.

Unlike most CMSes, WordPress has no built-in option to put the website into maintenance mode, so this is done with plugins. Here is one example:

  • Download and install the Coming Soon plugin on your WordPress site.
  • The plugin appears alongside your other plugins, labeled SeedProd; use it to activate maintenance mode.
  • The plugin also lets you personalize the coming-soon message and logo for your website.

Step 3: Remove Malicious Plugins and Themes

To eliminate malware, you can delete infected WordPress plugins directly from the directory wp-content/plugins/. You can likewise find and delete infected themes and their child themes from the directory wp-content/themes/. Then reinstall the original plugin or theme. Going forward, avoid nulled themes and plugins, because most of them contain malware. Use only well-reputed plugins and themes that are frequently updated by their developers.

Step 4: Delete infected files

Since each file in WordPress has a different function, the average user may not be able to tell whether code is benign or malicious. Moreover, each type of malware behaves differently, so discussing all of them is out of scope for this article. Since there is no magic pill that works on all infected files, we have compiled a list of articles on common malware infections and how to fix them in detail:

Second, clean up the sitemap.xml file, which is generally found in your root directory, i.e. www.example.com/sitemap.xml. Delete any suspicious links or spammy characters inside it.

Step 5: Clean the database

SQL queries can be used to clean the database. To do so, you need MySQL console or phpMyAdmin access. Regular expressions come in handy here. Suppose all the malicious entries in the wp_posts table reside in the post_content column and end with the word <script>. Then they can be replaced with a query like this:

However, if the malicious code is in the middle of the post, a more complex regex is needed. Similarly, replace the table name wp_posts with the other tables for WordPress malware removal.


Automatic Process

Automatic removal of malware from your WordPress site uses security plugins that detect malware and move it to a sandbox where it is contained and removed. Below are five of the top security plugins for this purpose; each differs from the others and offers a different level of protection:

  1. Wordfence Security: Provides firewall and malware scan services, repairs files, and offers real-time endpoint protection.
  2. Sucuri Security: Offers a comprehensive security plugin that includes malware scanning, activity auditing, file integrity monitoring, and website firewall.
  3. iThemes Security (formerly Better WP Security): Focuses on preventing security breaches with over 30 ways to secure and protect your WordPress site, including malware scanning.
  4. MalCare Security: Known for its automatic deep scanning and one-click malware removal, it ensures minimal performance impact.
  5. All In One WP Security & Firewall: A user-friendly, all-encompassing security plugin that adds a firewall and uses security scanners to check for malicious code.

These plugins are invaluable tools for keeping your WordPress site safe. They automate the process of malware detection and removal, thereby helping maintain your site’s integrity and reducing the risk of future attacks.

Manual Technique

Check for outdated plugins and themes

One of the most common causes of WordPress malware is plugin exploits. Plugins and themes that have not been updated for a long time accumulate vulnerabilities. If you have not updated any plugins or themes for a long time, an outdated plugin or theme is probably the cause of your WordPress malware infection. So go to your WordPress dashboard and check whether it shows any plugin or theme updates.

To confirm whether a plugin or theme is being exploited, check the support forums to see whether people who use the same plugin are asking for help fixing malware. If so, the plugin's vulnerability is being exploited in the wild and you may be one of its victims, so it is time for WordPress malware removal. Moreover, if your WordPress site has been blacklisted by a search engine such as Google, its webmaster tools will tell you why the hack was detected on your website. You can refer to this article on how to do that.

Files

Also check recently modified files to find the malware. If you have logged in to your WordPress server via SSH, the command might look as follows:

find . -mtime -2 -ls

Here you can change the value 2 to any number of days to see the files modified within that many days. However, malware sometimes obfuscates itself using base64 encoding; you can search for that too using the following command via SSH, which saves the output to a file named hiddencode.txt:

Next, decode the base64 (for example with an online decoder) and check whether the code looks malicious. Additionally, you can compare your WordPress files against the originals to find changes. Do this by downloading a fresh copy of WordPress (making sure it is the same version you are using), then use a tool that checks the differences between the original files and your WordPress files one by one. If you find modified files containing spam links or harmful functions like eval, exec, strrev, assert, etc., then you must proceed with WordPress malware removal.
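The three file checks above (recently modified files, the base64/obfuscation search saved to hiddencode.txt, and the comparison against a fresh copy of the same WordPress version) can be scripted in the SSH session. The script below is an added example written for this guide, not code from FixyMonk or from WordPress. The LIVE and CLEAN paths are assumptions, and the small WordPress-like tree it builds under a temporary directory is constructed sample data so that the script runs offline; point LIVE at your real document root and CLEAN at an unpacked clean download to use it for real.

```shell
#!/bin/sh
# Added example for the "Files" section (not code from the FixyMonk guide).
# Three checks on a WordPress document root: recently modified files, files
# containing obfuscated or dangerous PHP, and differences from a clean copy
# of the same WordPress version. LIVE and CLEAN are assumed paths; the tree
# built by setup_sample_tree is constructed so the script runs offline.
set -u

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
LIVE="$WORK/live"     # assumed: document root of the infected site
CLEAN="$WORK/clean"   # assumed: fresh download of the same WordPress version

setup_sample_tree() {
    mkdir -p "$LIVE/wp-includes" "$LIVE/wp-content/uploads" \
             "$CLEAN/wp-includes" "$CLEAN/wp-content"
    printf '<?php echo "index";\n' > "$CLEAN/index.php"
    printf '<?php echo "index";\n' > "$LIVE/index.php"
    printf '<?php function wp_example() {}\n' > "$CLEAN/wp-includes/functions.php"
    # constructed infection: an obfuscated payload appended to a core file
    # ("Li4u" is just base64 of "...", a placeholder, not a real payload)
    printf '<?php function wp_example() {}\neval(base64_decode("Li4u"));\n' \
        > "$LIVE/wp-includes/functions.php"
    # constructed dropped file with an obscure name inside uploads
    printf '<?php eval(gzinflate(base64_decode("Li4u")));\n' \
        > "$LIVE/wp-content/uploads/x7k2.php"
    # the untouched file gets an old timestamp so the mtime check skips it
    touch -t 202001010000 "$LIVE/index.php"
}

# 1. Files modified within the last N days (the guide's `find . -mtime -2 -ls`)
recent_files() {  # $1 = root, $2 = days
    find "$1" -type f -mtime "-$2" | sort
}

# 2. PHP files containing base64/obfuscation helpers or dangerous functions;
#    the matching paths are saved to $2 (hiddencode.txt in the guide)
find_hidden_code() {  # $1 = root, $2 = report file
    grep -rlE --include='*.php' \
        'base64_decode|eval\(|gzinflate|str_rot13|strrev\(|assert\(|exec\(' \
        "$1" | sort > "$2" || true
    wc -l < "$2" | tr -d ' '   # number of suspicious files
}

# 3. Core files that differ from the clean copy, or exist only on the live site.
#    wp-content (themes, plugins, uploads) and wp-config.php always differ,
#    so they are excluded here and reviewed separately.
changed_vs_clean() {  # $1 = live root, $2 = clean root, $3 = report file
    diff -rq -x wp-content -x wp-config.php "$2" "$1" > "$3" || true
    grep -c . "$3" || true     # number of differing/extra files
}

setup_sample_tree
echo "== files modified in the last 2 days"
recent_files "$LIVE" 2
echo "== files with obfuscated or dangerous code"
find_hidden_code "$LIVE" "$WORK/hiddencode.txt" >/dev/null
cat "$WORK/hiddencode.txt"
echo "== differences from the clean copy"
changed_vs_clean "$LIVE" "$CLEAN" "$WORK/changed.txt" >/dev/null
cat "$WORK/changed.txt"
```

The pattern list in find_hidden_code is a starting point, not a verdict: legitimate plugins also call base64_decode, so every hit still has to be read and decoded. The diff step is what separates a modified core file from a merely old one, which is why it excludes wp-content and wp-config.php, whose contents are site-specific and must be reviewed by hand.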

Database

Search the tables of your WordPress site for any spammy links or characters that your website shows. SQL commands come in handy for this. To execute them, you need access to your website's MySQL console. Open it and select the WordPress database using the command:

USE wordpress_db;

Here, replace wordpress_db with the name of your WordPress database. Then run the following queries.

These list all the WordPress posts containing hidden iframes and JavaScript. Similarly, run the same commands with the table name wp_posts changed to other tables. If you are an average user and don't know SQL, use a tool like phpMyAdmin. Below is an example of searching for a malicious link in the tables.
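For Step 5 and this Database section, the following is an added example (not part of the guide) that works from the wp_backup.sql dump taken in Step 1 rather than from the live database: suspicious_tables() lists which tables contain iframes, script tags or base64 payloads, and write_queries() writes the matching SELECT queries to a .sql file for review in the MySQL console or phpMyAdmin. It assumes the default wp_ table prefix and the database name wordpress_db used above; the dump it scans is constructed sample data in mysqldump's default one-INSERT-per-table layout.

```shell
#!/bin/sh
# Added example for the database steps (not code from the FixyMonk guide).
# scan the mysqldump file offline, then write SQL for the live database.
set -u

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
DUMP="$WORK/wp_backup.sql"   # assumed: the dump produced in Step 1

# Constructed sample dump. The second post carries a hidden iframe and
# wp_options holds an injected script; wp_users is clean. (.invalid is a
# reserved TLD, so these URLs never resolve.)
make_sample_dump() {  # $1 = output path
    cat > "$1" <<'EOF'
INSERT INTO `wp_posts` VALUES (1,1,'Hello world','<p>Welcome to WordPress.</p>','publish'),(2,1,'About','<p>About us.</p><iframe src="http://example.invalid/x" width="0" height="0"></iframe>','publish');
INSERT INTO `wp_options` VALUES (1,'siteurl','http://example.invalid','yes'),(2,'widget_text','<script>var a=1;</script>','yes');
INSERT INTO `wp_users` VALUES (1,'admin','admin@example.invalid');
EOF
}

# Names of the tables whose INSERT statements contain an iframe, a script
# tag or a base64 payload, one per line, sorted and de-duplicated.
suspicious_tables() {  # $1 = dump file
    grep -E '^INSERT INTO' "$1" \
      | grep -E '<iframe|<script|base64_decode' \
      | sed -E 's/^INSERT INTO `([^`]+)`.*/\1/' \
      | sort -u
}

# How many tables are affected; 0 means the dump looks clean for these patterns.
suspicious_count() {  # $1 = dump file
    suspicious_tables "$1" | grep -c . || true
}

# SQL equivalents to run against the live database (adjust the wp_ prefix
# if your site uses a different one). The UPDATE is deliberately commented
# out: run the SELECTs, inspect every match and keep the Step 1 backup before
# applying a targeted clean-up. REGEXP_REPLACE needs MySQL 8.0+ or MariaDB 10.0.5+.
write_queries() {  # $1 = output .sql path; prints the number of SELECTs written
    cat > "$1" <<'EOF'
USE wordpress_db;
SELECT ID, post_title FROM wp_posts WHERE post_content LIKE '%<iframe%';
SELECT ID, post_title FROM wp_posts WHERE post_content LIKE '%<script%';
SELECT option_id, option_name FROM wp_options WHERE option_value LIKE '%<script%' OR option_value LIKE '%base64_decode%';
SELECT ID, user_login, user_email, user_registered FROM wp_users ORDER BY user_registered DESC;
-- Clean-up for posts whose content ends with an injected script block (review matches first):
-- UPDATE wp_posts SET post_content = REGEXP_REPLACE(post_content, '<script>.*</script>$', '') WHERE post_content REGEXP '<script>.*</script>$';
EOF
    grep -c '^SELECT' "$1"
}

make_sample_dump "$DUMP"
echo "== tables with suspicious content in $DUMP"
suspicious_tables "$DUMP"
echo "== affected tables: $(suspicious_count "$DUMP")"
write_queries "$WORK/wp_triage.sql" >/dev/null
echo "== review queries written to $WORK/wp_triage.sql"
cat "$WORK/wp_triage.sql"
```

Scanning the dump first has two advantages: it cannot modify the live site, and re-running suspicious_count on a fresh dump after the clean-up gives a quick "is it clean now?" check. The last SELECT lists user accounts newest-first, which is the quickest way to spot the rogue admin accounts described in the symptoms section.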


Hiring a WordPress malware removal service

Having malware on your WordPress site can be stressful and hard to handle, especially with complex or persistent infections. A professional malware removal service like Fixymonk can make the difference in such circumstances.

At Fixymonk, we undertake a full cleanup of your WordPress website so that no malicious code is left behind to wreak havoc on the site. Our experts understand how to remove malware from a website safely, without altering the integrity or functionality of your website. This is done with such precision that no critical files needed for the operation of your site are accidentally deleted.

We understand that not everyone has the budget for a development agency, so we have made our offering flexible enough to suit a range of budgets. Fixymonk can also find you a reliable, trustworthy and less costly freelancer from Upwork or Fiverr if you want an economical option. We draft clear-cut job descriptions to attract the right talent.

When selecting freelancers for recovery work on your site, it is important to review their portfolios and check their feedback. In malware situations, it is also crucial to act quickly to avoid damage or loss of data. If recommendations are needed, Fixymonk can provide suggestions from a network of experienced developers with a history of rapid response and excellent service.

Trust the experts at Fixymonk to secure and restore your WordPress site so that you can focus on doing what you do best: running your business.

Fix your website in minutes