Remove Malware from Your WordPress Site (Illustrated Guide)

Malware can cause websites to fail to load, redirect users or can be used to send spam emails. Whilst there are paid services, let me show you how you can resolve this issue in 3 simple steps for free:

If you would rather not worry about tinkering with files and code, I provide a Malware Removal Service. Please contact me for more information.

Frequently Asked Questions

What is malware?

Malware (malicious software) is any software intentionally designed to cause damage to a computer, server, or website.

How did the site get infected?

A critical vulnerability in File Manager plugin affected 700,000 websites in September 2020. It allowed hackers to gain complete access to the websites and infect them.
Other reasons for sites to get infected include

How to remove malware?

Pay for Malware removal services available from Sucuri, contact me, or follow these 3 steps illustrated below.

How can we avoid malware?

Use few plugins as possible – choose the plugins wisely.
Keep WordPress and plugins up to date.
Backup constantly (in addition to daily backups by hosting provider). I use All-in-one WP Migration to take regular backups.
Choose good web host – I use and recommend SiteGround (affiliate link). It is worth investing $2 per month in SG Site Scanner to ensure that malware and spam is detected instantly before hackers have a chance to do any damage.
Limit the number of users with full admin access to 2 or 3.
To prevent brute force attacks… do not create usernames and passwords that can be easily guessed.
– For example, it is common practice to create an account with ‘Full access’ called ‘admin’. To mitigate this, create a user account with username ‘admin’ and give it ‘Subscriber’ access.
– Use strong passwords. Avoid using the same password on multiple sites.

Identify the malware

A good host like SiteGround constantly monitors your sites and backs them up daily. When malware is detected, it is contained by your web host by limiting access to the website.

A critical vulnerability in File Manager plugin affected 700,000 websites in September 2020. It allowed hackers to gain complete access to the websites and infect them.

This was the first time any of my clients sites were hacked. The site https://iuuriskintelligence.com/ had this very popular plugin installed and hence got hacked. I received an email from SiteGround confirming the hack. This is the first step.

Email from SiteGround confirming Malware Detection

Confirm the severity of the hack.

Ask your hosting provider to provide you with severity of the infection. SiteGround staff are very helpful and they provided a list of infected URLs. Login to your hosting backend to see the Malware infected URLs for the domain.

List of Malware infected URLs for the domain.
List of Malware infected URLs for the domain

Clean the malware

The first step is to prevent access to hackers – your web host will do this automatically to prevent more damage to your site and to prevent other sites on their servers from getting hacked. If your web host has not done so, you would need to Block all access and allow only your IP address.

Remember to take a backup before you start removing malware.

Start the process by copying the infected URL list to a code editor or simple text editor (like Notepad or TextEdit). As you clean or delete the infected files, remove the same from your list.

Login to your hosting provider, either download your files using FTP or use the File Manager tool from cpanel.

I noticed that there were 3 types of infections and the treatment is dependent on the type of infection:

1. Infected file full of malicious code (not a regular WordPress file)

I noticed that there were several files that were full of malware code (no WordPress code or php at all). Such files had gibberish names that made no sense e.g. y553s0ry.php and gsdfrwf4.ico

Treatment: Having checked that the file is just I simply deleted such files via File Manager (or FTP). To delete the file, select the file and choose Delete.

Delete File using File Manager

Pro Tip: Notice in the screenshot above that infected files have a more recent ‘Last Modified’ date.

2. Infected file with minimal malicious code

I noticed that some php files were infected very minimally. I noticed that such malicious code started just after opening <?php tag on line 2 and before the opening comments. A good indication is that most WordPress (php) file start with detailed comments as indicated below.

Malware on lines 2 to 6

Select the infected code and delete it.

3. Infected file with lots of malicious code

I noticed that some php files were heavily infected. I noticed that such malicious code started on Line 1 before the opening <?php tag on line 1 and before the opening comments. A good indication is that most WordPress (php) file start with detailed comments as indicated below.

Arrow Indicating end of infected code

Select the infected code up to the arrow and delete it.

Go through the full list of infected URLs and clean or delete the infected files as required.

Keep your site clean

Having cleaned the infection, contact your web host to make your site ‘active’ again.

However, you will need to ensure that your site is loading and functioning well – at the same time you don’t want hackers to exploit your site if it is not fully clean.

Therefore, you either need to prevent access to your site or password protect the site .

Block all access and allow only your IP address

Open the .htaccess file (using File Manager or FTP) and place the following lines at the top of the file.

order deny,allow
deny from all
allow from IP.IP.IP.IP

Replace IP.IP.IP.IP in the code above with your IP address and save the file.

Password protect the website

To add password protection on your website in SiteGround, go to your Site Tools > Security > Protected URLs. This will make the website only accessible to people who know the credentials for accessing it. For more information, refer to SiteGround Tutorial on How to Password Protect Directories.

After another check, SiteGround confirmed that there was no more infection.

SiteGround staff were very supportive

I installed security plugins to monitor the WordPress installation and database.

I also updated all the plugins, removed the file manager plugin and installed backup plugins to be able to restore the site if it gets hacked in future.

I asked SiteGround staff for another scan a week later which also confirmed that malware was completely removed.

Hope that helps you! Please feel free to ask any questions via comments below.

Read more

0 0 vote
Article Rating
Subscribe
Notify of
0 Comments
Inline Feedbacks
View all comments
Do NOT follow this link or you will be banned from the site!
0
I would love your thoughts, please comment. VJx
()
x
Affordable and creative web solutions from Melbourne, AU. I build robust fast-loading WordPress sites for a fraction of the price. Call VJ on +61389867186
Address :
106 Alamanda Blvd,
Point Cook,
VIC - 3030
Australia.
Tel : +61389867186
Email : hello@vjdesign.com.au

 Logo

Image of

$600-12000