Guide for non-developers | How to remove malware from a hacked WordPress site?
So, you’ve been hacked? You’re not alone. It’s a common problem that many of us face. The first thing you should do is take a deep breath and relax. This is not the end of the world. Once you have calmed down, you can take the next step and start getting your website back on track. 56% of WordPress websites are infected with one or more security vulnerabilities, according to some research.
WordPress is the most popular blogging and Content Management System (CMS) in the world. It is used by hundreds of thousands of websites, powers websites of well-known media companies like CNN and the New York Times, and is trusted by millions of people. Therefore, it’s understandable that security is a major concern.
The open-source code that WordPress runs on is constantly updated, and the software is regularly checked for vulnerabilities. Thousands of people from around the world who are experts in security are constantly finding and fixing security vulnerabilities. In addition, a large community of users report and fix the issues they find. WordPress is also used in corporate environments where security is a high priority, so the extra time and money invested in WordPress security is well worth it.
Even so, a security attack on your site could have ugly consequences. In a large business the website is the primary point of communication with end users, so it would be very frustrating to see all that effort and work fall flat. It would directly affect your business relationship with the customer.
Your users’ data such as names, email addresses, passwords, and credit card numbers are at risk in the event of a security breach.
Did you know that Google blacklists more than 10,000 websites every day for malware and about 50,000 every week for phishing?
Is your hacked WordPress website really hacked?
If you notice that your website has been hacked, you should not wait and delay solving the problem, as it can cause serious damage to the website and the server itself.
Some of the first symptoms of a hacked WordPress website are a drop in traffic, redirection to a suspicious or unrelated website, phishing pages, unknown users, and strange characters.
When a website is hacked, someone has accessed the site and altered it for their own purposes. Often a hacker adds malware or malicious content to a website, so the visitor gets infected as well.
- Phishing content: displays content from an unrelated site to collect data and trick visitors (e.g., a fake PayPal page).
- Defacement: displays content on the main page that makes it immediately obvious that the page has been hacked.
How to fix a hacked website
Below are the steps we take when a website has been hacked or blocked by a hosting provider.
1. First, it is most important to confirm that the website has been hacked and/or blocked.
- a domain or IP address has been blacklisted by search engines;
- your mail server has been blacklisted;
- the hosting provider sent a message and blocked access to the domain because malware was found in your account, e.g. a phishing site;
- anti-virus programs on the local computer block access to your domain;
- a hacker message is displayed instead of a web page, etc.
2. Back up the site and restore it to a previous backup.
Back up the hacked site first, and then restore a backup, if available, that was made before the site was hacked or blocked.
3. Find infected files and delete malicious code.
Using a regularly updated antivirus program, scan the site’s files to find infected files and delete malicious code. It is important to detect backdoor files so that the attack is not repeated soon.
4. Update the CMS, plugins, theme and add-ons.
Update the CMS, plugins, theme and add-ons to the latest version to keep the sites technically correct and safe from the increasingly common hacking attacks that find even the smallest bug.
Themes, plugins and add-ons should only be downloaded from their official websites and not from dubious sharing sites (so-called “nulled” sites), as these often contain a backdoor that makes it easier for hackers to access your domain.
It is always a good idea to scan a theme or plugin from an untrusted source with VirusTotal before installing it on the server (your WordPress website).
5. Set up and configure a firewall.
It is important to set up and configure a firewall, as this way we will achieve the highest protection against various attacks that can compromise the security of your website.
6. Change password for cPanel and CMS.
Change the password for accessing the cPanel and the administrator’s password for accessing the content management system. Use a strong enough password with at least 16 characters consisting of a combination of digits, lowercase and uppercase letters.
7. Back up the site after the virus cleanup and store the backup in a secure location off the server.
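One way to carry out step 3 by hand is to compare the site's files with a freshly downloaded WordPress package. The Python script below is an added example, not part of the original article or of any Virusdie tool; it assumes the clean copy is the same WordPress version as the site, and its function names and sample files are constructed for illustration.

```python
import hashlib
import tempfile
from pathlib import Path

CORE_DIRS = ("wp-admin/", "wp-includes/")  # directories owned by WordPress core


def sha256_of(path):
    return hashlib.sha256(path.read_bytes()).hexdigest()


def relative_files(root):
    """Every file under root, as a forward-slash path relative to root."""
    return {p.relative_to(root).as_posix() for p in Path(root).rglob("*") if p.is_file()}


def compare_with_clean_copy(site_root, clean_root):
    """Classify the live site's files against a freshly downloaded copy."""
    site_root, clean_root = Path(site_root), Path(clean_root)
    clean = relative_files(clean_root)
    report = {"modified": [], "unexpected_core": [], "php_in_uploads": []}
    for rel in sorted(relative_files(site_root)):
        if rel in clean:
            if sha256_of(site_root / rel) != sha256_of(clean_root / rel):
                report["modified"].append(rel)
        elif rel.startswith(CORE_DIRS):
            report["unexpected_core"].append(rel)  # core folders never gain files on their own
        elif rel.startswith("wp-content/uploads/") and rel.lower().endswith((".php", ".phtml")):
            report["php_in_uploads"].append(rel)   # uploads should hold media, not scripts
    return report


def constructed_demo():
    """Constructed sample: path -> (clean content, site content); None means absent."""
    files = {
        "wp-includes/version.php": ("<?php // core", "<?php // core"),
        "wp-login.php": ("<?php // login", "<?php // login, plus an injected line"),
        "wp-includes/cache-x.php": (None, "<?php // not shipped with core"),
        "wp-content/uploads/2024/logo.php": (None, "<?php // script among media"),
        "wp-content/uploads/2024/logo.png": (None, "image bytes"),
    }
    with tempfile.TemporaryDirectory() as tmp:
        for rel, contents in files.items():
            for copy, text in zip(("clean", "site"), contents):
                if text is not None:
                    path = Path(tmp, copy, rel)
                    path.parent.mkdir(parents=True, exist_ok=True)
                    path.write_text(text)
        return compare_with_clean_copy(Path(tmp, "site"), Path(tmp, "clean"))
```

On a real site, call `compare_with_clean_copy()` with the downloaded backup folder and the unpacked clean package; files it lists are candidates for review, while plugins, themes and wp-config.php are outside what a core package can vouch for.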
How to manually remove malware from a WordPress site?
If you trust the manual process more, go step by step this way – from the first point to the last:
1. Back up your site
2. Download and examine the backup files
3. Run a scan on your computer
4. Contact your hosting provider
5. Remove the malware infection
6. Download a fresh copy of WordPress to install
7. Change all passwords, update security/salt keys, delete unused users, and check WordPress user roles
8. Change security keys – even if a potential attacker stole your password, they will be automatically logged out once you change your WordPress salt keys
9. Reinstall plugins and themes
10. Update malware scan
11. Remove warning notice in Google SERP
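For steps 7 and 8, the salt keys are the eight define() lines in wp-config.php. The Python script below is an added example, not code from the original article: it replaces each of those lines with a locally generated random value and reports which keys were missing. The sample config fragment is constructed, and the 64-character length is an assumption.

```python
import re
import secrets

# The eight constants WordPress reads from wp-config.php for cookies and nonces.
SALT_NAMES = ("AUTH_KEY", "SECURE_AUTH_KEY", "LOGGED_IN_KEY", "NONCE_KEY",
              "AUTH_SALT", "SECURE_AUTH_SALT", "LOGGED_IN_SALT", "NONCE_SALT")
# Printable ASCII without ' and \, so values need no escaping in a PHP string.
ALPHABET = "".join(chr(c) for c in range(33, 127) if chr(c) not in "'\\")
DEFINE_RE = re.compile(
    r"define\(\s*(['\"])(?P<name>" + "|".join(SALT_NAMES) + r")\1\s*,\s*(['\"]).*?\3\s*\)\s*;"
)

# Constructed wp-config.php fragment; every value is a placeholder.
SAMPLE_CONFIG = """<?php
define( 'DB_NAME', 'example_db' );
define( 'AUTH_KEY',        'old-auth-key' );
define('LOGGED_IN_KEY', "old-logged-in-key");
define( 'NONCE_SALT',      'put your unique phrase here' );
$table_prefix = 'wp_';
"""


def new_secret(length=64):
    """Random value drawn from the operating system's CSPRNG."""
    return "".join(secrets.choice(ALPHABET) for _ in range(length))


def rotate_salts(config_text):
    """Return (new_text, rotated, missing) after replacing every salt define()."""
    rotated = []

    def swap(match):
        rotated.append(match.group("name"))
        return f"define( '{match.group('name')}', '{new_secret()}' );"

    new_text = DEFINE_RE.sub(swap, config_text)
    missing = [name for name in SALT_NAMES if name not in rotated]
    return new_text, rotated, missing


if __name__ == "__main__":
    text, rotated, missing = rotate_salts(SAMPLE_CONFIG)
    print(text)
    print("rotated:", rotated, "| not present, add by hand:", missing)
```

Keep a copy of the original wp-config.php before writing the new text back, and expect every logged-in user to be signed out afterwards.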
Once you’ve removed the WordPress hack… “Prevention is better than cure”
1. Update WordPress regularly
WordPress developers are constantly updating the platform and trying to close security holes. For this reason, it’s very important to keep your WordPress, theme, plugins and add-ons up to date. If you are hesitant to do it yourself – you can always hire a specialized agency to do it for you so you have the latest version.
2. Always use strong passwords
Choosing strong passwords for administrator and user accounts is an important step towards administrative security. Especially if you run a blog where multiple users access administrative functions; this increases the possibility of system vulnerability.
Don’t use the same passwords for different users. Instead, each password should be unique and difficult to guess. Some plugins can help ensure that strong passwords are used for your users.
It should always be stressed that passwords should be changed regularly. Don’t use the default administrator account as your real administrator account. It is easy to predict that it will be subject to outside attacks.
3. Protect your wp-admin directory
The wp-admin directory is the driver of your WordPress site. An attack on this directory can do a lot of damage to your site, up to taking it down. The best way to protect your wp-admin directory is to use a password. This means that you will use two passwords to access the control panel: one for the login page and the other for accessing the WordPress admin area.
To password protect the wp-admin directory you can use certain plugins that automatically generate an .htpasswd file, encrypt the chosen password, and configure the proper security permissions.
Adding another password means that the user can access their control panel in the account by entering two different passwords. With this extra layer of security, no one is able to access the administrator’s login page without having accurate credentials.
There is nothing wrong with having two passwords. This introduces an extra layer of security to the WordPress admin area, as the plugin encrypts your password, creates an .htpasswd file, and sets the proper security permissions.
A Web Application Firewall (WAF) can also be very useful. When enabled, a WAF blocks suspicious and malicious traffic before it reaches the website. In this case, we advise you to choose the highest quality security service providers.
4. Use the Virusdie antivirus feature
With Virusdie Antivirus, you can do much more than just detect and remove contaminated files from your site or quarantine them.
The software cleans up malicious code (backdoors, trojans, redirects, shell scripts and other malicious code) quickly from files like PHP, JS, HTML, images and system files. It does it automatically and with high accuracy.
The website will continue to function properly once the automatic cleanup is complete.
5. Limit login attempts
One way hackers crack a password is with a password-guessing script that tries to log in over and over again. To prevent them from guessing the correct password, limit the number of login attempts allowed.
This will limit the number of attempts to log in with an incorrect password. If an increased number of login attempts is recorded, access to the site will be closed and you will be notified of unauthorized activity. You can easily limit the number of login attempts using the plugin Limit Login Attempts.
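To see whether such a guessing script is already at work, the web server's access log can be checked for bursts of failed logins. The Python script below is an added example, not code from the Limit Login Attempts plugin or the original article. It assumes a standard access log in which a failed wp-login.php POST returns 200 and a successful one redirects with 302; the log lines are constructed and the threshold and window are assumed values.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed access-log lines using documentation IP ranges.
SAMPLE_LOG = """\
203.0.113.7 - - [12/Mar/2024:10:00:01 +0000] "POST /wp-login.php HTTP/1.1" 200 4321
203.0.113.7 - - [12/Mar/2024:10:00:03 +0000] "POST /wp-login.php HTTP/1.1" 200 4321
198.51.100.20 - - [12/Mar/2024:10:00:04 +0000] "POST /wp-login.php HTTP/1.1" 200 4321
203.0.113.7 - - [12/Mar/2024:10:00:05 +0000] "POST /wp-login.php HTTP/1.1" 200 4321
203.0.113.7 - - [12/Mar/2024:10:00:07 +0000] "POST /wp-login.php HTTP/1.1" 200 4321
198.51.100.20 - - [12/Mar/2024:10:00:30 +0000] "POST /wp-login.php HTTP/1.1" 302 0
192.0.2.55 - - [12/Mar/2024:10:05:00 +0000] "POST /wp-login.php HTTP/1.1" 200 4321
192.0.2.55 - - [12/Mar/2024:10:20:00 +0000] "POST /wp-login.php HTTP/1.1" 200 4321
192.0.2.55 - - [12/Mar/2024:10:35:00 +0000] "POST /wp-login.php HTTP/1.1" 200 4321
192.0.2.55 - - [12/Mar/2024:10:50:00 +0000] "POST /wp-login.php HTTP/1.1" 200 4321
"""

LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "POST /wp-login\.php[^"]*" (?P<status>\d{3}) '
)


def find_guessing_ips(log_text, max_failures=3, window=timedelta(minutes=5)):
    """Return {ip: time the limit was first exceeded} for bursts of failed logins."""
    recent = defaultdict(deque)  # ip -> failure times still inside the window
    flagged = {}
    for line in log_text.splitlines():
        match = LINE_RE.match(line)
        # Assumption: a failed login re-renders the form (200); a success redirects (302).
        if not match or match.group("status") != "200":
            continue
        when = datetime.strptime(match.group("ts"), "%d/%b/%Y:%H:%M:%S %z")
        times = recent[match.group("ip")]
        times.append(when)
        while when - times[0] > window:
            times.popleft()          # forget failures older than the window
        if len(times) > max_failures:
            flagged.setdefault(match.group("ip"), when)
    return flagged


if __name__ == "__main__":
    for ip, when in find_guessing_ips(SAMPLE_LOG).items():
        print(f"{ip} exceeded the failed-login limit at {when.isoformat()}")
```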
So is it easy for non-developers to remove malware from a hacked WordPress site?
This question is simple, but not easy to answer, as it depends on the type of infection, the approach, and your own skills. It is one of the most important things we should know as webmasters. A hacked website is like a ticking time bomb because if the website is not cleaned up, it can cause a lot of damage.
We can say that it is not trivial for non-developers to remove malware from a hacked WordPress website, but it is possible. It can be done with the help of some great security tools like Virusdie.
Security tools need to be useful from the start, rather than having a complex, confusing interface. With Virusdie, you can have it all: simple, intuitive, automatic, and cloud-based. You can do everything yourself and you don’t need to install anything.
Remember: it’s not just about cleaning the hacked website, but also about making sure it doesn’t get hacked again.
Article by Ivica Delic
founder of FreelancersTools,
exclusively for Virusdie.