Malware can be a word that sends chills down your spine, but it is something that you should not be afraid of. If malware has infected your website files or database, then there are steps you can take to clean up the malware and get back on track with running your business. In this blog post, we will discuss how to remove malware from WordPress websites in order to make sure that everything is clean and safe for visitors again!
What to do if you can still log in to your WordPress admin panel
Step One: Check If Your Website Is Hacked
If you don’t have a security system in place that alerts you to malware, there are a couple of simple manual ways that you can check to see if your website has been hacked.
- Visit the WordPress admin dashboard by going to your URL followed by “/wp-login”. If WordPress does not allow you access and redirects to another page or domain, this means that someone may have hacked WordPress and you will need to follow the steps below.
- If WordPress does not allow you access to your site’s URL at all and it redirects to another page or domain, this means that someone may have hacked WordPress and you will need to follow the steps below.
Since you shouldn’t leave your website unprotected, we recommend having a security solution installed at all times. Preferably you’d want one that automatically scans, cleans, and repairs your site, such as the ShieldFREE and ShieldPRO plugins. When malware is found, they also log the infection so you can see what is actually going on with your site.
Step Two: Make Sure That All Updates Are Installed
The first step in removing malware from WordPress websites is to make sure that all updates are installed. Updating WordPress applies patches for security vulnerabilities in the WordPress software itself, which helps to prevent a problem before it happens.
To update your WordPress site, visit the WordPress dashboard. From there click on “Updates”, then select the plugins that need updating (if applicable), and finally click on “Update Plugins Now.”
On that same updates screen, if any theme needs updating or if there is an update for WordPress itself, be sure to update them.
A good security measure is to reinstall your WordPress version if you think there might be a malware injection.
Step Three: Disable Plugins And Temporarily Delete Additions On-Site
In order to properly diagnose where the malware could be coming from, it is important to temporarily disable any WordPress plugins or additions that your website uses. To do this visit the WordPress dashboard. From there click on Plugins from the sidebar menu. Find all of the WordPress plugins you are using and then follow their instructions for disabling them in order to clean up malware.
What to do if you cannot log in to your WordPress admin panel or install a security plugin
If you have a backup
- Restore your files and database with a backup that allows you to log in and access the WordPress dashboard
If you don’t have a backup
- Download/take a backup of your files in the /wp-content folder and then download a backup of your database
- Change all passwords for backend credentials immediately
- Log in using FTP software if allowed; delete any malware found before restoring previous uploads of clean content
- Check file permissions settings and make sure they are what they should be or set them up according to standard values if necessary.
- Using WordPress or another web editor, disable the plugins that are not currently in use on-site
- If you need to completely clean your codebase or you can’t find all the infected files:
  - The easiest way to clean your codebase is to download the latest version of WordPress
  - Download/save these core files from your hacked website:
    - wp-content/uploads folder
    - If you have a child theme, download its folder & files
    - If you have a custom plugin(s), download its folder & files
    - In the root directory, your wp-config.php file
    - In the root directory, your .htaccess file
  - Be sure to check all of the files you downloaded for malicious code. If you find anything abnormal, back up that file, then remove the code from the infected files before you save them.
  - Change your security keys:
    - Open your wp-config.php file and use the online generator to generate new keys for the file. You don’t have to remember the keys, just make them long, random and complicated.
    - You can change these at any point in time to invalidate all existing cookies.
    - This does mean that all users will have to log in again.
  - Once you have all the above core files in a safe location, checked them for malware and changed the security keys, delete all the files from the root directory of your website.
  - After you delete all the files, upload the fresh WordPress files in the root directory.
  - When the WordPress files are done uploading, upload the core files you saved from your hacked website to the appropriate directory in your codebase.
  - Once all the files are uploaded, you should be able to log in to your site. If not, check your .htaccess file for any redirects or settings that might hinder it. Sometimes you might have to use the basic .htaccess file until you get your website up and running.
  - Since you did not reupload your plugin files, you might need to go and reinstall them fresh from the WordPress repository in the Plugins menu. The ones missing should be listed when looking at your plugins page. Be sure to save that list, or reference your backup files to see which ones you need to reinstall. Try not to reupload old plugin files; they might be infected with malware.
- Choose new usernames and passwords for your WordPress admin users
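A triage pass over the saved copy before anything is re-uploaded, covering the file check, the .htaccess check and the permissions check from the steps above. This is an added example, not code from the original post or from the Shield plugin; the search patterns are a small assumed starter set, 755/644 are the commonly used WordPress directory/file modes, and the sample tree is constructed.

```shell
#!/usr/bin/env bash
# Added example: triage a saved copy of a site before re-uploading any of it.
# Usage: ./triage.sh /path/to/saved-copy   (no argument: runs on a constructed sample)

# Executable PHP under uploads/: that folder should only hold media.
php_in_uploads() {
  find "$1" -type f -path '*/uploads/*' \
    \( -iname '*.php' -o -iname '*.phtml' -o -iname '*.phar' \) | sort
}

# Saved PHP/.htaccess files containing constructs often used to hide injected code.
suspicious_code() {
  grep -rlIE --include='*.php' --include='.htaccess' \
    -e 'eval[[:space:]]*\([[:space:]]*(base64_decode|gzinflate|gzuncompress|str_rot13)' \
    -e 'auto_(prepend|append)_file' "$1" | sort
}

# Anything group- or world-writable, i.e. looser than the usual 755 dirs / 644 files.
loose_permissions() {
  find "$1" \( -perm -020 -o -perm -002 \) | sort
}

# Constructed sample tree (not taken from a real site): one clean file, three findings.
make_sample() {
  d=$(mktemp -d) || return 1
  mkdir -p "$d/wp-content/uploads/2024" "$d/wp-content/themes/child"
  printf '%s\n' '<?php // child theme functions' > "$d/wp-content/themes/child/functions.php"
  printf '%s\n' '<?php eval(base64_decode("Y29uc3RydWN0ZWQ=")); ?>' \
    > "$d/wp-content/uploads/2024/img.php"
  printf '%s\n' 'php_value auto_prepend_file /tmp/placeholder.php' > "$d/.htaccess"
  printf '%s\n' "<?php define('DB_NAME', 'example');" > "$d/wp-config.php"
  chmod -R u=rwX,go=rX "$d"
  chmod 666 "$d/wp-config.php"
  printf '%s\n' "$d"
}

target=${1:-$(make_sample)}
echo "== PHP files inside uploads ==";        php_in_uploads "$target"
echo "== Obfuscation / prepend patterns ==";  suspicious_code "$target"
echo "== Group- or world-writable paths ==";  loose_permissions "$target"
```

Every path it prints needs a manual look before that file goes back on the server; an empty report only means none of these particular patterns matched.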
Resources
Backup plugins/services:
- Updraft
- BackWPup
- Your hosting provider
Malware removal plugins/services:
- Click here to read our full comparison of the top malware removal and security plugins.
- If you don’t want to read it, our ShieldFREE and ShieldPRO plugins offer the best overall security measures and pricing so that you don’t have to worry about your website going down from a hack. It scans and cleans your site automatically for you!
If you have further questions about anything in particular here just shoot us a message or leave a comment on this post!
To get quick help and advice from your Shield community, jump into our Facebook group.
Until next time.
Paul and the team.
Do you scan and clean malware with the Pro version?
Hi,
Shield’s Malware scanner will examine every single PHP file on your site (WP core, plugins, themes – including premium ones).
If there’s code in there that could be malicious, it gets flagged. You can schedule the scanner to run, remove, and repair files automatically as often as every hour.
Thanks,
Jelena
If wp is installed in a directory and malware is getting placed in the index file in the root, can security plugins or app firewalls prevent the uploads of malware to the root?
Hi Elle,
The Malware scanner will discover all sorts of malware patterns embedded in your PHP files, wherever they’re hidden on your WordPress site.
It focuses on the following:
– scanning of all PHP and JavaScript files and folders under your WordPress ‘ABSPATH’ – this is the directory that contains your wp-admin, wp-content and wp-includes folders.
– automatic repair of WordPress core files
– automatic repair of WordPress.org plugins and themes
If your index.php file is modified – infected with malware, it’ll be detected by the scanner instantly. Scanner will also detect malware files injected into root. Here are examples (modified/malware infection in the index.php file and malware file injected to the root /public folder):
https://www.screencast.com/t/walGD15yM
If you’d like to get more information about our Malware Scanner, please feel free to check out our blog post here.
Thanks,
Jelena
ShieldPRO is winning me over. Love your approach to your clients.
Thanks a bunch for your awesome feedback, Riaan.
We’re glad to hear that ShieldPRO is making a difference for you.
Our goal is to provide top-notch security service and support, so hearing your positive feedback is truly rewarding.
Cheers! 🙂