Wordpress Malware

WordPress Malware Removal Checklist – 2024 Security Guide

WordPress Malware Removal Checklist

1. Diagnose Hacked WordPress Site 2. Be Prepared for future
3. Shut down your site temporarily 4. Regenerate WordPress salts and security keys
5. Change all WordPress passwords 6. Take Full backup of WordPress theme and other important files
7. Take WordPress Database Backup 8. Use GWT and Google Chrome to identify malware issues.
9. Search WP files for malicious code 10. Scan WP folders for malicious files
11. Find Hidden IFRAMES 12. Check User generated Content (UGC)
13. Check location of open redirects 14. Scan internal and external links of your website
15. Check Final destination Of Website traffic 16. Scan Downloadable WP files
17. Check your wp-config.php file 18. Scan your .htaccess file
19. Scan Vulnerable WP plug-ins 20. Find and delete backdoors
21. Look for hidden administrators 22. Scan your computer for Trojans & Viruses
23. Change your web hosting service provider 24. Visit and use “Code Guard.
25. An ultimate solution – intrusion tests

The majority of bloggers, regardless of experience/expertise, use WordPress on a daily basis, so the security of WordPress is of paramount importance to us all.

The WordPress security is a topic of vital importance for every website owner. Every week, Google blacklists thousands of hacked WordPress sites infected by malware of some kind. If you are conscientious, you need to put in place good practices regarding WordPress security and maintenance.

Malware Removal Checklist for Hacked WordPress

In this 2022-23 edition of Malware Removal Checklist for WordPress, we will share best tips to help find and remove malware from wordpress website.

Just, in case you have missed, have a look at our WordPress Maintenance Checklist & WordPress Security Guide too.

We believe that the security of your WP website is not just about removing malware infections but about also by risk prevention. Here is the complete checklist below: 

1. Diagnose Hacked WordPress Site

Usually, when a site is hacked, it is noticed, files are deleted, elements change, some services no longer work etc.

Whether it’s to get a feel for it or just to check, it’s interesting to analyze the server and the site looking for traces of a hacker. 

Here are 3 steps (not exhaustive) to follow. We also follow these steps at WP Hacked Help to identify malware on your wordpress site. 

  • Observe external messages from Google

The typical example comes from Google when the phrase “This site may damage your computer” or “This site may be hacked” appears in the search results.         

Sometimes it’s your antivirus that detects the site as malicious or another tool like Google Safebrowsing 

http://www.google.com/safebrowsing/diagnostic?site=mysite.com

(Note: Replace “mysite.com” by your site). 

If you use Google’s Webmaster Tools, you’ll have a google blacklist warning message

Here’s more information from Google: http://www.google.com/webmasters/hacked/ 

Your browser can also warn you:                                                                                 

The following example comes from the Chrome browser. 

  • Observe the logs

And in other cases, you observe for yourself that something is suspicious and an intrusion is likely. For this we can observe in the logs (activity records) of the web server, suspicious error messages. For this, there are many services like URL Void or Virustotal as well as log wordpress scan tools like WP Hacked Help

There are also classic commands to retrieve the contents of the logs directory (/var /log). 

It’s easy to spot an unusual IP address because it does not match your IP address. 

  • Observe modified files

Finally, you can also see the last modified files in the last 24 hours (1 * 24) using the following Linux command :

find / directory-to-observe -mtime 1 -print | more  

Also Read – Sorry, This File Type Is Not Permitted For Security Reasons – FIXED

2 Be Prepared for future

So that it does not start again just after your recovery. Good practices must be kept in mind.

Some good practices include the following: 

  • Save regularly

Having backed up your files regularly makes it much easier to recover from an attack. So remember to backup your database, your important files and everything you need. 

  • Cookie cutter list provided by web host 

A “cookie cutter” list will not help you

They say the experience is an excellent teacher and that’s so true, especially when you’re having such an awful experience as malware attacks and there’s no one to help you.

  • You contact your host and he sends you a list of control clubs to repair the malware by yourself.
  • You contact Google and you receive a list of cookies again to repair the malware yourself.
  • You follow these instructions and sometimes remove yourself from malware.

But most of the time, these lists do not work. 

Why cookie cutter list wont help you?:

  • First, to follow the instructions given in this list, you must understand your CMS (Content Management System).

You need to know what you are playing with and how it will affect the performance of the website.

A wrong move and you can end up deleting the files from your website or the entire database.

  • Second, you need to know exactly where to look and what to do to fix the malware problem.

Despite recent malware attacks on Russian websites despite the use of security services, I was quite convinced that I could no longer rely on such services.

These services purport to protect your website from malware, which in my opinion constitutes a marketing scam.

They scan your website and alert you to malware, but they do nothing to prevent your site from becoming infected.

Most of them only scan your website once a day, and one day is enough for a hacker to inject malicious software into your website. 

One day is also enough for Google to issue a malware warning for your website.

In fact, none of these services can alert you to malware problems faster than Google, in my experience. 

I hired many of these so-called malware protection companies and they all failed miserably to find and alert me about malware problems in time.

In fact, the best malware scanner is ‘Google Chrome‘. 

Google Chrome detects malware faster than any paid malware scanner.

I have done a lot of work and research to ensure the security of my website for our visitors.

In this pursuit we came up with the idea of WordPress malware scanner. You can lay your hands on it and check it out here. 

3. Shut down your site temporarily

Temporary closure of the site, once you detect malware on your website, remove it to prevent hackers from exploiting it.

There is no point working on a live website while hackers are injecting malicious code at the same time from the other end. But beware, at times a site gets struck in maintainence mode, in that case you must read our article on How to Fix WordPress Stuck in Maintenance Mode.

Follow the steps below to get your site under maintenance in a user-friendly way for SEO:

Step 1: Create a “Maintenance mode” on Web page and name it 503.php.

Put following PHP code at the very top of the page (before the <html> tag:

<?php

header(“HTTP/1.1 503 Service Temporarily Unavailable”);

header(“Status: 503 Service Temporarily Unavailable”);

header(“Retry-After: 3600”);

?> 

WP Maintenance Mode plugins

WP Maintenance Mode

Maintenance Mode

This code will return the 503 response header that tells the search engine that your website is temporarily unavailable.

The “Retry-After” setting tells search engines to try to crawl the website after 3600 seconds (or 1 hour).

Note: Google also recommends that you return status code 503 when your website is under maintenance.

Also insert the Google Analytics tracking code in the main section of page 503.php to track visitors to the website during idle time.

Related Read503 Service Unavailable Error in WordPress

Step 2: Add the below given lines of code at the top of your .htaccess file:

RewriteEngine on

RewriteCond %{REMOTE_ADDR} !^111\.111\.111\.111

RewriteCond %{REQUEST_URI} !/503.php$ [NC]

RewriteRule .* /503.php [R=302,L]                                   

The code in the .htaccess file will redirect all pages of your website to page 503.php.

Thus, no matter which page a visitor accesses on your website, he/she will be automatically redirected to page 503.php. You can find out How to Fix WordPress Stuck in Maintenance Mode easily.

Also Read – How To Setup WordPress Two-Factor Authentication

4. Regenerate WordPress salts and security keys

WordPress uses four different security keys to encrypt information stored in users’ cookies and to make your website more difficult to decrypt.

These secret keys are randomly generated character strings and are used with four different salt types (which are also randomly generated character strings).

You can see security keys and salts by opening your wp-config.php file:

You must change all these security keys and salts to invalidate all cookies configured for your website and make your website more difficult to hack again.

One caveat here is that all users who can connect to your website will then need to reconnect.

You do not have to remember or store these keys as your usual passwords.

But make sure you do not share them either.

You can change the value of these keys manually (using a long and complex character string generated randomly, as shown in the image above), or using the official wordpress salt key generator.  

5. Change all passwords associated with your WordPress

To prevent hackers from making more use of your website, change the passwords linked with your WordPress admin panel, hosting control panel, FTP account, and more specifically your database.

You can change the password for your database by going to the Database section of your hosting control panel.

When you change the password for your database, you must immediately modify your wp-config.php file and update the password as well.

If you do not do this, you will receive an error message “Error establishing a database connection” when you attempt to access your website through the web browser.

Open your ‘wp-config.php’ file via ‘File Manager’ and locate the section that looks like this example:

/* The name of the database for WordPress */

define(‘DB_NAME’, ‘putyourdbnamehere’);

/* MySQL database username /

define(‘DB_USER’, ‘usernamehere’);

/* MySQL database password /

define(‘DB_PASSWORD’, ‘yourpasswordhere’); <=Update your password here

/* MySQL hostname */

define(‘DB_HOST’, ‘localhost’);

Also Read –  How To Change Your WordPress Username? – 3 Easy Ways

6. Full backup of WordPress theme and other important files

Although your website has been infected, it still contains valuable data.

You do not want to lose this data if something goes wrong during the cleaning process and you end up deleting/corrupting all your files.

If you want to make a backup of your WordPress site, first make a backup of the / wp-content / folder via your FTP.

This folder contains all your plug-ins, themes, images and videos.

Then make a backup of the following files, specific to a particular WordPress installation:

  • wp-config.php – This file stores information from your database such as the database name, database username, database password, and so on. You can find this file in the root folder via your FTP.
  • .htaccess – Another important file for server access control. You can find this file in the root folder via your FTP.
  • favicon.ico – This is the favicon file of your website. You can find this file in the root folder via your FTP.
  • robots.txt – This file is used to give instructions on your site to crawlers/web robots. You can find this file in the root folder via your FTP.

Also ReadWordPress Ransomware Removal & Prevention – GUIDE

7. Backing up WordPress database

Your WordPress database contains all your pages, blog posts and comments.

If your database is corrupted or deleted, you will permanently lose all your pages, blog posts, and comments.

To resume your database, go to the Database section of the hosting control panel, and then click the icon of the type of database (MYSQL or MSSQL) that you want to back up: 

You will see Actions Menu from there select ‘Backup’

Note the backup file name and its location

The location of the file is usually / _db_backups.

Once the backup is complete, navigate to the folder where your database file is located (in our case, / _db_backups) via your FTP and download this file.

Make sure you have the latest updated database file in your folder before uploading it via FTP. 

Take back your website, database and other important files at least once a month and before upgrading to the latest version of WordPress.

Make at least two copies of the backup files/folders and store them on different hard drives in case a backup is deleted/corrupted. At WPHH we make sure to take backup of every malware infected website.

Also Read – Fix Error Establishing a Database Connection in WordPress

8. Trust Google Webmaster Tools and Google Chrome to quickly identify malware issues.

Chrome browser detects malware faster than any expensive scanner.

Always use Google Chrome browser to visit you website and other web pages just for that reason.

It can detect malware very quickly, sometimes even before the malware warning is enabled in Google Webmaster Tools.

Sometimes you can prevent Google from labeling your website as infected or remove google blacklist warnings if you act quickly and immediately remove the malicious code/files from your server.

Visit the Google Safe Browsing Diagnostic page of your site: https://www.google.com/safebrowsing/diagnostic?site=www.mywebsite.com.

Replace mywebsite.com with your domain name.

This page allows you to get clues about malware issues. 

Here, malware is hosted on the websites delimited by the rectangle above and links to these websites have been secretly inserted into your website somewhere by hackers.

You must find these links and delete them from your files.Hackers usually put these links somewhere in your WordPress theme. Scan Malware in WordPress Themes and Plugins

Anyway, sign in to Google Webmaster Tools now for more details on your malware issues.

Go to Health> Malware and see the sample URL containing malware.

Sometimes, with these sample URLs, you can quickly search for and delete malicious files on your server.

Use the Find tool (under the Google Search Console Health menu) to detect malware that you cannot detect otherwise through a browser, but one that has been served to Google.

9. Search Files For Malicious Code

Sometimes hackers do not download malicious files instead, insert malicious code into your existing WordPress files.

In particular, hackers target these files to insert malicious code that can survive updates / re-installation of WordPress, such as your theme files. [NOTE – scan php files for malicious code]

Malicious codes are usually inserted through the IFRAMES and NOSCRIPT tags. [NOTE – scan javascript for malicious code]

So, look specifically for these items in your files.

The malicious code can be used in the form of a link to an executable file (such as .exe, .cmd, etc.) or a malicious script that downloads software or redirects users to sites that host malware.

Also Read – WordPress Malware Redirect Hack

10. Scan WP folders for malicious files

You can also use our malware scanner below

  1. Download a new copy of the latest WordPress and store it on your hard drive.
  2. Now browse the WordPress files in the different folders on your hard drive to get an idea of ​​the data, which is usually included in a typical WordPress installation.
  3. Once you have browsed the folders, access your web server via FTP and look for suspicious files (files that should not be there but are present) in / wp-content /, / wp-admin / and / wp -includes / folders.

For example, the css.php file is usually not present in the / wp-includes / CSS / folder of a typical WordPress installation.

But if you find one, it’s probably malware.

Make a backup of this file, and then delete it from the server so that you can restore the file in the event of a malfunction in the functionality of your website.

Comparing the name & number of files on your server with the name/number of files in the new WordPress installation is a great way to search for malicious files.

The “upload” folder under/wp-content/ is one of the hackers’ favourite places to store malicious files.

So, keep checking this folder.

Also Read – “This Account Has Been Suspended” – Fixed

11 Find Hidden IFRAMES.

Search for IFRAME tags with width = 0 and height = 0 in the HTML code of your web pages.

They are invisible IFRAMES and are usually located at the top or bottom of the HTML code of a web page.

Search for a strange code.

Search for blocks of numbers, letters, and unintelligible symbols in your files’ code and delete them.

For example.

%wwwww%xxxxxx%yy%%%\u9900\u

These are encrypted codes commonly used by hackers to hide malware.

Use the “custom features” of WordPress to search for malicious code.

12 Check User generated Content (UGC)

User generated content areas such as comments that are commonly used to inject malware.

Use the “custom filters” of the “Screaming Frog SEO” spider to search for spam words (like viagra, buy, porn, casino, insurance, work from home, etc.) on your website.

You can also use the site command: search on Google.com to search for spam on your website.

For example: site: www.abc.com Real Estate will return all pages (if any) containing the word “Real Estate” on your website.

Also watch for search query reports in Google’s Webmaster Tools.

If your website generates a lot of impressions for search terms like “casino”, it may be affected by malware / spam.

13 Check location of open redirects

Open redirects are redirects left open to the arbitrary destination.

Hackers often abuse it to redirect visitors to your website to websites hosting malware.

Look for URLs such as: www.abc.com/db.php?url=

I did not find an easy way to solve open redirect issues.

You must use your web developer or system administrator.

14 . Scanning of internal and external links of your website

Analyze all your internal and external links and search for links to unknown sites.

Typically, the website hosting malware has the unintelligible name such as bacxwq and ends with .ru (sorry for Russia).

You can scan your links using Screaming Frog, Google Webmaster or tools like “Open Site Explorer”.

15 . Check exact location, where your website leads the traffic

If you track exit (or outbound link tracking) at the site level, you can easily know where your website is sending traffic.

16. Scanning of all downloadable files required

Check all the files that can be downloaded from your website. Sometimes hackers modify these files to add malicious code. Find and also delete the following files from your web server.

They are all kind of malicious files that are used to spread malware:

  1. /wp-includes/js/jquery/jquery.js
  2. /wp-content/upd.php
  3. / wp-content / themes / [theme name] /temp/e9815adced6d3.php (or similar)
  4. wp-includes / xmlrpc.php and wp-includes / css / css.php
  5. wp-admin / upd.php and wp-includes / css / style.php
  6. Delete all image files, zip files and other files that are no longer needed. They could have been compromised.
  7. Delete all plugins that are no longer used and WordPress themes (from the / wp-content / folder) that are no longer used.

Note: Use Robotto() tool to monitor any changes in your robots.txt file.

17 . Check your wp-config.php file

This file usually contains 92 lines of code and ends with the following code:

require(‘./wp-blog-header.php’);

…Delete this portion…

?>

So delete everything in between these two lines of code.

18 . Scan your .htaccess file

This file is one of the hackers favourite and is commonly used to add malicious code.

The code is usually added to redirect visitors to your website to the website that hosts the malware.

While looking for the malicious code in this file, be sure to check the entire file from top to bottom.

Sometimes the malicious code starts after hundreds of blank lines in your .htaccess file. Also See – fix wordpress .htaccess hacked

This is done to prevent the code from being detected.

19 . Scan Vulnerable WP plug-ins

Timthumb is a PHP script used to resize web images in blogs.

This script is not malicious in itself but is commonly used by hackers as a mechanism for transmitting malware.

Some WordPress plugins use Timthumb and are vulnerable to hackers.

Use the WordPress Vulnerability Scanner plugins to identify WordPress plug-ins that use timThumb.

You must either remove these plugins or update them with the latest version.

Also Read –  Best WordPress Security Plugins 2024 [Updated List]

20. Find and delete WP backdoors

Once your website has been hacked, the first thing to do is install malicious code called “backdoor.”

These backdoors are developed so that a hacker can use them to find access to your site.

Sometimes, several backdoors are installed in case one of them is lost during manual removal or upgrade.

If your website has already been hacked, it is still possible that a backdoor is installed on your website and can be used to regain access. 

You must check each WordPress template file, each plugin, and the database to find such backdoors. But it takes a lot of time and is not very effective. If you miss something, you have left your backdoor open to hackers. 

So I suggest you to-

  • take your theme files, your database and other important files (such as .htaccess, robots.txt, wp-config.php) and delete all the files, plugins and folders in your directory. WordPress.
  • Delete the directory structure of your blog completely, then install the new version of WordPress.
  • Do not rely on reinstalling or upgrading your WordPress.
  • Although reinstallation/upgrade can replace files with malicious codes with new code, this does not always remove malicious files already placed on your web server.
  • Analyze your theme files, your database file and other important files with the anti-virus / anti-malware software installed on your system before downloading them back to your web server.

Also Read – How To Find and Fix Backdoor in WordPress

21. Look for hidden administrators on your website

Find users with administrator privileges, but you cannot recognize.

Sometimes hackers get administrator rights to insert malicious code/files on your server.

If you find such administrators, delete them. Read more on How To Delete Hidden Admin User In WordPress?

22. Frequent scanning of the computer

Regularly scan your computer to find and remove malicious files, Trojans, and viruses.

Sometimes your website’s files are infected/re-infected due to the presence of malware on your computer’s hard drive.

Note: There is a general misconception among webmasters that they malicious robots can be stopped via the robots.txt file. Malicious robots/spam robots ignore the robots.txt file 

23. Change your web hosting service provider

That’s what I did after GoDaddy taught me all the tips of the book to get rid of malware.

When you ask GoDaddy to help you remove the malware, you get the following pathetic copy-and-paste response:

We cannot help you remove malware from your server. Consider removing your site immediately to avoid infecting visitors and act quickly to identify/remove it. -Godaddy

To irritate even further, they never forget to add the following line at the end of each email:

Please let us know if we can help you any other way

Sincerely

Godaddy

Online Support Technician

Sometimes the vulnerabilities belong to the web hosting service provider.

These wordpress vulnerabilities can take the form of server configuration issues or security vulnerabilities on the hosting platform, making your website vulnerable to hacker abuse.

Choose a local host (so you can easily call him in case of emergency) and average size. Avoid web hosts who boast of having tens of thousands of customers. Their processing time is extremely slow and, to be honest, the majority of them do not care about you. If you operate a WordPress website, choose a web hosting provider that specializes in “Secure WordPress hosting for small business sites.” I would recommend Host & Protect, they provide secure web hosting for small business sites.

This can help you a lot to solve some problems related to WordPress. You will be dealing with a staff who knows WordPress well. Avoid using a shared hosting. Shared hosting accounts are nowhere as secure as dedicated hosting accounts.

Here’s an awesome guide on Medium which you would definitely want to read – How To Select & Understand Web Hosting? –  A Pocket Guide 

24. Visit and use “Code Guard.”

Codeguard.com is the only service which is found useful so far to diagnose malware problems on time.

I am not a subsidiary of Codegaurd, but I have found it useful.

Whenever it detects a change in the code of your website, it automatically makes a new backup and notifies you by email.

You will receive email alerts when you add a new blog post because there will be one or more files added to your web server.

You will receive email alerts when you add/remove plugins because, again, files will be added/deleted on your web server.

And of course, you will receive email alerts if someone secretly adds a malicious file to your web server.

You should pay close attention to these emails and never neglect them.

I did it and I have paid the price.

Look for changes that look malicious or unknown.

So, for example, if a file such as css.php is added somewhere on your web server, you should search for it and delete it immediately because it is not a standard WordPress file and is most likely malware.

25. An ultimate solution – intrusion tests

Even if you follow all the steps explained so far to remove the malicious code/files from your website, there is no guarantee that your website will not be hacked again.

Hackers can create new backdoors for access by exploiting security vulnerabilities in WordPress theme, hosting platform, or network.

To prevent your website from being hacked again, you need to hire someone or an intrusion-testing company.

These people will assess the security of your WordPress theme, your hosting platform, and your network by deliberately exploiting security vulnerabilities.

This type of test is also called ethical hacking because testers act as hackers to look for security flaws on your website.

Intrusion tests pay off and can help you greatly in preventing other malware attacks.

Once you are assured that your website is free of malware, change all your passwords, WordPress security keys, and salts again.

Delete the ‘Website Maintenance Page’ and put your website online.

Submit a request to the Google Webmaster Tool to review your website by visiting Health> Malware> Request a Review.

In about a day, Google will remove malware warnings from your website, provided that it does not detect any malware.

If not, malware will remain aware and you will be notified via Google’s Webmaster Tools “Review Status.”

Check the security of WordPress in 30 seconds

WordPress has become the most widely used platform in the world with market shares of around 25% of all existing websites. The community is impressive and the possibilities are almost endless. The counterpart of all this is that WordPress has also become the most attacked platform in the world and often nothing is done to protect themselves. However, with a few simple modifications, you could protect your site against most common attacks by the hackers such as:

  1.  Malicious Code Injection WordPress “Banco De Oro Hack
  2. Web Shell PHP Exploit
  3. WordPress Arbitrary File Deletion Vulnerability
  4. WordPress Pharma Hack
  5. WordPress hacked redirect
  6. WordPress Backdoor Hack
  7. Japanese Keywords SEO Spam WordPress

Read above-given blogs to enlighten yourself regarding most famous hacks exploiting WordPress security is available here and avoid losing hundreds of hours of work!

How to recover a hacked site?

It depends a lot on the backup and prevention work that you did before. If the previous point allowed you to know who entered or at least how it entered your server, you can delete / correct the files in question to “patch” the flaw.

If this is not a problem for you and you prefer to opt for the brutal solution, you can reinstall your server but be aware that if you reinstall over a fallible site, the hacker will return without problems. 

  • Analyze the server and the site

A rather safe but expensive way to have your server and site scanned. For this there are so-called vulnerability scanners free and paid are available online.

Making an intrusion test is also the job of ethical hackers, there are various types of services including the black box security audit (the hacker is not aware of the internal system) and the security audit in white box (the hacker knows the inner workings). These services are often reserved for large companies, but having acquired knowledge in hacking you will still be able to analyze your site or server to detect and foil yourself most attacks. 

  • Install intrusion detection tools

These tools are divided into two main groups: The first check intrusions at the machine level, the second check intrusions at the network level.

Among them, the most popular is probably Snort, and you will have to maintain safety rules. 

  • Update again and again

Often vulnerabilities are patched via security updates. So install any updates and eventually observe if the patches in updates correct the vulnerabilities encountered. 

  • Changing passwords

No matter how secure your site was, you now need to change all the passwords. It means the passwords of your account (and all other accounts) on the site and the server, the password of the database, etc. To secure a site by leaving a word of the pass to the pirate, is to allow him to return without worries. 

Download Our Free PDF Here

YOU GOT OUR BACK

To put it simply, WP Hacked Help will check a set of important points for the security of your site that is unfortunately very often ignored: Also refer to our detailed guide on how to secure your wordpress in 2024.

  1.  Is your version of WordPress visible in your source code?
  2.  Do you limit the number of login attempts to your administration interface?
  3.  Is your wp-config file protected?
  4.  Are your directories accessible to everyone?
  5.  It’s simple and fast! Enjoy!

24/7 WP Security & Malware Removal
Is your site hacked or infected with malware? Let us get it fixed for you
Secure My Website(s)

Tags: fix malware infected website malware removal checklist wordpress malware remove checklist for wordpress remove malware checklist remove malware from website free scan php files for malicious code scan website for malware checklist website malware scanner google