WordPress being a so popular website building platform and based on PHP is a prime target for malware infection. At WPOrbit we’ve helped hundreds of site owners clean up their hacked sites. In this comprehensive detailed in-depth guide, we’ve outlined how you can manually cleanup your site and save $$$ spent otherwise hiring clean up services.
How to identify if your WordPress site is hacked?
Identifying whether your WordPress site has been compromised by hacking or malware may not always be obvious, but there are certain telltale signs to watch out for. Below, we’ve listed some common behaviors to help you identify that:
- Do a Malware scan using free security tools like Sucuri or Wordfence – this helps determine if your WordPress system files are infected with malware
- Watch out for suspicious administrator users under All Users area in WP Admin
- Look at list of your posts and pages in WP Admin to determine if any spammy posts have been published
- Look at your plugins list if you see any suspicious plugin that you haven’t installed
- Open your site in a private browsing window and browse the site from page to page to notice any malware popups or redirects
- Use the file manager on your web host’s website or an FTP tool to look through the main folder of your WordPress site. Normally, you’ll see folders like wp-admin, wp-content, and wp-includes. If you notice any extra folders that don’t belong there, it might mean malware has added the folder to let the hacker gain access to your site. Often these folders contain randomly named PHP files indicating it is a malware file.
How does a WordPress site get infected / hacked?
- You might have an admin user account with a weak password.
- You might have shared your WP Admin credentials to someone via email whose mail box got hacked.
- You might have a vulnerable or poorly coded plugin/theme present on your site
- You might have outdated theme or plugin/s
- Using insecure or pirated themes/plugins: Downloading themes or plugins from unreliable sources or using pirated versions can introduce malicious code into your site.
- You might be using outdated WordPress core version
- Your site might be on a shared web hosting due to which your site got infected from other compromised WP sites sharing the same server file system
- Weak file permissions: Incorrect file permissions can allow unauthorized users to modify critical files on your server, leading to security breaches.
Cleaning WordPress Malware Manually
- File access using Web host file manager or FTP
- SSH Access (optional but useful)
- Knowledge of deleting, adding, extracting files using SSH/File Manager.
To start cleaning up your site manually, the first thing you should do is create a complete backup. You can do this easily using a free plugin like Duplicator, BackWPup, or Updraft.
Once the backup is taken, you can turn off your site from public access by using a maintenance mode plugin or modifying your .htaccess file present in your WordPress root folder and entering the below line at the beginning:
deny from all
This would prevent further spreading of the malware which occurs if the site is accessed via a browser.
The next steps would be:
- Cleaning up existing themes, plugins and WP core files
- Cleaning up malicious files left by malware
- Cleaning up WP Admin (spam posts, suspicious admin users, etc)
Cleaning up existing themes, plugins and WP core files
Malware is known to modify core WP/plugin/theme files so that it can replicate it self or reinfect the site. A really important thing to do is to swap out all these files with fresh copies from original source. This way, any bad changes made by the malware will be gone.
- Download latest WP Core files from https://wordpress.org/latest.zip to your local computer disk
- Extract latest.zip on your local computer disk
- Go inside the
- Delete the folder named
wp-contentfrom the locally extracted latest.zip file.
- Select all files and make a zip file of all the remaining files (let’s call it wp.zip)
- Go to your WordPress files root folder on your server using web host file manager or FTP
- Delete the following folders and files from your WordPress root:
- Important: DO NOT DELETE THE
wp-contentfolder – it contains your site’s data.
- Delete all files in the root except wp-config.php
- Edit wp-config.php and notice if it has any suspicious code. Most of the code should be similar to what you find in wp-config-sample.php file.
- Upload wp.zip file that you created in step 1 and extract it to your servers’ WordPress root directory
- Go to the
pluginsfolder and note down names of all the plugin folders somewhere in a local text file. (example
- Go to https://wordpress.org/plugins/ and find the ZIP file of plugin you want to replace. Example: https://wordpress.org/plugins/contact-form-7/ and press the Download button.
- Delete the plugin folder and extract the latest copy of the plugin in the same location.
- Repeat this for all other plugins in the
- There could be a folder within the plugins folder which is not really a plugin but malicious code left by the malware – if you find an unknown plugin folder – delete it.
- Repeat steps 5 to 9 for themes folder under
wp-contentso that any infection in the theme is gone.
- If you’re using premium plugins or themes that aren’t available on the WordPress.org site, you’ll need to visit the author’s website to download the original zip file and replace the existing premium plugins or themes.
Cleaning up malicious files left by malware
Malware is cleverly coded to replicate itself or make a come back by leaving malicious files deep within the WordPress installation. It is important to delete all those standalone malware files to stop the infection from coming back.
- Ensure index.php files under
pluginsfolder are blank.
- In the same locations, ensure no .htaccess file is present, if so, delete them.
- Check all the folders (2024,2023, etc) within
wp-content > uploadsfolder – these shouldn’t have any files with extension .php. This could be a tiring process – if you have SSH access, you can speed it up by searching PHP files via SSH commands:
find / -type f -path "/home/xxx/webapps/yoursite/wp-content/uploads/*.php"
- Login to WP Admin > Install WordFence (free) > Initiate a scan to find out any suspicious file that might be present in wp-content folder.
Cleaning up WP Admin
By now, most of the infection should be gone. The next step is making sure WP Admin is safe-guarded from any potential security threats.
- Go to WP Admin > Users > All Users and delete any suspicious admin user
- Reset all admin user’s passwords
- Delete any spammy posts published by the malware
- Ensure themes and plugins are up to date
- If you see deleted malware files restoring themselves at the same location despite site publicly turned off – the malware might have put itself into server memory / PHP process. In this case, you can purge all server processes by contacting your web host.
- Make use of SSH to speed up the plugin/theme replace process:
rm -rf /home/xxx/webapps/yoursite/wp-content/plugins/wordfence
- Have weekly backups for your site and at least one security plugin installed.
Still struggling with malware cleanup? At WPOrbit, we offer malware clean up at just $99. Contact us to get your site cleaned up.