How to remove malware from a hacked WordPress website
In this article we will explain why and how WordPress websites are hacked. We will also give you a step-by-step plan for removing malware and cleaning up your WordPress website.
Why are WordPress websites hacked?
The most important motivation for most hackers is money. Hacked websites are used to promote commercial websites, particularly those dealing in gambling, sex and pharmaceuticals. A hacked website can be used, for example, to send thousands of spam e-mails. Or links are placed on your website to mislead Google so that the commercial websites are placed higher in the search results. Every now and then hacks may be ideologically or politically motivated.
How do you discover that your WordPress website has been hacked?
- Various links appear on the website that don’t belong there. Often these are links to websites that have to do with pornography, gambling, drugs, illegal pharmaceuticals, et cetera. Sometimes the links are hidden in the color of the background of the website so that they are not visible to visitors, but can be found by search engines.
- When you search for your own website via Google (for example ‘wpupgrader.com’ as search term), you find information about the website that isn’t yours.
- Visitors to your websites are redirected to another website. Sometimes only mobile visitors.
- Your website is being used to send spam. If this is the case you will usually get a message from your host company saying that an unusual amount of e-mail is being sent from your website.
- Organic search traffic decreases because Google no longer shows your website in the search results.
How is it possible for your WordPress website to be hacked?
To gain control of your WordPress website hackers must find some way to upload or edit a file on your server. In general there are four possible ways for hackers to gain access to your website:
- Insecure passwords; most of the WordPress hacks that we come across could have been prevented by using more secure passwords.
- Update-policy; when you seldom or never update your WordPress, your plugins and your theme you greatly increase the chance that you will be hacked.
- Insecure themes/plugins; sometimes your website can be up-to-date, and still contain an insecure theme/plugin. Always purchase plugins/themes from a trustworthy website.
- Bad hosting; you may have protected your website well yourself, but if, for example, it’s possible for your hosting company to move files between different websites then your website is not properly secured.
How to make sure your WordPress website is hack free?
When a hacker has had access to your website, it is possible that files have been added or altered, passwords have been changed and possibly even new users added. If any one of these things is not detected and cleaned up, the other steps will have no effect, because the hacker will still be able to gain access and cause damage once again. For this reason, the clean-up must be thorough.
We will try to explain all the steps as simply as possible, but some technical knowledge is required. Make sure that you have an administrator account in WordPress, that you have FTP access (and that you know how FTP works), and that you can access the database using a program like phpMyAdmin or Adminer. The steps we are going to take are:
Backup your hacked WordPress website
You are going to clean up your WordPress website thoroughly. This means you may end up cleaning up too much and it might be better to start again. In that case it is always good to have a backup on hand. Make sure that you add both the files and all databases to your backup.
Close the doors
Make sure your WordPress website is temporarily inaccessible from the outside. Theoretically hackers could infect your website while you’re still going through these steps. This also prevents you from infecting your visitors with any malware that might be installed on your website.
You can usually block your website from your host company’s control panel by way of a password or by using an IP filter. If you have access to your .htaccess file you can add the following code to allow one specific IP address (find out what your IP address is at WhatIsMyIPAddress.com). This is the Apache 2.2 access syntax; on Apache 2.4 it keeps working as long as mod_access_compat is enabled:
# replace 123.456.789.123 with your own public IP address
order deny,allow
deny from all
allow from 123.456.789.123
Find the source of your WordPress website hack
It is important to find the source of the hack and the extent of the impact as soon as possible.
- Look for your plugins, themes and WordPress version in the WPScan Vulnerability Database and see if there are known vulnerabilities for the versions you installed on your website.
- Do you use Google Webmasters? Go to your dashboard and see if there are any reports of malware.
- Check your website in Google: http://www.google.com/safebrowsing/diagnostic?site=www.example.com
- Many hosting parties make access logs available. This is a list of all requests for files, saved at server level. Files placed by hackers are usually requested using a ‘POST’ request. By looking for ‘POST’ in your access log you can filter a list of PHP files to examine further. Later in this article we will explain what to look for when examining PHP files. These files are not necessarily infected, however; a POST request is also used when you fill in a contact form or when you log in to wp-login.php.
- We sometimes come across situations where an old WordPress website is on the same server, for example in the folder ‘old’. Often this installation has been forgotten and is no longer up-to-date, which makes the whole website vulnerable to all sorts of old security flaws.
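The access-log triage described above, as an added example that is not part of the original article: it keeps only POST requests to PHP files, drops the endpoints WordPress legitimately POSTs to (wp-login.php, admin-ajax.php and friends), groups the rest by file, and flags PHP under uploads/ or outside the standard folders such as a forgotten ‘old’ install. The log lines are constructed for the example; the list of expected POST targets is this example’s own assumption and you may need to extend it for your plugins.

```python
import re

# Constructed sample in Apache "combined" log format (not taken from the article).
SAMPLE_LOG = """\
203.0.113.5 - - [10/May/2024:10:01:02 +0000] "POST /wp-login.php HTTP/1.1" 200 1523 "-" "Mozilla/5.0"
203.0.113.5 - - [10/May/2024:10:01:09 +0000] "GET /wp-admin/ HTTP/1.1" 200 8710 "-" "Mozilla/5.0"
198.51.100.7 - - [10/May/2024:10:02:30 +0000] "POST /wp-content/uploads/2023/cache.php HTTP/1.1" 200 312 "-" "python-requests/2.31"
198.51.100.7 - - [10/May/2024:10:02:31 +0000] "POST /wp-content/uploads/2023/cache.php?x=1 HTTP/1.1" 200 312 "-" "python-requests/2.31"
192.0.2.9 - - [10/May/2024:10:03:00 +0000] "POST /wp-admin/admin-ajax.php HTTP/1.1" 200 44 "-" "Mozilla/5.0"
192.0.2.9 - - [10/May/2024:10:03:05 +0000] "POST /old/wp-includes/class-wp.php HTTP/1.1" 200 5 "-" "curl/8.1"
"""

LINE_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] '
                     r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})')

# POST targets that are normal on a WordPress site (logins, AJAX, comments, cron, editor saves).
EXPECTED_POST_TARGETS = {"/wp-login.php", "/wp-admin/admin-ajax.php", "/wp-admin/post.php",
                         "/wp-cron.php", "/xmlrpc.php", "/wp-comments-post.php"}

def suspicious_php_posts(log_text):
    """Return {path: (hit_count, {client_ips})} for POST requests to .php files outside
    EXPECTED_POST_TARGETS; the query string is stripped so hits on one file are grouped."""
    hits = {}
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m or m.group("method") != "POST":
            continue
        path = m.group("path").split("?", 1)[0]
        if not path.lower().endswith(".php") or path in EXPECTED_POST_TARGETS:
            continue
        count, ips = hits.get(path, (0, set()))
        ips.add(m.group("ip"))
        hits[path] = (count + 1, ips)
    return hits

def triage_notes(path):
    """Why a path deserves a closer look: PHP should never live under uploads/, and a file
    outside the three standard WordPress folders often points at a forgotten extra install."""
    notes = []
    if "/wp-content/uploads/" in path:
        notes.append("PHP file inside the uploads folder")
    if not path.startswith(("/wp-admin/", "/wp-includes/", "/wp-content/")):
        notes.append("not under wp-admin/, wp-includes/ or wp-content/")
    return notes

if __name__ == "__main__":
    for path, (count, ips) in sorted(suspicious_php_posts(SAMPLE_LOG).items()):
        print(f"{count:4d}  {path}  from {', '.join(sorted(ips))}  [{'; '.join(triage_notes(path))}]")
```

Feed it your real log with `suspicious_php_posts(open("access.log").read())`; every file it lists still has to be opened and read by hand, as the article goes on to explain.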
Clean up the files on your hacked WordPress website
During a successful hack a hacker can potentially place or alter a file in every folder on your web server; not just the folder containing the infected plugin. This means that you should examine all your folders and files, and this is painstaking work. Thankfully you can limit this work to various steps. We explain how below.
Cleaning up users
Even now that all the files have been cleaned up, hackers may still have access to your website. They could have made an extra admin account, for example, or have changed the password of one of the other users. Furthermore, it’s possible that the hackers got in because they were able to guess a weak password.
Go to ‘users’ in WordPress and remove any user who doesn’t belong. Set new (complex!) passwords for all other users. This way you know for certain that hackers cannot login using an existing account. Explain to existing users why it is necessary to use a complex password.
Check the database
The more advanced users among us can now take a look at the database. Using a program like phpMyAdmin or Adminer it’s relatively easy to browse through your database.
First, you can have a look in the ‘wp_users’ table; do you still see any users that don’t belong here? Remove them by hand. Sometimes hackers are able to add an invisible user.
Then take a look at the structure of the table and compare it to the standard WordPress Database description; have any tables been added that you don’t recognize? Take a closer look. Some plugins add tables to your database. Only remove the tables that belong to plugins that have been removed.
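The two database checks above (accounts that hold the administrator role even if they are hidden from the user list, and tables that no core WordPress install creates), as an added example that is not part of the original article. It runs the queries against a constructed in-memory SQLite copy with WordPress’s real column names, so you can paste the same SELECT statements into phpMyAdmin or Adminer; the sample users and the ‘wp_zzz_tmp’ table are invented for the example.

```python
import sqlite3

# Tables every plain WordPress install has (with the default wp_ prefix); plugins add their own.
CORE_TABLES = {"wp_commentmeta", "wp_comments", "wp_links", "wp_options", "wp_postmeta",
               "wp_posts", "wp_termmeta", "wp_terms", "wp_term_relationships",
               "wp_term_taxonomy", "wp_usermeta", "wp_users"}

def build_sample_db():
    """Constructed stand-in for a WordPress database: one real admin, one editor, one extra
    admin added by an intruder, and one table that no core install creates."""
    db = sqlite3.connect(":memory:")
    db.executescript("""
        CREATE TABLE wp_users (ID INTEGER PRIMARY KEY, user_login TEXT, user_email TEXT, user_registered TEXT);
        CREATE TABLE wp_usermeta (umeta_id INTEGER PRIMARY KEY, user_id INTEGER, meta_key TEXT, meta_value TEXT);
        CREATE TABLE wp_options (option_id INTEGER PRIMARY KEY, option_name TEXT, option_value TEXT);
        CREATE TABLE wp_zzz_tmp (id INTEGER PRIMARY KEY, data TEXT);
        INSERT INTO wp_users VALUES (1, 'siteowner', 'owner@example.com', '2019-03-01 09:00:00');
        INSERT INTO wp_users VALUES (2, 'editor', 'editor@example.com', '2020-06-15 12:00:00');
        INSERT INTO wp_users VALUES (3, 'wp-support', 'x@example.invalid', '2024-05-10 10:02:40');
        INSERT INTO wp_usermeta VALUES (1, 1, 'wp_capabilities', 'a:1:{s:13:"administrator";b:1;}');
        INSERT INTO wp_usermeta VALUES (2, 2, 'wp_capabilities', 'a:1:{s:6:"editor";b:1;}');
        INSERT INTO wp_usermeta VALUES (3, 3, 'wp_capabilities', 'a:1:{s:13:"administrator";b:1;}');
    """)
    return db

def administrators(db):
    """Accounts holding the administrator role, read from wp_usermeta (where WordPress
    stores roles) rather than from the wp-admin user list, so a hidden account still shows up."""
    return db.execute("""
        SELECT u.ID, u.user_login, u.user_email, u.user_registered
        FROM wp_users u JOIN wp_usermeta m ON m.user_id = u.ID
        WHERE m.meta_key = 'wp_capabilities' AND m.meta_value LIKE '%administrator%'
        ORDER BY u.ID""").fetchall()

def unknown_tables(db):
    """Table names not created by WordPress core (in phpMyAdmin use SHOW TABLES instead of
    sqlite_master). Tables of plugins you still use will appear here too; only remove
    those belonging to plugins you have deleted."""
    names = {r[0] for r in db.execute("SELECT name FROM sqlite_master WHERE type = 'table'")}
    return sorted(names - CORE_TABLES)

if __name__ == "__main__":
    db = build_sample_db()
    for user_id, login, email, registered in administrators(db):
        print(f"admin {user_id}: {login} <{email}> registered {registered}")
    print("tables to examine:", unknown_tables(db))
```

A registration date that coincides with the suspicious POST requests in your access log is a strong hint that the account was added by the hacker.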
Change all passwords
In the fifth step you changed the passwords of all your users, but hackers may have been able to discover other passwords as well. For this reason, at least change the password of your database, your FTP account, your host control panel, etc. as well. This way you don’t have to wonder whether your website really is secure again. Fill in the new database password in ‘DB_PASSWORD’ in the wp-config.php file.
Go live and test
Now you are ready to take your WordPress website live again. Remove the block you put in place in the ‘Close the doors’ step and check whether your website can be accessed when you are not logged in, for example by visiting your website from a different network or using your telephone without wifi.
You may still get a notification stating that your website contains malware. In this case your website has been placed on a blacklist, which means it also no longer comes up in Google searches. Use the options Google offers to put your website back in the search results.
- Google Diagnostic Center (replace www.example.com in the URL with your own domain). You can use this tool to see if your website is on the Google blacklist.
- Google Webmasters indicates if and when Google indexed a problem with your WordPress website.
- Submit a request via Google Reconsideration Tool to have Google reindex your WordPress website.
Behind the scenes at WordPress there is a large community of developers constantly working on improving the code. The advantage of this is that any known leaks in WordPress, plugins and themes are often resolved quickly when a new version is released. That’s why you should always make sure your website is up-to-date. This way you greatly decrease the chance you will be hacked again and you can perform new updates very quickly because it’s usually just a small modification.