Malware can be the worst thing to happen to your WordPress site. Removing malware from a hacked website is not a tough job if you know what you are doing and how to do it. By following the instructions in this article, you can remove malware from a WordPress site and harden its security to make sure it doesn’t happen again. In this tutorial, I am going to explain two different ways of removing malware from your WordPress site and how to prevent this from happening in the future.

What is Malware and How it can Harm your WordPress Website?

Removing Malware from a WordPress Website

WordPress is said to be the most well-maintained and robust platform. However, hackers keep finding vulnerabilities to get access to WordPress from time to time. Moreover, it is certainly the most popular platform, which makes it an easy target for a hacker. Therefore, you need to treat your WordPress site’s security as an absolute priority. There are several ways to detect malware on your WordPress website and to find out whether your site has been hacked or infected. To remove the malware effectively, it is important to find its root cause. When malware infects a WordPress site, you might experience the following symptoms:

  • Compromised sensitive data like user’s credentials, payment information, etc.
  • Unwanted and unauthorized access and changes to your site’s content.
  • Your URL getting redirected to suspicious and untrustworthy websites that promote spam and other harmful content (like drugs, pornography, and other illegal activities). Sometimes the injected content appears as dark text on a dark background, which is not visible to human eyes but which search engines can see.
  • Spam being spread from your site in the form of emails or suspicious links. You need to pay special attention here because the spam content may be shown only to your visitors or search engine crawlers, but not to you when you view the front end of the site.
  • Unnecessary resource consumption, more than usual.
  • Google marking your WordPress site as unsafe on the search results or browsers which can have a negative impact on your SEO rank as well.

As you can see, ignoring the security of your WordPress site can have some pretty nasty consequences. Therefore, the security of your WordPress site should be your utmost priority.

Tip: If you want to create your own WordPress website and can’t afford a developer, you can build your own WordPress site with TemplateToaster WordPress theme builder, which also offers free ready-to-use WordPress themes.

How to Remove Malware from a WordPress Website Manually?

Go for the manual method if you are ready to invest time and effort in your WordPress website. It gives you insight into where the breach happened so that you can prevent it from happening again in the future. Here is a step-by-step guide to help you remove malware from your WordPress website:

Follow these simple steps to remove malware from WordPress website

Step 1: Create a backup of your site

Once you are convinced that your site has been infected with malware, create a backup of your site immediately. You can use an FTP client, your web hosting provider’s backup service, backup plugins or any other way to download a copy of your entire site, including the website files, media files, database, themes, plugins, etc. The reason you need to act immediately is that your web hosting provider may delete your entire site at any time if they detect malicious content. This is the standard procedure in some cases to prevent other systems on their network from getting infected. Once you have a copy of your website, you can move to the next step knowing that if anything goes wrong, you at least have a copy of your site.

Step 2: Run a scan on your website and downloaded files to identify malware

I’d suggest running the scan on your locally downloaded backup. You can use a good antivirus and malware scanner like McAfee to detect and fix malware problems in your website files. If the scan is successful, remove the detected virus or malware from your WordPress site files, change your password and re-upload the site files. Alternatively, you can use an antivirus WordPress plugin to find and remove malware on your host itself.

Step 3: Remove the detected Malware

WordPress saves your login data in “wp-config.php” and your files in the “wp-content” folder. In this step, delete every file and folder in your site’s directory except wp-config.php and the wp-content folder. Then open wp-config.php and compare its content with the same file from a fresh installation or with wp-config-sample.php. Try to locate any strange or suspiciously long strings of code and remove them. After that, go through the wp-content directory and perform the following tasks for these folders:

  1. Themes: Check for suspicious code or delete everything except your current theme.
  2. Plugins: Save a name list of all your installed plugins and delete the subfolder. You can redownload and reinstall your listed plugins.
  3. Uploads: Look for anything that you have not uploaded yourself in the past and remove it.
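
The checks from this step, written as a script to run against the local backup from Step 1. This is an added example, not code from the original article: the 120-character threshold, the extension list and the function names are assumptions, and the output is a list of lines and files to review by hand.

```python
import re
import sys
from pathlib import Path

# Assumed heuristic: an unbroken run of 120+ base64/hex characters.
# The 64-character salts in wp-config.php are too short to match it.
ENCODED_RUN = re.compile(r"[A-Za-z0-9+/=]{120,}")
# A whole-line define('NAME', value); with nothing trailing it.
DEFINE = re.compile(r"""^define\(\s*['"](\w+)['"]\s*,\s*('[^']*'|"[^"]*"|\w+)\s*\);$""")
PREFIX = re.compile(r"^\$table_prefix\s*=\s*'\w+';$")
SCRIPT_EXT = {".php", ".phtml", ".phar"}  # assumed list of executable extensions

def config_findings(config_text, sample_text):
    """Lines of wp-config.php that wp-config-sample.php does not account for."""
    stock = {line.strip() for line in sample_text.splitlines()}
    known = {m.group(1) for s in stock if (m := DEFINE.match(s))}
    findings = []
    for no, line in enumerate(config_text.splitlines(), 1):
        s = line.strip()
        m = DEFINE.match(s)
        if ENCODED_RUN.search(s):
            findings.append((no, "long encoded string"))
        elif s and s not in stock and not PREFIX.match(s):
            # A constant the sample also defines is fine; only its value differs.
            if not (m and m.group(1) in known):
                findings.append((no, "not in wp-config-sample.php"))
    return findings

def scan_wp_content(wp_content):
    """Script files under uploads/ and long encoded strings in any script file."""
    root = Path(wp_content)
    findings = []
    for path in sorted(p for p in root.rglob("*") if p.is_file()):
        rel = path.relative_to(root)
        if path.suffix.lower() not in SCRIPT_EXT:
            continue
        if rel.parts[0] == "uploads":
            findings.append((rel.as_posix(), "script file in uploads"))
        if ENCODED_RUN.search(path.read_text(encoding="utf-8", errors="replace")):
            findings.append((rel.as_posix(), "long encoded string"))
    return findings

if __name__ == "__main__":
    backup = Path(sys.argv[1])  # root of the downloaded backup (assumed layout)
    sample = Path(sys.argv[2])  # wp-config-sample.php from a fresh WordPress download
    config = (backup / "wp-config.php").read_text(encoding="utf-8", errors="replace")
    for hit in config_findings(config, sample.read_text(encoding="utf-8")):
        print("wp-config.php", *hit)
    for hit in scan_wp_content(backup / "wp-content"):
        print(*hit)
```

Constants added by your host or by plugins will show up as "not in wp-config-sample.php"; check each one against what you know you configured before removing it.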

Step 4: Download the latest copy of WordPress to install

Once you are done cleaning the core files of your site, download the latest copy of WordPress and re-upload it to your website using the file manager tool or FTP. Navigate to your file manager, click on Upload File, and browse to the WordPress zip file on your computer. After it uploads successfully, right-click it, choose the Extract option and enter a directory name to define the save location. Copy everything except the zip file to public_html.

Step 5: Change the WordPress default ‘Admin’ account and password

If you have multiple admin users on your WordPress admin panel, the breach may have occurred through one of those accounts. Reset the password of every account and log every account out. Moreover, remove the default ‘Admin’ username, as it is literally the first guess of any hacker. Look for suspicious user accounts and delete them. Also, change usernames and passwords from generic values to long, randomized strings that can’t be breached by brute-force attacks. You can use a password generator to create stronger passwords. Finally, don’t forget to change the password of your database and update it in your wp-config.php too.

Step 6: Re-install themes and plugins

After cleaning your core site files and removing malware from your WordPress website, it is time to re-install the plugins and themes you had. I’d suggest leaving out plugins that are no longer supported by their developer or haven’t been updated in a long time. Such plugins or themes can open your site to security threats and vulnerabilities. While you are at it, I’d also suggest installing and activating some security plugins on your WordPress site. Having some effective security plugins can prevent this from happening in the future. Also, check out these 10 tweaks that can increase the overall security of your WordPress website.

Step 7: Harden your WordPress security

Take the security of your WordPress site a notch up with some WordPress security hardening tips:

    • Pick a solid WordPress hosting provider that offers great performance as well as security services.
    • Get reputable themes and plugins that are still being maintained and being updated from time to time to patch security and performance vulnerabilities.
    • Don’t use the ‘Admin’ username, as it is the most targeted username and can be easily breached by hackers.
    • Use password generators to get stronger passwords to avoid the ‘hit and trial’ method of security breach.
    • Use secure protocols like HTTPS or SFTP that take extra measures when it comes to the secure transmission of the content of your site over the network.
    • Limit login attempts to a maximum of 3. A legitimate user should be able to get the username and password right within three attempts, whereas three attempts are not enough for an illegitimate user to break into your WordPress admin panel.
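
To check whether the three-attempt limit is holding, or whether an account was guessed before it was in place, you can count login attempts per client in the web server's access log. This is an added example, not part of the original article; it assumes the combined log format and that the login form answers 302 on success and any other status on failure, as a stock WordPress install does. The log lines are constructed.

```python
import re
from collections import defaultdict

# Combined log format; only the fields needed here are captured.
LINE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+)[^"]*" (\d{3}) ')
MAX_ATTEMPTS = 3  # the limit suggested in the hardening list

def login_report(lines, limit=MAX_ATTEMPTS):
    """Clients with more than `limit` failed logins, and whether a login then succeeded."""
    failed = defaultdict(int)
    succeeded_after = set()
    for line in lines:
        m = LINE.match(line)
        if not m:
            continue
        ip, method, path, status = m.groups()
        if method != "POST" or path.split("?")[0] != "/wp-login.php":
            continue
        if status == "302":  # assumed: redirect after a successful login
            if failed[ip] > limit:
                succeeded_after.add(ip)
        else:                # assumed: the form is shown again after a failure
            failed[ip] += 1
    return {ip: {"failed": n, "login_after": ip in succeeded_after}
            for ip, n in failed.items() if n > limit}

# Constructed sample: one client fails five times and then gets in,
# another mistypes once before logging in.
SAMPLE_LOG = (
    ['203.0.113.7 - - [10/Mar/2024:10:00:0%d +0000] '
     '"POST /wp-login.php HTTP/1.1" 200 4512' % i for i in range(5)]
    + ['203.0.113.7 - - [10/Mar/2024:10:00:06 +0000] "POST /wp-login.php HTTP/1.1" 302 0',
       '198.51.100.20 - - [10/Mar/2024:11:15:00 +0000] "GET /wp-login.php HTTP/1.1" 200 4100',
       '198.51.100.20 - - [10/Mar/2024:11:15:09 +0000] "POST /wp-login.php HTTP/1.1" 200 4512',
       '198.51.100.20 - - [10/Mar/2024:11:15:20 +0000] "POST /wp-login.php HTTP/1.1" 302 0']
)

if __name__ == "__main__":
    for ip, info in login_report(SAMPLE_LOG).items():
        print(ip, info)
```

A client reported with `login_after` set to true is the account to reset first in Step 5.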

Read this guide for more tips on hardening the security of your WordPress site.

Check out the best WordPress website builders.

Step 8: Review suspicious User Accounts

Check user accounts for any unauthorized or unfamiliar users. Remove any suspicious accounts and change the passwords for existing ones.

How to Remove Malware from a WordPress website Using a Plugin?

Remove Malware from a WordPress Website with Wordfence Security Firewall

If you prefer a quicker and less technical way of removing malware from your WordPress website, then you should go for this method. Look for an adequate plugin like Sucuri or Wordfence to remove malware from your WordPress website. I personally like the Wordfence plugin for the security of a WordPress website. It offers a free as well as a paid version. It comes from a reputed source and has over 2 million active downloads. It is a complete suite of features to secure your site and prevent security attacks. Moreover, it comes with a powerful malware scanner that regularly keeps your site in check to prevent it from getting infected in the first place. It scans your WordPress plugins, themes, core files and other content as well. It also offers powerful 2-factor authentication for your WordPress site. For the sake of this tutorial, I am going to take Wordfence as an example to explain how to remove malware from a WordPress site using a plugin. If you have any other security plugin, it should have a similar process, as follows:

  1. Install the plugin and activate it on your site.
  2. Scan your WordPress site using the Wordfence malware scanner to detect any malicious code or malware on your website.
  3. It will detect the compromised files and will replace those files with the original copies.
  4. After cleaning your site, it runs a check on the search engine database to see if your site has been blacklisted.
  5. Reinforces your site’s security to prevent malware attacks in the future.

When you use a good security plugin, all you need to do is install the plugin and follow the above steps. The plugin will do the rest to keep your site secure.

Remove the blacklist warnings after removing malware from WordPress website

Google is enforcing a 30-day ban on site reviews to prevent repeat offenders from distributing malware. However, it doesn’t mean you need to give up on your site. If your website gets compromised, Google puts an ‘infected notification’ on your site to let visitors know that they are entering a compromised site. Once you have cleaned your site, you should notify Google about it. Basically, you ask for a review of your site, and after Google reviews it and determines that it is no longer compromised, it will remove the ‘infected notification’. Follow the given steps to remove the site’s warning label:

  1. Visit Google Search Console and register your site.
  2. Verify your site using URL prefix or Domain.
  3. Scroll down to locate Security & Manual Actions on the left tab. Click on the drop-down menu and select Security Issues.
  4. You will see the report on your site’s security; select Request a review to let Google review your site for any security vulnerabilities.

Ensure that your site is free of any security issue before requesting a review. Otherwise, Google can label your site as a repeat offender and you will not be able to request another review for the next 30 days.

Weakly coded WordPress themes are also sometimes an entry point for hackers. So get your theme from a reputed developer or company, or create your own theme or complete website with our WordPress theme generator. We also offer lots of free WordPress themes.

Removing malware from WordPress website: Conclusion

As you see, removing malware from a WordPress website is not that complex. You should be able to recover your WordPress site by following the instructions carefully. I hope this tutorial is helpful to you. If you still have any doubt or issue, feel free to comment below. I am always ready to help you out!