WordPress Hacked? Malware Removal | 101
WordPress Hacked? Malware Removal | 101
The consequences of malware extend far beyond simply receiving an email from Google or your host administrator alerting you to its presence. Malware can damage your reputation and cost you customers and profits. To add insult to injury, paying an admin you trust to remove website malware can cost hundreds of dollars – sometimes over a thousand.
Removing website malware yourself is in fact easy to do with basic cpanel knowledge. A good host administrator will often offer customer support if you are a do-it-yourselfer. Here are some suggestions for what directories and files to look at and what to identify should your business be attacked by malware.
Remove Website Malware In This Four-Step Process
- Isolate threat
- Resecure users
- Resecure Root
Depending on skill or preference, you can operate through command line tools to SSH or use the GUI interface web browser cPanel option provided by your host administrator to edit, delete and replace files.
STEP ONE: Quarantine Your Website
You won’t need tools for this first step. Isolate the threat and alert your host provider, requesting that they quarantine your website. This will ensure that any malicious code or files are isolated from the rest of the network and can be safely removed without damaging other files. Your host will effectively back up your /public_html directory where any malware may reside. That is where you will do all of your work. You have the option to skip quarantining your site and work directly in your /public_hmtl directory, but you will risk augmenting your problems by mistakenly destroying files.
STEP TWO: Change passwords
Issue new passwords to all user accounts associated with the website. You can go as far as issuing new usernames. Consider providing usernames and passwords offline, such as by direct phone calls.
STEP THREE: Repair/Replace Files and Update Software
Update website software, including the website’s content management system (CMS) and any plugins or themes. Ensure that all website components are up-to-date.
Recovering your site begins with logging into your website’s control panel (cPanel) and navigating to the File Manager. You should be familiar with your /home directory. Here is where you will find a copy of your /public_html directory which may be renamed to something as simple as /public_html.quarantine.current-date.
It’s worth repeating the contents of this backup directory hold your hacked site. You will clean this up, and upon completing that task, place the contents back into the /public_html directory.
STEP FOUR: Repair From Your Quarantined Copy
In short, your site files will remain in place with a full backup copy at /root level, similarly named. Ex. /public_html.quarantine.current-date. It won’t be a compressed copy. You will want most, but not all of the files. To be clear, you’ll download them all, but you won’t re-upload them all.
Once you’ve clearly identified your quarantined website copy, open it. Highlight all the files within it and select ‘compress’ at the top of the screen. This will prompt a dialog box to which you should select the /root directory. Compress the file for your platform. For example if you are a windows user, choose the.zip file type by selecting the Zip Archive radio button and mouse-click the ‘Compress File(s)” button.
Name the saved version referencing it as a backup:
Download it locally. Uncompress it so you can work with the files individually.
Keys To Your Work
You are going to start first by comparing WordPress core files to known clean copies. Clues to finding the hacked files are larger file sizes, recent date stamps (last modified), and multiple files sharing the same recently modified date.
Don’t Want To Inspect Each File?
You can alternatively replace all your core files which include:
- All the individual files at root level of the public_html directory except for your /wp-config.php file, but do inspect that file! Examples at root to replace are index.php, license.txt, etc…
- The /wp-admin directory
- The /wp-includes directory
To replace only these files and these directories of files, download a copy of the WordPress core files at WordPress.org and simply replace or overwrite the old with the new. Here’s how:
Unpack WordPress locally and re-compress (zip) only the three items listed above in the blue text. They are the /wp-admin directory, the /wp-includes directory, and all the root files except for the wp-config.php file. Name it what you like, but for the sake of this instructional, let’s call it, new-core-files.zip
While still in cPanel’s File Manager, delete all the old files on your web server in the /public_html directory except for /wp-content (that’s your website!) and /wp-config.php file.
You should only see two items listed on your web server in the /public_html directory:
Now upload the compressed file (new-core-files.zip) holding the three clean replacement copies back to your root directory through the cPanel File Manager using the ‘upload’ function. Once it’s up, extract the directories and files.
Last. You may delete new-core-files.zip
In theory, you should be back to good again. There may be some plug-ins that are corrupted which you can remove and reinstall.
However, if one or more plug-ins were breached, you may get an error code printed to your page with a pathway listing the plug-in(s). In which case, you’ve found your breach. Rename those plug-in directories to be sure, and once your page displays properly, you can delete the plug-ins that posed a threat and re-install a newer version if you still trust that provider. You may encounter small issues like rebuilding your permalinks.
STEP FOUR: Change Admin Passwords
Change FTP and SSH passwords for your website to prevent future access by malicious actors.
After cleaning your site, adding a helpful plugin like Wordfence (even the free version) can help prevent and clean up future Malware attacks.