It’s common for websites to contain vulnerabilities and to become infected at any time. Paying for an additional service to have the malware removed can be costly. Instead, you can learn to do the malware removal yourself. In this guide, you will learn the step-by-step process of removing malware, fixing the vulnerabilities and getting your website removed from blacklists.
Before Starting the Malware Removal Process
Before starting the WordPress malware removal process, you will need to lock down your website. This ensures that during the process, only you have access to it. Many hosting services let you put the site into maintenance mode from the hosting panel. If you can’t find that option, there are other ways to lock down your website:
Apache
Open your .htaccess, sometimes called htaccess.txt, file and write the following lines on top:
order deny,allow
# Deny access from all IPs
deny from all
# Allow access from specific IP
allow from YOUR IP ADDRESS
Nginx
Open your nginx.conf file and add the following lines inside the server block for your site:
location / {
    # allow your IP below
    allow 127.0.0.1;
    # drop rest of the world
    deny all;
}
1. Install Anti-virus Software on All Computers From Where the Site is Accessed
It is common for FTP, /wp-admin/ and hosting credentials to be leaked through a keylogger or other malware running on your own computer. Having antivirus software installed on every computer from which you access the admin panel, your hosting server or FTP is essential.
Using the antivirus software, scan your computer for possible malware. Be sure to also take a look at your operating system security settings to make sure that the firewall is turned on. It also helps to frequently update your operating system, web browsers, and browser extensions.
2. Change All Access Codes (Hosting, SSH, FTP, MySQL, WP Users)
To prevent leaked credentials from being reused, change them one by one. Change your hosting panel password, then revoke all FTP accounts and create new ones with newly generated passwords. If your host doesn’t generate passwords for you, use a password manager such as LastPass to generate a secure password.
Changing WordPress Admin Panel Credentials
Through your WordPress admin panel, delete all inactive accounts then edit each active account one by one to suspend all sessions and generate new passwords.
Changing Database Credentials
When changing the MySQL or a database password, you will also need to update this information on your wp-config.php file.
Changing Salts
Salts are used to safeguard stored passwords from being read. After a breach, a new salt is generated for each password, and it’s important to replace the old salts with the new ones in your wp-config.php file.
We recommend changing these codes on a regular basis to improve your website security (every 3 – 6 months). You can manually generate the Salt keys from WordPress.org secret-key service.
3. Fully Backup Your Website
It’s always important to download all of your file server content and database to a local environment as a safety measure. This can be done with SFTP, SSH, or through the PhpMyAdmin panel.
SFTP
This method is a secure version of FTP, which is used for transferring files from one database to another. The access credentials are found in your hosting account, in the same place as the regular FTP credentials. SFTP uses port 22, while FTP uses port 21. You can access the service with a client such as FileZilla.
SSH
Some hosting servers give you SSH access, which makes things much easier. With it you can generate a .zip file containing all the files in your hosting account, which can later be downloaded directly over SFTP.
After logging into your hosting server with SSH, change into the WordPress root directory and run the following (the trailing dot tells zip to archive the current directory):
zip -r backup-pre-cleanup.zip .
Database
Through your hosting service, you can find the PhpMyAdmin which allows you to manage the database. You can easily export the entire database within the PhpMyAdmin panel. Save this to the same folder, “backup-pre-cleanup”.
You can also export your database via SSH with the following command:
mysqldump -p -h hostname -u username database > backup-pre-cleanup.sql
After exporting it with SSH, be sure to download this to your local environment and delete it from the file server.
4. Analyze Logs and Recent Changes
Logs are useful for detecting changes and analyzing incidents. You can download the access logs from your hosting service. Open them with an editor such as Sublime Text and search (Control + F) for the “POST” method. Look at the dates to see whether any PHP file has been added to the server, and look at the events around suspicious requests to see if you can catch anything.
You can also check which PHP files have been recently updated by running the following command through SSH:
find . -type f -name '*.php' -ctime -7
To see if any JavaScript files have been added or modified, run the following command:
find . -type f -name '*.js' -ctime -7
To see all the files, permissions, and attributes that have been modified in the past 7 days, you can run this command:
find . -ctime -7
You can change the number lower/higher depending on the need while:
-7 = modified in less than 7 days
+7 = modified more than 7 days ago
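The manual “search the log for POST” step above can be automated. The following Python script is an added example and is not part of the original guide; it parses a few constructed access-log lines in the common “combined” format (documentation IP ranges, made-up timestamps), flags POST requests to PHP files that are not normal WordPress endpoints (anything under wp-content/uploads/ is always flagged), counts POST requests per client, and lists the server-side files to cross-check against the find -ctime output. The list of expected POST targets is an assumption for the example and should be adjusted to the plugins in use.

```python
import re
from collections import Counter
from datetime import datetime

# Constructed sample access log in the "combined" format that Apache and nginx
# write by default. These lines are made up for this example; the IP addresses
# come from documentation ranges, not from real clients.
SAMPLE_LOG = """\
203.0.113.10 - - [12/Mar/2024:10:01:15 +0000] "GET /index.php HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.10 - - [12/Mar/2024:10:01:20 +0000] "GET /wp-content/themes/demo/style.css HTTP/1.1" 200 900 "-" "Mozilla/5.0"
198.51.100.7 - - [12/Mar/2024:10:05:02 +0000] "POST /wp-login.php HTTP/1.1" 200 1800 "-" "python-requests/2.31"
198.51.100.7 - - [12/Mar/2024:10:05:03 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "python-requests/2.31"
198.51.100.7 - - [12/Mar/2024:10:06:40 +0000] "POST /wp-admin/async-upload.php HTTP/1.1" 200 300 "-" "python-requests/2.31"
198.51.100.7 - - [12/Mar/2024:10:06:55 +0000] "POST /wp-content/uploads/2024/03/cache.php HTTP/1.1" 200 45 "-" "python-requests/2.31"
198.51.100.7 - - [12/Mar/2024:10:07:10 +0000] "POST /wp-content/plugins/demo-plugin/lib/up.php?a=1 HTTP/1.1" 200 12 "-" "python-requests/2.31"
203.0.113.22 - - [12/Mar/2024:11:00:00 +0000] "POST /wp-comments-post.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
"""

# One combined-format line: ip ident user [time] "method path proto" status size "referer" "user-agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+ '
    r'"[^"]*" "(?P<ua>[^"]*)"'
)

# Endpoints on which POST requests are normal for WordPress (assumed list;
# extend it for plugins that legitimately receive POSTs).
EXPECTED_POST_TARGETS = {
    "/wp-login.php", "/wp-comments-post.php", "/xmlrpc.php",
    "/wp-admin/admin-ajax.php", "/wp-admin/async-upload.php", "/wp-admin/post.php",
}


def parse_log(text):
    """Parse combined-format lines into dicts; lines that do not match are skipped."""
    entries = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        e = m.groupdict()
        e["time"] = datetime.strptime(e["ts"], "%d/%b/%Y:%H:%M:%S %z")
        e["path"] = e["path"].split("?", 1)[0]  # drop the query string
        entries.append(e)
    return entries


def suspicious_posts(entries):
    """POST requests that hit a PHP file outside the normal WordPress endpoints.
    Anything under wp-content/uploads/ is flagged regardless of extension, because
    nothing should ever be executed there."""
    hits = []
    for e in entries:
        if e["method"] != "POST":
            continue
        p = e["path"]
        if p.startswith("/wp-content/uploads/") or (p.endswith(".php") and p not in EXPECTED_POST_TARGETS):
            hits.append(e)
    return hits


def posts_per_ip(entries):
    """How many POST requests each client sent; automated tooling stands out."""
    return Counter(e["ip"] for e in entries if e["method"] == "POST")


def files_to_review(hits):
    """Paths the flagged requests executed, with the time first seen, to compare
    against `find . -type f -name '*.php' -ctime -7` on the server."""
    seen = {}
    for h in sorted(hits, key=lambda e: e["time"]):
        seen.setdefault(h["path"], h["time"])
    return seen


if __name__ == "__main__":
    entries = parse_log(SAMPLE_LOG)
    for h in suspicious_posts(entries):
        print(h["time"].isoformat(), h["ip"], h["path"], h["ua"])
    print(posts_per_ip(entries).most_common(3))
```

Run it against a real log by replacing SAMPLE_LOG with the file contents; the user-agent column is worth keeping in the output, since scripted clients rarely bother to imitate a browser.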
5. Update Your PHP Version
Updating your PHP version to 7 will not only secure your website, but it will make your website run twice as fast compared to PHP 5. It also has a 50% better memory consumption, so you should quickly upgrade to the latest version.
6. Update Your WordPress Installation
Don’t ignore the update notifications in your WordPress installation. Your website can get infected if it runs outdated core code, plugins, or themes. Websites with too many plugins or weak passwords are common reasons why WordPress websites get hacked.
Remove Unused Plugins and Themes
You should deactivate and remove any plugins and themes that aren’t in use. A plugin that is merely deactivated still stays on the server and can still be exploited if it’s vulnerable. We recommend removing software that isn’t being used to reduce the risk from outdated and vulnerable code.
7. Set Proper File Permissions
By default, all folder permissions in WordPress should be 750 while all files should be 640. The only exception is wp-config.php, which can be as low as 400. Avoid having any file or directory set to 777.
You can change all folder permissions to 750 through SSH with the following command:
find /path/to/your/wordpress/install/ -type d -exec chmod 750 {} \;
You can change all file permissions to 640 through SSH with the following command:
find /path/to/your/wordpress/install/ -type f -exec chmod 640 {} \;
You can change the wp-config.php permission to 400 through SSH with the following command:
chmod 400 /path/to/your/wordpress/install/wp-config.php
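Before and after running those chmod commands it is useful to audit the tree against the policy instead of trusting that the commands reached every file. The following Python script is an added example (not part of the original guide): it builds a small constructed WordPress-like tree in a temporary directory with two deliberately wrong modes, reports every entry whose mode deviates from the 750/640/400 policy, singles out world-writable entries, and applies the policy the same way the find/chmod commands above do. The directory layout and file names are made up for the example.

```python
import os
import shutil
import stat
import tempfile
from pathlib import Path

# Policy from the article: directories 750, files 640, wp-config.php 400.
EXPECTED_DIR = 0o750
EXPECTED_FILE = 0o640
EXPECTED_WP_CONFIG = 0o400


def expected_mode(path):
    """Which mode the policy requires for this entry."""
    if path.is_dir():
        return EXPECTED_DIR
    if path.name == "wp-config.php":
        return EXPECTED_WP_CONFIG
    return EXPECTED_FILE


def audit_permissions(root):
    """Return (relative path, actual mode, expected mode) for every deviation.
    Symlinks are skipped here; they are dealt with separately (step 8)."""
    root = Path(root)
    findings = []
    for path in [root, *root.rglob("*")]:
        if path.is_symlink():
            continue
        mode = stat.S_IMODE(path.lstat().st_mode)
        want = expected_mode(path)
        if mode != want:
            findings.append((path.relative_to(root).as_posix(), mode, want))
    return findings


def world_writable(findings):
    """The subset of findings that any local user could write to (the 777 case)."""
    return [f for f in findings if f[1] & stat.S_IWOTH]


def apply_policy(root):
    """Equivalent of the three find/chmod commands in the article."""
    root = Path(root)
    for path in [root, *root.rglob("*")]:
        if not path.is_symlink():
            os.chmod(path, expected_mode(path))


def build_demo_tree():
    """Constructed WordPress-like tree with two deliberately wrong modes
    (uploads/ is 777 and wp-config.php is 644). Not a real installation."""
    root = Path(tempfile.mkdtemp(prefix="wp-perm-demo-"))
    (root / "wp-content" / "uploads").mkdir(parents=True)
    (root / "wp-config.php").write_text("<?php // constructed sample\n")
    (root / "index.php").write_text("<?php // constructed sample\n")
    (root / "wp-content" / "uploads" / "image.jpg").write_bytes(b"\xff\xd8\xff\xe0")
    os.chmod(root, 0o750)
    os.chmod(root / "wp-content", 0o750)
    os.chmod(root / "wp-content" / "uploads", 0o777)       # wrong: world-writable
    os.chmod(root / "wp-config.php", 0o644)                 # wrong: should be 400
    os.chmod(root / "index.php", 0o640)
    os.chmod(root / "wp-content" / "uploads" / "image.jpg", 0o640)
    return root


def cleanup(root):
    shutil.rmtree(root)


if __name__ == "__main__":
    demo = build_demo_tree()
    for rel, actual, want in audit_permissions(demo):
        print(f"{rel}: {actual:o} (expected {want:o})")
    apply_policy(demo)
    print("after apply_policy:", audit_permissions(demo))
    cleanup(demo)
```

Point audit_permissions at the real install path (run as the site owner) to get the review list; run apply_policy only after the symlink check in the next step, for the reason the article gives there.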
8. Remove Symbolic Links
Attackers who manage to create symbolic links inside your hosting account can use them to reach root or higher-level folders on the server. Make sure there are no symlinks before changing file and directory permissions. If a symlink goes undetected and you delete the linked folder, you might end up deleting all the files it points to. To avoid this, run the following command through SSH inside the suspicious folder (run the same find without the -exec part first, so you can review what will be unlinked):
find . -type l -exec unlink {} \;
9. WordPress Malware Removal Through Files
There are various things you can do to detect suspicious files automatically and manually. We recommend doing as much as you can to be sure that WordPress malware removal is done correctly.
Manually Compare Clean and Infected Files
Create a new WordPress installation and install the exact same plugins and themes to ensure that everything runs at the same version. Create a new folder to your local environment named “Compare” and add 2 folders inside the folder called, “Clean” and “Infected”. Using SFTP, download the new WordPress installation and save this to the “Clean” folder. Now open your previous backup, find the WordPress installation, and copy it to the “Infected” folder.
Now download Beyond Compare to compare the two folders while keeping your main focus on PHP and JavaScript files to see which are different from the original. Open your SFTP access to the original website and open the “Clean” folder locally.
If Beyond Compare tells you that files such as index.php differ between the two folders, move files from the “Clean” folder to your website one at a time and check that the website still works after each replacement. If the website breaks, revert by uploading the same file back to the server from the “Infected” folder.
If you feel comfortable with the terminal, you can also use a command through SSH like this:
diff -r wordpress-clean/ wordpress-infected/ -x wp-content
Removing PHP Files From Uploads Folder
PHP files should never be in the uploads folder, but they can end up there whenever a vulnerable upload function is being exploited.
To find PHP files in the uploads folder, open your SSH terminal, navigate to /wp-content/uploads and run the following command; review the list it prints and delete the files it reports:
find . -name "*.php"
Finding and Removing Backdoors and Malware
Web-shells, also known as backdoors, and malware are often hidden to avoid detection from automatic malware scanners. They can be removed manually with the following steps:
Some functions that are commonly used in backdoors and malware are:
eval(), base64_decode(), gzinflate(), str_rot13()
To locate these files, open your SSH terminal and run the following command:
find . -type f -name '*.php' -print0 | xargs -0 grep -Ei "(mail|fsockopen|pfsockopen|stream_socket_client|exec|system|passthru|eval|base64_decode) *\("
Use this command to look for backdoored image files:
find wp-content/uploads -type f -iname '*.jpg' -print0 | xargs -0 grep -i php
And iframes:
find . -type f -name '*.php' -print0 | xargs -0 grep -il '<iframe'
To automatically remove backdoors and malware, you can use OWASP web malware scanner, Ai-Bolit malware scanner, and PHP malware scanner. Be sure to manually compare clean and infected files to ensure there are no suspicious files left.
10. WordPress Malware Removal Through The Database
It’s common for malware to be injected into the database and loaded to the website through posts, pages, comments, and other website content. There are different ways to perform WordPress database malware removal.
Searching for Suspicious Content From the .SQL Database Backup
Open the .SQL file directly with Sublime Text and use Control + F to find malicious content from the database.
Search for iFrames: <iframe
Search for base64: base64_decode
Search for eval(): eval()
Search for scripts: <script
List all the malicious findings and work out where they are located (which table and which row). Don’t delete them directly from the database backup. Instead, open each affected post or page in the WordPress editor, switch to Text mode, delete the malicious code and, if needed, reformat the content. Also look through the comments and delete any spam.
Searching for suspicious content via PhpMyAdmin
If you have access to PhpMyAdmin, you can search for the same strings directly with its search option. If you detect malicious content, work out where it was added, then open the affected post or page in the WordPress editor one by one, switch to Text mode, delete the malicious code and, if needed, reformat the content. Look at the comments as well and delete any spam.
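The four text searches above locate a string but not the row it belongs to, which is what you need before opening the post or comment in the editor. The following Python script is an added example (not part of the original guide): it scans a constructed .sql dump line by line, tracks which INSERT INTO table each row belongs to, reads the row ID from the start of each row, and groups the findings by table and row. The dump content, table rows and domains are made up for the example.

```python
import re

# Constructed excerpt of a mysqldump export; the rows and domains are made up.
SAMPLE_DUMP = """\
-- constructed sample dump (not from a real site)
INSERT INTO `wp_posts` (`ID`, `post_title`, `post_content`) VALUES
(12, 'Hello world', '<p>Welcome to my blog.</p>'),
(15, 'About', '<p>About us.</p><iframe src="https://example.invalid/x" width="0" height="0"></iframe>');
INSERT INTO `wp_comments` (`comment_ID`, `comment_content`) VALUES
(3, 'Nice post!'),
(4, 'Cheap offers <script src="https://example.invalid/s.js"></script>');
INSERT INTO `wp_options` (`option_id`, `option_name`, `option_value`) VALUES
(99, 'widget_text', 'a:1:{i:2;a:1:{s:4:\\"text\\";s:30:\\"<?php eval(base64_decode($x));?>\\";}}');
"""

# The four searches from the article. eval is matched as a call so that
# eval(base64_decode(...)) is found, not only the literal "eval()".
PATTERNS = {
    "iframe": re.compile(r"<iframe", re.IGNORECASE),
    "base64": re.compile(r"base64_decode", re.IGNORECASE),
    "eval": re.compile(r"\beval\s*\(", re.IGNORECASE),
    "script": re.compile(r"<script", re.IGNORECASE),
}
INSERT_RE = re.compile(r"INSERT INTO `?(\w+)`?", re.IGNORECASE)
ROW_RE = re.compile(r"^\((\d+),")   # mysqldump rows start with "(<primary key>,"


def scan_dump(text):
    """Return one finding per (line, pattern) with the table and row ID it sits in."""
    table = None
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        m = INSERT_RE.search(line)
        if m:
            table = m.group(1)
        row = ROW_RE.match(line.strip())
        row_id = int(row.group(1)) if row else None
        for name, pattern in PATTERNS.items():
            if pattern.search(line):
                findings.append({"line": lineno, "table": table, "row_id": row_id, "pattern": name})
    return findings


def by_location(findings):
    """Group pattern names by (table, row ID): the list to work through in the editor."""
    grouped = {}
    for f in findings:
        grouped.setdefault((f["table"], f["row_id"]), []).append(f["pattern"])
    return grouped


if __name__ == "__main__":
    for (table, row_id), patterns in by_location(scan_dump(SAMPLE_DUMP)).items():
        print(f"{table} row {row_id}: {', '.join(patterns)}")
```

A wp_posts row ID maps to the post you open in the editor, a wp_comments row to the comment to delete, and a wp_options row (widget_text in the sample) to a widget, which the editor search described above would not reach.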
11. Check the Site Manually and From a Search Engine Perspective
View your website as a visitor to see if you can find anything suspicious or if the website isn’t performing well. Also try looking up your website on search engines, such as Google, with the query “site:mywebsite.com”.
If you see weird characters or suspicious Canadian offerings in Google results, then your website is probably infected with SEO malware that is only visible on Google and other search engine crawlers.
Install the User-Agent Switcher extension for Google Chrome, which allows you to see your site from the search engine’s perspective. You can set a custom user-agent in the extension settings; the most common user-agent string used by Googlebot is:
Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)
Visit your website again with the Googlebot user-agent. If you don’t see different content, you have successfully removed the SEO malware. If it still looks weird, go through the malware removal process again.
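The browser-extension check can also be scripted so it can be repeated after each cleanup round. The following Python script is an added example, not part of the original guide: it fetches a page twice with urllib, once with a browser user-agent and once with the Googlebot string above, and reports external hosts that are linked only in the crawler view plus any extra display:none blocks, which is how cloaked SEO spam is usually injected. The comparison is demonstrated on two constructed HTML snippets so it runs offline; the domain names in them are made up, and the browser user-agent string is an assumption.

```python
import re
import urllib.request

GOOGLEBOT_UA = "Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)"
# Assumed desktop browser string; any current browser UA will do.
BROWSER_UA = "Mozilla/5.0 (X11; Linux x86_64; rv:125.0) Gecko/20100101 Firefox/125.0"

LINK_RE = re.compile(r'<a\s[^>]*href=["\']([^"\']+)["\']', re.IGNORECASE)
HOST_RE = re.compile(r"https?://([^/:?#]+)", re.IGNORECASE)
HIDDEN_RE = re.compile(r"display\s*:\s*none", re.IGNORECASE)


def fetch(url, user_agent, timeout=15):
    """Fetch url with a chosen User-Agent header (needs network access)."""
    req = urllib.request.Request(url, headers={"User-Agent": user_agent})
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        charset = resp.headers.get_content_charset() or "utf-8"
        return resp.read().decode(charset, errors="replace")


def external_hosts(html, own_host):
    """Hosts of all <a href> links that point away from the site itself."""
    hosts = set()
    for href in LINK_RE.findall(html):
        m = HOST_RE.match(href)
        if m and m.group(1).lower() != own_host.lower():
            hosts.add(m.group(1).lower())
    return hosts


def cloaking_report(browser_html, bot_html, own_host):
    """Compare the two views: links shown only to the crawler, extra hidden blocks,
    and whether the bodies are identical (the clean outcome)."""
    only_for_bots = external_hosts(bot_html, own_host) - external_hosts(browser_html, own_host)
    extra_hidden = len(HIDDEN_RE.findall(bot_html)) - len(HIDDEN_RE.findall(browser_html))
    return {
        "hosts_only_for_bots": sorted(only_for_bots),
        "extra_hidden_blocks": max(extra_hidden, 0),
        "same_content": browser_html.strip() == bot_html.strip(),
    }


def check_site(url):
    """Live check: fetch as a browser and as Googlebot, then compare."""
    own_host = HOST_RE.match(url).group(1)
    return cloaking_report(fetch(url, BROWSER_UA), fetch(url, GOOGLEBOT_UA), own_host)


# Constructed sample pages: the crawler view carries one hidden spam block.
BROWSER_VIEW = """<html><body><h1>My blog</h1>
<a href="https://mywebsite.example/about">About</a>
<a href="https://social.example/me">Follow me</a></body></html>"""
BOT_VIEW = BROWSER_VIEW.replace(
    "</body>",
    '<div style="display:none"><a href="https://pharma.example/buy">cheap offers</a></div></body>')

if __name__ == "__main__":
    print(cloaking_report(BROWSER_VIEW, BOT_VIEW, "mywebsite.example"))
    # For a real site: print(check_site("https://mywebsite.example/"))
```

Dynamic pages legitimately differ between two fetches (nonces, timestamps), so same_content being False is not proof on its own; hosts_only_for_bots is the signal to act on.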
After the Malware Removal Process
Restore Public Access to the Website
Once you have removed the malware and feel confident that your website is clean, remove the access restrictions from your website. If your hosting provider blocked the site, ask them to rescan it and restore public access.
Ask to be removed from Blacklists
You can check to see if your website has been blacklisted by any AV vendors or search engines by using VirusTotal. If you’re blacklisted by Google Safe-browsing, you can log into Google Webmaster Tools and request a rescan.
If you’ve been blacklisted by AV vendors or other search engines, simply contact them to request a rescan.
Disable PHP execution in /uploads/ and /cache/ folders
Add the following to your web server configuration to prevent PHP execution inside the /uploads/ and /cache/ folders.
Nginx:
# Deny access to PHP files in any /uploads/ or /cache/ directories
location ~ /uploads/(.+)\.php$ {
    access_log off;
    log_not_found off;
    deny all;
}
location ~ /cache/(.+)\.php$ {
    access_log off;
    log_not_found off;
    deny all;
}
Apache:
Create a .htaccess file in both the /uploads/ and the /cache/ folder and write the following inside each of them:
# Kill PHP Execution
<Files ~ "\.ph(?:p[345]?|t|tml)$">
    deny from all
</Files>
To prevent future malware infections from happening, be sure to keep your WordPress updated and use a secure hosting service. Have a managed firewall that is always updated with the latest security risks to avoid potential threats. Since WordPress sites are constantly attacked by botnets and hacking scripts, hide default admin panel and disable file editing options directly from the WordPress admin panel. This can be done by adding the following code in your wp-config.php file:
## Disable Editing in Dashboard
define('DISALLOW_FILE_EDIT', true);