Sucuri has devoted years to helping WordPress administrators identify and fix their hacked websites. We have put together this guide to walk WordPress owners through the process of identifying and cleaning a WordPress hack. This is not meant to be an all-encompassing guide, but if followed, should help address many of the infections we see.
The first step to removing malware from your WordPress site is to identify the type of hack. This will help you narrow down the infection to make it easier to find.
You can use tools that scan your site remotely to find malicious payloads and malware. For example, Sucuri has a free WordPress plugin that you can find in the official WordPress repository. You can also scan your site with tools online to find the location of malicious content and payloads.
SiteCheck is a completely free option to quickly scan your site for malware and other security issues.
To get started, simply enter the URL of a website, click Submit, and SiteCheck will begin a remote scan of the domain’s public pages.
A remote scan will browse the site to identify potential security issues on your WordPress site. Some issues may not show up in a browser. Instead, they manifest on the server (i.e., backdoors, phishing, and server-based scripts). The most comprehensive approach to scanning includes remote and server-side scanners. For more detailed results, you can have Sucuri’s team run a server-side scan of your web property.
If the remote scanner isn’t able to find a payload, continue with other tests in this section. You can also manually review the iFrames / Links / Scripts tab of the Malware Scan to look for unfamiliar or suspicious elements.
If you have multiple WordPress sites on the same server, we recommend scanning them all (you can also use SiteCheck to do this). Cross-site contamination is one of the leading causes of reinfections. We encourage every website owner to isolate their sites in their own hosting environments.
This external tool provides insights into what is loading on your WordPress site. From here, you can review all page requests being made when your site is loaded which can help you narrow down any malicious/unwanted domains loading on your site.
There are a variety of different methods available to help you review externally loading domains for your website.
Pro Tip
If you do not recognize a domain name loading on your site and would like to research it, refrain from visiting the domain directly. Instead, perform the tips listed below to mitigate risk.
Our professional incident response team can have your WordPress site cleaned quickly. We’re here for you 24/7/365!
WordPress installations are made up of many core files that stay consistent between versions. Most core files within WordPress should never be modified. There are core files located within the webroot, along with the wp-includes and wp-admin directories. An integrity check will need to be performed to ensure that no core files have been maliciously modified.
There are a few different ways to manually check if core files have been modified on a CMS based website.
If you notice modifications to your core file, it may be infected. Continue checking more core files as others may have also been infected. If nothing has been modified, your core files are clean.
$ diff test1.txt test2.txt
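The manual diff above works file by file. The script below is an added example (not from the Sucuri guide) that does the same comparison for a whole core tree: it hashes every file in a pristine WordPress download and in the live site, then reports files that were MODIFIED, files that are MISSING, and EXTRA files that do not belong to that version. It skips wp-content/ and wp-config.php because those are site-specific. The directory layout and file contents in the demo function are constructed for illustration; it assumes GNU coreutils (sha256sum, find, awk).

```shell
#!/bin/sh
# Added example: compare a live WordPress core tree against a clean copy of the
# same version. Usage: sh wp_core_check.sh CLEAN_DIR SITE_DIR
# With no arguments it runs a small constructed demo instead.

# Hash every core file under a root, skipping the site-specific parts the guide
# says never to overwrite (wp-content/ and wp-config.php). Paths are relative
# to the root so the two listings can be matched up. (Paths containing spaces
# are not handled by the awk matching below.)
_wp_hash_core() {
    ( cd "$1" && find . -type f ! -path './wp-content/*' ! -name 'wp-config.php' \
        -exec sha256sum {} + )
}

# wp_core_check CLEAN SITE
# Prints one line per finding, sorted:
#   MODIFIED path  - same path, different content (review or replace from clean copy)
#   MISSING path   - present in the clean copy, absent on the site
#   EXTRA path     - on the site but not part of this WordPress version; a file
#                    named like a core file but sitting in the wrong directory
#                    shows up here and deserves a close look
wp_core_check() {
    clean_list=$(mktemp); site_list=$(mktemp)
    _wp_hash_core "$1" > "$clean_list"
    _wp_hash_core "$2" > "$site_list"
    awk 'NR == FNR { want[$2] = $1; next }              # first file: clean hashes
         ($2 in want) { if (want[$2] != $1) print "MODIFIED " $2; seen[$2] = 1; next }
         { print "EXTRA " $2 }                          # site-only file
         END { for (p in want) if (!(p in seen)) print "MISSING " p }' \
        "$clean_list" "$site_list" | sort
    rm -f "$clean_list" "$site_list"
}

# Constructed demo tree: one untouched core file, one modified core file, one
# file missing from the site, one stray file in a core directory, and an upload
# that must be ignored. Returns the findings on stdout.
wp_core_check_demo() {
    d=$(mktemp -d)
    mkdir -p "$d/clean/wp-includes" "$d/site/wp-includes" "$d/site/wp-content/uploads"
    printf '<?php // version\n' > "$d/clean/wp-includes/version.php"
    printf '<?php // version\n' > "$d/site/wp-includes/version.php"
    printf '<?php // loader\n' > "$d/clean/wp-load.php"
    printf '<?php // loader\n// constructed: injected line\n' > "$d/site/wp-load.php"
    printf '<?php // only in clean copy\n' > "$d/clean/xmlrpc.php"
    printf '<?php // constructed stray file\n' > "$d/site/wp-includes/wp-login.php"
    printf 'upload\n' > "$d/site/wp-content/uploads/a.txt"
    wp_core_check "$d/clean" "$d/site"
    rm -rf "$d"
}

if [ "$#" -eq 2 ]; then
    wp_core_check "$1" "$2"
else
    wp_core_check_demo
fi
```

Run it against a fresh download of the exact version shown on the site's dashboard; a version mismatch will report every file as MODIFIED and hide the real findings. EXTRA files in wp-admin/ or wp-includes/ are the ones to open first.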
Sometimes, minor changes to these files may not indicate a hack — this is rare but can happen. However, obfuscated code in a core file is an indicator that there may be something malicious located there. Obfuscated code is written in such a way that requires decoding to understand, and is often used by attackers when trying to hide their malicious code.
If you come across obfuscated code in your files, here are some tools to help decode the content:
New or recently modified files may be part of the hack. There are many ways to check recently modified files, like reviewing cPanel or SSH.
$ ls -1tlah | head -10
$ find . -type f -mtime -15
This will filter out all files that were not modified within the last 15 days and will allow you to quickly look through each directory to see what was recently modified while searching for malware.
You will need to follow these steps to change the filter dates or start a new search.
If your WordPress website has been hacked and blocklisted by Google or other website security authorities, you can use their diagnostic tools to check the security status of your website.
If you have added your site to any free webmaster tools, you can check their security ratings and reports for your website. If you do not already have accounts for these free monitoring tools, we highly recommend that you sign up:
If your website is listed on any major blocklisting vendors, you can use VirusTotal to analyze the issue.
Now that you know how to identify the location of malicious content, you can remove malware and have a clean working WordPress site again.
The steps listed below require access to the WordPress file structure and database. You will need access via sFTP/FTP/SSH to view your file structure, along with database credentials to access your database. Be sure to make a full website backup prior to proceeding with these steps!
If you are not familiar with manipulating database tables or editing PHP, please seek assistance from a professional Incident Response Team member who can completely remove website malware for you.
Pro Tip
The best way to remove malware and identify hacked files in WordPress is by comparing the current state of the site with an old and known to be clean backup. If a backup is available, you can use that to compare the two versions and identify what has been modified. A restore may be the fastest option to get your site functional again.
WordPress is made up of many files and folders that all work together to create a functional website. Most of these files are core files, which are consistent across installations of the same version.
If the infection is in your core files, you can fix the malware manually by downloading a fresh installation from the official WordPress site and replacing each compromised file with clean copies. Just don’t overwrite your wp-config.php file or wp-content folder and ensure you have a working backup beforehand!
Important
Restore a plugin or theme from a clean backup if they have been customized in any way to avoid erasing any changes you have made.
Caution
Do not replace any content within the wp-content directory or replace the wp-config.php file.
To remove a malware infection from your WordPress database, use your database admin panel to connect to the database. You can also use tools like PHPMyAdmin or Adminer.
Beginners can use the payload information provided by the malware scanner. Intermediate users can also manually look for common malicious PHP functions, such as eval, base64_decode, gzinflate, preg_replace, str_replace, etc.
You may notice that your website was hacked on a certain date and unrecognizable spam posts were injected into your site. This may occur if an administrator’s password becomes compromised.
Caution
Note that these functions are also used by plugins for legitimate reasons, so be sure you test changes or get help so you do not accidentally break your site. When dealing with database records, the data may not always be simple to replace, especially if it's in the wp_options table.
UPDATE `wp_posts` SET `post_status` = 'trash' WHERE `post_status` = 'publish' AND `post_type` = 'post' AND `post_date` > '2023/03/08';
Important
Make sure to replace the date in the SQL command above with the date on which you noticed the spam posts started. In the example above, it will move to the trash all posts dated March 9th, 2023 or newer.
Also ensure that you match the format of the date with how your dashboard is displayed, which can be found at the top right of your posts section.
Attackers will often create malicious admin users and/or FTP users to gain access back into your site at a later date, so it’s vital to review user account access through every possible entry point into your site. If a WordPress site becomes infected and is cleaned but the malicious admin/FTP users remain, the site will quickly become reinfected.
Remove any users you do not recognize so the hackers no longer have access, including:
If a user has content associated with it, you will be prompted with the option to keep or remove any associated content. It is recommended that you keep the content and manage it afterwards to avoid any unintentional data loss.
If you believe any of your user accounts were compromised you can reset their passwords. One of the ways to do that is using the Sucuri WordPress plugin.
We recommend assigning only one admin user and setting other user roles to the least amount of privileges needed (e.g., contributor, author, editor).
Note
Certain malware infections will add malicious email accounts if available on a hosting platform. (For example, the Anonymous Fox infection.) Log into your hosting account and view the Email Accounts if applicable. Remove any users you do not recognize.
Hackers always leave a way to get back into your site. More often than not, we find multiple backdoors of various types in hacked WordPress sites.
We regularly find backdoors embedded in files named similar to WordPress core files but located in the wrong directories. Attackers can also inject backdoors into files like wp-config.php and directories like wp-content/themes, wp-content/plugins, and wp-content/uploads.
These functions can also be used legitimately by plugins, so be sure to test any changes because you could break your site by removing benign functions or by not removing all of the malicious code.
The majority of malicious code we see in WordPress sites uses some form of encoding to prevent detection. Aside from premium components that use encoding to protect their authentication mechanism, it’s very rare to see encoding in the official WordPress repository.
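The sections above name the functions worth searching for (eval, base64_decode, gzinflate, preg_replace, str_replace) and note that recently modified files and encoded code are the strongest leads, while legitimate plugins use the same functions. The script below is an added example (not from the Sucuri guide) that turns that advice into a first-pass triage of a site tree: it lists PHP files changed in the last N days, ranks files by how many lines call one of those functions, and separately flags the higher-signal case of eval() wrapped directly around base64_decode() or gzinflate(). The demo tree and its file contents are constructed; the encoded string in it decodes to `echo 1;`. It assumes GNU find and grep.

```shell
#!/bin/sh
# Added example: triage a WordPress tree for the indicators the guide describes.
# Usage: sh wp_triage.sh SITE_DIR [DAYS]   (no arguments runs a constructed demo)
# Every match is a lead for manual review, not a verdict: plugins legitimately
# call these functions, and missing a real backdoor is worse than a false hit.

# Functions the guide names as common in injected code (extended regex, call form)
SUSPECT_PATTERN='(eval|base64_decode|gzinflate|preg_replace|str_replace)[[:space:]]*\('
# eval() fed directly by a decoder: the "obfuscated code" case, rarely legitimate
ENCODED_PATTERN='eval[[:space:]]*\([[:space:]]*(base64_decode|gzinflate)[[:space:]]*\('

# wp_recent_php DIR [DAYS]: PHP files modified within DAYS days (default 15),
# newest first, as "YYYY-MM-DD HH:MM path"
wp_recent_php() {
    find "$1" -type f -name '*.php' -mtime "-${2:-15}" \
        -printf '%TY-%Tm-%Td %TH:%TM %p\n' | sort -r
}

# wp_suspect_rank DIR: "path:N" where N is the number of lines calling a
# suspect function, densest file first (grep -c counts lines, not calls)
wp_suspect_rank() {
    grep -rcE --include='*.php' "$SUSPECT_PATTERN" "$1" \
        | awk -F: '$NF > 0' | sort -t: -k2 -nr
}

# wp_suspect_encoded DIR: "path:line:text" for eval(base64_decode(...)) and
# eval(gzinflate(...)) on a single line; open these first
wp_suspect_encoded() {
    grep -rnE --include='*.php' "$ENCODED_PATTERN" "$1"
}

# Constructed demo tree: an inert encoded sample dropped in uploads/ under a
# core-like name, a plugin that uses str_replace/preg_replace legitimately, and
# an old, clean index.php. Prints the three reports with headings.
wp_triage_demo() {
    d=$(mktemp -d)
    mkdir -p "$d/wp-content/plugins/good" "$d/wp-content/uploads"
    printf '<?php\n// constructed sample; payload decodes to: echo 1;\neval(base64_decode("ZWNobyAxOw=="));\n' \
        > "$d/wp-content/uploads/wp-settings.php"
    printf '<?php\n$s = str_replace("a", "b", $x);\n$t = preg_replace("/a/", "b", $x);\n' \
        > "$d/wp-content/plugins/good/good.php"
    printf '<?php\necho "hello";\n' > "$d/index.php"
    touch -d '30 days ago' "$d/index.php"
    echo "== PHP files modified in the last 15 days =="; wp_recent_php "$d" 15
    echo "== Files ranked by suspect-function lines =="; wp_suspect_rank "$d"
    echo "== eval() wrapped around a decoder =="; wp_suspect_encoded "$d"
    rm -rf "$d"
}

if [ "$#" -ge 1 ]; then
    site="$1"; days="${2:-15}"
    echo "== PHP files modified in the last $days days =="; wp_recent_php "$site" "$days"
    echo "== Files ranked by suspect-function lines =="; wp_suspect_rank "$site"
    echo "== eval() wrapped around a decoder =="; wp_suspect_encoded "$site"
else
    wp_triage_demo
fi
```

In the demo the legitimate plugin ranks above the planted file in the count report, which is exactly the false-positive problem the guide warns about; the encoded-eval report and the modification dates are what separate the two. Files that appear in all three lists, or that sit in wp-content/uploads/ at all (uploads should not contain PHP), go to the top of the review queue.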
It is critical that all backdoors are closed to successfully stop a WordPress hack, otherwise your site will be reinfected quickly.
If you were blocklisted by Google, McAfee, Yandex (or any other vendor), you can request a review after your WordPress site has been cleaned and the hack has been fixed. You will need to fill in a review request form for each blocklisting authority.
Need help?
The Sucuri Website Security Platform submits blocklist and malware warning removal requests on your behalf. This helps ensure your site is absolutely ready for review.
Outdated software is one of the leading causes of infections. This includes the WordPress version, plugins, themes, and any other pieces of software installed on the site. Critical vulnerability patches are released often by plugin and theme authors and it is crucial to stay up to date on the latest updates.
Update all software on your server (e.g., Apache, cPanel, PHP) to ensure that there are no security patches missing.
This includes:
It is advisable to reinstall all plugins and extensions after a hack to ensure they are functional and free of residual malware.
Pro Tip
Create a working backup before updating software, as sometimes incompatible software updates can break your site.
Tidy up your environment by removing any pieces of software that are not in use. This creates fewer entry points for attackers and keeps things clean and tidy.
Before removing any items, ensure that you are removing software that is not needed for the functionality of your website. Make sure to have a working backup that you can restore from before removing any unused software.
Review and remove the following:
Pro Tip
You can deactivate a plugin or theme first and test the functionality of your website before deleting unused software.
It is critical that you change passwords for all access points to your WordPress site. This includes WordPress user accounts, FTP/SFTP, SSH, cPanel, and your database.
You should reduce the number of admin accounts for all of your systems to the absolute minimum. Practice the concept of least privilege. Only give people the access they require to do the job they need for just as long as they need it.
All accounts should use strong passwords. A good password is built around three components – complexity, length, and uniqueness. You can generate a secure password with Passwords Generator and utilize a password manager to keep track of your passwords.
Once the passwords are reset, you can force all users to log off using our plugin. WordPress uses browser cookies to keep user sessions active for two weeks. If an attacker has a session cookie, they will retain access to the website even after a password is reset.
To fix this, we recommend forcing active users off by resetting WordPress secret keys.
To harden a server or application means that you take steps to reduce the attack surface or entry points for attackers.
There are countless ways to harden your website. Check out these recommendations to protect and defend your WordPress site against malware and attacks.
Only allow the public to access parts of your website that are intended for public usage. Deny entry to all other sections of your site with server configuration rules or a web application firewall.
You can also review our basic WordPress hardening steps post for more details. Some highlights from this article include:
There are countless ways to harden WordPress depending on your needs. We recommend reviewing the WordPress Codex if you want to research additional hardening methods. See the Website Firewall section below for more information about how we offer virtual patching and hardening.
Backups function as a safety net. Now that your WordPress site is clean and you’ve taken some important post-hack steps, make a backup! Having a good backup strategy is at the core of a good security posture.
Sucuri offers its customers an affordable system for secure website backups.
Have all WordPress users run a scan with a reputable antivirus program on their operating systems.
WordPress can be compromised if a user with an infected computer has access to the dashboard. Some infections are designed to jump from a computer into text editors or FTP clients.
If your computer isn’t clean, your website can be reinfected easily.
Pro Tip
You should have only one antivirus actively protecting your system to avoid conflicts.
The number of vulnerabilities exploited by attackers grows every day. Trying to keep up can be challenging for administrators. Website Firewalls were invented to provide a perimeter defense system surrounding your WordPress site, and can help filter out malicious requests to your server.
Benefits to using a website firewall include:
The Sucuri Firewall can help you protect your WordPress website by blocking bad bots, virtually patching known vulnerabilities, and mitigating DDoS attacks.
Looking for a video tutorial? Follow Sucuri Remediation Team Lead, Ben Martin, through the steps needed to clean your WordPress site and minimize attack time.
WordPress is the most widely used Content Management System on the web. More than 40% of the websites online use WordPress, which makes it a prime target for attackers. There are many different types of hacks that target WordPress sites, ranging from spam infections to more complicated credit card stealer attacks.
Here are a few common reasons why a website might be hacked.
Attackers regularly leverage vulnerabilities in CMS and third-party components to compromise websites. Automated attacks targeting known website vulnerabilities are one of the leading causes of hacked websites. Always keep your CMS and third-party components updated with the latest patch.
Brute force attacks guess thousands of login combinations to obtain unauthorized access to a website. If you’re using weak or easily guessable credentials on your website or database, you’re much more likely to fall victim to a brute force attack — especially if you’re not using a website firewall to prevent it.
Your web server uses a number of rules to control access to website files. If file permissions are too relaxed, hackers are easily able to modify website files.
How do you know if your website has been compromised? There are a handful of obvious signs and symptoms to look out for.
Malicious users crawl the internet looking for vulnerable WordPress sites to hack. If your website is not protected with a WordPress firewall and if you do not follow WordPress security best practices, your website can become a victim.
You can use SiteCheck to scan your WordPress site for malicious code for free. We recommend reinstalling your core files with a fresh copy if you suspect there is malware in your WordPress website. If you want to be sure that your website is clean, you can sign up to Sucuri and submit a malware removal request.
You can secure your WordPress site by following website security best practices:
• Using a WordPress firewall
• Patching your website software with the latest version of WordPress core, plugins, themes and third-party services
• Enforcing strong password requirements
• Only granting the type of access that someone needs
• Isolating each WordPress website
• Implementing 2FA on the WordPress login page
• Limiting login attempts on wp-admin
• Leveraging IP access restrictions for the WordPress dashboard
You can use SiteCheck to scan your WordPress site for malware for free. We highly recommend updating all WP plugins regularly and that you remove all plugins that are not being actively used. Sucuri also offers a complete website security platform in which you will find website monitoring, protection, and response.
Stay on top of emerging website security threats with our helpful guides, email courses, and blog content.