WordPress is the most popular content management system used for building websites, and it is what the Ink Elves website is built on. The open-source nature of WordPress makes it easy for anyone to create a website with little technical knowledge. However, this also makes WordPress sites prone to hackers looking to infect them with malware. If your WordPress site gets infected with malware, it can cause a lot of problems like slowing down your site, redirecting visitors to malicious sites, and even getting your site blacklisted by search engines. Removing the malware quickly is important to limit the damage caused by the attack.
The Ink Elves website was recently hacked, and links to Chinese shopping pages were added. It could have been worse, and we were lucky enough that Tyler from https://www.xcitewebdesign.co.uk/ made us aware of the attack. While we ended up re-installing WordPress and then running a Malware removal software to resolve the issues, we learned a few useful things along the way.
Here are some steps you can take to clean a malware infection from your WordPress site if the worst does happen.
Scan for Malware
The first step is to scan your WordPress site for malware and check exactly what files have been affected. There are various free and paid online malware scanners you can use for this. Sucuri Scanner, Wordfence, and Malcare are some good options. Your website host may also have a malware scanner you can use. Run a complete scan of your site with one of these tools. It will detect any malware present and show you the infected files. Certain WordPress plugins like Wordfence also have built-in malware scanners.
Review Any Unusual Code
Carefully review all the files reported as infected. Malware often gets injected into legitimate WordPress files and hides amongst the existing code. So, inspect each file closely for any unusual-looking code that doesn’t seem to belong. Watch out for encoded text, strange-looking strings, and functions named in foreign languages. This malicious code needs to be removed.
Once a site gets hacked, all its passwords get compromised. So, you need to reset the passwords for your WordPress admin account, FTP accounts, hosting account, etc. When Ink Elves was hacked, we couldn’t log in via WordPress, which made life difficult.
Always use strong passwords and enable two-factor authentication wherever possible for extra security. Also, remove any suspicious user accounts that may have been added by the hacker.
Clean the Database
Hackers will often make changes to your WordPress database like adding new admin users, inserting redirects, and even disabling security plugins. Scan your database using a tool like wpscan to identify any inserted malware. Then, clean your database by removing any suspicious entries. You may need to restore a previous clean database backup if the current one is too corrupted.
Reinstall Core Files
Some malware modifies the main WordPress system files. Simply deleting the malicious code may not be enough as the files could be still infected. It is better to revert to a clean version of all the core WordPress files, which is what we did. Manually reinstall WordPress by replacing the wp-admin and wp-includes folders with a fresh copy from wordpress.org. You may also need to delete and reinstall other themes/plugins if they are affected.
Disable File Editing
One way hackers inject malware is by editing themes and plugins to add malicious code. To prevent this in the future, disable file editing from within WordPress. Install a security plugin like Disable File Editor, which removes the ability to edit plugin and theme files from within the WordPress admin. This will prevent future infections by closing off this attack route.
Make sure all your plugins, themes, PHP code, and WordPress core are fully updated after removing the malware. Old, outdated software versions often contain vulnerabilities that can be exploited by hackers, and it is common for hackers to exploit outdated plugins. Use a plugin like Wordfence to check for any missing updates. Keep your site updated to stay on the latest secure versions. If you don’t check the site regularly, make sure automatic updates for all plugins and themes are enabled.
Review Users & Permissions
Check if any unauthorised users were added during the attack. If yes, delete them. Also, review the permission settings to see if the hacker made any changes like adding admin access to other accounts. Revert any suspicious permission changes. Additionally, install a plugin like User Role Editor to customise user roles and permissions as per your site requirements.
Change Hosting Passwords
Your hosting account credentials may have gotten exposed during the hack. To be safe, change your hosting account passwords. Review the FTP accounts and reset the passwords there as well. Doing this will ensure the hacker doesn’t have backdoor access through old passwords.
Clean Up Backdoors
Hackers often leave backdoors to make it easy to reinfect a site again. Look for any suspicious files, custom user accounts, changed permissions, hidden code snippets, etc., that could be potential backdoors. Completely remove any backdoors you find to prevent repeat infections from going ahead.
Switch Hosting Providers
If your current hosting provider seems unreliable in terms of security, consider switching. There are many good managed WordPress hosts that offer advanced malware protection and removal. Their infrastructure is also more secure compared to generic shared hosts. Migrating to them will add an extra layer of safety for your site.
Reset Admin URL
Malware often targets the default wp-admin path to break into sites. Once you’ve removed the infection, you can further obscure the admin URL. Install a plugin like WPS Hide Login which lets you change the admin path to something random. This adds security through obscurity.
Improve Overall Security
Beyond just removing the current infection, take steps to improve your overall WordPress security. This will prevent future malware attacks. Some good options are installing a web application firewall, using strong passwords, enabling 2FA, regularly updating software, limiting user roles, and disabling file editing.
Monitor for Reinfections
Keep monitoring your WordPress site closely for the next few weeks for any signs of reinfection. The hacker may attempt to infect your site again through any remaining backdoors. Use a malware scanner regularly to check if any new threats emerge. Keep your site fully patched and secured.
Getting Professional Help
If you find the malware removal process too complex, don’t hesitate to enlist the help of professionals. There are WordPress security experts who can clean up stubborn infections from your site. The most important thing is to fix the issue ASAP before further damage occurs.
Following these steps will help you thoroughly remove malware from your WordPress site. The key is to act quickly to limit the impact on your site. Take time to improve security after cleaning the infection to help prevent it from recurring. With some vigilance, you can keep your WordPress site free of malware.