When it comes to cleaning up hacked WordPress websites, the most important part of doing that is often not done. That being trying to figure out how the website was hacked and fixing that. Sometimes you can get away with failing to do that, other times the problem is going to come back again and again.
As an example of that, take someone who was looking for help with a hacked WordPress website recently from the developer of the Wordfence Security plugin. They wrote that they had done the following:
Steps I have taken so far:
- Scanned my website using a security plugin, but the malware continues to reappear.
- Removed wp-links.php, sw.js, index.php, google.json, and the affected plugin files manually from the respective directories.
- Checked theme files for suspicious code and removed any identified malicious snippets.
- Updated WordPress, themes, and plugins to their latest versions.
- Changed all passwords related to my website, including admin, FTP, and database.
But that hadn’t resolved the issue:
Despite these efforts, the malware keeps reappearing, and I’m unable to find the source of the infection.
They rightly understood the need to figure out the source of the infection, which notably is something that many malware cleanup services for WordPress websites don’t do. We know they don’t do that because we are often brought in to re-clean hacked WordPress websites where that wasn’t done before and doing that shows that in addition to not finding the source of the infection; the provider missed parts of the malware currently on the website.
The response from the developer didn’t provide helpful information, but it did promote hiring them to clean up the website. According to the poster they tried that, getting the Wordfence Care service, but that didn’t help:
I already got the Wordfence Care, but you still can’t give the permanent solution for me.