How to remove malware from my WordPress site? If you find yourself often asking this question, you’re not alone. WordPress website owners across the world are worried about malware and hackers, thanks to the popularity of the WordPress platform. Think about it. When a platform is popular enough to be the undisputed CMS market leader, you can be sure that hackers have their eyes set on it too.
In this article, we show you some effective and recommended ways to remove malware from your WordPress site.
SYMPTOMS OF MALWARE INFECTION ON YOUR SITE
Before we tell you how to remove malware from WordPress sites, let us take a moment to understand how you can tell if your site is infected.
Here are some of the telltale signs of a malware infection:
- There is a sudden change in your website traffic
- Your website is suspended by your web host or by Google, thus blocking traffic to your site.
You could even be blacklisted by Google.
- The message “This site may be hacked” shows up for your website on Google search results.
- Your customers start complaining about not being able to access their accounts or even your website.
- Unauthorized pop-up ads appear on your website.
- You or your customers start receiving many spam emails.
These are only a few symptoms that suggest that your WordPress site could be infected with malware. You can see how damaging malware can be for your reputation, SEO rankings, your traffic, and your bottom line.
Before discussing removing malware from WordPress sites, let us first understand where most malware infections are located in your installation.
WHERE CAN YOU LOCATE MALWARE ON YOUR SITE?
Depending on the type of attack, hackers can gain unauthorized access to different areas of your WordPress installation. Listed below are the areas that are most likely to be infected:
- WordPress files or folders, including PHP files like the wp-config.php file.
- WordPress database tables or records.
- Plugin/theme files installed on your website.
The best way to know the actual site of infection is to perform a deep scan of your entire site. Let us look at ways of scanning your WordPress site for malware infections.
HOW TO SCAN YOUR WORDPRESS SITE FOR MALWARE
Malware scanning is the first step towards cleaning your WordPress site from all infections. A complete scanning determines if your website is indeed infected or not.
For complete malware scanning and removal, here are the three steps you need to perform:
- Scan for malware in your WordPress site.
- If found, remove malware from the WordPress site.
- Prevent future malware infections on your WordPress site.
Let us first learn how to scan for malware on your WordPress site either through:
- manual scanning
- a malware scanning tool
Scan for malware manually
For a complete scan, you need to scan your WordPress installation files and your WordPress database system. This needs you to possess a fair bit of technical and WordPress know-how, enough to work with tools like FileZilla or phpMyAdmin, and WordPress files and databases.
Most core WordPress files should never be modified. You need to check for integrity issues in the wp-admin, wp-includes, and root folders.
For manual scanning of WordPress installation files:
- Download a fresh copy of the WordPress version your site uses.
- Then, access your installation files through FTP or a file manager.
- Compare the current installation files with the downloaded copy – to see if they have been recently modified (using their date and time stamp).
For manual scanning of your WordPress database:
- Connect to your current WordPress database tables and check for malicious code in database functions like “base64_decode” and “gzinflate.”
- Check for unknown links or iFrames that hackers inject into database records.
As observed, manual scanning is long and time-consuming – and must be attempted only by technical WordPress experts. There is also the possibility of missing some hidden malware.
Next, let us discuss automated scanning using a malware scanning tool or plugin.
SCAN FOR MALWARE USING A PLUGIN OR TOOL
A faster and easier way of scanning your WordPress website and database for malware is through a malware scanning tool or plugin. WordPress security plugins have evolving algorithms that can detect even malware that you may miss in the manual method. They can be installed just like other WordPress plugins and help you scan multiple websites, plugins, themes, and the database in a few clicks.
There are plenty of free and paid malware scanning tools available in the market but we recommend investing in a paid plugin like MalCare, Sucuri, or Wordfence, for the deep scanning and up-to-date malware detection they guarantee.
Now that you know how you can confirm the malware infection on your site, let us look at how to remove malware from a WordPress site.
HOW TO REMOVE MALWARE FROM WORDPRESS WEBSITES
After detecting the malware code, it is time to remove the infection from your WordPress site. This needs to be done in such a way that there is no more trace of the malware on your entire site.
As in the case of malware scanning, there are two ways to remove WordPress malware, namely:
- Through manual cleanups
- Using a malware removal tool
Let us discuss each of these two methods. However, before executing either of these methods, make sure you take a complete backup of your existing WordPress installation and database files. You can use an automated backup plugin like BlogVault that lets you run unlimited on-demand backups.
REMOVE MALWARE FROM WORDPRESS MANUALLY
As in the case of manual malware scanning, manual cleanup is a long and technical process, where you need to complete two steps:
- Cleaning the infected WordPress files or folders
- Cleaning the hacked WordPress database tables
To begin, download a fresh copy of the WordPress version that you are using.
To clean your infected WordPress files:
- Use an FTP tool like FileZilla to connect to your current WordPress installation.
- Replace each of your infected (or modified) files with the corresponding file from your fresh copy or stored backup.
To clean your WordPress database:
- Connect to your WordPress database using your admin panel.
- Delete any records containing suspicious code – or remove the entire table. For any customized files, you need to remove the suspicious code from the file manually.
Because of their complexity, manual cleanups can easily go wrong and end up damaging your website. Additionally, with hackers devising new ways of compromising websites, manual scanning and cleaning may not be effective against every type of malware attack.
Let us check how automatic malware removal using plugins fare compared to manual cleanups.
REMOVE MALWARE USING A PLUGIN
Apart from detecting malware on websites, malware scanning tools can also remove malware from WordPress sites with just a few clicks. All you need to do is to install a security plugin like MalCare or Sucuri on your website, and they will do the rest.
With the MalCare tool, you do not need to even wait to get WordPress support or technical assistance to remove the malware. Once you have installed the tool, it automatically scans your website for any malware. If it finds a hack, it alerts you so you can log in and use the “Auto Clean” feature to clean both your WordPress files and database in a few clicks and within a few minutes.
However, malware attempts and attacks are not a one-time affair. Hackers will be back again to try and infect your site. You have to make sure that your site is protected from future attacks. Next, let us find out how you can do that.
HOW TO PREVENT MALWARE INFECTIONS IN THE FUTURE
While there is no such thing as 100% immunity from hackers, you can implement security measures to make it harder for them to attack your site. Here are ten measures that help:
- Switch to a more secure WordPress web hosting provider.
- Apply regular updates to Core WordPress as well as installed plugins/themes.
- Implement a strong password policy for all users.
- Install a website firewall to block any suspicious IP requests to your website server.
- Take regular backups of your WordPress website and database files.
- Protect your WordPress account by limiting the number of login attempts or enabling Two-Factor authentication.
- Implement the SSL certification for your website.
- Limit the number of administrative (or “admin”) users by implementing various user roles.
- Install a WordPress security plugin or tool.
- Implement website hardening measures such as disabling file editing of PHP files, blocking PHP execution in untrusted folders, changing security keys, etc. Security plugins like MalCare integrate website hardening measures into their features so even non-technical users can harden their websites in a few clicks.
These measures, recommended by WordPress security experts should be part of your WordPress maintenance strategy.
We hope this article helped you understand how to remove malware from a hacked WordPress site. Manual scanning and removal methods are quite complex and recommended for more technical users with an understanding of WordPress, its file structure, etc. For everyone else, we recommend security plugins like MalCare or Sucuri designed specifically to ensure the security of a WordPress site. MalCare, for instance, includes most of the security measures included in this article in addition to malware scanning and removal. So whether it is firewall protection, login protection, 2-factor authentication, or updates, everything is taken care of from within a single dashboard.