WordPress is one of the most popular website management systems in the world. According to W3Techs, it powers 34% of all websites on the internet. The popularity of WordPress is partly due to a large number of plugins and templates available that allow you to do almost anything on a website.
This wide range of features also comes with vulnerabilities. Cyber attackers can often access code and infect WordPress sites with malware the same way they might plant malware on a router.
Malware can infect and destroy your site, so it’s important to act quickly to remove malware from your WordPress site.
How to remove malware from a WordPress website?

Contact your host first.
Before trying any of the suggestions below, contact your web host first. The host server can spread malicious code from another site to yours, especially if it is on a shared server.
Ask them to scan your server to make sure it’s not the culprit before trying to remove malware from your site. Additionally, they can give less technical website owners suggestions on scanning and safely removing malware from their sites.
Some hosts also offer a service that removes the malware for you. Back up your site only after that cleanup, which reduces the risk of carrying the malware into your backup.
Web hosts have the experience, tools, and options to fight malware, so check with them before trying to do it yourself.
Take preventive measures
It’s always best to try to prevent threats before they happen. The most important action users should take is to ensure that they are always running the latest and most stable version of WordPress, even if they only install a test version on their computer.
New versions are usually released to fix common vulnerabilities found in older versions. The same goes for plugins and themes. Keep them up to date and delete any you don’t use.
Some of the many negative issues that malware can cause on a WordPress site include:
- Increased server resource consumption by the web server and MySQL.
- Unwanted advertising.
- Bulk spam.
- Theft of personal data of customers and users.
- Loss of information from your site.
- Google sanctions.
What can you do if your website is infected? This article will outline the steps you can take to remove malware from a WordPress site.
Use WordPress Malware Removal Plugins
You might not have to reload your entire site if you can log in and get to your WP admin area. Using a proper WordPress plugin can help remove malware from your WordPress website.
MalCare Security
MalCare is a premium plugin that instantly removes malware from your WP installation. Not only will it clean up a breached site, but it will also protect it from future security breaches.
One of the many benefits of MalCare is that it scans your site on its own servers. Your website will not suffer any load on your resources and will continue to function properly.
Four pricing tiers range from $99/year for one site (personal) to a Custom Agency Plus plan for 20+ sites.
MalCare is a comprehensive WP security plugin that includes many additional features, such as:
- Real-time email alerts.
- Tracking of small file changes.
- Minimal false alarms.
WordFence
One of the most used plugins for WP security is WordFence. It includes a malware scanner and an endpoint firewall.
From brute force attack protection to firewall blocking, the free version of WordFence is powerful enough for small websites.
If you want additional features such as two-factor authentication, filtered password protection, and advanced manual lock, you can purchase a premium license. Pricing is based on the number of licenses you purchase, starting at $99 for one.
All In One WP Security & Firewall
One of the most feature-rich free security plugins is All in One WP Security & Firewall. It provides a simple visual interface using gauges and charts.
The plugin is designed for beginners and more advanced developers with its three categories: Basic, Intermediate, and Advanced.
All in One WP Security will protect websites by:
- Ensuring the security of files and databases.
- Improving user registration security.
- Blocking brute-force login attempts.
Additional features include the ability to back up your wp-config.php and .htaccess files. Users can also restore these files if something goes wrong on their site.
For a complete list of all WordPress security plugins, visit WordPress.org. You may need to reinstall your entire site if you cannot log in.
If you’re more tech-savvy and running a site on your server, follow the steps below carefully.
Remember that backing up your site and then deleting its files can be dangerous, and should only be attempted by highly technical website owners.
Backing up your database and all files
If you are infected and need to remove malware from your WordPress site, it is important to protect your content immediately. Before you do anything, make a full backup of your WordPress site to restore it if something goes wrong.
Back up a clean version of your MySQL database and FTP account. There are several ways to back up a site, including through cPanel, phpMyAdmin, and WordPress plugins (such as Vaultpress).
It is highly recommended that all WordPress users back up their sites regularly. The steps below outline how to remove malware from your WordPress site manually.
Step 1: Browse your files
Once you have backed up your entire WP site, download the backup zip file to your computer. Open it by double-clicking on it. You should see the following files:
- All core WordPress files.
- wp-config.php.
- .htaccess: This is a hidden file that includes your WordPress database name, username, and password. To ensure that you have backed up this file, use a code editing application or an FTP program that allows you to view hidden files. Be sure to check the show hidden files option.
- The wp-content folder, which includes themes, plugins, and uploads.
- SQL database.
Step 2: Delete all files and folders in the public_html folder
When you are sure you have a full backup of your website, go to your web hosting file manager.
Find the public_html folder and delete its contents except for wp-config.php and the wp-content and cgi-bin folders.
Make sure you also show hidden files, including .htaccess, since it may have been compromised.
If you host multiple sites, you should assume that they too have been compromised as cross infections are common. Follow the same process for all sites hosted on the same server.
Open the wp-config.php file and compare it with the sample file, wp-config-sample.php, which you can find in the WordPress GitHub repository.
Also check your file for anything that looks suspicious, such as long strings of code. If you are sure something shouldn't be there, delete it.
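The comparison described above can be scripted. The following is an added example, not code from the original article: it reviews a wp-config.php against wp-config-sample.php and prints one finding per line. Three checks are applied: lines over 200 characters (a real config file has none; the 200-character threshold is this example's own choice), calls such as eval() and base64_decode() that have no business in a configuration file, and define()d constants the sample file does not know. The last category is a review list rather than a verdict, because many extra constants (caching, memory limits) are legitimate. Both config files written by write_fixtures are constructed for the demonstration, and the sample is a shortened stand-in for the real wp-config-sample.php.

```shell
#!/bin/sh
# Added example (not from the article): first-pass review of a wp-config.php.
# check_wp_config CFG SAMPLE prints findings and returns 1 if any, 0 if none.
#   LONG-LINE:<n>:<len> chars   a line over 200 characters (threshold chosen here)
#   SUSPICIOUS-CALL:<n>:<line>  eval(), base64_decode(), gzinflate() and friends
#   REVIEW-CONSTANT:'NAME'      a define()d constant absent from the sample file

check_wp_config() {
  cfg=$1
  sample=$2
  report=$(
    awk 'length($0) > 200 { printf "LONG-LINE:%d:%d chars\n", NR, length($0) }' "$cfg"
    grep -nE 'eval\(|base64_decode|gzinflate|gzuncompress|str_rot13|assert\(|create_function' "$cfg" \
      | sed 's/^/SUSPICIOUS-CALL:/'
    sample_consts=$(grep -oE "define\( *'[A-Z0-9_]+'" "$sample" | grep -oE "'[A-Z0-9_]+'" | sort -u)
    for c in $(grep -oE "define\( *'[A-Z0-9_]+'" "$cfg" | grep -oE "'[A-Z0-9_]+'" | sort -u); do
      printf '%s\n' "$sample_consts" | grep -qxF "$c" || echo "REVIEW-CONSTANT:$c"
    done
  )
  [ -z "$report" ] && return 0
  printf '%s\n' "$report"
  return 1
}

# write_fixtures DIR: constructed files for the demonstration. The "sample" is a
# shortened stand-in for wp-config-sample.php; clean.php is that sample with
# values filled in; tampered.php adds one extra constant and two injected lines.
write_fixtures() {
  dir=$1
  cat > "$dir/wp-config-sample.php" <<'EOF'
<?php
define( 'DB_NAME', 'database_name_here' );
define( 'DB_USER', 'username_here' );
define( 'DB_PASSWORD', 'password_here' );
define( 'DB_HOST', 'localhost' );
$table_prefix = 'wp_';
require_once ABSPATH . 'wp-settings.php';
EOF
  sed -e 's/database_name_here/shopdb/' -e 's/username_here/shopuser/' \
      -e 's/password_here/constructed-placeholder/' "$dir/wp-config-sample.php" > "$dir/clean.php"
  {
    sed '$d' "$dir/clean.php"                      # everything but the require line
    echo "define( 'WP_CACHE', true );"              # legitimate-looking extra constant
    awk 'BEGIN { s = sprintf("%300s", ""); gsub(/ /, "A", s); print "$p = \"" s "\";" }'  # 300-char string
    echo 'eval(base64_decode($p));'                 # the call pattern cleanup guides look for
    tail -n 1 "$dir/clean.php"                      # require line back at the end
  } > "$dir/tampered.php"
}

demo() {
  work=$(mktemp -d)
  write_fixtures "$work"
  for f in clean tampered; do
    if check_wp_config "$work/$f.php" "$work/wp-config-sample.php"; then
      echo "$f.php: nothing flagged"
    else
      echo "$f.php: review the findings above"
    fi
  done
  rm -rf "$work"
}

demo
```

Run it against a real site as `check_wp_config /path/to/wp-config.php /path/to/wp-config-sample.php`; the REVIEW-CONSTANT lines are meant to be compared with what you know you configured, not deleted on sight.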
Now go to the wp-content directory and:
- Make a list of all your installed plugins, then delete them.
- Delete all themes, including the one you are using. You will reinstall it later.
- Look in your uploads folder to see if there's anything you didn't put there.
- Delete the index.php file after removing all plugins.
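The file-system part of Step 2, as an added example that is not code from the original article. It builds a small constructed public_html tree in a temporary directory, records the installed plugin names from their "Plugin Name:" headers before anything is deleted, removes every top-level entry except wp-config.php, wp-content and cgi-bin (hidden files such as .htaccess included), and then empties plugins/ and themes/ while leaving uploads/ in place for the manual review. The directory layout and plugin names are constructed for the demonstration; the -mindepth/-maxdepth options are GNU and BSD find extensions.

```shell
#!/bin/sh
# Added example (not from the article): Step 2 on a constructed public_html tree.

# make_fixture DIR: constructed site layout to run the functions against.
make_fixture() {
  dir=$1
  mkdir -p "$dir/wp-admin" "$dir/wp-includes" "$dir/cgi-bin" \
           "$dir/wp-content/plugins/example-forms" \
           "$dir/wp-content/plugins/example-seo" \
           "$dir/wp-content/themes/example-theme" \
           "$dir/wp-content/uploads/2023/05"
  : > "$dir/index.php"
  : > "$dir/wp-login.php"
  : > "$dir/.htaccess"
  : > "$dir/wp-config.php"
  : > "$dir/wp-content/plugins/index.php"
  : > "$dir/wp-content/uploads/2023/05/photo.jpg"
  printf '<?php\n/*\nPlugin Name: Example Forms\nVersion: 1.2\n*/\n' \
    > "$dir/wp-content/plugins/example-forms/example-forms.php"
  printf '<?php\n/*\nPlugin Name: Example SEO\nVersion: 3.0\n*/\n' \
    > "$dir/wp-content/plugins/example-seo/example-seo.php"
}

# list_plugins DIR: one line per plugin, read from the "Plugin Name:" header
# WordPress requires in a plugin's main file. Keep this list; the plugin
# directories are about to be deleted.
list_plugins() {
  grep -rh 'Plugin Name:' "$1/wp-content/plugins" 2>/dev/null \
    | sed 's/^[[:space:]]*Plugin Name:[[:space:]]*//' | sort
}

# purge_public_html DIR: delete everything directly under DIR except the three
# keepers. find lists dot-files, so .htaccess is removed as the article asks.
purge_public_html() {
  find "$1" -mindepth 1 -maxdepth 1 \
    ! -name wp-config.php ! -name wp-content ! -name cgi-bin \
    -exec rm -rf -- {} +
}

# purge_wp_content DIR: empty plugins/ and themes/ (this takes
# plugins/index.php with it) but leave uploads/ untouched for review.
purge_wp_content() {
  find "$1/wp-content/plugins" "$1/wp-content/themes" -mindepth 1 -maxdepth 1 \
    -exec rm -rf -- {} +
}

# remaining DIR: what is left at the top level after the purge.
remaining() {
  ls -A "$1" | sort | tr '\n' ' '
}

demo() {
  work=$(mktemp -d)
  make_fixture "$work/public_html"
  echo "Installed plugins (keep this list):"
  list_plugins "$work/public_html"
  purge_public_html "$work/public_html"
  purge_wp_content "$work/public_html"
  echo "Left in public_html: $(remaining "$work/public_html")"
  rm -rf "$work"
}

demo
```

Against a live site, run list_plugins and save its output before calling either purge function; once the directories are gone the plugin names exist only in that list.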
Step 3: Install a clean version of WordPress
Go to your hosting provider’s control panel and reinstall WordPress in the same directory as the original location.
It would be in the public_html directory or a subdirectory if you installed WordPress on an addon domain. Use the one-click installer or Quick setup (depending on your host) in your web hosting control panel.
Unzip the tar or zip file and upload your files to your server. You must create a new wp-config.php and enter the database details from your backup: the database name, password, and table prefix.
Step 4: Reset permalinks and passwords
Log in to your WP site and reset all usernames and passwords. If there are users you don't recognize, your database has been compromised.
You can hire a professional to clean your database and remove any malicious code.
Reset permalinks: go to Settings > Permalinks and click Save Changes. This regenerates the .htaccess file and fixes your site URLs. Also reset all hosting account and FTP passwords.
Step 5: Reinstall the theme and plugins
Do not install old versions of your theme or plugins. Instead, get fresh uploads from the WordPress repository or premium plugin development site. Do not use plugins that are no longer supported.
If you have theme customizations from your old site, check out the backup files you downloaded to your computer and replicate the changes to the new copy.
Step 6: Scan and reload your images and documents from your backup
This step can be tedious, but it is necessary. Carefully review your downloaded images and files before copying them back to the new wp-content > uploads folder in the file manager.
Use an updated anti-virus program to scan all files and see if they are infected. Upload the clean files to your server using an FTP client or the file manager. Keep the same folder structure, so you don’t end up with broken links.
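Besides the anti-virus scan, two quick checks catch most of what does not belong in a media folder. The following is an added example, not code from the original article: it walks a constructed wp-content/uploads tree and reports files with a PHP-family extension or an .htaccess (a directive file that changes how the folder is served), and files whose name says image or document but whose first bytes contain a PHP open tag. The fixture files, names and contents are constructed for the demonstration.

```shell
#!/bin/sh
# Added example (not from the article): review of wp-content/uploads.
# scan_uploads DIR prints findings and returns 1 if any, 0 if none.
#   EXECUTABLE-EXT:<path>  PHP-family extension or .htaccess inside uploads
#   PHP-IN-MEDIA:<path>    media/document name, but a PHP open tag in the first bytes

# make_uploads_fixture DIR: constructed media tree with two clean files and
# three that should be flagged.
make_uploads_fixture() {
  dir=$1
  mkdir -p "$dir/2023/05" "$dir/2023/06"
  printf '\377\330\377\340JFIF' > "$dir/2023/05/photo.jpg"      # genuine JPEG header
  printf '%%PDF-1.4\n' > "$dir/2023/05/invoice.pdf"             # genuine PDF header
  printf '<?php\n// constructed\n' > "$dir/2023/05/image.php"   # PHP where only media belongs
  printf '<?php\n// constructed\n' > "$dir/2023/06/logo.png"    # PHP behind an image name
  printf 'Options -Indexes\n' > "$dir/.htaccess"                 # directive file in uploads
}

scan_uploads() {
  report=$(
    # (a) extensions that make a file executable, plus .htaccess
    find "$1" -type f \( -iname '*.php' -o -iname '*.phtml' -o -iname '*.php[0-9]' -o -name '.htaccess' \) \
      | sed 's/^/EXECUTABLE-EXT:/'
    # (b) everything else: look at the first 64 bytes for a PHP open tag
    find "$1" -type f ! -iname '*.php' ! -iname '*.phtml' ! -iname '*.php[0-9]' ! -name '.htaccess' \
      | while IFS= read -r f; do
          if head -c 64 "$f" | grep -aq '<?php'; then echo "PHP-IN-MEDIA:$f"; fi
        done
  )
  [ -z "$report" ] && return 0
  printf '%s\n' "$report" | sort
  return 1
}

demo() {
  work=$(mktemp -d)
  make_uploads_fixture "$work/uploads"
  if scan_uploads "$work/uploads"; then
    echo "uploads: nothing flagged"
  else
    echo "uploads: review the files above before copying them back"
  fi
  rm -rf "$work"
}

demo
```

The content check matters because a file's extension says nothing about what it holds; the extension check matters because on most hosts a .php file under uploads is served as code, not as a download. Run scan_uploads on the extracted backup before anything is uploaded back to the server.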
Step 7: Inform Google
If Google has flagged your site with a security warning, tell Google that you have removed the malware so the warning can be cleared from your account.
Go to Google Search Console and sign in if you already have an account. If you don't, register and add your website.
Find Security & Manual Actions in the left navigation, open the drop-down menu, and select Security issues.
Here you will see a report on your site's security. Choose Request a review and submit it to Google.