OH WHY OH WHY my “Host Said WordPress Website is Infected”…
Did you just receive an email from your hosting company saying that you have infected files in your account or they have suspended your WordPress website because it is infected with malware? This has to be one of the worst emails to receive and can send your emotions into a tailspin for sure. Stay calm and let us provide you with some actions you can do right away to get your site back in good standing with your host.
So let us start by explaining what “Host Said WordPress Website is Infected” actually means. This was communicated to you by your hosting company because during a routine check of the server files they are hosting they found some in your WordPress install that are malicious in nature. They must in most cases turn off access to your account immediately or the infected files can infect other sites that are hosted on the same server. WordPress infections are like the common cold. Very contagious and can spread quickly. So the short resolve to this problem is simply removing the files they have deemed malicious. Now with some hosts that is easier said than done. There are hosting companies that will provide a list of the files they found malicious while others will not and sell you an infection cleanup service to their favorite WordPress Infection Removal company.
So let us look at this from both scenarios.
- Host Said WordPress Website is Infected – NO LIST
- Host Said WordPress Website is Infected – WITH LIST
Plan of action with no list of files from host
So it is pretty difficult to scan your website files and find the ones that are infected without your website being online. If your site was online and running there are many infection scanner plugins that can do a detailed scan of your site files and tell you the ones that need to be cleaned out. But since your site is offline it is not possible to do this. So instead we need to get as much of the site as possible back to normal so the host will re-activate the account. This is how we do it.
- BACK UP UNIQUE FILES because “Host Said WordPress Website is Infected”
- AUDIT SPECIAL FILES because “Host Said WordPress Website is Infected”
- FRESHEN UP WORDPRESS CORE FILES because “Host Said WordPress Website is Infected”
- ASK HOST TO REACTIVATE ACCOUNT because “Host Said WordPress Website is Infected”
- RESTORE YOUR SITE AND SCAN IT because “Host Said WordPress Website is Infected”
There is a very high possibility that the files unique to the functionality of your website are infected. These would include files like the plugins and active theme you are using. This can also include your images. It is basically all the files within the WP-CONTENT folder of your WordPress install. In some cases you may also have some other folders you use for storing files or running plugins that are outside of the WP-CONTENT folder and you need to note those during this process.
So using either your web hosting control panel file manager or sFTP/FTP you will download these files locally which we will need later once the host reactivates your hosting account. Once you have backed up all the files unique to the way your website functions you need to remove them from the server. YES, delete them with no worries. You have backed them up remember…;)
In the root of your WordPress installation live two files that are needed to allow WordPress to run. These files are the .htaccess file and the wp-config.php file. Now if your WordPress site is being hosted on a Windows server you will not have a .htaccess file but rather a web.config file.
You will want to take a look at each of these files and look for any suspicious code that may have been injected into them. You can do this by downloading the files and using your favorite text editor to open and inspect them. If you find injected code in any of these files, remove it and then upload the clean version of the file back to the server.
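As a first pass before reading the files by eye, the downloaded copies of .htaccess and wp-config.php can be run through a small script that flags lines worth a closer look. This is an added example, not part of the original article; the rule list is a set of common heuristics assumed here, the sample file contents are constructed, and web.config is not covered.

```python
import re

# Heuristic indicators chosen for this example; a hit means "read this line", not proof.
PHP_RULES = [
    ("eval() call", re.compile(r"\beval\s*\(", re.I)),
    ("encoded payload decoder",
     re.compile(r"\b(base64_decode|gzinflate|gzuncompress|str_rot13)\s*\(", re.I)),
    ("error-suppressed include", re.compile(r"@\s*(include|require)(_once)?\b", re.I)),
]
HTACCESS_RULES = [
    ("PHP auto_prepend/auto_append", re.compile(r"auto_(prepend|append)_file", re.I)),
    ("rewrite keyed on referer or user agent",
     re.compile(r"RewriteCond\s+%\{HTTP_(REFERER|USER_AGENT)\}", re.I)),
    ("redirect to an external host", re.compile(r"RewriteRule\s+\S+\s+https?://", re.I)),
    ("PHP handler added for other extensions", re.compile(r"Add(Handler|Type)\s+\S*php", re.I)),
]

def audit(filename, text):
    """Return (line_number, reason) pairs for lines that deserve a manual look."""
    rules = PHP_RULES if filename.endswith(".php") else HTACCESS_RULES
    findings = []
    for number, line in enumerate(text.splitlines(), 1):
        if len(line) > 500:  # injected code is often packed onto one long line
            findings.append((number, "unusually long line"))
        findings += [(number, reason) for reason, rx in rules if rx.search(line)]
    return findings

# Constructed samples: stock content plus lines added for the demonstration.
SAMPLE_HTACCESS = r"""# BEGIN WordPress
RewriteEngine On
RewriteRule ^index\.php$ - [L]
RewriteCond %{REQUEST_FILENAME} !-f
RewriteRule . /index.php [L]
# END WordPress
RewriteCond %{HTTP_REFERER} (google|bing) [NC]
RewriteRule ^(.*)$ http://redirect.example/ [R=302,L]
"""
SAMPLE_WPCONFIG = r"""<?php
define( 'DB_NAME', 'example_db' );
@include "wp-content/uploads/.cache.php";
eval(base64_decode('PLACEHOLDER'));
require_once ABSPATH . 'wp-settings.php';
"""

if __name__ == "__main__":
    for name, text in ((".htaccess", SAMPLE_HTACCESS), ("wp-config.php", SAMPLE_WPCONFIG)):
        for number, reason in audit(name, text):
            print(f"{name}:{number}: {reason}")
```

A file with no hits still needs the manual read described above; the script only points at the lines to start with.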
We are nearing the end of this process. There is one more batch of files we must remove and replace to ensure that the ones the server is hosting are clean. These are the WordPress core files. These are the foundation files that WordPress runs on. Using your web hosting control panel file manager we will navigate to your active WordPress install and look for the 2 folders called WP-ADMIN and WP-INCLUDES. We will then delete these fully. Then we must head over to WordPress.org to grab a fresh copy of the WordPress core files. The exact download link to the most recent version of WordPress is at https://wordpress.org/latest.zip.
We will also want to delete any other files that sit in the same folder as WP-ADMIN and WP-INCLUDES, minus the special files we audited in the last step. Once our deleting is complete, we will use the fresh copy of WordPress we just downloaded and add it to the server. Unzip the file and upload all its contents to the root folder of your WordPress installation.
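To confirm that the delete-and-replace step left nothing behind, a downloaded copy of the site root can be compared against the fresh archive. This is an added example, not part of the original article; it assumes the archive unpacks into a top-level `wordpress/` folder, skips wp-content and the special files, and uses a small constructed archive and install for the demonstration.

```python
import hashlib, tempfile, zipfile
from pathlib import Path

SPECIAL = {".htaccess", "wp-config.php", "web.config"}  # audited by hand earlier

def sha256(data):
    return hashlib.sha256(data).hexdigest()

def compare_with_fresh_core(site_root, fresh_zip):
    """Return (extra, changed): files not in the fresh archive, and files that differ."""
    expected = {}
    with zipfile.ZipFile(fresh_zip) as zf:
        for info in zf.infolist():
            rel = info.filename.partition("/")[2]  # strip the top-level "wordpress/" folder
            if rel and not info.is_dir() and not rel.startswith("wp-content/"):
                expected[rel] = sha256(zf.read(info))
    extra, changed = [], []
    root = Path(site_root)
    for path in sorted(root.rglob("*")):
        rel = path.relative_to(root).as_posix()
        if not path.is_file() or rel in SPECIAL or rel.startswith("wp-content/"):
            continue
        if rel not in expected:
            extra.append(rel)
        elif sha256(path.read_bytes()) != expected[rel]:
            changed.append(rel)
    return extra, changed

def demo():
    """Build a constructed archive and install in a temp dir, then compare them."""
    core = {"index.php": b"<?php // core", "wp-includes/version.php": b"<?php // v"}
    with tempfile.TemporaryDirectory() as tmp:
        fresh = Path(tmp, "latest.zip")
        with zipfile.ZipFile(fresh, "w") as zf:
            for rel, data in core.items():
                zf.writestr("wordpress/" + rel, data)
        site = Path(tmp, "site")
        (site / "wp-includes").mkdir(parents=True)
        (site / "wp-content").mkdir()
        (site / "index.php").write_bytes(core["index.php"])
        (site / "wp-includes/version.php").write_bytes(b"<?php // modified")
        (site / "wp-includes/cache.php").write_bytes(b"<?php // not in core")
        (site / "wp-config.php").write_bytes(b"<?php // special file")
        (site / "wp-content/theme.php").write_bytes(b"<?php // restored later")
        return compare_with_fresh_core(site, fresh)

if __name__ == "__main__":
    print(demo())
```

Both lists should be empty after a clean replacement; any entry in either one is a file to delete or re-upload before asking the host to reactivate the account.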
It is now time to ask your hosting representative to turn your account back on. Based on all the steps we just did above, there is no reason that a malicious file is present in your hosting account. Give them a holler and tell them to flip the switch back on to your site.
As soon as you receive word that your website account is back online you need to take some action. Remember in the first step here how we backed up all the unique files that allow the site to function and then we deleted them? Well common sense will tell you here that your site will not work until we restore those files where they belong.
Once you have restored these unique files you MUST run a scan of them to make sure there are not any which contain infections. Log in to your WordPress admin area and add the plugin below to do a full scan of all the files in your hosting account.
Now based on the scan results, you will need to clean or restore the files that return infected in the scan report. Doing this will ensure that you do not repeat the email communication “Host Said WordPress Website is Infected”.
Plan of action with full list of files from host
So we put this at the bottom of this article because it is the easy and fast way out of this mess. There are several hosting companies out there that will provide you the results of their server scan and an itemized list of infected files they found. Simply take that list and using either your web hosting control panel file manager or sFTP/FTP access, clean or replace each file they have listed. After you do this you can ask them to reactivate your account and then get some much needed rest…;)
Keep in mind here that the goal in the beginning is to get all the bad files off the server so your hosting company will activate your account again. Another big part not discussed yet is the need for security. This is so important because once you get a clean bill of health for your WordPress site you need to secure it to avoid future infections. The post at the link below will offer some easy tips to enhance security on your site.
If any of this information is overwhelming to take in we will gladly do it for you with the service below. We start right away too.
SOME SUPPORTING Website is Infected TWEETS
Search engines care a lot if your #Website is #secure and safe for your customers and more and more sites which get infected with #malware will be detected by the search engines. 👉Follow the 5 steps and prevent nasty incidents.💻 https://t.co/oDAP5PrCjw #SEO #infosec #WordPress pic.twitter.com/tlbmhBNTfP
— WebARX (@webarx_security) January 22, 2018