WordPress Infection Removal

Steps To Remove WordPress Infection

Need to remove WordPress infection?

This post walks through some simple steps to remove a WordPress infection. Just knowing that your website may be infected could have you in a bit of a panic right now. The good news is that you have come to the right place for clear, actionable steps to get your website cleaned and secured. We want to make it as easy as possible to remove a WordPress infection quickly and properly.

It is actually a bit crazy that we are releasing this information, as this is the same process our WordPress Infection Specialists use when we clean our customers' websites. We have cleaned hundreds of WordPress websites all over the world every week for over 10 years now. The steps below are the exact steps that we use to identify, isolate and remove malware from a WordPress website.


In a nutshell, the goal of this entire process is to identify the files and/or database entries that contain malicious code and then remove them. We are going to break this up into three steps.

Step one is scanning your WordPress site for infections. We do this in one of two ways. The first assumes that the website is still online and accessible. The second applies when the website is offline. In many cases a website is offline because the infection has stopped it from functioning properly. It may also be offline because the hosting company has shut down the account due to the infection, which is done so the website will not infect other websites on the same server.

Step two is going to be the process of removing all the malicious code that we identified in step one. This is the step where we roll up our sleeves and dive into all the infected files and database entries to get them completely removed from the website.

And finally, step three is securing the WordPress site from future attacks. This step is so important and often overlooked. We find that those who like to do their own cleanups never complete this final step of securing their website from future vulnerabilities, and find themselves reinfected over and over again.

Step 1: Scanning for WordPress Infections – (website still online)

If you are able to login to the WordPress site, please follow the steps below to scan the site for infections.

  1. Add the plugin GOT MLS. See details at https://wordpress.org/plugins/gotmls
  2. On the plugin scan screen, make sure to register it using the form on the right-hand side
  3. Once registered, be sure to download the newest infection definitions
  4. Run the scan from the topmost level. In most cases this will be public_html

Once the scan is complete you will be given a list of infected files. If there are multiple infected sites on the hosting account but you only clean one of them, the other infected sites will re-infect the one you are cleaning.

Use the list of infected files to isolate and remove the infected code in each file, or remove the entire file altogether if it does not belong. As a best practice, if you find an infected file in a plugin or theme, simply remove the entire folder and re-install a fresh, clean copy. We dive into this more in step #2.


Step 1: Scanning for WordPress Infections – (website offline)

In many cases the host will suspend a customer's site and take it offline. This makes it impossible to scan using a plugin. Some hosting companies will provide a list of all the infected files on the account. You can use this list to clean out the infection and then request that the host activate the hosting account again, since you cleaned out their list of reported infections.

If the host does not provide a list, follow the steps below.

  1. Request FTP/sFTP access from the customer
  2. Remove all core WP files except the wp-content folder and wp-config.php
  3. Back up any odd files you see in the root of the WP install and then delete them from the server (send the odd files to the customer and explain you had to remove them)
  4. Back up the wp-content folder and then delete it
  5. Re-install the newest version of the WP core files manually through FTP
  6. The server will now have a completely fresh install of WordPress. Ask the customer to notify the host so they can re-activate the account
  7. Once the account is active again, replace the wp-content folder with the files you backed up in step #4
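
One way to find the "odd files" from step 3 before deleting anything, as an added example that is not part of the original post: compare a downloaded copy of the install against a clean copy of WordPress core. It assumes the clean copy is the same WordPress version as the site (`$wp_version` in wp-includes/version.php); the function names and sample files are constructed for illustration.

```python
import hashlib
import tempfile
from pathlib import Path

KEEP = {"wp-config.php", "wp-content"}  # preserved by the procedure, so not compared

def manifest(root):
    """Map relative path -> SHA-256 for every file under root, skipping KEEP."""
    root = Path(root)
    hashes = {}
    for path in root.rglob("*"):
        rel = path.relative_to(root)
        if path.is_file() and rel.parts[0] not in KEEP:
            hashes[rel.as_posix()] = hashlib.sha256(path.read_bytes()).hexdigest()
    return hashes

def compare_to_core(site_root, clean_core_root):
    """Return (odd, modified): files core does not ship, and core files that differ."""
    site, core = manifest(site_root), manifest(clean_core_root)
    odd = sorted(f for f in site if f not in core)
    modified = sorted(f for f in site if f in core and site[f] != core[f])
    return odd, modified

def build_tree(root, files):
    """Write a constructed sample tree: {relative path: file contents}."""
    for rel, text in files.items():
        target = Path(root, rel)
        target.parent.mkdir(parents=True, exist_ok=True)
        target.write_text(text)

def demo():
    # Constructed sample data, not real WordPress files.
    core = {
        "index.php": "<?php // core index",
        "wp-includes/version.php": "<?php $wp_version = 'X';",
    }
    site = dict(core)
    site["wp-includes/version.php"] += " /* appended code */"  # tampered core file
    site["wp-tmp-cache.php"] = "<?php // not part of core"      # odd file in the root
    site["wp-config.php"] = "<?php // site settings"            # kept, never reported
    site["wp-content/uploads/logo.png"] = "image bytes"         # kept, never reported
    with tempfile.TemporaryDirectory() as a, tempfile.TemporaryDirectory() as b:
        build_tree(a, site)
        build_tree(b, core)
        return compare_to_core(a, b)

if __name__ == "__main__":
    odd, modified = demo()
    print("Back up, then delete (not in core):", odd)
    print("Differs from clean core:", modified)
```

On a real install `.htaccess` is reported as an odd file because core does not ship one, which makes it a candidate for the audit in step 2.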

Now that the site is back online, follow the steps below.

  1. Add the plugin GOT MLS. See details at https://wordpress.org/plugins/gotmls
  2. On the plugin scan screen, make sure to register it using the form on the right-hand side
  3. Once registered, be sure to download the newest infection definitions
  4. Run the scan from the topmost level. In most cases this will be public_html

Once the scan is complete you will be given a list of infected files. Use this list to isolate and remove the infected code in each file, or remove the entire file altogether if it does not belong. As a best practice, if you find an infected file in a plugin or theme, simply remove the entire folder and re-install a fresh, clean copy. We dive into this more in step #2.

Step 2: WordPress Infection Removal of Malicious Code

Once you have the list of infected files found in the scan, it is time to clean those files up and get near the finish line of removing the WordPress infection.

  1. Look at each file found to be infected and either clean out the infected code inside it or delete the file if it is not needed on the site
  2. Remove and re-install all WP core files
  3. Audit the .htaccess file for any odd code. Add the rules below to this file. Please test the site afterwards to make sure it still loads. Reverse the change if it does not.
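    # disable directory browsing
    # (Apache 2.4 rejects mixing bare and +/- options such as "All -Indexes")
    Options -Indexes
    
    # block direct requests to include-only WordPress files
    RewriteEngine On
    RewriteBase /
    RewriteRule ^wp-admin/includes/ - [F,L]
    # skip the next three rules for requests outside wp-includes/
    RewriteRule !^wp-includes/ - [S=3]
    RewriteRule ^wp-includes/[^/]+\.php$ - [F,L]
    RewriteRule ^wp-includes/js/tinymce/langs/.+\.php - [F,L]
    RewriteRule ^wp-includes/theme-compat/ - [F,L]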
    
  4. Audit wp-config.php for any odd code
  5. Remove all unused free themes. Back them up and zip them on the server in case they are premium themes
  6. Zip up any unused premium themes and then remove their folders. Only active themes should remain present and accessible
  7. Browse through the wp-content folder for anything odd or not being used. If uncertain, just zip it up and place the zip on the server before you delete it. Zip files will not be prone to infections
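
To see what the rewrite rules in item 3 actually block, this added example (not part of the original post) replays them in Python against constructed request paths, with the literal dots written as `\.`. It models only the `F` and `S=n` flags these rules use; `is_forbidden`, `RULES`, `LOOSE` and the sample paths are illustrative names.

```python
import re

# The .htaccess rules as (pattern, flags). A leading "!" negates the pattern.
RULES = [
    (r"^wp-admin/includes/", "F,L"),
    (r"!^wp-includes/", "S=3"),
    (r"^wp-includes/[^/]+\.php$", "F,L"),
    (r"^wp-includes/js/tinymce/langs/.+\.php", "F,L"),
    (r"^wp-includes/theme-compat/", "F,L"),
]
# Same rules with the dots left unescaped, so "." matches any character.
LOOSE = [(p.replace("\\.", "."), f) for p, f in RULES]

def is_forbidden(url_path, rules=RULES):
    """Return True if the rules answer this request with 403 Forbidden."""
    path = url_path.lstrip("/")  # .htaccess rules see the path without a leading slash
    skip = 0
    for pattern, flags in rules:
        if skip:                 # an earlier [S=n] told mod_rewrite to skip this rule
            skip -= 1
            continue
        negate = pattern.startswith("!")
        if bool(re.search(pattern.lstrip("!"), path)) == negate:
            continue             # rule did not match, try the next one
        for flag in flags.split(","):
            if flag == "F":
                return True
            if flag.startswith("S="):
                skip = int(flag[2:])
    return False

# Constructed request paths, chosen to exercise each rule.
SAMPLES = [
    "/wp-login.php",
    "/wp-includes/version.php",
    "/wp-includes/js/jquery/jquery.js",
    "/wp-admin/includes/file.php",
    "/wp-includes/theme-compat/header.php",
    "/wp-includes/js/tinymce/langs/en.php",
    "/wp-includes/blocks/index.php",
]

if __name__ == "__main__":
    for sample in SAMPLES:
        print("403" if is_forbidden(sample) else "ok ", sample)
    # The unescaped pattern also forbids a path that is not a .php file.
    print(is_forbidden("/wp-includes/abphp"), is_forbidden("/wp-includes/abphp", LOOSE))
```

The last sample shows the limit of these rules: PHP files in subdirectories of wp-includes other than the ones named are still reachable, so the rules complement the file cleanup rather than replace it.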

Once these steps are complete, run another scan to verify you got it all.


Step 3: Secure the WordPress Site From Future Attacks

At this point all infected files have been removed from the customer's site, and it is now time to secure the site and send them a final report of the work you completed.

  1. Install and activate the plugin named SHIELD from https://wordpress.org/plugins/wp-simple-firewall/
  2. Run the site through https://sitecheck.sucuri.net/ to verify the site is not on any blacklists
  3. Run the site through https://www.virustotal.com/gui/home/url to further confirm the site is running clean

Items you MUST complete to further protect from future infections:

  1. Run site in HTTPS mode
  2. Audit list of website users and remove any you do not recognize
  3. Change passwords of all remaining users
  4. Audit list of FTP users and remove any you do not recognize (make sure you know how to do this as you can delete your site if not)
  5. Change FTP passwords of all remaining users
  6. Kill all FTP connections to the site (please ask your hosting company if you are unsure what this is)
  7. If you have a web hosting panel, change the password
  8. Run a local infection scan on your computer (if you do not have a malware scanner use free software at https://www.malwarebytes.org/dl-confirm)

We are hopeful that you are now armed with the exact same steps to remove a WordPress infection that we have used here to clean many WordPress sites over and over again for 10+ years. If you have any questions about anything that we discussed in this post, please comment below. We also have an infection cleanup service that can do all of this for you so you can focus on other things that you are more comfortable with. See the details for the service at the link below.

WordPress Malware Removal

https://www.wpfixit.com/product/wordpress-malware-removal-service
