How to Remove Malware From a Hacked WordPress Site (step-by-step)
Cleaning a hacked WordPress site is a methodical process. If you skip steps, the site will be re-infected within 48 hours. Follow this workflow to sanitize, patch, and harden.
Phase 1: Isolation and Triage
Before touching files, stop the bleeding.
- Backup: Take a full snapshot of the filesystem and database. You need a fallback if your cleanup breaks functionality.
- Maintenance Mode: Put the site in maintenance mode. If the host allows, block all traffic via
.htaccessexcept your own IP. - Change Credentials: Immediately rotate FTP/SFTP passwords, database passwords, and WordPress admin passwords.
Phase 2: Detection and Scanning
Use automated tools to identify the scope of the infection.
Scanning with Maldet
Maldet (Linux Malware Detect) is the industry standard for identifying malicious scripts.
# Install and run
wget http://www.rfxn.com/downloads/maldetect-current.tar.gz
tar -xzf maldetect-current.tar.gz
cd maldetect-* && sudo ./install.sh
sudo maldet -a /var/www/html/your-site-path
Review the report in /usr/local/maldetect/sess/.
Scanning with WPScan
Use WPScan to identify outdated plugins or themes that likely served as the entry point.
wpscan --url https://yourdomain.com --enumerate vp,vt,u
Look for "Out of Date" or "Vulnerable" statuses. These are your entry points.
Phase 3: Surgical Removal
Cleaning the Filesystem
Don't try to "clean" core files. Replace them.
- Core Files: Download a fresh copy of WordPress. Delete everything except
wp-contentandwp-config.php. Upload the fresh core files. - Plugins/Themes: Delete all plugins and themes. Reinstall them from the official repository. Do not restore them from your backup (the backup is infected).
- Uploads Folder: Scan
wp-content/uploadsfor PHP files. There should be none.bash find wp-content/uploads -name "*.php" -exec rm -rf {} \; - Backdoors: Look for obfuscated code. Use
grepto find common patterns:bash grep -r "base64_decode" wp-content/ grep -r "eval(" wp-content/ grep -r "gzinflate" wp-content/
Cleaning the Database
Hackers often inject malicious scripts into the wp_options table (e.g., footer_scripts or siteurl) or create admin users.
- Check Admins: Run
SELECT * FROM wp_users;. Delete any user you don’t recognize. - Check Options: Inspect
wp_optionsfor suspicious code inactive_plugins,siteurl, orhome. - Search for Injection: Use
mysqldumpto export the DB and search for common injection strings like<script src=...oreval(.
Phase 4: Patching and Hardening
If you don't close the door, the hacker will return.
- Reset Salts: Generate new security keys in
wp-config.php. This invalidates all active session cookies. - Permissions: Set strict file permissions.
bash find . -type f -exec chmod 644 {} \; find . -type d -exec chmod 755 {} \; chmod 600 wp-config.php - Disable File Editing: Add this to
wp-config.php:php define('DISALLOW_FILE_EDIT', true); - Security Plugin: Install a reputable plugin like Wordfence. Run a "Learning Mode" scan to identify remaining anomalies.
Phase 5: Verification
- Check Google Search Console: Ensure the site isn't blacklisted. If it is, request a review once clean.
- Check Headers: Use
curl -I https://yourdomain.comto ensure no malicious redirects are present. - Monitor Logs: Keep an eye on
/var/log/apache2/access.logor Nginx logs for suspicious POST requests.
Common Mistakes to Avoid
- Restoring from an infected backup: If your backup is from three days ago, the malware might already be there. Always use fresh versions of plugins/themes.
- Ignoring the DB: Many hackers leave a "sleeper" script in the database that reinjects code into files every time a page loads.
- Leaving old plugins: If a plugin was the entry point, it will happen again. Replace it with a maintained alternative.
- Not changing DB passwords: If the hacker got your
wp-config.php, they have your DB credentials. Changing the DB password is mandatory.
Checklist for Cleanup
- [ ] Backup current state (files + DB).
- [ ] Change all passwords (hosting, DB, WP Admin).
- [ ] Run Maldet/WPScan to identify entry points.
- [ ] Replace WordPress core files.
- [ ] Reinstall all plugins/themes from official sources.
- [ ] Delete all
.phpfiles in/uploads. - [ ] Audit
wp_usersandwp_optionstables. - [ ] Reset
wp-config.phpsalts. - [ ] Apply file permission hardening.
- [ ] Install Wordfence and run a deep scan.
- [ ] Submit for Google blacklist removal if applicable.
Need this done for you? Don't waste hours chasing backdoors. I specialize in rapid site recovery and hardening. Hire me on Freelancehunt: https://freelancehunt.com/freelancer/sspoisk
Комментарии
Отправить комментарий