How to Remove Malware From a Hacked WordPress Site (step-by-step)

Cleaning a hacked WordPress site is a methodical process. If you skip steps, the site will be re-infected within 48 hours. Follow this workflow to sanitize, patch, and harden.

Phase 1: Isolation and Triage

Before touching files, stop the bleeding.

  1. Backup: Take a full snapshot of the filesystem and database. You need a fallback if your cleanup breaks functionality.
  2. Maintenance Mode: Put the site in maintenance mode. If the host allows, block all traffic via .htaccess except your own IP.
  3. Change Credentials: Immediately rotate FTP/SFTP passwords, database passwords, and WordPress admin passwords.

Phase 2: Detection and Scanning

Use automated tools to identify the scope of the infection.

Scanning with Maldet

Maldet (Linux Malware Detect) is the industry standard for identifying malicious scripts.

# Install and run
wget http://www.rfxn.com/downloads/maldetect-current.tar.gz
tar -xzf maldetect-current.tar.gz
cd maldetect-* && sudo ./install.sh
sudo maldet -a /var/www/html/your-site-path

Review the report in /usr/local/maldetect/sess/.

Scanning with WPScan

Use WPScan to identify outdated plugins or themes that likely served as the entry point.

wpscan --url https://yourdomain.com --enumerate vp,vt,u

Look for "Out of Date" or "Vulnerable" statuses. These are your entry points.

Phase 3: Surgical Removal

Cleaning the Filesystem

Don't try to "clean" core files. Replace them.

  1. Core Files: Download a fresh copy of WordPress. Delete everything except wp-content and wp-config.php. Upload the fresh core files.
  2. Plugins/Themes: Delete all plugins and themes. Reinstall them from the official repository. Do not restore them from your backup (the backup is infected).
  3. Uploads Folder: Scan wp-content/uploads for PHP files. There should be none. bash find wp-content/uploads -name "*.php" -exec rm -rf {} \;
  4. Backdoors: Look for obfuscated code. Use grep to find common patterns: bash grep -r "base64_decode" wp-content/ grep -r "eval(" wp-content/ grep -r "gzinflate" wp-content/

Cleaning the Database

Hackers often inject malicious scripts into the wp_options table (e.g., footer_scripts or siteurl) or create admin users.

  1. Check Admins: Run SELECT * FROM wp_users;. Delete any user you don’t recognize.
  2. Check Options: Inspect wp_options for suspicious code in active_plugins, siteurl, or home.
  3. Search for Injection: Use mysqldump to export the DB and search for common injection strings like <script src=... or eval(.

Phase 4: Patching and Hardening

If you don't close the door, the hacker will return.

  1. Reset Salts: Generate new security keys in wp-config.php. This invalidates all active session cookies.
  2. Permissions: Set strict file permissions. bash find . -type f -exec chmod 644 {} \; find . -type d -exec chmod 755 {} \; chmod 600 wp-config.php
  3. Disable File Editing: Add this to wp-config.php: php define('DISALLOW_FILE_EDIT', true);
  4. Security Plugin: Install a reputable plugin like Wordfence. Run a "Learning Mode" scan to identify remaining anomalies.

Phase 5: Verification

  1. Check Google Search Console: Ensure the site isn't blacklisted. If it is, request a review once clean.
  2. Check Headers: Use curl -I https://yourdomain.com to ensure no malicious redirects are present.
  3. Monitor Logs: Keep an eye on /var/log/apache2/access.log or Nginx logs for suspicious POST requests.

Common Mistakes to Avoid

  • Restoring from an infected backup: If your backup is from three days ago, the malware might already be there. Always use fresh versions of plugins/themes.
  • Ignoring the DB: Many hackers leave a "sleeper" script in the database that reinjects code into files every time a page loads.
  • Leaving old plugins: If a plugin was the entry point, it will happen again. Replace it with a maintained alternative.
  • Not changing DB passwords: If the hacker got your wp-config.php, they have your DB credentials. Changing the DB password is mandatory.

Checklist for Cleanup

  • [ ] Backup current state (files + DB).
  • [ ] Change all passwords (hosting, DB, WP Admin).
  • [ ] Run Maldet/WPScan to identify entry points.
  • [ ] Replace WordPress core files.
  • [ ] Reinstall all plugins/themes from official sources.
  • [ ] Delete all .php files in /uploads.
  • [ ] Audit wp_users and wp_options tables.
  • [ ] Reset wp-config.php salts.
  • [ ] Apply file permission hardening.
  • [ ] Install Wordfence and run a deep scan.
  • [ ] Submit for Google blacklist removal if applicable.

Need this done for you? Don't waste hours chasing backdoors. I specialize in rapid site recovery and hardening. Hire me on Freelancehunt: https://freelancehunt.com/freelancer/sspoisk

Originally posted at https://guardlabs.online/care/

Комментарии

Популярные сообщения из этого блога

Архитектура торговых систем: уроки инженера-строителя

Three AI War Story Shorts: 8s viral test (Why your code, backtest, and site all lie)