Over the years I’ve cleaned many, many WordPress malware infections for customers. The following steps are the same steps I use when hired to clean a site. To be successful, you should be familiar with WordPress core files, FTP and your hosting control panel. If your host provides access to the command shell and you’re familiar with Linux, even better. Let’s get started!
Step 0: Back up your site. Before you even start, if you have a working backup, consider restoring that backup to a time before the malware infection occurred. Your site may still be in a vulnerable state, but it may not be the mess it is right now.
If you don’t have a backup, or you need to get your site working with minimal loss since your last backup, you should back up your site before proceeding. I am not responsible for any damages you might cause your site by following this guide. When in doubt, hire a professional.
Step 1: Record plugins and themes. Make a note of everything you’re using, including the URL and author, if available. If it’s not active and/or necessary, consider deleting it. Pay special attention to the active plugins; malicious plugins are often installed with seemingly innocuous names such as WordPress Dictionary.
Step 2: Download WordPress. You’re going to need a fresh copy of the latest version of WordPress.
Step 3: Remove unknown users. Especially users with Administrator access. If they have content associated with them, assign it to a known user.
Step 4: Reset your password. Make it something strong; I just let the auto-generator suggest something.
Step 5: Secure FTP accounts. This is back in your hosting control panel and is actually two steps in one. Some panels give you the option to delete the files under the user as well, but I would not suggest this unless you have a backup and know what you’re doing. Reset the passwords on any remaining FTP accounts to something strong.
Step 6: Reset any other logins. Reset any other control panel, billing or additional logins your hosting account might have.
Step 7: Take website offline. I typically do this by renaming the folder, but you could do it with permissions as well. This is one that’s tempting to skip over to minimize downtime. However, if you leave your site up with any active infection, you leave the door open to re-infection while you work. The short downtime will be worth the hassle of having to start over from scratch.
Step 8: Check .htaccess. This file is commonly targeted by malware infections. Remove malware redirects manually if you know what you’re doing. If you’re unsure, another option is to delete the file (backup first!) then recreate it through WordPress after you’re done. This is as simple as re-saving the Permalinks settings.
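One way to do the Step 8 review from a shell, as an added example that is not the author's own tooling. It lists every directive outside the block WordPress writes itself and every redirect that targets another host. The function names, the sample file and the domains example.com and redirect.example.invalid are constructed for illustration.

```shell
# Added example: review an .htaccess file before editing or deleting it.
# List directives (with line numbers) outside the block WordPress maintains
# between "# BEGIN WordPress" and "# END WordPress".
outside_wp_block() {
  awk '
    /^[ \t]*# BEGIN WordPress/ { inside = 1; next }
    /^[ \t]*# END WordPress/   { inside = 0; next }
    inside                     { next }
    /^[ \t]*#/ || /^[ \t]*$/   { next }   # ignore comments and blank lines
    { printf "%d: %s\n", NR, $0 }
  ' "$1"
}

# List redirect-type directives whose target is an absolute URL on a host
# other than the site's own domain ($2, lowercase), anywhere in the file.
external_redirects() {
  awk -v own="$2" '
    { line = tolower($0) }
    line ~ /^[ \t]*(rewriterule|redirect|redirectmatch|errordocument)[ \t]/ &&
    match(line, "https?://[^/ \t\"]+") {
      host = substr(line, RSTART, RLENGTH)
      sub("^https?://", "", host)
      if (host != own && host != ("www." own)) printf "%d: %s\n", NR, $0
    }
  ' "$1"
}

# Constructed sample: two injected lines above the stock WordPress block.
make_sample_htaccess() {
  cat > "$1" <<'EOF'
RewriteEngine On
RewriteRule ^ http://redirect.example.invalid/ [R=302,L]

# BEGIN WordPress
<IfModule mod_rewrite.c>
RewriteEngine On
RewriteBase /
RewriteRule ^index\.php$ - [L]
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteRule . /index.php [L]
</IfModule>
# END WordPress
EOF
}

f=$(mktemp); make_sample_htaccess "$f"
echo "Outside the WordPress block:"; outside_wp_block "$f"
echo "External redirect targets:";   external_redirects "$f" example.com
rm -f "$f"
```

Lines outside the WordPress block are not automatically malicious (caching and security plugins add their own), so treat the output as a review list, not a delete list.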
Step 9: Archive core WordPress files. Basically you’re going to back up the old files on-site temporarily. I usually create a temp folder and move the core files there. This does not include the /wp-content/ folder or wp-config.php.
This is a list of the latest WordPress core files at time of publication:
Step 10: Install fresh plugins and themes. Things start to get tricky here for most people. I like to start with a fresh /plugins/ and /themes/ folder and upload new copies of the plugins straight from WordPress. If you’ve made changes directly to your theme files, re-installing the theme may not be possible. If you have a premium theme or plugin, you will have to retrieve it from the source again.
Step 11: Remove malware. This is where the dirty work happens, and subsequently, where most people fail. Basically you need to remove files which contain only malware and clean files containing malware snippets.
Unfortunately, this is where real expertise and experience with Linux, WordPress and PHP becomes necessary. If you’re lucky, you’ll encounter only a couple of obvious malware files to delete. In most cases though, malware files will be dispersed throughout your directory structure. Worst case, you’ll have a highly custom theme with malware embedded in every theme file.
I have years of experience and have developed many tools and scripts that I use for malware removal, both with and without shell access. If you’re in over your head at this point, consider hiring me to get it done.
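A read-only first pass for Step 11 when you have shell access, as an added example that is not one of the author's tools. It goes beyond the text by naming concrete heuristics: PHP files inside uploads, eval() wrapped around a decoder, and PHP files changed recently. The function names and the sample tree are constructed for illustration.

```shell
# Added example: read-only triage of a WordPress tree. Nothing is deleted.

# PHP files under uploads/. Media belongs there; executable code usually does not.
php_in_uploads() {
  find "$1/wp-content/uploads" -type f -name '*.php' 2>/dev/null | sort
}

# Files that feed decoded or decompressed data straight into eval(), a common
# obfuscation wrapper. Heuristic only: open every hit and read it.
obfuscated_php() {
  find "$1" -type f -name '*.php' -exec grep -lE \
    'eval[[:space:]]*\([[:space:]]*(base64_decode|gzinflate|gzuncompress|str_rot13)' \
    {} + | sort
}

# PHP files modified within the last N days ($2), the suspected infection window.
recent_php() {
  find "$1" -type f -name '*.php' -mtime "-$2" | sort
}

# Constructed sample tree (not real malware): one clean theme file, one theme
# file with an eval wrapper around a placeholder string, one PHP file in uploads.
make_sample_tree() {
  mkdir -p "$1/wp-content/themes/custom" "$1/wp-content/uploads/2024/01"
  printf '%s\n' '<?php get_header();' > "$1/wp-content/themes/custom/index.php"
  printf '%s\n' "<?php eval(base64_decode('CONSTRUCTED-PLACEHOLDER')); ?>" \
    > "$1/wp-content/themes/custom/functions.php"
  printf '%s\n' '<?php // constructed' > "$1/wp-content/uploads/2024/01/cache.php"
  touch -t 202001010000 "$1/wp-content/themes/custom/index.php"   # make it "old"
}

site=$(mktemp -d)
make_sample_tree "$site"
echo "PHP in uploads:";      php_in_uploads "$site"
echo "Obfuscation markers:"; obfuscated_php "$site"
echo "Changed in 7 days:";   recent_php "$site" 7
rm -rf "$site"
```

A clean result from these checks does not prove the site is clean; file timestamps can be altered and not all malware is obfuscated this way.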
Step 12: Create new wp-config.php. Use the existing wp-config-sample.php file as your template. Copy the database server and user from the old file. In your host’s control panel, reset the database password for the correct database to something strong and copy it into the file; do not re-use the existing password.
Set the authentication keys and salt values, too. Use the WordPress API to generate them instead of typing in your own random strings.
Finally, check your old wp-config.php for host-specific settings. Copy these over into the correct place. Be sure you are not copying over malware here; the wp-config.php file is a common malware target and you’ll typically see code inserted at the top of this file. Again, know what you’re doing or get an expert. Quick tip: take care not to insert blank space before the opening php tag or after the closing php tag. They should be the first and last things in this file. Stray blank space there usually leads to a WordPress site with just a white screen.
Step 13: Upload WordPress. Wait! This is the fresh installation you downloaded earlier. You want to upload everything except the /wp-content/ folder.
Step 14: Set file/folder permissions. The default permissions for WordPress are 755 for folders and 644 for files. Your host may require different permissions; check with them if necessary.
Step 15: Reactivate site. Your site should be functioning now. If not, try accessing just the dashboard and re-save Permalinks, check plugins and the active theme. If it’s still not working, go back carefully through the steps.
Step 16: Reset accounts, again. Repeat steps 3 through 6. This is probably unnecessary, but once the site is clean and running, I like to double-check just in case.
Step 17: Remove old core files. These are the files you archived in Step 9. If they are in your active web folder and they are infected, there’s a small chance any call to them could re-infect everything. If they’re above your active web folder, in a folder inaccessible to web visitors, this is less of a concern. Either way, you don’t need them anymore.
Step 18: Use Wordfence. The Wordfence Security plugin is a great anti-malware plugin that also has a scanner built-in. If you’ve missed anything, there’s a great chance Wordfence is going to find it. If you plan on keeping Wordfence installed long-term, which I highly recommend, I would turn off the Live Traffic Option under the Basic Options menu. It consumes a lot of resources and isn’t necessary for protection.
Before you run the initial scan, go to the Scans to Include options section and check every checkbox except for the ‘Scan images, binary, and other files’, ‘Enable High Sensitivity’ and ‘Use low resource scanning’ options. This will give you a thorough scan. Warnings aren’t generally infections, but you’ll have to use your own judgement here. Critical errors mean you missed something. Fix it and go back to Step 3. Sorry.
Step 19: Use Sucuri. The Sucuri Security plugin is a good second line of defense. I like this plugin for monitoring changes to WordPress core files, users, theme changes via the editor and things like that. It also has a Hardening section to quickly lock down some parts of WordPress.
(Optional) Step 20: Blacklist check. If you’ve been harboring a malware infection for very long, there’s a good chance you’re being flagged in the search listings by Google and possibly blacklisted by other search engines or mailing blacklists. Submit your site for reconsideration.
If you’ve successfully cleaned your site following these steps, congratulations! Going forward, it will be important to keep your site up to date and monitor the security plugins you’ve installed. If you don’t already, have an off-site backup plan in place for your files and database.
Did you try and fail? Or do you have a stubborn infection that keeps coming back? If this is simply beyond your capabilities, consider hiring a professional to clean your site. I have a WordPress malware removal service for a reasonable flat fee with a 30 day guarantee. I also provide ongoing site monitoring and off-site backup with my WordPress management service.