How to Check, Remove, and Prevent Malware from Your WordPress Site

This week was pretty busy. One of the non-profits that I know found themselves in quite a predicament: their WordPress site was infected with malware. The site was hacked, and scripts injected into its pages ran in visitors' browsers and did two different things:

  1. The site tried to infect Microsoft Windows users with malware.
  2. The site redirected all users to a site that utilized JavaScript to harness the visitor’s PC to mine cryptocurrency.

I discovered the WordPress site was hacked when I visited it after clicking through from their latest newsletter, and I immediately notified them of what was going on. Unfortunately, it was quite an aggressive attack: I was able to remove it, but the site was reinfected immediately upon going live again. This is common practice among malware operators. They don't just hack the site; they also add an administrative user or alter a core WordPress file so that the hack is re-injected if it's removed.

What is Malware?

Malware is an ongoing issue on the web. It is used to inflate click-through rates on ads (ad fraud), inflate site statistics to overcharge advertisers, steal visitors' financial and personal data, and most recently, to mine cryptocurrency. Mining can be profitable, but the cost of the hardware and the electricity to run it is significant. By secretly harnessing visitors' computers with mining scripts that run in the browser, the attackers get the computation without paying for it.

WordPress and other popular platforms are huge targets for hackers since they are the foundation of so many websites. WordPress's theme and plugin architecture runs third-party code with the same privileges as the core, so a security hole in any theme or plugin exposes the entire site. The WordPress community is outstanding at identifying and patching security holes, but site owners are not as vigilant about keeping their sites updated with the latest versions.

This site was hosted on GoDaddy's traditional web hosting (not GoDaddy's Managed WordPress hosting), which provides no malware protection of its own. They do, of course, sell a malware scanning and removal service. Managed WordPress hosting companies such as Flywheel, WP Engine, LiquidWeb, GoDaddy, and Pantheon all provide automated updates to keep your site current when issues are identified and patched. Most also offer malware scanning and blacklist known-vulnerable themes and plugins to help site owners prevent a hack. Some go a step further: Kinsta, a high-performance Managed WordPress host, even offers a security guarantee.

Additionally, the team at Jetpack offers a great service that automatically checks your site for malware and other vulnerabilities daily. This is an ideal solution if you're self-hosting WordPress on your own infrastructure.

You can also use the third-party malware scanning incorporated into plugins like All-In-One WP Security and Firewall, which reports whether your site is blacklisted by active malware monitoring services.

Is Your Site Blacklisted for Malware?

Many sites online promote checking your site for malware, but keep in mind that most of them are not scanning your site in real time. A genuine scan requires crawling your site with a third-party tool, which cannot return results instantaneously. The sites that give you an instant verdict are reporting what an earlier crawl found. Some of the malware-checking sites on the web are:

Unless your site is registered with a monitoring account somewhere, you will probably hear about an infection from a user of these services. Don't ignore the alert… while you may not see a problem yourself, false positives are rare. These listings can get your site de-indexed from search engines and blocked by browsers. Worse, your potential clients and existing customers may wonder what kind of organization they're working with.

How Do You Check for Malware?

Several of the companies above speak to how difficult it is to find malware, but it's not quite so difficult. The difficulty is figuring out how it got into your site! Malicious code is most often located in:

How Do You Remove the Malware?

A good friend of mine recently got his WordPress blog hacked. It was quite a malicious attack that could impact his search ranking and, of course, his traffic momentum. Here's my advice for what to do if your WordPress site gets hacked:

  1. Stay Calm! Don't start deleting things and installing all kinds of crap that promises to clean up your installation. You don't know who wrote it and whether or not it's simply adding more malicious crap to your blog. Take a deep breath, look at this blog post, and slowly and deliberately go down the checklist.
  2. Take down the blog. Immediately. The easiest way to do this with WordPress is to rename the index.php file in your root directory. It's not enough to just put up an index.html page… you need to halt all traffic to every page of your blog. In place of index.php, upload a text file that says you're offline for maintenance and will be back soon. Keep in mind that renaming index.php only stops the front end: wp-login.php, xmlrpc.php, and any PHP file the attacker dropped are still reachable directly, so a deny-all rule in .htaccess that allows only your own IP address is the more complete way to take the site offline. The reason you need to take down the blog is that most of these hacks aren't done by hand; they're done through malicious scripts that attach themselves to every writable file in your installation. Someone visiting an internal page of your blog can trigger a reinfection of the files you're working to repair.
  3. Back up your site. Don't just back up your files; back up your database too. Store the backup somewhere separate in case you need to refer to some of the files or information, and treat it as evidence rather than something to restore from: it contains the infection.
  4. Remove all themes. Themes are an easy way for a hacker to insert scripts into your blog. Many themes are also written by designers who don't understand the nuances of securing your pages, your code, or your database.
  5. Remove all plugins. Plugins are the easiest way for a hacker to insert code into your blog. Many plugins are written by inexperienced developers who don't understand the nuances of securing your pages, your code, or your database. Once an attacker finds an exploitable file in one plugin, they simply deploy crawlers that search other sites for that same file.
  6. Reinstall WordPress. When I say reinstall WordPress, I mean it, including your theme. Don't forget wp-config.php, a file that isn't overwritten when you copy a fresh WordPress over the old one. In this blog, I found the malicious script was Base64-encoded so it just looked like a blob of text, and it had been inserted at the top of every single PHP file, including wp-config.php.
  7. Review your database. You'll want to review your options table and your posts table especially, looking for any strange external references or content. Don't forget the users table either: an administrator account you didn't create is a common way back in. If you've never looked at your database before, be prepared to find phpMyAdmin or another database query tool within your host's management panel. It's not fun, but it's a must.
  8. Start up WordPress with a default theme and no plugins installed. If your content appears and you don't see any automated redirects to malicious sites, you're probably okay. If you get a redirect to a malicious site, clear your cache first to ensure you're looking at the latest copy of the page. You may need to go through your database record by record to locate whatever content is paving the way into your blog. Chances are your database is clean… but you never know!
  9. Install your theme. If the malicious code replicated, your theme is probably infected too. You may need to go line by line through your theme to ensure there's no malicious code, and you may be better off starting fresh from a clean download. Open the blog up to a post and see if you're still infected.
  10. Install your plugins. You may first want to use a plugin such as Clean Options to remove leftover options from plugins you're no longer using or wanting. Don't go crazy though; this plugin is not the best… it often displays and lets you delete settings you want to hang on to. Download fresh copies of all your plugins from WordPress.org. Run your blog again!
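Step 7 is the one most people skip because it means writing SQL. As an added example (not from the original post), the script below runs the queries worth running: a sweep of wp_posts and wp_options for script and iframe injections, a check that the siteurl and home options still point at your own domain (both are favourite redirect targets), and a list of every administrator so you can spot one you didn't create. To keep it self-contained it runs against a constructed in-memory SQLite copy of the tables with invented rows; the SQL itself runs unchanged in phpMyAdmin or through `wp db query` against the live MySQL database, assuming the default wp_ table prefix.

```python
"""Added example, not code from the original article: the database review
from the checklist above, expressed as SQL against wp_posts, wp_options,
wp_users and wp_usermeta.  It runs against a constructed in-memory SQLite
copy of those tables with invented rows; the statements are plain SQL that
runs unchanged in phpMyAdmin or `wp db query` on the live MySQL database
(the default wp_ table prefix is assumed).
"""
import sqlite3

# Text that should not be in a post or option value unless you put it there.
CONTENT_SIGNATURES = ["<script", "<iframe", "eval(", "fromCharCode", "document.write("]

# (table, id column, text column) pairs to sweep.  wp_options catches
# injected widgets and theme settings; wp_posts catches injected content.
# These names are fixed here, never taken from input, so the f-string is safe.
TABLES_TO_CHECK = [
    ("wp_posts", "ID", "post_content"),
    ("wp_options", "option_id", "option_value"),
]


def find_injected_rows(conn, signatures=CONTENT_SIGNATURES):
    """Return (table, row id, signature) for every row containing a signature."""
    hits = []
    for table, id_col, text_col in TABLES_TO_CHECK:
        for sig in signatures:
            rows = conn.execute(
                f"SELECT {id_col} FROM {table} WHERE {text_col} LIKE ?", ("%" + sig + "%",)
            )
            hits.extend((table, row_id, sig) for (row_id,) in rows)
    return hits


def check_site_urls(conn, expected_host):
    """siteurl/home are a favourite redirect target; return any that point elsewhere."""
    rows = conn.execute(
        "SELECT option_name, option_value FROM wp_options "
        "WHERE option_name IN ('siteurl', 'home')"
    )
    return [(name, value) for name, value in rows if expected_host not in value]


def list_administrators(conn):
    """All users holding the administrator role.  Roles live in wp_usermeta as a
    serialized PHP array, so the role name is matched inside that string."""
    return conn.execute(
        "SELECT u.ID, u.user_login, u.user_email, u.user_registered "
        "FROM wp_users u JOIN wp_usermeta m ON m.user_id = u.ID "
        "WHERE m.meta_key = 'wp_capabilities' AND m.meta_value LIKE '%administrator%' "
        "ORDER BY u.ID"
    ).fetchall()


def unexpected_administrators(conn, known_logins):
    """Administrators you did not create: the usual way back in after a cleanup."""
    return [u for u in list_administrators(conn) if u[1] not in known_logins]


def build_sample_db():
    """Constructed sample data shaped like the relevant WordPress tables."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE wp_posts (ID INTEGER PRIMARY KEY, post_title TEXT, post_content TEXT);
        CREATE TABLE wp_options (option_id INTEGER PRIMARY KEY, option_name TEXT, option_value TEXT);
        CREATE TABLE wp_users (ID INTEGER PRIMARY KEY, user_login TEXT, user_email TEXT, user_registered TEXT);
        CREATE TABLE wp_usermeta (umeta_id INTEGER PRIMARY KEY, user_id INTEGER, meta_key TEXT, meta_value TEXT);
        INSERT INTO wp_posts VALUES (1, 'Welcome', '<p>Thanks for visiting.</p>');
        INSERT INTO wp_posts VALUES (2, 'Newsletter', '<p>News</p><script src="https://cdn.attacker.invalid/m.js"></script>');
        INSERT INTO wp_options VALUES (1, 'siteurl', 'https://www.example.org');
        INSERT INTO wp_options VALUES (2, 'home', 'https://redirect.attacker.invalid');
        INSERT INTO wp_options VALUES (3, 'widget_text', 'a:1:{i:2;a:1:{s:4:"text";s:36:"<iframe src=https://x.invalid></iframe>";}}');
        INSERT INTO wp_users VALUES (1, 'editor', 'editor@example.org', '2016-01-10 09:00:00');
        INSERT INTO wp_users VALUES (2, 'wp_backup', 'root@attacker.invalid', '2018-02-01 03:12:44');
        INSERT INTO wp_usermeta VALUES (1, 1, 'wp_capabilities', 'a:1:{s:13:"administrator";b:1;}');
        INSERT INTO wp_usermeta VALUES (2, 2, 'wp_capabilities', 'a:1:{s:13:"administrator";b:1;}');
    """)
    return conn


if __name__ == "__main__":
    db = build_sample_db()
    for hit in find_injected_rows(db):
        print("injected content:", hit)
    for option in check_site_urls(db, "www.example.org"):
        print("option pointing off-site:", option)
    for user in unexpected_administrators(db, {"editor"}):
        print("administrator you did not create:", user)
```

Expect some noise from the content sweep on a real site (a post that legitimately embeds a video will contain an iframe); the point is to read every hit, not to delete on sight. Any administrator you don't recognise should be removed along with its sessions before the site goes back up, since a spare admin account is exactly the re-entry path described earlier in this post.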

If you see the issue come back, chances are that you've reinstalled a plugin or theme that's vulnerable, OR there was something hidden in the content of your site stored in the database. If the issue never leaves, you've probably taken a couple of shortcuts in troubleshooting. Don't take shortcuts.

These hackers are nasty folks! Not understanding every plugin and theme file puts us all at risk, so be vigilant. Install plugins that have great ratings, plenty of active installations, and a solid record of recent updates. Read the reviews people have left for them.

How Do You Prevent Your Site from Being Hacked and Malware Installed?

Before you put your site live… it's time to harden it to prevent an immediate re-injection or another hack:

Once you believe you've got everything fixed and hardened, you can bring the site back live by removing the .htaccess rule (or restoring index.php) that took it offline. As soon as it's live, look for the same infection that was there before. I typically use the browser's developer tools to monitor the network requests the page makes, and I track down every request to make sure none of them go to an unknown or malicious host… if one does, it's back to the top of the checklist and doing the steps all over again.

Remember: once your site is clean, it will not automatically be removed from blacklists. You should contact each service and request a review, per the list above.

Getting hacked like this is not fun. Companies charge several hundred dollars to remove these threats. I worked no less than 8 hours to help this company clean up their site.
