Restoring a Malicious WordPress Site

A client called me this week complaining that their site was being blocked due to malicious code found on it. It was a WordPress site on a shared server. Rather than scour every file of every site on the server to identify the injection script, we were able to get the WordPress site back up and running fairly quickly with the following steps:

  1. Removing any unused, old or unpopular WordPress plugins. Plugins are often the source of malicious code because many plugin developers don’t work to secure their plugins.
  2. Overwriting all WordPress installation directories, excluding wp-content. Wp-content is the folder with all of your uploaded media libraries and themes in it – so you don’t want to remove it!
  3. Reviewing all theme and plugin files to ensure there isn’t any code you don’t recognize. The current means of injection is typically an iframe to a third-party site (often Chinese), or an encrypted section of code at the top of all PHP pages. You’ll need to find and remove or clean all infected files. Sometimes this will require running a script on your server to make sure every file is covered. Read Stop Badware for more information.
  4. If your site isn’t already registered with Google Webmasters, you’ll want to register it. If you’re seeing the malware warning on your site, you’re probably going to have a message in your Webmaster inbox advising you that the site has been removed due to the issue. If you are sure that your site is now clean, you can request reinclusion.
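The triage behind steps 2 and 3, as an added example that is not part of the original post: a shell script that lists which files outside wp-content differ from a pristine WordPress unpack of the same version (so you know what the overwrite in step 2 will replace, and what extra files were dropped into core directories), and then flags the two injection patterns the post names, an encoded `eval(...)` blob and a hidden iframe, without flagging a normal visible embed. The directory layout, the `example.invalid` URLs and the `Y29uc3RydWN0ZWQ=` blob (which decodes to the word "constructed") are constructed fixtures, not data from the post; the script assumes `diff`, `find`, `awk` and `grep` on the server and needs nothing else.

```shell
#!/bin/sh
# Added example, not code from the original post. Assumes a live site in $site and
# a pristine WordPress unpack of the same version in $pristine (both paths assumed).

# Step 2 aid: files under the live site that are not byte-identical to the pristine
# copy, with wp-content skipped. Prints one site-relative path per line. Expect
# wp-config.php to appear (it is live-only by design); anything else is a modified
# or dropped-in core file that the overwrite in step 2 will replace or that you
# must delete by hand.
wp_core_diff() {
    site="$1"; pristine="$2"
    diff -rq -x wp-content "$pristine" "$site" \
        | awk '$1=="Files"{print $4} $1=="Only"{d=$3; sub(/:$/,"",d); print d"/"$4}' \
        | grep "^$site/" | sed "s|^$site/||"
}

# Step 3 aid: scan PHP/HTML/JS files for the two markers the post describes.
#  - encoded-eval : eval() wrapped around base64_decode/gzinflate/str_rot13 (the
#                   post notes it is usually at the top of the file; scanning the
#                   whole file costs nothing extra)
#  - hidden-iframe: an <iframe> styled invisible or sized 0x0, which a theme author
#                   has no reason to write; a visible embed is not reported
# Prints "<marker><TAB><path>" per finding.
wp_scan_php() {
    root="$1"
    find "$root" -type f \( -name '*.php' -o -name '*.html' -o -name '*.js' \) |
    while IFS= read -r f; do
        if grep -Eiq 'eval[[:space:]]*\([[:space:]]*(base64_decode|gzinflate|gzuncompress|str_rot13)' "$f"; then
            printf 'encoded-eval\t%s\n' "$f"
        fi
        if grep -Eiq '<iframe[^>]*(visibility:[[:space:]]*hidden|display:[[:space:]]*none|width="?0|height="?0)' "$f"; then
            printf 'hidden-iframe\t%s\n' "$f"
        fi
    done
}

# Constructed fixture (not a real site): a tiny pristine tree and a live copy with
# one modified core file, one dropped-in core file, and one infected theme file.
make_demo() {
    base="$1"
    mkdir -p "$base/pristine/wp-includes" "$base/site/wp-includes" \
             "$base/site/wp-content/themes/demo"
    printf '<?php\n// core\necho "ok";\n' > "$base/pristine/wp-includes/load.php"
    printf '<?php\n// core\necho "ok";\n' > "$base/pristine/index.php"
    cp "$base/pristine/index.php" "$base/site/index.php"
    # modified core file: encoded eval prepended (blob decodes to "constructed")
    printf '<?php eval(base64_decode("Y29uc3RydWN0ZWQ="));\n// core\necho "ok";\n' \
        > "$base/site/wp-includes/load.php"
    # dropped-in file that no pristine install ships
    printf '<?php echo 1;\n' > "$base/site/wp-includes/cache-x.php"
    # legitimate live-only file
    printf '<?php // constructed config\n' > "$base/site/wp-config.php"
    # clean theme file with an ordinary, visible embed (must not be flagged)
    printf '<iframe src="https://example.invalid/video" width="640" height="360"></iframe>\n' \
        > "$base/site/wp-content/themes/demo/sidebar.php"
    # infected theme file: hidden iframe appended
    printf '<?php get_header(); ?>\n<iframe src="https://example.invalid/x" style="visibility:hidden" width="0" height="0"></iframe>\n' \
        > "$base/site/wp-content/themes/demo/footer.php"
}

demo() {
    d=$(mktemp -d)
    make_demo "$d"
    echo "== files differing from pristine core (wp-content excluded) =="
    wp_core_diff "$d/site" "$d/pristine"
    echo "== injection markers =="
    wp_scan_php "$d/site"
    rm -rf "$d"
}

demo
```

On a real server you would point `wp_core_diff` at the live document root and at a fresh unpack of the matching WordPress release, and run `wp_scan_php` over wp-content (themes and plugins) as step 3 describes; every hit still needs a human look, since the two patterns are heuristics rather than proof.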

Getting authority on search engines is tough enough – being recognized as a malicious site or phishing site isn’t a way to make points with the search engines! Not only do browsers typically block the page, even emails pointing to the domain are blocked by modern email clients like PostBox.

Of course, the easiest way to ensure you don’t get hacked is to only install trusted plugins, always update WordPress installations, and continue to monitor your site for any strange behavior… like all files being overwritten with the same date and time. Keep vigilant, fellow WordPressians!
