What is the fastest way to remove malware or virus from your Wordpress site?

David Beroff

Well-known member
Registered
Joined
Jun 14, 2016
Messages
1,488
Points
63
Recently one of my WP sites got infected by malware code and it redirected to a strange domain name. I did several things to remove it from my site, and although it was successful, it consumed quite a lot of my time. What is the fastest way to remove malware or a virus from your WordPress site, including manual ways or automated tools?
 

aniruddhdiwan

New member
Registered
Joined
Feb 12, 2019
Messages
2
Points
3
10 Steps to Remove Malware from Your WordPress Site

Step 1: Backup the Site Files and Database
Step 2: Download and Examine the Backup Files
Step 3: Delete All the Files in the public_html folder
Step 4: Reinstall WordPress
Step 5: Reset Passwords and Permalinks
Step 6: Reinstall Plugins
Step 7: Reinstall Themes
Step 8: Upload Your Images from the Backup
Step 9: Scan Your Computer
Step 10: Install and Run Security Plugins
 

Collabora

Well-known member
Registered
Joined
Jan 24, 2017
Messages
123
Points
18
There really is no fast method, but there are easy and hard methods. Here is probably the quickest way that doesn't require much mental effort: delete all plugin folders, replace all WP core files (from backup or the WP repository), reinstall plugins. Assuming the db is clean, you should be back in action with a fresh clean site with all the data.

If that fails, you will need to run a server-side scanner. I have had good results with https://wordpress.org/plugins/wp-malware-removal/ -- it will take several hours to complete a scan, but you will know exactly what files (and db) are infected and how. The external scanners are quicker (I like Sucuri), but they can only access files that a visitor's browser can access and can miss a lot.
 

LayerVPS

New member
Registered
Joined
Jun 23, 2019
Messages
4
Points
1
You are probably best off restoring from backups, checking through the installed plugins and making sure to update the WordPress install, and there should not be any problems.

Also, you can check the access logs to try and find out how they exploited the WordPress install.
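
Added example, not part of the post above: one way to start the access-log check it mentions, for a combined-format Apache/nginx log. The function names, the two heuristics (a successful POST to a PHP file under /wp-content/, and repeated POSTs to wp-login.php or xmlrpc.php from one address) and the log lines are constructed for illustration.

```shell
# triage_access_log LOGFILE [LIMIT]
# Prints "CONTENT_PHP_POST ip path" for each successful POST to a .php file
# under /wp-content/, then "AUTH_FLOOD ip count" for each client with at
# least LIMIT (default 3) POSTs to wp-login.php or xmlrpc.php.
triage_access_log() {
    awk -v limit="${2:-3}" '
    {
        method = substr($6, 2)          # field 6 is "\"POST" in combined format
        path = $7
        sub(/\?.*/, "", path)           # ignore the query string
    }
    method == "POST" && path ~ /^\/wp-content\/.*\.php$/ && $9 == "200" {
        print "CONTENT_PHP_POST", $1, path
    }
    method == "POST" && (path == "/wp-login.php" || path == "/xmlrpc.php") {
        auth[$1]++
    }
    END {
        for (ip in auth) if (auth[ip] >= limit) print "AUTH_FLOOD", ip, auth[ip]
    }' "$1"
}

# Constructed sample log lines (documentation IP ranges, not real traffic).
make_sample_log() {
    cat <<'EOF'
203.0.113.7 - - [02/Jul/2019:10:01:11 +0000] "POST /wp-login.php HTTP/1.1" 200 1804 "-" "curl/7.58.0"
203.0.113.7 - - [02/Jul/2019:10:01:12 +0000] "POST /wp-login.php HTTP/1.1" 200 1804 "-" "curl/7.58.0"
203.0.113.7 - - [02/Jul/2019:10:01:13 +0000] "POST /xmlrpc.php HTTP/1.1" 200 403 "-" "curl/7.58.0"
198.51.100.23 - - [02/Jul/2019:11:20:05 +0000] "GET /wp-content/uploads/2019/06/logo.png HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
198.51.100.23 - - [02/Jul/2019:11:20:09 +0000] "POST /wp-content/uploads/2019/06/cache.php?x=1 HTTP/1.1" 200 17 "-" "Mozilla/5.0"
192.0.2.50 - - [02/Jul/2019:12:00:00 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
192.0.2.50 - - [02/Jul/2019:12:00:01 +0000] "GET /wp-admin/ HTTP/1.1" 200 9000 "-" "Mozilla/5.0"
EOF
}

log=$(mktemp)
make_sample_log > "$log"
triage_access_log "$log"
rm -f "$log"
```

The timestamps of the flagged requests give a cut-off for choosing a backup that predates the compromise.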
 

bountysite

Well-known member
Registered
Joined
Oct 11, 2017
Messages
109
Points
28
A proactive way to protect any website is to have your website backup system notify you of the details of files modified. You can quickly address the issue and know what files have been modified.

Of course, a website backup can help you restore your site back to a pristine version.

Reactive way! Some points I can think of:
- Clean up everything, start with the stock version and install plugins
- Restore the db
- Reset all users
- Check if user registration is on. If yes, check the default new user role
- Check posts (whether any extra JS/HTML code has been added)

You've got to have a website backup!
 

Nixtree

Well-known member
Registered
Joined
Jul 16, 2016
Messages
133
Points
28
Once infected, it is always good to reinstall using fresh installation files and restore the wp-content files, so that the core WordPress files are not infected. Before you restore, I suggest manually looking through the contents, removing all unwanted plugins and themes, and checking the uploads folders. Once cleanup and restore are done, make sure you harden the site: block wp-login.php and xmlrpc.php to your or enable 2-step verification for wp-login, disable unwanted php_functions which are used by hackers, disable PHP execution in the uploads folder recursively, etc. Many WordPress plugins can be used for this, but I suggest reducing the number of WordPress plugins as much as you can, as they normally tend to slow down websites.
 

bountysite

Well-known member
Registered
Joined
Oct 11, 2017
Messages
109
Points
28
Did you find out why the website got infected in the first place?
 

AdrianG001

Member
Registered
Joined
Jul 25, 2019
Messages
41
Points
8
Others may end up giving the plugin names that you can use, but I would not use this solution to clean it up, as it will be time-consuming because the code and the virus might still be there.

For me it's best to install the latest WP version and install the updated version of the current theme or install a new theme. Do this for all the plugins.

Usually the malicious code and virus are in the plugins and theme (not the updated ones).

Avoid using nulled themes and plugins.

Perform a daily backup of the site if you can.

To avoid such malware attacks you can go for a strong website firewall.

Regards,
Adrian
 

EthernetServers

Member
Registered
Joined
Nov 24, 2017
Messages
21
Points
3

bountysite

Well-known member
Registered
Joined
Oct 11, 2017
Messages
109
Points
28
If you had a backup in place, you would have known what changes were made to the website. Something that I put a lot of effort into while building our platform.
So, the fastest way to fix your website would be a simple restore click.

I am excited to announce that BountySite now supports database monitoring. You can choose which tables you want to be notified about on change.
If the hack has made changes to your posts or added a new user, you can easily view the changes. Once you know what has changed, the fix becomes easy.
 

AlbaHost

Well-known member
Moderator
Hosting Provider
Joined
Jan 18, 2017
Messages
790
Points
43
Really? If the backup was made while your website was infected, how would you solve it with "only restore click"?
 

bountysite

Well-known member
Registered
Joined
Oct 11, 2017
Messages
109
Points
28
"If you had a backup in place, you would have known what changes were made to website": I am talking about backups prior to the website hack.

Hosting providers normally offer 7/14 days retention. So, if the site was hacked 15 days back, then the oldest version is infected.
BountySite backups don't have a retention period, as it converts the website into a revisioning system. So, only delta text changes are added to the repo, and you can restore to any point since your first backup.

Now that you have put forth this question, with BountySite you can find out which files are modified with respect to their pristine version. We support WordPress, Drupal, Joomla core and several other open source software packages.
If the hacks are in web files, you can identify and replace them with pristine or stock files manually. I actually thought of having a single-click replace with the pristine version, for which I need to build an exclusion file list, which can be misused. So, the manual approach is reliable.
Check out our manual to clean up the site.
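
Added example, not part of the post above and not BountySite's code: a plain-shell way to do the comparison against pristine files described here, which also covers the "check the uploads folders" advice given earlier in the thread. It assumes you have unpacked a stock copy of the same WordPress version next to the site; the function names and the sample trees are constructed for illustration.

```shell
# wp_core_audit SITE_DIR PRISTINE_DIR
# PRISTINE_DIR must hold an unpacked stock copy of the SAME WordPress version.
wp_core_audit() {
    local site="$1" pristine="$2" rel
    # 1. Core files whose content differs from the stock copy.
    (cd "$pristine" && find . -type f ! -path './wp-content/*' | sort) |
    while IFS= read -r rel; do
        rel=${rel#./}
        [ -f "$site/$rel" ] || continue      # missing core files are skipped here
        cmp -s "$pristine/$rel" "$site/$rel" || echo "MODIFIED $rel"
    done
    # 2. Files in core directories that stock WordPress does not ship.
    (cd "$site" && find wp-admin wp-includes -type f 2>/dev/null | sort) |
    while IFS= read -r rel; do
        [ -f "$pristine/$rel" ] || echo "UNKNOWN $rel"
    done
    # 3. PHP-type files under uploads, which should only hold media.
    (cd "$site" && find wp-content/uploads -type f \
        \( -iname '*.php' -o -iname '*.phtml' -o -iname '*.phar' \) 2>/dev/null | sort) |
    sed 's/^/UPLOAD_PHP /'
}

# Constructed sample trees (stand-ins, not real WordPress files).
make_demo() {
    local d
    d=$(mktemp -d)
    mkdir -p "$d/pristine/wp-includes" "$d/pristine/wp-admin" \
             "$d/site/wp-content/uploads/2020/05"
    echo '<?php // stock index' > "$d/pristine/index.php"
    echo '<?php // stock load'  > "$d/pristine/wp-includes/load.php"
    cp -R "$d/pristine/." "$d/site/"
    echo '<?php // injected line' >> "$d/site/index.php"
    echo '<?php // dropped file' > "$d/site/wp-includes/class-cache.php"
    echo '<?php // dropped file' > "$d/site/wp-content/uploads/2020/05/img.php"
    echo 'image bytes' > "$d/site/wp-content/uploads/2020/05/photo.jpg"
    echo "$d"
}

demo=$(make_demo)
wp_core_audit "$demo/site" "$demo/pristine"
rm -rf "$demo"
```

Plugins and themes are left out of step 1 because their files legitimately differ from the stock bundle; compare each against its own fresh download in the same way.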
 

TerranceM

Member
Registered
Joined
Jul 25, 2019
Messages
35
Points
8
Make sure you are using the updated WordPress and PHP version, block your admin page from all other IPs and perform some kind of scan on the website.
 

Adam Stokes

Active member
Registered
Joined
Mar 19, 2020
Messages
83
Points
6
Others here may suggest plugin names, but for me it's best to install the latest WP updates of themes and existing plugins as well. Most of the malicious code is in the form of plugins or themes, so this is the mandatory first step. You can have a website firewall installed to protect your site against such attacks.
 

seaweb

New member
Registered
Joined
May 18, 2020
Messages
2
Points
1
If you are an advanced user or willing to learn, install ModSecurity. This is a great free GPL application control that monitors every step of your webserver for common and specific malicious attacks.

Install:
Bash:
yum install mod_security mod_security_crs
git clone https://github.com/SpiderLabs/owasp-modsecurity-crs.git
Then you need to customize httpd.conf to load it into apache and then modify the mod_security.conf file to load your rulesets.


Add additional rules such as the free ones:
OWASP ModSecurity Core Rule Set (CRS)

The downside is you have to apply whitelisting rules, because there will be false alarms. There is a big learning curve involved. But once you learn it, you could do very advanced stuff and protect your entire servers (in terms of attacks directed via the web server).


If you are not an advanced user OR don't have the time:
Just search for commercial Website Application Firewall (WAF) providers. They will ask you to change your domain's DNS provider to their own. Then they will filter your traffic before sending it to your server. They sit in between your server and the public and filter bad traffic.
This is much easier to do but will cost you a monthly fee per domain. (FYI, ModSecurity is more extensive control since it monitors your webserver directly, BUT depending on your setup you may not have the best rule sets.)

Some of these services also offer Virtual Patching. They apply fixes for known exploit attacks on commonly used scripts/CMS/plugs/etc. In theory you could keep running an outdated plugin while hiding behind the Virtual Patching WAF. This is the advantage of a commercial WAF compared to ModSecurity. (Technically, there are commercial rule sets that cover zero-day exploits for ModSecurity, but the server license to get these updates is so high that it is only worth it if you have a lot of sites hosted or you have a mission-critical site.)

When it comes to WordPress, most of the time the breach happened because of a well-known vulnerability of some sort in the CMS or plugins.

There is one specific company that I would recommend, but since I am new here, I don't want to come across as promoting. ;)


Bonus for those that came across this post (since this will be above the OP's needs): look into SELinux to safeguard your entire Linux server (for advanced users only).
 

Cherin

Member
Registered
Hosting Provider
Joined
Apr 21, 2015
Messages
63
Points
8
cwatch is the best tool to manage all malware scans on WordPress sites with ease.
 

Require

Active member
Registered
Joined
Feb 12, 2020
Messages
68
Points
6
I suggest doing the recommendation above suggested by user^^ there is also a video here I suggest you can watch hope this helps!
Also this
 

Jackleo7878

Member
Registered
Joined
Jul 1, 2020
Messages
30
Points
6
To Remove Malware from a Hacked WordPress Website, here are steps I recommend:
  1. Access details. The first step is to get access to your hosting account’s control panel. For most WordPress administrators that’s cPanel or Plesk.
  2. Make a backup. Even though your website may be infected, it's important to make a backup, just in case the hosting company either suspends your account or, in some cases, deletes your website.
  3. Protect your users with a maintenance page. To temporarily protect your website users, you should upload a maintenance page. A hacked site may redirect your visitors to pornographic, gambling and malicious sites. The last thing you want as a business owner is to harm your customers.
  4. Run a complete scan on your website. There are many great plugins for a website security scan.
  5. Update WordPress to its latest version.
  6. Check your plugins. Running and keeping vulnerable plugins on a website is one of the most common reasons why WordPress sites get hacked! Then go back over to your scan results from your security plugins and double-check which plugins have been flagged with malicious content.
  7. Review the entries for any accounts that were not created by you.
  8. Reset your database password and create a new set of security keys.
 

zainhosting

Member
Registered
Joined
Mar 11, 2019
Messages
40
Points
8
Just install the Wordfence plugin on your WordPress site and scan your site; it will give you all the infected files and malware, so the next step is to remove or clean your files.

If your WordPress core files are infected, you can replace them with new ones; if your plugin or theme files are infected, then replace the full plugin or theme.
 

webtalk

New member
Registered
Joined
Sep 3, 2020
Messages
7
Points
1
The fastest way is to restore your old backup. However, for cleaning the website, try installing Wordfence or another security plugin to scan your website.
If you have a VPS or dedicated server, try installing maldet and ClamAV; it will surely benefit you in the future too. Moreover, figure out which plugin or theme is the culprit to stay safe.
 