How to Remove Malware from a WordPress Website (With 6 Security Tips)
Since WordPress is the most used CMS globally, it faces the highest number of malware attacks. Malware, also known as malicious software, includes viruses, trojans, ransomware, spyware, and other harmful software that can make changes to a website without its user’s consent. Thus, website owners unknowingly host infected files within their websites.
Feeling worried? We’ve got your back. This article explains how to remove malware from a WordPress site. Before that, let’s learn why your website might become a target for malware attacks.
Why Your Website May Get Infected With Malware
A website can be infected with malware for various reasons. Malicious software doesn’t appear without any reason. There are always some identified or unknown factors that make a website susceptible to external attacks. The following list mentions the top reasons here.
Weak security: You may become a victim of malware if your site has vulnerable scripts that let hackers easily crawl into your website. People who run malware attacks are usually well-versed in technical knowledge. They can identify weak security and exploit that in the following ways:
- Break into the backdoors and upload web-shells
- Implant the virus in the website database
- Add, modify, or remove admin roles.
Vulnerable plugins, themes, and templates: Free themes, plugins, and templates usually come with less security. Especially, nulled products often contain web shells and malicious scripts accessible by hackers. Using such infected products on your website opens a door for hackers.
Easy-to-guess passwords: Most people tend to use passwords that are easy to remember and related to them. Your pet name or birthday is not a strong password. Nowadays, it’s possible to get these pieces of information easily from social media accounts.
According to a study, 61% of unauthorized entry into organizations happens because of compromised credentials.SecureLink
Sometimes, hackers try different combinations of passwords to access the website. This is called a brute-force attack.
Theft of FTP credentials: Having access to FTP (File Transfer Protocol) is enough to infect malware on your website. Your login credentials may get stolen easily if you use an unprotected browser. Use secure channels while connecting your website via FTP.
Inexperienced hosting provider: Some hosting providers resell services after buying them from bigger companies. They don’t have hands-on experience in how to configure and administrate their hosting securely. Websites hosted on such servers are more vulnerable.
Untrustworthy freelancers/contractors: You may need to employ a freelancer or contractor from the service marketplaces. While most of them are honest and decent, a few may turn into a threat to your website’s security.
These freelance contractors have access to the website when they work on it. They may leave some code within the website and exploit your website in the future to earn more money.
How Can Malware Attacks Affect Your WordPress Website
Malware in a WordPress site can affect its performance in every aspect, from the user experience to the site’s SEO health. It also hampers the reputation of a website to a great extent. And all these things are directly or indirectly associated with a significant monetary loss. Learn more about how different types of malware can affect your WordPress site from the below list.
- The hackers will have partial or complete control of your website
- They may attack other websites and send spam emails using your website as a host
- Malware usually stores thousands of files on the website occupying a large amount of your disk space
- Malware affects the user experience by slowing down your website
- It might modify a website’s SEO structure and result in a loss of website traffic
- Google blacklists websites that consist of malicious codes
- Your website’s content may get replaced by content from hackers
- Visitors may click on infected ads and get affected by the malware
- An infected website may grant cybercriminals to access your website
- Your website will lose a significant amount of visitors and revenue
How to Detect Malware on Your WordPress Site
There are multiple signs that are directly attacked by malware. You can easily detect if your WordPress site has malware by identifying these symptoms. You can also perform security audits regularly to find out the threats.
Keep reading the following section to learn how to detect malware on your WordPress website.
1. Scan your website using a URL Scanner
One of the easiest ways to check whether a website is hacked or infected with malware is to use a URL checker. VirusTotal scans WordPress websites for free to check if the site has any files flagged as malware. You can use such URL scanners to find out an infected website right away. However, these are not always able to find the malware.
2. Notice if there are any unexpected changes
Try to log in to your website’s dashboard. If your credentials don’t work anymore, try to recover the password. If you still fail to access the website, chances are high that your site has been compromised.
3. Look out for warning messages from Google Search Console
Google sends warning messages to owners of the linked websites. Take it seriously if you ever receive such warnings from Google. These notifications contain highly usable information about the overall situation.
4. Identify the underlying reasons for a slow website
A website loads slowly for various reasons. It may take longer to load because of less optimized content or heavy plugins, themes, and scripts. Find out why your website has become slow suddenly. If there are no valid reasons, it might be malware doing the trick. Malware uses a large number of server resources which eventually makes the website slower.
5. Identify spam results for your website on Google
Search your brand name/domain name on Google. Examine the search results and notice if they look strange to you. If the results contain unrelated meta descriptions and weird characters, take that as a sign of malware.
6. Find if there are any web host flags issues
Web hosting providers regularly audit their servers and take immediate action if there is any malicious activity. They will disable your website and notify you about the issue if your website ever gets attacked by malware. The main reason for this is to prevent the malware from spreading to other websites hosted by them.
7. Consider customer complaints
Most of the time, customers face malware issues before the website owners. If your customer alerts you about unusual activity, compromised user experience, credit card theft, or any other performance issues, take their complaints seriously. Make it your first priority if you run an eCommerce website.
8. Investigate unexpected behavior in analytics
If you see a sudden spike or significant drop in the different parameters in your analytics, investigate this unexpected behavior. Usually, traffic, sales, the number of backlinks, the number of pages, etc. don’t increase or decrease overnight. Sudden significant change means there is something wrong with it. And, in many cases, it’s malware.
How to Remove Malware from WordPress Site
Once you’re sure that your WordPress website has malware, clean it as soon as possible. You can remove malware from a WordPress site both manually and using a plugin. We suggest using a plugin since it requires less technical knowledge and associates less risk with the cleaning process. However, the following section has both ways of malware removal for your convenience.
Clean WordPress Malware Manually
Here’s a step-by-step tutorial on how to clean WordPress malware manually.
1. Back up your website
You’re going to make significant changes to your WordPress website during this malware cleaning process. There are slight chances that you’ll lose valuable data if you don’t have a backup beforehand.
Back up all your files and database using a WordPress plugin. UpdraftPlus is a great WordPress backup plugin that you can use easily.
You can also make a backup of your website by accessing the cPanel or your FTP- File Transfer Protocol Client like FileZilla.
Note: The .htaccess file is invisible by default. You can see it only after enabling the visibility of hidden files from the host’s File Manager. Make it visible and download it on your computer for future use.
2. Thoroughly check the backup files
The future of your website depends on these backup files. So, it’s important to examine them before you move to the next steps. Have a close look at the following types of files.
- All WordPress core files
- wp-config.php file
- .htaccess file
- wp-content folder
- SQL database
Check all these files and folders to see if you have everything you need. Go to the next step if your backup files are okay.
3. Clean your public_html folder
Now go to the public_html folder via the File Manager of the cPanel. Delete all files from the folder (except server-related folders and the cgi-bin folder) that look free from malware. If you have multiple websites connected via the same hosting account, make sure to clean all of them.
4. Clean malware from WordPress database tables
You have a complete backup of your website now. It’s time to do some internal cleansing. Go to the website database through phpMyAdmin. Scan the data tables to find out suspicious names like spammy keywords or links. Remove everything that looks malicious.
5. Clean themes and plugin files
Make a list of all the plugins you have on your WordPress site. This list will help you reinstall them once the cleaning is done. Erase all files related to the plugins from the subfolder. Delete the theme contents as well. Maybe, you got affected by the malware in your plugins or themes. So, delete all of these to minimize the risk.
6. Reinstall WordPress core
Now that the cleaning is almost done, it’s time to install WordPress again. You can reinstall WordPress via the one-click installer of your cPanel. Use the database credentials from the old wp-config.php file to connect the new installation to the old database.
Now you can upload the backup files of your website to the newly installed WordPress.
7. Reset passwords and configure the WordPress settings
Login to your website dashboard and reset credentials for all users. Set a strong password for each user. If you don’t see any unusual user name or activity, your database is clean of malware. Now, configure the settings for your WordPress website. Pay special attention to the permalink settings.
8. Reinstall plugins and themes
Since you deleted files related to themes and plugins, you need to reinstall them freshly from the WordPress repository. Don’t go for unauthorized or nulled plugins or themes. Refer to your backup files to replicate the customization you made before.
9. Remove all the backdoors you can identify
Hackers can enter your website backdoors. Backdoors look like WordPress core files but contain different extensions as follows.
- preg_replace (with /e/)
If any of your WordPress files carries such PHP functions, they might be malware in disguise. Remove these infected files right away. But, keep in mind that some plugins legitimately use such PHP functions to improve their functionality. Spare them to keep your website running without breaking.
10. Reach out to remove security warnings
Search engines and web hosting providers flag a website as malicious if it remains affected by malware for a long time. If you get any such security warning, you need to contact them to remove the warning after cleaning the malware. They’ll review your request and remove the warning if everything looks fine to them.
11. Install a security plugin to scan your website
You’re all done! Now install a security plugin to your WordPress site to tighten the security. Run a complete scan using the plugin to identify potential threats. Hopefully, you’ll face no issues after doing all the hard work. However, if you find anything after scanning, you can clean that using the plugin you’ve installed.
In the following section, we will show you how to remove malware from a WordPress site using a plugin.
Clean WordPress Malware with a Plugin (MalCare)
The manual process of cleaning WordPress malware is a bit complex, especially for people with low technical knowledge. A quality security plugin can unburden you from the painstaking steps of malware removal.
We used MalCare here as it is one of the best WordPress security plugins that keep the website secure with automatic scans, one-click malware removal, and a security firewall.
Let’s learn how you can clean WordPress malware with MalCare from the following section.
Step 1: Install the MalCare plugin to your WordPress website.
Go to your WordPress admin panel. Visit Plugins> Add New from the left sidebar. Search the MalCare plugin by searching its name on the search bar. Then install and activate the plugin.
Step 2: Connect MalCare to your website
Insert your email address on the welcome widget to connect your website with the MalCare security dashboard. Verify the email address by clicking on the link sent to you.
Step 3: Go to the security section of your MalCare dashboard
Visit the Security section of your MalCare dashboard. Scan your WordPress site and MalCare will automatically identify all malware with optimal accuracy. Click on the Clean Site button to get rid of the affected files.
MalCare employs a robust firewall that can protect your WordPress website from future potential attacks. So, with MalCare, you can clean the existing infected files and prevent future malware attacks.
How to Prevent Malware Attacks – 6 Handy Tips
Prevention is better than cure- this cliche sentence is applicable to this matter also. Isn’t it a great hassle to clean WordPress malware? You can avoid these painstaking things with the right prevention measures. Here are the five essential security tips that anyone should follow.
1. Keep Your Site Updated
Outdated software is often associated with security issues. Keep all your software updated including WordPress version, themes, plugins, PHP version, and more. The latest version of software comes with improved security patches. We recommend you have a backup before any major update. This way, you can prevent data loss.
2. Harden Your Website Security
This step includes the overall security of a website. Let’s put all these security measures in a bite-sized list.
- Limit your entry points by allowing only the authorized users to access your website’s backend
- Use strong passwords along with multi-factor authentication
- Keep your website hosted in an isolated hosting plan to avoid cross-contamination
- Use a renowned antivirus program for your operating system
- Use a quality website firewall to prevent brute force attacks and DDoS attacks.
3. Avoid Nulled Plugins
Apparently, nulled plugins look exactly like original plugins at cheaper prices. But, they are actually cracked versions of the premium plugin that can provide some of the features. Such plugins come with high-security risks and often come with malware. You should avoid using nulled plugins and install plugins from the official plugin website or WordPress.org only.
4. Choose a Proven Hosting Provider
There are hundreds of hosting providers in the market. Sadly enough, only a few of them have effective security systems to protect your WordPress site. Moreover, most hosting services don’t have a responsive support team that immediately addresses your problems and solves them.
That’s why we recommend choosing a reliable hosting provider that has a great security system and an active support team.
5. Make Sure Your Website Has an SSL Certificate
SSL- Security Sockets Layer is a digital security certificate that authorizes a website’s identity and ensures an encrypted connection between a web server and a browser. Having an SSL certificate is a basic security measure nowadays. Add an SSL certificate to your WordPress website to keep it secure across different web browsers.
6. Install a Security Audit Plugin & Scan Your Site Regularly
Install and activate a WordPress security audit plugin to ensure optimal security for your website. A security plugin alerts the users whenever there’s any security threat. And, you can detect the issues instantly by scanning the website using that plugin.
It’s a better practice to scan your website regularly so that you can stay one step ahead and prevent serious security issues in the primary stage.
FAQs on How to Clean WordPress Malware
1. Does WordPress have malware?
According to a report, 70% of the top 40,000 WordPress websites are vulnerable to cyber-attacks. Almost 90,000 attacks are targeting WordPress sites every minute. Malware attacks account for a significant percentage of these attacks.
2. How do I protect my WordPress site from malware?
You can secure your website by following the below steps:
1. Keep your CMS, plugins, themes, and other components updated
2. Use strong passwords and multi-factor authentication
3. Download/buy plugins and themes from only the official platforms
4. Install a security plugin and a website firewall
5. Scan your website regularly and clean WordPress malware (if any)
3. How do WordPress sites get hacked?
Malicious users/hackers look for websites that have low security and try to hack them. If your website is vulnerable and doesn’t follow the best WordPress security practices, it may become a victim of hacking.
4. How do I manually check for malware?
You can check the malware manually in the following ways:
* Examine the recently added/modified files
* Check the WordPress core files for unusual names
* Keep track of the number of pages created within your website
* Examine the .htaccess file to find out files with strange extensions
5. How do I check for malware warnings on Google?
Google marks a website as deceptive and shows a Malware warning page to the viewers if it detects malware on the website. And, sometimes it blocks the affected website from appearing on the search engine. You can check for malware warnings on your website by browsing it from an incognito window.
You can also look for user feedback related to malware attacks on your website. And check the email address that you used when connecting your website to the search console. You may receive an email from Google about the ongoing issues.
To sum it up, let’s conclude this blog with a precious expert tip. Cleaning WordPress malware is now easier with a plugin, but you will lose valuable website data if you fail to create a regular backup.
It’s pointless to restore a website from an old backup. If you’re serious about your WordPress website, you would publish content or make changes almost every day. So, clean WordPress malware but create a backup beforehand. Daily backup is the best, if you publish fewer contents, weekly backup is a more suitable option.
Md. Tanvir Faisal is a Content Writer at WP Hive with 4 years plus experience in Content Writing, Copywriting, Proofreading, and Editing. He focuses on writing informative content that draws social media attention and enhances search engine visibility. To date, he has successfully developed useful content for many websites across all formats.