Noob’s Guide To Removing Malware From A WordPress Website

This guide is for website owners and digital marketing consultants who don’t know much about web development. Getting hit by a malware infection is still something that happens, and continues to happen to websites. It’s actually not as rare an occurrence as I thought it would be. This site actually got hit by malware last year, along with a few other sites on the server. I guess it may have been due to my negligence regarding my websites. (As I mentioned in my earlier post, I had been neglecting my websites, because I had to focus on my clients’ sites.)

For most people, getting hit by malware can come as a surprise. A malware infection is not something that only happens to ‘bad’ people. Malware can actually be described as a proponent of equal rights, in the sense that it treats all websites equally. Everyone’s a target. (Insert smile here.)

The Top Reasons Why A Website Gets Hit By Malware

• You did it! Malware hits computers. Infected computers log onto the backend of websites. It’s the main, or one of the main reasons why a website gets hit by malware. You would be surprised how many computers don’t even have an antivirus installed. Drive-by infection occurs when you visit an infected website and get the infection which you can spread to your website. Plus, compounded with the rise of mobile and infected mobile operating systems that connect to your computers, this number goes up. Just do yourself a favor and install an antivirus program/app on your devices.
  

• Work on your core. WordPress updates regularly. This is because they are always trying to serve users a better product, and part of this product development is the security and maintenance updates. The WordPress platform has millions of users, and it follows that it is a target for malware. This is why it is important that WordPress powered websites should take advantage of the updates that WordPress releases. Not updating your website’s core is like leaving a door open for attacks. There are options and plugins that allow a WordPress website to auto-update.

• It can be thematic. Themes are part of a WordPress powered website. They add functionality and layout options to a WordPress site. It’s part of the charm of using a CMS, I think. With a click of a button, you can change the look and functionalities available to a WordPress site. However, themes are created by 3rd parties, and sometimes they don’t update their themes right away. During this time, a theme’s files may leave you open to malware. So, update update update.
  

• It’s plugged in. Plugins are another part of a WordPress-powered website. They extend the functionality of a WordPress website. Like themes, they are created by 3rd parties and are also as susceptible to exploits. The same rule of thumb applies when choosing your plugins. It’s usually better to choose plugins which have more feedback and are used by more websites. These plugins are updated more frequently and help stave off malware attacks.

Confirmed? Confirmed.

The first thing in this process is to establish an actual malware infection. Usually, an issue on your website can be explained by a coding error, but for noobs like me, this is pretty rare, since I don’t change the code on my backend. I just change settings or change the settings on plugins or themes I’ve installed.

When a website gets hit by a malware infection, it receives a Google warning like the picture above and a near immediate drop in search result rankings and conversions. (Because you really don’t want to stay on a website that may compromise your security, right? Plus, it’s scary to see this in a browser, right?)

Google Search Console and your hosting service will notify you that malware has been detected on your site, and they will give you some information regarding the infection. Your hosting may then promote their malware specialist third-party partner to help with the issue. In my case, my hosting is Hostgator, and their third-party security partner is Sitelock. These security partners may charge you about $200 per site to fix the issue. For some clients who have multiple sites on their server, this amount can be substantial.

If you’ve received these warning alerts, you can confirm the existence of malware on your website.

Let’s get to removing it.

How To Remove Malware From A WordPress Website

Note: In my case, my affected hosting plan was my old shared server account at Hostgator. Using a shared server is actually the best thing to do when you’re starting out because it allows you to put up multiple websites for the cost of one hosting. However, the drawback to this situation is that it is exactly what it is — the hosting is shared. If you have multiple sites on your shared server, they have the chance of cross-contamination, and this can leave you in a pickle if even one website on that server is hit. I had to go attend to all the sites on the shared server, just to be sure, right? So, once a website starts to earn, I would advise you put them on their own plans because they’re already established as moneymakers.

1. Disinfect Your Tools. Don’t touch anything until you finish checking your gear. Get a decent antivirus and check all points of contact to your website. This means checking all the devices that touch the backend. In my case, it meant all the laptops that edit/upload files to websites. 
2. You Shall Not Pass. Look for a decent password generator. Generate some secure passwords, something like gm19n$9sGV7d6&kfvZd$7CNm^. It’s more than 20 characters, has numbers, upper and lower-case letters, and symbols. Once you have your passwords, change EVERYTHING. (Hosting, Database, FTP, WordPress passwords.) Document these passwords in a safe place, and make extra passwords. We’re going to have to change passwords more than once, so getting them prepped at this stage will save you some time. Log in to your wp-admin. If you can’t, this can be due to two things. Someone hates you and changed passwords behind your back, or your friendly neighborhood malware changed your password. In any case, you need to reestablish access. Open your hosting, go to PHPMyAdmin, open your website’s database, and look for the wp-users table. Click on that, and you’ll see your username (user_login) and password (user_pass). You may also see some users that you don’t recognize. If this happens, delete those users, and prepare your password. Click on the ‘edit’ option on your user, and under the function column, on the user_pass row, click on the drop-down and select MD5. Enter your new password there. take note of it, and let’s move on.
3. Are You Down For It? This is something of an SEO issue. But it’s really important that you figure out how long do you think it will take you to fix the issue. We have to put the site down for a while to make sure we get all instances of the malware. It won’t be for long, but you have to consider when is the best time to do it, usually when there’s not much traffic on your site. If you think it may take you some time, preparing a maintenance page to tell people and search engines that you’ll be back online in a bit may be best. Check out this old post from Moz which talks about the different ways you can go about it.
4. Reboot. It’s time to ‘reboot’. It will take too much time to manually check each file for malware, so the most efficient way to handle a malware infection on your website is to simply delete the whole WordPress installation on your backend. There is an option on your backend, where you can update your version of WordPress, but this just updates the files that need updating. That method won’t remove/replace everything. Might as well just do everything at the same time. Head over to the official WordPress download page and get a pristine copy of the CMS.
5. Get Your Hands Dirty. It’s time to get into the website’s files. There are two ways to do this, via your hosting control panel and FTP. For the hosting control panel, open the hosting panel, and go to the file manager and open the files for your domain. Hosting control panels are pretty much the same in function, and they just have some differences in the layout. For FTP, you need to have a third party application like Filezilla. I’m sure there are other worthy alternative FTP applications, but I never bothered to explore them. I actually use both methods for accessing the backend. I’ve learned that deleting files is faster on the file manager, and it’s easier uploading folders via FTP. But either will do if you choose to only use one method.
6. When In Doubt, Delete. The first thing you have to do is compare the installed files with a clean installation. What normally happens when you have a malware infection is the creation of additional files that you didn’t authorize. Oh, and looking at this list, take into consideration the files that you may have added before like the different files search engines ask you to add to the root folder of your domain.A typical installation of WordPress looks something like this:wp-admin
   wp-content
   wp-includes
   index.php
   license.txt
   readme.html
   wp-activate.php
   wp-blog-header.php
   wp-comments-post.php
   wp-config.php
   wp-config-sample.php
   wp-cron.php
   wp-links-opml.php
   wp-load.php
   wp-login.php
   wp-mail.php
   wp-settings.php
   wp-signup.php
   wp-trackback.php
   xmlrpc.php

   Just leave the wp-content folder and the wp-config.php file. Delete everything else.

   After deleting, the folder will look like this:

   wp-content
   wp-config.php

7. I Spy Malware! This is the part when you will get to meet your troublemaker and his friends. You may already have met him in the last step, and you may have already deleted an instance. But in this step, you can look it in the eyes if you wish. Select the wp-config.php file and (right-click) edit it.If you see this long string of gibberish, it means that the file is infected. (Well, if you’re a noob like I was, all code seems like gibberish.) Just to be sure, we can compare files. Earlier, I mentioned that you should get a fresh WordPress installation file. You can unzip that file, and compare your wp-config.php file with the wp-config-sample.php file. How the wp-config-sample.php file looks is how your wp-config.php should look like. If it looks too different, with the instance of that long string of code, you’ve got an infected file. If the wp-config.php gives you any cause to doubt, just delete it. Just get the fresh copy of wp-config-sample.php and rename it to wp-config.php. 
8. Time Capsule On! At this point, you have to take inventory of the items you have on your website. You’ll need these notes when you’re recreating your website.  Let’s open the wp-content folder. This where all the files you added to your website should be.It should look like this:plugins
   themes
   uploads
   index.php

   Delete the index.php file, and open the plugins folder. Take note of all the plugins you have installed, then delete all the contents of the plugins folder. Open the themes folder. Take note of the theme you’re currently using. Then delete the contents of the themes folder. You can actually just delete the plugins and themes folders and recreate them later on.Open the uploads folder and check the folders. This is where all the images and files you uploaded will be. Take note of the items that you need to recover. If you have clean copies on your computer, you can just go ahead and delete the uploads folder and replace it later. I did this another way. I just searched through the folders for instances of malware. What I look for here are .php files that may have been injected. I used to do this manually by going through each and every file in the uploads folder, but there’s an easier way to do this. On the file manager panel, there is a search field. There are three options there when searching for files.

   These are:

   All Your Files
   Only public_html
   Current Directory

   Just choose Current Directory, and run a search for .php files. Normally, there is just one file that should be there, an index.php file. In the event that there are other .php files, check them to see if there is any gibberish. If there is, delete with a vengeance. If you’re using a shared server with other website installations, you should do all of the steps up to this point on all the other websites before continuing.

9. Let’s Burn The Bridge When We Get There. We’re going to disconnect all the users logged on to the website as a precaution. All installations of WordPress have secret keys and salts. Open the WordPress Secret Key page. Copy the keys you see there. Every time you refresh that page, a new set of keys will be made. There’s no need to save these keys because you only need to copy it onto the clean wp-config.php file. However, you should take note of this page, since we will be visiting quite often, as we change the passwords to the site. While your wp-config.php file is open, you should also take note of the database line. This is where you should put the database password to your website when you change it on the hosting. The passwords on the hosting and on the wp-config.php file should match for a connection to be established, or else you’ll get an error message on your browser. Now that we’ve replaced this, go ahead and replace all your passwords again. (Hosting, Database, FTP, WordPress passwords.)
10. Here Comes The Cavalry. It’s time to bring the boys home…and when I say boys, I mean WordPress files. Time to dig out the official WordPress installation file. Upload the files, and if you deleted the plugins and themes folders you can recreate them now. Upload all the plugins and the themes that you will be using. Once the files and the folders are all back in place, it’s time to check everything.

At this point, you should have successfully purged your website of malware and restored all functionality. Now let’s focus on making it more difficult for malware to affect your website in the future.

How To Harden Your Website

There are a few things you can do to ‘harden’ your website to malware attacks. You can decide to use some of these things, a combination, or everything on this list.

• Be Kind, Rewind. If you had a backup system in place, you could have just restored the website to its condition before the malware infection. Could have saved you some time spent worrying about this issue, right? You can do this through your hosting, or through plugins that can be added to your WordPress website.
• White Picket Fences. Install a security plugin. I prefer Wordfence, but it’s just my preference since there are a lot of people who use this service and they update frequently. Just go to the plugins section and select add new. Do a search for Wordfence and you should find it easily. If you want to check out the other plugins who can do the job, do a search for that term ‘security‘. Once you’ve chosen, just install and follow the instructions for setting things up.
• Update, Update, Update. So, what I mean to tell you is…you guessed it…update regularly. Update WordPress, your themes, and the plugins you have installed.  Most of the possible exploits can be avoided if you keep your website updated.

Now that your website is all fixed, the only thing left to do is to reach out to your hosting and Google Webmaster tools to ask for a review of your website. Their review won’t take long, and you can dispel the warning placed on your website. Once you get your notification that the site’s warning message has been lifted, it’s time to get back to work!