Malware Removal Checklist for WordPress – DIY Security Guide

 

You may not have expected me to write this post. Nor did I ever think of writing such a post. But I did. You can blame GoDaddy for that.

They made me learn (almost) every trick in the book about WordPress security issues. The majority of bloggers, regardless of their background or expertise, use WordPress day in, day out, so WordPress security is of paramount importance to all of us.

 

A cookie-cutter list is not going to help you

They say experience is a great teacher, and that is so true, especially when you go through something as horrific as a malware attack and there is nobody out there to help you.

You contact your host and they send you a cookie-cutter list to fix the malware yourself.

You contact Google and again you are given a cookie-cutter list to fix the malware yourself.

You follow these cookie-cutter guidelines and sometimes you actually fix the malware issue on your own. But most of the time these lists don't work.

There are two main reasons for this:

First, to follow the instructions given in such a list, you must have a good understanding of your CMS (content management system). You must know what you are playing with and how it will affect the website. One wrong move and you may end up deleting your website files or the entire database.

Second, you must know exactly where to look and what needs to be done to fix the malware issue.

After recent malware attacks from Russian websites, despite using security services, I was pretty much convinced that I can't rely on such services anymore. These services claim to protect your website from malware, which I have found to be a marketing scam.

They do scan your website and alert you to malware, but they don't do anything to prevent your site from being infected in the first place.

Most of them scan your website only once a day, and one day is more than enough for a hacker to inject malware into your website.

One day is also enough for Google to issue a malware warning for your website.

In fact, in my experience none of these services can alert you to malware issues faster than Google. I have hired several of these so-called malware protection companies and they all failed miserably at finding and alerting me to malware issues on time.

In fact, the best malware scanner out there at the moment is Google Chrome.

Google Chrome sniffs out malware faster than any paid malware scanner out there.

I did a lot of work and research to make sure that my website is safe and secure for our visitors. What I am going to present next is what I actually do to find and fix malware issues.

 

Take down your website

As soon as you detect malware on your website, take it down, both to stop serving the malware to your visitors and to prevent hackers from abusing it further.

There is no point working on a live website while hackers are busy injecting malicious code from the other end at the same time.

Follow the steps below to put your website under maintenance in an SEO-friendly manner:

Step-1: Create a 'website under maintenance' web page and name it 503.php. Put the following PHP code at the very top of the page (before the <html> tag):

<?php
header("HTTP/1.1 503 Service Temporarily Unavailable");
header("Status: 503 Service Temporarily Unavailable");
header("Retry-After: 3600");
?>

This code returns a 503 status, which tells search engines that your website is temporarily unavailable rather than gone. The Retry-After header tells them to try crawling the website again after 3600 seconds (one hour). The PHP block must be the very first thing in the file: any output before it, even a blank line, is sent to the browser first and PHP will then refuse to set the headers.

Note: Google also recommends returning a 503 status code when your website is under maintenance.

Also insert the Google Analytics tracking code in the head section of the 503.php page to keep track of website visitors during the downtime.

 

Step-2: Add the following lines at the top of your .htaccess file, replacing 111.111.111.111 with your own public IP address so that you can still reach the site while you work on it:

RewriteEngine on
RewriteCond %{REMOTE_ADDR} !^111\.111\.111\.111
RewriteCond %{REQUEST_URI} !/503.php$ [NC]
RewriteRule .* /503.php [R=302,L]

These rules send every request, from every address except the one listed, to the 503.php page. So no matter what page a visitor accesses on your website, he or she is automatically redirected to 503.php. One caveat: with the R=302 flag the original URL itself answers with a 302 and only /503.php answers 503. If you want the original URLs to return 503 directly, remove the R=302 flag (keep [L]) so that Apache serves 503.php internally without changing the URL. Either way this only keeps visitors away from the infected pages; an attacker who already holds your FTP or database credentials is not locked out, which is what the next step addresses.

 

Change all the passwords

In order to prevent hackers from further abusing your website, change the passwords associated with your WordPress admin panel, hosting control panel, FTP account and especially your database. Use a different, long password for each.

You can change your database password by going to the database section in your hosting control panel.

When you change your database password, you should immediately edit your wp-config.php file and update the database password there too.

Failing to do so will result in the error message “error establishing a database connection” when you try to access your website via web browser.

Open your wp-config.php file via File Manager (or FTP) and locate the section that looks like this example:

/* The name of the database for WordPress */
define('DB_NAME', 'putyourdbnamehere');

/* MySQL database username */
define('DB_USER', 'usernamehere');

/* MySQL database password */
define('DB_PASSWORD', 'yourpasswordhere'); // <= update your password here

/* MySQL hostname */
define('DB_HOST', 'localhost');

 

Change WordPress Security Keys and Salts

WordPress uses four different security keys to sign the cookies it issues to logged-in users, so that a cookie cannot be forged without knowing the key, and to make your website harder to crack.

These secret keys are randomly generated character strings and are used together with four different salts (which are also randomly generated character strings).

You can see the security keys and salts by opening your wp-config.php file:

[screenshot: wordpress-security-keys – the eight define() lines in wp-config.php: AUTH_KEY, SECURE_AUTH_KEY, LOGGED_IN_KEY, NONCE_KEY and the matching _SALT values]

You should change all these security keys and salts in order to invalidate all the cookies issued for your website, including any session a hacker is still holding, and make your website harder to hack again. One caveat: all the users who can log in to your website will have to log in again.

You don't need to remember or store these keys like your regular passwords. But make sure that you don't share them either.

You can change the value of these keys either manually (by using a long, complex, randomly generated character string like the ones shown in the image above) or by using the official WordPress security key generator: https://api.wordpress.org/secret-key/1.1/salt/

Note: I used the official WordPress security key generator to randomly generate the security keys for this blog post (used in the image above). These are not the security keys I use for optimizesmart.com. Don't use these keys for your website.
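As an added example (not code from the original post), the rotation can be scripted rather than pasted by hand. The Python below rewrites the eight define() lines of a wp-config.php text with fresh values drawn from the OS random source, adds any define that is missing just before wp-settings.php is required, and runs on a constructed wp-config fragment. The 64-character format copies what the api.wordpress.org generator emits and is an assumption; WordPress itself accepts any string. Run it on a copy of the real file, check the diff, then upload.

```python
import re
import secrets

# The eight constants WordPress reads from wp-config.php to sign its cookies.
WP_KEY_NAMES = (
    "AUTH_KEY", "SECURE_AUTH_KEY", "LOGGED_IN_KEY", "NONCE_KEY",
    "AUTH_SALT", "SECURE_AUTH_SALT", "LOGGED_IN_SALT", "NONCE_SALT",
)

# Printable characters without quotes or backslashes, so a value can sit inside
# a PHP single-quoted string unescaped. Assumption: 64 characters from this
# set, matching the official generator's output; WordPress accepts any string.
_ALPHABET = (
    "abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789"
    "!@#$%^&*()-_ []{}<>~`+=,.;:/?|"
)

_DEFINE_RE = re.compile(
    r"(define\(\s*['\"](" + "|".join(WP_KEY_NAMES) + r")['\"]\s*,\s*['\"])"
    r"[^'\"]*"                 # the current value: placeholder or old secret
    r"(['\"]\s*\)\s*;)"
)


def generate_key(length=64):
    """Fresh secret from the OS CSPRNG (secrets), never from random.random()."""
    return "".join(secrets.choice(_ALPHABET) for _ in range(length))


def rotate_keys(config_text):
    """Give every key/salt define() in a wp-config.php text a new value.

    Returns (new_text, new_values). Defines that are missing are inserted
    just before the line that requires wp-settings.php, so WordPress sees them.
    """
    new_values = {}

    def replace(match):
        name = match.group(2)
        new_values[name] = generate_key()
        return f"{match.group(1)}{new_values[name]}{match.group(3)}"

    text = _DEFINE_RE.sub(replace, config_text)

    missing = [name for name in WP_KEY_NAMES if name not in new_values]
    if missing:
        lines = []
        for name in missing:
            new_values[name] = generate_key()
            lines.append(f"define('{name}', '{new_values[name]}');")
        block = "\n".join(lines) + "\n"
        marker = re.search(r"^.*wp-settings\.php.*$", text, re.MULTILINE)
        if marker:
            text = text[:marker.start()] + block + text[marker.start():]
        else:
            text += "\n" + block
    return text, new_values


# Constructed wp-config.php fragment: stock placeholders, NONCE_SALT missing.
SAMPLE_CONFIG = """<?php
define('DB_NAME', 'putyourdbnamehere');
define('AUTH_KEY',         'put your unique phrase here');
define('SECURE_AUTH_KEY',  'put your unique phrase here');
define('LOGGED_IN_KEY',    'put your unique phrase here');
define('NONCE_KEY',        'put your unique phrase here');
define('AUTH_SALT',        'put your unique phrase here');
define('SECURE_AUTH_SALT', 'put your unique phrase here');
define('LOGGED_IN_SALT',   'put your unique phrase here');
require_once(ABSPATH . 'wp-settings.php');
"""

if __name__ == "__main__":
    rotated, values = rotate_keys(SAMPLE_CONFIG)
    print(rotated)
    print(f"{len(values)} keys rotated")
```

Running it a second time on the rotated output replaces the values again, which is the point: rotation is something you do after every incident, not once.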

 

Take a backup of your WordPress theme files & other important files

Though your website has been infected, it still contains valuable data. You don't want to lose this data if something goes wrong during the clean-up and you end up deleting or corrupting all your files.

To take a backup of your WordPress site, first back up the folder /wp-content/ via FTP.

This folder contains all your plugins, themes, images and videos. Keep this copy apart from your regular backups and treat it as infected: it is there for recovery, not for uploading back to the server as it is.

Then take a backup of the following files, which are unique to your particular WordPress installation:

  1. /wp-config.php – This file stores your database information (database name, username, password, host) and your security keys. It is a very important file. You can find it in the root folder via FTP.
  2. /.htaccess – Another important file, for server access control and redirects. You can find it in the root folder via FTP.
  3. /favicon.ico – This is your website favicon file. You can find it in the root folder via FTP.
  4. /robots.txt – This file gives instructions about your site to web crawlers/bots. You can find it in the root folder via FTP.

 

Take Backup of the wordpress database

Your wordpress database contains all your pages, blog posts and comments.

If your database gets corrupted or deleted, you will lose all your pages, blog posts and comments for good.

To take a backup of your database, go to the database section in your hosting control panel and click the icon for your database type (MySQL, which is what WordPress uses):

[screenshot: database-backup – the database section of the hosting control panel]

From the Actions menu select 'Backup':

[screenshot: database-backup2 – the Actions menu with the Backup entry]

Note down the backup file name and the file location. The location is generally /_db_backups.

Once the backup has finished, go to the folder where your database file is located (in our case /_db_backups) via FTP and download this file.

Make sure the backup has completed and that you have the most recently created database file in the folder before you download it via FTP.

For a manual backup, check out this post: http://codex.wordpress.org/WordPress_Backups

Take a backup of your website, database and other important files at least once a month and before upgrading to the latest version of WordPress.

Make at least two copies of the backup files/folders and store them on different hard disks in case one backup gets deleted/corrupted.

 

Use Google Chrome & Google Webmaster Tools to quickly identify malware issues

Google Chrome detects malware faster than any expensive malware scanner out there.

Always use Google Chrome to browse your website and other websites, for this reason alone. It can sniff out malware very fast, sometimes well before the malware warning turns on in Google Webmaster Tools.

Sometimes you can prevent Google from labelling your website as infected, if you act promptly and immediately remove the malicious code/files from your server.

Visit the Google Safe Browsing diagnostics page for your site:

(http://www.google.com/safebrowsing/diagnostic?site=www.mywebsite.com)

Replace www.mywebsite.com with your domain name. This page gives you some clues about the malware issue. For example:

[screenshot: safe-browsing – Safe Browsing diagnostic page listing the domains that host the malware]

Here the malicious software is hosted on the websites enclosed in the rectangle in the screenshot, and links to those websites have been secretly inserted somewhere into your website by the hackers.

You need to find these links and remove them from your files. Hackers generally put them somewhere in your WordPress theme files.

Sometimes they upload their own files onto your server. You can either remove the malicious code/files manually or use software that does it for you.

Here I found one interesting thing about Google.

If you visit the Safe Browsing diagnostic page for google.com, you can see that Google itself is infected with malware and so ideally it should block itself. But Google has chosen not to label itself as an infected website.

[screenshot: safe-browsing2 – Safe Browsing diagnostic page for google.com]

Anyway, now log into Google Webmaster Tools to get more details about your malware issues.

Go to Health > Malware and look at the sample URLs with malware. Sometimes these URL samples let you quickly find and remove the malicious files on your server.

Use the Fetch as Google tool (under the Health menu in Google Webmaster Tools) to see a page exactly as Googlebot received it. Some infections serve the malicious code only to search-engine crawlers, so you cannot see it in your own browser.

Note: You can also use the free website malware scanner http://sitecheck.sucuri.net/scanner/ to get some information about the type of malware and the type of infection.

 

Check folders for malicious files on your web server

1. Download a fresh copy of WordPress, ideally the same version your site runs, and store it on your hard disk.

2. Now browse the WordPress files in the various folders on your hard disk to get a feel for which files are normally included in a typical WordPress installation.

3. Once you have browsed the folders, access your web server via FTP and look for suspicious files (files which should not be there but are) in the /wp-content/, /wp-admin/ and /wp-includes/ folders.

For example, the file css.php is not present in the /wp-includes/css/ folder of a stock WordPress installation.

If you find one, it is most probably malware. Take a backup of this file and then remove it from the server, so that if something breaks in your website functionality you can restore the file.

Comparing the names, number and contents of the files on your server with those in the fresh WordPress download is a very good way to find malicious and modified files.

The /wp-content/uploads/ folder is one of the hackers' favourite places to store malicious files, because the web server must be able to write to it. So always check this folder, and treat any .php file inside it as suspicious.

 

Check files for malicious code on your web server

Sometimes hackers don't upload malicious files; instead they insert malicious code into your existing WordPress files.

Hackers especially target files that survive WordPress updates/re-installation, like your theme files.

Malicious code is generally inserted via IFRAME and NOSCRIPT tags, so look especially for these elements in your files.

The malicious code can be a link to an executable file (.exe, .cmd etc.) or a script which downloads malware or redirects users to sites that host malware.

 

Look for invisible IFRAMES

Look for IFRAME tags with width=0 and height=0 (or hidden with CSS such as display:none) in the HTML code of your web pages. These are invisible iframes and are generally placed at the very top or very bottom of the HTML code of a web page.

 

Look for strange-looking code

Look for unintelligible blocks of numbers, letters and symbols in your files' code and remove them. For example:

%wwwww%xxxxxx%yy%%%\u9900\u

This is obfuscated (encoded) code, commonly used by hackers to hide malware: the real payload is URL-encoded, hex-escaped or base64-encoded and only decoded at run time with functions like eval(), unescape() or base64_decode(). Use the 'custom filters' of Screaming Frog SEO Spider to find such code in your pages.
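An added Python scanner (not from the original post) that encodes the indicators described in the last three sections as regular expressions and runs them over a constructed theme footer: a zero-size iframe, an eval(unescape(...)) call with its URL-encoded blob, an iframe inside noscript and a link to an .exe, next to a legitimate script tag and PDF link that must not be flagged. The host bacxwq.example is a made-up name. Regex signatures miss anything they were not written for, so use the hit list as a starting point for reading the file, not as a verdict.

```python
import re
from pathlib import Path

# Indicator patterns: an illustration of the injection styles described above
# (hidden iframes, noscript payloads, executable links, encoded blobs fed to
# eval/unescape/base64_decode). Not an exhaustive signature set.
INDICATORS = [
    ("hidden iframe",
     re.compile(r"<iframe\b[^>]*\b(?:width|height)\s*=\s*[\"']?0\b[^>]*>", re.I)),
    ("iframe hidden by CSS",
     re.compile(r"<iframe\b[^>]*style\s*=\s*[\"'][^\"'>]*"
                r"(?:display\s*:\s*none|visibility\s*:\s*hidden)", re.I)),
    ("script or iframe inside noscript",
     re.compile(r"<noscript\b[^>]*>\s*<(?:script|iframe)\b", re.I)),
    ("eval of decoded payload",
     re.compile(r"\beval\s*\(\s*(?:base64_decode|gzinflate|gzuncompress|str_rot13"
                r"|unescape|String\.fromCharCode)\s*\(", re.I)),
    ("long escaped blob",      # 12+ consecutive %XX, \xXX or \uXXXX escapes
     re.compile(r"(?:(?:%[0-9a-f]{2}|\\x[0-9a-f]{2}|\\u[0-9a-f]{4})\s*){12,}", re.I)),
    ("link to executable",
     re.compile(r"\b(?:href|src)\s*=\s*[\"']?[^\"'\s>]+\.(?:exe|cmd|bat|scr|pif)\b", re.I)),
]


def scan_text(text, max_snippet=70):
    """Return sorted [(line_number, label, snippet)] for every indicator hit."""
    hits = []
    for label, pattern in INDICATORS:
        for m in pattern.finditer(text):
            line_no = text.count("\n", 0, m.start()) + 1
            hits.append((line_no, label, m.group(0)[:max_snippet]))
    return sorted(hits)


def scan_tree(root, suffixes=(".php", ".js", ".html", ".htm", ".txt")):
    """Scan every text-like file under root (theme files, uploads, .htaccess)."""
    report = {}
    for p in Path(root).rglob("*"):
        if p.is_file() and (p.suffix.lower() in suffixes or p.name == ".htaccess"):
            hits = scan_text(p.read_text(errors="replace"))
            if hits:
                report[str(p)] = hits
    return report


# Constructed sample: the tail of a theme's footer.php after an infection.
SAMPLE_FOOTER = """\
<div id="footer">
  <p>&copy; 2012 Example Blog</p>
  <script src="/wp-content/themes/twentyeleven/js/menu.js"></script>
  <a href="/downloads/report.pdf">Download the report</a>
</div>
</body>
</html>
<iframe src="http://bacxwq.example/in.cgi?3" width="0" height="0" frameborder="0"></iframe>
<script>eval(unescape('%3C%73%63%72%69%70%74%3E%64%6F%63%75%6D%65%6E%74%2E%77%72%69%74%65'))</script>
<noscript><iframe src="http://bacxwq.example/nojs"></iframe></noscript>
<a href="http://bacxwq.example/update.exe">Update Flash Player</a>
"""

if __name__ == "__main__":
    for line_no, label, snippet in scan_text(SAMPLE_FOOTER):
        print(f"line {line_no}: {label}: {snippet}")
```

Everything after the closing </html> tag is already suspicious on its own; the scanner just names what is there. Point scan_tree() at a downloaded copy of /wp-content/themes/ and at the uploads folder, and read every flagged file in full rather than deleting the matched line only.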

 

Scan user generated areas of your website

User-generated areas like comments are commonly used to inject malware and spam.

Use the 'custom filters' of Screaming Frog SEO Spider to search for spam words (like viagra, buy, porn, casino, insurance, work at home etc.) on your website.

You can also use the site: search operator on Google.com to find spam on your website.

For example: site:www.abc.com viagra will return all the pages (if any) on your website that contain the word 'viagra'.

Also keep an eye on the search queries report in Google Webmaster Tools. If your website is getting a lot of impressions for search terms like 'casino', then your website may be affected by malware/spam.

 

Scan your internal and external links

Scan all of your internal and external links and look for links to unfamiliar sites. The websites hosting malware generally have unintelligible names like bacxwq and end with .ru (sorry, Russia).

You can scan your links through screaming frog SEO spider, Google Webmaster tools or through tools like ‘open site explorer’.

 

Check for open redirects

Open redirects are redirects whose destination is taken from the request (for example a URL parameter) without being checked, so they can send a visitor anywhere.

They are commonly abused by hackers to redirect your website visitors to websites that host malware, and because the link starts with your own domain it looks trustworthy. Look out for URLs like: www.abc.com/db.php?url=

I have not found any easy way to fix the open redirect issues. You need to take help of your web developer or system administrator.
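The fix a developer would apply is an allow-list on the destination. The Python below is an added example (not from the original post) of that check, written for a hypothetical db.php?url= handler with www.abc.com as the site's host; it shows the cases a naive startswith('/') check gets wrong. The same logic ports directly to PHP's parse_url().

```python
from urllib.parse import urlsplit

# Hosts this site may redirect to. Assumption for the example; on a real site
# this is the site's own host name(s) and nothing else.
ALLOWED_HOSTS = {"www.abc.com", "abc.com"}


def is_safe_redirect(target, allowed_hosts=ALLOWED_HOSTS):
    """Allow-list check for a redirect destination that came from the request.

    Accepts a path on this site ('/wp-admin/') or an absolute http(s) URL whose
    host is on the allow-list. Refuses other hosts, scheme-relative '//evil',
    'javascript:' and 'data:' schemes, backslash variants that browsers treat
    as slashes, and 'https://www.abc.com@evil.example' userinfo tricks.
    """
    if not target or any(ord(c) < 32 for c in target):
        return False
    # Browsers parse '\' as '/', so '/\evil.example' would slip past startswith('/').
    normalized = target.strip().replace("\\", "/")
    try:
        parts = urlsplit(normalized)
    except ValueError:                    # malformed IPv6 brackets and the like
        return False
    if parts.scheme:
        if parts.scheme.lower() not in ("http", "https"):
            return False
        if parts.username is not None or parts.password is not None:
            return False
        return (parts.hostname or "").lower() in {h.lower() for h in allowed_hosts}
    if parts.netloc:                      # '//evil.example/x': scheme-relative, external
        return False
    return normalized.startswith("/") and not normalized.startswith("//")


def resolve_redirect(url_param, allowed_hosts=ALLOWED_HOSTS, fallback="/"):
    """Hardened stand-in for the PHP pattern  header('Location: ' . $_GET['url']);
    Returns the destination to send, or the fallback when the target fails the check."""
    return url_param if is_safe_redirect(url_param, allowed_hosts) else fallback


if __name__ == "__main__":
    for candidate in ("/wp-admin/", "http://evil.example/", "//evil.example/",
                      "/\\evil.example/", "https://www.abc.com@evil.example/",
                      "javascript:alert(1)", "https://www.abc.com/page"):
        print(f"{candidate!r:45} -> {resolve_redirect(candidate)}")
```

Whether a redirect parameter is needed at all is the first question; where it is, store an identifier and look the URL up server-side instead of accepting a URL from the request.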

 

Check where your website is sending traffic

If you do exit tracking (outbound link tracking) at site level, you can easily find out where your website is sending traffic, and a redirect you did not create will show up there.

 

Check your .htaccess file

This file is one of the hackers' favourites and is commonly used to add malicious code.

The code is generally added to redirect your website visitors to websites that host malware, often only for visitors arriving from a search engine, so that you do not see it when you open your own site. While checking this file for malicious code, make sure that you check the entire file from top to bottom.

Sometimes the malicious code starts after hundreds of empty lines in your .htaccess file. This is done to keep the code off-screen so that it is not noticed.

 

Check your wp-config.php file

In a stock installation this file is short (well under a hundred lines) and ends with the following line of code:

require_once(ABSPATH . 'wp-settings.php');

Hackers generally insert malicious code after that line. Again, while checking this file for malicious code, make sure that you check the entire file from top to bottom.

Sometimes the malicious code starts after hundreds of empty lines in your wp-config.php file.

 

Check index.php file

In this file the malicious code is generally added between these two lines:

require('./wp-blog-header.php');
?>

Nothing belongs between them in a stock index.php, so delete everything you find there.
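The three checks above (.htaccess, wp-config.php and index.php) can be automated. The following Python is an added example, not from the original post: it reports the longest run of blank lines in a file, the lines that follow the wp-settings.php require in wp-config.php and the wp-blog-header.php require in index.php, and .htaccess directives that redirect to another host, test the referrer or user agent, or sit after the # END WordPress marker. The sample files are constructed, with 300 and 200 blank lines of padding and a made-up bacxwq.example destination; the regexes assume the require spellings WordPress has shipped over the years.

```python
import re

# Markers that end a stock wp-config.php and a stock index.php. Assumption: the
# patterns cover require('./wp-blog-header.php'), dirname(__FILE__) . '/...'
# and __DIR__ . '/...', the spellings WordPress has shipped.
_WP_SETTINGS_RE = re.compile(
    r"require_once\s*\(?\s*ABSPATH\s*\.\s*['\"]wp-settings\.php['\"]\s*\)?\s*;", re.I)
_BLOG_HEADER_RE = re.compile(
    r"require\s*\(?\s*(?:(?:__DIR__|dirname\s*\(\s*__FILE__\s*\))\s*\.\s*)?"
    r"['\"]\.?/wp-blog-header\.php['\"]\s*\)?\s*;", re.I)


def longest_blank_run(text):
    """Longest run of consecutive blank lines. Hundreds of them in a config file
    is a red flag by itself: they push appended code below the editor window."""
    longest = run = 0
    for line in text.splitlines():
        run = 0 if line.strip() else run + 1
        longest = max(longest, run)
    return longest


def _code_after(marker, text):
    """Non-blank lines after the marker, ignoring a closing ?> tag.
    None means the marker itself is missing, which also deserves a look."""
    m = marker.search(text)
    if m is None:
        return None
    return [l for l in text[m.end():].splitlines() if l.strip() and l.strip() != "?>"]


def code_after_wp_settings(config_text):
    return _code_after(_WP_SETTINGS_RE, config_text)


def code_after_blog_header(index_text):
    return _code_after(_BLOG_HEADER_RE, index_text)


def suspicious_htaccess_lines(htaccess_text):
    """Directives that send visitors elsewhere, plus anything after '# END WordPress'."""
    findings, after_end = [], False
    for no, line in enumerate(htaccess_text.splitlines(), 1):
        s = line.strip()
        if s.lower() == "# end wordpress":
            after_end = True
            continue
        if not s or s.startswith("#"):
            continue
        if after_end:
            findings.append((no, "after END WordPress", s))
        if re.match(r"(?:RewriteRule|Redirect(?:Match|Permanent|Temp)?|ErrorDocument)\b.*https?://", s, re.I):
            findings.append((no, "external redirect target", s))
        if re.match(r"RewriteCond\s+%\{HTTP_(?:REFERER|USER_AGENT)\}", s, re.I):
            findings.append((no, "referer/user-agent condition", s))
    return findings


# Constructed samples: stock content, then blank-line padding and an injected tail.
STOCK_HTACCESS = """# BEGIN WordPress
<IfModule mod_rewrite.c>
RewriteEngine On
RewriteBase /
RewriteRule ^index\\.php$ - [L]
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteRule . /index.php [L]
</IfModule>
# END WordPress
"""
INFECTED_HTACCESS = STOCK_HTACCESS + "\n" * 300 + """RewriteCond %{HTTP_REFERER} google\\.com [NC]
RewriteRule .* http://bacxwq.example/in.cgi?3 [R=301,L]
ErrorDocument 404 http://bacxwq.example/404
"""
STOCK_WP_CONFIG = "<?php\ndefine('DB_NAME', 'wp');\nrequire_once(ABSPATH . 'wp-settings.php');\n"
INFECTED_WP_CONFIG = STOCK_WP_CONFIG + "\n" * 200 + "eval(base64_decode('Zm9v'));\n"
STOCK_INDEX = "<?php\ndefine('WP_USE_THEMES', true);\nrequire('./wp-blog-header.php');\n?>\n"
INFECTED_INDEX = STOCK_INDEX.replace(
    "?>", "echo '<iframe src=\"http://bacxwq.example/\" width=0 height=0></iframe>';\n?>")

if __name__ == "__main__":
    print("blank run:", longest_blank_run(INFECTED_HTACCESS))
    print("htaccess:", suspicious_htaccess_lines(INFECTED_HTACCESS))
    print("wp-config tail:", code_after_wp_settings(INFECTED_WP_CONFIG))
    print("index tail:", code_after_blog_header(INFECTED_INDEX))
```

Read the whole of any file these functions flag; the referrer condition in the sample is the classic way an attacker shows the redirect to search-engine visitors only, which is also why you never saw it yourself.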

 

Check all downloadable files

Check all the files which can be downloaded from your website. Sometimes hackers alter these files to add malicious code.

 

Also look for and remove the following files from your web server. They are malicious files used to deliver malware, with the one exception noted below:

  1. wp-includes/xmlrpc.php (the genuine xmlrpc.php lives in the site root, not in wp-includes)
  2. wp-includes/css/css.php
  3. wp-includes/css/style.php
  4. /wp-includes/js/jquery/jquery.js – this one is a legitimate core file that hackers commonly append their code to. Do not delete it; compare it with the copy in your fresh WordPress download and replace it with the clean copy.
  5. /wp-content/upd.php
  6. /wp-content/themes/[theme's name]/temp/e9815adced6d3.php (or similar)
  7. wp-admin/upd.php
  8. Remove all image files, zip files and other files which are no longer required. They could have been compromised.
  9. Remove all plugins which are no longer used. These plugins could have been compromised.
  10. Remove all WordPress themes (from the /wp-content/themes/ folder) which are not used any more.

Note: Use Robotto (http://robotto.semetrical.com/) tool to monitor any changes in your robots.txt file

 

Check your plugins for using Timthumb

TimThumb is a PHP script used to resize images in blogs.

This script is not malicious on its own, but old versions of it are vulnerable and are commonly used by hackers as a delivery mechanism for malware.

Some WordPress plugins and themes bundle TimThumb and are therefore vulnerable to being compromised by hackers.

Use the 'TimThumb Vulnerability Scanner' WordPress plugin to identify those plugins which use TimThumb. Either remove such plugins or update them to the latest version.

[screenshot: timthumb-scanner – the TimThumb Vulnerability Scanner results page]

The TimThumb scanner plugin scans your /wp-content/ folder for any instances of outdated or insecure versions of the TimThumb script which could be abused by hackers to deliver malware.

Once you have installed this plugin, make sure that you actually run it by going to Tools menu > Tim Thumb Scanner and clicking the 'scan' button.

This plugin doesn't automatically start working once you have installed it.

 

Check for hidden administrators on your website

Check for users who have admin privileges but whom you don't recognise. Sometimes hackers create an admin account in order to insert malicious code/files onto your server, and such an account can be hidden from the Users screen by a plugin or by code they added, so check the database directly as well. If you find such administrators, delete them.
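The SQL below is the query to run in phpMyAdmin (or the mysql client) to list every account with the administrator capability straight from the database. The Python around it is an added example, not from the original post, that runs the same query against an in-memory SQLite stand-in for wp_users and wp_usermeta filled with constructed rows (one real owner, one editor, one injected administrator). Change the wp_ prefix if your $table_prefix differs, and note that the meta_key carries the prefix too.

```python
import sqlite3

# Query a practitioner runs against the live MySQL database; it works
# unchanged on MySQL and on the SQLite stand-in below. The 'wp_' prefix in
# both the table names and the meta_key follows $table_prefix in wp-config.php.
ADMIN_QUERY = """
SELECT u.ID, u.user_login, u.user_email, u.user_registered
FROM wp_users AS u
JOIN wp_usermeta AS m ON m.user_id = u.ID
WHERE m.meta_key = 'wp_capabilities'
  AND m.meta_value LIKE '%administrator%'
ORDER BY u.ID
"""


def build_sample_db():
    """Constructed stand-in for wp_users / wp_usermeta: the site owner, one
    editor, and an injected admin whose login is chosen to look like a system account."""
    db = sqlite3.connect(":memory:")
    db.executescript("""
    CREATE TABLE wp_users (ID INTEGER PRIMARY KEY, user_login TEXT,
                           user_email TEXT, user_registered TEXT);
    CREATE TABLE wp_usermeta (umeta_id INTEGER PRIMARY KEY, user_id INTEGER,
                              meta_key TEXT, meta_value TEXT);
    INSERT INTO wp_users VALUES (1, 'siteowner', 'owner@example.com', '2010-03-01 10:00:00');
    INSERT INTO wp_users VALUES (2, 'editor1',   'editor@example.com', '2011-06-12 09:30:00');
    INSERT INTO wp_users VALUES (3, 'wp_update', 'x@mail.example',     '2012-09-20 03:14:07');
    INSERT INTO wp_usermeta VALUES (1, 1, 'wp_capabilities', 'a:1:{s:13:"administrator";b:1;}');
    INSERT INTO wp_usermeta VALUES (2, 2, 'wp_capabilities', 'a:1:{s:6:"editor";b:1;}');
    INSERT INTO wp_usermeta VALUES (3, 3, 'wp_capabilities', 'a:1:{s:13:"administrator";b:1;}');
    """)
    return db


def list_admins(db):
    """Every account whose serialised capabilities include 'administrator'."""
    keys = ("id", "login", "email", "registered")
    return [dict(zip(keys, row)) for row in db.execute(ADMIN_QUERY)]


def unexpected_admins(db, known_logins):
    """Admin accounts that are not on the owner's own list: candidate hidden admins.
    The registration timestamp is a useful tell, as is an email you never set."""
    return [a for a in list_admins(db) if a["login"] not in known_logins]


if __name__ == "__main__":
    sample = build_sample_db()
    for admin in unexpected_admins(sample, {"siteowner"}):
        print("unexpected administrator:", admin)
```

Delete an unexpected account from the Users screen (assigning its posts to yourself), or, if it does not show there, with DELETE statements against wp_users and wp_usermeta for that ID; then rotate the keys and salts again so any cookie it holds stops working.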

 

Find Backdoors and Remove them

Once your website is hacked, one of the first things that happens is the installation of malicious code called a 'backdoor'.

These backdoors are built so that a hacker can use them to regain access to your site.

Sometimes several backdoors are installed, in case one is lost in a manual removal or upgrade.

If your website has ever been hacked, there is always a possibility that a backdoor is still installed on it which can be used to regain access.

You would need to check each and every WordPress template file, plugin and the database to find such backdoors. But this is very time consuming and not very effective. If you miss one, you have left the backdoor open for the hackers.

So what I suggest is that you take a backup of your theme files, database and other important files (like .htaccess, robots.txt, wp-config.php) and then delete all the files, plugins and folders in your WordPress directory.

Completely delete the entire directory structure your blog is in and then install a fresh copy of the latest version of WordPress.

Don't rely on reinstalling or upgrading WordPress in place.

While reinstalling/upgrading may replace files containing malicious code with fresh code, it does not always remove the malicious files which have already been placed on your web server.

Scan your theme files, database dump and other important files with anti-virus/anti-malware software on your computer, and read them through as well, before you upload them back to your web server.

I recommend Spybot Search & Destroy: http://www.safer-networking.org/dl/

 

Change your web hosting service provider

This is what I did after GoDaddy made me learn every trick in the book to get rid of malware.

When you ask GoDaddy to help you with removing malware, you get the following pathetic copy-and-paste response from them:

We cannot assist you with removing malware from your server.

Consider taking your site down immediately to prevent infecting visitors, and take action quickly to identify/remove it. – LOL, GoDaddy

To annoy you even further, they never forget to add the following line at the end of each email:

Please let us know if we can assist you in any other way

Sincerely

LoL

Online Support Technician

 

Sometimes vulnerabilities lie with the web hosting service provider.  

These vulnerabilities can take the form of server misconfiguration or security loopholes in the hosting platform, which make your website vulnerable to being abused by hackers again and again.

Choose a web host which is local (so that you can easily call them in case of emergency) and is a medium-sized business.

Avoid web hosts that boast of having tens of thousands of clients.

Their turnaround time is painfully slow and, to be honest, the majority of them don't care about you.

 

If you run a WordPress website, choose a host that specialises in WordPress hosting.

This can help you a lot in sorting out WordPress-specific issues.

You will deal with staff who are well versed in WordPress. Avoid shared hosting if possible. Shared hosting accounts are nowhere near as safe as dedicated hosting accounts.

 

Ultimate Solution – Penetration Testing

Even if you follow all the steps explained so far to remove malicious code/files from your website, there is still no guarantee that your website cannot be hacked again.

Hackers can create new backdoors to regain access by exploiting security loopholes in your WordPress theme, hosting platform or network.

To prevent your website from getting hacked again, you need to hire a person or company who is expert in penetration testing.

These people will evaluate the security of your WordPress theme, hosting platform and network by deliberately exploiting the security vulnerabilities they find.

This type of testing is also known as ethical hacking, because the testers act as hackers to find security loopholes in your website. Penetration testing is a one-time fee and it can help you greatly in preventing further malware attacks.

Once you feel confident that your website is free from malware, change all your passwords and your WordPress security keys and salts once again.

Remove the 'website maintenance page' (the lines you added to .htaccess) and make your website live.

Submit a request in Google Webmaster Tools to review your website by going to Health > Malware > Request a Review.

Within a day or so, Google will remove the malware warning from your website, provided it can't detect any malware. Otherwise the malware warning will remain and you will be notified via the Google Webmaster Tools 'Review Status'.

 

Secure your email accounts from getting hacked

If your domain name/hosting is registered to a Google/Yahoo e-mail account, then you must make sure that you can recover that account in case it is hacked: whoever controls the mailbox can reset your registrar and hosting passwords.

Add security questions, an alternative email address and a phone number to your email account so that you can recover it in case the password is changed.

Someone hacked my old Yahoo email account (which was registered with a domain name) and I wasn't able to recover it because I didn't remember the answer to my security question, I hadn't added any phone number, and the hacker also hacked my alternate email address.

Had I added a phone number to my email account, I would have recovered that email account.

 

Scan your Computer regularly

Scan your computer regularly to find and remove malicious files, Trojans and viruses. Sometimes your website files get infected or re-infected because of malware on your comput­er, for example a Trojan that steals the FTP passwords saved in your FTP client.

Note: There is a common misconception among webmasters that they can stop malware bots via robots.txt. Malware/spam bots ignore robots.txt; it is a request that only well-behaved crawlers honour.

 

Last but not least, use CodeGuard

I am not an affiliate of CodeGuard but a fan.

CodeGuard.com is the only service I have found useful so far to diagnose malware issues on time. Whenever it detects a change in your website code, it automatically takes a new backup and alerts you via email.

You will get an email alert when you add a new blog post, because files are added on your web server.

You will get an email alert when you add or remove plugins, because again files are added to or removed from your web server.

And of course you will get an email alert if someone secretly adds a malicious file to your web server.

You should pay special attention to these emails and never overlook them. I did, and paid the price.

Look for any change that looks malicious or unfamiliar. For example, if a file like css.php is added somewhere on your web server, you should immediately find and remove it, because it is not a standard WordPress file and is most probably malware.

  • Brahmadas

    Hi Himanshu Sharma, great post. As you said at the top, we don't expect this kind of security solution post from you. I do understand it to a certain stage; I have given the link to my developer, as I am not an expert in development. Hope it is very useful for others also. Have a nice time.

  • helplinewebsite

    Thanks for this space!

    There is a web designing company for you: Website Maintenance – Website Helpline

  • http://www.wpishacked.com Ken

    I would always recommend a few other things...

    1) Try out the plugin called GOTMLS... it's a simple scanner and malware removal tool that's updated quite often.

    2) ALWAYS delete and reinstall the WordPress core... this includes the wp-includes folder, the wp-admin folder, and the root files (except wp-config.php and .htaccess)... this assures that you've at least cleared out any issues in the WordPress core files.

    • seotakeaways

      Thank you for your comment.

  • R Kidambi Badri

    Wonderful guidance. However, I am afraid I cannot carry it out on my own. My website is hacked. Can you resolve it? I will pay. Thanks.

    • seotakeaways

      Sorry, I don't provide such a service.

    • http://www.caviteniofilipino.blogspot.com ronley

      Are you still getting such problem?

  • madhvik

    The post is really good. It's quite rich in information and you explained it in a step-by-step manner. Good work Himanshu. Keep such good posts coming!

    • seotakeaways

      I am glad you like it.

  • Micheal Clark

    Every day I visit a number of blog sites to see content; however, this one offers quality-based content. https://www.facebook.com/bubblegumcasting