A Guide on WordPress Malware Fix

Speaking about website security are you sure that your website is on safe side? What makes you think that you can be a small island in a big ocean among another and more visited WordPress websites? None will ever want to gain login details or use your website? Don’t let yourself to be deceived by delusion! You may even never suspect how rapid you can lose reputation, get mark from Google “this website has been hacked” and get million of strange pages with content that you would never even think to upload!

Sample wordpress hacked

Sample of a hacked WordPress site in search results

Unfortunately, this happened with clients of Mobilunity team. Our client’s websites, which were recently hosted and practically had no visitors, were infected and our client lost control on  any actions there in one night! But our team already has a vast experience in dealing with hacked WordPress websites and we are happy to offer 911 help with our WordPress malware removal service.

Beginning of Nightmare: Your WordPress Is Hacked

And how all this nightmare started? Our clients noticed that only front pages on his websites loaded, while posts and pages were blank. Please note that sometimes reasons in displaying WordPress blank page can be different and not always connected with hacks, and reason and solutions of such issues can vary. But in our case it was suspected that reason was in .htaccess or WordPress plugins. Htaccess security checks and plugins in use was not helpful. And what was remarkable that situation happened on the same hosting account. Upon investigation client noticed some odd folders containing strange files that were not the part of theme or plugins. Files and folders had strange names of songs or just random letters.

Screenshot of Malicious Files Website Malware Removal

Screenshot of malicious files in cpanel

As the websites client asked us to monitor were using php version 5.5, we noticed that it had been downgraded to 5.2 and reasons were not clear at all. Suspecting strange behavior of hosting provider php configuration was upgraded again, but process of downgrade occurred one more time, which obviously was a strange behavior and hosting support was not aware of it. Furthermore, our team received no explanations and assistance, which brought us an assumption of bad hosting support, who was moving files on their own and downgraded to php 5.2. As well as wordpress php version is highly important and we recommend to set to 5.5 for website’s better functionality.

WP operators team fixed site’s functionality by uploading latest versions of WordPress to hosting’s root folder and moving of domains to another provider that proved to be better in terms of services and support.

Unpleasant Discovery

Incredible shock it was when upon the process of moving domains new hosting provider sent us a warning notice about uploaded malware. What was even funny to find disappearance of wp-config.php when it has been recently changed by WP operators and uploaded to server. An interesting fact that there were no trace of it in any folders, trash nor in logs.

This was the moment to accept and agree that wordpress was hacked! Malware name was – StealRat. It leaked from some infected domain on insecure shared hosting. StealRat is usually found on UNIX web servers running the Drupal, WordPress or Joomla Content Management Systems (CMS). Main function of this virus – to send spam.

This was an unpleasant discovery for us, thus we are sure that steps described below will help you to detect virus before it brings any harm! And don’t forget to check this post about backdoor site that may bring infection to your websites.

Malware Detection

  1. You will find a file called popup-pomo.php that is causing the virus work.
  2. .htaccess files in any folder of site except the root one.
  3. Strange lines of code in wp-config files
  4. A lot of .php files
  5. Folders have modification date of today or yesterday and you have not modified anything on website.
  6. Last, but the most important thing to acknowledge and save is the files of your site that should be on server!

Screenshot of root folder of clean site wordpress malware fix

Screenshot of root folder of clean site having no odd files

What is more you need to know? Your root folder may contain .htaccess and php.ini files, but if you find .htaccess files in all folders of site or find such files as ini.php – this is absolutely a SOS for you!

The Most Common Reasons of WP Hacks

The most common reasons of WP hacks

WordPress Malware Fix

It’s simple: do wordpress website backup and delete all! Only 2 things should be left untouched:

  • wp-content
  • wp-config

Why we don’t touch wp-content? This folder contains images that were on your website, plugins and themes. Get the list of plugins and theme that were used by you, write it down. Uploads folder contains usually images with extension png or jpeg.

For your convenience here is the list of extensions that you may leave:

  • Pictures: .jpg , .jpeg , .png , .gif , .ico ,
  • Documents: .pdf , .doc , .docx , .ppt , .pptx , .pps , .ppsx , .odt , .xls , .xlsx , .psd
  • Audio- .mp3 , .m4a , .ogg , .wav
  • Video: .mp4 , .m4v , .mov , .wmv , .avi , .mpg , .ogv , .3gp , .3g2

All files with extensions above can be left untouched. Get the list of plugins and themes that were in use and remember/write it down. And delete everything else. Acknowledge that virus can be hidden and you may not notice it, so create in wp-content folder .htaccess file with such information:

<Files *.php>
deny from all

This will help you to be on a save side from everything that is hidden from you.

screenshot of a positive feedback from the client

Screenshot of a positive feedback from the client

Danger Is Detected: WordPress Malware Removal

You have deleted everything and now it’s nothing to lose. Actions are simple now:

  1. Create .htaccess file in root with such data:
Order Deny,Allow
Deny from all
Allow from IP (insert your IP)
  1. Take latest WordPress release from official site and upload to your server.
  2. Upload to /wp-content/plugins all the plugins that were in use by you. Please take them only from official website of WordPress:
  3. Same actions are done with /wp-content/themes

wordpress malware removal service


When you came to this part – everything will be simple. After you uploaded clean WP from official site, take file wp-config-sample.php and edit it. Process of editing is identical to fresh website launch. In general you need to add there:

  • Database configuration
  • Authentication keys
  • Prefix of tables
  • Delete old wp-config.php
  • Rename wp-config-sample.php to wp-config.php

Save&print our inforgraphics which will help you in case of any bad luck:

Steps to Perform with Hacked Websites

Steps to perform on a hacked website

Well Done: WordPress Is Not Hacked Anymore!

Customize your website, change login and passwords to site and ftp. Now you are free from malware. Congratulations and don’t forget that it is much better to secure your website with plu gins like Sucuri, WordFence, WP Login reCAPTCHA, save .htaccess and monthly check of your folders and hosting in general. Do not forget that it is always better to host your website with secure hosting having csc filters and 24/7 reliable support. And remember that its is better securing wordpress from malware than clean and restore it!

Having any questions? Contact us for professional website malware removal service! We are here to help you!

Request a quote

We will contact you as soon as posible.

Attach File (max file size 5MB; allowed extensions: doc, txt, pdf, docx)

Your email address will not be published. Required fields are marked *

Contact us Request a Quote

Your email address will not be published.

Required fields are marked *

Attach File

(max file size 5MB; allowed extensions: doc, txt, pdf, docx)

subscribe to newsletter

Your email address will not be published.

Required fields are marked *

Ask a Question

Your email address will not be published.

Required fields are marked *

Sorry, this page isn't quite ready yet

redirecting to the old site



cannot account for customer alterations, as the site may reflect changes made after the project was completed.

Mobilunity - Dedicated Developers