A Guide on WordPress Malware Fix
When it comes to website security, are you sure your site is on the safe side? What makes you think a small, rarely visited site is a safe island in an ocean of bigger and busier WordPress sites? That nobody would ever want your login details or the use of your server? Do not deceive yourself. You may never suspect how quickly you can lose your reputation, have Google flag the site with "This site may be hacked", and find thousands of strange pages with content you would never think of uploading.
Sample of a hacked WordPress site in search results
Unfortunately, this happened to clients of the Mobilunity team. Our client's websites, which had only recently been set up and had practically no visitors, were infected, and the client lost control over them in a single night. Our team already has broad experience with hacked WordPress websites, and we are happy to offer emergency help through our WordPress malware removal service.
Beginning of Nightmare: Your WordPress Is Hacked
How did the nightmare start? Our client noticed that only the front pages of his websites loaded, while posts and pages came up blank. Note that a blank WordPress page can have many causes that have nothing to do with a hack, and the diagnosis and fix vary accordingly. In our case the suspicion fell on .htaccess or on the WordPress plugins, but a security check of the .htaccess files and of the plugins in use turned up nothing. What stood out was that every affected site sat on the same hosting account. On closer inspection the client found odd folders containing files that belonged to neither the theme nor any plugin; the files and folders carried the names of songs or just random strings of letters.
Screenshot of malicious files in cpanel
The websites the client had asked us to monitor ran PHP 5.5, yet we noticed the version had been downgraded to 5.2 for no apparent reason. Suspecting the hosting provider, we set the PHP configuration back to 5.5, but the downgrade happened again, which was clearly abnormal, and hosting support knew nothing about it. We received no explanation or assistance, which led us to assume poor hosting support that moved files on its own and downgraded PHP to 5.2. In hindsight, an unexplained configuration change like this should be treated as a possible sign of compromise rather than only a hosting problem. The PHP version WordPress runs on matters a great deal; at the time we recommended 5.5 for the site to function properly, and today both 5.2 and 5.5 are long out of support, so run a currently supported release.
Our WP operators restored the sites' functionality by uploading the latest WordPress release to the hosting root folder and moving the domains to another provider that proved better in terms of service and support.
The real shock came during the move, when the new hosting provider sent us a warning about malware in the uploaded files. Stranger still, the wp-config.php that our WP operators had just edited and uploaded had vanished: there was no trace of it in any folder, in the trash or in the logs.
That was the moment to accept that the WordPress sites had been hacked. The malware was StealRat. It had spread from an infected domain on the same insecure shared hosting. StealRat is usually found on UNIX web servers running the Drupal, WordPress or Joomla content management systems (CMS), and its main purpose is sending spam.
This was an unpleasant discovery for us, so we are confident that the signs listed below will help you detect the infection before it does any harm. And do not forget to read our post about backdoored sites that can spread infection to your websites.
- A file called popup-pomo.php; it is what keeps the malware running.
- .htaccess files in any folder of the site other than the root.
- Strange lines of code in wp-config.php.
- An unusual number of .php files, especially in places that should hold only uploads.
- Folders with a modification date of today or yesterday when you have not changed anything on the website.
- Last, but most important: know, and keep a record of, which files of your site should be on the server.
Screenshot of root folder of clean site having no odd files
What else should you know? Your root folder may legitimately contain .htaccess and php.ini files, but if you find .htaccess files in every folder of the site, or files such as ini.php, that is an SOS signal.
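The signs above translate directly into a read-only triage scan. The script below is an added example, not code from the original post or from any tool it mentions: it looks for the known file names, .htaccess files below the web root, obfuscation primitives in wp-config.php and files modified in the last two days, and adds a check for PHP under wp-content/uploads, which is the concrete form "a lot of .php files" usually takes. The tags, the helper names and the directory tree built by make_sample_site are my own; the tree is constructed for the demo and contains no real malware.

```shell
#!/bin/sh
# Added example (not from the original post): triage scan for a WordPress
# install. Assumes POSIX sh with find and grep. Run scan_wp_root against the
# web root; it only reads, so it is safe to run before the backup.

# tag NAME: prefix every path read on stdin with NAME and a tab.
tag() {
    while IFS= read -r p; do printf '%s\t%s\n' "$1" "$p"; done
}

# scan_wp_root ROOT: print one finding per line, nothing for a clean tree.
scan_wp_root() {
    root=${1%/}
    # 1. File names the post ties to this infection.
    find "$root" -type f \( -name popup-pomo.php -o -name ini.php \) | tag KNOWN_NAME
    # 2. .htaccess anywhere except the web root. Review any you placed there
    #    yourself; an attacker uses these for redirects and to re-enable PHP.
    find "$root" -type f -name .htaccess ! -path "$root/.htaccess" | tag HTACCESS
    # 3. Executable PHP under uploads, including double extensions like x.php.jpg.
    if [ -d "$root/wp-content/uploads" ]; then
        find "$root/wp-content/uploads" -type f \
            \( -name '*.php*' -o -name '*.phtml' -o -name '*.phar' \) | tag UPLOAD_PHP
    fi
    # 4. Obfuscation primitives in wp-config.php. The extra /dev/null argument
    #    makes grep print the file name, so each hit reads file:line:text.
    if [ -f "$root/wp-config.php" ]; then
        grep -n -E 'eval\(|base64_decode\(|gzinflate\(|str_rot13\(' \
            "$root/wp-config.php" /dev/null | tag WPCONFIG
    fi
    # 5. Anything modified in the last two days ("today or yesterday").
    find "$root" \( -type f -o -type d \) -mtime -2 | tag RECENT
}

count_findings() { scan_wp_root "$1" | grep -c . || true; }
count_tag() { scan_wp_root "$1" | grep -c "^$2[[:space:]]" || true; }

# make_sample_site DIR [clean|infected]: constructed demo tree (no real malware).
make_sample_site() {
    root=$1; mode=${2:-clean}
    mkdir -p "$root/wp-content/uploads/2019" "$root/wp-content/plugins/akismet" \
             "$root/wp-content/themes/twentynineteen" "$root/wp-includes"
    printf 'RewriteEngine On\n' > "$root/.htaccess"   # the one legitimate .htaccess
    printf '%s\n' '<?php' "define( 'DB_NAME', 'shop' );" > "$root/wp-config.php"
    : > "$root/wp-content/uploads/2019/photo.jpg"
    : > "$root/wp-content/themes/twentynineteen/style.css"
    : > "$root/wp-content/plugins/akismet/akismet.php"
    : > "$root/wp-includes/functions.php"
    if [ "$mode" = infected ]; then
        : > "$root/wp-content/plugins/popup-pomo.php"                 # known name
        : > "$root/wp-includes/ini.php"                               # known name
        printf 'RewriteRule .* http://example.invalid/ [R,L]\n' \
            > "$root/wp-includes/.htaccess"                           # .htaccess below root
        printf '<?php echo 1;\n' > "$root/wp-content/uploads/2019/shell.php"  # PHP in uploads
        printf '%s\n' 'eval(base64_decode($x));' >> "$root/wp-config.php"   # odd line in config
    fi
    # Backdate everything so the two-day check is quiet for the clean tree...
    find "$root" -exec touch -t 202001010000 {} +
    # ...then re-touch one file to simulate the attacker's recent write.
    [ "$mode" = infected ] && touch "$root/wp-content/uploads/2019/shell.php"
    return 0
}

# Demo: sh wp_triage.sh prints the findings for a constructed infected tree.
demo=$(mktemp -d)
make_sample_site "$demo/site" infected
scan_wp_root "$demo/site"
rm -rf "$demo"
```

On a real site run `scan_wp_root /path/to/public_html` and compare the RECENT and HTACCESS lines against your own change log; the other three tags should normally be empty.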
The most common reasons for WP hacks
WordPress Malware Fix
It's simple: back up the WordPress site, then delete everything. Only two things should be left untouched:
Why don't we touch wp-content? This folder holds the images that were on your website, along with the plugins and themes. Make a list of the plugins and the theme you were using and write it down. The uploads folder usually contains images with the png or jpeg extension.
For your convenience, here is the list of extensions you may leave in place:
- Pictures: .jpg, .jpeg, .png, .gif, .ico
- Documents: .pdf, .doc, .docx, .ppt, .pptx, .pps, .ppsx, .odt, .xls, .xlsx, .psd
- Audio: .mp3, .m4a, .ogg, .wav
- Video: .mp4, .m4v, .mov, .wmv, .avi, .mpg, .ogv, .3gp, .3g2
All files with the extensions above can stay, provided the extension is the real one: a file named photo.jpg.php is a PHP script, not a picture. Note down the plugins and themes that were in use, then delete everything else. Be aware that the malware may be hidden where you will not notice it, so create a .htaccess file in the wp-content folder containing:
deny from all
This shields you from anything still hidden in there, but it also blocks visitors from the images, CSS and JavaScript under wp-content, so use it only while the site is locked down for cleaning; for permanent hardening, forbid execution of .php files in wp-content/uploads instead of denying all access. The directive above is Apache 2.2 syntax (on Apache 2.4 the equivalent is Require all denied), and it has no effect on nginx.
Screenshot of a positive feedback from the client
Danger Is Detected: WordPress Malware Removal
You have deleted everything, so there is nothing left to lose. The steps are now simple:
- Create a .htaccess file in the root with the following content (Apache 2.2 syntax; on Apache 2.4 use Require ip with your address instead), so that only you can reach the site while it is rebuilt:
Deny from all
Allow from IP (insert your IP)
- Take the latest WordPress release from the official site and upload it to your server.
- Upload to /wp-content/plugins all the plugins you were using. Take them only from the official WordPress site: https://wordpress.org/plugins/
- Do the same for /wp-content/themes.
Once you reach this point, the rest is simple. After uploading a clean WordPress from the official site, take wp-config-sample.php and edit it exactly as you would for a fresh site launch. In general you need to fill in:
- Database configuration (use a new database password: the old wp-config.php was in the attacker's hands)
- Authentication keys and salts (generate fresh ones; this also invalidates every existing login cookie)
- Table prefix
- Delete the old wp-config.php
- Rename wp-config-sample.php to wp-config.php
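The rebuild of wp-config.php described in the steps above, as an added example that is not part of the original post and not WordPress's own installer. It fills the database settings and table prefix, generates eight distinct keys and salts locally from /dev/urandom (the official generator at https://api.wordpress.org/secret-key/1.1/salt/ produces equivalent values), and refuses to overwrite an existing wp-config.php so the "delete the old one first" step cannot be skipped by accident. The function names and the trimmed sample config, which copies only the placeholders of the real wp-config-sample.php, are my own constructions.

```shell
#!/bin/sh
# Added example (not from the original post): build a fresh wp-config.php from
# a clean wp-config-sample.php. Assumes POSIX sh, sed, and /dev/urandom.

# random_phrase: 64 letters and digits, so the value never needs quoting
# inside the PHP string literal it is pasted into.
random_phrase() {
    LC_ALL=C tr -dc 'A-Za-z0-9' < /dev/urandom | head -c 64
}

# sed_escape: escape &, / and \ so a password like p&ss/w0rd survives as the
# right-hand side of an s/// replacement.
sed_escape() {
    printf '%s' "$1" | sed 's|[&/\\]|\\&|g'
}

# build_wp_config SAMPLE OUT DB_NAME DB_USER DB_PASSWORD TABLE_PREFIX
# Returns 1 if OUT already exists (delete the old wp-config.php first) or if
# any placeholder survived.
build_wp_config() {
    sample=$1; out=$2; db_name=$3; db_user=$4; db_pass=$5; prefix=$6
    if [ -e "$out" ]; then
        echo "refusing to overwrite $out: delete the old wp-config.php first" >&2
        return 1
    fi
    sed -e "s/database_name_here/$(sed_escape "$db_name")/" \
        -e "s/username_here/$(sed_escape "$db_user")/" \
        -e "s/password_here/$(sed_escape "$db_pass")/" \
        -e "s/'wp_';/'$(sed_escape "$prefix")';/" \
        "$sample" |
    while IFS= read -r line; do
        case $line in
            *"put your unique phrase here"*)
                # One fresh value per line: all eight keys and salts differ.
                printf '%s\n' "$line" | sed "s/put your unique phrase here/$(random_phrase)/" ;;
            *) printf '%s\n' "$line" ;;
        esac
    done > "$out"
    ! grep -q -e '_here' -e 'put your unique phrase here' "$out"
}

# make_sample_config OUT: constructed stand-in for wp-config-sample.php.
make_sample_config() {
cat > "$1" <<'EOF'
<?php
define( 'DB_NAME', 'database_name_here' );
define( 'DB_USER', 'username_here' );
define( 'DB_PASSWORD', 'password_here' );
define( 'DB_HOST', 'localhost' );
define( 'AUTH_KEY',         'put your unique phrase here' );
define( 'SECURE_AUTH_KEY',  'put your unique phrase here' );
define( 'LOGGED_IN_KEY',    'put your unique phrase here' );
define( 'NONCE_KEY',        'put your unique phrase here' );
define( 'AUTH_SALT',        'put your unique phrase here' );
define( 'SECURE_AUTH_SALT', 'put your unique phrase here' );
define( 'LOGGED_IN_SALT',   'put your unique phrase here' );
define( 'NONCE_SALT',       'put your unique phrase here' );
$table_prefix = 'wp_';
EOF
}

# rebuild_demo: build a config in a temporary directory and print it.
rebuild_demo() {
    dir=$(mktemp -d)
    make_sample_config "$dir/wp-config-sample.php"
    build_wp_config "$dir/wp-config-sample.php" "$dir/wp-config.php" \
        shopdb shopuser 'p&ss/w0rd' 'sec_'
    cat "$dir/wp-config.php"
    rm -rf "$dir"
}

rebuild_demo
```

On a real rebuild, point the first argument at the wp-config-sample.php from the freshly downloaded release and the second at wp-config.php in the web root; the table prefix should be the one the existing database uses, or the site will not find its tables.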
Save and print our infographic, which will help you in case of bad luck:
Steps to perform on a hacked website
Well Done: WordPress Is Not Hacked Anymore!
Customize your website and change the logins and passwords for the site, the database and FTP. Now you are free of the malware. Congratulations, and do not forget that it is far better to secure your website in advance with plugins like Sucuri, Wordfence and WP Login reCAPTCHA, to keep a safe copy of your .htaccess, and to check your folders and hosting every month. It is also better to host your website with a secure provider that has csc filters and reliable 24/7 support. And remember: securing WordPress against malware is better than cleaning and restoring it.