Steps to removing malware, spam, and other hacks from a Website.

Sucuri has devoted years to helping WordPress administrators identify and fix hacked websites. We have put together this guide to walk WordPress owners through the process of identifying and cleaning a WordPress hack. This is not meant to be an all-encompassing guide, but if followed, should help address 70% of the infections we see.
Find & Identify the WordPress Hack

1.1 Scan Your Site

You can use tools that scan your site remotely to find malicious payloads and malware. Sucuri has a free WordPress plugin that you can find in the official WordPress repository.

How to scan WordPress for malware with Sucuri SiteCheck:

  1. Visit the SiteCheck website.
  2. Enter your WordPress URL.
  3. Click Scan Website.
  4. If the site is infected, review the warning message.
  5. Note any payloads and locations (if available).
  6. Note any blacklist warnings.

If the remote scanner isn’t able to find a payload, continue with other tests in this section. You can also manually review the iFrames / Links / Scripts tab of the Malware Scan to look for unfamiliar or suspicious elements.

If you have multiple WordPress sites on the same server, we recommend scanning them all (you can also use SiteCheck to do this). Cross-site contamination is one of the leading causes of reinfections. We encourage every website owner to isolate their hosting and web accounts.

A remote scanner browses the site to identify potential security issues on your WordPress site. Some issues do not show up in a browser; instead, they manifest on the server (e.g., backdoors, phishing, and server-based scripts).

1.2 Check Core WordPress File Integrity

Most core WordPress files should never be modified. You need to check for integrity issues in the wp-admin, wp-includes, and root folders.

The quickest way to confirm the integrity of your WordPress core files is by using the diff command in the terminal. If you are not comfortable using the command line, you can manually check your files via SFTP.

If nothing has been modified, your core files are clean.
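
One way to run the diff check described above, as an added example that is not Sucuri's own code. It assumes a pristine copy of the same WordPress version has been unpacked in a separate directory; the function name core_diff and the demo paths are hypothetical.

```shell
#!/bin/sh
# Added example: core_diff CLEAN_DIR SITE_DIR compares a pristine WordPress
# tree of the same version (CLEAN_DIR) with the installed one (SITE_DIR).
# It only reads files and prints one finding per line:
#   MODIFIED path   differs from the pristine copy
#   MISSING path    core file or folder absent from the site
#   EXTRA path      present on the site only; review it, it may be legitimate
# Returns 0 when nothing is reported, 1 otherwise.
core_diff() {
    clean=${1%/}
    site=${2%/}
    # wp-content and wp-config.php are site-specific, so they are skipped here.
    LC_ALL=C diff -rq -x wp-content -x wp-config.php "$clean" "$site" |
    awk -v c="$clean" -v s="$site" '
        /^Files / {
            # Line shape: "Files C/rel and S/rel differ"; recover rel by length.
            body = substr($0, 7, length($0) - 13)
            n = (length(body) - length(c) - length(s) - 7) / 2
            print "MODIFIED", substr(body, length(c) + 2, n)
            found = 1
        }
        /^Only in / {
            # Line shape: "Only in DIR: NAME"
            rest = substr($0, 9)
            i = index(rest, ": ")
            dir = substr(rest, 1, i - 1)
            name = substr(rest, i + 2)
            if (dir == c || index(dir, c "/") == 1) { tag = "MISSING"; root = c }
            else { tag = "EXTRA"; root = s }
            sub_dir = substr(dir, length(root) + 2)
            print tag, (sub_dir == "" ? name : sub_dir "/" name)
            found = 1
        }
        !/^(Files|Only in) / { print "OTHER", $0; found = 1 }
        END { exit (found ? 1 : 0) }
    '
}

# Constructed demo tree (placeholder contents, not real WordPress files).
demo=$(mktemp -d)
mkdir -p "$demo/clean/wp-includes" "$demo/site/wp-includes"
echo '<?php // core' > "$demo/clean/wp-includes/load.php"
echo '<?php // core plus an injected line' > "$demo/site/wp-includes/load.php"
echo '<?php // unknown file' > "$demo/site/wp-includes/cache.php"
core_diff "$demo/clean" "$demo/site" || echo "core differs from the pristine copy"
rm -rf "$demo"
```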

Both the Sucuri free WordPress security plugin and the Sucuri monitoring platform help with website auditing and monitoring.

You may want to use an FTP client to quickly check for WordPress malware in directories like wp-content. We recommend using FTPS/SFTP/SSH rather than unencrypted FTP.

1.3 Check Recently Modified Files

New or recently modified files may be part of the hack.

You can identify hacked files by checking whether they were recently modified, using the following steps.

How to manually check recently modified files in WordPress:

  1. Log into your server using an FTP client or SSH terminal.
  2. If using SSH, you can list all files modified in the last 15 days using this command:
     $ find ./ -type f -mtime -15
  3. If using SFTP, review the last modified date column for all files on the server.
  4. Note any files that have been recently modified.

How to check recently modified files using terminal commands on Linux:

  1. Type in your terminal:
     $ find /etc -type f -printf '%TY-%Tm-%Td %TT %p\n' | sort -r
  2. If you want to include directories as well, type in your terminal:
     $ find /etc -printf '%TY-%Tm-%Td %TT %p\n' | sort -r
  3. Unfamiliar modifications in the last 7-30 days may be suspicious.

1.4 Check Google Diagnostic Pages

If your WordPress site has been hacked and blacklisted by Google or other website security authorities, you can use their diagnostic tools to check the security status of your website.


How to check your Google Transparency Report:

  1. Visit the Safe Browsing Site Status website.
  2. Enter your site URL and search.
  3. On this page you can check:
     a. Site Safety Details: Information about malicious redirects, spam, and downloads.
     b. Testing Details: Most recent Google scan that found malware.

Remove Malware from Your WordPress Site

Now that you have information about malware locations, you can remove malware from WordPress and restore your website to a clean state.

Clean Hacked WordPress Files

If the malware infection is in your core files or plugins, you can fix it manually. Just don’t overwrite your wp-config.php file or wp-content folder, and be sure to make a full backup beforehand.

Custom files can be replaced with fresh copies, or a recent backup (if it’s not infected). Here are some additional tips & tricks that you can use with WordPress.

You can remove any malicious payloads or suspicious files found in the first step to get rid of the hack and clean your WordPress site.

How to manually remove a malware infection from your WordPress files:

  1. Log into your server via SFTP or SSH.
  2. Create a backup of the WordPress site before making changes.
  3. Identify recently changed files.
  4. Confirm the date of changes with the user who changed them.
  5. Restore suspicious files with copies from the official WordPress repository.
  6. Open any custom or premium files (not in the official repository) with a text editor.
  7. Remove any suspicious code from the custom files.
  8. Test to verify the site is still operational after changes.

Clean Hacked Database Tables

To remove a malware infection from your WordPress database, use your database admin panel to connect to the database. You can also use tools like Search-Replace-DB or Adminer.

How to manually remove a malware infection from your WordPress database:

  1. Log into your database admin panel.
  2. Make a backup of the database before making changes.
  3. Search for suspicious content (e.g., spammy keywords, links).
  4. Open the table that contains suspicious content.
  5. Manually remove any suspicious content.
  6. Test to verify the site is still operational after changes.
  7. Remove any database access tools you may have uploaded.
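
The search in step 3 can also be run against the backup made in step 2. This added example (not part of the original guide) lists the external hosts linked from each table of a SQL dump so that unfamiliar ones stand out; it assumes a mysqldump-style file with one INSERT statement per line, and the name db_link_hosts and the sample hosts are constructed for illustration.

```shell
#!/bin/sh
# Added example: db_link_hosts DUMP_FILE SITE_HOST
# Prints "COUNT TABLE HOST" for every host other than SITE_HOST (and its www.
# form) that appears in http(s) links inside INSERT statements, most frequent
# first. Read-only. Escaped URLs such as http:\/\/ inside JSON are not matched.
db_link_hosts() {
    LC_ALL=C awk -v own="$2" '
        /^INSERT INTO `/ {
            split($0, part, "`")          # part[2] is the table name
            table = part[2]
            line = $0
            while (match(line, /https?:\/\/[A-Za-z0-9.-]+/)) {
                host = tolower(substr(line, RSTART, RLENGTH))
                sub(/^https?:\/\//, "", host)
                if (host != own && host != "www." own) count[table " " host]++
                line = substr(line, RSTART + RLENGTH)
            }
        }
        END { for (key in count) print count[key], key }
    ' "$1" | LC_ALL=C sort -k1,1nr -k2
}

# Constructed sample dump; hosts use the reserved .test and .invalid TLDs.
dump=$(mktemp)
cat > "$dump" <<'EOF'
INSERT INTO `wp_posts` VALUES (1,'<a href="https://example.test/about">About</a>');
INSERT INTO `wp_posts` VALUES (2,'<a href="http://cheap-pills.invalid/buy">x</a>');
INSERT INTO `wp_options` VALUES (7,'footer','<script src="https://cdn.tracker.invalid/a.js"></script>');
EOF
db_link_hosts "$dump" example.test
rm -f "$dump"
```

Hosts that belong to services the site really uses will also appear, so the output is a review list for step 4, not a verdict.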