Last modified: October 30, 2016

It is well known that WordPress is an open source PHP CMS that is highly vulnerable to hacking, and no matter what you have implemented to protect your WordPress site, there’s no denying that it may fall prey to a lurking hacker at any time. So, for whenever you need to rescue your website, it is vital that you are already familiar with quick and reliable ways to salvage it.

If all of your efforts prove fruitless, go for the Sucuri Malware Removal service. They will take care of it all and make your site clean. Sucuri provides an affordable and 100% hassle-free service to remove infections from WordPress, saving your hard work.

It is quite probable that you are reading this article after your website has been hacked. So let’s cut to the chase and talk you through the possible solutions and the ways to remove malware from your blog.

There may be several ways in which WordPress is hacked:

  • Someone steals your login – If someone gets hold of your admin login, he can do anything to your website. He can install malicious code or delete your blog content such as posts, pages, themes, plugins, users etc.
  • Backdoor access – It is the most common way in which hackers break into a WordPress website. There may be several loopholes which let a WordPress site fall victim to backdoor hacking:
      • A poorly coded theme or plugin (better to stop using this kind of stuff and find an alternative)
      • A security breach in WordPress core (keep updating WordPress regularly)
      • A malicious plugin installed (use only well-reputed and top-rated plugins)
      • A suddenly discovered vulnerability in some themes and plugins (for example, the timthumb script was found vulnerable back in 2012 and thousands of WordPress sites got hacked. The same thing happened with Revolution Slider when a massive vulnerability was found in this plugin. Though the developer fixed it immediately, there were many blog owners who wouldn’t update plugins, and thus their websites bore the brunt.)
      • A web hosting with poor security – Yes, of course, your web hosting may be responsible for the hacking of your WordPress if it doesn’t have proper security tools such as a firewall, brute force detection and a good security team who keeps an eye on such matters (use only reliable web hosts)

Guide to remove malware from WordPress

First aid – Put your website in maintenance mode

It is highly recommended to put your site in maintenance mode so that the hacker cannot access the site in the meantime. If you keep your site running, the hacker may regain access.

Create a file maintenance.php in WordPress root folder

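Enter the following code:

<?php
// Answer with the same protocol version the client used.
$protocol = "HTTP/1.0";
if ( "HTTP/1.1" == $_SERVER["SERVER_PROTOCOL"] ) {
    $protocol = "HTTP/1.1";
}
// 503 tells visitors and search engines that the outage is temporary.
header( "$protocol 503 Service Unavailable", true, 503 );
header( "Retry-After: 3600" );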

Now open your .htaccess file and add the following code to it:

<IfModule mod_rewrite.c>
RewriteEngine on
# Replace 123\.456\.789\.000 with your own IP address (dots escaped) so that you can still reach the site
RewriteCond %{REMOTE_ADDR} !^123\.456\.789\.000
RewriteCond %{REQUEST_URI} !/maintenance.php$ [NC]
RewriteCond %{REQUEST_URI} !\.(jpe?g?|png|gif) [NC]
RewriteRule .* /maintenance.php [R=302,L]
</IfModule>

>>>If Someone steals your login

If someone has somehow gained access to your admin login and is making changes to your blog without your knowledge, create a new admin user and delete the existing one as soon as you sense that something is off. If he has deleted your blog content, consider restoring a fresh backup of your WordPress and then change the password of your admin account. After that, you should immediately create a new admin and delete the existing one. If you don’t have a backup, contact your hosting support and ask them to restore the latest backup of your hosting account.

>>>Backdoor access

It is one of the most horrendous faces of WordPress hacking which leaves you racking your brain. After all, how is someone getting access to your WordPress?

Update WordPress core

I am not talking about updating WordPress from the dashboard, but about replacing all WordPress core files manually via FTP or your hosting file manager. Download the latest copy of WordPress, extract the files, then upload them and replace all the files other than the wp-content folder. I repeat, don’t replace the wp-content folder, as it contains all your uploads, themes and plugins. Also create a backup of your wp-config.php and save it to your computer. After uploading and replacing all WordPress core files, copy the following information from your previous wp-config.php to the new wp-config.php:

  • database name
  • database host
  • database password
  • $table_prefix = 'wp_';  (here replace wp_ with the prefix in your previous wp-config.php)

This will make sure that your WordPress core is not infected anymore.

Now log in to your admin panel, reset your permalink structure to default and then set it back to your previous structure. This will create your .htaccess file.

Delete all the themes and plugins

Any theme or plugin may potentially work as a backdoor. So delete them all and download the latest versions of your theme and plugins to your WordPress. Keep in mind that if you are using a pirated theme or plugin, there is a high chance that it contains malicious code. So avoid using them.

Delete additional files in wp-content folder (other than uploads, updated theme and plugins)

There may be many other files in wp-content folder other than uploads, themes and plugins. You should delete them all.

Now scan your uploads folder

You need to scan the uploads folder for possible malware. Usually the uploads folder does not have PHP files, so delete all PHP files in the wp-content folder. Now, you may be wondering how you would find all possible PHP files in this folder, as your uploads folder is much larger.

How to find and remove PHP files in a specific folder:

1. Using cPanel file manager

You can do it with the cPanel file manager. Type .php in the search bar, select the current directory, and the file manager will show all the PHP files.

2. Using FileZilla file filter

FileZilla does an amazing job if you want to filter a specific file type and delete only that file type in bulk. Here is how to use the FileZilla file filter:

[Screenshots: FileZilla File Filter]
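
Where you have Python on the server, or a downloaded copy of the uploads folder, the same search can be scripted. This is an added example, not part of the original article; the sample tree is constructed, and the extension list is an assumption about what the server treats as PHP. It goes slightly beyond the text by also flagging files that carry a PHP opening tag under a non-PHP extension.

```python
import os
import tempfile

# Assumption: extensions a typical Apache/PHP setup may pass to the interpreter.
PHP_EXTENSIONS = {".php", ".php3", ".php4", ".php5", ".php7", ".phtml", ".phar"}
PHP_OPEN_TAG = b"<?php"

def scan_uploads(root):
    """Return sorted (relative_path, reason) pairs for files that need review."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            rel = os.path.relpath(path, root).replace(os.sep, "/")
            # Check every dot-separated part so "logo.php.png" is caught too.
            exts = {"." + part for part in name.lower().split(".")[1:]}
            if exts & PHP_EXTENSIONS:
                findings.append((rel, "php extension"))
                continue
            try:
                with open(path, "rb") as fh:
                    data = fh.read()
            except OSError:
                findings.append((rel, "unreadable"))
                continue
            if PHP_OPEN_TAG in data.lower():
                findings.append((rel, "php code in non-php file"))
    return sorted(findings)

def build_sample_tree(root):
    """Constructed sample data: a small fake uploads tree for the demo."""
    files = {
        "2016/10/photo.jpg": b"\xff\xd8\xff\xe0 constructed jpeg bytes",
        "2016/10/cache.php": b"<?php /* constructed placeholder */ ?>",
        "2016/09/logo.php.png": b"\x89PNG constructed",
        "2016/09/banner.gif": b"GIF89a <?php /* constructed placeholder */ ?>",
    }
    for rel, content in files.items():
        path = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "wb") as fh:
            fh.write(content)

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_tree(tmp)
        for rel, reason in scan_uploads(tmp):
            print(f"{reason:26} {rel}")
```

The script only lists candidates; review each one before deleting it.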

After cleaning your wp-content folder and reinstalling the theme and plugins, also install a security plugin named Anti-Malware and Brute-Force Security by ELI and then scan your WordPress with this plugin. This plugin can detect many known threats and trapdoors and fix them all. It can update your outdated timthumb script too.

Check for a hidden admin

Sometimes, after getting access via a backdoor, a hacker creates a hidden admin user and makes changes to your WordPress silently. You need to remove this user.

  • Go to WordPress admin dashboard > Users
  • Press Ctrl+U to show the source of that page and find the following line of code:
<tbody id="the-list" data-wp-lists='list:user'>
  • Here you will see all users, and every user will be shown like this:

<tr id='user-1'>

Where 1 is the ID of a user

  • Note all the user IDs from the page source and then match these IDs against the IDs on the user list page. If you find an ID that is not available in the users list, make a note of it.
  • Now go to your hosting account > phpMyAdmin, select your WordPress database, click on the table wp_users and go to the SQL tab
  • Here on the SQL tab, run the following SQL query to list all the admin users:
select * from wp_usermeta where meta_value LIKE '%administrator%';
  • This SQL query lists all the admin users with their IDs. Now delete any admin user who was not present in the users list in the admin dashboard and was probably found in the page source code
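
The comparison in the steps above can be scripted once the Users page source and the wp_usermeta rows are saved. This is an added example, not part of the original article; the page fragment, the rows and the default wp_ prefix are constructed assumptions. It narrows the match to the capabilities key, because a LIKE on every meta_value also returns rows such as a biography that merely mentions the word.

```python
import re

# Constructed sample: fragment of the saved Users page source (Ctrl+U).
USERS_PAGE_HTML = """
<tbody id="the-list" data-wp-lists='list:user'>
<tr id='user-1'><td class="username">alice</td></tr>
<tr id='user-4'><td class="username">bob</td></tr>
</tbody>
"""

# Constructed sample: rows exported from wp_usermeta as
# (user_id, meta_key, meta_value). Roles live under "<prefix>capabilities".
USERMETA_ROWS = [
    (1, "wp_capabilities", 'a:1:{s:13:"administrator";b:1;}'),
    (1, "description", "Site administrator since 2012"),
    (4, "wp_capabilities", 'a:1:{s:6:"editor";b:1;}'),
    (4, "description", "Reports to the administrator"),
    (9, "wp_capabilities", 'a:1:{s:13:"administrator";b:1;}'),
]

ROW_ID = re.compile(r"""<tr\s+id=["']user-(\d+)["']""")
ADMIN_ROLE = re.compile(r's:13:"administrator";b:1;')


def listed_user_ids(html):
    """User IDs rendered as rows in the dashboard's user table."""
    return {int(m) for m in ROW_ID.findall(html)}


def admin_user_ids(rows, prefix="wp_"):
    """User IDs whose capabilities row grants the administrator role."""
    key = prefix + "capabilities"
    return {uid for uid, meta_key, value in rows
            if meta_key == key and ADMIN_ROLE.search(value)}


def unlisted_admins(html, rows, prefix="wp_"):
    """Administrators in the database that the dashboard page did not list."""
    return sorted(admin_user_ids(rows, prefix) - listed_user_ids(html))


if __name__ == "__main__":
    print("admins in database:", sorted(admin_user_ids(USERMETA_ROWS)))
    print("admins missing from Users page:",
          unlisted_admins(USERS_PAGE_HTML, USERMETA_ROWS))
```

The Users screen is paginated, so on a site with many accounts save each page of the list before comparing.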

Check for a malicious user

If you have enabled user registration and there are many users on your WordPress website, zoom in on any suspicious user, even if it is only a subscriber. Some hackers register on your WordPress site and execute a malicious script by exploiting a vulnerability in a theme or plugin. You can use the Stop Spammers plugin to list spam users and subsequently delete them.

Stop PHP execution in wp-content/uploads and wp-includes directories

Create an .htaccess file and add the following code to it:

<Files *.php>
deny from all
</Files>

Then upload this file to the wp-includes and uploads folders. This will stop hackers from executing malicious PHP code in these directories.

If the odds are in your favor, we are quite sure that your WordPress will be clean and will have shaken off anything malicious after you have given this method a go.

How to remove a malicious or spammy link added to your posts content by hackers

Sometimes hackers inject their links in your database to get clicks on those links from your website. It may be fatal in terms of SEO as Google always keeps an eye on the outgoing links from your website.

Finding suspicious links

  • There is no foolproof way to find this kind of link, but you can catch them via your traffic analytics service, such as Jetpack-powered WordPress Stats or Google Analytics. Observe the out-clicks from your website, and if you find any link that appears suspicious, make a note of it.
  • Now go to WordPress dashboard > Tools > Export > Download XML file
  • Open this XML file in Notepad or any other text editor, use the “Find” option and look for the noted link
  • The link will appear highlighted, and you will be able to pick out its position.
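
The export file can also be checked in one pass instead of searching for one link at a time. This is an added example, not part of the original article: it reads the export XML, pulls every href out of the post bodies and groups the external hosts by the posts that link to them. The sample export and its host names are constructed.

```python
import re
import xml.etree.ElementTree as ET
from collections import defaultdict
from urllib.parse import urlparse

# Post bodies are stored in <content:encoded> elements of the export file.
CONTENT_NS = "{http://purl.org/rss/1.0/modules/content/}encoded"
HREF = re.compile(r"""href\s*=\s*["']([^"']+)["']""", re.IGNORECASE)

# Constructed sample: a minimal export file with two posts.
SAMPLE_WXR = """<rss version="2.0"
     xmlns:content="http://purl.org/rss/1.0/modules/content/">
<channel>
  <link>https://blog.example</link>
  <item>
    <title>Hello world</title>
    <content:encoded><![CDATA[<p><a href="https://blog.example/about">about</a>
    <a href="http://spam-links.example.net/buy">.</a></p>]]></content:encoded>
  </item>
  <item>
    <title>Second post</title>
    <content:encoded><![CDATA[<a href='http://spam-links.example.net/x'>x</a>
    <a href="https://partner.example.org/">partner</a>]]></content:encoded>
  </item>
</channel>
</rss>"""


def outbound_links(wxr_text):
    """Map each external host to the sorted post titles that link to it."""
    channel = ET.fromstring(wxr_text).find("channel")
    own_host = urlparse(channel.findtext("link", "")).hostname
    hosts = defaultdict(set)
    for item in channel.iter("item"):
        title = item.findtext("title", "(untitled)")
        body = item.findtext(CONTENT_NS) or ""
        for url in HREF.findall(body):
            host = urlparse(url).hostname
            # Skip relative links and links to the site's own host.
            if host and host != own_host:
                hosts[host].add(title)
    return {host: sorted(titles) for host, titles in hosts.items()}


if __name__ == "__main__":
    for host, titles in sorted(outbound_links(SAMPLE_WXR).items()):
        print(f"{host:28} {len(titles)} post(s): {', '.join(titles)}")
```

A host you do not recognise that shows up across many posts is the first thing to look at.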

Quick tips to safeguard your WordPress from malware and hackers

  • Always keep your theme, plugins and WordPress up to date
  • Only use plugins from verified authors, avoid using plugins from unknown sources
  • Use a reliable web hosting to host your WordPress
  • Use Sucuri website security plugin to tighten the security of your blog.
  • Disable PHP execution in the uploads folder (create a .htaccess file in the wp-content/uploads directory and add the following code to it):
<Files *.php>
deny from all
</Files>

Still unable to remove malware from WordPress? Consider the Sucuri Malware Removal Service. It is affordable and 100% effective. Sucuri’s professional team will kick the malware out of your WordPress.

About Shams

Shams, a professional blogger, has expertise in WordPress and Web Hosting. He is used to playing around with WordPress plugins, themes, web hosting services and some other innovative stuff regarding web design. He sifts out good stuff for web designers and reviews it to help them choose what they really need.

Being an energetic tech enthusiast, he regularly pens down breaking news and tutorials related to technology particularly Smartphones and other gadgets. Sometimes writes tech tips too. It was the dawn of Internet age when he started dabbling in it and has since been delving into the realm of the internet. He occupies a permanent burrow in virtual world.
