Everybody is aware pretty well that WordPress is an Open Source PHP CMS, which is highly vulnerable to the hacking all the time and no matter what you have implemented to protect your WordPress, there's no denying that it may anytime fall into the lurking hacker's prey. So anytime you need to rescue your website, it is of vital importance that you should be already familiar with the quick and sure-shot ways of salvage.

It is quite probable that you might be reading this article after your website has been hacked. So let’s cut to the chase and talk you through all the possible solutions and the ways to remove a possible malware from your blog;

There may be several ways in which WordPress is hacked

  • Someone steals your login – If someone gets hold of your admin login, he can do anything to your website. He can install malicious code, delete your blog content like posts, pages, themes, plugin, users etc.
  • Backdoor access – It is the most common way in which the hackers break into a WordPress website. There may be several loopholes which let a WordPress fall victim to the backdoor hacking:

A  poorly coded theme or plugin (better to stop using this kind of stuff and find an alternative)

A security breach in WordPress core (keep updating WordPress regularly)

A malicious plugin installed (use only well-reputed and top rated plugins)

A suddenly discovered vulnerability in some themes and plugins (for example timthumb script was found vulnerable back in 2012 and thousands of WordPress got hacked. Same thing happened with Revolution slider when a massive vulnerability was found in this plugin, though developer fixed it immediately yet there were many blog owners who wouldn't update plugins and thus their websites bore the brunt.)

  • A web hosting with poor security – Yes, of course, your web hosting may be positively responsible for the hacking of your WordPress, if it doesn’t have proper security tools such as firewall, Bruit force detection and a good security team who keeps an eye on such matters (use only reliable web hosts)

Guide to remove malware from WordPress

Take a full backup of your WordPress

If you have access to WordPress admin panel

Use Updraftplus plugin to take backup of your site files and database. Downlaod the backup to your computer

If you don't have access to WordPress dashboard

Use hosting file manager or FTP to download entire WordPress folder (specially …/wp-content/ folder and wp-config.php file). You will be lucky if you are using cPanel hosting as it is very easy to download large site with its file manager. all you need to do is creating a zip file of site and download it.

Read WordPress backup guide

Put your website in maintenance mode

It is highly recommended to put your site in maintenance mode so that hacker could not be able to access the site in the meantime. If you keep your site running, hacker may regain access.

Create a file maintenance.php in WordPress root folder

Enter the following code;

$protocol = “HTTP/1.0”;
if ( “HTTP/1.1” == $_SERVER[“SERVER_PROTOCOL”] )
$protocol = “HTTP/1.1”;
header( “$protocol 503 Service Unavailable”, true, 503 );
header( “Retry-After: 3600” );

Now open your .htaccess file and add the following code to it;

<IfModule mod_rewrite.c>
RewriteEngine on
RewriteCond %{REMOTE_ADDR} !^123\.456\.789\.000
RewriteCond %{REQUEST_URI} !/maintenance.php$ [NC]
RewriteCond %{REQUEST_URI} !\.(jpe?g?|png|gif) [NC]
RewriteRule .* /maintenance.php [R=302,L]


Request a full backup from your host

If you immediately come to know of your site being hacked, you can ask your hosting provider for the most recent backup of your website, which should be malware free. On restoring this backup, malware will be removed from your hosting account. But hold on, restoring malware free backup doesn't fix the vulnerable WordPress files which attackers use to barge in. To this end, you will have to manually update WordPress core, themes and plugins. These two steps, restoring malware-free backup and manual update, almost guarantee that you can now breathe a sigh of relief.
If even after tapping these, the problem remains unresolved, don't worry, we still have something to look to.

Change passwords

Change your hosting control panel password, WordPress database user password (don't forget to update changed password in wp-config.php file), admin panel password. If you dont have access to WordPress admin panel, change password via phpMyAdmin

Reinstall WordPress core

I am not talking of updating WordPress from dashboard but deleting and uplading all WordPress core files manually via FTP or hosting file manager. Download latest copy of WordPress, extract files, upload and replace all the files other than wp-content folder. I repeat, don’t replace wp-content folder as it contains all your uploads, themes and plugins. Also create a backup of your wp-config.php and save it to your computer. After uploading and replacing all WordPress core files, copy the following information from your previous wp-config.php to the new wp-config.php;

  • database name
  • database host
  • database password
  • $table_prefix = ‘wp_';  (here replace wp_ with the prefix in your previous wp-config.php)

This will make sure that your WordPress core is not infected anymore.

Now login to your admin panel and reset your permalink structure to default and then again set it to your previous. This will create your .htaccess file

Reinstall all plugins and theme

First make a list of all of your active WordPress plugins and theme

Potentially a theme or a plugin may work as a backdoor. So delete them all and download the latest theme and plugins to your WordPress. Keep in mind that if you are using pirated theme or any such plugin, there may be huge chances of one of them containing malicious code. So avoid using them.

Also make sure that no unknown php file or folder should be present in ……../wp-content/plugins/  …../wp-content/themes/  directory. If found, delete it.

Read how to reinstall plugins automatically with one click.

Delete additional files in wp-content folder

(other than uploads, updated theme and plugins)

There may be many other files in wp-content folder other than uploads, themes and plugins. You should delete them all.

Now scan your uploads folder

You need to scan the uploads folder for a possible malware. Usually uploads folder does not have php files . So delete all php files in wp-content folder. Now, you may be wondering how you would  find all possible php files in this folder as the size of your uploads folder is much larger.

How to find and remove php files in a specific folder;

1.Using cPanel file manager

You can do it with cPanel file manager. Type .php in search bar and select current directory and file manager will show all the php files

2.Using FileZilla file filter

FileZilla does amazing job if you want to filter specific file type and want to delete only specific file type in bulk. Here is how to use FileZilla file filter;

FileZilla File Filter

FileZilla File Filter1

FileZilla File Filter2

FileZilla File Filter3

FileZilla File Filter4

FileZilla File Filter5

Another way to discover php files in uploads folder is using Windows search. Download “uploads” folder in PC and use Windows explorer search to list php files.

After cleaning your wp-content folder and reinstalling the theme and plugins, also install a security plugin named Anti-Malware and Brute-Force Security by ELI and then scan your WordPress with this plugin. This plugin can detect many known threats and trapdoors and fix them all. It can update your outdated timthumb script too.


Check for a hidden admin

How to find and delete hidden admin user in WordPress

Some time after getting access via backdoor, a hacker creates a hidden admin user and make changes to your WordPress silently. You need to remove this user.

  • Go to WordPress admin dashboard > Users
  • Press Ctrl+U to show the source of that page and find the following line of code;
<tbody id=”the-list” data-wp-lists='list:user'>
  • Here you will see all users and every user will be shown like this;

<tr id='user-1′>

Where 1 is the ID of a user

  • Note all the user IDs from the page source and then match up these IDs with the IDs on the user list page. If you find an ID that is not available in the users list then make a note of it.
  • Now go to your hosting account > phpMyadmin and select your WordPress database, click on the table wp-users and go to SQL tab
  • Here on SQL tab, run the following SQL query to list all the admin users;
select * from wp_usermeta where meta_value LIKE ‘%administrator%';

Here replace wp_ with the table prefix of your WordPress

  • this SQL query lists all the admin users with their IDs. Now delete any admin user who was not present in the users list in admin dashboard and probably found in page source code

Check for a malicious user

If you have enabled user registration and there are many users on your WordPress website, zoom in on a suspicious user even if it is a user subscribed user. Some hackers register on your WordPress and execute malicious script exploiting any vulnerability in theme or any plugin. You can use Stop Spammers plugin to list spam users and subsequently delete them.

Stop PHP execution in wp-content/uploads and wp-includes directories

Create an .htaccess file and add the following code to it;

<Files *.php> deny from all </Files>

Then upload this file to wp-includes and uploads folder. This will stop hackers from executing malicious PHP code in these directories

If odds are in your favor, we are quite sure that Your WordPress should be unhacked and have shaken off anything malicious after you have given this method a go.

Final Step –  Use Wordfence and Cerber Security WordPress plugins

Wordfence and Cerber Security (install them from WordPress repository) are amazing free security plugins for WordPress and they not only harden WordPress security but also patches security holes and vulnerabilities in WordPress. With the help of these plugins we can keep our self hosted WordPress safe 99%.

How to remove a malicious or spammy link added to your posts content by hackers

Sometimes hackers inject their links in your database to get clicks on those links from your website. It may be fatal in terms of SEO as Google always keeps an eye on the outgoing links from your website.

Finding suspicious links

  • There is no foolproof way to find this kind of links but you can catch them via your traffic analytics service such as Jetpack powered WordPress Stats or Google Analytics. Observe out-clicks from your website and if you find any link that appears suspicious, make a note of it.
  • Now go to WordPress dashboard > Tool > Export > Download XML file
  • Open this XML file in notepad or any other text editor and now use “Find” option and look for the noted link
  • This link will appear highlighted and you will pick out the position of that link.

Quick tips to safeguard your WordPress from malwares and hackers

  • Always keep your theme, plugins and WordPress up to date
  • Only use plugins from verified authors, avoid using plugins from unknown sources
  • Use a reliable web hosting to host your WordPress
  • Use Sucuri website security plugin to tighten the security of your blog.
  • Disable php execution in uploads folder (create a .htaccess file in wp-content/uploads directory and add the following code to it;
<Files *.php>
deny from all

Have questions regarding this post? Write us in comment section and we will reply as soon as possible.

About Shams

Shams, a professional blogger, has expertise in WordPress and Web Hosting. He is used to playing around with WordPress plugins, themes, web hosting services and some other innovative stuff regarding web design. He sifts out good stuff for web designers and reviews it to help them choose what they really need.

Being an energetic tech enthusiast, he regularly pens down breaking news and tutorials related to technology particularly Smartphones and other gadgets. Sometimes writes tech tips too. It was the dawn of Internet age when he started dabbling in it and has since been delving into the realm of the internet. He occupies a permanent burrow in virtual world.

He can be reached at.- here