WordPress Malware Removal: Fixing a Hacked Website
by Adam Watts
If your WordPress website has been hacked, simply clearing off the malware isn't enough. Hackers have your number and they'll keep on getting in through your broken code until you fix it. I've put together this short (haha) list of steps to go through in fixing and properly securing a WordPress website after being hit by an attack:
It should be noted that many of these steps will require access to your hosting account's control panel. Programming experience and a file transfer program such as Filezilla or CuteFTP are recommended as well.
Step 1: Backup Your Site & Remove the Malware
Make Backups of your database and 'wp-content' folder as well as your 'wp-config.txt' file in the root of your WordPress website and export all of your content from your admin dashboard (if you can access it) using the wp-importer/exporter plugin
(Make sure you don't lose any data)
For extra safety, take screenshots of the 'Settings' screens and copy widget contents into a text file
(Widgets and settings aren't carried over in the export file, so you'll have to re-input these manually, unfortunately)
Ask your host to do a malware scan and send you the results
(You'll need the results to find the files that are infected in your 'wp-content' folder)
Fix infected files in your backup of your site's wp-content folder and clear the bad code and/or files
(This can be time consuming, but the rest of the steps are useless if you upload infected files back in to your new install)
Delete ALL of your old WordPress files and upload a fresh version of WordPress via FTP to the root
(Don't worry - as long as you've made backups as directed in step 1, all of your content is safe)
Change the name of the folder 'wordpress' to something you wouldn't name a post, page or category (eg. your_files)
(Naming this folder is for security, so use something that isn't easy to guess. Random strings are best)
Upload your cleaned wp-content folder to the new install location (eg. /your_files/wp-content/)
(NOT at the root, but within the renamed 'wordpress' folder)
Copy index.php inside your WordPress main directory (eg. /your_files/index.php ) - Paste it into your root. You should now have an 'index.php' file at '/' and at '/your_files/'
(Make sure not to delete the index.php file in the renamed 'wordpress' folder)
Open index.php from your root '/' directory and change the line that reads: '/wp-blog-header.php' to '/your_files/wp-blog-header.php' (substituting 'your_files' for whatever you named your folder that contains WordPress)
(This tells WordPress that your website page base is the root, while your WordPress base is hidden in your renamed 'wordpress' folder)
Log in to your hosting control panel and change your FTP password as well as your Hosting Login Password and MySQL Password. Note your server settings for the next step
(Changing your passwords is important - with access to your WordPress install, intruders can easily find your server settings)
Step 2: Setup a Secure WordPress Install
Open the 'wp-config-sample.php' file in your '/your_files/' directory and add your server information
Change 'wp_' under database settings to something different. Choosing something random is best (eg. 'rsxrj_')
Make sure 'WP_DEBUG' is set to false and set your WordPress Salts (you can find them here: https://api.wordpress.org/secret-key/1.1/salt/) - then save this file and upload it back to the server. Now rename it 'wp-config.php'
Visit your website (eg. http://www.yoursite.com/) and you should see a WordPress Install Screen, prompting you to install a new version of WordPress. Create a Username Password combo. Make sure you change from the default 'admin' user
Log in to your new installation at 'http://www.yoursite.com/your_files/wp-login.php' and set your theme, activate plugins and site preferences and your site is ready to go.
Hiccups and Issues?
If your media library isn't showing your content, upload your 'wp-content/uploads' directory from the malware-free files and your site should be back to normal and more secure than ever.
(Make sure to secure this directory with folder permissions '755' and file permissions '644')
If your site is displaying a different look, make sure your theme is activated.
If you're seeing shortcodes printed on screen instead of the content they should be creating, make sure all of your required plugins are activated.
If you get a server error when visiting any pages other than the homepage, set or re-save your permalinks.
Some Words from Our Clients
Hubert De Veau
a year ago
Adam is a super knowledgeable, extremely detailed person. He answered all my questions and helped me with a huge real estate project in one simple email.