“When you think you’re safe is precisely when you’re most vulnerable.” This quote comes to mind when we think of security in a WordPress site. According to The Wordfence Threat Report, every minute there are around 90,000 attackers targeting WordPress. Among these attacks, the one persistent threat is malware attacks. Malware attacks cannot be taken lightly in any scenario. The risk is your whole website and business being compromised, which is a big deal. The threat of malware infections to your WordPress website looms large. Now, the good news is that ,even if you have already been hacked, you can still clear out malware infections and have a malware-free WordPress website by following the steps we will cover in this article.

There are multiple ways of preventing attacks as well as recovering from an attack. While precautions are necessary to avoid getting infected, these alone won’t guarantee safety—it is important to keep performing regular security scans. In this article we will cover all these topics, beginning with explaining what malware is, how and where it can come from, how to detect malware, and finally what steps we need to take in order to maintain a malware-free WordPress website.

So let’s begin.

What is malware?

In simple terms, malware is malicious software that is used to leverage a site’s weaknesses for various harmful activities. Malware can wreck a WordPress site’s performance at all levels. Malware encompasses all types of viruses like trojans, viruses, and worms that are intended to bring harm to the computer or the overall network. So, from the web server to the user experience, and even the site’s SEO performance, everything is undermined.

Some of the prominent risks posed by malware include the following:

• A compromised server means the hacker is partially or entirely using your server resources to their advantage.
• Unwanted changes to your content or site, whether something is added or removed without your permission. Malware can enable hackers to use your server resources to attack other websites.
• A type of Malware called keylogger can record keystrokes that are entered by a user and thus steal sensitive information like username and passwords, which can then be used for illegally accessing and misusing accounts.
• Unsolicited bulk emails, also known as spam, containing suspicious links can be sent from your site.
• Google will mark your website as unsafe when someone tries to access it and its ranking will fall.
• Your URL gets redirected to untrustworthy websites promoting scams, inappropriate content, or malicious ads.
• The website’s address will get redirected to various unwanted, unauthorized, and untrustworthy web pages containing spam, adware, and mature content.
• When your visitors make a request to load a page from your site, hackers may fetch files from other servers and load them along with your page. This can damage your site’s performance because the whole process is time-consuming.
• Hackers infect websites with malware and install cryptocurrency miners. They use your visitors’ browsers to mine cryptocurrency every time they open your site.

As you can see, keeping your security up to date and knowing how to remove malware from a WordPress site is an absolute must!

When should you scan your site for malware?

A malware scan is just like a normal virus scan that we run on our systems capable of alerting us of any potential dangers. In the same way, a malware scan will alert you to any hidden nasties such as trojans, worms, spyware, and viruses, as well as warn you if your site has been blacklisted or is redirecting to suspicious sites. Manual methods of malware removal require quite a bit of expertise and are usually time-consuming, but they can give you insights into where the breach happened. A simpler way to detect and remove malware would be to use a security plugin instead.

Regular scans with security plugins are the best way to tackle and prevent malware attacks. One good practice is to run the scan every time you install a new plugin or upload files that change the structure of your website. One more good practice is to use Two-Factor-Authentication for your login to avoid unauthorized access and maintain a malware-free WordPress website.

How to clean malware from your WordPress site

If you’ve already been hacked, the good news is that you can clear out the malware infections in WordPress by following the steps we’re about to cover. Basically, keeping your security up to date and knowing how to remove malware from a WordPress site is an absolute must. 

Back up your website files using FTP client or cPanel

Before changing anything in your website or its files, it is important to back everything up. This includes the website files as well as the database. The simplest way of doing this is logging onto the FTP or the cPanel, navigating to the website root folder and from there to the public_html directory. Then, compress the whole folder to download it easily. You could also use the backup option of the cPanel and download the database from phpMyAdmin as well. One of the simplest and most powerful FTP clients is FileZilla. If you have access to your website, you can simply use a backup plugin like UpdraftPlus, Backup Buddy, or VaultPress to save time.

Scan your system with an antivirus software

While running a scan on your own computer’s entire system is beneficial, we suggest you start with the backup folder you saved in the first step. This is a good place to start from and the most effective way to find malwares. Extract the backup to some folder and run a full scan on it locally. Using antivirus tools like Avast, Kaspersky,or even the default Windows Defender (in case you’re a Windows user like me) is enough. If the scan succeeds in detecting malicious files and content, remove it and then reupload the files back to your website. Don’t forget to change your FTP credentials as well as a precaution.

Scan your website for malware using an online tool

If the above method hasn’t yielded any success, the next step you can take is to run a scan using an online tool. There are tools like Google Webmaster VirusTotal or Sucuri available that can scan the HTML output of your site. This is useful because security plugins are generally unable to do so. You simply put your site’s URL in these online tools and let them scan. They will find any code that is being injected into the HTML output. Usually combining an online tool with a security plugin is the best practice. Thus, while security plugins will be able to detect any issues in codes and databases, online tools will check for other vulnerabilities.

List files by modification date

One simple, fast and reliable technique to detect or find potentially dangerous files is to access the site files via FTP and sort all files by modification date. This way you’ll see files that have been modified recently. The files that have a recent modification date have potentially been tampered with, so if the changes are recent and not made by you, it may be a sign that this recent code is causing the problem.

The only problem with this method is that it requires checking each file inside each folder of the site one by one to locate the infected files. This task could be very cumbersome if the malicious code is larger and a great number of files have been affected.

Reinstall WordPress core files and plugins

One more step you can take if the above steps don’t yield any results is to redownload WordPress and reupload the content to your website via FTP or the file manager.

You can do that by going to your file manager once you’ve downloaded fresh WordPress files from WordPress.org. Extract the zip somewhere and delete the wp-content folder. Open the wp-config.php file to edit and make sure that there aren’t any strange lines of codes, such as a long string of random text.

To be totally sure everything belongs, you can compare your config file with the default one called wp-config-sample.php. Copy everything else besides the zip file to public_html.

Alternatively, you can use cPanel’s one-click installer and edit the database credentials in the wp-config.php file to point it to your new installation.

Find the malicious user

If you are registered and your WordPress website has many users, some hackers register on your WordPress website and execute malicious scripts exploiting any vulnerability in the theme or plugin. You can check for users you don’t recognize or those you didn’t add and thus you can stop spammers from spamming and delete them.

How to remove malware from WordPress using a plugin

If you prefer a quicker way to scan and remove malware from your WordPress website without needing technical acumen and can afford a premium service, you can go the other way and choose a security plugin. As with every other kind of plugin, WordPress has a large collection of premium security plugins.

Wordfence Security Plugin

Wordfence security plugin is one of the most popular WordPress security plugins with a free version as well. The free version is available from the WordPress plugin repository. 

When I said it is the most popular, I meant it: Wordfence has more than 3 million active installs, which makes it the most trustworthy security plugin. It comes with a lot of features, including a basic and extended firewall.

It is recommended that you use the free version first. Wordfence will begin searching your website for malware, file changes, and more. It can take a while for this process to finish. You can monitor the progress via the timeline on the scanning screen.

Once the scan is complete, you’ll see a detailed breakdown of the results.

Wordfence helps many users to clean and secure their sites. It has both a free and a paid version with monthly subscriptions. Its malware definition and signatures are updated daily, making this the best plugin for scanning and securing a malware-free WordPress website.

Wordfence firewall is the best firewall plugin available on the market. It helps to prevent brute force and other attacks on your WordPress site.

Sucuri

Sucuri is one of the comprehensive malware removal plugins for WordPress. Sucri even has its own guide for malware removal. The free version of Sucuri is also available in the WordPress plugin repository. The premium includes server-side scanning while the free version has remote scanning, which means the free version is able to detect on-site malicious code and the premium version will also check for malware on the back-end. The premium version also includes a firewall setup on your website.

Sucuri is very useful for post-hack activities. It helps you reset salt keys, which expire all login and cookies worldwide, and provides single click plugin reset without having to manually delete or install the plugin again. We can also check if our site was blacklisted by Google or other search engines, plus any antivirus programs. Sucuri also provides a premium WordPress firewall for protecting the site against DDoS and other attacks.

After your site is integrated with Sucuri’s API service, go to Dashboard > Refresh Malware Scan. After running the scan, the program will display a file log with any suspicious files flagged. You can select it and perform whichever action you prefer.

iThemes Security plugin

iThemes Security plugin is one of the oldest and most widely used security plugins on the market. This plugin also comes with a free and a premium version. Both versions include tons of great features that provide professional security for your site. iThemes Security automatically scans for possible vulnerabilities and fixes them. It prevents brute force attacks by blocking attackers trying to log in at various times using brute force algorithms. iThemes Security is one of the best security plugins available today and has over 900k active installs. The plugin receives regular updates, which is paramount for enabling a security plugin to tackle new vulnerabilities.

Conclusion

Malware is a persistent threat to the security of WordPress websites. Performing regular scans and being alert is the way to protect your data and business, making it easy to ensure a malware-free WordPress website. While covering in detail how to remove malware from a WordPress site, we showed you two methods:

Manual removal, for which you need to:

• Back up your site.
• Use antivirus and malware scanning software on the backup locally.
• Eliminate malware by tweaking your WordPress files and deleting old or suspicious ones.
• Reset all user passwords and check for suspicious users.
• Reinstall plugins and themes.

Automatic method, which uses plugins to fix the issues and improve your site’s security, involves the following:

• Install one of the WordPress security plugins.
• Back up your WordPress site.
• Run a scan and delete malware files.
• Take steps to secure your site thoroughly.
• Run regular scans and keep the plugins up to date.