Last Updated on April 20, 2022 by WP Knowledge Hub
If your WordPress website was compromised, you will most likely see some odd behaviour coming from your site. You might notice strange links on your website, unwanted ads, some pages might not load, your Google search results might be hijacked, and all sort of other things that are terrible for business. If you’re not sure your WordPress website has been hacked, check out this guide!
How to Remove Malware and Scan for Viruses in WordPress.
The first thing you need to do is confirm that your WordPress website has indeed been hacked. In order to do this, the first step is to scan your site by either using a free service like Sucuri SiteCheck or, use the number 1 rated security plugin for WordPress called Wordfence. Wordfence, the Leader in WordPress Security, offers a free version of the plugin which does a great job out of the box, but for those whose website up-time is mission-critical, they offer paid plans with quick resolution times for cleaning a hacked site.
How to Scan WordPress for Malware with Sucuri SiteCheck:
Head on over to the free website malware scanner tool at https://sitecheck.sucuri.net, and type in your website. If your website is clean, the results should look something like this:
If not, you have a problem! But keep in mind that just because Sucuri’s SiteChecker did not find any issues, it doesn’t necessarily mean that they don’t exist. It might just not have found the malware or virus, or other hacking measures for a different number of reasons. They might be too sophisticated for this basic free tool, they might be brand new hacking methods that are not yet registered in Sucuri’s database, or there could be malicious users manually logging in and changing things, without alerting any security checks.
How to Scan WordPress using the Wordfence Security Plugin:
Wordfence is another essential tool for WordPress websites since it not only protects your website at all times from malicious login attempts and suspicious bot behaviors, but it also allows you to do a pretty thorough scan, for free! To scan your website with Wordfence, you must first install the plugin.
Go to Plugins > Add New > and search for Wordfence. Intstall it, then activate it, then go to Wordfence > Scan > START NEW SCAN:
Wordfence is great because it scans the website for malware (including the WordPress core files), but it also provides insight about other things like the server state, file changes, content safety, and also tells you if plugin have been abandoned by third-party developers. This is super important since WordPress plugins need to be updated frequently to be considered “safe”.
How to Remove Malware from Your WordPress Website
Now that you know with confidence that you have a hacking problem, it’s time to decide how you want to clean your website. There are several ways you can do this:
- Hire a professional service
- Restore a backup
- Clean it manually
1. Hire a Professional Service
Sucuri offers many plans to clean up your website and keep your site safe from future hacks. Fix your hacked website fast with 24/7 access to a security team and no hidden costs.
For a similar price, you can also hire the team behind the Wordfence security plugin and purchase Wordfence Care. If you have a hacked website or suspect you have a security problem on your WordPress website, Wordfence provides hands-on support via Wordfence Care and Wordfence Response products, including full incident response services.
Honestly, give yourself peace of mind by choosing to do this if your online presence is important to the success of your business. While manually cleaning up your website by yourself might sound like a better, cheaper solution, it’s really hard to find all the hidden junk code that can re-infect your website over and over.
2. Restore a Backup
Another simple way to clean-up a hacked WordPress website is by restoring a backup. This only works if you catch the hack in time, allowing your host to restore a previous copy of the website, by rolling it back a few days. Keep in mind that if you write a lot of content or make lots of changes to the website on a daily basis, you will lose all the progress you’ve made since the day of the backup that’s being restored.
If you host your website with a reliable host, they will typically do backups weekly and hold on to them for at least two weeks. This means, if your website has been hacked less than two weeks ago, there’s a good chance you may be able to restore a previous version before it was infected with malware.
If you’re not sure about backups, please read this guide.
3. Clean Your Hacked WordPress Website Manually
Replace Core WordPress Files
If the malware infection is in the core files doing this will overwrite the virus. Just DO NOT overwrite your wp-config.php file or wp-content folder. You should really do (or make sure you have) a backup of everything before attempting this.
You can download a fresh copy of the latest version of WordPress here, and overwrite all files in your server via your hosting panel’s File Manager, or by using an FTP client like FileZilla.
Clean Hacked Database Tables
To remove a malware infection from your WordPress database, use your database admin panel to connect to the database. Make sure you have a backup of you database before attempting this as well.
How to manually remove a malware infection from your WordPress files:
- Log into your database using phpMyAdmin
- Search for suspicious content
- Open the tables that contain any suspicious content
- Remove it
Check the Theme Files
The most common files for hacks to occur will be the index.php templates of your WordPress theme, and the functions.php template. Start by scanning these templates from top to bottom and look for any code that looks like this (or similar junky code wrapped in a php tag) and remove it:
Check WordPress User Accounts
If your website allows users to freely register and you have hundreds or thousands of users or more, it might be impossible to notice malicious users from normal ones. But in most cases, WordPress’ open registration is turned off by default, meaning you should only have users you know in the Users tab of your WordPress dashboard.
Go to Users and check for any usernames or email addresses you don’t know. If you can confirm that these people should not be registered, they may be the hackers and they need to be deleted immediately, and all associated content should be deleted as well.
Check for Hidden Backdoors in Your WordPress Site
Whenever your site is hacked, hackers will try to find a way back in. In most cases, we find multiple backdoors of various types in hacked WordPress websites.
Backdoors are commonly embedded in files named similar to WordPress core files but located in the wrong directories. Attackers can also inject backdoors into files like wp-config.php and directories like wp-content/themes, wp-content/plugins, and wp-content/uploads.
Look for any files that contain some of these PHP functions:
- base64
- str_rot13
- gzuncompress
- eval
- exec
- system
- assert
- stripslashes
- preg_replace (with /e/)
- move_uploaded_file
Plugins can also use these functions legitimately, so be sure to test any changes because dangerous functions can be removed or malicious code not removed, which could damage your site.
Protect Your WordPress Website From Future Hacks
Here are some things you can do to make sure you never get hacked again:
- Reset user passwords
- Reset your hosting account passwords
- Reset your database and database user passwords
- Update all WordPress versions, themes and plugins to the latest version
- Remove any abandoned plugin from your website
- Install a security plugin like Wordfence
- Use a firewall, like the one from Wordfence, or one provided by your web host
