Malware is short for ‘malicious software’. It is an umbrella term used to describe various computer applications designed to infiltrate websites, PCs, smartphones and other platforms. These applications have many purposes, including stealing personal information, redirecting traffic to illicit websites, disrupting a website’s functionality and extorting money.
Lots of people – including lots of business owners – have heard of malware. But most tend to associate it strictly with email attachments or links that, when clicked on or opened, download a trojan horse type of program to their PC or phone.
As such, when customers come to us for help in dealing with a malfunctioning WordPress site they are often surprised when we tell them the problem is malware.
How Malware Gains Access to a WordPress Site
Malware typically infects a PC or smartphone when a person clicks on an innocent-looking but malicious link or when they open what seems like a harmless email attachment. Gaining access to the core of a WordPress site is a little more complicated.
The Importance of Staying Up-to-Date
WordPress is constantly updating its core coding to reflect technological advances and to respond to security threats. If you own or run a WordPress site you have no doubt received plenty of notifications urging you to update to the most recent version of the program.
Unfortunately, people often ignore such messages. Maybe it’s because they don’t have time to conduct site maintenance. Maybe they just assume it’s not a pressing issue. But it is. By running an outdated version of WordPress you are opening the door to cyber-weasels who spend their lives scouring the internet searching for vulnerabilities they can exploit.
They have had plenty of time to pick apart old versions of WordPress and invariably they discover some tiny vulnerability they can exploit. Now all they have to do is find a site running an old version of WP. If that is your site, look out! Once hackers find a way into your website the entire online component of your business is at their mercy.
What Malware Can Do
You may wake up one day to find someone has shut down your site and is demanding a huge cash payment to release it. Or you may discover that someone has stolen your customers’ personal information and is using it for nefarious purposes. Or you may discover that a virus is slowly grinding your website into cyber-dust. The question then becomes “How can I remove malware from my WordPress website?”
Remove Malware from a WordPress Site Part 1: Finding the Infection
At Belov Digital Agency we are experts at securing WordPress websites from hackers. We’re also experts at helping companies whose sites have fallen victim to malware get back on their feet stronger and better than ever.
Not every infection is the same, but they all share one of two basic objectives:
- To exploit weaknesses in your website’s defenses for their own gain, or
- To undermine the integrity of your website because it gives them some sort of perverse pleasure to do so.
Once you become aware something is amiss with your WordPress site, it’s vital that you take action as soon as possible. This will enable you to mitigate the damage and set you on a course to recovery before you start losing customers or your reputation takes a hit.
As we mentioned, not every malware infection is the same. But as a general rule, these are the steps that are necessary to clear one from your WordPress site.
Identify the Nature and Location of the Attack
No mitigation efforts can proceed until the infected files are located and the nature of the attack is identified. The first step in doing so typically involves checking the integrity of your core files. WordPress core files are not intended to be modified. Therefore, if you check these files and discover some have recently been altered then odds are good you have located the source of the problem.
Check Core Files Using SFTP
The simplest way to check the integrity of your core files is to log into your site using SFTP. SFTP stands for ‘Secure File Transfer Protocol’. It is a successor to FTP and enables site owners and administrators to move sensitive files back and forth without compromising their security.
Note: Even a free FTP program like Filezilla is capable of SFTP these days. So there is no excuse for not using it.
Once you have logged into your WordPress site using SFTP look in the ‘last modified date’ column for all the core files. This will tell you which files (if any) have recently been revised.
Any files whose last modified date differs from the majority of files should be considered suspicious. If you notice any such files, ask yourself if the modification date coincides with when you started to notice problems. If it does, you have likely located the source of the infection.
If, however, a check of the core files indicates nothing has been added, removed, deleted or otherwise modified then the problem is not with your core files. But don’t worry, you still have other ways to locate the source of the problem
Use Google Transparency Report
When a WordPress site has been compromised by a virus or other form of malware Google will flag it as unsafe. Once that happens anyone who visits your site will see a red page with an alarming message saying something to the effect that the site has been flagged for malware.
It may, in fact, be this warning page that alerted you something was wrong. So going to the source (i.e. Google) to find out what prompted this page to appear is a logical course of action. Here’s how you do that:
- Go to the Google Transparency Report website.
- Enter the URL of your website then click the search icon.
- If there is a problem Google will indicate the website is ‘dangerous’ and provide some details on why.
For instance:
- It may indicate that redirects have been installed on your pages that send visitors to other dangerous websites.
- Or it may indicate that if you access certain pages you will inadvertently download malware to your PC or smartphone.
- Or, it may alert you to popups designed to get you to click through to other sites.
But whether you see one or all of the above warnings, (or something different), the point is the Transparency Report can help you identify the problem and perhaps locate it at the same time.
Use Google Search Console
You might also try going to Google Search Console to obtain information on the state of your website. The process is much the same as using the Transparency Report:
- Log into Search Console.
- Click on ‘URL Inspection’ in the left-hand column.
- Enter the URL of any page of your website and click the search icon.
Search Console will return relevant information about the page, including any problems and the nature of those problems, much like the Transparency Report.
Once you have identified the location and nature of the problem you are ready to take steps to remove the malware from your website. Keep in mind that some of the steps we are about to lay out may require knowledge of PHP, familiarity with database tables and other forms of expertise. If you require assistance contact the pros at Belov Digital.
Remove Malware from a WordPress Site Part 2: Removing the Infection
If you have determined that your core files are the source of your malware infection it is possible to repair the damage by manually replacing the affected files. However, before you start make sure that you create a backup of your site. Read our post about backups to learn how to do that.
Once you have completed the backup it is time to replace the infected files with clean copies from the WordPress repository. Also, if you have clean backups of custom source files now is the time to dust them off and use them.
Here is the process for removing and replacing infected source files.
- Log in using SFTP.
- Even though some files are infected, create a backup of the site anyway in case something goes wrong during the file replacement process.
- Delete the files you suspect of being infected.
- Replace the deleted files with clean copies from the WordPress repository.
- Replace any custom files you had to delete with clean copies from your own records.
- If you do not have clean copies of the affected custom files then open each infected custom file in a text editor and remove any suspicious code manually.
- Once the changes have been made test the website to see if it works properly.
Clean Up Database Tables
Working with WordPress database tables is a process that is fraught with potential problems. If you suspect you have infected database files, but you have never worked with database tables before, we strongly advise that you contact a professional.
That said, to access your WordPress database and remove infected files:
- Log in to the database admin panel of your WordPress site.
- Make sure you make a backup of the database before initiating changes.
- Search the database for red flags such as outgoing links, unrelated keywords and more.
- Open the database table that contains the questionable content.
- Remove any and all suspicious content, being careful to leave everything else intact.
- Save changes.
- Go to your website and test to make sure it is working properly.
Eliminate Possible Access Points
Many hackers are not content to simply plant malware on your site. Some want round-the-clock unfettered access to your site in order to carry out their nefarious agenda. It’s important that you eliminate any and all of their access points before you declare your site healthy.
One of the most common methods hackers employ to gain access is to set up their own user accounts. Fortunately, eliminating these phony user accounts is fairly easy to do.
- Login to your WordPress site as an admin.
- Click the ‘Users’ link.
- Look for user accounts you do not recognize.
- Delete any such accounts and save changes.
At this point, it may also be a good idea to change the passwords on all user accounts in case the hacker has gained access to them.
Using a Plugin to Remove Malware
If using the above method to clean up your site does not appeal to you, you can try using a plugin. Be aware, though, that a plugin will only work if you still have access to the ‘admin’ area of your WordPress site. If the infection has locked you out a plugin is not an option.
There are numerous plugins that can help you remove malware and restore the integrity of your WordPress site. To set one up follow these steps:
- Log in to your site.
- Click ‘Plugins’ on the dashboard menu.
- Enter ‘remove malware’ in the search box on the plugins page.
- Select the plugin that appeals to you.
- Click ‘install’ and then ‘activate’.
That’s it you are ready to roll.
A word of caution, however. You will need to be absolutely sure the plugin is compatible with the version of WordPress your site is running. If it is not, it may not remove the infection completely.
Also, be aware that the more plugins you add the greater the chance that they will conflict with one another and possibly create a slew of new problems that Google will find unacceptable.
Retest Your Site Using Google Transparency Report
Regardless of which method you use to clean your site, once you are reasonably certain you have eliminated the infection go back to the Google Transparency Report website and retest your site. If everything comes up roses, congratulations!
Update Your Website Status with Google
Even though you have managed to remove the malware from your WordPress site your work is not quite done. You will still need to contact Google directly and ask them to remove that big red warning page and return your website to the ‘safe’ column. To do this:
- Login to Google Search Console.
- In the left-hand column, you will see a link for ‘Security & Manual Actions’. Click it.
- A dropdown menu will appear.
- Select ‘Security Issues’ from this dropdown menu.
- Clicking Security Issues will bring up the report that indicated your site was unsafe.
- Find the link that says ‘Request a review’ and click it.
Be as sure as possible that your website is completely clean before requesting a review. Should Google find more problems you will not be able to request another review for a full 30 days.
Conclusion
Despite its popularity and its reputation for being the most secure CMS, WordPress is still a product of computer code. That means it is a prime target for hackers who don’t care how much time and effort you’ve put into carefully constructing your web presence.
If you have reason to believe your WordPress site has been infected with malware, use the above information to remove the infection, or contact the professionals at Belov Digital Agency for help.