Having your website hacked and trying to salvage something from the ashes can be a harrowing experience. It seems there are no two hacks that manifest in the same way, so having a set routine for malware and/or virus removal is pretty much impossible.

We’ve just completed another cleanup this week on a site that was infected with Trojans and sat unnoticed for months. During this time it was blacklisted by Google and other service providers, so most popular browsers warned visitors away from it. The site sat functioning as a spam email machine for weeks until the hosting company stepped in.

Here’s the routine we went through to get this website cleaned up and back online. In this instance there were no usable backups. It’s written as a guide, so if you get hacked and you have a fairly good level of WordPress and server admin skill, you can use the procedure below:

  • Put your own computer on a defensive footing before you touch anything: make sure the OS and anti-malware are fully patched, download the infected files into a quarantined folder, and don’t open or execute anything you pull down from the server.
  • Connect to the server (SFTP if your host offers it, since plain FTP sends your password in the clear) and remove the obviously rogue files. The quick first pass is to sort by date and look at the most recently added files, which are often those planted by the malware, but don’t rely on that alone: attackers can set a file’s timestamp to match the files around it. You’ll easily recognize non-core files if you have experience of working with WordPress core, and don’t forget to set your FTP client to show hidden files such as .htaccess!
  • Regain access to the WordPress admin by changing the password via phpMyAdmin: open the wp_users table, edit your admin row, and set user_pass to the MD5 of a new password (phpMyAdmin offers MD5 in the function dropdown). WordPress accepts a plain MD5 hash in that column and upgrades it to its normal hash on your first login. If you don’t have access to phpMyAdmin through cPanel and you can’t log in to the site then you’re going to have issues with the repair.
  • After a successful admin login, go to Users in the WP control panel and change all admin passwords, then update the passwords for every account with higher than subscriber level access. Delete any admin accounts you didn’t create; you will likely find one or more. We recommend using the WordPress ‘suggest a password’ tool inside User accounts for the most secure level of admin password.
  • Next, install the Sucuri scanner and run a system scan. Be wary when reading scanner reports: much of what a remote scanner reports comes from blacklist data such as Google’s Safe Browsing list, so a site can still show as infected after it’s been cleaned until those lists are refreshed.
  • After determining whether there has been any impact on the database, it’s time to remove all files from the web root on the server.
  • First, backup any files outside of WordPress, like image and media directories and scan them manually on your PC.
  • Then make a list of all of the plugins and download fresh copies from WordPress.org. For premium plugins you may need a valid licence before the vendor will let you download a clean copy. Never reuse the copies sitting on the compromised server.
  • Then acquire a clean copy of the theme from the theme source. 
  • Now take a backup of the uploads folder in wp-content and scan it on your PC as well. Open each sub folder and remove any rogue files. The sub folders should contain nothing but media, so delete anything that isn’t an image or other media file; a .php file anywhere under uploads is a red flag.
  • Now take a copy of the wp-config.php file and inspect it for any compromises. Reset the authentication keys and salts in this file if they look tampered with (fresh values are available from https://api.wordpress.org/secret-key/1.1/salt/); doing so logs out every existing session, which is what you want. Ensure also that DB_NAME and DB_HOST point to the actual WP database, and that the only file it includes is wp-settings.php, since a planted include or require line is a common way to reload a backdoor after cleanup.
  • Inspect the .htaccess file if you’re running on an Apache server. You’ll know from experience if there’s anything in that file that’s connected with the hack. Look for redirects to other domains, rules keyed on the visitor’s user agent or referrer, and directives that change how PHP files are handled. If you’re not absolutely certain of its status, replace it with a clean .htaccess file.
  • Once you have new copies of all plugins and themes, delete everything in the root of the server except .htaccess!
  • Now reinstall WordPress from scratch. We usually do this via FTP.
  • Now uncompress and install all of the plugins and do the same with the theme. Be careful with Child themes and mobile themes. In this particular instance the infection appears to have gained entry via the mobile theme.
  • Reinstall any non WordPress files which might reside in the root directory, only if you are absolutely certain they are not part of the virus/malware system. In most cases everything will be in WordPress WP-content but not always.
  • Upload the inspected wp-config.php file.
  • Now you should be ready to attempt a login.
  • Once you’ve gained access to WordPress admin you can begin getting the site back together. Activate all plugins and activate the theme. 
  • Install security scanner plugins and check the installation again. 
  • Now check site functionality. This is where your fingers should be crossed!
  • Once everything is working as before you need to access a reliable remote scanner to see if anything is being picked up. We utilize several of these services and they’ll go into the whole site and detect anything that might still be lurking.
  • Remember that at this stage your browser will still be trying to block your access to the website, so it’s time to contact Google and request a security review. First you’ll need to prove ownership of the actual website, here’s how:
  • Log in to your Google Search Console (formerly Webmaster Tools) account and add the compromised website to your list of managed sites. Google will generate a verification file which you need to upload to the website root (a DNS record or meta tag are the alternatives if you can’t write to the root).
  • Once validated you can submit a request for Google to review the site. Don’t be put off by all the security alerts that Google throws at you, they relate to earlier scans and should not reflect the current status post cleanup.
  • Now you’ll need to wait for Google. The previous five cleanup jobs we’ve done took less than 24hrs for the review. Once Google confirms the site is clean it will quickly lift all browser blocks and remove the website from its blacklist. Other online resources may take longer. If your hacked WordPress site has been used for sending out spam email it could take months for any IP level blocks to be lifted on your email system. If your email has been blacklisted I’d recommend converting away from webmail so you don’t lose valuable contacts from visitors to your website.
  • Now it’s time to get everything backed up and on a daily/weekly schedule, stored somewhere other than the web server. Don’t rely on the hosting company’s backups alone, and test a restore so you know the backups actually work before you need them.
  • Also, install a good firewall and proactive Malware scanner. Make sure you know what you’re doing when you configure these things as they don’t work optimally out of the box. 
  • Akismet is actually a good plugin to prevent comment spam, so activate that and get a key from Akismet direct. Be wary about having comments set to auto-approve: unmoderated comments are a standard route for spam links and malicious scripts aimed at your visitors if you leave that door even slightly ajar.
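The file-sweep steps above (recently changed files, non-media files in uploads, backdoor constructs in PHP, redirect rules in .htaccess, and an extra include in wp-config.php) can be scripted so you don’t miss a folder when eyeballing an FTP listing. The script below is an added example and not part of the original cleanup; the search patterns, the allow-list of media extensions and the sample site tree it builds are all our own assumptions, and the tree (including the fake dropper, the base64 payload that just decodes to "hello", the conditional redirect and the planted include path) is constructed for the demo. Run it against the copy of the site you downloaded, never on the live server, and treat every hit as something to look at rather than something to delete.

```shell
#!/bin/sh
# Triage helpers for a hacked WordPress tree. Added example, not the original
# post's procedure: run against the copy of the site you pulled down, and treat
# every hit as "look at this", not "delete this". make_sample_tree builds
# constructed demo data; the patterns below are assumptions, not a full signature set.

# Step 1 of the sweep: files changed in the last N days. A first pass only,
# since attackers can set timestamps to match the files around them.
recent_files() {            # usage: recent_files DIR DAYS
  find "$1" -type f -mtime -"$2"
}

# Step 2: wp-content/uploads should hold media and nothing else. Anything
# outside the allow-list (PHP, .htaccess, .ico, .svg, archives) needs a look.
uploads_non_media() {       # usage: uploads_non_media DIR
  find "$1/wp-content/uploads" -type f | while read -r f; do
    lower=$(printf '%s' "${f##*/}" | tr 'A-Z' 'a-z')
    case "$lower" in
      *.jpg|*.jpeg|*.png|*.gif|*.webp|*.pdf|*.mp3|*.mp4) ;;
      *) printf '%s\n' "$f" ;;
    esac
  done
}

# Step 3: PHP anywhere in the tree using constructs a backdoor needs and a
# clean plugin or theme almost never does. .ico is included because PHP
# droppers are often parked under that extension.
SUSPECT_RE='eval *\(|base64_decode *\(|gzinflate *\(|str_rot13 *\(|shell_exec *\(|passthru *\(|assert *\('
suspicious_php() {          # usage: suspicious_php DIR
  find "$1" -type f \( -name '*.php' -o -name '*.phtml' -o -name '*.ico' \) \
    -exec grep -lE "$SUSPECT_RE" {} + 2>/dev/null || :
}

# Step 4: .htaccess lines that redirect visitors, key on the user agent or
# referrer, or change how PHP is loaded. The stock WordPress block only
# rewrites to /index.php and tests REQUEST_FILENAME, so none of it matches.
HTACCESS_RE='auto_(prepend|append)_file|(Add|Set)Handler|AddType|Redirect(Match)? |RewriteCond %\{HTTP_(USER_AGENT|REFERER)\}|RewriteRule .*https?://'
htaccess_flags() {          # usage: htaccess_flags DIR
  [ -f "$1/.htaccess" ] && grep -nE "$HTACCESS_RE" "$1/.htaccess" || :
}

# Step 5: wp-config.php should point at your database and include exactly
# one file, wp-settings.php. Any other include/require line was planted.
wpconfig_db_settings() {    # usage: wpconfig_db_settings DIR
  grep -E "define\( *'DB_(NAME|USER|HOST)'" "$1/wp-config.php"
}
wpconfig_extra_includes() { # usage: wpconfig_extra_includes DIR
  grep -nE '(include|require)(_once)?[ (]' "$1/wp-config.php" | grep -v 'wp-settings.php' || :
}

# Constructed sample tree with one planted item of each kind (assumed, not
# taken from a real incident). The base64 string just decodes to "hello".
make_sample_tree() {        # usage: make_sample_tree DIR
  d="$1"
  mkdir -p "$d/wp-content/uploads/2023/05" "$d/wp-content/themes/mobile" "$d/wp-includes"
  printf 'GIF89a' > "$d/wp-content/uploads/2023/05/logo.gif"
  printf '<?php echo 1;' > "$d/wp-content/uploads/2023/05/wp-cache.php"   # PHP in uploads
  printf '<?php eval(base64_decode("aGVsbG8="));' > "$d/wp-content/themes/mobile/footer.php"
  printf '<?php $wp_version = "6.5";' > "$d/wp-includes/version.php"
  cat > "$d/.htaccess" <<'EOF'
# BEGIN WordPress
RewriteEngine On
RewriteBase /
RewriteRule ^index\.php$ - [L]
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteRule . /index.php [L]
# END WordPress
RewriteCond %{HTTP_USER_AGENT} (Googlebot|bingbot) [NC]
RewriteRule ^(.*)$ http://example.com/?q=$1 [R=302,L]
EOF
  cat > "$d/wp-config.php" <<'EOF'
<?php
define( 'DB_NAME', 'wp_site' );
define( 'DB_USER', 'wp_user' );
define( 'DB_PASSWORD', 'changeme' );
define( 'DB_HOST', 'localhost' );
@include "/tmp/.cache/.sess";
if ( ! defined( 'ABSPATH' ) ) { define( 'ABSPATH', __DIR__ . '/' ); }
require_once ABSPATH . 'wp-settings.php';
EOF
}

# Stand-alone demo on the constructed tree. For a real job point the helpers
# at the directory you downloaded the site into instead of $DEMO.
DEMO=$(mktemp -d)
make_sample_tree "$DEMO"
echo "== changed in the last day ==";   recent_files "$DEMO" 1
echo "== non-media in uploads ==";      uploads_non_media "$DEMO"
echo "== suspicious PHP ==";            suspicious_php "$DEMO"
echo "== .htaccess flags ==";           htaccess_flags "$DEMO"
echo "== database settings ==";         wpconfig_db_settings "$DEMO"
echo "== extra includes in wp-config =="; wpconfig_extra_includes "$DEMO"
rm -rf "$DEMO"
```

On the demo tree the sweep flags the PHP file under uploads, the theme footer with the eval/base64 construct, the two injected .htaccess lines, and the planted include in wp-config.php, while leaving the stock rewrite rules and the real require of wp-settings.php alone. A clean hit list from this script is not proof the site is clean (it only looks for the patterns listed), which is why the full reinstall of core, plugins and theme in the steps above still matters.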

For resources, check our malware scanner and backup service to get proactive about site security: WordPress backup and malware scanning.

Why It Will Happen To You If You Don’t Take Action

Firstly, unless you own NASA, your website isn’t going to be hacked by a person, it’s going to be hacked by a robot. These malicious scripts are propagated around the web like a spreading virus, which is exactly what they are. A human launches the thing initially, then the bots scan and infect on their own, trying every site they find. No website is too big or too small to become infected.

Secondly, you don’t need to have an eCommerce website with sensitive customer data to be useful to a hacker. In fact, the smaller and more inconspicuous the website the better, in many cases, as they’re basically looking to leech your server resources and use your website as a front for their evil deeds.

And that’s it! Good luck!

If you need help, call us!