In this guide, learn about malware in WordPress, and ways to remove malware and secure your WordPress site for the future.
How does malware affect WordPress?
WordPress websites account for over 43% of all websites on the Internet. Due to this, it is a major target for hackers who try and exploit any weaknesses in the software. Once an attacker has found a vulnerability in a WordPress website their first step is usually to install an ‘uploader’ file providing them a convenient means to upload more malware or modify existing files and hide malware ‘payloads’ in those.
Attackers can exploit this access further, installing ‘malware toolkits’ which in turn enable adding email accounts used for SPAM messaging, adding malicious scheduled tasks to the control panel, or scanning other sites for vulnerabilities to exploit.
Normally malware finds its way onto WordPress through vulnerabilities in plugin/s or theme/s. This is why removing suspicious files is not a catch-all solution for WordPress malware removal. This is because the underlying vulnerability remains allowing the reinfection of malware and the issues that brings. Follow on with our removal guide below to help keep malware at bay.
How can I remove malware from my WordPress website?
Step 1: Use the WordPress Toolkit to check WordPress Integrity
Navigate to WordPress Toolkit 🛈
Click ‘Check WordPress Integrity’
Now ‘verify checksums’ which checks the integrity of core WordPress files. 🛈
If this check fails, you may be prompted to reinstall the WordPress core files, do this.
This does not guarantee removing malware that may be in the root directory but it is a good starting point in the malware removal process.
If you cannot see your WordPress installation in the WP Toolkit then click ‘Scan’ to find the installation first.
Step 2: Scan your WordPress website with ImunifyAV.
To do this go to ImunifyAV in your control panel and click ‘Start scanning’. **This works by scanning files on your account and removing those it deems malicious.
You can view detected malware under the ‘Malicious’ tab. **You may notice that many of them are in the same location such as a plugin folder, which may suggest there is a vulnerability with that plugin that needs addressing, either by being updated or perhaps a clean install.
You can also view your previous malware scans under the ‘Scan’ section below.
Step 3: Manually check for undetected malware.
Manual and automated malware scanning is great but it’s not infallible. Malware is constantly changing and zero-day exploits exist so if malware remains present after scanning you need to perform a manual investigation.
Key things to look for:
Folders/Files that have recent ‘created’ or ‘modified’ dates. Folders/Files with unusual names for example ‘ajwzxq.php’.
You can sort by last modified from within your control panel or your chosen FTP client.
When using this method, if you find a suspicious file it is important to first ascertain if it is used by a plugin or theme on your site, as this might indicate a vulnerability with that plugin. If you believe the file is malicious remove it.
**As we said earlier, removing malicious files doesn’t prevent reinfection. it is important to understand that the vulnerability allowing the infection needs to be resolved to effectively resolve the malware issue.
Finding malware in most cases is straightforward, usually indicated by an oddly named, possibly newly modified file that contains heavily obfuscated code.
Keep an eye out for files that:
Look out of place and/or have strange names.
Use eval() function.
Have obfuscated code (base64, etc).
Have lots of random strings and/or expressions.
How can I protect my website from future malware?
Step 1: Update your passwords
Login to your WordPress dashboard, go to Users, Edit User, and then scroll to the bottom, set a new password, and ‘Update Profile’.
For cPanel go to FTP accounts and click ‘change password’.
For Plesk it is under ‘FTP’ and click into the FTP account.
Change Control Panel Login
You can change your cPanel/Plesk login details from your client area. To do this, go to ‘Services’ then click your service, then click ‘ Change password’ under ‘Actions’ to ‘Change password’.
Resellers can only change their own account password via the client area. To change other users passwords please head to your control panel (cPanel/Plesk).
When altering passwords please ensure that created passwords are strong and consist of a mixture of upper/lower case, numbers and symbols.
Step 2: Remove unrecognised accounts.
Unrecognised WordPress Users
Compromised WordPress sites may have, new user accounts added, some with administrator privileges. It is important to remove any unknown accounts preventing unauthorised access. To delete a WordPress user, simply click ‘Delete’ next to that user.
Unrecognised FTP Accounts
Similarly, FTP accounts can be generated, delete any unrecognised FTP accounts by pressing delete in the FTP accounts area.
For Plesk users, this is in the ‘FTP’ section. Check the user account to delete and then click remove.
Unrecognised Email Accounts
Email accounts may have also been created when your website has been hacked, these can then be used to send out spam. To prevent this you must remove the malicious email accounts. To do this click ‘Manage’ then ‘Delete Email Account’.
For Plesk users this can be done under ‘Mail’ then ‘Mail Accounts’.
Step 3: Ensure that WordPress itself is kept up-to-date.
WordPress release major updates across the year and minor updates more frequently. It’s important to stay updated as updates often include patches for security flaws. If you are unsure whether your WordPress installation is up to date you can view this in either WordPress Toolkit or Softaculous.
Step 4: Ensure that all plugins and themes are kept fully up-to-date.
You also need to keep plugins and themes up to date. WordPress Toolkit and Softaculous help with this by identifying any available updates and offering the ability to auto update your plugins, which we recommend you turn on. You can also update directly through your WordPress dashboard by going to the ‘Plugins’ section and then clicking ‘Update’ underneath the outdated Plugin.
Step 5: Ensure that all plugins used by your website(s) are widely used and frequently updated by their developers.
A common misconception is that because a plugin is ‘up to date’ it is secure. Unfortunately, this is not the case. If plugin updates are infrequent, it’s possible that its development & maintenance is not active which could lead to vulnerabilities going unchecked. We strongly recommend that you should only use plugins which are both widely used and frequently updated. In addition to this if you have older plugins that you no longer use then it would be wise to remove those plugins from your installation.
Step 6: You should ensure that your plugins and themes are from legitimate sources.
There have been cases where developers have installed ‘nulled’ (pirated) versions of wordpress themes, these very often come with malware ‘pre-installed’. And, pose a much greater security risk to your WordPress installation. You should only use plugins and theme from legitimate sources
Step 7: Install a security plugin such as ‘Wordfence’.
There are many security plugins available for WordPress, these include free, freemium or paid for plugins. They’re great for adding an extra layer of security for your website and can help monitor malicious activity, notifying you of vulnerabilities and reporting on possible attacks. For example WordFence which has features such as but not limited to; Rate Limiting, IP Blocking, Malware Scans and 2FA logins.
Step 8: (Optional): Implement extra Security Measures
Both WordPress Toolkit and Softaculous provide the capability to enable extra security measures for your WordPress website with a simple tick of a checkbox. These can be found for WordPress Toolkit in ‘Fix Vulnerabilities’ and then ‘Security Measures’.
And for Softaculous simply clicking ‘Security Measures’ on the main overview of your WordPress installation.
The security measures page contains settings that when enabled add extra layers of security. Softaculous allows you to apply a preset of ‘Critical Only’ measures, these have the least chance of negatively impacting your site.
You can also manually enable measures but they have the possibility of disrupting your sites functionality. To avoid this ensure you read through the relevant tooltips.
If you’ve gotten this far well done, keeping your WordPress website secure is great for everyone.