Wordfence – Security Learning Center –
https://www.wordfence.com/learn/
https://sucuri.net/guides/how-to-clean-hacked-wordpress/
How to Clean a Hacked WordPress Site
Steps to removing malware, spam, and other hacks from WordPress.
Sucuri has devoted years to helping WordPress administrators identify and fix hacked websites. We have put together this guide to walk WordPress owners through the process of identifying and cleaning a WordPress hack. This is not meant to be an all-encompassing guide, but if followed, should help address 70% of the infections we see.
Find & Identify the WordPress Hack
1.1 Scan Your Site
You can use tools that scan your site remotely to find malicious payloads and malware. Sucuri has a free
How to scan WordPress for malware with
- Visit the
- Enter your WordPress URL
- Click Scan Website
- If the site is infected, review the warning message.
- Note any payloads and locations (if available).
- Note any blacklist warnings.
If the remote scanner isn’t able to find a payload, continue with other tests in this section. You can also manually review the iFrames / Links / Scripts tab of the Malware Scan to look for unfamiliar or suspicious elements.
If you have multiple WordPress sites on the same server, we recommend scanning them all (you can also use
A remote scanner will browse the site to identify potential security issues on your WordPress site. Some issues may not show up in a browser. Instead, they manifest on the server (i.e., backdoors, phishing, and server-based scripts). The most comprehensive approach to scanning includes
1.2 Check Core WordPress File Integrity
Most core WordPress files should never be modified. You need to check for integrity issues in the wp-admin, wp-includes, and root folders.
The quickest way to confirm the integrity of your WordPress core files is by using the diff command in terminal. If you are not comfortable using the command line, you can manually check your files via SFTP.
If nothing has been modified, your core files are clean.
Both the Sucuri free
You may want to use an FTP client to quickly check for WordPress malware in directories like wp-content. We recommend using FTPS/SFTP/SSH rather than unencrypted FTP.
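As an added example (not code from the Sucuri guide), the diff-based check described above as a small POSIX shell script: it compares wp-admin and wp-includes with a clean copy of the same WordPress version and labels each difference as MODIFIED, MISSING or EXTRA, the last being where dropped-in files show up. The clean directory and site root are assumed arguments, paths are assumed to contain no spaces, and the demo tree is constructed inline.

```shell
#!/bin/sh
# Added example, not part of the Sucuri guide: compare the installed wp-admin
# and wp-includes directories against a clean copy of the same WordPress
# version (e.g. an unpacked release archive) and classify every difference.
# Assumptions: $1 is the clean reference tree, $2 is the live document root,
# and neither path contains spaces (diff output is split on whitespace).

wp_core_check() {
  clean="$1"
  site="$2"
  for d in wp-admin wp-includes; do
    # diff -rq prints one line per differing or one-sided file; its non-zero
    # exit status on differences is expected and swallowed by the pipeline
    diff -rq "$clean/$d" "$site/$d" | while IFS= read -r line; do
      case "$line" in
        "Only in $site"*)
          # present on the live site but not in core: the usual place a
          # dropped-in file with a core-like name turns up
          rest="${line#Only in }"
          printf 'EXTRA    %s/%s\n' "${rest%%: *}" "${rest#*: }" ;;
        "Only in $clean"*)
          # core file missing from the live site
          rest="${line#Only in }"
          printf 'MISSING  %s/%s\n' "${rest%%: *}" "${rest#*: }" ;;
        "Files "*" differ")
          # same path, different content: review or replace from a clean copy
          set -- $line
          printf 'MODIFIED %s\n' "$4" ;;
      esac
    done
  done
}

# Constructed demo tree: one untouched file, one core file with an appended
# line, and one file that does not exist in the reference at all.
demo_core_check() {
  tmp=$(mktemp -d)
  mkdir -p "$tmp/clean/wp-admin" "$tmp/clean/wp-includes" \
           "$tmp/site/wp-admin"  "$tmp/site/wp-includes"
  printf '<?php // core\n' > "$tmp/clean/wp-admin/index.php"
  cp "$tmp/clean/wp-admin/index.php" "$tmp/site/wp-admin/index.php"
  printf '<?php // core\n' > "$tmp/clean/wp-includes/load.php"
  printf '<?php // core\n// line appended after install\n' > "$tmp/site/wp-includes/load.php"
  printf '<?php // not a core file\n' > "$tmp/site/wp-includes/wp-tmp.php"
  wp_core_check "$tmp/clean" "$tmp/site"
  rm -rf "$tmp"
}
```

Run it against a freshly unpacked release of the exact version you have installed; a differing version will report nearly every file as MODIFIED.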
1.3 Check Recently Modified Files
New or recently modified files may be part of the hack.
You can identify hacked files by seeing if they were recently modified with the following steps.
How to manually check recently modified files in WordPress:
- Log into your server using an FTP client or SSH terminal.
- If using SSH, you can list all files modified in the last 15 days using this command:
$ find ./ -type f -mtime -15
- If using SFTP, review the last modified date column for all files on the server.
- Note any files that have been recently modified.
How to check recently modified files using terminal commands on Linux:
- Type in your terminal (the example uses /etc; point it at the directory you want to review):
$ find /etc -type f -printf '%TY-%Tm-%Td %TT %p\n' | sort -r
- If you also want directories listed, type in your terminal:
$ find /etc -printf '%TY-%Tm-%Td %TT %p\n' | sort -r
- Unfamiliar modifications in the last 7-30 days may be suspicious.
1.4 Check Google Diagnostic Pages
If your WordPress site has been hacked and
How to check your Google Transparency Report:
- Visit the
- Enter your site URL and search.
- On this page you can check:
  - Site Safety Details: Information about malicious redirects, spam and downloads.
  - Testing Details: Most recent Google scan that found malware.
If you have added your site to any free webmaster tools, you can check their security ratings and reports for your website. If you do not already have accounts for these free monitoring tools, we highly recommend that you sign up:
Remove Malware from Your WordPress Site
Now that you have information about malware locations, you can remove malware from WordPress and restore your website to a clean state.
Pro Tip: The best way to identify hacked files in WordPress is by comparing the current state of the site with an old backup that is known to be clean. If such a backup is available, you can use it to compare the two versions and identify what has been modified.
Some of these steps to clean your WordPress site require web server and database access. If you are not familiar with manipulating database tables or editing PHP, please seek assistance from a professional Incident Response Team member who can completely
2.1 Clean Hacked WordPress Files
If the malware infection is in your core files or plugins, you can fix it manually. Just don’t overwrite your wp-config.php file or wp-content folder, and be sure that you make a full backup beforehand.
Custom files can be replaced with fresh copies, or a recent backup (if it’s not infected). Here are some
You can remove any malicious payloads or suspicious files found in the first step to get rid of the hack and clean your WordPress site.
How to manually remove a malware infection from your WordPress files:
- Log into your server via SFTP or SSH.
- Create a backup of the WordPress site before making changes.
- Identify recently changed files.
- Confirm the date of changes with the user who changed them.
- Restore suspicious files with copies from the official WordPress repository.
- Open any custom or premium files (not in the official repository) with a text editor.
- Remove any suspicious code from the custom files.
- Test to verify the site is still operational after changes.
Caution
Manually removing “malicious” code from your website files can be extremely hazardous to the health of your website and your computer. Never perform any actions without a backup. If you’re unsure, please seek assistance from a professional.
2.2 Clean Hacked Database Tables
To remove a malware infection from your WordPress database, use your database admin panel to connect to the database. You can also use tools like Search-Replace-DB or Adminer.
How to manually remove a malware infection from your WordPress database:
- Log into your database admin panel.
- Make a backup of the database before making changes.
- Search for suspicious content (i.e., spammy keywords, links).
- Open the table that contains suspicious content.
- Manually remove any suspicious content.
- Test to verify the site is still operational after changes.
- Remove any database access tools you may have uploaded.
Beginners can use the payload information provided by the malware scanner. Intermediate users can also manually look for common malicious PHP functions, such as eval, base64_decode, gzinflate, preg_replace, str_replace, etc.
Caution
Note that these functions are also used by plugins for legitimate reasons, so be sure you test changes or get help so you do not accidentally break your site. When dealing with database records, the data may not always be simple to replace, especially if it is in the wp_options table.
Database Scan Example
2.3 Secure WordPress User Accounts
If you notice any unfamiliar WordPress users on your website, remove them so the hackers no longer have access through them. We recommend having only one admin user and setting other user roles to the least privileges needed for the tasks that person has to carry out (i.e., contributor, author, editor).
How to manually remove suspicious users from WordPress:
- Backup your site and database before proceeding.
- Log into WordPress as an admin and click Users.
- Find the suspicious new user accounts.
- Hover over the suspicious user and click Delete.
If you believe any of your user accounts were compromised you can reset their passwords. One of the ways to do that is using the
2.4 Remove Hidden Backdoors in Your WordPress Site
Hackers always leave a way to get back into your site. More often than not, we find multiple backdoors of various types in hacked WordPress sites.
Often backdoors are embedded in files named similar to WordPress core files but located in the wrong directories. Attackers can also inject backdoors into files like wp-config.php and directories like wp-content/themes, wp-content/plugins, and wp-content/uploads.
Backdoors commonly include the following PHP functions:
- base64
- str_rot13
- gzuncompress
- eval
- exec
- system
- assert
- stripslashes
- preg_replace (with /e/)
- move_uploaded_file
These functions can also be used legitimately by plugins, so be sure to test any changes because you could break your site by removing benign functions or by not removing all of the malicious code.
The majority of malicious code we see in WordPress sites uses some form of encoding to prevent detection. Aside from premium components that use encoding to protect their authentication mechanism, it’s very rare to see encoding in the official WordPress repository.
It is critical that all backdoors are closed to successfully stop a WordPress hack, otherwise your site will be reinfected quickly.
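As an added example (not code from the Sucuri guide or its plugin), a shell scan that turns the function list above and the encoded-payload point from sections 2.1 and 2.2 into a review queue: it ranks PHP files under a directory by calls to those functions, long base64-looking literals and preg_replace with the /e modifier. The sample files and the scoring weights are my own construction; a high score is a lead for comparison against the official repository copy, not a verdict.

```shell
#!/bin/sh
# Added example, not from the Sucuri guide: rank PHP files under a directory
# by how often they call the functions from the guide's backdoor list, flag
# long base64-looking string literals, and weight preg_replace with the /e
# modifier (it executes the replacement as PHP). Plugins use these calls
# legitimately too, so every hit needs a manual comparison with a clean copy.
# Assumes GNU or BSD grep (\< word boundary); $1 is a directory such as
# wp-content. Weights are arbitrary choices for this example.

SUSPECT_FUNCS='eval|base64_decode|gzinflate|gzuncompress|str_rot13|assert|exec|system|preg_replace|move_uploaded_file|stripslashes'

wp_suspect_scan() {
  find "$1" -type f -name '*.php' | while IFS= read -r f; do
    # call sites of listed functions; \< stops "system_info(" matching "system("
    calls=$(grep -oE "\<($SUSPECT_FUNCS)[[:space:]]*\(" "$f" | wc -l | tr -d ' ')
    # quoted base64-looking literals of 100+ characters: rare in clean code
    blobs=$(grep -oE "['\"][A-Za-z0-9+/=]{100,}['\"]" "$f" | wc -l | tr -d ' ')
    # preg_replace whose pattern delimiter is followed by an e modifier
    prege=$(grep -cE "preg_replace[[:space:]]*\([[:space:]]*['\"][^'\"]*/[a-zA-Z]*e[a-zA-Z]*['\"]" "$f" || true)
    score=$((calls + 4 * blobs + 5 * prege))
    if [ "$score" -gt 0 ]; then
      # columns: score, function calls, long literals, /e uses, path
      printf '%s\t%s\t%s\t%s\t%s\n' "$score" "$calls" "$blobs" "$prege" "$f"
    fi
  done | sort -rn
}

# Constructed sample directory: a clean file, a plugin-like file with one
# legitimate base64_decode, a file with the classic nested decode-and-eval
# chain plus a 120-character literal, and a deprecated preg_replace /e call.
demo_suspect_scan() {
  tmp=$(mktemp -d)
  blob=$(head -c 90 /dev/zero | base64 | tr -d '\n')   # 120 x 'A', harmless
  printf '<?php echo "hello";\n' > "$tmp/clean.php"
  printf '<?php $icon = base64_decode($stored_icon);\n' > "$tmp/benign.php"
  printf '<?php $p = "%s";\neval(gzinflate(base64_decode($p)));\n' "$blob" > "$tmp/bad.php"
  cat > "$tmp/prege.php" <<'EOF'
<?php $s = preg_replace('/.*/e', 'strtoupper("$0")', $s);
EOF
  wp_suspect_scan "$tmp"
  rm -rf "$tmp"
}
```

The demo orders bad.php (score 7) above prege.php (6) and benign.php (1) and omits clean.php entirely.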
2.5 Remove Malware Warnings
If you were blacklisted by Google, McAfee, Yandex (or any other web spam authorities), you can request a review after your WordPress site has been cleaned and the hack has been fixed.
How to remove malware warnings on your site:
- Call your hosting company and ask them to remove the suspension if your website has been suspended by your hosting provider.
  - You may need to provide details about how you removed the malware.
- Fill in a review request form for each blacklisting authority.
  - i.e. Google Search Console, McAfee SiteAdvisor, Yandex Webmaster.
- With the
Protect Your WordPress Site From Future Hacks
In this final step, you will learn how to fix the issues that caused your WordPress to be hacked in the first place. You will also perform essential steps
3.1 Update and Reset Configuration Settings
Out-of-date software is one of the leading causes of infections. This includes your CMS version, plugins, themes, and any other extension type. Potentially compromised credentials should also be reset to ensure you are not reinfected.
How to manually apply updates in WordPress:
- Log into your server via SFTP or SSH.
- Backup your website and database (especially customized content).
- Manually remove the wp-admin and wp-includes directories.
- Replace wp-admin and wp-includes using copies from the official WordPress repository.
- Manually remove and replace plugins and themes with copies from official sources.
- Log into WordPress as an admin and click Dashboard > Updates.
- Apply any missing updates.
- Open your website to verify it is operational.
Reset User Passwords
It is critical that you change passwords for all access points to your WordPress site. This includes WordPress user accounts, FTP/SFTP, SSH, cPanel, and your database.
You should reduce the number of admin accounts for all of your systems to the absolute minimum. Practice the concept of
All accounts should use strong passwords. A good password is built around three components – complexity, length, and uniqueness. Some say it’s too difficult to remember multiple passwords. This is true. That’s why password managers were created!
Generate New Secret Keys
Once the passwords are reset, you can force all users to log off using our plugin. WordPress uses browser cookies to keep user sessions active for two weeks. If an attacker has a session cookie, they will retain access to the website even after a password is reset. To fix this, we recommend forcing active users off by resetting WordPress secret keys.
How to generate new secret keys in the wp-config.php file using Sucuri:
- Open the WordPress wp-config.php file.
- Add a value of 60+ unique characters for each key and salt.
- You can use a
- Save the wp-config.php file.
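As an added example (not the guide's or the Sucuri plugin's code), the key-and-salt rotation above done offline: the script prints eight fresh define() lines for wp-config.php with 64-character values drawn from /dev/urandom, and a second function checks a generated block before you paste it in. It assumes /dev/urandom and a base64 utility are available.

```shell
#!/bin/sh
# Added example, not from the Sucuri guide: print eight fresh define() lines
# for wp-config.php. Assumes /dev/urandom and the base64 utility exist.
# Pasting the output over the existing lines invalidates every WordPress
# login cookie, which is the point of the rotation.

WP_KEY_NAMES='AUTH_KEY SECURE_AUTH_KEY LOGGED_IN_KEY NONCE_KEY
AUTH_SALT SECURE_AUTH_SALT LOGGED_IN_SALT NONCE_SALT'

# One value: 48 random bytes become 64 base64 characters, which satisfies the
# "60+ unique characters" rule; base64 never emits a quote or backslash, so
# the value is safe inside a PHP single-quoted string.
wp_random_value() {
  head -c 48 /dev/urandom | base64 | tr -d '\n'
}

# Emit the block that replaces the key/salt lines in wp-config.php.
wp_new_salts() {
  for name in $WP_KEY_NAMES; do
    printf "define('%s', '%s');\n" "$name" "$(wp_random_value)"
  done
}

# Validate a generated block: eight define lines, every value exactly 64
# characters, no two values identical. Returns 0 when acceptable.
wp_check_salts() {
  block="$1"
  [ "$(printf '%s\n' "$block" | grep -c "^define('")" -eq 8 ] || return 1
  printf '%s\n' "$block" | cut -d"'" -f4 | while IFS= read -r v; do
    [ ${#v} -eq 64 ] || exit 1
  done || return 1
  [ "$(printf '%s\n' "$block" | cut -d"'" -f4 | sort -u | wc -l | tr -d ' ')" -eq 8 ]
}
```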
It is advisable to reinstall all plugins after a hack to ensure they are functional and free of residual malware. If you have deactivated plugins we recommend you remove them from your web server altogether.
To reset your plugins using the Sucuri WordPress plugin:
- Log into WordPress as an admin and go to Sucuri Security > Settings > Post-Hack.
- Go to the Reset Installed Plugins tab.
- Select the plugins you want to reset (it is recommended to select them all).
- Click Submit to reset selected items.
Premium plugins will need to be reinstalled manually as their code is not available on the official WordPress repository.
Caution: Be careful not to touch wp-config or wp-content as this could break your site!
We recommend manually removing and replacing core files instead of using the Update feature in the wp-admin dashboard. This ensures any malicious files added to core directories are all accounted for. You can remove existing core directories (wp-admin, wp-includes), then manually add those same core directories.
3.2 Harden WordPress
To harden a server or application means that you take steps to reduce the attack surface or entry points for attackers. WordPress and its plugins can be harder to hack when you take these steps.
To harden WordPress, you can use the Sucuri plugin:
- Log into WordPress as an admin and go to Sucuri Security > Settings > Hardening.
- Review the options to understand what they do.
- Click the Harden button to apply recommendations.
There are countless ways to harden WordPress depending on your needs. We recommend reviewing the
3.3 Set Backups for your WordPress Site
Backups function as a safety net. Now that your WordPress site is clean and you’ve taken some important post-hack steps, make a backup! Having a
Here are some tips to help you with WordPress backups:
- Location: Store WordPress backups in an off-site location. Never store backups (or old versions) on your server; they can be hacked and used to compromise your real site.
- Automatic: Ideally, your backup solution should run automatically at a frequency that suits the needs of your website.
- Redundancy: This means that your backup strategy has to include redundancy, or in other words, backups of your backups.
- Testing: Try the restore process to confirm your website functions correctly.
- File Types: Some backup solutions exclude certain file types such as videos and archives.
3.4 Scan Your Computer
Have all WordPress users run a scan with a reputable antivirus program on their operating systems.
WordPress can be compromised if a user with an infected computer has access to the dashboard. Some infections are designed to jump from a computer into
Paid Antivirus Programs:
- Bitdefender
- Kaspersky
- Sophos
- F-Secure
Free Antivirus Programs:
You should have only one antivirus actively protecting your system to avoid conflicts. If your WordPress Dashboard users’ computers are not clean, your site can get reinfected easily.
3.5 Use a Website Firewall
The number of vulnerabilities exploited by attackers grows every day. Trying to keep up is challenging for administrators.
Benefits to using a website firewall:
- Prevent a Future Hack: By detecting and stopping known hacking methods and behaviors, a website firewall keeps your site protected against infection in the first place.
- Virtual Security Update: Hackers quickly exploit vulnerabilities in plugins and themes, and unknown ones are always emerging (called zero-days). A good website firewall will patch the holes in your website software even if you haven’t applied security updates.
- Block Brute Force Attacks: A website firewall should stop anyone from accessing your wp-admin or wp-login page if they aren’t supposed to be there, making sure they can’t use brute force automation to guess your password.
- Mitigate DDoS Attacks: Distributed Denial of Service attacks attempt to overload your server or application resources. By detecting and blocking all types of DDoS attacks, a website firewall makes sure your site is available if you are being attacked with a high volume of fake visits.
- Performance Optimization: Most WAFs will offer to cache for faster global page speed. This keeps your visitors happy and is proven to lower bounce rates while improving website engagement, conversions, and search engine rankings.
WordPress Hacks FAQ
How do WordPress sites get hacked?
Malicious users crawl the internet looking for vulnerable WordPress sites to hack. If your website is not protected with a
How do I scan WordPress plugins for malware?
You can use
How do I find malicious code in WordPress?
You can use
How do I protect my WordPress site from malware?
You can secure your WordPress site by following
- Having a
- Using the latest version of WordPress, plugins, themes and third-party services
- Enforcing strong password requirements
WordPress Security
WordPress is renowned for its usability and ease of access; however, its popularity also makes it an attractive target for bad actors. This WordPress security guide is an introduction to how to protect visitors, mitigate threats, and create a more secure WordPress site.
Recent statistics show that over 28% of website administrators across the web use WordPress. Its popularity comes at a price: it is often targeted by malicious hackers and spammers who seek to leverage insecure websites to their advantage.
WordPress security is about risk reduction, not risk elimination. Because there will always be risk, securing your WordPress site will remain a continuous process, requiring frequent assessment of these attack vectors.
Is WordPress Secure?
The question of whether WordPress is secure or not depends entirely on you, the website owner. Website security is about risk reduction. Follow our WordPress security best practices to harden and protect your website from threats.
How to Secure a WordPress Site
This guide is intended to educate WordPress administrators on basic security techniques and actionable steps that will help to secure your WordPress site and reduce the risk of a compromise.
1 – WordPress Software Vulnerabilities
Keep WordPress, Themes & Plugins Updated
The WordPress security team works diligently to provide important security updates and vulnerability patches. However, the use of third-party plugins and themes exposes users to additional security threats.
By regularly installing the latest versions of core WordPress files and extensions, you can ensure that your website possesses all of the prevailing security patches and your WordPress site is more secure.
1.1 – Regularly Audit WordPress Plugins & Themes
Plugins and themes can become deprecated, obsolete, or include bugs that pose serious security risks to your WordPress website.
To secure your WordPress installation and improve security, we recommend that you audit your plugins and themes on a regular basis.
Assess Your Plugin Security
You can assess the security of WordPress plugins and themes by reviewing a couple of important indicators:
- Does the plugin or theme have a large install base?: Check the number of installs before adding a new plugin to your WordPress site.
- Are there a lot of user reviews, and is the average rating high?: Check WordPress plugin reviews and ratings before adding a new plugin.
- Are the developers actively supporting their plugin and pushing frequent updates or security patches?: If a plugin has not been updated in a long time it can have vulnerabilities used by malicious users to compromise WordPress websites.
- Does the vendor list terms of service or a privacy policy?: It is important to check if the plugin has a privacy policy or TOS.
- Does the vendor include a physical contact address in the ToS or from a contact page?: Having a physical contact address adds credibility to a WordPress plugin.
Carefully read the Terms of Service – it may include unwanted extras that the authors didn’t advertise on their homepage. If the plugin or theme doesn’t meet any of these requirements or has recently changed owners before the latest update, you may want to look for a more secure solution for your WordPress site.
Note
Sometimes bad actors will purchase a plugin to add malicious or unwanted functionality. Exercise caution when installing plugins that have recently changed owners before the latest update.
Remove Unused WordPress Plugins & Themes
When it comes to unused plugins, less is more. Storing unwanted plugins in your WordPress installation increases the chance of a compromise, even if they are disabled and not actively being used in your installation. Removing unused plugins and themes helps improve security and protects WordPress from hacking.
Not using that WordPress plugin? Remove it from your installation.