WordPress Malware Detection and Removal: A to Z Guide
Intro
WordPress is a powerful content management system and the backbone of millions of websites worldwide. That popularity also makes it a favourite target for attackers. If your site has become slow, throws unexpected redirects, or displays content you never published, it has most likely been infected with malware. This guide walks through detecting and cleaning malware on a WordPress site.
1. What Are The Symptoms Of Malware?
The site responds slowly or returns timeout errors.
Google Safe Browsing or the search results flag the site as dangerous, deceptive or hacked.
Visitors are redirected to spam or scam pages.
Unknown .php, .ico or .js files appear, often with names that mimic core files.
Administrators cannot log in to the WordPress dashboard, or admin accounts appear that nobody created.
Unfamiliar files and directories show up when browsing the server over SFTP/FTP.
2. Setting Up A Secure Environment
Before commencing malware cleanup:
Take a complete backup of WordPress, the database and all plugin and theme files, infected state included: it is your evidence and your fallback if the cleanup breaks something.
Connect to the server over SSH or SFTP rather than plain FTP, which sends credentials in clear text.
Change every administrator password, the database password (and its copy in wp-config.php) and the SFTP credentials, and rotate the authentication salts in wp-config.php so that existing login cookies stop working.
Put the site temporarily into maintenance mode so visitors are not served infected pages while you work.
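The preparation steps above, as an added example that is not part of the original guide: a POSIX shell script that snapshots the infected tree, hashes every file, and, when WP-CLI is installed, exports the database, gives every administrator a new random password, destroys their sessions and shuffles the salts, before creating the .maintenance file. The paths, the output-directory layout and the use of sha256sum are assumptions; the WP-CLI subcommands used (db export, user list, user update, user session destroy, config shuffle-salts) are real commands that the page itself does not mention.

```sh
#!/bin/sh
# Added example (not from the guide): snapshot an infected WordPress install
# before touching it, then take it offline. Assumes tar and sha256sum; the
# WP-CLI steps run only when the `wp` command is present.
#
# Usage: prepare_site /var/www/example.com /root/ir/example.com

prepare_site() {
    site=$1
    out=$2
    stamp=$(date -u +%Y%m%dT%H%M%SZ)
    mkdir -p "$out"

    # 1. Full file backup (modes and mtimes are recorded in the archive; extract
    #    with tar -xp to get them back). The infected copy is evidence: keep it
    #    read-only and outside the web root.
    tar -czf "$out/files-$stamp.tar.gz" -C "$(dirname "$site")" "$(basename "$site")"

    # 2. Hash every file. Diffing this manifest against one taken after cleanup
    #    shows exactly which files changed, and which ones come back afterwards.
    (cd "$site" && find . -type f -exec sha256sum {} + | sort -k 2) \
        > "$out/manifest-$stamp.sha256"

    if command -v wp >/dev/null 2>&1; then
        # 3. Database backup, then credential rotation (assumes wp-cli can read
        #    wp-config.php). New random password for every administrator, all of
        #    their sessions destroyed, fresh salts so every login cookie is invalid.
        wp --path="$site" db export "$out/db-$stamp.sql"
        for uid in $(wp --path="$site" user list --role=administrator --field=ID); do
            wp --path="$site" user update "$uid" --user_pass="$(openssl rand -base64 24)"
            wp --path="$site" user session destroy "$uid" --all
        done
        wp --path="$site" config shuffle-salts
    fi

    # 4. Maintenance mode. WordPress honours .maintenance only while $upgrading is
    #    less than ten minutes old, so evaluating time() on every request keeps
    #    the site offline until the file is deleted.
    printf '<?php $upgrading = time(); ?>\n' > "$site/.maintenance"

    chmod 0400 "$out"/*-"$stamp".*
    echo "$stamp"
}

# Run only when invoked with arguments, so the file can also be sourced.
if [ $# -ge 2 ]; then prepare_site "$1" "$2"; fi
```

Remove .maintenance when the cleanup is finished; the manifest is what you compare against after the clean install, so keep it with the backup rather than in the web root.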
3. Detection Of Malicious Code
Manual Scanning:
Check wp-content/uploads, wp-includes, wp-content/themes and wp-content/plugins for recently modified or unexpected files; uploads should never contain PHP.
Look for files containing functions commonly used to hide a payload: base64_decode, eval, gzinflate, str_rot13, preg_replace (particularly with the /e modifier). Legitimate code uses some of these too, so treat a hit as a lead to review, not as proof.
Be on the lookout for .ico, .php and .zip files hidden in the root directory or placed next to core files; attackers routinely store PHP code inside a file with an image extension so that a casual listing overlooks it.
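The manual checks above turned into a repeatable triage script, added here as an example that is not part of the original guide. The pattern list extends the page's (base64_decode, eval, gzinflate, str_rot13, preg_replace) with the shell-execution functions that usually sit next to an obfuscated payload; the seven-day window, the 512 KiB cap on the "disguised file" check and the directory layout are assumptions. Everything it prints is a lead to review by hand, not a verdict.

```sh
#!/bin/sh
# Added example (not from the guide): first-pass triage of a WordPress tree.
# Assumes GNU or BSD find/grep/head. Run it on a copy of the site if you can.
#
# Usage: wp_triage /var/www/example.com [days-back]   (default 7)

# ERE. Two of these on the same line is a much stronger signal than one.
OBFUSCATION='base64_decode|eval[[:space:]]*\(|gzinflate|gzuncompress|str_rot13|preg_replace[[:space:]]*\([^)]*/e|create_function|(system|shell_exec|passthru|exec|popen)[[:space:]]*\('

# PHP files changed in the last N days. Compare the dates with your last update.
recent_php() {   # recent_php SITE [DAYS]
    find "$1" -type f -name '*.php' -mtime "-${2:-7}"
    return 0
}

# Executable code where it never belongs: anything PHP under uploads.
php_in_uploads() {   # php_in_uploads SITE
    find "$1/wp-content/uploads" -type f \
        \( -name '*.php' -o -name '*.phtml' -o -name '*.php[0-9]' -o -name '*.phar' \) 2>/dev/null
    return 0
}

# Files whose extension lies: .ico, .jpg, .txt ... that begin with a PHP open tag.
# Reading only the first 64 bytes keeps this cheap on a large media library.
php_disguised() {   # php_disguised SITE
    find "$1" -type f ! -name '*.php' -size -512k | while read -r f; do
        if head -c 64 "$f" | grep -q '<?php'; then echo "$f"; fi
    done
    return 0
}

# Obfuscation and execution primitives, printed as file:line:text.
grep_obfuscation() {   # grep_obfuscation SITE
    grep -rnE --include='*.php' --include='*.ico' --include='*.js' --include='*.txt' \
        "$OBFUSCATION" "$1" || true
}

wp_triage() {   # wp_triage SITE [DAYS]
    for check in recent_php php_in_uploads php_disguised grep_obfuscation; do
        echo "== $check"
        "$check" "$1" "${2:-7}"
    done
}

if [ $# -ge 1 ]; then wp_triage "$@"; fi
```

Expect noise from the obfuscation grep in minified JavaScript and in a few well-known plugins; the uploads and disguised-file checks, by contrast, almost never produce a legitimate hit.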
Automated scanning (good at known signatures; verify what it reports, and do not treat a clean result as proof that the site is clean):
Wordfence Security (Free & Premium)
MalCare (Free Scan, Premium Cleanup)
Sucuri Security (Website Firewall + Malware Scan)
Quttera Web Malware Scanner
4. Clean Up Operations
A. Manual Cleaning
Open wp-config.php and remove any line you did not put there: injected includes, base64 blobs, or changed database credentials.
Note which themes and plugins are active, delete them all, and reinstall fresh copies from wordpress.org or the vendor.
Go through the uploads folder by hand and remove (better: quarantine) anything that is not a media file; a .php file in uploads is a red flag.
Reset the .htaccess file to the stock WordPress rules and delete everything else in it, since injected redirects usually live here (adjust RewriteBase and the last rule if WordPress runs in a subdirectory):
# BEGIN WordPress
<IfModule mod_rewrite.c>
RewriteEngine On
RewriteBase /
RewriteRule ^index\.php$ - [L]
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteRule . /index.php [L]
</IfModule>
# END WordPress
Check index.php for added statements; the stock file does nothing but define WP_USE_THEMES and require wp-blog-header.php, so anything else in it (injected code often takes the form of an @include of a file with an image extension) was added.
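An added example, not part of the original guide, for the "remove suspicious files" and "check index.php" steps: quarantine instead of delete. Moving a file out of the web root with its hash and timestamp recorded keeps the evidence and lets you restore a false positive, whereas a deletion destroys both. The quarantine-directory layout and log format are my own; the script assumes sha256sum and GNU or BSD stat, and the replacement index.php it writes carries the stock file's two executable lines without the licence comment.

```sh
#!/bin/sh
# Added example (not from the guide): quarantine suspicious files, then restore
# the root index.php to its stock content.
#
# Usage: quarantine SITE QUARANTINE_DIR FILE...
#        restore_index_php SITE QUARANTINE_DIR

mtime() { stat -c %Y "$1" 2>/dev/null || stat -f %m "$1"; }

quarantine() {   # quarantine SITE QUARANTINE_DIR FILE...
    site=$1; qdir=$2; shift 2
    mkdir -p "$qdir"
    for f in "$@"; do
        rel=${f#"$site"/}                   # path relative to the web root
        mkdir -p "$qdir/$(dirname "$rel")"
        # Record hash, mtime and path before moving, so the indicator survives
        # the cleanup and can be shared or searched for on other hosts.
        printf '%s %s %s\n' "$(sha256sum "$f" | cut -d' ' -f1)" "$(mtime "$f")" "$rel" \
            >> "$qdir/quarantine.log"
        mv "$f" "$qdir/$rel"
        chmod 0400 "$qdir/$rel"             # not executable, not writable
    done
}

# The stock root index.php only sets WP_USE_THEMES and loads wp-blog-header.php.
# Anything else in the current file was added, so the whole file is quarantined
# and rewritten rather than edited.
restore_index_php() {   # restore_index_php SITE QUARANTINE_DIR
    site=$1; qdir=$2
    quarantine "$site" "$qdir" "$site/index.php"
    cat > "$site/index.php" <<'EOF'
<?php
define( 'WP_USE_THEMES', true );
require __DIR__ . '/wp-blog-header.php';
EOF
}

if [ $# -ge 3 ]; then quarantine "$@"; fi
```

Feed quarantine with the output of the triage checks from the detection section. After the core files have been reinstalled, wp core verify-checksums lists every core file that differs from the official release, which is another good source of candidates.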
B. Clean Install
To restore the core WordPress files while leaving wp-content in place, use WP-CLI:
wp core download --skip-content --force
Reinstall all themes and plugins from verified sources.
5. Database Cleaning
Connect to the database with phpMyAdmin, Adminer, or the mysql client.
Inspect tables such as wp_options, wp_posts, wp_users and wp_usermeta (the prefix may differ from wp_).
Search their contents for iframe, script, eval and base64, and check the siteurl and home options, which malware rewrites to redirect every visitor.
Delete users you did not create; look in wp_usermeta for accounts that were granted the administrator capability, not only at the users table.
SELECT * FROM wp_posts WHERE post_content LIKE '%base64%';
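An added example, not from the original guide, that generalises the single query above: export the database to a file (wp db export or mysqldump) and grep the dump once, which covers every table, including wp_postmeta and wp_options, in one pass. It assumes mysqldump's format with extended INSERT lines and backtick-quoted table names, takes the table prefix from the WP_PREFIX environment variable (default wp_), and the search patterns are my own extension of the page's list.

```sh
#!/bin/sh
# Added example (not from the guide): triage a WordPress database dump.
#
# Usage: dump_report site.sql https://example.com

PREFIX=${WP_PREFIX:-wp_}
# ERE. Embedded videos also contain <iframe, so review hits instead of deleting blindly.
INJECTION='<script|<iframe|base64_decode|eval[[:space:]]*\(|String\.fromCharCode|document\.write|unescape\('

# Line number plus 60 characters of context either side of each match; the
# extended INSERT lines are far too long to print whole.
dump_injections() {   # dump_injections DUMP
    grep -nEo ".{0,60}($INJECTION).{0,60}" "$1" || true
}

# siteurl and home from wp_options. Malware rewrites these to redirect every visitor.
dump_site_urls() {    # dump_site_urls DUMP
    grep -E "^INSERT INTO .${PREFIX}options" "$1" \
        | grep -oE "'(siteurl|home)','[^']*'" || true
}

# user_ids that hold the administrator capability, taken from wp_usermeta rows.
# Compare them with the accounts you actually created.
dump_admin_ids() {    # dump_admin_ids DUMP
    grep -E "^INSERT INTO .${PREFIX}usermeta" "$1" \
        | grep -oE "\([0-9]+,[0-9]+,'${PREFIX}capabilities','[^)]*administrator[^)]*\)" \
        | cut -d, -f2 || true
}

dump_report() {       # dump_report DUMP EXPECTED_URL
    echo "== injected markup"
    dump_injections "$1"
    echo "== siteurl/home (expected $2)"
    dump_site_urls "$1" | while read -r row; do
        case $row in
            *"'$2'"*) echo "ok  $row" ;;
            *)        echo "BAD $row" ;;
        esac
    done
    echo "== administrator user_ids"
    dump_admin_ids "$1"
}

if [ $# -ge 2 ]; then dump_report "$1" "$2"; fi
```

Fix what the report finds with targeted UPDATE and DELETE statements against the live database, not by editing and re-importing the dump, and keep the dump with the rest of the evidence.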
6. Security and Optimization Settings
A. Measures on Security
Keep WordPress, themes, and plugins updated regularly.
Never use 'admin' as a username.
Adopt strong passwords.
Activate two-factor authentication (2FA).
Make wp-config.php and .htaccess read-only (for example 0400 and 0444) so that a compromised PHP process cannot rewrite them.
Restrict the wp-admin folder to trusted IP addresses, while keeping admin-ajax.php reachable if front-end features depend on it.
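The two file-system items above, applied by an added script that is not part of the original guide. It assumes Apache 2.4 (Require syntax) with AllowOverride enabled for the site, and that PHP runs as the owner of the files (a php-fpm pool user); where the web server reads the files through a shared group, use 0440 rather than 0400 for wp-config.php. The example addresses are from the documentation ranges.

```sh
#!/bin/sh
# Added example (not from the guide): baseline permissions plus an address
# allow-list for wp-admin. Assumes Apache 2.4 and GNU or BSD stat.
#
# Usage: harden_site /var/www/example.com 203.0.113.10 198.51.100.0/24

perm() { stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1"; }

harden_perms() {   # harden_perms SITE
    find "$1" -type d -exec chmod 0755 {} +
    find "$1" -type f -exec chmod 0644 {} +
    chmod 0400 "$1/wp-config.php"      # secrets: owner read-only
    chmod 0444 "$1/.htaccess"          # rewrite rules: nobody writes, PHP included
}

# admin-ajax.php stays open because front-end plugins call it for anonymous
# visitors. wp-login.php lives outside wp-admin and needs its own rule if you
# want it restricted as well.
restrict_wp_admin() {   # restrict_wp_admin SITE CIDR...
    site=$1; shift
    f="$site/wp-admin/.htaccess"
    if [ -e "$f" ]; then chmod 0644 "$f"; fi   # may be read-only from a previous run
    {
        echo '<RequireAny>'
        for ip in "$@"; do echo "    Require ip $ip"; done
        echo '</RequireAny>'
        echo '<Files admin-ajax.php>'
        echo '    Require all granted'
        echo '</Files>'
    } > "$f"
    chmod 0444 "$f"
}

harden_site() {    # harden_site SITE CIDR...
    site=$1; shift
    harden_perms "$site"
    restrict_wp_admin "$site" "$@"
}

if [ $# -ge 2 ]; then harden_site "$@"; fi
```

With .htaccess read-only, WordPress will warn that it cannot update the file when you change permalinks; that is the intended effect, paste the rules in by hand instead. Re-run harden_perms after every core or plugin update, since updates recreate files with the process umask.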