If we dismantle WordPress, we get three major parts: WP Core, WordPress plugins, and WordPress themes. If these elements are not handled well, they leave the door open for hackers. Web developers in their first year, content writers who just want to blog about their favorite topics, and basically everyone without technical knowledge make that mistake unknowingly. They don't know what to do when things go south.
Installing unreliable plugins from unreliable sources, updating plugins without testing them first, and installing WordPress themes that are vulnerable to attacks are some of the mistakes people make. Even when they pay for a theme or for website development, they easily neglect maintenance and support for the website, which most of the time turns the website into a hacker's paradise.
A WordPress website getting infected with malware is a real nightmare for website owners. When it actually happens, be prepared for some tedious cleaning tasks to make things right again. The first thing to remember is to calm down: cleaning a WordPress website may be difficult and time-consuming, but it is not impossible.
We walk you through a step-by-step guide to remove malware from your WordPress website. Ashok Kuikel, DevOps Engineer at Computan, shared knowledge from his experience, as he has helped many clients clean their WordPress websites.
Take Backup and Scan for Malware Detection
Take a backup of your website files. Save the content files, images, and other assets. Prepare your website for a detailed audit or scan. We first need to identify which files caused the infection, i.e., the source of the infection. If the source is in the files on your computer, the infection may happen again even after you restore the website, and other parts of your system might be infected too. So, thoroughly scan your computer first. Download all the website files as well using an FTP program, so they are scanned along with the files on your computer.
Any potential threats saved on your computer or in your website files will be detected at this stage.
If you still don't see any potential threats that might have caused the infection, run an online scan of your website with a website malware scanner. Once that scan is complete, you can view the report to see if anything suspicious is happening.
The Google Webmaster tool also helps you review your website and highlights the problematic areas.
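A first offline pass over the files you downloaded over FTP, as an added example (not part of the original article or Computan's process): it lists PHP files that contain patterns common in injected code, and PHP files sitting under wp-content/uploads, a folder that should only hold media. The pattern list and the sample site tree are assumptions constructed for the demo.

```shell
#!/bin/sh
# Added example, not from the article: offline triage of the site copy downloaded
# over FTP. It lists PHP files containing patterns common in injected code, and
# PHP files under wp-content/uploads, a folder that should hold media only.
# The pattern list is an assumed starting point, not a complete signature set.

SUSPICIOUS_RE='eval[[:space:]]*\(|base64_decode[[:space:]]*\(|gzinflate[[:space:]]*\(|str_rot13[[:space:]]*\('

# Print every .php file under $1 matching SUSPICIOUS_RE, sorted, one per line.
scan_suspicious_php() {
    grep -rlE --include='*.php' "$SUSPICIOUS_RE" "$1" 2>/dev/null | LC_ALL=C sort
}

# Print PHP files under wp-content/uploads of site root $1.
php_in_uploads() {
    find "$1/wp-content/uploads" -type f -name '*.php' 2>/dev/null | LC_ALL=C sort
}

# Number of findings for site root $1 (pattern hits plus PHP in uploads).
finding_count() {
    { scan_suspicious_php "$1"; php_in_uploads "$1"; } | wc -l | tr -d ' '
}

# Constructed sample tree so the example runs offline; prints its path.
make_sample_site() {
    sample=$(mktemp -d)
    mkdir -p "$sample/wp-content/themes/demo" "$sample/wp-content/uploads/2024"
    printf '<?php get_header(); get_footer();\n' > "$sample/wp-content/themes/demo/index.php"
    # Constructed: carries the eval/base64 pattern only; $blob is never defined.
    printf '<?php eval(base64_decode($blob));\n' > "$sample/wp-content/themes/demo/footer.php"
    printf '<?php echo 1;\n' > "$sample/wp-content/uploads/2024/image.php"
    echo "$sample"
}

SITE=$(make_sample_site)
echo "Pattern hits:";   scan_suspicious_php "$SITE"
echo "PHP in uploads:"; php_in_uploads "$SITE"
echo "Total findings: $(finding_count "$SITE")"
rm -rf "$SITE"
```

Point the functions at the folder you downloaded instead of the constructed tree; every file they print deserves a manual look before it goes back on the server.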
Plugins and Themes
We are talking about WordPress, so how can we leave out plugins and themes? You are most likely to get infected through an outdated plugin or theme, because that is the backdoor through which hackers enter or send in bad code to do its dirty work.
Abandoned plugins or old theme files are easy prey for hackers. You have to check the theme files and plugin files manually to pinpoint the infection's location. Theme files are the ones with a .php extension. Run a thorough scan on your theme and plugin files; scanners that can help include:
- Theme Authenticity Checker
- Quttera Web Malware Scanner
- Exploit Scanner
- Anti Malware Scanner
- WP Antivirus Site Protection
- Google Safe Browsing
Delete and Replace
WP Core is the main set of files, a.k.a. the heartbeat of a WordPress website. Delete the core files but keep wp-content and wp-config; you need these later.
Salt replacement in the wp-config file – Salts are the mechanism that keeps the passwords of WordPress users safe and secure. Periodically changing your salts keeps attackers at bay. At this point, when the site has already been hit by a malicious attack, replace the salts in the wp-config file as well.
Database connection details replacement – Hackers get access to the config file, where the database connection details live: database name, database username, password, and database prefix. All of these must be replaced. The username must not be a standard dictionary word such as admin or password, or any word matching the brand name.
Passwords for the database – Change the login credentials for the database and the backend for all users.
Wp-config URL – Hardcode the wp-config URL and keep it unique so that bots don't see the common pattern, terms, or structure of the URL.
Debugging mode – Debugging mode displays errors on the frontend and stores them in a log file. When we restore the plugins and files at the end, we can fix those errors and make the site more secure.
Download a fresh copy of the WordPress core files and extract them into a folder.
It is a no-brainer to scan every file that you re-upload to the website. This makes sure that no malicious content or code goes back up while you clean the website. While re-uploading, paste the files into the new directories and rename them accordingly so that no file gets overwritten.
When the site starts working, we activate the themes and plugins. If you want to be safe this time, choose a paid theme from a reliable source, and the same goes for the plugins: choose a trusted source. Test all plugins before applying them to your website.
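The fresh core copy also gives you a clean baseline to diff the downloaded site against before anything is re-uploaded. The script below is an added example, not the article's or Computan's own tooling; the two tiny directory trees it builds are constructed stand-ins for a real WordPress core and a real site download.

```shell
#!/bin/sh
# Added example, not from the article: compare the downloaded site with a freshly
# extracted WordPress core of the same version before re-uploading anything.
# Files that differ from, or are absent in, the clean copy are the ones to inspect.
# wp-content and wp-config.php are skipped: they are site-specific and reviewed on their own.

# Relative paths of regular files under $1, minus wp-content and wp-config.php.
list_core_files() {
    (cd "$1" && find . -type f ! -path './wp-content/*' ! -name 'wp-config.php' \
        | sed 's|^\./||' | LC_ALL=C sort)
}

# $1 = fresh core, $2 = downloaded site. Prints EXTRA / MODIFIED / MISSING lines.
compare_core() {
    list_core_files "$2" | while read -r f; do
        if [ ! -f "$1/$f" ]; then
            echo "EXTRA $f"
        elif ! cmp -s "$1/$f" "$2/$f"; then
            echo "MODIFIED $f"
        fi
    done
    list_core_files "$1" | while read -r f; do
        [ -f "$2/$f" ] || echo "MISSING $f"
    done
}
# Constructed stand-ins for the real trees so the example runs offline.
make_fresh_core() {
    fresh=$(mktemp -d)
    mkdir -p "$fresh/wp-includes"
    printf '<?php require __DIR__ . "/wp-blog-header.php";\n' > "$fresh/index.php"
    printf '<?php // scheduled tasks\n' > "$fresh/wp-cron.php"
    printf '<?php function wp_demo() {}\n' > "$fresh/wp-includes/functions.php"
    echo "$fresh"
}
make_site_copy() {
    site=$(mktemp -d)
    mkdir -p "$site/wp-includes" "$site/wp-content/uploads"
    printf '<?php require __DIR__ . "/wp-blog-header.php";\n' > "$site/index.php"
    # Constructed tampering: one core file altered, one unknown file added, wp-cron.php gone.
    printf '<?php function wp_demo() {} include "cache.php";\n' > "$site/wp-includes/functions.php"
    printf '<?php // not part of WordPress\n' > "$site/wp-includes/cache.php"
    printf '<?php define("DB_NAME", "demo");\n' > "$site/wp-config.php"       # skipped
    printf '<?php // skipped: lives in wp-content\n' > "$site/wp-content/uploads/x.php"
    echo "$site"
}

FRESH=$(make_fresh_core); SITE=$(make_site_copy)
compare_core "$FRESH" "$SITE"
rm -rf "$FRESH" "$SITE"
```

For a real cleanup, pass the extracted WordPress folder and the FTP download to compare_core; an EXTRA or MODIFIED core file is a strong sign of tampering, since core files should match the release byte for byte.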
To Make Your WordPress Website Secure
Disable XML-RPC to prevent attacks – XML-RPC is used to let the WordPress website communicate with external environments such as WordPress updates and applications, and mobile applications via the REST API. If the website is not communicating with an external environment, we can simply disable XML-RPC. If we keep the communication open, we might receive a DDoS attack that affects your database and pingbacks and slows down your website. A hacker might also try to log in over an XML-RPC connection.
Other general, non-technical measures include installing WordPress security plugins, choosing complex usernames and passwords, stopping malicious web bots from crawling your website, and getting secure hosting and an SSL certificate.
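One way to switch XML-RPC off that survives the plugin cleanup is a must-use plugin, shown here as an added example rather than the article's own instructions. WordPress loads every file in wp-content/mu-plugins automatically and it cannot be deactivated from the dashboard; the three filters used (xmlrpc_enabled, xmlrpc_methods, wp_headers) are core WordPress hooks, and the site root argument and the temporary directory are assumptions for the demo.

```shell
#!/bin/sh
# Added example, not from the article: turn XML-RPC off with a must-use plugin.
# WordPress loads wp-content/mu-plugins automatically and the file cannot be
# deactivated from the dashboard, so the setting stays in place after cleanup.
# $1 is the site root (assumed).

disable_xmlrpc() {
    mkdir -p "$1/wp-content/mu-plugins"
    cat > "$1/wp-content/mu-plugins/disable-xmlrpc.php" <<'EOF'
<?php
/* Plugin Name: Disable XML-RPC (added example) */
// Reject authenticated XML-RPC calls (the filter is checked when a method logs in).
add_filter( 'xmlrpc_enabled', '__return_false' );
// Drop pingback.ping, which needs no login and is the method abused for pingback DDoS.
add_filter( 'xmlrpc_methods', function ( $methods ) {
    unset( $methods['pingback.ping'] );
    return $methods;
} );
// Stop advertising the endpoint in the X-Pingback response header.
add_filter( 'wp_headers', function ( $headers ) {
    unset( $headers['X-Pingback'] );
    return $headers;
} );
EOF
}

# Exit 0 when the mu-plugin exists and carries the xmlrpc_enabled filter.
xmlrpc_disabled() {
    grep -q "'xmlrpc_enabled', '__return_false'" \
        "$1/wp-content/mu-plugins/disable-xmlrpc.php" 2>/dev/null
}

SITE=$(mktemp -d)          # constructed site root for the demo
disable_xmlrpc "$SITE"
xmlrpc_disabled "$SITE" && echo "XML-RPC disabled for $SITE"
rm -rf "$SITE"
```

If nothing legitimate uses the endpoint at all, blocking xmlrpc.php at the web server as well keeps the requests from reaching PHP in the first place.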