WordPress Malware Recovery

Call us we can help: 541-961-1889

You might also try these tips;

If your WordPress site is hacked – take these steps.

Initial Steps and Diagnosis

Change your passwords

  1. Change the passwords for every WordPress user. You can do this in the “Users” menu via WordPress.
  2. Change both your hosting account password AND your php admin password.

Backup your account. !!!!!!

Cleaning up your site

Identifying and cleaning the infected files is one thing but do you know how your site was compromised in the first place? The usual suspects are weak, easily guessed passwords and compromised plugins. It’s possible the backdoor was installed on your website a while ago which means that just removing the infection you see or restoring to a recent backup isn’t enough.

In my case I didn’t identify the source of the inflection until later, so I took the cautious approach. Here is what I did:

  1. Completely removed the WordPress installation (since just re-installing WordPress doesn’t remove any new files created by the hacker) and installed the latest WordPress version into another, entirely different directory. This caused me some grief down the road with my images as their location changed and I had to re-upload them but saved me from losing sites, and my hardware, altogether.
  2. I created my users by hand, giving them strong passwords.
  3. Instead of just pointing my new WordPress installation to my original database, I exported my database, table by table and imported selected tables. This was probably overkilled, but there is a type of attack called “database injection” so I was being careful to make sure I was covering the worst-case scenario. I did run into an import problem where a column “post_category” was missing in my new wp_posts table. This is because this column is deprecated in more recent versions of WordPress. What I did was delete the table in the new WordPress database and let my script create the older version of the table – ta-dah.
  4. Reinstalled my theme and plugins – which I am still in the process of doing.

Getting off Google’s blacklist

If Google has identified you as an attack site, visitors will see a scary red image warning them away (see picture above). You want that to go away as soon as possible so you will need to ask Google for reconsideration. I did this as soon as I had reinstalled WordPress (step 1 above). If your website is already set up in Google Webmasters Tools just log in and request a malware review. My website had already been flagged by Google so it was pretty obvious how to request a review. The review took about a business day at which point the red attack page stopped appearing. I even got an email from Google warning me about the malware although by then I had already taken action.