How to Find and Remove Malware from Your WordPress Site

Running a successful online shop on WordPress can be rewarding: thousands of daily visitors and orders flowing in smoothly. But what happens when you wake up one day to find that traffic has plummeted, orders have dried up, and the site has turned into a maze of strange ads and redirects? Chances are your website has been compromised. In that situation you need to act immediately: find the malicious code, remove it, and close the hole it came through. Here is how to go about it:

1. Why Were You Hacked?

Understanding why your website was hacked is the first step in dealing with the situation effectively. While there are numerous guides available on how to fix WordPress sites infected with malicious code, they often skip over the critical aspect of identifying the root cause. Without addressing the underlying issue, you may find yourself vulnerable to future attacks.

1.1. Play Hacker – Hack Your Website Again

To identify potential vulnerabilities in your website’s security, consider adopting the mindset of a hacker:

1.1.2. Check Login Information

Review how the site can be logged into. Moving the administration area away from the default paths (/wp-admin, /wp-login.php) only adds obscurity; the login URL is easy to rediscover, so treat it as a minor extra rather than a defence. What actually stops attackers is a long, unique password or passphrase that is not reused on other services and not derived from personal information, two-factor authentication on every administrator account, and a limit on failed login attempts. While you are there, list the users with the administrator role and remove any account you do not recognise; creating an extra administrator is one of the first things an intruder does after getting in.

1.1.3. Check if “Your Neighbor” Is Safe

If you are on shared hosting, consider whether the other sites on the same server are secure or have had similar incidents. Sometimes the entry point is not your site at all but a neighbouring account, especially when the host does not isolate customers from one another properly. Ask your provider whether an incident has been reported and, if isolation is weak, consider moving to a dedicated environment.

1.1.4. Check Your Website’s Overall Security

This step is more technical. Consider seeking help or hiring a professional to assess the site thoroughly. One useful tool for this purpose is WPScan, a black-box scanner for WordPress. Only run it against sites you own or are explicitly authorised to test.

Use WPScan to Scan for Security Vulnerabilities on Your Website

WPScan is a widely used tool for identifying known vulnerabilities in WordPress core, plugins and themes. Here is how to install and use it:

Install WPScan via RubyGems (Ubuntu 20.04)

  • Update and upgrade your system:
sudo apt-get update
sudo apt-get upgrade -y
  • Install the build dependencies (each continuation line needs a space before the backslash, otherwise the shell glues two package names into one):
sudo apt-get install curl git libcurl4-openssl-dev make zlib1g-dev \
gawk g++ gcc libreadline6-dev libssl-dev libyaml-dev \
liblzma-dev autoconf libgdbm-dev libncurses5-dev automake \
libtool bison pkg-config ruby ruby-bundler ruby-dev libsqlite3-dev sqlite3 -y
  • Install Ruby Version Manager (RVM). The sks-keyservers pool used in older guides no longer exists, so fetch the RVM signing keys from keyserver.ubuntu.com:
gpg --keyserver keyserver.ubuntu.com --recv-keys 409B6B1796C275462A1703113804BB82D39DC0E3 7D2BAF1CF37B13E2069D6956105BD0E739499BDB
\curl -sSL https://get.rvm.io | bash -s stable --ruby
Piping curl into bash runs whatever the server sends; if that is not acceptable in your environment, download the installer and verify its signature against the keys above before running it, or skip the Ruby setup altogether and run WPScan from its official Docker image, wpscanteam/wpscan. After the installer finishes, open a new shell (or source ~/.rvm/scripts/rvm) so the new Ruby is on your PATH before installing gems.
  • Install the gems:
gem install nokogiri
gem install wpscan

Use WPScan to Scan for Security Vulnerabilities

WPScan can enumerate and check different parts of the site. The vulnerability data comes from the WPScan API: without a token (a free tier is available after registering at wpscan.com) the scanner still enumerates plugins, themes and versions but prints no vulnerability details, so in practice every scan below should include --api-token.

  • To enumerate themes and check them for known vulnerabilities:
wpscan --url https://www.yoursiteurl.com --enumerate vt --api-token API_KEY
  • To enumerate plugins and check them for known vulnerabilities:
wpscan --url https://www.yoursiteurl.com --enumerate vp --api-token API_KEY
  • The short form -e does the same, and several targets can be combined in one run:
wpscan --url https://www.yoursiteurl.com -e vp,vt --api-token API_KEY

Keep the token out of the command line where you can (it ends up in shell history and in the process list); WPScan also reads it from ~/.wpscan/scan.yml.

In the report, each component found is listed under a green [+] line. Anything that needs attention is marked with a red [!] line beneath it: an out-of-date version and, for each known issue, its title, the version it was fixed in, and references. Blue [i] lines are informational. When WPScan cannot determine a plugin's version it reports every vulnerability known for that plugin, so confirm the installed version by hand before acting on those.
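Reading the textual report is fine for one site; for repeated scans it is easier to have WPScan write JSON (--format json -o report.json) and post-process it. The script below is an added example written for this article; it is not part of WPScan. It summarises such a report and exits non-zero when anything needs action, which makes it usable as a gate in a deployment job. The embedded report is a constructed sample with fictional components and advisories, not the output of a real scan, and the field names it relies on (plugins and themes keyed by slug, each carrying version and vulnerabilities; core data under version) reflect WPScan's JSON schema as the example's author understands it, so check them against a real report from your own WPScan version. The file name wp_report.py is hypothetical.

```python
#!/usr/bin/env python3
"""Summarise a WPScan JSON report (added example, not from the article or WPScan).

Generate the input with, for example:
    wpscan --url https://www.example.com/ -e vp,vt --api-token "$WPSCAN_API_TOKEN" \
           --format json -o report.json
then run:  python3 wp_report.py report.json   (no argument = embedded sample)
"""
import json
import sys

# Constructed sample report: fictional slugs and advisory titles, no real
# vulnerability is described.  Shape follows WPScan's JSON output as assumed
# by this example (verify against a real report).
SAMPLE_REPORT = json.dumps({
    "target_url": "https://www.example.com/",
    "version": {"number": "6.0.0", "status": "outdated", "vulnerabilities": []},
    "plugins": {
        "example-gallery": {
            "slug": "example-gallery",
            "version": {"number": "2.0.3"},
            "vulnerabilities": [
                {"title": "Example Gallery < 2.1.0 - Constructed Sample Issue",
                 "fixed_in": "2.1.0",
                 "references": {"url": ["https://example.com/advisory"]}}
            ],
        },
        "example-forms": {
            "slug": "example-forms",
            "version": None,          # WPScan could not fingerprint the version
            "vulnerabilities": [
                {"title": "Example Forms < 4.2 - Constructed Sample Issue",
                 "fixed_in": "4.2"}
            ],
        },
        "example-seo": {"slug": "example-seo", "version": {"number": "1.9.0"},
                        "vulnerabilities": []},
    },
    "themes": {
        "example-theme": {
            "slug": "example-theme",
            "version": {"number": "3.1"},
            "vulnerabilities": [
                {"title": "Example Theme <= 3.1 - Constructed Sample Issue",
                 "fixed_in": None}     # no fixed release exists
            ],
        }
    },
    "vuln_api": {"plan": "free", "requests_remaining": 20},
})


def _row(kind, slug, version, vuln):
    """Turn one vulnerability entry into a row with a concrete next action."""
    fixed = vuln.get("fixed_in")
    if version is None:
        action = "version unknown: confirm the installed version by hand"
    elif fixed is None:
        action = "no fixed version: remove or replace the component"
    else:
        action = f"update to {fixed}"
    return {"kind": kind, "slug": slug, "version": version,
            "title": vuln.get("title", ""), "fixed_in": fixed, "action": action}


def summarise(report: dict) -> list:
    """One row per reported vulnerability across core, plugins and themes."""
    rows = []
    core = report.get("version") or {}
    for v in core.get("vulnerabilities", []):
        rows.append(_row("core", "wordpress", core.get("number"), v))
    for kind in ("plugins", "themes"):
        for slug, comp in (report.get(kind) or {}).items():
            ver = (comp.get("version") or {}).get("number")
            for v in comp.get("vulnerabilities", []):
                rows.append(_row(kind[:-1], slug, ver, v))
    # Unknown versions and unfixed issues need a human first; sort them to the top.
    rows.sort(key=lambda r: (r["version"] is not None, r["fixed_in"] is not None, r["slug"]))
    return rows


def exit_code(rows) -> int:
    """Non-zero when anything needs attention, so a pipeline can fail on it."""
    return 1 if rows else 0


if __name__ == "__main__":
    src = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_REPORT
    rows = summarise(json.loads(src))
    for r in rows:
        print(f"[{r['kind']}] {r['slug']} {r['version'] or '?'}: {r['title']} -> {r['action']}")
    sys.exit(exit_code(rows))
```

The ordering is deliberate: a plugin whose version WPScan could not determine is listed with every issue ever known for it, so that row is a "go and look" item rather than an "update now" item, and a component with no fixed release needs a replacement decision rather than an update.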

1.1.5. Check if Your Server Is Secure

Make sure the remote-administration services on the server (SSH, FTP and, if present, RDP) are properly locked down. Do not expose them to the whole internet if you can avoid it: restrict them to your own IP addresses or put them behind a VPN. Prefer SFTP or SCP over plain FTP, which sends credentials in clear text, and use SSH keys instead of passwords where possible. Where passwords remain, make them strong, unique, and not found on any popular password list.

Check whether sensitive files such as wp-config.php, /etc/passwd or /etc/shadow have leaked online, for example through an accidental commit to a personal repository. wp-config.php holds the database credentials and the authentication keys and salts; if it has been exposed, change the database password and regenerate the salts rather than hoping nobody noticed.

2. Dissecting Malicious Code

Once you have assessed the external weaknesses, examine the malicious code from inside the site:

  • Check the content of recently modified files on the system, particularly within the WordPress directory. Use find ./ -type f -mtime -15 to list files modified in the last 15 days and find ./ -type f -mtime -30 for the last 30 days. Bear in mind that an attacker can backdate a file's modification time with touch; the inode change time cannot be set that way, so repeat the search with -ctime in place of -mtime and compare the two lists.
  • Examine those files carefully. Typical signs of injected code are eval() wrapped around base64_decode() or gzinflate(), request parameters ($_GET, $_POST, $_REQUEST) passed straight into eval() or into system()/exec(), long base64 blobs, and PHP files where none belong, such as under wp-content/uploads. Also compare the core files against a fresh copy of the same WordPress version: any difference in wp-admin or wp-includes is suspect.
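The two find commands give you a list; the harder part is reading it. As an added example that is not from the original article, the following Python script does the same walk over a WordPress directory, marks files as recent using mtime and ctime (so a backdoor whose mtime was backdated with touch still shows up), and runs a handful of heuristic webshell patterns over PHP files, plus a check for PHP under wp-content/uploads. To run offline it builds a constructed sample install in a temporary directory; the planted files are inert stand-ins, not real malware. Point scan() at a real document root to use it. The signatures are heuristics assembled for this example, not proof: a match is something to read, not something to delete blindly. The file name wp_triage.py is hypothetical.

```python
#!/usr/bin/env python3
"""Triage recently changed files in a WordPress tree (added example, not from
the original article).  Lists files whose mtime or ctime falls inside the
window (touch can backdate mtime, but ctime is set by the kernel) and flags
PHP content matching common webshell patterns or PHP living under uploads."""
import os
import re
import tempfile
import time
from dataclasses import dataclass, field
from pathlib import Path

PHP_EXT = {".php", ".phtml", ".php5", ".php7", ".phar"}
MAX_BYTES = 2 * 1024 * 1024  # webshells are small; skip huge files

# Heuristic (regex, description) pairs assembled for this example.  A match
# means "read this file", not "this file is malware".
SIGNATURES = [
    (re.compile(rb"eval\s*\(\s*(?:base64_decode|gzinflate|gzuncompress|str_rot13|strrev)\s*\("),
     "eval() of a decoded payload"),
    (re.compile(rb"(?:eval|assert)\s*\(\s*\$_(?:GET|POST|REQUEST|COOKIE)\b"),
     "eval()/assert() of request data"),
    (re.compile(rb"(?:system|exec|shell_exec|passthru|popen|proc_open)\s*\(\s*\$_(?:GET|POST|REQUEST|COOKIE)\b"),
     "command execution fed from request data"),
    (re.compile(rb"preg_replace\s*\(\s*['\"]/[^'\"]*/[a-z]*e[a-z]*['\"]"),
     "preg_replace() with the /e (eval) modifier"),
    (re.compile(rb"create_function\s*\("), "create_function() (eval wrapper)"),
    (re.compile(rb"[A-Za-z0-9+/]{200,}={0,2}"), "long base64-looking blob"),
]


@dataclass
class Finding:
    path: str                       # relative to the document root, POSIX style
    recent: bool                    # changed inside the time window
    reasons: list = field(default_factory=list)


def inspect_content(path: Path, rel: str) -> list:
    """Reasons this file looks suspicious; empty list if nothing matched."""
    reasons = []
    if path.suffix.lower() not in PHP_EXT:
        return reasons
    if rel.startswith("wp-content/uploads/"):
        reasons.append("PHP file under wp-content/uploads")
    if path.stat().st_size <= MAX_BYTES:
        data = path.read_bytes()
        reasons.extend(why for rx, why in SIGNATURES if rx.search(data))
    return reasons


def scan(root, days=15, include_ctime=True, now=None):
    """Equivalent of `find ./ -type f -mtime -N`, plus ctime and content checks."""
    root = Path(root)
    cutoff = (time.time() if now is None else now) - days * 86400
    findings = []
    for path in sorted(root.rglob("*")):
        if not path.is_file():
            continue
        st = path.stat()
        newest = max(st.st_mtime, st.st_ctime) if include_ctime else st.st_mtime
        rel = path.relative_to(root).as_posix()
        reasons = inspect_content(path, rel)
        recent = newest >= cutoff
        if recent or reasons:
            findings.append(Finding(rel, recent, reasons))
    return findings


def build_sample_tree() -> str:
    """Constructed sample install for the demo; the planted files are inert."""
    root = Path(tempfile.mkdtemp(prefix="wp-triage-"))
    # relative path -> (content, age in days); the age is applied to mtime only
    files = {
        "wp-includes/functions.php":                      # untouched core file
            (b"<?php\nfunction wp_example() { return 1; }\n", 90),
        "wp-content/plugins/example/example.php":         # plugin updated last week
            (b"<?php\n/* Plugin Name: Example */\necho 'ok';\n", 7),
        "wp-content/uploads/2023/img.php":                # dropper hidden in uploads
            (b"<?php eval(base64_decode($_POST['p'])); ?>", 1),
        "wp-includes/class-wp-example.php":               # backdoor, mtime backdated
            (b"<?php preg_replace('/.*/e', $_REQUEST['c'], '');", 90),
    }
    now = time.time()
    for rel, (body, age) in files.items():
        p = root / rel
        p.parent.mkdir(parents=True, exist_ok=True)
        p.write_bytes(body)
        os.utime(p, (now - age * 86400,) * 2)  # like `touch -d`: mtime moves, ctime stays now
    return str(root)


if __name__ == "__main__":
    sample = build_sample_tree()
    for f in scan(sample, days=15, include_ctime=False):
        tag = "RECENT" if f.recent else "      "
        print(f"{tag} {f.path}: {'; '.join(f.reasons) or 'review manually'}")
```

Run with include_ctime=False the output mirrors the plain -mtime search: the backdated backdoor in wp-includes is not "recent", and only its content gives it away; with the default include_ctime=True it is listed as recent as well, because touch cannot rewrite ctime. Anything reported as RECENT with no reason still deserves a look, since a legitimately updated plugin and a tampered one look the same by timestamp; confirm core files against a clean download of the same version, or with WP-CLI's wp core verify-checksums where WP-CLI is installed.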

Dealing with a hacked WordPress site is hard work, but a systematic approach that closes the vulnerabilities and removes the malicious code will get the site, and its reputation, back. Once the injected code is gone, rotate every credential the attacker could have read (WordPress users, database, hosting panel, API keys), bring core, themes and plugins up to date, and keep them that way, or the same door stays open.
