Working with WordPress has hundreds of benefits and you can do almost anything with it, but if you don’t take some precautions and it is not installed on the correct WordPress hosting platform, you run the risk of it being hit by malware. This is often stressful for WordPress website owners whether they are novice, intermediate or advanced. Nobody likes to have their website infected.
Without a doubt, this means a negative impact for your business and a real security threat for your visitors, who will encounter malicious content and links when accessing your site. The first thing we want to tell you is not to worry: here we share the recommendations that our WordPress gurus have used to clean infected sites effectively for a long time.
Symptoms that your WordPress is infected
While it might just be a suspicion, most of the time when you think your WordPress website has been compromised, it really is. A link that points somewhere else, slowness, red Google warning screens, or your hosting provider having suspended your website without prior notice (Wrong! It’s very bad!!!) can all be indicators that something is not right.
Some of the most common symptoms are:
- Your site is automatically redirected to another URL.
- You cannot access WP Admin.
- Your website traffic has dropped.
- Your WordPress looks a little strange.
- Some random links take you to external sites.
- You find strange files inside the File Manager.
- You see user accounts that you never created.
- You receive email bounce notifications in your inbox.
- The website is slow or suddenly throws 500 errors.
- Google warns that your site is compromised because it detected something.
How to clean an infected WordPress website
All over the Internet you will find hundreds of recommendations, and you may have to read and put into practice several guides and tutorials to solve it, so we put together this definitive guide with everything you need to repair your WordPress, keep it protected, and make sure it doesn’t happen to you again. At WNPower we value your time above all, and that is why many of the steps to clean your WordPress can be executed in one (literal) click with our exclusive tools if your site is hosted on our platform.
Don’t stress too much
If you are panicking, relax. We need you to be able to analyze what happened, and to calmly read each of these recommendations to apply them and achieve your goal: clean your WordPress. We know that your WordPress is like a member of your family to you and you will want to defend it no matter what.
Restore a clean backup
Whoever makes a WordPress backup has two lives (or as many lives as backups have been saved). Making backup copies should be part of your routine as well as updating content and core, or WordPress plugins. If you have a backup of WordPress, restore it to the last date you remember it working normally, and then apply all these security recommendations that we will give you below.
And if you didn’t have a backup to restore, well: it is not the best time to make a backup of the compromised site, but you can do it later as soon as you finish cleaning it. You can also ask your hosting provider to restore a backup for you, if they have a responsible backup policy.
Update all your passwords and activate 2FA
Another of the most urgent actions is that you update all passwords that are involved in your website. Remember that passwords should not be saved in your browser or written down in separate files on your device. When generating a password, use alphanumeric characters, special characters, and capital letters. Use your imagination.
In every login where you can, try to activate the second authentication factor. This is super useful so that, if your passwords are stolen or if they fall into the wrong hands, they cannot access your account unless they go through this step.
Scan your equipment and devices
Vulnerabilities in the devices and computers from which you manage your WordPress often trigger security problems in the sites you manage. Malware spreads in both directions: compromised sites infect the devices and computers that browse them, and infected computers hand over the information stored on them (saved passwords, for example) that is then used to break into websites. If your computer is healthy, updated and has a good antivirus, then you are contributing to making the Internet safer.
If you have doubts at this point, scan all the PCs or devices from which you access your hosting and your WordPress admin with an antivirus.
Review users created in WP Admin
If, when you list your WordPress users, more appear than there should be, or you cannot identify them all, it is likely that additional users have been created to be used as a backdoor. Take the trouble to delete the ones you don’t recognize.
Remove any pirated plugins or themes
When we talk about pirated plugins or themes, they are paid templates or add-ons that you have obtained by other means than by purchasing them on their official site, or paying the corresponding amount. We know that it is tempting to get plugins or themes that are paid, at a low price or completely free; but the consequences are usually fatal for your website and the reputation of your business over time.
If you want to keep them, we recommend uninstalling them, purchasing the original copies, and then legally installing them accordingly. It will be quite an investment and you will save yourself several headaches.
Keep your copy of WordPress, plugins and themes up to date
We almost don’t need to mention it: it is vitally necessary that you keep WordPress, its plugins and your theme updated. Any of these 3 items is a real security sieve if it is not up to date, and you need to keep them updated without exceptions. Hundreds of developers work hard every day to make more secure versions of WordPress and its additional apps; you just have to be responsible for keeping your software updated.
Nowadays, automatic updates can be configured in the WordPress core so that it updates on its own as soon as a new version is released. This also applies to templates and plugins.
Check if you can access WP Admin with your username and password
If you lost access to your WordPress admin panel because your password was changed by someone else, you could easily recover it from the “forgot password” link; but if your WordPress account profile was also changed by whoever has control now, you would only trigger an alert to the email address that the imposter has configured. It is best to regain access by surprise.
Every hosting provider has phpMyAdmin in their control panel: a panel to manage your site’s databases; and since WordPress stores absolutely everything in the database, we are going to force a password change there.
Next, you will need to search for the database corresponding to your WordPress, select the wp_users table (or the prefix plus “_users”) and edit the user you normally log in with.
To finish, edit the user_pass field, select the MD5 option from the drop-down menu and enter a secure password. When finished, save the changes with the Continue button.
Check if you can access the hosting control panel
If you cannot access your cPanel control panel (or the control panel provided by your hosting provider), then things are a little more complicated, and your entire hosting account may be compromised (including the billing section). If this is what happens to you, it is crucial that you contact your provider so that they can do a general review and generate new access credentials for you.
What about file and folder permissions?
While there are files or folders that require special permissions, most WordPress content should be set to:
- Files: 644
- Folders: 755
No more putting 777 on everything or on specific folders! Permission 777 means “allow everything” to every user on the server and could cause a catastrophe on your site.
If you want to check how your site’s permissions are, you can use our Reset Permissions tool included in your cPanel. If you do not host on WNPower, this plugin allows you, among other things, to regulate the permissions of your site in WordPress: iThemes Security.
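If you do not have the Reset Permissions tool or a plugin at hand, the same check and reset can be done from an SSH session. This is an added example, not WNPower's tool or the article's own code; it assumes POSIX find/chmod and takes the WordPress root (for example public_html) as its argument.

```shell
#!/bin/sh
# Added example (not WNPower's Reset Permissions tool): audit and reset
# WordPress file permissions from the shell. Assumes POSIX find/chmod and that
# the WordPress root (e.g. public_html) is passed as the argument.

# List every file that is not 644 and every directory that is not 755, plus an
# explicit line for anything world-writable (the "777 on everything" case).
# wp-config.php is skipped on purpose: it holds the database credentials and is
# normally kept tighter than 644 (a hardening step, not an article requirement).
audit_perms() {
    dir="$1"
    find "$dir" -type f ! -name wp-config.php ! -perm 644 | sed 's/^/file not 644: /'
    find "$dir" -type d ! -perm 755 | sed 's/^/dir not 755:  /'
    find "$dir" -perm -002 | sed 's/^/WORLD-WRITABLE: /'
}

# How many entries deviate from 644/755 (0 means the tree is clean).
count_bad_perms() {
    dir="$1"
    f=$(find "$dir" -type f ! -name wp-config.php ! -perm 644 | wc -l)
    d=$(find "$dir" -type d ! -perm 755 | wc -l)
    echo $((f + d))
}

# Reset the whole tree to 644 (files) / 755 (directories). wp-config.php is then
# locked down to 600, which is right when PHP runs as the file owner (the usual
# cPanel setup); use 640 with the web server's group if PHP runs as another user.
reset_perms() {
    dir="$1"
    find "$dir" -type d -exec chmod 755 {} +
    find "$dir" -type f -exec chmod 644 {} +
    if [ -f "$dir/wp-config.php" ]; then
        chmod 600 "$dir/wp-config.php"
    fi
}
```

Run `audit_perms public_html` first to see what is off, then `reset_perms public_html` once you are sure no directory on your site legitimately needs anything else.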
Check the last modified files
Check whether files have been modified recently. If you did not make changes recently but files have been modified, you will notice dates more recent than you remember. You can see this in the File Manager by sorting the contents of your home directory, called public_html, by last modification date. Then open those files and check if you notice anything out of the ordinary.
Check your WordPress .htaccess and wp-admin.php files
The .htaccess and wp-admin files located in the home dir of your hosting have all the necessary directives for your WordPress website to work perfectly. When a WordPress site is infected and these files have malicious code inserted, strange behavior may occur such as sporadic redirects to other external sites. Open them with the online editor or by downloading them first.
Check towards the end of the files if there is a redirect code followed by a URL external to your site that you do not recognize. If so, delete the entire line and save the changes.
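The same review can be scripted so that nothing hidden in the middle of the file is missed. This is an added example, not code from the article: it assumes POSIX sh with grep -E and sed, and takes the .htaccess path and your site's hostname as arguments; any redirect directive whose target is an absolute URL on a host other than yours (or a subdomain of yours) is printed with its line number.

```shell
#!/bin/sh
# Added example, not from the article: find redirect directives in .htaccess
# that point at a host other than your own. Assumes POSIX sh with grep -E and
# sed; arguments are the .htaccess path and your site's hostname.

# Print (with line numbers) every Redirect / RedirectMatch / RewriteRule /
# ErrorDocument / Header directive whose target is an absolute URL on a host
# that is neither your domain nor one of its subdomains.
find_foreign_redirects() {
    file="$1"
    own=$(printf '%s' "$2" | sed 's/\./\\./g')   # example.com -> example\.com
    grep -n -i -E '^[[:space:]]*(Redirect|RewriteRule|ErrorDocument|Header)' "$file" \
        | grep -i -E 'https?://' \
        | grep -v -i -E "https?://([^/[:space:]]*\.)?${own}([/[:space:]\"']|$)" || true
}

# Number of suspicious directives, for scripting (0 means nothing foreign found).
count_foreign_redirects() {
    find_foreign_redirects "$1" "$2" | grep -c . || true
}

# Constructed sample: WordPress's stock rules, one legitimate redirect to the
# site's own www host, and two injected redirects to a foreign host.
write_sample_htaccess() {
    cat > "$1" <<'EOF'
# BEGIN WordPress
RewriteEngine On
RewriteBase /
RewriteRule ^index\.php$ - [L]
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteRule . /index.php [L]
# END WordPress
Redirect 301 /old-page https://www.example.com/new-page
RewriteRule ^(.*)$ http://malicious-host.invalid/$1 [R=302,L]
ErrorDocument 404 http://malicious-host.invalid/404
EOF
}
```

Against the constructed sample, `find_foreign_redirects sample.htaccess example.com` reports only the two lines pointing at malicious-host.invalid; the redirect to www.example.com is left alone.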
Perform a check of integrity and excess files
If you do not have a native tool from the hosting provider to check the integrity of your WordPress installation, you can use a plugin to do so.
For this you can use Sucuri Security – Auditing, Malware Scanner and Security Hardening, which is very easy to install, and which in its free version will show you what is wrong and which files are left over, so that you can later correct the problem manually. This plugin has almost 1 million active installations with hundreds of positive reviews! Trust it.
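If you prefer to do the integrity check yourself from SSH, the idea is simple: hash every file of a known-good copy of the same WordPress version (a fresh download or a clean backup) and compare the live tree against it. This is an added example, not the article's or Sucuri's code; it assumes Linux with GNU coreutils (sha256sum, comm). In practice exclude wp-content/uploads, or build the reference from a clean backup, since uploads legitimately differ from a stock download.

```shell
#!/bin/sh
# Added example (not the article's or Sucuri's code): a file-integrity check for
# a WordPress tree. Assumes Linux with GNU coreutils (sha256sum, comm) and a
# known-good copy of the same WordPress version (fresh download or clean backup)
# from which the reference manifest is built.

# Write "sha256  ./relative/path" for every file under a directory, sorted by path.
build_manifest() {
    (cd "$1" && find . -type f -exec sha256sum {} + | sort -k2)
}

# Compare a live tree against a reference manifest (give an absolute manifest
# path, since the function changes directory). One line per finding:
#   MODIFIED: path   content differs from the reference (injected code)
#   MISSING:  path   listed in the reference but gone from the live tree
#   EXTRA:    path   on disk but unknown to the reference (dropped files live here)
integrity_report() {
    live="$1"; manifest="$2"
    # sha256sum -c --quiet prints only failures: "path: FAILED" for changed
    # content and "path: FAILED open or read" for missing files. Its exit status
    # is non-zero whenever anything failed, so neutralise it for set -e callers.
    (cd "$live" && sha256sum -c --quiet "$manifest" 2>/dev/null || true) \
        | sed -n 's/^\(.*\): FAILED open or read$/MISSING:  \1/p; s/^\(.*\): FAILED$/MODIFIED: \1/p'
    # Extra files: compare the sorted path lists with comm.
    tmp=$(mktemp -d)
    sed 's/^[0-9a-f]*  //' "$manifest" | sort > "$tmp/ref"
    (cd "$live" && find . -type f) | sort > "$tmp/live"
    comm -13 "$tmp/ref" "$tmp/live" | sed 's/^/EXTRA:    /'
    rm -rf "$tmp"
}

# Number of findings of one kind (MODIFIED, MISSING or EXTRA).
count_findings() {
    integrity_report "$1" "$2" | grep -c "^$3:" || true
}
```

Usage: `build_manifest /path/to/clean-wordpress > /tmp/wp.manifest` followed by `integrity_report public_html /tmp/wp.manifest`; if WP-CLI is available on your host, `wp core verify-checksums` performs the core-file part of this comparison against the official checksums for you.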
Install a security plugin
Installing a security plugin will keep your WordPress from walking around naked for life. With the number of threats floating around today, installing one is a necessity.
Check your WordPress URL
In many cases we detect that the WordPress URL was tampered with and this produces redirects, errors and unusual behavior. If you can’t check it by opening WP Admin because it also redirects or has another problem, then check your WordPress URL in its database.
To do this, again open phpMyAdmin, find the database of your WordPress installation and open the wp_options table (or replace “wp” with the corresponding prefix). Now check the siteurl and homeurl options. If they match the URL of your site, then everything is fine; if not, edit them and replace the value with the URL corresponding to your WordPress.
Hide WP Admin URL
The default WP Admin URL is probably one of the most recognized web addresses. Unfortunately, it is equally well known to malware, which knows that behind it lies the control of millions of websites made in WordPress. That is why we recommend hiding the URL by moving it to a custom one, so that bots roaming the Internet can no longer detect it.
In the article linked here, we show you how to protect your WordPress login URL using WPS Hide Login: How to change or protect the wp-admin URL.
How to remove unsafe site warnings in the browser
This is the browser’s red warning screen. If your website was infected, Google may preventively apply this red screen to protect your visitors from having their devices infected with malicious code inserted into your website.
If you have already fixed the error, and for example, the Chrome browser displays warnings that visiting the website is not safe, go to the Google Search Console to request a manual review. It may also happen that after a few days it disappears automatically (that is, when the Google crawler goes through your website again and checks that it was fixed).