What happens when your WordPress website gets infected by malware?
- Website Functionality Issues: Malware can disrupt the normal functioning of your website. This may result in slow loading times, broken links, or pages not displaying correctly. In some cases, the entire website may become inaccessible. The most common issue is pages being redirected to a scam website.
- Data Theft: Malware can be used to steal sensitive data from your website and its users. This can include personal information, login credentials, payment information, and more. Malware can also create an administrator account on your WordPress website.
- SEO Damage: Some malware can manipulate your website’s content or insert links to malicious sites, which can harm your website’s search engine rankings. Google and other search engines may blacklist your website, making it difficult for users to find it through organic search results.
- Phishing Attacks: Malware can be used to create phishing pages on your website that impersonate trusted entities, such as banks or email providers, to steal user credentials or sensitive information.
- Spam Distribution: Malware-infected websites may send out spam emails or engage in other forms of spammy behavior, damaging your website’s reputation and potentially causing email deliverability issues.
- Loss of Trust: Visitors to your website who encounter malware or suspicious activity are likely to lose trust in your brand. This can lead to a loss of customers and revenue.
- Resource Drain: Some malware can consume significant server resources, causing slow performance and potentially leading to additional costs for hosting.
- Blacklisting: If your website is found to be infected with malware, web browsers and security tools may flag it as dangerous, warning visitors not to proceed. This can result in a significant drop in traffic.
Removing malware from a WordPress website is a critical task to ensure the security and integrity of your site. Here’s a step-by-step guide on how to do it:
Isolate the Infected Website:
- Take your website offline by putting it in maintenance mode or under construction, because the malware can and will infect your other websites on the same hosting.
- Inform your visitors about the situation and let them know the site will be back once it’s clean and secure.
Identify and Confirm the Malware:
- Use a security plugin like Wordfence or Sucuri to scan your website for malware. These plugins can help identify infected files and code.
- In some cases, malware can deactivate the Wordfence plugin automatically by changing the names of Wordfence’s core files. To fix this, open your file manager and make sure that "wp-content/plugins/wordfence/waf/bootstrap.php" still has the correct file name.
- Check your website’s files and database for suspicious code or files. Malware will add files to your website; if you are a WordPress developer, you will recognize the foreign files that you must remove.
- Check your user list and make sure there is no additional administrator account that you don’t recognize.
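An added example, not part of the original guide: a query for the phpMyAdmin SQL tab that lists every account holding the administrator role, newest first, so accounts you did not create stand out. It assumes the default "wp_" table prefix; with another prefix, the table names and the "wp_capabilities" meta key both change to match.

```sql
-- Assumption: table prefix is wp_ (the capabilities meta key carries the same prefix).
-- WordPress stores roles as a PHP-serialized array in usermeta,
-- e.g. a:1:{s:13:"administrator";b:1;}, so the role is matched as a quoted substring.
SELECT u.ID,
       u.user_login,
       u.user_email,
       u.user_registered,
       -- An administrator with no authored content and a recent
       -- registration date deserves a closer look.
       (SELECT COUNT(*)
          FROM wp_posts AS p
         WHERE p.post_author = u.ID) AS authored_posts
  FROM wp_users AS u
  JOIN wp_usermeta AS m
    ON m.user_id = u.ID
 WHERE m.meta_key = 'wp_capabilities'
   AND m.meta_value LIKE '%"administrator"%'
 ORDER BY u.user_registered DESC;
```

Compare the result with the accounts you know you created, and run it again after cleanup to confirm no new administrator has appeared.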
Quarantine or Remove Malicious Files:
- Once you’ve identified malware, quarantine or delete the infected files. This may involve removing suspicious code from your theme files, plugins, or other areas.
- Be cautious and make sure you don’t accidentally remove essential files.
Update WordPress, Themes, and Plugins:
- Outdated software is a common entry point for malware. Update WordPress, themes, and plugins to their latest versions.
- Remove any inactive themes and plugins you no longer use.
- Change your WordPress admin passwords, including your database and FTP credentials.
- Ensure that your new passwords are strong and unique.
Scan and Clean the Database:
- Use a security plugin or tools like phpMyAdmin to search for and clean any malicious code in your database.
- Be cautious when editing the database; a mistake can break your site.
Secure File Permissions:
- Review and set appropriate file permissions for your WordPress files and directories. Generally, directories should be 755, and files should be 644.
- Consider installing a security plugin like Wordfence or Sucuri Security to monitor and protect your site from future threats.
Monitor for Suspicious Activity:
- Keep a close eye on your website for any unusual or suspicious activity, such as unexpected file changes or login attempts.
- Regularly back up your website so that you can quickly restore it if needed.
- Implement a strong firewall and consider using a Web Application Firewall (WAF).
- Disable directory listing.
- Limit login attempts to protect against brute force attacks.
- Consider a security plugin that offers real-time monitoring and protection.
Seek Professional Help:
- If you are unsure about any of these steps or if the malware is particularly persistent, it’s a good idea to seek professional assistance from a security expert or your hosting provider.
- Once you are confident that your website is clean and secure, take it out of maintenance mode and let your visitors know it’s safe to use again.
If your WordPress site is an active website, such as an e-commerce website that has transactions and a lot of variations, or even a blog, WordPress stores all posts, pages, blocks and transactions in the database.
You must check all of these post types; the number of infected posts could be in the hundreds or thousands!
My 3-year-old e-commerce website has 1.576 posts infected by this malware. It could be a nightmare if you check and fix these posts from the WordPress admin. The only solution is to run a MySQL command in phpMyAdmin to fix all these posts. Follow these steps:
1. Make sure you know the malicious code that infects the files; mine starts with
var o=String;eval(o.fromCharCode(31402,11217,13310,9169,16716,18905,11231 ......
To find it, edit an infected page with the WordPress code editor.
2. Open your database with phpMyAdmin, select the wp_prefix_posts table, and search the post_content column for infected posts.
3. If you get results, that means you need to delete that code, but make sure not to erase the whole post_content. Please be careful or you will break the website structure!
4. Use a MySQL command to delete the code.
UPDATE `your_prefix_posts` SET `post_content` = REPLACE (`post_content`, "malware_code"," ");
Congratulations, all the malware code is erased!
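An added example, not from the original post: the same cleanup wrapped in a backup, a count, a preview and a final check, so a wrong search string cannot silently damage post content. It assumes the "wp_" table prefix, a backup table name chosen here for illustration, and that 'malware_code' is replaced everywhere with the exact injected string copied from one infected post.

```sql
-- Assumptions: prefix wp_; 'malware_code' is a placeholder for the exact
-- injected string; wp_posts_backup_before_clean is a name made up for this example.

-- 1. Keep a restorable copy of the table before changing anything.
CREATE TABLE wp_posts_backup_before_clean LIKE wp_posts;
INSERT INTO wp_posts_backup_before_clean SELECT * FROM wp_posts;

-- 2. Count infected rows per post type. Revisions and autosaves also live
--    in wp_posts, so expect more rows than the posts visible in the admin.
SELECT post_type, post_status, COUNT(*) AS infected
  FROM wp_posts
 WHERE INSTR(post_content, 'malware_code') > 0
 GROUP BY post_type, post_status;

-- 3. Preview the effect: each row should shrink by the length of the
--    injected code (or a multiple of it), not by the whole post.
SELECT ID, post_title,
       CHAR_LENGTH(post_content) AS len_before,
       CHAR_LENGTH(REPLACE(post_content, 'malware_code', '')) AS len_after
  FROM wp_posts
 WHERE INSTR(post_content, 'malware_code') > 0
 LIMIT 20;

-- 4. Remove the code, touching only the rows that contain it.
UPDATE wp_posts
   SET post_content = REPLACE(post_content, 'malware_code', '')
 WHERE INSTR(post_content, 'malware_code') > 0;

-- 5. Look for leftovers using only the start of the injection shown above.
--    A non-zero count means some posts carry a variant that the exact
--    string did not match; copy that variant and repeat steps 2 to 4.
SELECT COUNT(*) AS still_suspicious
  FROM wp_posts
 WHERE INSTR(post_content, 'var o=String;eval(o.fromCharCode(') > 0;

-- Restore path if the result is wrong:
-- UPDATE wp_posts AS p
--   JOIN wp_posts_backup_before_clean AS b ON b.ID = p.ID
--    SET p.post_content = b.post_content;
```

Drop the backup table once the site has been verified, since it still contains the injected code.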