How To Cleanup Your WordPress Website From A Hack (Malware)
There is nothing more frustrating than having a hacked WordPress website and not knowing where to turn.
A lot of companies in the hosting industry will simply suspend the account and tell the customer to "fix it."
In my opinion that only makes a bad decision worse.
Here at NameHero we try to help our customers that face this unfortunate situation as much as we can so they can return to business as usual as quickly as possible.
Preventative Maintenance
Obviously, it's much better to prevent a hack from taking place.
If you've been fortunate enough to never have your WordPress compromised, it's likely you've followed these:
Use strong cPanel, FTP, Email, WordPress credentials (i.e. passwords with letters, numbers, special characters)
Keep WordPress core files updated along with plugins and themes
Regularly keep your own backups
Use a good WordPress security plugin
I've published a lot of good resources on the blog, but here are some helpful articles you should check out:
How To Secure Your WordPress Admin Area
6 Simple Tips To Keep Your WordPress Website Secure
How To Secure WordPress With Wordfence Security
ManageWP Review – How To Manage Multiple WordPress Websites
Nightly Malware Scanning
Here at NameHero we try to help you be proactive by automatically scanning accounts each night for Malware.
When detected, the files are automatically removed, preventing most attacks from going too far (i.e. infecting the entire cPanel account).
However, it's important to remember the account was still injected with malware, meaning there is a vulnerability in your website that needs to be patched.
You can follow the below steps to secure your installation.
_Before beginning the next steps, it's important to have a FULL backup of your account. You can generate this by going to cPanel -> Backups -> Download A Full Backup._
Replace Core WordPress Files
The first thing you want to do when your WordPress website has been injected with malicious content is to replace your core WordPress files with clean ones.
You can easily download these from WordPress.org and use your favorite FTP program (such as Filezilla) to upload over your current ones.
If you're not running the latest version of WordPress, it's important to download the correct version and then immediately upgrade once you can.
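Replacing the core files by hand leaves you unsure what was actually touched. WordPress.org publishes an MD5 checksum manifest for every release (https://api.wordpress.org/core/checksums/1.0/?version=VERSION&locale=en_US, a JSON object whose "checksums" map is relative path to MD5 hex), and the added example below, which is not code from the post or from NameHero, compares an install against such a manifest and reports files that were modified, are missing, or were added to wp-admin/ and wp-includes/; the manifest and file tree are constructed in a temp directory so it runs offline.

```python
import hashlib
import os
import tempfile

CORE_DIRS = ("wp-admin", "wp-includes")  # should contain only files listed in the manifest

def md5_file(path):
    with open(path, "rb") as f:
        return hashlib.md5(f.read()).hexdigest()

def verify_core(root, checksums):
    """Return sorted (modified, missing, extra) paths; checksums maps rel path -> md5 hex."""
    modified, missing, extra = [], [], []
    for rel, expected in checksums.items():
        full = os.path.join(root, rel)
        if not os.path.isfile(full):
            missing.append(rel)
        elif md5_file(full) != expected:
            modified.append(rel)
    # Files inside wp-admin/ or wp-includes/ that the manifest does not list are
    # not part of WordPress; a PHP file dropped there is a common sign of a hack.
    for d in CORE_DIRS:
        for dirpath, _, names in os.walk(os.path.join(root, d)):
            for name in names:
                rel = os.path.relpath(os.path.join(dirpath, name), root).replace(os.sep, "/")
                if rel not in checksums:
                    extra.append(rel)
    return sorted(modified), sorted(missing), sorted(extra)

def build_demo_install():
    """Constructed install in a temp dir: one clean, one tampered, one missing, one planted file."""
    clean = {
        "wp-load.php": b"<?php /* demo: clean core file */\n",
        "wp-includes/version.php": b"<?php $wp_version = '0.0.0-demo';\n",
        "wp-admin/index.php": b"<?php /* demo: will be missing on disk */\n",
    }
    manifest = {rel: hashlib.md5(data).hexdigest() for rel, data in clean.items()}
    on_disk = dict(clean)
    on_disk["wp-includes/version.php"] += b"/* injected */\n"         # tampered
    del on_disk["wp-admin/index.php"]                                 # missing
    on_disk["wp-includes/css/.cache.php"] = b"<?php /* planted */\n"  # extra
    root = tempfile.mkdtemp(prefix="wp-demo-")
    for rel, data in on_disk.items():
        full = os.path.join(root, rel)
        os.makedirs(os.path.dirname(full), exist_ok=True)
        with open(full, "wb") as f:
            f.write(data)
    return root, manifest
```

If WP-CLI is available on the account, `wp core verify-checksums` performs the same comparison against the live manifest for the installed version.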
Update Themes And Plugins
Once you've secured your core WordPress files, and have upgraded to the latest release, you need to replace ALL your themes and plugins with new versions as well.
Most plugins can easily be upgraded inside of your wp-admin under the Plugins menu. Many of the default themes can be upgraded here as well, but if you have a custom one, you may need to go to the theme developer's website to download the latest files.
If you have a completely custom theme, you may need to work with your developer to complete the upgrade.
Scan With Wordfence
Wordfence is a security plugin whose free version includes malware scanning. Once you have everything updated, it's important to run a scan to see whether it detects anything else.
WordFence will also ask for your email so they can alert you when a plugin/theme/core file needs to be updated. They also have a powerful firewall that will help block some hacking attempts.
Change All Passwords
If your WordPress website has been hacked, you need to assume all of your passwords have been compromised.
You need to change everything:
Master cPanel password
All email account passwords
All FTP account passwords
All MySQL user passwords (make sure to update wp-config.php)
Your WordPress admin password AND users
When changing them, make sure to use a strong password generator rather than a string you make up yourself, which could be vulnerable to dictionary-based attacks.
If you have more than one WordPress installation in your cPanel, you should complete the above for ALL of them.
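The MySQL password change means editing wp-config.php by hand, which is easy to get wrong on a site you are already nervous about. The added example below, which is not code from the post or from NameHero, rewrites the DB_PASSWORD define in wp-config.php text and, going a step beyond the post, also regenerates the eight authentication keys and salts, which invalidates every existing WordPress login cookie; the config fragment is constructed in the layout WordPress ships, and the functions are assumed names.

```python
import re
import secrets
import string

# The eight constants WordPress uses to sign login cookies and nonces.
SALT_KEYS = ("AUTH_KEY", "SECURE_AUTH_KEY", "LOGGED_IN_KEY", "NONCE_KEY",
             "AUTH_SALT", "SECURE_AUTH_SALT", "LOGGED_IN_SALT", "NONCE_SALT")

# Constructed wp-config.php fragment in the layout WordPress ships; not a real site's config.
SAMPLE_CONFIG = """<?php
define( 'DB_NAME', 'demo_db' );
define( 'DB_USER', 'demo_user' );
define( 'DB_PASSWORD', 'old-password-here' );
define( 'AUTH_KEY',         'put your unique phrase here' );
define( 'SECURE_AUTH_KEY',  'put your unique phrase here' );
define( 'LOGGED_IN_KEY',    'put your unique phrase here' );
define( 'NONCE_KEY',        'put your unique phrase here' );
define( 'AUTH_SALT',        'put your unique phrase here' );
define( 'SECURE_AUTH_SALT', 'put your unique phrase here' );
define( 'LOGGED_IN_SALT',   'put your unique phrase here' );
define( 'NONCE_SALT',       'put your unique phrase here' );
"""

def generate_password(length=24):
    """CSPRNG password; ' and \\ are left out so it fits a single-quoted PHP string unescaped."""
    alphabet = [c for c in string.ascii_letters + string.digits + string.punctuation if c not in "'\\"]
    return "".join(secrets.choice(alphabet) for _ in range(length))

def set_define(config, name, value):
    """Replace the value of define('NAME', '...'); refuse to silently leave an old secret in place."""
    pattern = re.compile(r"define\(\s*'%s'\s*,\s*'[^']*'\s*\)" % re.escape(name))
    new_config, count = pattern.subn(lambda m: "define( '%s', '%s' )" % (name, value), config)
    if count != 1:
        raise ValueError("expected exactly one define for %s, found %d" % (name, count))
    return new_config

def rotate_wp_config(config, db_password):
    """New config text: DB_PASSWORD set to db_password, all keys/salts regenerated."""
    config = set_define(config, "DB_PASSWORD", db_password)
    for key in SALT_KEYS:
        config = set_define(config, key, secrets.token_urlsafe(48))  # 64 URL-safe chars each
    return config

if __name__ == "__main__":
    print(rotate_wp_config(SAMPLE_CONFIG, generate_password()))
```

Set the same new password on the MySQL user in cPanel before uploading the rewritten file, otherwise the site cannot connect to its database.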
Rebuild The Entire cPanel Account
If you complete everything but still run into malware injections, spam, or other malicious activity, it's possible the entire cPanel account has been compromised and needs to be rebuilt.
This is a worst-case scenario, but we've seen it happen.
You'll need to first take a full backup of the account (cPanel -> Backups -> Download a full website backup) and then submit a ticket to have our team delete the entire account. If you have a Reseller account, you can do this on your end.
If You Don't Want To Do This Yourself
The most cost-effective way to recover from a WordPress hack is to do all of the above steps yourself.
However, if you're not willing (or don't have the time), our team can do it for you at the price of $75 per hour. Please submit a ticket and our management team will provide you with a quote, then an invoice to begin working.
There are also a number of different third-party services that you can use. Submit a ticket for our recommendation of a known provider.
How To Clean Up A WordPress Hack
I filmed a video tutorial where I walk you through all of the above steps:
WordPress hacks suck, but if you fall victim, it's not the end of the world.
Once you recover though, make sure to use some better preventative maintenance so you don't have to go through it again!
Feel free to ask questions below!
Updated on: 10/10/2024