One day you discover with horror in your website. Hacked? We will guide you how to remove malware from wordpress website for free. You review the content and find strange links to websites that shouldn't be there... To add insult to injury, your site is listed as dangerous by Google, with the bad image that this implies facing the outside. ¿Now what do I do? You will wonder.
The first reaction will be to experience great stress, stress and haste to solve the problem. In such a situation it is easy to make mistakes and even take hasty actions that may later prove irreversible.
So the main thing is that you stay calm, take a deep breath and carefully follow the following indications:
In this way you will avoid giving a bad image and that both users and search engines detect an unwanted activity. You can do this in two ways: installing the plugin WP Maintenance Mode Or, if you have experience editing code, you can do it manually as follows:
1.1. Create a file in the root where you can call for example "maintenance.php".
1.2. Edit this file you just created and kill it to your liking. To simplify matters, a simple code example would be as follows:
<html>
<h1>Estamos realizando tareas de mantenimiento.</h1>
<h2>Por favor, vuelva a intentarlo más tarde. Disculpe las molestias.</h2>
</html>
1.3. Edit the file functions.php of your WordPress theme and add the following code:
function modo_mantenimiento() {
global $pagenow;
if ( $pagenow !== 'wp-login.php' && ! current_user_can( 'manage_options' ) && ! is_admin() ) {
header( $_SERVER["SERVER_PROTOCOL"] . ' 503 Service Temporarily Unavailable', true, 503 );
header( 'Content-Type: text/html; charset=utf-8' );
if ( file_exists(ABSPATH . 'maintenance.php') ) {
require_once(ABSPATH . 'maintenance.php');
}
die();
}
}
add_action( 'wp_loaded', 'maintenance_mode' );
With this we manage to prevent our users from seeing strange things on our website and, on the other hand, we keep intact the ability to access WordPress administration.
The next step is to try to identify the problem. For this you can visit the Google diagnostic website and see if your site is infected with malware. Also, I recommend that you use the free tool of Sucuri.
Surely now you have some more information. With this, plus the symptoms you are experiencing on your website, I recommend that you put yourself in contact your accommodation company to communicate the problem and follow their instructions. This is very important, especially in shared accommodation, as the attack may have affected more than one site. If the technical service leaves a lot to be desired and they are not in the effort to offer you help, consider changing your hosting company at the end of this guide.
Believe it or not, it is usually very common that the equipment we regularly use is the main source of all problems. Make sure you have a good antivirus installed and updated, and performs a full first scan. There are very good solutions in the market like the Antivirus Kaspersky, Panda Global Protection, etc. It is also good to complement it with specialized tools in the malware detection, how Malwarebytes Anti - Malware.
Fundamental, before making any changes, make a copy of website and database. In this way, you will avoid risks of loss of information if something goes wrong. You leave this copy kept separately.
It is imperative that you change all passwords to prevent attackers from continuing to act on your website:
When modifying the database password, you must immediately edit the file wp - config.php and write the new password, otherwise WordPress will not be able to establish a connection to the database and your site will be inaccessible.
Also, in this same file you must change the security keys. To do this, access the official WordPress security key generator, copy the generated code, and replace it where it corresponds in the file wp - config.php.
Take advantage of the fact that you are editing it to make sure there is nothing strange about it.
We are ready to start cleaning:
6.1. If you use a cache plugin, I recommend that you disable it and limpie the cache, Because if any infected files remain in the cache, it can leave your site infected again.
6.2. Install the plugin WordFence or Anti - Malware Security and Brute - Force Firewall with the aim of performing a check from your website. So you can see which files appear infected, which lines of code have been inserted and where. This is essential if you use your own custom theme.
6.3. Download your topic, which is inside the folder /wp - content/ and go reviewing and editing the files according to the instructions of the security plugin. As a result, you will have your clean theme on your computer. To make sure, you can analyze your topic files with your antivirus and your antimalware tool. If you use a commercial theme, I recommend that you download a clean copy from its official site.
6.4. Enter the section of plugins of your WordPress installation and point to the plugins that you have active and download the most updated versions of them on your team.
Very good. For now we have a clean theme and plugins.
Check the content of your website and search for iframs, rare codes, internal and external links that point to suspicious sites to remove them.
6.5. Now connect via FTP and sort the files by modification date. Pay special attention to the latest modified ones, as they are usually those that contain malicious code. Download the latest version of WordPress from the official site. Unzip the downloaded file into a folder on your computer. Check that structure of folders and files and compare it with the one existing on your server. So you can detect strange files they shouldn't be.
6.6. Sometimes you may find that it is not possible to remove all malicious code. In that case, it is most advisable that you replace the files of your WordPress installation with the WordPress files downloaded from the official site.
Check that everything works correctly and, to finish, delete or comment on the function you created at the beginning of the article and so on disable "maintenance mode".
6.7. To finish, access the tools to Google webmasters and request that they review your website. If you don't know how to do it, you can consult the Google help.
You already have your site clean and perfectly operational again. However, to avoid as far as possible that you see yourself in compromised situations again, it is essential that you take the following measures:
7.1. Change the prefix of your database. You can use the plugin Change DB Prefix. Of course, as always, before any major change, make a backup copy of your database.
7.2. Modify the permissions of the files hosted on your server at 755 and the directories at 644. Forget about granting 777 permissions to files or directories. Do not give facilities.
7.3. Generate files index.php empty to prevent directories from being accessible through the browser.
7.4. Check that there is no user "admin", since it is the first to be searched by potential attackers.
7.5. Create a file .htaccess with the following code:
<Files *.php>
deny from all
</Files>
And place it in the / wp - content / uploads folder. This way you will prevent .php files from running inside the folder "uploads", something that many attackers often try.
7.6. Perform periodic backups, both from the website and from the database. And keep it somewhere safe, if possible outside the hosting server.
7.7. Keep updated your WordPress, as well as the theme and plugins you use.
7.8. Delete spam type comments. You can help yourself with plugins like Akismet or Antispam Bee.
7.9. Activate a security plugin as Wordfence, All In One WP Security & Firewall or iThemes Security.
7.10. Always use secure passwords and educate your collaborators on the vital importance of this practice. To make your life easier, you can use this online password generator.
7.11. Apply, as a security supplement, some double authentication factor system as Latch, which we talked about earlier in an article about increase WordPress security with Latch.