WordPress Security

How Do I Remove a Virus or Malware From My Hacked WordPress Website?

WordPress is the ubiquitous and popular platform for blogging and, more recently, a content management system (CMS) for millions of entire websites. WordPress is fairly user friendly, relatively simple to use (until you start getting into a lot of plug-ins or changing the PHP code), and usually secure. However, any website platform or CMS can be hacked and WordPress is no different, especially if you do not regularly update the blog, themes, and plugins, if you do not use blog security best practices, or if your WordPress installation is not “hardened” against virus or malware infections. When your blog gets hacked, you get viruses, and then you have to know how to get rid of them! So, you will ask yourself: How do I remove a virus from my WordPress blog?

How a WordPress Blog Gets Hacked:

The primary reason for viruses or malware infection in your WordPress site is that it was compromised by a hacker. WordPress can get hacked in a number of ways:

  • Outdated versions of WordPress
  • WordPress passwords that are too simple
  • Malware/phishing attacks
  • SQL injection attempts, as well as Base64 (and various other) code injection
  • Poorly coded and vulnerable plug-ins or themes installed to your WordPress site
  • WordPress uses a writable PHP system, which means that much of it can be overwritten by a clever hacker

Some of these things you cannot do anything about, but you can do your best to protect your blog. Changing your password regularly, updating WordPress, using a regularly updated anti-virus system to harden your defenses, being very careful to only use well-reviewed and verified plug-ins, and securing your .htaccess file are all good ways to protect your blog.

However, viruses and malware still happen! You may wake up, go to check your blog, and discover that your site is now attempting to install a virus or trojan on each visitor’s computer, is plagued with advertisements that can’t be stopped, or is directing each visitor to a URL that’s not yours, diverting your hard-earned traffic and causing Google to replace your home page with a warning page! Unfortunately, even though you didn’t do this, your site will eventually get banned by Google and it’s possible that you could face legal issues if someone’s computer gets infected. It’s time to roll up your sleeves and clean up the mess.

How Do I Find a Virus In My WordPress Blog?

In order to get rid of the virus, you first have to find out how many infections have been placed in your code, which files have been compromised, and whether there are any “back doors” (a point of access on the blog that hackers almost always install so that they can gain access again after you remove the virus infections). In general, you will need to:

  • Search for any base64 encoding that shouldn’t be in your WordPress files. Hackers have become very sophisticated at hiding their viruses in a blog, and one of the ways they do it is by ‘obfuscating’ the code so that it is unreadable. However, if you do not know what to look for, you can end up deleting legitimate WordPress code, since WordPress itself (as well as themes and plugins) also uses base64 encoding in some files. I recommend logging into your server with shell access and using the ‘grep’ command to find any out-of-place base64 encoding.
  • Download the WordPress database and search the entries for malicious code or suspicious URLs.
  • Check to see when changes were made to your files or if any new files have been placed which shouldn’t be there.
  • See if any of your blog themes use “timthumb.php.” Timthumb is a very popular image thumbnail script and certain versions have a vulnerability which allows hackers to install a virus in WordPress and leave back doors, etc. Upgrade to the newest version of Timthumb, or use a theme that doesn’t use this script.

This is quite labour intensive. There are plenty of forums to give you a hand, but basically if something looks out of place within the PHP code, it probably is.
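The file-level checks from the list above (base64 search, recent changes, timthumb.php) can be scripted as read-only helpers. This is an added example, not code from the original page; the function names, the demo tree, and the extra decoder names `gzinflate` and `str_rot13` are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: read-only triage helpers; function names are illustrative.

# Every PHP file that calls base64_decode. A review list, not a verdict:
# core, themes and plugins use it legitimately.
list_base64_users() {
    find "$1" -type f -name '*.php' -exec grep -l 'base64_decode' {} + | sort
}

# Higher-signal subset: decoded data handed straight to eval().
list_eval_decoders() {
    find "$1" -type f -name '*.php' -exec grep -lE \
        'eval[[:space:]]*\([[:space:]]*(base64_decode|gzinflate|str_rot13)' {} + | sort
}

# PHP files modified within the last N days.
list_recent_php() {
    find "$1" -type f -name '*.php' -mtime "-$2" | sort
}

# Copies of timthumb.php bundled inside themes or plugins.
list_timthumb() {
    find "$1" -type f -iname 'timthumb.php' | sort
}

# Constructed sample tree (harmless contents) so the checks run offline.
make_demo_tree() {
    d=$(mktemp -d) || return 1
    mkdir -p "$d/wp-includes" "$d/wp-content/themes/demo/lib"
    printf '%s\n' '<?php $img = base64_decode($encoded_png);' > "$d/wp-includes/legit.php"
    touch -t 202001010000 "$d/wp-includes/legit.php"   # old, untouched file
    printf '%s\n' "<?php eval(base64_decode('ZWNobyAiZGVtbyI7'));" \
        > "$d/wp-content/themes/demo/footer.php"
    printf '%s\n' '<?php // placeholder for a bundled thumbnail script' \
        > "$d/wp-content/themes/demo/lib/timthumb.php"
    printf '%s\n' "$d"
}

# Usage: sh triage.sh /path/to/wordpress [days]; no arguments uses the demo tree.
root=${1:-$(make_demo_tree)}
days=${2:-7}
echo "== base64_decode users (review each) =="; list_base64_users "$root"
echo "== eval() of decoded data ==";            list_eval_decoders "$root"
echo "== PHP changed in last $days days ==";    list_recent_php "$root" "$days"
echo "== timthumb.php copies ==";               list_timthumb "$root"
```

On the demo tree the first list contains both the legitimate file and the constructed sample, while the second contains only the sample, which is the distinction that keeps you from deleting legitimate code.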

How Do I Remove the Virus?

Once you’ve identified where the hidden virus or malware code is, you may be able to remove it by deleting it from the affected WordPress files. (This method can get very tedious; you may have to go through everything with a fine-tooth comb to find it all.) However, many viruses are more persistent and you may need more technical help (we offer help in this area…please send us an email for a free quote). Ideally, restore your entire blog and databases from a known, clean backup (of course it needs to be from before the virus was installed), and close the vulnerability (and any “back doors”) so the hacker cannot gain access again. If repairing the site is not working and you do not have a clean backup you can restore from, then you are forced to consider either professional help or deleting the entire website and databases and rebuilding everything from scratch. Obviously, this is a last resort and should be considered very carefully. The upside is that you won’t have to worry about the WordPress virus anymore (assuming that you don’t use the same plugins, themes, or whatever else allowed the hacker to gain access). To prepare for another potential security hole being exploited, it is important to keep frequent backups of your blog, plugins, themes, and databases, along with any coding changes, so that it can all be restored with relative ease in the event of another security breach of your blog.

Once the virus has been taken out of your WordPress blog, it is important to take steps to make sure it doesn’t happen again. We recommend you invest in a good anti-virus plug-in or software and update WordPress and all of your themes and plug-ins, while disabling and uninstalling any that you never use, that are not updated regularly, or that are simply questionable with respect to WordPress security. If you really want to be sure, you can download your blog and database regularly and go over the files to check for anything out of the ordinary; not only will this help get rid of any WordPress virus, but it will also give you a good idea of the inner workings of your blog.

It is not easy to learn how to remove a virus from a WordPress blog because viruses, and the automated software that takes advantage of any loopholes in the WordPress platform, plugins, or themes, are always advancing. Also, taking a virus out usually means spending a great deal of time combing over the code, identifying the virus or malware infection (which is usually hidden or encoded), plugging that security hole, and removing any “backdoors” that hackers almost always install so they can gain access again after you think you’ve removed the problem. Of course prevention is important and a good start is: using only verified plug-ins, changing passwords regularly, clearing your cookies and changing safe-keys, updating plugins and themes, and not giving out your information. You can also visit WordPress blog forums for tricks and tips to get rid of viruses and for support if your blog gets hacked. However, all this is only a small part of the picture. You need to harden your WordPress site and its .htaccess files to prevent hackers from injecting malicious code. This will help protect your site against hacking attacks such as CSRF, RFI, CRLF, XSS, and Base64 code injection as well as SQL injection. Fortunately, we can do this for you: GetHits has trained technicians who are experts in identifying and removing WordPress and general website viruses, malware, backdoors, and other security breaches. We then lock down your website, WordPress installation, plugins, and themes to help prevent further attacks. Go to our order page to receive immediate help.

Disclaimer: The information on this web page is for educational purposes only and is to be used at your own risk. Hackers and vulnerabilities in websites and blogs are always changing and once a hole is plugged we cannot guarantee that the site will not be infected again at some point in the future.