Recently I was contacted by a friend who told me that he believed his website was infected by a virus. When I asked why he believed that, he told me that he had noticed increased CPU consumption on his VPS. If you run your own VPS, one of the tools I highly recommend is NewRelic; it can save you some time debugging your WordPress problems. Anyway, I told him that we had to act quickly. I would like to tell you about the process and tools I used to clean a virus from a WordPress website.
If you don’t solve the problem soon, Google will detect that your website is infected and remove it from the search results, and when someone visits your site directly, Google Chrome will show a big red warning that the site they want to visit is harmful.
What’s even worse is that malware could infect visitors coming to your website.
How can a WordPress website get infected?
WordPress is pretty secure out of the box, but it has some security shortcomings. One is XML-RPC, which attackers can exploit in some cases (depending on the security plugin you use). Even worse is the XML-RPC method called system.multicall, which lets an attacker probe hundreds of passwords with ONE request while security plugins don’t even notice. That means that in a short time they can easily probe thousands of passwords, and if your password is weak they will get it.
This problem can be fixed with the right security plugin.
If WordPress is secure, what else can cause a breach? A bad password that can be easily guessed. Common passwords like Password, 123456 or even the name of the website will make your website fall into the wrong hands pretty soon.
The third point of break-in is a bad hosting company. If the web server is not configured by professionals, attackers will soon find a way to break in, infecting thousands of websites.
The fourth break-in point can be plugins. The WordPress plugin repository is full of old, unsupported plugins which can still be installed. Plugins can have security holes which can be exploited to gain access to your website, so make sure that you use the most popular plugins with a big install base, or premium plugins which are actively developed and coded with best practices and security in mind.
The fifth point of break-in is badly coded themes which are not supported anymore. Make sure that you use a good theme and that it’s regularly updated. Nulled (pirated) themes and plugins usually already come with malware or added security holes which can be exploited.
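A security plugin normally does this check for you, but to show what it has to look at, here is an added Python example (not code from the original post or from any of the plugins mentioned): it parses an XML-RPC request body and flags a system.multicall that bundles many credential-taking calls, the one-request password probing described above. The list of credential methods and the threshold of 5 are assumptions, and both sample requests are constructed, with placeholder credentials only.

```python
import xmlrpc.client

# XML-RPC methods that take a username/password pair (assumed list). A
# system.multicall wrapping many of them is the one-request probing pattern.
CREDENTIAL_METHODS = {"wp.getUsersBlogs", "wp.getProfile", "wp.getPosts"}
MAX_CALLS_PER_MULTICALL = 5  # assumed policy threshold, not a WordPress setting


def inspect_xmlrpc_request(body: str) -> dict:
    """Parse an XML-RPC request body and decide whether it should be blocked."""
    params, method = xmlrpc.client.loads(body)
    inner = []
    if method == "system.multicall" and params and isinstance(params[0], list):
        # Each element of the multicall array is a struct with methodName/params.
        inner = [c.get("methodName", "") for c in params[0] if isinstance(c, dict)]
    credential_calls = sum(1 for m in inner if m in CREDENTIAL_METHODS)
    block = method == "system.multicall" and (
        len(inner) > MAX_CALLS_PER_MULTICALL or credential_calls > 1
    )
    return {
        "method": method,
        "inner_calls": len(inner),
        "credential_calls": credential_calls,
        "block": block,
    }


# Constructed sample requests (not captured traffic); credentials are placeholders.
NORMAL_REQUEST = xmlrpc.client.dumps(("1", "editor", "[placeholder]"), "wp.getProfile")
MULTICALL_BURST = xmlrpc.client.dumps(
    ([{"methodName": "wp.getUsersBlogs", "params": ["admin", f"[guess-{i}]"]}
      for i in range(20)],),
    "system.multicall",
)

if __name__ == "__main__":
    for name, body in (("normal", NORMAL_REQUEST), ("burst", MULTICALL_BURST)):
        print(name, inspect_xmlrpc_request(body))
```

A single ordinary call is allowed through while the bundled request is blocked; the same decision can be made by a web server rule or a plugin that hooks XML-RPC.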
How to detect and remove malware from infected WordPress site
In order to begin removing a virus from an infected WordPress website you will need the following:
- The premium theme you have installed on your site (if you use a free theme, proceed to the next item)
- The premium plugins you have installed (we need clean copies because the ones installed on your site are infected)
- Anti-virus plugins that will help us remove the virus
- An FTP client (we will use it to transfer our premium plugins and theme to our site)
There are some amazing security plugins available in the WordPress repository which can help you fix the problem:
- WordFence
- Sucuri
- Anti-Malware and Brute-Force Security by ELI
- Antivirus Site Protection (by SiteGuarding.com)
Oh, did I mention they are free? I have used all of them, as each has its own benefits. Some are almost perfect and some complement the others with great features. Read on to find out more.
WordFence is one of the most popular security plugins. It can protect your website (website firewall) and secure the login page, changing it to a URL of your choosing. It can do many things to make your WordPress website really secure. What we are looking for is a good virus/malware scanner with a good detection rate. WordFence has a very powerful antivirus engine and will find the infection, not only because it has a good detection rate but also because it compares installed files with the original files from the WordPress repository. Even if it doesn’t detect that plugins are infected, it will compare their files with the originals and let you know if they differ.
Before you begin, go to Settings, scroll down to Scan settings and select all the options. You can leave HIGH SENSITIVITY for the end, in case it doesn’t find any virus.
Then go to Scan and start a WordFence scan. If your site is infected you will know very soon. If you leave your computer, WordFence will send you an email with the scan result.
Now, this was the easy part. Once we know our website is infected, we have to replace all infected plugins and the theme and remove files which don’t belong to WordPress, the plugins or the theme. We will re-install WordPress, the plugins and the theme. In some cases infections create files in various places which are hard to recognize as infections. WordFence can detect, delete or quarantine files that are infections and don’t belong in the place they were found. I suggest you start transferring all premium plugins and the theme to your web server. The location you are interested in is the wp-content folder on the remote site.
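To do by hand what WordFence’s file comparison does, and to find the files that don’t belong before re-installing, here is an added Python example (not part of the original post and not WordFence’s code): it hashes every file in a freshly downloaded copy of a plugin or theme and in the installed copy, then lists files that are extra, modified or missing. The demo() function builds a constructed sample in a temporary directory; file names and contents in it are made up.

```python
import hashlib
import os
import tempfile

def sha256_file(path: str) -> str:
    with open(path, "rb") as f:
        return hashlib.sha256(f.read()).hexdigest()

def hash_tree(root: str) -> dict:
    """Map every file below root (as a relative path) to its SHA-256."""
    hashes = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            hashes[os.path.relpath(full, root).replace(os.sep, "/")] = sha256_file(full)
    return hashes

def compare_trees(reference: str, installed: str) -> dict:
    """Diff an installed plugin/theme folder against a clean copy of the same version."""
    ref, inst = hash_tree(reference), hash_tree(installed)
    return {
        "extra": sorted(set(inst) - set(ref)),  # files that don't belong: prime suspects
        "modified": sorted(p for p in ref if p in inst and ref[p] != inst[p]),
        "missing": sorted(set(ref) - set(inst)),
    }

def write_files(root: str, files: dict) -> None:
    for rel, text in files.items():
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w") as f:
            f.write(text)

def demo() -> dict:
    """Constructed sample: a clean copy and an installed copy with one edited and one extra file."""
    base = tempfile.mkdtemp()
    clean, live = os.path.join(base, "clean"), os.path.join(base, "live")
    files = {
        "plugin.php": "<?php // plugin bootstrap\n",
        "inc/helpers.php": "<?php function helper() {}\n",
        "readme.txt": "=== Example Plugin ===\n",
    }
    write_files(clean, files)
    write_files(live, files)
    with open(os.path.join(live, "inc/helpers.php"), "a") as f:
        f.write("// appended line simulating tampering (constructed)\n")
    write_files(live, {"inc/extra.php": "<?php // file no version of the plugin ships\n"})
    return compare_trees(clean, live)
```

Point reference at the unzipped download of the exact version you have installed; a version mismatch shows up as a long list of modified files rather than as a sign of infection.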
In order to reinstall WordPress, go to Dashboard, click on Updates and find Re-install WordPress now.
Sucuri is one of the best security solutions for WordPress and it shows (they also have editions for major CMS platforms like Magento, Joomla, etc.). They have put a lot of thought into protection and security. Sucuri has one unique feature which is really awesome and will help us remove the virus: it is called Reset plugins.
You have to navigate to Post-Hack and then Reset Plugins. Here, select all the plugins and mark them for reset. Reset deletes the plugin folder, downloads the plugins from their original location and re-installs them in a clean state. That way, if a plugin was infected, its files will be removed and a non-infected version will be installed.
What a great idea.
You should know one thing though. If you use many plugins (50+) the process may take a long time, as Sucuri can’t load all the plugins at the same time. The reason is pretty simple: doing so could cause problems for the WordPress servers hosting the files if many sites downloaded all their plugins at the same time.
I would recommend that before going to the Reset plugins feature, you review your plugins. Find the ones that are essential for the site and delete the ones that the site can live without for a while. If you delete a theme, its settings will remain in the database; just note that you should not select Delete plugin data if you want to preserve settings. And I hope you have a backup of your website, just in case.
Once you have re-installed WordPress, the theme and the premium and free plugins, and have deleted files that don’t belong to the theme, plugins or WordPress, it’s time to re-scan with WordFence. Should you find infected files or plugins again, repeat the process until you get rid of the infections.
Once WordFence no longer finds malware, it’s time to check your site with two additional plugins, just in case and to be on the safe side.
Anti Malware Security and Brute-Force Firewall by ELI
Anti Malware Security and Brute-Force Firewall by ELI is another interesting plugin which protects your website against brute force attacks. In addition, it also has a good scanning engine which can detect infections. You can scan all the folders or choose to scan individual folders like plugins, wp-content or public.
WP Antivirus Site Protection by SiteGuarding.com
WP Antivirus Site Protection by SiteGuarding is a great virus scanner for WordPress. The plugin is commercial, but when you install it, a trial mode is enabled. You can scan several times before the trial expires.
While the detection rate is pretty good, you may see false positives if you enable high sensitivity. If you want to be sure that files are virus-free, you can manually download and replace a theme or a plugin, just to be on the safe side.
There are many ways a WP site can get infected. The first rule for your site should be to have a good backup in place. You should avoid common usernames like Admin or Administrator and common passwords like 12345, password and so on. You should install a firewall like WordFence or iThemes Security and regularly scan your files.
If you detect the infection soon, it won’t do much damage, but if malware starts spreading malicious files to your visitors, Google will soon remove you from the search results and notify visitors using the Chrome browser that the website is infected.