So you were either unlucky or careless and got hacked. This post will help you remove malware from your WordPress blog and covers a couple of things you can do after getting hacked.
0. My WordPress website has malware, what to do?
Depending on what actually happened there are a couple of paths to take, but first of all check whether you can restore your site from a backup.
If that’s possible then you’re good as gold; before you do so, make sure that the backup you’re restoring contains your latest posts, and if not, create a new one.
The malware could have left something in your posts’ content (stored in the database) as well as in the WordPress core, theme and plugin files.
We have a couple of points to check, so let’s get on with it.
1. Preparing for removal
We’re not speaking here about forensic analysis, so we’ll skip making an exact image of your server after the attack; if you’re using WordPress cloud hosting with a snapshot option you could create one. We’ll cover that approach in another post; for now let’s work on the live hacked system.
First and most important, make a backup of the database in its current state. While you do so make sure you don’t overwrite your old backups (in case you need to get some data back) and that the current backup holds the pages with code modified by the malware or other attack. You can also make a copy of the files in case you would like to analyse or isolate the infected ones.
You can back up the database either from the command line or with one of many plugins; the same goes for the files.
Here’s how to backup WP database from command line:
> check the name of your database, user and password; they’re all in the wp-config.php file in your WP installation directory
> log in via terminal and change into your WP directory, then dump the database (you will be prompted for the password):
mysqldump -u yourWPuser -p WpDatabaseName > mydbbackup.sql
After you’re done you can download that file to your local machine.
You can then download that backup together with the WordPress files using SFTP, or copy it to another location on the server.
This will be useful for future analysis and serves as a fallback if something goes wrong when reinstalling WP.
Now that you have:
– a database backup,
– a files backup
2. Finding recently modified files
Let’s quickly list recently modified files, in case they were modified by malware. Note that find wants the directory before the search expression, and that -cmin/-ctime look at inode change time while -mmin/-mtime look at content modification time; an attacker can reset the modification time, so it is worth checking both.
#find php files modified within the last 30 minutes
find /your/wordpress/directory -cmin -30 -name '*.php'
#find php files modified within the last day, output appended to a file
find /your/wordpress/directory -mtime 0 -name '*.php' >> last_day_php_modified
#find php files modified within the last 3 days
find /your/wordpress/directory -mtime -3 -name '*.php' >> last_3_days_php_modified
#all files modified within the last 24 hours, excluding the uploads directory
find /your/wordpress/directory -mtime 0 -not -path "/your/wordpress/directory/wp-content/uploads/*"
3. Reinstalling standard WordPress files
Check the version of your current WP installation, then go to the WordPress releases page, get the clean package for that exact version and download it.
After that upload it via SFTP, or download it in the terminal:
#change link according to version
You can then overwrite all default WP files with the original ones; anything that is left over in the core directories afterwards did not come from WordPress.
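Before overwriting, it helps to know which core files actually differ from the clean release and which files exist only on the live site. The script below is an added example (not from the original post) that compares the two trees file by file; it skips wp-content, since themes, plugins and uploads are site-specific, and treats wp-config.php as expected. The sample trees it builds are constructed for the demo; on a real server CLEAN would be the unpacked release and LIVE your installation directory.

```shell
#!/bin/sh
# Added example: compare a live WordPress tree against a clean release of the
# same version. Reports MODIFIED (content differs), MISSING (core file gone)
# and EXTRA (file in a core directory that the release never shipped).
set -eu

# wp_core_diff CLEAN_DIR LIVE_DIR  -> one finding per line, paths relative to root
wp_core_diff() {
    clean="$1"; live="$2"
    # 1. every file shipped in the clean release must match byte-for-byte
    (cd "$clean" && find . -type f ! -path './wp-content/*' | sort) |
    while IFS= read -r rel; do
        if [ ! -f "$live/$rel" ]; then
            echo "MISSING ${rel#./}"
        elif ! cmp -s "$clean/$rel" "$live/$rel"; then
            echo "MODIFIED ${rel#./}"
        fi
    done
    # 2. files in the live core directories that are not part of the release
    (cd "$live" && find . -type f ! -path './wp-content/*' | sort) |
    while IFS= read -r rel; do
        [ "$rel" = "./wp-config.php" ] && continue   # site config, expected
        [ -f "$clean/$rel" ] || echo "EXTRA ${rel#./}"
    done
}

# Constructed sample trees so the example runs offline (hypothetical content).
build_sample() {
    root="$1"
    mkdir -p "$root/clean/wp-includes" "$root/live/wp-includes" \
             "$root/live/wp-content/plugins"
    echo '<?php // core' > "$root/clean/wp-includes/version.php"
    echo '<?php // core' > "$root/live/wp-includes/version.php"
    echo '<?php // core' > "$root/clean/index.php"
    echo '<?php // core plus an injected line' > "$root/live/index.php"
    echo '<?php // not shipped by WordPress' > "$root/live/wp-includes/cache-x.php"
    echo '<?php // site config' > "$root/live/wp-config.php"
    echo '<?php // plugin, ignored here' > "$root/live/wp-content/plugins/p.php"
}

if [ "${1:-}" = "demo" ]; then
    tmp=$(mktemp -d); build_sample "$tmp"
    wp_core_diff "$tmp/clean" "$tmp/live"
    rm -rf "$tmp"
fi
```

Run it as `sh script.sh demo` to see the constructed case; for a real check call wp_core_diff with the unpacked release and your live directory.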
3. Searching for malware using findbot.pl
This requires access via the command line/terminal. We’ll use findbot.pl, a Perl script that detects a lot of different malware and bot types.
Let’s type those commands:
If the output is too big you can redirect it for further analysis by changing the last line to
./findbot.pl /wordpress/directory >> results.txt
This appends the command’s output to the results.txt file.
Findbot checks for various strings commonly used by malware and viruses, so your results might contain false positives and need to be checked manually.
4. Searching for malware using ClamAV
ClamAV is a great free antivirus for Linux which helps to detect various malware, trojans etc.
First we’ll install it (use the line for your distribution) and update the signature database, then scan the whole filesystem, excluding /sys and printing only infected files (-i):
yum install clamav
apt-get install clamav
#update the signature database (freshclam) before scanning, then:
clamscan --max-filesize=3999M --max-scansize=3999M --exclude-dir="^/sys" -i -r /
5. Scanning your WordPress themes and plugins for well known exploits
A great tool to use for this purpose is WPScan; you can check here how to install it.
It might be that your website got hacked through one of the publicly known exploits in WordPress, its plugins or themes.
This scanner is connected to a live vulnerability database and it’s free, so test it out.
6. Securing your WordPress
Securing your WP is a subject for probably a series of posts; you can start by installing a security plugin of your choice.
Here’s a good post with a comparison of WP security plugins I did some time ago.
7. Checking black lists for your email
In case the malware went deeper into the server and managed to use it as a spam relay, you should check that your website is not on the major email blacklists, as this can cause emails sent from your server to bounce back; here’s a list of sites you can use:
If you’re lucky then after doing the above your server SHOULD BE clean, but of course, as after every hack, you should change your passwords and logins, make sure that your WP installation and plugins are up to date and that you’re not using ones with known security holes.
This post will be expanded in the future, so feel free to bookmark it!