Dealing with Malware or a Hacked Website

Uh oh, your security plugin or web host has notified you that malware has been found on your website. What do we do now?

Don’t Panic

Stay calm. Malware is annoying, but not impossible to overcome. 

Take stock of the situation:

  • Has your website been defaced (vandalized), or have text or links just been added to your site?
  • Is the page you are looking at actually yourwebsite.com? Or is yourwebsite.com sending you to a different URL?
  • Are you able to log in to WordPress (yourwebsite.com/wp-admin/)?

Attempt to fix with Wordfence

If you’re able to log in to your WordPress dashboard, try to fix the malware with the free Wordfence plugin.

Start by making a backup of your website. It’s always good to make sure we have a backup in case we make things worse.

Install the Wordfence plugin. Run a scan and wait for it to complete. At the end of the scan, Wordfence will tell you the issues it found and offer to delete or fix the files it found. Delete all deletable files, and repair all repairable files.

Run a second scan to see if the problem has been fixed. Verify the status by using a 3rd-party malware scanner like Sucuri Sitecheck: sitecheck.sucuri.net

If the second scan came back clean, visually inspect your website for any errors. Continue running scans daily because malware can hide itself and re-infect your website. Proceed to the Post-hack Lockdown section below.

Restore to a Backup

Another way to fix the hack is to simply rewind your website to a time before the hack. This is only viable if you haven’t made any changes to the site, or if you don’t mind losing some content on the site (because you can easily re-publish it, for example).

Start by restoring to the last backup. Scan your website with the Wordfence plugin and Sucuri Sitecheck to see if the hack has been removed. If that didn’t fix the problem, restore to an earlier backup point and scan your site again. If that still doesn’t fix it, you may have to request a professional clean up.

Hopefully that resolves the malware. If so, proceed to the Post-hack Lockdown section below. 

Request A Clean Up 

If your troubleshooting failed to fix the malware, you should get a professional to fix it for you. 

Your web hosting company may offer hack fixes or malware removal. Some premium WordPress hosts like Kinsta offer malware removal at no cost.

Your backup service may have integrated malware removal. For example, the backup service BlogVault has a sibling company called Malcare which specializes in WordPress security.

Fixmysite, WP Fix It, Malcure and ThriveWP provide one-off malware removal and hack fix services.

Wordfence and Sucuri are the biggest names in WordPress security. Their malware removal service also includes a year of their premium services.

ClickWP will fix most malware and hacks at no extra cost when you sign up for a website care plan. Really complicated cases may incur additional fees.

Post-hack Lockdown

You’ve fixed the malware, hooray! Now let’s take some steps to prevent it from happening again.

Update your website

The number one cause of website hacks and malware infections is outdated software. This includes plugins, themes and WordPress itself. Learn how to safely update your website.

Review WordPress user accounts

Navigate to your WordPress dashboard → Users and review the list. Delete any user accounts that you don’t recognize. Also consider deleting any user accounts that haven’t been used in a while e.g. those belonging to your web designer or assistant.

Note: deleting a user will also prompt you to delete their content. Be sure to assign their content to a different user account to avoid inadvertently deleting content from your site.

Update the passwords for all administrators, and all users if possible. You can do this by editing the user and then clicking the Generate Password button. 
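If you have shell access and WP-CLI installed, the same account review can be done from the command line. The script below is an added example, not part of the original guide: it reads the CSV that `wp user list` produces and flags administrators you did not list as known, plus any created on or after the date you suspect the hack began. The function name, the sample accounts and the dates are made up for illustration.

```shell
#!/usr/bin/env bash
# Added example (not from the original guide): review administrator accounts
# from a WP-CLI export. On a real site the input comes from:
#   wp user list --role=administrator \
#     --fields=ID,user_login,user_email,user_registered --format=csv
# Assumption: no field contains a comma (true for typical logins and emails).

# audit_admins KNOWN_LOGINS SUSPECT_DATE   (CSV on stdin)
#   KNOWN_LOGINS  comma-separated logins you recognise
#   SUSPECT_DATE  YYYY-MM-DD, earliest date you think the compromise began
# Prints "<reason><TAB><ID><TAB><login><TAB><email>" for each account to review.
audit_admins() {
  awk -F',' -v known="$1" -v cutoff="$2" '
    BEGIN { n = split(known, k, ","); for (i = 1; i <= n; i++) ok[k[i]] = 1 }
    NR == 1 { next }            # skip the CSV header row
    {
      gsub(/"/, "")             # WP-CLI quotes fields that contain spaces
      if (NF < 4) next          # ignore blank or malformed rows
      reason = ""
      if (!($2 in ok)) reason = "UNRECOGNISED"
      if (substr($4, 1, 10) >= cutoff)
        reason = (reason == "" ? "RECENT" : reason "+RECENT")
      if (reason != "") printf "%s\t%s\t%s\t%s\n", reason, $1, $2, $3
    }'
}

# Constructed sample export (hypothetical accounts, not real data).
sample_csv() {
  cat <<'EOF'
ID,user_login,user_email,user_registered
1,alice,alice@example.com,"2021-06-14 09:12:00"
2,bob,bob@example.com,"2024-03-02 11:05:41"
7,wp_support01,support@example.net,"2024-03-02 11:07:13"
EOF
}

# Demo: alice and bob are known; the compromise is suspected from 2024-03-01.
sample_csv | audit_admins "alice,bob" "2024-03-01"
```

Every flagged account still needs a human decision. When you do remove one with WP-CLI, `wp user delete <ID> --reassign=<other-ID>` keeps its posts by handing them to another user, as the note above recommends.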

Update your hosting account passwords

Most web hosting companies offer several types of access. Be sure to change the password for all of them. Check with your web host to find out what types of access you have if you are not sure.

  1. Customer portal where you manage your plan and billing e.g. my.bluehost.com
  2. Hosting control panel where you find tools like the File Manager e.g. yourwebsite.com/cpanel
  3. FTP or SFTP accounts which allow you to upload and download files to your website with a program like Filezilla or WinSCP.
  4. SSH or shell accounts which allow you to manage your website with the Terminal or an SSH client.

Run a virus scan on your personal computer

Viruses on your laptop or smartphone can actually cause your website to be compromised. That’s why it’s important to ensure your device is clean to eliminate that vector.

Techradar has a good list of antivirus software for Windows and PC.

Review your website security

Read through our WordPress Maintenance and Security guide again to review where you can add additional layers of security to prevent getting hacked again.

And if you need help with any of this, just reach out to us for advice and a no-obligations consult.

Stay safe!
