How to Fix and Restore WordPress being Shell Hacked? Remove Malware from Website

How to Fix and Restore WordPress being Shell Hacked, Remove Malware from Website

If your WordPress website is being hacked and affected by the malware then you need to know how to fix and restore it (remove malware from your website)

Causes of the WordPress website getting hacked

  • Use nulled or unknown theme and plugins
  • Use default username and simple password so it’s easy to be attacked by Brute Force
  • Hosting or Server security is bad, bugged or old, easily Exploit
  • Installed plugins or themes have bugs and shells and are not updated for fixing
  • WordPress has some errors but users are unaware to update
  • Operating System of your computer  is containing viruses and directly affects FTP Client, website, etc.

You can Google search with keywords “” or “ hacked” to check if your website is hacked.

WordPress website shell hacked

Why do hackers hack your website?

This might be a humorous question, since everybody knows when hackers successfully hack into your website, that would be the below reasons:

  • Steal data (Database + Source)
  • Steal customer information (CVV, PayPal, etc)
  • Using SEO for their websites (Meta Keywords and Redirection)
  • Install and spread malware to other websites on the same hosting.
  • Install ransomware to ask for ransom
  • Use server to request for cryptocurrency
  • Use such server as proxy, C2C server, Botnet, etc

To prevent your WordPress is getting hacked, affected malware, you can refer to these articles:

When your WordPress website is hacked, what should you do? You can do following these instructions below to fix, restore your website.

Prepare and restore hacked website (Low Level)

If your website is just lightly affected then when discovering that your site is hacked you need to back up all the website. Then download all the set of source code and database (DB) to your computer, using virus killing software (including online scan to scan even Databases. Re-watch log files to see all the activities on the website to know when it’s attacked.

After knowing the time your website is attacked, if your website isn’t recently uploaded, then you can restore the backup of the last website. Then check out security problems for the website and update the system to make sure the website is no longer hacked in the future.

If your website has any newly uploaded contents then it’s necessary to back up like the below way to restore all the content and clean the website.

– For Source Code: if you have the previous backup then reuse it. As we recommend, you should delete it and use the new source code because the old one might have some security errors that haven’t been fixed. Do the same thing with the plugins list.

– For Database: because the majority of current shells are encoded with base64 so we should find whether exists base64 in the database. To search the database, you go to phpMyAdmin and open your database. Then click on tab Search and type “based64” and select all the table to search (click on Go button) as following:

Search shell in database with base64

If the result shows the tables containing such keywords then you need to carefully check that table. If there appears no result then your database isn’t attacked and you don’t have to worry about it.

Continue to follow these steps to remove malware from your website (orderly):

  1. Go to Admin Panel (Dashboard) of the hacked website and choose Tools -> Export to get the data. Choose All Content or other options if you think it’s necessary, etc. Click on Download Export File and the files will be exported.WordPress download export file
  2. Download the newest version of WordPress. Then install a completely new WordPress with old theme or you can change into new theme.
  3. After successfully installing the new website, start to import datas from old website by clicking on Tools -> Import -> WordPress (Install Now). For the first time, you need to install data exporting tool. Then import file of .xml that you already export from the first step of entering new website.

WordPress import from a export file

Note: At the step 1, you can get contents from the website by file .xml according to WordPress standard, therefore it will delete the tables that don’t belong to WordPress code. And according to preferences on database, it’s hard to encrypt shell so this way of exporting data is clean and safe.

Fix and restore WordPress website shell hacked heavier (High Level)

  1. Firstly backup database (export DB). Go to the /wp-content/plugins folder and save the plugins list that is currently in use.
  2. Change hosting/server password (including FTP or cPanel in case you have), if you use VPS and usually use account root then it’s best to change password of the root and the SSH port of VPS
  3. Change MySQL password if your hosting has many databases, change all of the equivalent data sets (applied both with VPS and Hosting)
  4. Delete all the current code but keep the /wp-content/uploads folder. This folder mostly contains static files (mostly image or non-php files), then download this folder and use searching software (such as Notepad++) with an extended part of .php to delete normal PHP files which are shell files uploaded or hidden in this folder.
  5. Install a fresh WordPress (download from Then import database file which is backed up at the first step, change the setting in wp_config.php file in order that it’s in accordance with imported database (usually DB prefix)Download and install a fresh WordPress
  6. Go to phpMyAdmin checking wp_users table to see what account is suspicious and when you have administrator permission rights then immediately delete if account is unknown.
  7. Copy or move upload folders (on step 4) which are backed up to /wp-content/ (overwrite if necessary).
  8. Take a look at the plugins list above and start to download and install (in the /wp-content/plugins folder)
  9. Log in to WordPress Dashboard (/wp-admin) and check everything out for the last time.
  10. You’re done.

Notice: if theme and plugins are already bugged then every method of fixing and restoring is meaningless, because your website will be re-hacked.

Do following these steps above, you can restore your WordPress website when it’s hacked, affected by the malware. What you need to do that depends on how your website is hacked, shell.

Post a Comment

Please keep in mind that all comments are read and moderation.
Your email address WILL NOT be published. Please DO NOT use keywords in the Real Name field. Thank you !

Get $100 Free from Vultr to accelerate your website and application Register a Domain Name on Namesilo