How to Fix and Restore a Shell-Hacked WordPress Site and Remove Malware from Your Website
If your WordPress website has been hacked and infected with malware, you need to know how to fix and restore it and remove the malware from your website.
Causes of a WordPress website getting hacked
- Using nulled (pirated) or unknown themes and plugins
- Using the default username and a simple password, which makes the site easy to brute-force
- Poor hosting or server security: outdated or buggy server software that is easily exploited
- Installed plugins or themes that contain vulnerabilities or bundled shells and are not updated to fix them
- WordPress core has known vulnerabilities but the site owner does not update it
- The operating system of your own computer is infected, and the malware steals FTP client credentials or tampers with the files you upload to the website
You can search Google for “site:domain.com” or “site:domain.com hacked” to check whether your website shows signs of being hacked (spam pages, pharmacy keywords, or pages you never published).
Why do hackers hack your website?
This might seem like a humorous question, since everybody knows that when hackers successfully break into a website it is for one of the reasons below:
- Steal data (database + source code)
- Steal customer information (card data/CVV, PayPal credentials, etc.)
- Abuse your site's SEO for their own websites (injected meta keywords, spam links and redirects)
- Install and spread malware to other websites on the same hosting account
- Install ransomware and demand a ransom
- Use the server to mine cryptocurrency
- Use the server as a proxy, C2 (command-and-control) server, botnet node, etc.
To prevent your WordPress site from being hacked or infected with malware, you can refer to these articles:
- Security Methods for WordPress, Prevent Hacking your Website (Part 1)
- Security Methods for WordPress, Prevent Hacking your Website (Part 2)
When your WordPress website is hacked, what should you do? Follow the instructions below to fix and restore your website.
Prepare and restore a hacked website (Low Level)
If your website is only lightly affected, the first thing to do when you discover the hack is to back up the whole website. Download the full source code and database (DB) to your computer and scan them with antivirus/malware-scanning software (including an online scanner that can also scan database dumps). Review the server log files to see all activity on the website and determine when it was attacked.
Once you know when the attack happened, and if the website has not been updated recently, you can restore the most recent backup taken before that time. Then investigate the security problems and update the system so the website cannot be hacked the same way again.
If the website has newly uploaded content, back up as described below so that all of the content can be restored while the website is cleaned.
– Source code: if you have a previous backup you could reuse it, but we recommend deleting it and using freshly downloaded source code, because the old code may contain security flaws that have not yet been fixed. Do the same with the plugins list.
– Database: because many injected payloads are base64-encoded, search the database for the string “base64”. Open your database in phpMyAdmin, click the Search tab, type “base64”, select all tables and click Go, as follows:
If the result shows tables containing that keyword, inspect those tables carefully (wp_posts and wp_options are the usual places). If there are no results, the database is probably untouched, but treat this as a first check only: also look for injected <script> or <iframe> tags in post content, for changed siteurl/home values in wp_options, and for unknown administrator accounts in wp_users.
Then follow these steps, in order, to remove the malware from your website:
- Go to the Admin Panel (Dashboard) of the hacked website and choose Tools -> Export to get the data. Choose All Content (or other options if you think they are necessary). Click Download Export File and the file will be exported.
- Download the newest version of WordPress. Then install a completely new WordPress with the old theme, or switch to a new theme.
- After the new website is installed, import the data from the old website by clicking Tools -> Import -> WordPress (Install Now). The first time, you need to install the WordPress importer tool. Then import the .xml file that you exported in the first step into the new website.
Note: in step 1 the content is exported as a WordPress-standard .xml file (WXR), so tables that do not belong to WordPress core are left behind, and because the export carries content as data rather than as executable files, a PHP shell stored on the server is not carried over. Injected HTML inside posts (scripts, iframes, spam links) does travel with the export, so search the .xml file for those before importing it.
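As an added example (not code from the original article), the same check run from a shell over an exported database dump or the Tools -> Export .xml file instead of through phpMyAdmin. It goes beyond the article's single “base64” keyword by also matching eval/gzinflate/str_rot13 calls and injected script or iframe tags. The sample dump rows and file paths are constructed for the example.

```shell
#!/usr/bin/env bash
# Added example (not from the original article): scan a database dump
# (mysqldump output) or the Tools -> Export .xml file for strings that
# injected payloads usually carry. The sample dump below is constructed.
set -u

# Indicators: base64 (the article's phpMyAdmin search), eval'd/obfuscated PHP,
# and injected script/iframe tags. A hit means "inspect this row", not proof
# of compromise: base64 also appears in legitimate data: URIs, for instance.
INDICATORS='base64|eval\(|gzinflate\(|str_rot13\(|<script[^>]*src=|<iframe'

# Print "line:content" for every suspicious line in the file (empty if clean).
scan_dump() {
    grep -n -i -E "$INDICATORS" "$1" || true
}

# Number of suspicious lines, so a cleanup script can branch on the result.
count_hits() {
    scan_dump "$1" | wc -l | tr -d ' '
}

# Build a small constructed dump: two clean rows, two injected rows.
make_sample_dump() {
    local f
    f="$(mktemp)"
    cat > "$f" <<'EOF'
INSERT INTO `wp_posts` VALUES (1,'Hello world','<p>Welcome to WordPress.</p>');
INSERT INTO `wp_posts` VALUES (2,'About','<p>Our company.</p><script src="//evil.example/a.js"></script>');
INSERT INTO `wp_options` VALUES (99,'active_plugins','a:0:{}');
INSERT INTO `wp_options` VALUES (100,'widget_text','<?php eval(base64_decode("ZWNobyAnaGknOw==")); ?>');
EOF
    echo "$f"
}

# Usage on a real export: scan_dump /path/to/backup.sql   (or the exported .xml)
```

Every line that `scan_dump` prints is a row to open and read; the matching row in wp_posts is usually a post with an injected script, and the one in wp_options is usually a widget or theme setting carrying PHP.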
Fix and restore a more heavily shell-hacked WordPress website (High Level)
- First, back up the database (export the DB). Go to the /wp-content/plugins folder and save the list of plugins currently in use.
- Change the hosting/server passwords (including FTP and cPanel, if you have them). If you use a VPS and normally log in as root, change the root password and the SSH port of the VPS as well.
- Change the MySQL password; if your hosting has many databases, change the password for every one of them (this applies to both VPS and shared hosting).
- Delete all of the current code, but keep the /wp-content/uploads folder. This folder should contain only static files (mostly images and other non-PHP files), so download it and use a search tool (such as Notepad++) to find files with the .php extension and delete them: any PHP file in this folder is an uploaded or hidden shell.
- Install a fresh WordPress (downloaded from WordPress.org). Then import the database file backed up in the first step, and change the settings in the wp-config.php file so they match the imported database (usually DB
- In phpMyAdmin, check the wp_users table for suspicious accounts and immediately delete any account you do not recognise, above all one that has administrator rights.
- Copy or move the backed-up uploads folder (from step 4) into /wp-content/ (overwriting if necessary).
- Take the plugins list saved above and download and install each plugin again (in the
- Log in to the WordPress Dashboard (/wp-admin) and check everything one last time.
- You're done.
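The plugin-list and uploads-folder steps above, as an added shell example that is not code from the original article. It goes beyond the article's Notepad++ search for the .php extension by also catching PHP hidden in files with image extensions and an .htaccess that re-enables PHP execution inside uploads, and it quarantines hits instead of deleting them so they can be examined. The site tree, plugin names and file names are constructed for the example; on a real host, pass the real wp-content paths.

```shell
#!/usr/bin/env bash
# Added example (not from the original article): before copying
# wp-content/uploads back into a fresh install, inventory the plugin folders
# and quarantine anything in uploads that could execute as PHP. The sample
# site tree is constructed for this example; on a real server pass the
# site's own paths.
set -u

# The "plugins list" from the first step is just the folder names.
list_plugins() {
    find "$1" -mindepth 1 -maxdepth 1 -type d -exec basename {} \; | sort
}

# Files that do not belong in uploads:
#  - PHP by extension (.php, .phtml, .php5, .phar ...), the article's check;
#  - PHP by content: a shell saved as logo.jpg still runs if something
#    includes it, and an .htaccess can make Apache execute .jpg as PHP;
#  - .htaccess itself, which WordPress never writes into uploads.
suspicious_uploads() {
    local dir="$1"
    {
        find "$dir" -type f \( -iname '*.php' -o -iname '*.phtml' \
            -o -iname '*.php[0-9]' -o -iname '*.phar' -o -name '.htaccess' \)
        find "$dir" -type f ! -iname '*.php' \
            -exec grep -l -a -E '<\?php|<\?=' {} \;
    } | sort -u
}

count_suspicious() {
    suspicious_uploads "$1" | wc -l | tr -d ' '
}

# Move hits into a quarantine folder (keeping the relative path) instead of
# deleting them outright, so they can be examined for how they got there.
quarantine() {
    local dir="$1" qdir="$2"
    suspicious_uploads "$dir" | while IFS= read -r f; do
        rel="${f#"$dir"/}"
        mkdir -p "$qdir/$(dirname "$rel")"
        mv "$f" "$qdir/$rel"
    done
}

# Constructed sample: two plugins, one clean image, three planted files.
make_sample_site() {
    local root
    root="$(mktemp -d)"
    mkdir -p "$root/wp-content/plugins/akismet" \
             "$root/wp-content/plugins/wp-super-cache" \
             "$root/wp-content/uploads/2023/05"
    printf 'GIF89a\n' > "$root/wp-content/uploads/2023/05/photo.gif"
    printf '<?php echo "x"; ?>\n' > "$root/wp-content/uploads/2023/05/wp-cache.php"
    printf 'GIF89a<?php @eval($_POST["c"]); ?>\n' > "$root/wp-content/uploads/2023/05/logo.jpg"
    printf 'AddType application/x-httpd-php .jpg\n' > "$root/wp-content/uploads/.htaccess"
    echo "$root"
}

# Usage on a real site (paths are assumptions for the example):
#   list_plugins /var/www/site/wp-content/plugins > plugins.txt
#   suspicious_uploads /var/www/site/wp-content/uploads
#   quarantine /var/www/site/wp-content/uploads /root/quarantine
```

Run `suspicious_uploads` again after the fresh install and after every plugin is reinstalled; if a file reappears, the entry point is still open (a vulnerable plugin, a leaked password, or a second shell outside uploads) and the restore is not finished.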
Note: if the theme or plugins themselves are vulnerable, every method of fixing and restoring is pointless, because your website will simply be hacked again.
By following the steps above, you can restore your WordPress website when it is hacked or infected with malware. Exactly what you need to do depends on how your website was hacked and where the shell was placed.