Website Malware Removal – WordPress Tips & Tricks

July 19, 2012, by Tony Perez


We released a new guide in 2016 that provides better instructions on how to clean a hacked WordPress site using the free WordPress security plugin.

Guide on How to Clean a Hacked WordPress Site


We often write posts advising you on how to harden your websites, and have only recently begun to cover how to navigate your backend and remove infections via the terminal. But what about the basics?

That’s what I want to cover in this post: the things you should know when trying to remove web malware from your site. Alternatively, if you’re already hacked, you can enlist Sucuri to clean your website regardless of CMS.

Cleaning Basics

When working to clean your site there are a number of things you should know. I’ll wrap them into four key ones:

  • Use Live Scanners
  • Default WP File Structure
  • File Permissions
  • Disabling Plugins

1. Use Live Scanners

Contrary to popular belief, using web-based scanners is a necessity in this day and age. False positives are an acceptable risk in today’s fight against web malware, and far better than false negatives: it is better to flag something for review than to miss a possible infection. This balance is an important factor in any website scanner you use.

Of course, there aren’t many live scanners out there on the market that are truly free and willing to give you a report without asking to register or make a payment of some kind:

  • Sucuri SiteCheck

Disclaimer: The scanner is not 100% accurate, and no malware scanning product should ever boast 100% certainty. It is just not possible in this domain. If it were, there wouldn’t be any competitors or service providers. Keep in mind, too, that a remote scanner only sees what your site serves in response to its requests; a backdoor that does not alter the rendered pages will not show up in a remote scan, which is why the file-level checks in the next sections matter.

2. Default WP File Structure

What most don’t realize is that WordPress has a predictable layout, and this is an important point. Every install ships with the same core directories and files.

This is what a clean install looks like:

(image: July 2012 – WordPress Core Files)

You should become familiar with how your website file system looks and pay attention to changes. One option is to do your own integrity check by comparing a fresh download of the same WordPress version (your base install) against the copy on your server. As you might imagine, there is a way to do this via terminal. Here is an example, with a local download of WordPress in /Documents/WordPress and the live site under /public_html/happysite.com:

$ diff -r /Documents/WordPress/wp-includes /public_html/happysite.com/wp-includes

Anything diff reports as existing only on the server side is a file that does not belong to core; open those first. A modified core file shows up as a content difference.
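As an added example (not code from the original post), here is a small POSIX shell function that carries the diff idea through: it walks both trees by relative path and reports files that exist only on the server (the ones a core update will never remove), files missing from the server, and files whose contents differ. The helper make_demo_trees builds two constructed directory trees to run it against; the paths and file names in it, including the "dropped" file wp-includes/img.php, are made up for the demo and are not indicators of any real malware.

```shell
#!/bin/sh
# Added example, not from the original post. Compares a clean WordPress
# download against the copy deployed on the server, file by file.

# Usage: wp_integrity_check <clean_dir> <live_dir>
# Prints one line per difference:
#   EXTRA    <path>  only on the server (never removed by a core update)
#   MISSING  <path>  in the clean copy but not on the server
#   MODIFIED <path>  present in both, contents differ
# Returns 0 when the trees match, 1 otherwise.
wp_integrity_check() {
    clean="$1"
    live="$2"
    report=$(mktemp)

    # Files present only on the live server: read these first.
    (cd "$live" && find . -type f) | sort | while IFS= read -r rel; do
        [ -f "$clean/$rel" ] || echo "EXTRA    ${rel#./}"
    done >> "$report"

    # Walk the clean tree for files that are missing or altered on the server.
    # cmp -s compares byte for byte and prints nothing.
    (cd "$clean" && find . -type f) | sort | while IFS= read -r rel; do
        if [ ! -f "$live/$rel" ]; then
            echo "MISSING  ${rel#./}"
        elif ! cmp -s "$clean/$rel" "$live/$rel"; then
            echo "MODIFIED ${rel#./}"
        fi
    done >> "$report"

    cat "$report"
    if [ -s "$report" ]; then
        rm -f "$report"
        return 1
    fi
    rm -f "$report"
    return 0
}

# Constructed fixture for the demo: a "clean" tree and a "live" tree that
# has one altered core file and one dropped file. Echoes the parent dir.
make_demo_trees() {
    base=$(mktemp -d)
    mkdir -p "$base/clean/wp-includes" "$base/live/wp-includes"
    # Identical in both: must not be reported.
    printf '<?php $wp_version = "3.4.1";\n' > "$base/clean/wp-includes/version.php"
    cp "$base/clean/wp-includes/version.php" "$base/live/wp-includes/version.php"
    # Altered on the server only.
    printf '<?php // clean\n' > "$base/clean/wp-includes/load.php"
    printf '<?php // clean\n// appended on the server (constructed)\n' > "$base/live/wp-includes/load.php"
    # Dropped file that does not exist in core (constructed name).
    printf '<?php // constructed placeholder for a dropped file\n' > "$base/live/wp-includes/img.php"
    echo "$base"
}

# Stand-alone run: sh this_script.sh demo
if [ "${1-}" = "demo" ]; then
    d=$(make_demo_trees)
    wp_integrity_check "$d/clean" "$d/live"
    rm -rf "$d"
fi
```

Run it as `wp_integrity_check /path/to/fresh/wordpress /path/to/live/site` against the whole install rather than just wp-includes and the EXTRA lines give you the list of non-core files to review; expect wp-content and wp-config.php to appear there legitimately.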

Why is this important?

File integrity monitoring is important because, in more cases than most folks realize, you’ll want to replace your core install when something goes wrong.

The reasoning is simple. In a lot of the infections we see, once access to the environment is gained, backdoor payloads are pushed into the core directories, which gives the bad actors a direct way back in. If you don’t have the ability to effectively scan every directory for backdoors, it’s good practice to replace the two core directories wp-admin and wp-includes any time you suspect an issue. Take the replacement from a fresh download of the same WordPress version, not from a backup that may already contain the backdoor.

Please note the emphasis on replace, not update. This is important because an update simply overwrites the files it knows about; it does not purge the directory. A backdoor that is a new file the attacker added, rather than a modified core file, survives an update. Remember also that core includes the files in the root of the install (index.php, wp-settings.php, wp-load.php and so on); replacing the two directories does not cover those, nor wp-config.php and .htaccess, which you should review by hand.

Tip: SEO spam is notorious for this.

3. File Permissions

The ever important file permissions. The WordPress.org Codex offers some very good advice on specific permissions for WordPress installs. You can find a good article on the Codex: Changing File Permissions

The biggest takeaway:

  • Directories: 755
  • Files: 644

There is a simple method to apply the changes via terminal (the backslash before the semicolon is required so the shell passes it to find instead of treating it as a command terminator):

Directories:
find [path to install] -type d -exec chmod 755 {} \;

Files:
find [path to install] -type f -exec chmod 644 {} \;
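As an added example (not code from the original post), the two functions below put an audit step in front of the chmod commands: wp_perm_audit lists every file or directory that is writable by group or others, which is what a dropped file or a sloppy 777 usually looks like, and wp_perm_fix applies the Codex values. wp_perm_fix deliberately skips wp-config.php, since many hosts keep it at 600 or 640 and the fix should never loosen it. The code assumes GNU find (a Linux host); make_demo_install builds a constructed throwaway install to run against, and the file name dropped.php in it is made up for the demo.

```shell
#!/bin/sh
# Added example, not from the original post. Assumes GNU find (Linux hosts).

# Usage: wp_perm_audit <path to install>
# Lists every file or directory writable by group or others, one per line
# as "<octal mode> <path>". Returns 1 if anything was found, 0 if clean.
# Run this before fixing anything: the list tells you exactly what changed.
wp_perm_audit() {
    root="$1"
    found=$(find "$root" \( -type d -o -type f \) -perm /022 -printf '%m %p\n' | sort)
    if [ -z "$found" ]; then
        return 0
    fi
    printf '%s\n' "$found"
    return 1
}

# Usage: wp_perm_fix <path to install>
# Applies the Codex values: 755 for directories, 644 for files.
# wp-config.php is skipped on purpose so a tighter mode is never loosened.
# "-exec ... +" batches paths into as few chmod invocations as possible.
wp_perm_fix() {
    root="$1"
    find "$root" -type d -exec chmod 755 {} +
    find "$root" -type f ! -name wp-config.php -exec chmod 644 {} +
}

# Constructed fixture: a tiny install with two bad modes and two good ones.
make_demo_install() {
    base=$(mktemp -d)
    mkdir -p "$base/wp-includes" "$base/wp-content/uploads"
    printf '<?php\n' > "$base/index.php"
    printf '<?php\n' > "$base/wp-config.php"
    printf '<?php // constructed placeholder\n' > "$base/wp-content/uploads/dropped.php"
    chmod 755 "$base/wp-includes" "$base/wp-content" "$base/wp-content/uploads"
    chmod 644 "$base/index.php"
    chmod 600 "$base/wp-config.php"
    chmod 777 "$base/wp-includes"                      # world-writable directory
    chmod 666 "$base/wp-content/uploads/dropped.php"   # world-writable file
    echo "$base"
}

# Stand-alone run: sh this_script.sh demo
if [ "${1-}" = "demo" ]; then
    d=$(make_demo_install)
    echo "Before:"; wp_perm_audit "$d" || true
    wp_perm_fix "$d"
    echo "After:"; wp_perm_audit "$d" && echo "(nothing group/world-writable)"
    rm -rf "$d"
fi
```

Keep the audit output from before the fix: a world-writable file in wp-content/uploads is worth reading, not just re-permissioning, because its contents are usually the more interesting finding.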

But what about the non-terminal types? No problem! Using your favorite FTP client you should be able to do this easily. In this instance I’ll show you in FileZilla. I wouldn’t recommend storing the credentials in the client, and you should prefer SFTP over plain FTP (plain FTP sends your password across the network in the clear), but I’d recommend FileZilla to anyone trying to work over FTP.

What I particularly like about it is that you can use this client across the three most common platforms (Mac, Windows, Linux).

To change the permissions for all directories it’s easy:

  1. Log into your server and click on the directory for your web-files. It can be: www, public_html, htdocs, httpdocs, etc…
  2. Once at the directory, right-click and click on File Permissions….
  3. On the next screen, you can type in 755 where it says Numeric value.
  4. Be sure to also click Recurse into subdirectories and select Apply to directories only.
    1. This will apply the 755 permission to all directories within the web directory

(screenshot: FileZilla File Permissions dialog with Numeric value 755, Recurse into subdirectories and Apply to directories only selected)

The good news is that the file permissions are just as easy. Simply follow the same steps as above. This time though you’ll type 644 and select Apply to files only.

(screenshot: the same dialog with Numeric value 644 and Apply to files only selected)

As you can see, there is no real secret here. Simply follow the recommendations you are given.

Another important note. In Filezilla you can easily see the permission of your directories and files by looking to the far right column of the directory or file listing, like the screenshot below:

(screenshot: FileZilla directory listing with the Permissions column on the far right)

4. Disable Plugins

Here is another good tip. When using a scanner, if you continue to struggle with identifying the location of the infection, one very common place to look is in the plugins directory.

What most people don’t realize is that you can disable the entire plugins directory in one go. Don’t be afraid of “disable”: it simply means the plugins stop running. One very easy way to do this is to rename the directory:

Example: plugins -> plugins.backup

This will kill all your plugins rendering them useless to your website. The point of doing this is to see if the infection is tied to the plugins. If it is, you’ll see that the live scanners will show clean when you rescan your website. If this is the case, another very good trick is to narrow down the infection further by disabling one plugin at a time.

Yes, this works and it’s very easy to do for novices.

Note: Renaming is not going to hurt your site’s files. When you rename the directory back to its default name, everything is where it was. One caveat: if you open the Plugins screen in wp-admin while the directory is renamed, WordPress deactivates the plugins it cannot find, so you may need to re-activate them once the directory is back.

If you disable the plugins and the infection is still present, then you know it’s in one of three places: core files, theme files, or the database. If you followed the steps in Tips & Tricks 2 (replacing wp-admin and wp-includes and checking the root files), that leaves the themes or the database. Don’t forget wp-content/uploads either: it is writable by design, and dropped PHP files there are a common find.
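As an added example (not code from the original post), the function below automates the rename-and-rescan procedure from this section: it parks the whole plugins directory as plugins.backup, confirms the check passes with no plugins, then brings plugins back one at a time and parks again any plugin that makes the check fail. The "check" is any shell command that exits 0 when the site is clean; in practice that would be a rescan, while the demo uses a local grep as a stand-in. make_demo_content builds a constructed wp-content directory with two made-up plugins, and the eval(base64_decode string in it is a placeholder the demo check looks for, not a signature from the post.

```shell
#!/bin/sh
# Added example, not from the original post. Automates: rename plugins,
# rescan, then re-enable one plugin at a time to find the culprit.

# Usage: wp_plugin_bisect <wp-content dir> <check command>
# <check command> is a shell command string that exits 0 when the site is
# clean. Prints "SUSPECT <plugin>" for each plugin that trips the check, or
# "NOT_PLUGINS" if the site is still dirty with every plugin disabled.
# Clean plugins end up back in plugins/, suspects stay in plugins.backup/.
# Returns 0 if no plugin was implicated, 1 otherwise.
wp_plugin_bisect() {
    plugins="$1/plugins"
    parked="$1/plugins.backup"
    check="$2"
    status=0

    mv "$plugins" "$parked"
    mkdir "$plugins"
    if ! sh -c "$check"; then
        # Infection is not in the plugins: put everything back untouched.
        rmdir "$plugins"
        mv "$parked" "$plugins"
        echo "NOT_PLUGINS"
        return 1
    fi

    for p in "$parked"/*; do
        [ -e "$p" ] || continue            # parked dir was empty
        name=$(basename "$p")
        mv "$p" "$plugins/$name"
        if ! sh -c "$check"; then
            echo "SUSPECT $name"
            mv "$plugins/$name" "$p"       # park it again so the rest can be tested
            status=1
        fi
    done
    return $status
}

# Constructed fixture: two made-up plugins, one carrying the string the
# demo check treats as bad.
make_demo_content() {
    base=$(mktemp -d)
    mkdir -p "$base/plugins/hello-dolly" "$base/plugins/seo-helper"
    printf '<?php // benign\n' > "$base/plugins/hello-dolly/hello.php"
    printf '<?php eval(base64_decode("constructed"));\n' > "$base/plugins/seo-helper/seo-helper.php"
    echo "$base"
}

# Stand-alone run: sh this_script.sh demo
if [ "${1-}" = "demo" ]; then
    d=$(make_demo_content)
    wp_plugin_bisect "$d" "! grep -rq 'eval(base64_decode' '$d/plugins'" || true
    rm -rf "$d"
fi
```

With a real scanner the check command would trigger a fresh scan of the site and exit non-zero on a detection; give the scanner's cache time to clear between steps, or the re-enabled plugin will be judged on a stale result.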


This post is not meant to be a technical overview of how to remove website malware, but instead to help diagnose the location of infections, which in turn helps you locate and remove the infection. It’s fundamentally a different approach. Believe it or not, the most novice of users would be able to use these techniques to quickly narrow down infections.

If you have any questions please contact us at info@sucuri.net.


Categories: Security Education, WordPress Security. Tags: Best Practices, Malware Cleanup

About Tony Perez

Tony is the Head of Security Products at GoDaddy and Sucuri Co-Founder. His passion lies in educating and bringing awareness about online threats to business owners. His passions revolve around understanding the psychology of bad actors, the impacts and havoc hacks have on website owners, and thinking through the evolution of attacks. You can find his personal thoughts on security at perezbox.com and you can follow him on Twitter at @perezbox.

Reader Interactions

Comments

  1. Kathy Smith

    August 30, 2012

    Thank you so much for this–I use your free scanner every week–wish I could afford to easily pay for Sucuri for all the sites I work on. As it is, I’ve purchased it for one of my sites as a thank you to you. Have asked our company president to recommend to our customers that they buy it. & thanks for the technical tips–have put some into place.

  2. malware removal

    December 1, 2012

    Does the use of the live scanner require an internet connection to scan and update?

  3. DCGWS

    December 15, 2012

    Thank you so much for this article. This is really interesting! 🙂 I shall retweet this 🙂

  4. kizi

    March 30, 2013

    Thank you for this post, It was a great read which was extremely helpful.

  5. Rajesh

    May 2, 2013

    Hi, my WordPress website is not yet live after I removed the virus threats. Can I know the reason?

  6. Darius Harris

    July 9, 2013

    Need help.

    • Александр Калашников

      August 2, 2015

      I have a lot of experience in removing any malware from websites. I have already cleaned more than 300 websites.

  7. Thomas C.Vandyke

    February 18, 2014

    Thank you for this great post; this is really helpful for finding viruses and removing them. I also use antiviruses like Avast, AVG, Optimo Defender, etc. to detect them, and they are also helpful in other ways. Really, thank you.

  8. Pete

    January 13, 2015

    This will surely help me. I have been getting some emails that make you wonder whether all the WordPress antispam plugins don’t work. It has to be one of these issues; I will try these steps.

  9. asmaamurad

    March 7, 2016

    Really useful article, thank you for the detailed insight. Wordfence helped me a lot to clean up the site along with your tips.

  10. computergeekblog

    April 27, 2016

    Extremely useful. Thanks a lot for sharing.

  11. Fathers4Justice

    August 29, 2016

    Thanks Tony,

    Wish I had read this beforehand; $299.00 to clean my malware.
