Sucuri Blog

Website Security News

Cleaning Up Your WordPress Site with the Free Sucuri Plugin

October 16, 2013 | Daniel Cid

Update 9/9/16:

We released a new guide to cleaning a hacked WordPress site with our plugin.


If your site was recently hacked and you are trying to clean it up yourself, we recommend using SiteCheck Malware Scanner, our free WordPress plugin, to help with that task.

The plugin has a collection of useful tools that can guide you along the way. The steps provided here are not final, and there are some variations that require more work, but by just following these steps you will get very far. We will also not rely on any specific signature or malware strings since those can easily be evaded by the clever bad guys.

As always, if you need professional help, the Sucuri team is here for you.

Step 1 – Scan your site remotely (Remote Scanner)

After a site is compromised, it is likely to be used by the bad guys to distribute malware or spam. This can be easily detected by our free remote scanner, SiteCheck.

With our plugin installed, you can click on “Sucuri-Free / Sucuri Scanner” and run the remote scan right from your WordPress dashboard. If the site is infected, you will likely get a warning similar to this one:

[Screenshot: Sucuri WordPress Plugin]

Even if the remote scanner doesn’t find anything, you can keep moving to the other tests.

If it does find an injection, you will receive the malicious string detected and a reference link with more details. Keep that saved since it can be useful when cleaning files manually or searching in the database.

Step 2 – Check the integrity of your WordPress core files

The WordPress core files should never be modified, and under “Sucuri-Free / WordPress Integrity” you will find a place to verify that they are indeed clean.

If you click on the first test called “Verify Integrity of WordPress Core Files”, you will get a full list of files that are not supposed to be there.

Something like this:

[Screenshot: Sucuri WordPress Core Integrity Check]

If any files are modified, we recommend reinstalling WordPress by hand. You can do this by removing all top-level files (along with the wp-includes and wp-admin directories) and re-uploading them from a clean source. By replacing and reinstalling, you know the files are fresh and clean and shouldn’t pose a threat.
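The same core check can be run from a script. This is an added example, not the plugin's code: it compares an install against a checksum manifest built from a clean copy of the same WordPress release and reports modified, missing and unexpected files. The function names, the manifest shape and the sample tree are assumptions made for the illustration.

```python
import hashlib
import os
import tempfile

CORE_DIRS = ("wp-admin", "wp-includes")      # hold only files shipped in a release
SITE_FILES = {"wp-config.php", ".htaccess"}  # site-specific, never in a release

def md5_of(path):
    with open(path, "rb") as fh:
        return hashlib.md5(fh.read()).hexdigest()

def check_core(root, manifest):
    """Compare the tree at root with {relative_path: md5} from a clean copy."""
    report = {"modified": [], "missing": [], "unexpected": []}
    for rel, expected in manifest.items():
        full = os.path.join(root, *rel.split("/"))
        if not os.path.isfile(full):
            report["missing"].append(rel)
        elif md5_of(full) != expected:
            report["modified"].append(rel)
    # Files no release shipped: top-level files plus anything inside core dirs.
    found = [f for f in os.listdir(root) if os.path.isfile(os.path.join(root, f))]
    for d in CORE_DIRS:
        for base, _dirs, files in os.walk(os.path.join(root, d)):
            for f in files:
                rel = os.path.relpath(os.path.join(base, f), root)
                found.append(rel.replace(os.sep, "/"))
    report["unexpected"] = [r for r in found
                            if r not in manifest and r not in SITE_FILES]
    return {k: sorted(v) for k, v in report.items()}

def write(root, rel, data):
    full = os.path.join(root, *rel.split("/"))
    os.makedirs(os.path.dirname(full), exist_ok=True)
    with open(full, "wb") as fh:
        fh.write(data)

def demo():
    """Constructed sample: a tiny fake install with one change of each kind."""
    root = tempfile.mkdtemp()
    clean = {p: b"<?php // " + p.encode() for p in
             ("index.php", "wp-login.php", "wp-admin/admin.php", "wp-includes/version.php")}
    for rel, data in clean.items():
        write(root, rel, data)
    manifest = {rel: hashlib.md5(data).hexdigest() for rel, data in clean.items()}
    write(root, "wp-includes/version.php", b"<?php // version + injected line")
    os.remove(os.path.join(root, "wp-login.php"))
    write(root, "wp-admin/cache.php", b"<?php // not part of any release")
    write(root, "wp-config.php", b"<?php // site settings")
    return check_core(root, manifest)
```

wp-content is deliberately left out of the comparison, since themes, plugins and uploads are not part of a core release.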

Step 3 – Check the latest modified files

If the WordPress core files are intact, or if you just reinstalled WordPress, there is still one place left where the bad guys can hide their code: wp-content/themes and wp-content/plugins.

If you go back to “Sucuri-Free / WordPress Integrity” in WordPress admin and click on the second test called “Latest modified files”, you can see all the latest modified files. If you noticed that your site was just hacked or blacklisted, any files modified in the last 7 days are likely to be suspicious. You can even go back the last 30 days just to be sure:

[Screenshot: Sucuri WordPress Latest Modified Files]

If there are too many files modified, you are out of luck. In those cases, we recommend deleting all plugins and themes and reinstalling them manually afterwards. With the plugins, it is not a big deal since typically they aren’t customized. However, we hope you have backups of your theme, especially if you have customized it.

Oftentimes you will notice that just two or three files inside your active theme were modified to serve spam or malware. You can manually fix them by removing the bad code. You can use the results from the first step (remote scanner) as a reference for what to remove.
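A script version of the "latest modified files" review, as an added example that is not the plugin's code. It goes one step beyond a plain modification-time list: a file's mtime can be set to any value, so files whose inode change time (ctime) is recent while their mtime looks old are reported as well. The function names and the sample tree are assumptions made for the illustration.

```python
import os
import tempfile
import time

def recent_changes(content_dir, days=7, now=None):
    """List files under content_dir whose mtime or ctime falls in the last `days`."""
    now = time.time() if now is None else now
    cutoff = now - days * 86400
    hits = []
    for base, _dirs, files in os.walk(content_dir):
        for name in files:
            full = os.path.join(base, name)
            st = os.lstat(full)  # lstat: do not follow symlinks out of the tree
            if st.st_mtime >= cutoff:
                reason = "mtime"
            elif st.st_ctime >= cutoff:
                # Content time looks old but the inode changed recently: the
                # mtime may have been reset, or the file was restored or chmod-ed.
                reason = "ctime-only"
            else:
                continue
            rel = os.path.relpath(full, content_dir).replace(os.sep, "/")
            hits.append((rel, reason))
    return sorted(hits)

def demo():
    """Constructed sample tree; the file names are made up for the illustration."""
    root = tempfile.mkdtemp()
    old = time.time() - 60 * 86400
    for rel, backdate in (("themes/mytheme/header.php", False),
                          ("plugins/example/example.php", True)):
        full = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(full), exist_ok=True)
        with open(full, "w") as fh:
            fh.write("<?php // constructed\n")
        if backdate:
            os.utime(full, (old, old))  # mtime now reads 60 days old
    return recent_changes(root, days=7)

if __name__ == "__main__":
    for rel, reason in demo():
        print(reason, rel)
```

A "ctime-only" hit is not proof of tampering, because restores and permission changes also update ctime, but it is a file an mtime-only listing would have skipped.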

Step 4 – List all admin users and their login times

A lot of compromises happen due to stolen passwords, so we recommend you head back to “Sucuri-Free / WordPress Integrity” and click on “Admin List dump”. That will show all admin users that logged in, their IP address and login time.

You can see if someone was able to compromise your admin passwords and get in via wp-admin. Note that it will only list logins from the time you had the plugin installed, so it might not work 100% if you just installed it after you got hacked.

[Screenshot: Sucuri WordPress Admin User Dump]

If your site is currently clean and you are reading this just to learn, I recommend installing the plugin even if just for the “last Login” feature. That will help tremendously if later you find any security issues on your site.

Step 5 – Reset all passwords and secret keys

Our plugin has another very nice feature called “Post Hack”. It allows you to reset all passwords and secret keys for all users. We highly recommend that you run this if you have been hacked:

[Screenshot: Sucuri WordPress Password Reset]

By running this tool you know that any stolen password can’t be used to reinfect your site and that any active session is killed throughout your site. You should also look at the email addresses for each registered user to see if any of them were modified. We often see addresses modified to an email controlled by the bad guys so they can later reset the passwords and get back in.

Step 6 – Apply our hardening suggestions

The plugin has a series of hardening suggestions that we also recommend you run. These options can be found under “Sucuri Free / 1-click Hardening”. The main ones would be the Uploads and Wp-content PHP execution hardening.

These hardening options prevent any uploaded or malicious PHP files within the wp-content directory from directly executing.

Additional Files & Protection Steps

These, of course, are just some suggestions for your cleanup process. You should also look at your .htaccess files and wp-config file to double check them for signs of compromise. If it is spam, you can look at your posts/pages/widgets to see if any of them were modified. If you have root access to your servers, we highly recommend verifying the integrity of Apache/Nginx and their modules, to rule out any server-level compromise.

Lastly, we also suggest that you protect your site with a web application firewall (WAF). A strong WAF will help thwart many of the popular attacks from penetrating your website. Of course, we are biased and highly recommend you check out Sucuri’s Website Firewall 🙂

What else did we miss here? I would love to hear some opinions on additional checks we can take.

Categories: Security Education, Sucuri Updates, WordPress Security
Tags: Malware Cleanup, Sucuri WordPress Plugin

About Daniel Cid

Daniel B. Cid is Founder of Sucuri and the VP of Engineering for the GoDaddy Security Products group. He is also the founder of OSSEC and CleanBrowsing. You can find more about Daniel on his site dcid.me or on Twitter: @danielcid

Comments

  1. M Jati Munggaran

    October 17, 2013

    Wow!! Very cool!!

  2. Nina

    October 19, 2013

    Thanks so much for this plugin. It is really amazing. I have one question. I am going through the hardening list of items and one of them could not be completed. Specifically that one is related to hardening the wp-content directory. I’m using a Better WP Security plugin through which I changed the name of the wp-content directory to something else as leaving it as default could cause a security issue. Obviously, since the hardening script looks for the wp-content directory it cannot find it as it was renamed. At this point, would you suggest me just updating the hardening.php script under lib directory to use the new name for the wp-content directory? Is there anything else I should be aware of that also needs to change (for both hardening and for the security scan)?
    Since I have seen in quite a few places that changing the name for the wp-content directory is recommended (mainly for the new sites), maybe it would be good to have an additional feature to ask the user for their wp-content directory name. That way, the above mentioned issues will be prevented. Looking forward to some guidance.
    Thanks so much for an amazing plugin.
    Nina

    • Nina

      October 19, 2013

      Changing wp-content directory name in sucuri.php and hardening.php files worked for me. I hope it’s not going to break anything else.
      So, from your expert standpoint, do you think that changing the wp-content directory is a good idea? I’m just afraid that each plugin will need to be modified as I’m pretty sure that the majority of them look for the wp-content directory as that is a default one.
      Thanks a lot,
      Nina

  3. Jugar Jugar

    October 21, 2013

    It’s really that useful. I tried to install and it helps me very much to prevent malicious. Thank you for sharing.

  4. Ruby USA

    October 24, 2013

    Very impressive and useful plugin ………. here one more plugin with j query and filters for WordPress http://wordpress.org/plugins/evm-portfolio/

    Thanks
    Ruby

  5. Junior

    October 30, 2013

    Hi, I’d like to know how can I remove the alert on top showing last logins. Thanks

  6. witoon

    November 8, 2013

    It can scan for security WP Theme in case of I download free WP theme version, or any one have a method for scan security for free theme.

    Thank

  7. Endless Geek

    April 25, 2014

    Do you have any command line tools, free or paid-for, to help sysadmins? Having to install a plugin is fine, but there are obviously many advantages to being able to point a perl/python/ruby script at a WP installation and let it do its thing 🙂

  8. dfgfdg

    January 27, 2016

    lk;kl;l;

  9. Tyrohn White

    August 31, 2016

    Blog is nice. But it described only one free plugin; there are other options available that could also have been added in. If one does not want to use a free plugin, a person can also make their WordPress website free from malware. I read it on some blog called template toaster. They described it in a better way.
