How to Investigate and Remove Malware From a Hacked WordPress

Published on June 20th, 2012

Last Updated on December 12th, 2018


Share This Article

As one of the most commonly used Web Publishing Platform, WordPress is often targeted by malware, trojans, code injection and other evil things on the web. There are several tutorials about WordPress security and how to clean your WordPress site from malware. The topic is so crucial and important for website owners that there is no harm in discussing it over and over again.

New website owners, who just started using a CMS on their own web servers, get panicked when they first encounter malware. In the attempt to recover their websites they make further mistakes and sometimes end up losing their data or important files. In this tutorial we are going to learn how to investigate, detect and remove a malware without harming your Data and Files.

Back Up Your Website

Before we get into the discussion about malware and hacked WordPress sites. It is important that we discuss Backups. If you are a new WordPress user with a serious passion for web publishing, then you must quickly adapt this habit. Take regular backups of your website, this includes your database and files. It does not take more than a few minutes but will save you from some very serious problems in the future. I strongly recommend Backup Buddy, Cloudsafe365, and VaultPress as premium backup and recovery solutions. There are also free plugins like WP-DBManager and manual instructions for complete backups.

Restoring Your Website or Investigating Malware?

If you have a backup service such as Backup Buddy or VaultPress then you have an option to restore your website to an earlier state. However, I feel that this is not a good idea. Restoring your website without investigating or removing the malware could still leave your website in the vulnerable state. So the better approach is to find the vulnerability, restore your site and then fix the vulnerability.

Detecting the Malware

Malware is usually malicious content distributed through your website by inserting code into your themes, plugins, files or database. This code can store badware on visitor’s computers, redirect them to bad websites, or open the website inside iframes on your own websites. Many techniques have been used to attack WordPress websites.

Check Processed HTML

You can begin your malware investigation by finding out how and where the malicious code appears on your website.

  • Is it on all pages?
  • Is it on particular pages or posts?
  • Where exactly the code appears? Is it in the footer, header, content or the sidebar?

These questions will give you clues as to which files you should check out first.

Checking your Themes and Plugins for Malicious Code

The most common culprits are theme or plugin files. You can start by checking out your theme’s source files for the malicious code. If you have more than one theme in your themes directory, then you need to check all the themes even those not activated.

An easier way to go through your themes is to download a backup of themes directory and then delete all the themes from your webserver. Download a fresh copy TwentyEleven (Default WordPress Theme) from WordPress and upload it to your web server. Now check your website, if the malicious code is gone then it was in one of your theme files. Now you can clean your old theme files by manually opening each one of them in a text editor and combing through the code to find the suspicious looking malicious code. Or, you can download a fresh copy of your active theme from the developer website.

Article Continues Below

Lets suppose you went through your themes and couldn’t find the malicious code then next step is to look for it in your plugins. Go through the same method used above for themes, download a backup of your plugins folder and delete the one on your server. Now visit your site in the browser and see if the malicious code is gone. If the malware code disappears then it was in one of your plugins. Download fresh copies of each plugin and activate them one by one. If you find out that the malware appears again after downloading or activating a plugin then delete that plugin from your server.

Best Practices to Secure your Themes and Plugins:

  • Delete unwanted themes and plugins from your web server.
  • Make sure your theme and plugins come from reliable source.
  • Keep your theme and plugins updated.
  • Do not use premium themes and plugins downloaded from torrent websites or unofficial sources.

Detecting Malicious Code Injected in Core WordPress Files

When you are already gone through your themes and plugins and the malicious code is still there, then the next step in your investigation is to investigate your core WordPress files. I will again recommend the same approach we used to investigate themes and plugins.

Firstly make a backup of all files on your website (Important files that you must backup are wp-config, wp-content directory, .htaccess and robots.txt). After that, start deleting all files on your web server. Now download a fresh copy of WordPress and upload it to your server. Fill in your wp-config with database information. Visit your website in a browser to find out if the malicious code is still there. If the malicious code is gone now then this means that it was in your core WordPress files. Upload your images, video or audio files carefully from the backup.

Best Practices to Protect Core WordPress Files

  • Make sure that all your file permissions are set to 644.
  • Do not modify or replace a core WordPress files.
  • Strong Shell, FTP, Database, WordPress admin passwords.

Detecting Malicious SQL Injection in WordPress

Once you have gone through your themes, plugins and core WordPress files. The next stop is to investigate your database and see if it is compromised. First of all make sure you have a backup of your database. If you regularly take backups of your website then you can quickly restore, but first you need to be sure that there is malicious code in your database.

Download and install WordPress Exploit Scanner plugin. Activate the plugin and scan your website. Exploit Scanner plugin checks your database, core files, plugins and themes for suspicious looking code and generates results. Once the scan is complete you need to go through the results. It shows a lot of false alarms and warnings so you need to check all the results carefully. It does not remove or delete anything from your files or database. So once you find out the malicious code you need to manually delete it from your database.

If you have not backed up your database do it now before making any changes to the database. Having backup database with malicious code in it is still better than having none at all.

Copy the suspicious looking code exploit scanner detected and then run a mysql query like this using phpmyadmin.

[sql]SELECT * From wp_comments where comment_content Like ‘%SuspiciousCodeHere%'[/sql]

Depending on where the suspicious code is injected like in posts, comments or some other table you will have to run this query on different tables and different fields. If the resulting rows are not too many then you can manually edit those fields to remove the suspicious code. On the other hand, if there are too many rows then you probably need to run Find and Replace queries on your database which are very risky and if you don’t know how to use them you will end up losing data.

Done Everything and Still Clueless?

I think most people could easily detect, investigate and fix malware injected on their WordPress powered websites. But some malware could be tricky. If you have taken all the steps mentioned above and still can’t figure it out. Then there are WordPress security experts, online services and consultants who can clean your website for a small fee.

Article Continues Below

Sucuri Website Monitoring and Cleanup Services

Sucuri is an online website monitoring and security company. They offer security plans, malware removal, website monitoring, and free website scan services. The process is very simple and does not comes in your way, they monitor your website, send you an alert if they find something suspicious, upon receiving an alert you open a removal ticket, and then your Sucuri assigns the task to an specialist. Their website claims that they can clean up most websites in 4 hours.

Sucuri Website Monitoring »

Finding an Individual WordPress Security Expert

There are many freelancing websites where you can post your problem as a job. Receive the responses and award the job to the person you find most experienced and knowledgeable. You can also post a job on WordPress Jobs board, or Smashing Magazine’s Jobs Board. Just be sure that the person you are hiring has a good reputation, references, and experience.


WordPress is as secure as it could possibly be. As a website owner you have the responsibility to use common sense to protect your website from common threats. Use strong passwords, check file permissions, clean up clutter regularly, and backup regularly.

Noumaan is a blogger and social media expert. He loves Quora, Facebook, Wordpress, OpenSource Software and The Sims.