How to Clean a Hacked WordPress Site using Wordfence

If your site has been hacked, Don’t Panic.

This article will describe how to clean your site if it has been hacked and infected with malicious code, backdoors, spam, malware, or other nastiness. This article was updated in December of 2021 with additional resources to help clean specific infection types. This article is written by Mark Maunder, the founder of Wordfence. I’m an accredited security researcher, a CISSP, a WordPress developer, and I’m the chief executive of Defiant Inc which makes Wordfence. Even if you aren’t running WordPress, this article includes several tools that you can use to help clean your site from an infection.

If you are running WordPress and you have been hacked, you can use Wordfence to clean much of the malicious code from your site. Wordfence lets you compare your hacked files against the original WordPress core files and the original copies of WordPress themes and plugins in the repository. Wordfence lets you see what has changed and gives you the option to repair or delete files with one click.

If you are a busy business owner and would prefer to have our experienced team take care of the problem for you, sign up for Wordfence Care now, then click the “Get Help” link on the Licenses Page to immediately open up a site cleaning request.

If you have a mission-critical website and need it cleaned immediately or outside of regular business hours, sign up for Wordfence Response now and open up a site cleaning request, and our 24-hour incident response team will start work within 1 hour. They move incredibly quickly and will have the entire problem resolved within 24 hours. As with Wordfence Care, go to the Licenses page once you’ve signed up and click “Get Help” on your license and you’ll go into the priority queue for Response customers.

If you want to take care of the problem yourself, or if Wordfence Care or Response is out of your budget, read on. WE CAN DO THIS!! Cleaning your hacked site is one of the reasons I created Wordfence, and the free version of Wordfence includes powerful tools to help you clean your site.

Have you really been hacked?

If you suspect you have been hacked, first make sure that you have actually been hacked. We sometimes get panicked site administrators contacting us thinking they’ve been hacked when their site is just misbehaving, an update went awry, or some other problem is happening. Sometimes site owners might see spammy comments and can’t tell the difference between that and a hack.

Your site has been hacked if:

  • You are seeing spam appearing in your site header or footer that contains adverts for things like pornography, drugs, illegal services, etc. Often it will be injected into your page content without any thought for presentation, so it might appear as dark text on a dark background and not be very visible to human eyes (but the search engines can see it).
  • You do a site:example.com (replace example.com with your site) search on Google and you see pages or content that you don’t recognize and that looks malicious.
  • You receive reports from your users that they are being redirected to a malicious or spammy website. Pay special attention to these because many hacks will detect that you are the site administrator and not show you anything spammy but will only show spam to your visitors or to the search engine crawlers. Try using an Incognito window when visiting your site, as well as visiting your site from a search result rather than typing in the URL directly.
  • You receive a report from your hosting provider that your website is doing something malicious or spammy. For example, if your host tells you that they are getting reports of spam email that contains a link to your website, this may mean you have been hacked. What the attackers are doing in this case is sending spam from somewhere and using your website as a link to redirect people to a website they own. They do this because including a link to your website will avoid spam filters while including a link to their own website will get caught in spam filters.

Wordfence detects many of these problems as well as others that I haven’t mentioned here, so pay attention to our alerts and respond accordingly.

Back up your site right now. Here’s why:

Once you’ve ascertained that you’ve been hacked, back up your site immediately. Use FTP, your hosting provider’s backup system, or a backup plugin to download a copy of your entire website. You must do this because many hosting providers will immediately delete your entire site if you report that it has been hacked, or if they detect malicious content. Sounds crazy right? But this is standard procedure in some cases to prevent other systems on their network from becoming infected.

Make sure you also back up your website database. Backing up your files and database should be your first priority. Get this done, then you can safely move on to the next step of cleaning your site, comfortable with the knowledge that at least you have a copy of your hacked site and you won’t lose everything.

Things you should know before cleaning a WordPress site that has been hacked:

Here are the rules of the road when cleaning your site:

  • You can usually delete anything in the wp-content/plugins/ directory and you won’t lose data or break your site. These are plugin files that you can reinstall, so you’re not deleting data that you can’t easily replace. When you delete these files, WordPress will automatically detect that you have deleted a plugin and will disable it. So it won’t cause your site to crash. Just make sure to delete entire directories in wp-content/plugins and not just individual files. For example, if you want to delete the Wordfence plugin, you must delete wp-content/plugins/wordfence and everything within that directory including the directory itself. If you only delete a few files from a plugin you can leave your site inoperable.
  • You usually only have one theme directory that is used for your site in the wp-content/themes directory. If you know which one this is you can delete all other theme directories. Be aware that if you have a “child theme” you may be using two directories in wp-content/themes. This is not a common configuration.
  • The wp-admin and wp-includes directories very rarely have new files added to them. So if you find anything new in those directories it has a high probability of being malicious.

Watch out for old WordPress installations and backups. We often see sites infected where someone says, “But I kept my site up-to-date and had a security plugin installed so why did I get hacked?” What sometimes happens is you or a developer will back up a copy of all your site files into a subdirectory like /old/ that is accessible from the web. This backup is not maintained and even though your main site is secure, an attacker can get into the old site, infect it and access your main site from the backdoor they planted. So never leave old WordPress installations lying around, and if you do get hacked, check those first because it’s likely they are full of malware.

A few useful tools:

If you have SSH access to your server, sign in and run the following command to see all files that were modified during the last 2 days. Note that the dot indicates the current directory. This will cause the command below to search the current directory and all subdirectories for recently modified files. To find out what your current directory is when using SSH, type ‘pwd’ without quotes and hit enter.

find . -mtime -2 -ls

Or you can specify a specific directory:

find /home/yourdirectory/yoursite/ -mtime -2 -ls

Or you can change the search to show files modified in the last 10 days:

find /home/yourdirectory/yoursite/ -mtime -10 -ls

We suggest that you do the search above and gradually increase the number of days until you start seeing changed files. If you haven’t changed anything yourself since you were hacked, it’s very likely that you will see the files that the attacker changed. You can then edit or delete them yourself to clean the hack. This is by far the most effective and simple way to find out which files were infected and it is used by every professional site cleaning service.

Another useful tool in SSH is ‘grep’. For example, to search for files that reference base64 encoding (commonly used by hackers) you can run the following command:

grep -ril base64 *

This will just list the file names. You can omit the ‘l’ option to see the actual contents of the file where the base64 string occurs:

grep -ri base64 *

Keep in mind that “base64” can occur in legitimate code as well. Before you delete anything, you’ll want to make sure that you are not deleting a file that is being used by a theme or plugin on your site. A more refined search could look like this:

grep --include="*.php" -rn . -e "base64_decode"

This command will dig through all directories and subdirectories looking for files that end in .php and search them for the text string “base64_decode” and will print any results it finds including the line number so that you can easily find where it occurs in each file.

Now that you know how to use ‘grep’, we recommend that you use grep in combination with ‘find’. What you should do is find files that were recently modified, see what was modified in the file and if you find a common string of text like “bad hacker was here” then you can just grep all your files for that text like so:

grep -irl "bad hacker was here" *

and that will show you all infected files containing the text “bad hacker was here”. Don’t forget the asterisk (the star) at the end of that last command.
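The find-then-grep workflow described above, combined into one step, as an added example that is not part of the original article. The function name recent_matches and the sample tree are assumptions made for illustration; the sample files are constructed.

```shell
#!/bin/sh
# recent_matches DIR DAYS STRING
# Print PHP files under DIR that were modified in the last DAYS days
# and contain STRING.
recent_matches() {
    # -type f        regular files only
    # -mtime -N      modified less than N days ago
    # -exec ... {} + hands file names straight to grep, so names with
    #                spaces are handled correctly
    # grep -l names only, -i ignore case, -F literal string (no regex)
    find "$1" -type f -name '*.php' -mtime "-$2" \
        -exec grep -liF -- "$3" {} + | sort
}

# Constructed sample tree (not real site data) so the example runs offline.
make_sample_site() {
    site=$(mktemp -d)
    mkdir -p "$site/wp-content/themes/my theme" "$site/wp-includes"
    printf '<?php // bad hacker was here\n' > "$site/wp-content/themes/my theme/footer.php"
    printf '<?php // Bad Hacker Was Here\n' > "$site/wp-includes/new file.php"
    printf '<?php echo "clean";\n'          > "$site/index.php"
    # Same marker, but last modified in 2020, so outside the time window.
    printf '<?php // bad hacker was here\n' > "$site/old.php"
    touch -t 202001010000 "$site/old.php"
    printf '%s\n' "$site"
}

site=$(make_sample_site)
recent_matches "$site" 2 "bad hacker was here"
rm -rf "$site"
```

Widen the DAYS argument step by step, as suggested for the plain find command, until the list stops growing.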

Told you that we can do this! I’m sure at this point you’re feeling a lot less stressed about your hacked site, now that you have a few tools to sort malicious files from your regular WordPress installation.

Let’s go even deeper! If you clean a lot of infected sites you will start noticing patterns in where malicious code is commonly found. One such place is the uploads directory in WordPress installations. The command below shows you how to find all files in the uploads directory that are not image files. The output is saved in a log file called “uploads-non-binary.log” in your current directory.

find public_html/wp-content/uploads/ -type f -not -name "*.jpg" -not -name "*.png" -not -name "*.gif" -not -name "*.jpeg" -not -name "*.webp" >uploads-non-binary.log

Notice the directory path just after the ‘find’ command above. We’re assuming that your current directory is your home directory on your web server. We’re also assuming that your website lives in public_html/ directly off that home directory path. Remember, you can type ‘pwd’ to find which directory you’re currently in. You can also type ‘ls’ to see all files in your current directory or ‘ls -la’ to see the files in your current directory with more data about each file, like permissions, owner and when the file was last modified.
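The uploads check above sorts files by name only. As an added example (not part of the original article), the function below narrows the list to files that either carry a script extension or contain a PHP opening tag, whatever they are called. The function name uploads_suspects and the extension list are assumptions; the sample files are constructed.

```shell
#!/bin/sh
# uploads_suspects DIR
# Print files under DIR that have a script extension or contain "<?php".
uploads_suspects() {
    {
        # By name: script extensions (assumed list; match it to the
        # PHP handler configuration of your own server).
        find "$1" -type f \( -iname '*.php' -o -iname '*.phtml' -o -iname '*.phar' \)
        # By content: -r recurse, -l names only, -F literal string.
        # grep still reports a match inside binary files such as images.
        grep -rlF -- '<?php' "$1"
    } | sort -u
}

# Constructed sample uploads tree (not real site data).
make_sample_uploads() {
    up=$(mktemp -d)
    mkdir -p "$up/2021/12"
    printf '\377\330\377\340JFIF image bytes\n'  > "$up/2021/12/photo.jpg"
    printf '%%PDF-1.4 constructed document\n'    > "$up/2021/12/report.pdf"
    printf '<?php echo 1;\n'                     > "$up/2021/12/cache.php"
    printf '\377\330\377\340JFIF<?php echo 1;\n' > "$up/2021/12/banner.jpg"
    printf '%s\n' "$up"
}

up=$(make_sample_uploads)
uploads_suspects "$up"
rm -rf "$up"
```

Treat the output as a list of files to inspect, not a list to delete: review each one before acting on it.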

Using the two simple command line tools “grep” and “find” you can often clean an entire infected website. How easy is that! I bet you’re ready to start your own site cleaning business at this point.

How to clean your hacked WordPress site with Wordfence:

Now that you have some powerful tools in your arsenal and you’ve already done some basic cleaning, let’s launch Wordfence and run a full scan to clean your site. This step is important because Wordfence does some very advanced searching for infections. For example:

  • We know what all WordPress core files, open source themes, and open source plugins should look like so Wordfence can tell if one of your source files is infected even if it’s a new infection that no one has ever seen before. We do this by comparing the publicly available original files with what you have, and flagging anything that has changed. It’s actually one of the coolest features in Wordfence, and it’s totally free!
  • We search using complex regular expressions which we call “malware signatures” for indicators of compromise. Our malware signatures are continually updated based on our database of known infections and our Premium customers get the newest signatures immediately. You can’t do this with simple unix command line tools or with cPanel. We have the best malware signatures in the business!
  • We search your files for known malicious domain names which are commonly found in malware and spam files.
  • We use SpamHaus to determine if your site’s domain or IP address has been used to send spam.
  • The Wordfence scan is also designed to run VERY quickly, considering how much work it does, and searches specifically for WordPress malware, unlike generic scanners.

To clean your hacked site using Wordfence:

  1. Upgrade your site to the newest version of WordPress. This is important because older versions of WordPress can have unpatched vulnerabilities.
  2. Upgrade all your themes and plugins to their newest versions. The same applies here. Developers are constantly fixing vulnerabilities and security issues in themes and plugins, so get the latest version of any theme or plugin you’re using.
  3. Change all passwords on the site, especially administrative passwords. If a user, or worse, an administrator has re-used a password, this may have been how the attacker got into your site in the first place, so making this change is important.
  4. Make another backup and store it separately from the backup we recommended you make above. Now you have an infected site but that site is running the newest version of everything. If you break anything while cleaning your site using Wordfence you can go back to this backup and you don’t have to retrace all the steps above.
  5. Make sure you have Wordfence installed. The free version will do just fine, but the Premium version will give you the newest malware signatures and malicious domains.
  6. Go to the Wordfence “Scan” menu and just click “Start Scan”. This will do an initial scan and may give you a lot of results that you will need to work through. Each result will explain what Wordfence found and guide you into resolving it.
  7. Once the scan is complete and you’ve resolved the issues that Wordfence found, you can do an even deeper scan. Go to the “All Options” menu on the left. Scroll about two thirds of the way down to the heading that says “Basic Scan Type Options” and check the box to enable “High Sensitivity”. This will do a much deeper scan that will take a bit longer, but this scan will find really stubborn malware that is harder to detect and get rid of.
  8. If you’d like to do additional scans, you can use the “All Options” page to customize your Wordfence scan for your exact needs. Do as many scans as you’d like. There is no limit on how many scans you can do, even for our free customers.
  9. When the results come up you may see a very long list of infected files. Take your time and slowly work through the list.
  10. Examine any suspicious files and either edit those files by hand to clean them or delete the file. Remember that you can’t undo deletions. But as long as you took the backup we recommended above, you can always restore the file if you delete the wrong thing.
  11. Look at any changed core, theme, and plugin files. Use the option Wordfence provides to see what has changed between the original file and your file. If the changes look malicious, use the Wordfence option to repair the file.
  12. Slowly work your way through the list until it is empty.
  13. Run another scan and confirm your site is clean.

If you still need help, you can sign up for Wordfence Care for help during regular business hours, or Wordfence Response if you want 24 hour service with a 1 hour response time.

I have a file that looks suspicious, but I’m not sure if it is. How can I tell?

Email it to us at samples@wordfence.com and we’ll let you know. If your WordPress wp-config.php configuration file is infected then do not send a copy of that file to us without first removing your database credentials and the Authentication Unique Keys and Salts.

If you don’t receive a reply, either your mail system or ours may have discarded the message thinking it was malicious because of your attachment. So please email us a message without the attachment letting us know that you’re trying to send us something and we’ll work with you to get the sample.
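One way to strip the database credentials and the keys and salts from a copy of wp-config.php before sending it, as an added example that is not part of the original article or of Wordfence. The function name redact_wp_config is an assumption and the sample file is constructed; the constant names are the standard WordPress ones.

```shell
#!/bin/sh
# Constant names whose values must not leave your server.
SECRET_NAMES='DB_NAME|DB_USER|DB_PASSWORD|DB_HOST|AUTH_KEY|SECURE_AUTH_KEY|LOGGED_IN_KEY|NONCE_KEY|AUTH_SALT|SECURE_AUTH_SALT|LOGGED_IN_SALT|NONCE_SALT'

# redact_wp_config FILE
# Print FILE with the value of every define() listed above replaced by
# 'REDACTED'. The original file is not modified. Everything after the comma
# on a matching line is replaced, so read those lines yourself first.
redact_wp_config() {
    sed -E "s/(define\([[:space:]]*['\"]($SECRET_NAMES)['\"][[:space:]]*,).*/\1 'REDACTED' );/" "$1"
}

# Constructed sample file (not a real configuration).
make_sample_config() {
    cfg=$(mktemp)
    cat > "$cfg" <<'EOF'
<?php
define( 'DB_NAME', 'constructed-db' );
define( 'DB_USER', 'constructed-user' );
define( 'DB_PASSWORD', 'constructed-p@ss);word' );
define( 'DB_HOST', 'constructed-host' );
define("AUTH_KEY", "constructed-key");
define( 'NONCE_SALT', 'constructed-salt' );
$table_prefix = 'wp_';
define( 'WP_DEBUG', false );
EOF
    printf '%s\n' "$cfg"
}

cfg=$(make_sample_config)
redact_wp_config "$cfg"
rm -f "$cfg"
```

Redirect the output to a new file and attach that copy, then search it once more for your real password before sending.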

Where can I find help cleaning a specific kind of infection?

The Wordfence Learning Center has a range of articles that will help you. Here is a list of articles that will help you with specific infection types:

I’ve cleaned my hacked WordPress site but Google Chrome is still giving me the malware warning. What should I do?

You need to get your site removed from the Google Safe Browsing list. To do that you need to request a review from Google. You can find detailed steps on this page in the Google documentation on how to do this.

My site visitors are getting warnings from other security products and anti-virus systems. What should I do?

Getting off the Google Safe Browsing list is a big step, but you may have some work ahead of you. You need to keep a list of every anti-virus product that is saying your site is infected. This may include products like ESET anti-virus, McAfee’s Web Advisor and others.

Visit each anti-virus maker’s website and find their instructions for removing your site from their list of dangerous sites. This is often called “whitelisting” by anti-virus makers, so Googling for terms like ‘whitelisting’, ‘site removal’, ‘false positive’ and the product name will usually lead you to the place where you can get your site removed.

How can I manually check if my site is listed on Google’s Safe Browsing List?

Visit the following URL and replace example.com with your own site address.

https://transparencyreport.google.com/safe-browsing/search?url=https://example.com/

You can include a sub-directory if your site has one. The page that appears is very plain, but contains detailed information about the current status of your site, why it is listed on Google’s safe browsing list, and what to do next.

What to do once your site is clean:

Congratulations!! Definitely crack open your favorite beverage and take a long sip! Now you need to make darn sure your site doesn’t get hacked again. Here’s how:

  • Install Wordfence and run regular scans on your WordPress site.
  • Make sure WordPress and all plugins and themes are kept up to date. This is the most important thing you can do to secure your site.
  • Make sure you use strong passwords that are hard to guess.
  • Enable two factor authentication. Wordfence provides this, even in our free version!
  • Get rid of all old WordPress installations lying around on your server.
  • Sign up for our WordPress security mailing list to get alerted to important security updates related to WordPress. This is a low traffic, high signal-to-noise email list focused on WordPress security.
  • Connect your site to Wordfence Central to make managing your site’s security much easier. Central allows you to trigger a scan on all your WordPress sites with one click, and to easily manage security configuration across all your WordPress sites. Effective configuration management is an extremely effective way to avoid a hacked site.

Thanks for reading this, and I hope it helped you. If not, you can tag @wordfence on Twitter or tag me directly @mmaunder.

Stay safe and secure!!

Mark Maunder – Wordfence Founder and Defiant Inc CEO.