How to Clean a Hacked WordPress Site using Wordfence

If your site has been hacked, Don’t Panic.

This article will describe how to clean your site if it has been hacked and infected with malicious code, backdoors, spam, malware or other nastiness. This article was updated on Friday March 20th, 2015 with additional tools you can use to clean your site. This article is written by Mark Maunder, the founder of Wordfence. I’m also an accredited security researcher, WordPress developer and I own and operate many of my own WordPress powered websites including this one. Even if you aren’t running WordPress, this article includes several tools that you can use to help clean your site from an infection.

If you are running WordPress and you have been hacked, you can use Wordfence to clean much of the malicious code from your site. Wordfence lets you compare your hacked files against the original WordPress core files, and the original copies of WordPress themes and plugins in the repository. Wordfence lets you see what has changed (do a diff) and gives you the option to repair files with one click and take other actions.

Have you really been hacked?

Wordfence Site Cleanings Ad

If you suspect you have been hacked, first make sure that you HAVE actually been hacked. We sometimes get panicked site administrators contacting us thinking they’ve been hacked when their site is just misbehaving or they are seeing spammy comments and can’t tell the difference between that and a hack.

Your site has been hacked if:

Back up your site right now. Here’s why:

Once you’ve ascertained that you’ve been hacked, back up your site immediately. Use FTP, your hosting provider’s backup system or a backup plugin to download a copy of your entire website. The reason you need to do this is because many hosting providers will immediately delete your entire site if you report that it has been hacked or if they detect this. Sounds crazy, but this is standard procedure in some cases to prevent other systems on their network from getting infected.

Make sure you also back up your website database. Backing up your files and database should be your first priority. Get this done, then you can safely move on to the next step of cleaning your site comfortable with the knowledge that at least you have a copy of your hacked site and you won’t lose everything.

Things you should know before cleaning a WordPress site that has been hacked:

Here are the rules of the road when cleaning your site:

A few useful tools:

If you have SSH access to your server, sign in and run the following command to see all files that were modified during the last 2 days. Note that the dot indicates the current directory. This will cause the command below to search the current directory and all subdirectories for recently modified files. (To find out what your current directory is in SSH, type ‘pwd’ without quotes).

find . -mtime -2 -ls

Or you can specify a specific directory:

find /home/yourdirectory/yoursite/ -mtime -2 -ls

Or you can change the search to show files modified in the last 10 days:

find /home/yourdirectory/yoursite/ -mtime -10 -ls

We suggest that you do the search above and gradually increase the number of days until you start seeing changed files. If you haven’t changed anything yourself since you were hacked, it’s very likely that you will see the files that the hacker changed. You can then edit them yourself to clean the hack. This is by far the most effective and simple way to find out which files were infected and it is used by every professional site cleaning service.

Another useful tool in SSH is ‘grep’. For example to search for files that contain base64 (commonly used by hackers) you can run the following command:

grep -ril base64 *

This will just list the file names. You can omit the ‘l’ option to see the actual contents of the file where the base64 string occurs:

grep -ri base64 *

Keep in mind that “base64” can occur in legitimate code as well. Before you delete anything, you’ll want to make sure that you are not deleting a file that is being used by a theme or plugin on your site. A more refined search could look like this:

grep --include=*.php -rn . -e "base64_decode"

This command searches all files recursively that end with .php for the string “base64_decode” and prints the line number so that you can more easily find the context that the string occurs in.

Now that you know how to use ‘grep’, we recommend that you use grep in combination with ‘find’. What you should do is find files that were recently modified, see what was modified in the file and if you find a common string of text like “bad hacker was here” then you can just grep all your files for that text like so:

grep -irl "bad hacker was here" *

and that will show you all infected files containing the text “bad hacker was here”.

If you clean a lot of infected sites you will start noticing patterns in where malicious code is commonly found. One such place is the uploads directory in WordPress installations. The command below shows how to find all files in the uploads directory that are NOT image files. The output is saved in a log file called “uploads-non-binary.log” in your current directory.

find public_html/wp-content/uploads/ -type f -not -name "*.jpg" -not -name "*.png" -not -name "*.gif" -not -name "*.jpeg" >uploads-non-binary.log

Using the two simple command line tools “grep” and “find” you can clean an entire infected website. How easy is that! I bet you’re ready to start your own site cleaning business at this point.

How to clean your hacked WordPress site with Wordfence:

Now that you have some powerful tools in your arsenal and you’ve already done some basic cleaning, lets launch Wordfence and run a full scan to clean your site. This step is important because Wordfence does some very advanced searching for infections. For example:

How to clean your hacked site using Wordfence:

  1. Upgrade your site to the newest version of WordPress.
  2. Upgrade all your themes and plugins to their newest versions.
  3. Change all passwords on the site, especially admin passwords.
  4. Make another backup and store it separately to the backup we recommended you make above. Now you have an infected site but that site is running the newest version of everything. If you break anything while cleaning your site using Wordfence you can go back to this backup and you don’t have to retrace all the steps above.
  5. Go to the Wordfence options page and make sure that under the “Scans to include” heading, absolutely everything is selected including the option to scan files outside your WordPress installation. If the scan takes too long or does not complete, you can deselect this last option and also disable “high sensitivity” scanning and “image file” scanning. Then try again.
  6. When the results come up you may see a very long list of infected files. Take your time and slowly work through the list.
  7. Examine any suspicious files and either edit those files by hand to clean them or delete the file. Remember that you can’t undo deletions. But as long as you took the backup we recommended above, you can always restore the file if you delete the wrong thing.
  8. Look at any changed core, theme and plugin files. Use the option Wordfence provides to see what has changed between the original file and your file. If the changes look malicious, use the Wordfence option to repair the file.
  9. Slowly work your way through the list until it is empty.
  10. Run another scan and confirm your site is clean.
  11. If you still need help, we offer a commercial site cleaning service. You can find out more by emailing genbiz@wordfence.com with the subject “Paid site cleaning service”.

I have a file that looks suspicious, but I’m not sure if it is. How can I tell?

Email it to us at samples@wordfence.com and we’ll let you know. If you don’t receive a reply, either your mail system or ours may have discarded the message thinking it was malicious because of your attachment. So please email us a message without the attachment letting us now that you’re trying to send us something and we’ll try to help get it through.

I’ve cleaned my hacked WordPress site but Google Chrome is still giving me the malware warning. What should I do?

You need to get your site removed from the Google Safe Browsing list. Read this Google document on how to clean your site. Here are the steps:

  1. First sign-in to Google Webmaster Tools.
  2. Add your site if you haven’t already.
  3. Verify your site, following Google’s instructions.
  4. On the Webmaster Tools home page, select your site.
  5. Click Site status, and then click Malware.
  6.  Click Request a review.

My site visitors are getting warnings from other security products and anti-virus systems. What should I do?

Getting off the Google Safe Browsing list is a big step, but you may have some work ahead of you. You need to keep a list of every anti-virus product that is saying your site is infected. This may include products like ESET anti-virus, McAfee’s Site Advisor and others. Visit each anti-virus makers website and find their instructions for removing your site from their list of dangerous sites. This is often called “whitelisting” by anti-virus makers, so Googling for terms like ‘whitelisting’, ‘site removal’, ‘false positive’ and the product name will usually lead you to the place where you can get your site removed.

How can I manually check if my site is listed on Google’s Safe Browsing List?

Visit the following URL and replace example.com with your own site address.

http://www.google.com/safebrowsing/diagnostic?site=http://example.com/

You can include a sub-directory if your site has one. The page that appears is very plain, but contains detailed information about the current status of your site, why it is listed on Google’s malware or phishing list (The google safe browsing list is actually two lists) and what to do next.

What to do once your site is clean:

Congratulations if you have managed to clean your site. Now you need to make darn sure it doesn’t get hacked again. Here’s how: