How to clean your hacked site using Wordfence:
Now that you have a WordPress site, it’s time to make use of some powerful tools. I’ll be using Wordfence as this is the choice tool, so go ahead and install it and use it to run a full scan to clean your site.
Wordfence is my choice as it does some very advanced searching for infections. For example:
- It knows all of the WordPress core files, and open source themes and plugins should look like so we can tell if one of your source files are infected even if it’s a new infection that no one has ever seen before.
- It searches using complex regular expressions for infection signatures and our database of known infections is continually updated. You can’t do this with simple unix command line tools or CPanel.
- It searches for malware URLs using the Google Safe Browsing list.
- It uses many other data sources like SpamHaus to find malware and infections on your system.
Steps to clean your hacked site using Wordfence:
- Upgrade your site to the newest version of WordPress.
- Upgrade all your themes and plugins to their newest versions.
- Change all passwords on the site, especially admin passwords.
- Make another backup and store it separately to the backup we recommended you make above. Now you have an infected site but that site is running the newest version of everything. If you break anything while cleaning your site using Wordfence you can go back to this backup and you don’t have to retrace all the steps above.
- Go to the Wordfence options page and make sure that under the “Scans to include” heading, absolutely everything is selected including the option to scan files outside your WordPress installation. If the scan takes too long or does not complete, you can deselect this last option and also disable “high sensitivity” scanning and “image file” scanning. Then try again.
- When the results come up you may see a very long list of infected files. Take your time and slowly work through the list.
- Examine any suspicious files and either edit those files by hand to clean them or delete the file. Remember that you can’t undo deletions. But as long as you took the backup we recommended above, you can always restore the file if you delete the wrong thing.
- Look at any changed core, theme and plugin files. Use the option Wordfence provides to see what has changed between the original file and your file. If the changes look malicious, use the Wordfence option to repair the file.
- Slowly work your way through the list until it is empty.
- Run another scan and confirm your site is clean.
- If you still need help, I offer a commercial site cleaning service. You can find out more by emailing firstname.lastname@example.org with the subject “Paid site cleaning service”.
Get off Google’s BlackList.
After doing the cleanup, you’ll need to get your site removed from the Google Safe Browsing list. Make sure your site is already added to your Webmaster Tools and request a review. If not, Here are the steps:
- First sign-in to Google Webmaster Tools.
- Add your site if you haven’t already.
- Verify your site, following Google’s instructions.
- On the Webmaster Tools home page, select your site.
- Click Site status, and then click Malware.
- Click Request a review.
You can check if your site is on Google’s Safe Browsing List by going to Google’s site diagnostic page and entering your website’s URL.
The page that appears is very plain, but contains detailed information about the current status of your site, why it is listed on Google’s malware or phishing list (The google safe browsing list is actually two lists) and what to do next.
What to do once your site is clean:
Congratulations if you have managed to clean your site. Now to make darn sure it doesn’t get hacked again. Here’s how:
- Install Wordfence and run regular scans on your WordPress site.
- Make sure WordPress and all plugins and themes are kept up to date. This is the most important thing you can do to secure your site. You can check out my WordPress maintenance plan if you need help with this.
- Make sure you use strong passwords that are hard to guess.
- Get rid of all old WordPress installations lying around on your server.
About Jacy The Hosting Guy
Over at Jacy The Hosting Guy, besides making sure your web hosting needs are taken care of, your account also comes default with CDN (CloudFlare) and caching enabled to make sure your site is loaded quickly for your visitor no matter where they are.
Free WordPress site transfers are included when signing up with Jacy The Hosting Guy.