Repairing An Unquarantined WP Site | Malware Removal 102
If you did not have your site quarantined before a malware attack, navigate to File Manager under the Advanced section, and then select the website root directory (public_html) from the list of folders on the left side of the screen. As with the quarantined copy, back up your public_html directory. Download and uncompress it to work with individual files. Confused? See part one.
- Download it to your local drive. Don’t open it! Return to cPanel. There are two common areas where hackers place malware: the root of your /public_html directory and your content folder, /wp-content. It’s worth drilling into all of its subdirectories, including /plugins.
- Look through each folder for suspicious files or code snippets associated with malware, and delete or modify them as necessary. Highlight each file and use the cPanel ‘edit’ feature to view and inspect it.
- You also want to locate files that are not core WordPress files. If you need a list to work from, download a clean copy of WordPress from wordpress.org/download. Once unzipped, cross-reference its file list against your compromised root directory to find files that don’t belong or that differ from the clean copy. Examples of files to check closely include .htaccess, index.php, web.config, wp-cron.php, and more. Note that .htaccess and web.config are not shipped in the WordPress download, so they will always show up as extras; inspect them by hand.
- What should you look for? Hacked code generally looks like gibberish. You’ll find entirely new file names such as lead.php containing inexplicable code, e.g. `function uiRtviVVj59T7($ert755) { $tgu88=ti889base22_decode($ft5yyU);`. There can be 30 to 100 lines of code like this. Normal code leads with comments and is easy to read: functions have meaningful names and descriptions make sense.
- Change FTP and SSH passwords for your website to prevent future access by malicious actors.
- Scan your website using an online scanner such as Sucuri SiteCheck to ensure that no further malware is present.
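The cross-referencing step above is tedious to do by eye in File Manager. The following POSIX shell script is an added example (not code from the original article) that automates it: it inventories a clean WordPress download and your downloaded public_html backup, lists files that exist only in the site copy, and lists core files whose contents differ from the clean copy. It assumes both trees are unpacked locally and skips wp-content, since plugins, themes and uploads legitimately differ from core; the `build_demo` function constructs a tiny sample tree so the script can be tried offline.

```shell
#!/bin/sh
# Added example: compare a site backup against a clean WordPress download.
# Assumptions: clean tree and site copy are unpacked locally; wp-content is
# excluded because it is not part of core and always differs.

# List regular files under $1 as paths relative to that root, sorted in the
# C locale so both lists can be compared with comm(1).
list_files() {
    (cd "$1" && find . -type f ! -path './wp-content/*' | sed 's|^\./||' | LC_ALL=C sort)
}

# Files present in the site copy ($2) but absent from the clean tree ($1).
# These are the first candidates for inspection (e.g. a foreign lead.php).
extra_files() {
    clean_list=$(mktemp)
    site_list=$(mktemp)
    list_files "$1" > "$clean_list"
    list_files "$2" > "$site_list"
    LC_ALL=C comm -13 "$clean_list" "$site_list"
    rm -f "$clean_list" "$site_list"
}

# Core files whose contents differ between clean tree ($1) and site copy ($2),
# e.g. index.php with an injected include line.
modified_core_files() {
    list_files "$1" | while IFS= read -r f; do
        if [ -f "$2/$f" ] && ! cmp -s "$1/$f" "$2/$f"; then
            printf '%s\n' "$f"
        fi
    done
}

# Constructed demo input: a two-file "clean core" and a site copy in which
# index.php was modified and a foreign lead.php was added. Prints the base dir.
build_demo() {
    demo_base=$(mktemp -d)
    mkdir -p "$demo_base/clean/wp-includes" "$demo_base/site/wp-includes" \
             "$demo_base/site/wp-content/uploads"
    printf '<?php require __DIR__ . "/wp-blog-header.php";\n' > "$demo_base/clean/index.php"
    printf '<?php // version marker (constructed)\n' > "$demo_base/clean/wp-includes/version.php"
    cp "$demo_base/clean/wp-includes/version.php" "$demo_base/site/wp-includes/version.php"
    printf '<?php @include "lead.php"; require __DIR__ . "/wp-blog-header.php";\n' > "$demo_base/site/index.php"
    printf '<?php /* constructed stand-in for an injected file */\n' > "$demo_base/site/lead.php"
    printf 'GIF89a' > "$demo_base/site/wp-content/uploads/logo.gif"
    printf '%s\n' "$demo_base"
}

# Usage: sh compare.sh /path/to/clean/wordpress /path/to/public_html
# or:    sh compare.sh --demo
if [ "${1:-}" = "--demo" ]; then
    base=$(build_demo)
    echo "Files not in clean core:";  extra_files "$base/clean" "$base/site"
    echo "Core files modified:";      modified_core_files "$base/clean" "$base/site"
    rm -rf "$base"
elif [ -n "${2:-}" ]; then
    echo "Files not in clean core:";  extra_files "$1" "$2"
    echo "Core files modified:";      modified_core_files "$1" "$2"
fi
```

Run it against the same WordPress version your site was on, otherwise every version bump shows up as a modification. Anything the script lists still needs a human look: .htaccess and web.config will always be reported as extras because they are not in the download, and a changed core file is best restored from the clean copy rather than edited in place.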
Understanding How Malware Works
It’s important to understand how malware can get onto a website in the first place so you can prevent it from happening again. Malware can spread in different ways, such as compromised credentials, vulnerable software, modified third-party components, third-party integrations, shared hosting cross-site contamination, social engineering (phishing), and server-level infections. Here’s more information on each type.
- Compromised credentials: Malware can spread through stolen login information, such as website usernames and passwords. It’s important to regularly change website credentials, especially for accounts with administrative privileges.
- Vulnerable software: Older versions of website software are more vulnerable to attacks from malicious actors, so webmasters should keep their website software up-to-date at all times.
- Modified third-party components: Malware can be hidden in website components that have been modified by malicious actors or bought from unreliable sources. It’s important to only download website components from trusted sources and check them for any malicious content before installing them on a website.
- Third-party integrations: Malicious actors can use third-party services, such as social media plugins, to infect websites with malware. Webmasters should regularly check and update all third-party integrations on their website, as well as remove any unnecessary ones.
- Shared hosting cross-site contamination: Malware can spread from one website to another on the same shared hosting server. Webmasters should be aware of the security status of other websites hosted on the same server as theirs and take extra precautions when setting up new websites in shared hosting environments.
- Social engineering (Phishing): Malicious actors will often use phishing techniques to gain access to website credentials or other private information. It’s important for webmasters to educate themselves on phishing techniques and be vigilant when clicking on suspicious links or emails.
- Server-level infection: Malicious actors can use exploits to gain access to website servers, allowing them to install malware on websites hosted on that server. Webmasters should keep their website software up-to-date and regularly scan their website for any suspicious activity.
Removing Website Malware Through SSH
If you do not have access to cPanel, another option is to use Secure Shell (SSH), a secure connection protocol that lets you work on a remote server from the command-line interface (CLI).
To use SSH, log in using an SSH client such as PuTTY (Windows) or Terminal (macOS), then navigate to the correct directory using commands like `cd` and `ls`. Once in the correct directory, use command-line tools such as `grep` and `rm -rf [filename]` to locate and delete malicious content, following the steps below and checking the same directories outlined above.
- Log in to your website through SSH using the root credentials.
- Navigate to the website’s home directory and run the following command to identify any malicious software on the website: `find . -name "*.php" -exec grep -l "{malicious code}" {} \;` (replace {malicious code} with a distinctive string from the malicious snippet you found, such as its function name). The `-l` flag makes grep print the path of each matching file, so this shows both that the malicious code exists and where it is.
- Open each file located by the command above, and delete or modify any malicious code it contains.
- Change passwords for all user accounts associated with the website.
- Update website software, including the website’s content management system (CMS) and any plugins or themes. Ensure that all website components are up-to-date.
- Change FTP and SSH passwords for your website to prevent future access by malicious actors.
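The single find/grep in the steps above only catches code you already know the text of. The following POSIX shell script is an added example (not code from the original article) that generalises it into a read-only triage pass you can run over SSH: it searches PHP files for a short list of obfuscation indicators (base64_decode, eval, gzinflate and similar), lists PHP files changed in the last N days, and lists PHP files under wp-content/uploads, which should only ever hold media. The indicator list is a constructed starting point, not an exhaustive signature set, and the `build_demo_site` function creates a small sample tree so the script can be exercised offline. Nothing is deleted; each hit is meant to be opened and reviewed as in step 3.

```shell
#!/bin/sh
# Added example: read-only triage of a WordPress tree over SSH.
# Assumption: $1 is the site root (e.g. ~/public_html); GNU or BSD find/grep.

# Function names that appear in most injected PHP droppers (constructed list;
# extend it as you learn what your infection uses). Note that WordPress core
# itself calls some of these legitimately, so compare hits in core files
# against a clean download before acting on them.
SUSPICIOUS_RE='base64_decode\(|eval\(|gzinflate\(|str_rot13\(|create_function\('

# path:line:text for every indicator hit under $1, for reading in context.
scan_php_indicators() {
    find "$1" -type f -name '*.php' -exec grep -nHE "$SUSPICIOUS_RE" {} \;
}

# Just the file names (sorted) so they can be worked through one by one.
suspicious_php_files() {
    find "$1" -type f -name '*.php' -exec grep -lE "$SUSPICIOUS_RE" {} \; | LC_ALL=C sort
}

# PHP files under $1 modified in the last $2 days. When nobody was editing
# the site, a fresh mtime on a PHP file is a strong lead on its own.
recently_modified_php() {
    find "$1" -type f -name '*.php' -mtime "-$2" | LC_ALL=C sort
}

# PHP anywhere under uploads is never legitimate; WordPress stores media there.
php_in_uploads() {
    find "$1/wp-content/uploads" -type f -name '*.php' 2>/dev/null | LC_ALL=C sort
}

# Constructed demo tree: an old, clean index.php plus two freshly written
# files containing indicators, one of them inside uploads. Prints the base dir.
build_demo_site() {
    demo_base=$(mktemp -d)
    mkdir -p "$demo_base/site/wp-content/uploads"
    printf '<?php require __DIR__ . "/wp-blog-header.php";\n' > "$demo_base/site/index.php"
    touch -t 202001010000 "$demo_base/site/index.php"   # make it look untouched
    printf '<?php $x = base64_decode($y); // constructed indicator\n' > "$demo_base/site/lead.php"
    printf '<?php eval($z); // constructed indicator\n' > "$demo_base/site/wp-content/uploads/image.php"
    printf '%s\n' "$demo_base"
}

# Usage: sh triage.sh ~/public_html [days]   or   sh triage.sh --demo
if [ "${1:-}" = "--demo" ]; then
    base=$(build_demo_site)
    echo "== indicator hits ==";            scan_php_indicators "$base/site"
    echo "== PHP changed in last day ==";   recently_modified_php "$base/site" 1
    echo "== PHP under uploads ==";         php_in_uploads "$base/site"
    rm -rf "$base"
elif [ -n "${1:-}" ]; then
    echo "== indicator hits ==";            scan_php_indicators "$1"
    echo "== PHP changed in last ${2:-7} days =="; recently_modified_php "$1" "${2:-7}"
    echo "== PHP under uploads ==";         php_in_uploads "$1"
fi
```

Keep the backup from step one before touching anything the script reports, and treat the mtime list with some care: an attacker who has shell access can reset timestamps, so an empty "recently modified" list is not proof that nothing changed, while the indicator and uploads checks do not depend on timestamps at all.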
By following the steps outlined above, webmasters can remove malware from their websites and prevent it from happening again. Keeping website components up-to-date, changing passwords regularly, and being aware of phishing techniques are all important steps that webmasters should take in order to keep their websites safe from malicious actors.