{"id":61745,"date":"2021-08-12T11:03:05","date_gmt":"2021-08-12T16:03:05","guid":{"rendered":"https:\/\/blog.cpanel.com\/?p=61745"},"modified":"2021-08-12T11:03:05","modified_gmt":"2021-08-12T16:03:05","slug":"how-to-manually-remove-malware-from-websites","status":"publish","type":"post","link":"https:\/\/devel.www.cpanel.net\/blog\/general-knowledge\/how-to-manually-remove-malware-from-websites\/","title":{"rendered":"How To Manually Remove Malware From Websites"},"content":{"rendered":"\n
Your website has been compromised, and you suspect the attackers have injected malware into its code. What can you do about it? There are many ways to approach a malware infection, and we\u2019ll look at some in a moment, but your final recourse may be to roll up your sleeves, hunt through the site\u2019s files, and remove the malware manually.<\/p>\n\n\n\n
This article will show you how to find malware code in your site\u2019s files and remove it, using a WordPress site as an example. You don\u2019t have to be a developer to follow along, but you\u2019ll be better able to identify malware if you have some familiarity with coding and the language the site is written in; PHP in WordPress\u2019s case. <\/p>\n\n\n\n
In an ideal world, you wouldn\u2019t have to remove malware manually. It can be a tedious process, especially if you can\u2019t distinguish between malware and innocent code your site relies on. It\u2019s also easy to miss malware code\u2014online criminals are sneaky, and they go to great lengths to hide it. Unfortunately, you might spend hours hunting down and deleting malware traces, only for a hidden backdoor to reinfect the site immediately.<\/p>\n\n\n\n
The best option is to avoid malware infection in the first place. Make sure your site is updated, and turn on automatic updates if possible. Be careful when installing plugins and themes, and avoid nulled or pirated software at all costs; it is invariably loaded with malicious code. <\/p>\n\n\n\n
Automatic malware detection and removal is also less demanding than manual malware removal. cPanel & WHM supports the excellent free ImunifyAV scanner<\/a>, which you can install via WHM\u2019s Security Center<\/em>. It alerts you when it finds a suspected malware infection and tells you where it is. If you upgrade to ImunifyAV+, you\u2019ll be able to remove malware with the click of a button too. <\/p>\n\n\n\n Finally, if you suspect an infection, you should attempt to restore a recent clean backup. Restoring from an uninfected backup overwrites malicious files with clean originals. cPanel\u2019s WP Toolkit<\/em><\/a> <\/em>makes it easy to back up WordPress sites in seconds, or you could use one of the many WordPress plugins that offer backup functionality. <\/p>\n\n\n\n If you don\u2019t have a recent backup, then you\u2019ll have to dig in and replace infected files manually. <\/p>\n\n\n\n We\u2019re using WordPress in our walkthrough because it\u2019s the most popular CMS, but a similar process works just as well on other content management systems and ecommerce stores.<\/p>\n\n\n\n It should be mentioned that we\u2019re making a big assumption in this article. We\u2019re hoping the malicious code is limited to your website and that the attacker hasn\u2019t gained access to your web hosting server. However, if the server is compromised, the attacker may have replaced system binaries with rootkits and other malware. If that\u2019s happened, you can\u2019t trust any software on the server, including the software we\u2019re about to use to clean malicious code from the site. <\/p>\n\n\n\n Before tackling malware removal on WordPress, you should:<\/p>\n\n\n\n First, we\u2019ll check to see if any files have been modified in the last few days. Most WordPress files are not frequently modified except for static assets like images, so recent changes are a helpful clue. 
<\/p>\n\n\n\n Log in to your server via SSH or open the cPanel Terminal <\/em>and navigate to the infected site\u2019s directory. You\u2019ll find the Terminal under Advanced <\/em>in the cPanel main page menu. Your WordPress site is most likely in public_html <\/em>or a directory inside public_html.<\/em><\/p>\n\n\n\n Run the following command:<\/p>\n\n\n\n This displays a list of all PHP files modified in the last seven days. WordPress has hundreds of files that might hide malware, but let\u2019s assume that wp-config.php <\/em>is at the top of your list. Next, we need to look inside to see if there is any sign of malicious code. <\/p>\n\n\n\n Open the file in your text editor. If you prefer not to work with command-line text editors, locate the file in cPanel\u2019s File Manager<\/em>, and click Edit <\/em>in the menu bar. You\u2019re looking for anything that seems out of place.<\/p>\n\n\n\n Keep an eye out for these red flags:<\/p>\n\n\n\n For example, if you see something like this mixed in with the familiar PHP code, it\u2019s almost certainly malware.<\/p>\n\n\n\n Most malicious code isn\u2019t that obvious. However, you can compare files with the original to see if anything looks out of place. Download a fresh copy of the same version of WordPress from WordPress.org<\/a>. If a plugin or theme file is under suspicion, download a new version from the developer\u2019s site or the WordPress repository. <\/p>\n\n\n\n Open your newly downloaded version and compare it to your site\u2019s file. They may not be identical, but you should view any significant differences with suspicion. <\/p>\n\n\n\n In many cases, you can simply replace an infected file. Manually clearing malware is a careful process of exchanging infected files for uninfected originals. However, you must be careful not to simply replace files that contain essential configuration data. 
For example, if you swap wp-config.php <\/em>for a freshly downloaded file, your site will stop working because that file contains site and database configurations. <\/p>\n\n\n\n If you aren\u2019t sure what a file does, check the WordPress documentation to ensure that it is safe to exchange. You may have to copy information from the infected file to its replacement, making sure no malicious code makes its way across. <\/p>\n\n\n\n To replace files, use cPanel\u2019s File Manager <\/em>to delete the infected original and upload the replacement. Then, verify the site still works every time you make a change. If you don\u2019t regularly check and only notice the problem later, you may have no idea which edit did the damage. <\/p>\n\n\n\n As we mentioned at the beginning of this article, manual malware removal is a long and tedious process. And there is no guarantee that you\u2019ll find all the malicious code. However, it\u2019s a valuable technique to have under your belt when automatic malware removal and back-ups let you down. As always, if you have any feedback or comments, please let us know. We are here to help in the best ways we can. You\u2019ll find us on Discord<\/a>, the cPanel forums<\/a>, and Reddit<\/a>. Be sure to also follow us on Facebook<\/a>, Instagram<\/a>, and Twitter<\/a>.<\/p>\n","protected":false},"excerpt":{"rendered":" Your website has been compromised, and you suspect the attackers have injected malware into its code. What can you do about it? 
There are many ways to approach a malware infection, and we\u2019ll look at some in a moment, but your final recourse may be to roll up your sleeves, hunt through the site\u2019s files, […]<\/p>\n","protected":false},"author":77,"featured_media":65817,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"inline_featured_image":false,"footnotes":""},"categories":[289],"tags":[],"class_list":["post-61745","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-general-knowledge"],"acf":[],"yoast_head":"\nManually Removing Malware from a WordPress Site<\/strong><\/h2>\n\n\n\n
find . -name '*.ph*' -mtime -7<\/code><\/pre>\n\n\n\n
<\/figure>\n\n\n\n