Steps to removing malware, spam, and other hacks from any website
Sucuri has devoted years to helping website administrators identify and clean hacked websites. To continue with this process, we have put together this guide to show website owners how to clean malware from their website. This is not meant to be an all-encompassing guide, but if followed, should help address 70% of the infections we see.Protect your Site
In This Guidex
You can use tools that scan your site remotely to find malicious payloads and malware locations.
To scan a website for hacks:
If the remote scanner isn’t able to find a payload, continue with other tests in this section. You can also manually review the iFrames / Links / Scripts tab of the Malware Scan to look for unfamiliar or suspicious elements.
If you have multiple websites on the same server we recommend scanning them all (you can also use SiteCheck to do this). Cross-site contamination is one of the leading causes of reinfections. We encourage every website owner to isolate their hosting and web accounts.
A remote scanner will browse the site to identify potential security issues. Some issues do not show up in a browser, instead, they manifest on the server (i.e., backdoors, phishing, and server-based scripts). The most comprehensive approach to scanning includes remote and server-side scanners. Learn more about how remote scanners work.
Most core files should never be modified.
The quickest way to confirm the integrity of your website core files is by using the diff command in terminal. If you are not comfortable using the command line, you can manually check your files via SFTP.
If nothing has been modified, your core files are clean.
You may want to use an FTP client to quickly check for malware in directories like wp-content. We recommend using FTPS/SFTP/SSH rather than unencrypted FTP.
You can identify hacked files by seeing if they were recently modified.
To check recently modified files using terminal commands on Linux:
$ find /etc -type f -printf '%TY-%Tm-%Td %TT %p\n' | sort -r .
$ find /etc -printf '%TY-%Tm-%Td %TT %p\n' | sort -r .
If your website has been blacklisted by Google or other website security authorities, you can use their diagnostic tools to check the security status of your website.
To check your Google Transparency Report:
If you have added your site to any free webmaster tools, you can check their security ratings and reports for your website. If you do not already have accounts for these free monitoring tools, we highly recommend that you sign up as they are free to use:
Whenever an ecommerce website is hacked, one of the primary concerns is customer credit card data. If you process payments within your online store, you may have to respond to a possible data breach, including implications regarding Payment Card Industry (PCI) compliance.
If you suspect credit card data is being stolen, you can contact your bank to inquire about virtual credit cards. These can be used to test purchases on your site before cleaning the hack. Stolen credit cards are often used within 12 hours, so this exercise may indicate if further investigation is required. This is not a 100% reliable method, but it is one step you can take on your own before seeking help from a PCI Forensic Investigator (PFI).
In order to maintain PCI compliance in the event of a data breach, you must follow the requirements, specifically PCI DSS Requirement 12.10: Implement an incident response plan. Part of this requirement involves preserving evidence.
Please note that this is not legal advice.
Immediately back up your hacked site including:
If you process payments off-site via a secure payment gateway, API, or payment form (hosted by an external payment processor), then your customer data is secure against credit card stealer malware within your installation.
Now that you have information about malware locations, you can remove malware from your website and restore it to a clean state.
The best way to identify hacked files is by comparing the current state of the site with an old and clean backup. If a backup is available, you can use that to compare the two versions and identify what has been modified.
Some of these steps require web server and database access. If you are not familiar with manipulating database tables or editing PHP, please seek assistance from a professional Incident Response Team member who can completely remove malware from your website.
Files can be replaced with fresh copies or a recent backup (if it’s not infected).
You can use any malicious payloads or suspicious files found in the first step to remove the hack.
To manually remove a malware infection from your website files:
Manually removing “malicious” code from your website files can be extremely hazardous to the health of your website. Never perform any actions without a backup. If you’re unsure, please seek assistance from a professional.
To remove a malware infection from your website database, use your database admin panel to connect to the database. You can also use tools like Search-Replace-DB or Adminer.
To manually remove a malware infection from your database tables:
Beginners can use the payload information provided by the malware scanner. Intermediate users can also manually look for common malicious PHP functions, such as eval, base64_decode, gzinflate, preg_replace, str_replace, etc.
Note that these functions are also used by plugins and extensions for legitimate reasons. Be sure you test changes or get help so you do not accidentally break your site.
If you notice any unfamiliar users, remove them so that hackers no longer have access. We recommend assigning only one admin user and setting other user roles to the least amount of privileges needed (ie. contributor, author, editor).
Hackers always leave a way to get back into your site. More often than not, we find multiple backdoors of various types in hacked websites.
Backdoors commonly include the following PHP functions:
These functions can also be used legitimately by plugins, so be sure to test any changes because you could break your site by removing benign functions.
The majority of malicious code we see uses some form of encoding to prevent detection.
It is critical that all backdoors are closed to successfully clean a website hack, otherwise your site will be reinfected quickly.
If you were blacklisted by Google, McAfee, Yandex (or any other web spam authorities), you can request a review after the hack has been fixed.
To remove malware warnings on your site:
With the Sucuri Website Security Platform, we submit blacklist review requests on your behalf. This helps ensure your site is absolutely ready for review. Some reviews, however, such as web spam hacks as a result of manual actions, can take up to two weeks.
In this final step, you will learn how to fix the issues that caused your site to be hacked in the first place. You will also perform essential steps to enhance the security of your site.
Out-of-date software is one of the leading causes of infections. This includes your CMS version, plugins, themes, and any other extension type. Potentially compromised credentials should also be reset to ensure you are not reinfected.
Update Your Website Software
Update all software on your server (i.e., Apache, cPanel, PHP) to ensure that there are no security patches missing.
It is critical that you change passwords for all access points. This includes user accounts, FTP/SFTP, SSH, cPanel, and your database.
You should reduce the number of admin accounts for all of your systems. Practice the concept of least privileged. Only give people the access they require to do the job they need.
All accounts should use strong passwords. A good password is built around three components – complexity, length, and uniqueness. Some say it’s too difficult to remember multiple passwords. This is true. That’s why password managers were created!
It is advisable to reinstall all plugins and extensions after a hack to ensure they are functional and free of residual malware. If you have deactivated plugins, we recommend you remove them from your web server.
Premium plugins and extensions will need to be reinstalled manually.
To harden a server or application means that you take steps to reduce the attack surface or entry points for attackers.
There are countless ways to harden your website. If you want to research hardening methods, see the Website Firewall section below for more information about how we offer virtual patching and hardening.
Backups function as a safety net. Now that your site is clean and you’ve taken some important post-hack steps, make a backup! Having a good backup strategy is at the core of a good security posture.
Here are some tips to help you with website backups:
Store your backups in an off-site location. Never store backups (or old versions) on your server; they can be hacked and used to compromise your real site.
Ideally, your backup solution should run automatically at a frequency that suits the needs of your website.
This means that your backup strategy has to include redundancy, or in other words, backups of your backups.
Try the restore process to confirm your website functions correctly.
Some backup solutions exclude certain file types such as videos and archives.
Sucuri offers its customers an affordable system for secure website backups.
Have all website users run a scan with a reputable antivirus program on their operating systems.
A site can be compromised if a user with an infected computer has access to the dashboard. Some infections are designed to jump from a computer into text editors or FTP clients.
Here are some antivirus programs we recommend:
The number of vulnerabilities exploited by attackers grows every day. Trying to keep up is challenging for administrators. Website Firewalls were invented to provide a perimeter defense system surrounding your website.
Benefits to using a website firewall:
By detecting and stopping known hacking methods and behaviors, a website firewall keeps your site protected against infection in the first place.
2. Virtual Security Update
Hackers quickly exploit vulnerabilities in plugins and themes, and unknown ones are always emerging (called zero-days). A good website firewall will patch your holes in your website software even if you haven’t applied security updates.
A website firewall should stop anyone from accessing your wp-admin or wp-login page if they aren’t supposed to be there, making sure they can’t use brute force automation to guess your password.
Distributed Denial of Service attacks attempt to overload your server or application resources. By detecting and blocking all types of DDoS attacks, a website firewall makes sure your site is available if you are being attacked with a high volume of fake visits.
Most WAFs will offer to cache for faster global page speed. This keeps your visitors happy and is proven to lower bounce rates while improving website engagement, conversions, and search engine rankings.
We offer all of these features with the Sucuri Firewall.