How to Clean Your WordPress Site If It Gets Virus, Malware or Hacked?

socialagency

New member
Joined
Jan 28, 2013
Messages
26
Points
0
Hello,

I want to know how to clean my WordPress site if it gets a virus, malware or hacked?

One of our team's websites using WordPress got this problem. When I searched on Google for
site:www.mydomain.com
it showed 85.000 results while our real site only has about 1000 real pages on the system. I heard it's the WordPress Pharma Hack??

What is your way to clean the WordPress CMS?

Do I need to re-install a new WordPress?

Please share your suggestions.
 

elcidofaguy

Well-known member
Joined
Jan 13, 2015
Messages
1,281
Points
113
Hi socialagency,

Even with post categories and tags which might increase your index count, the difference between 1000 pages to 85,000 is significant... So it does sound like your team's website has been compromised.

With WP most of the hacks relate to plugins or themes - especially if you are using one which has been nulled (an unofficial copy which is freely distributed without the owner's consent and which bypasses licensing, payment etc...)

First you need to identify where the problem is on your website... Typically when logged into WP - the malicious code tends to hide itself.... So check your website without logging in and also check it against different IP proxies e.g. check to see how it looks from different countries as the code may be clever enough to hide itself from admin IP... Usually these hacks display links in the header or footer pointing to their dodgy sites....

Once you can see the problem - next step is to disable all plugins... and one by one activate it... Doing so check your website to see if the malicious code appears.. Usually you will find the problem that way... If not disable the theme and use another one to check if that is the case....

If neither of these is the problem - then you now need to check server logs... Look for unusual IPs and posts/pages which have been called too many times... For example xmlrpc.php is a typical one which hackers target.... If it's called too many times then you know that the hackers have compromised your logon.... Either way you should change all logon/passwords as well as checking all users - as the hack may create one, usually they try to hide it by calling it system or something like that... If so delete that user and block access to xmlrpc.php

If neither of these solves the problem - then let me know as we can go through a more detailed diagnostic check list....

Finally once the problem is identified and removed - also check all posts/pages and delete the ones which may have been created by the hacker....

Best of Luck!

Sid
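
The server-log check suggested above, as an added Python example that is not part of the original reply: it counts POST requests to xmlrpc.php and wp-login.php per client IP and lists the most requested paths. The combined log format, the threshold of 3 and the sample lines are assumptions constructed for illustration.

```python
import re
from collections import Counter

# Apache/nginx "combined" format: ip ident user [time] "METHOD url proto" status ...
LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+)[^"]*" (\d{3}) ')
AUTH_PATHS = ("/xmlrpc.php", "/wp-login.php")  # endpoints that accept WordPress logins

def triage(lines, threshold=3):
    """Return (noisy, top_paths).

    noisy: {(ip, path): count} for POSTs to AUTH_PATHS with count >= threshold.
    top_paths: the five most requested paths as (path, count), busiest first.
    """
    auth_posts, paths = Counter(), Counter()
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue  # not a combined-format line
        ip, method, url, _status = m.groups()
        path = url.split("?", 1)[0]  # ignore the query string
        paths[path] += 1
        if method == "POST" and path in AUTH_PATHS:
            auth_posts[(ip, path)] += 1
    noisy = {key: n for key, n in auth_posts.items() if n >= threshold}
    return noisy, paths.most_common(5)

# Constructed sample lines using documentation IP ranges, not taken from a real site.
SAMPLE_LOG = [
    f'203.0.113.7 - - [10/Mar/2015:10:00:0{i} +0000] "POST /xmlrpc.php HTTP/1.1" 200 370 "-" "-"'
    for i in range(4)
] + [
    '198.51.100.20 - - [10/Mar/2015:10:01:00 +0000] "GET /?p=12 HTTP/1.1" 200 5120 "-" "-"',
    '198.51.100.20 - - [10/Mar/2015:10:02:00 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "-"',
    "truncated line without a request field",
]

if __name__ == "__main__":
    noisy, top = triage(SAMPLE_LOG)
    for (ip, path), n in noisy.items():
        print(f"{ip} sent {n} POSTs to {path}")
    print("most requested:", top)
```

To run it against a real access log, pass the open file object to `triage()` and raise the threshold to match the site's normal traffic.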
 

socialagency

New member
Joined
Jan 28, 2013
Messages
26
Points
0
Thanks @elcidofaguy, it's awesome information!

I am doubting the plugins because my site is using over 15 plugins. I think some plugins have more potential for hackers to exploit via them, because my PC uses Kaspersky Internet Security Anti Virus, hence malware and virus as the reason is ignored.

The big problem now is that Google indexed 85K pages of my website in search results; I'm finding ways to remove these results.
 

elcidofaguy

Well-known member
Joined
Jan 13, 2015
Messages
1,281
Points
113
A lot of free plugins have trojan horses - in that they have some code which leaves a back door for hackers... So you got to be careful.. Especially if you come across nulled ones as that's an approach which gets a lot of people downloading, installing them.... 15 plugins that's a lot... Indeed it can definitely be one of them.... You need to rule out if that is the case as described....

I really recommend that you disable all of them and then re-activate each one by one, whilst comparing it to a page/post where you can see the offending hack output - such as footer or header.. Or alternatively look for encrypted code (base64) within the plugin source files...

Okay... Let's say that you can't see that and it's not plugins, then the vulnerability is elsewhere... Check your theme... Also check your server log files and see which system/set-up files have been accessed by addresses which are not the host/server IP or your IP address..... From there you will see how you are being hacked.... Double check xmlrpc.php for IPs which have accessed this file... They use that as a back door to logon to WP, bypassing the standard logon...

In addition - please check your .htaccess file... I have a hunch that given the large number of indexed pages - it could be related to 301 redirects.... So have a look at this file and see if there is anything unusual....

The important thing as outlined is to do the investigation and figure out why.... Yep it can be looking for a needle in the haystack - but again the clues are all on your server and in the log files... Once found you'll easily be able to fix it with checking it online....

Again Best Of Luck! Cheers, Sid
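
The file checks suggested above (encoded code in plugin and theme source files, unusual redirects in .htaccess), as an added Python example that is not part of the original reply. The patterns, their labels and the sample tree are assumptions constructed for illustration; they are heuristics that point at files to review by hand.

```python
import re
import tempfile
from pathlib import Path

# Heuristics only: each pattern also occurs in legitimate code, so review every hit.
PHP_PATTERNS = {
    "decode-then-execute": re.compile(
        r"\b(eval|assert)\s*\(\s*(base64_decode|gzinflate|str_rot13)\s*\(", re.I),
    "long base64-like literal": re.compile(r"""['"][A-Za-z0-9+/]{200,}={0,2}['"]"""),
}
HTACCESS_PATTERNS = {
    "rule keyed on referer/user-agent": re.compile(
        r"^\s*RewriteCond\s+%\{HTTP_(REFERER|USER_AGENT)\}", re.I | re.M),
    "redirect to external host": re.compile(
        r"^\s*(RewriteRule|Redirect(Match)?)\s.*https?://", re.I | re.M),
}

def scan_tree(root):
    """Return sorted (relative_path, finding) pairs for .php and .htaccess files."""
    findings = []
    for path in Path(root).rglob("*"):
        patterns = (HTACCESS_PATTERNS if path.name == ".htaccess"
                    else PHP_PATTERNS if path.suffix.lower() == ".php" else None)
        if not patterns or not path.is_file():
            continue
        text = path.read_text(errors="replace")
        findings += [(path.relative_to(root).as_posix(), label)
                     for label, rx in patterns.items() if rx.search(text)]
    return sorted(findings)

def demo():
    """Scan a small constructed tree (not from a real site) and return the findings."""
    files = {
        "wp-content/plugins/clean/clean.php": "<?php add_action('init', 'clean_init');\n",
        "wp-content/plugins/gallery/inc.php": '<?php eval(base64_decode("QUJD"));\n',
        "wp-content/themes/demo/footer.php": "<?php $x = '" + "QUJD" * 60 + "';\n",
        ".htaccess": "RewriteCond %{HTTP_REFERER} google [NC]\n"
                     "RewriteRule ^(.*)$ http://example.invalid/$1 [R=301,L]\n"
                     "RewriteRule . /index.php [L]\n",
    }
    with tempfile.TemporaryDirectory() as tmp:
        for rel, body in files.items():
            target = Path(tmp) / rel
            target.parent.mkdir(parents=True, exist_ok=True)
            target.write_text(body)
        return scan_tree(tmp)

if __name__ == "__main__":
    print(*demo(), sep="\n")
```

On a real site, call `scan_tree()` on a copy of the WordPress directory and compare any flagged plugin or theme file with a fresh download of the same version.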
 