Cleaning a WordPress Website
WordPress's popularity makes it an unfortunate target for attackers. When a WordPress site is compromised, the easiest fix is to restore from a good set of backups.
But if you're reading this guide, chances are you don't have a clean set of backups. Don't worry. Recovery is possible. While your theme, plugins, and site setup may change some of the details presented in this guide, the general concepts will be the same.
Additionally, this guide can't cover every infection, especially those from more severe or targeted attacks. If you need help beyond these steps, please contact us for assistance.
Upgrading WordPress is the best first step to take. Since most site compromises occur through an outdated install of WordPress or its plugins and themes, starting with a secure installation gives you a significant advantage.
Try to upgrade WordPress via the admin dashboard by clicking Updates under Dashboard and applying any pending updates for WordPress. If your WordPress is up to date, reinstalling is still a good idea because the attacker may have altered some core WordPress files.
If you can't access the admin dashboard, replacing the WordPress files via FTP or SSH is your only option. If you aren't sure how to do this, contact your hosting provider. If you're with my hosting company, OCS Solutions, just contact us and let us know you need an up-to-date refresh of the WordPress files on your account. We'll be happy to help.
Once you have a functioning WordPress dashboard, go to the Users listing, then click Administrator to see all admin users. If you see anyone other than you or other admins you have previously set up in WordPress, remove those accounts. For the remaining admins (including yourself), reset all passwords. To do this, click on the user in question and scroll to Set New Password. Don't forget to use a strong, secure password. The passwords that WordPress generates for you are very safe.
Update Themes and Plugins
Return to the Updates section under Dashboard and apply any pending Plugin and Theme updates. While it's true that upgrading these can sometimes cause problems, your site is already experiencing security issues, so it's almost certainly best to proceed with the updates. Security issues are more significant problems than any code incompatibility situation, so you're better off having parts of your website not functioning correctly than to leave yourself open to another attack.
Installing and Scanning with Wordfence
Click on Plugins in the admin dashboard, then click Add New. In the search box, type Wordfence. Install this plugin, then follow the prompts to both secure your site and perform a full scan. If it doesn't prompt you to scan, click on the newly added Wordfence section on the left-hand menu, then click Scan. Click Start New Scan and take any actions recommended by the results.
At this point, your site is likely in good shape, but there could still be malware files in your website files that can open the door to continued infection. Wordfence scans are usually pretty good about detecting these, but the only way to be entirely sure is to check your files for signs of damage or malware.
To do this, use an FTP client or web hosting file manager to browse your site and look for any files that have suspicious names (including random letters and numbers). You can also open a file in your text editor to inspect its contents. If you see many random characters, it is likely a binary or encoded file that can contain malware. You can upload the file to virustotal.com to see if the file is listed as malicious by leading anti-malware vendors.
You'll also want to inspect the .htaccess file in the site's root to see if it has any unusual off-site links. If you've never edited it before, any URL in the file is likely suspect and should be removed. To be sure the file is clean, you can always replace it with precisely this content.
An Ounce of Prevention
The best way to secure your site is to keep WordPress and its plugins/themes up to date. I also recommend installing Wordfence and running a regular scan on your site. You should also regularly check the administration users on the site to ensure new ones haven't been added without your knowledge or permission.
Additionally, ensure that any computer you use to work on your WordPress site, especially in the admin panel or via FTP, is entirely up to date, secure, and malware-free. Malware installed on a computer can steal passwords to your site, making all your on-site security efforts meaningless.
I hope this guide has helped you clean and secure your WordPress site. As I stated before, it's impossible to create a guide to remove all infections or address all malware situations. Regardless, every malware cleaning task starts with these steps.
Once your site is clean, don't forget to take a complete backup of your site. Regular backups, WordPress updates, theme and plugin updates, and a careful eye on your site's users will help keep your site healthy and malware-free.