Things you should know before cleaning a WordPress site that has been hacked
1. You can usually delete anything in the wp-content/plugins/ directory and you won’t lose data or break your site. The reason is that these are plugin files that you can reinstall and WordPress will automatically detect if you’ve deleted a plugin and will disable it. Just make sure to delete entire directories in wp-content/plugins and not just individual files. For example, if you want to delete the Wordfence plugin, you must delete wp-content/plugins/wordfence and everything within that directory including the directory itself. If you only delete a few files from a plugin you can leave your site inoperable.
2. You usually only have one theme directory in use for your site in the wp-content/themes directory. If you know which one this is, you can delete all other theme directories. Beware: if you have a “child theme”, you may be using two directories in wp-content/themes (the child theme and its parent).
3. The wp-admin and wp-includes directories very rarely have new files added to them. So if you find anything new in those directories, it has a high probability of being malicious.
4. Watch out for old WordPress installations and backups. We often see sites infected where someone says, “But I kept my site up-to-date and had a security plugin installed, so why did I get hacked?” What sometimes happens is that you or a developer back up a copy of all your site files into a subdirectory like /old/ that is accessible from the web. This backup is not maintained, and even though your main site is secure, a hacker can get into the old copy, infect it and reach your main site from the backdoor they planted there. So never leave old WordPress installations lying around, and if you do get hacked, check those first because they are likely full of malware.
Running a scan using commands:
On a Linux server, you can log in via SSH and run the following commands to list files modified recently. The commands below scan the path in which you have installed WordPress and list the files modified in the last 2 or 10 days:
find /home/yourdirectory/yoursite/ -mtime -2 -ls
find /home/yourdirectory/yoursite/ -mtime -10 -ls
The command below searches for files that contain the string base64 (commonly used by hackers to obfuscate malicious code):
grep -ril base64 *
You can omit the ‘l’ option to see the actual contents of the file where the base64 string occurs:
grep -ri base64 *
Keep in mind that “base64” can occur in legitimate code as well. Before you delete anything, make sure that you are not deleting a file that is being used by a theme or plugin on your site. The following command searches all files recursively that end with .php for the string “base64_decode” and prints the line number, so that you can more easily find the context in which the string occurs:
grep --include=*.php -rn . -e "base64_decode"
If you clean a lot of infected files you will start noticing patterns in where malicious code is commonly found. One such place is the uploads directory in WordPress installations. The command below shows how to find all files in the uploads directory that are NOT image files. The output is saved in a log file called “uploads-non-binary.log” in your current directory.
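The checks in this section gathered into one script, as an added example that is not part of the original article and not Wordfence's own code: the find for recently modified files, the same find narrowed to wp-admin and wp-includes, the grep for base64_decode in PHP files, and a find for non-image files in the uploads directory written to uploads-non-binary.log. The function names are mine, the sample site tree the script builds (every path and file content in it) is constructed for the demonstration, and the grep relies on GNU grep's --include option just as the command above does.

```shell
#!/bin/sh
# Added example, not from the original article: the manual checks above
# (recently modified files, new files under wp-admin and wp-includes,
# base64_decode in PHP files, non-image files in uploads) as shell functions.
# Everything created by make_sample_site is constructed sample data.

# Build a throwaway WordPress-like tree to run the checks against offline and
# print its path. Legitimate files are backdated to 2020; the two planted
# files keep the current time, so they show up as recently modified.
make_sample_site() {
    site=$(mktemp -d)
    mkdir -p "$site/wp-admin" "$site/wp-includes" \
             "$site/wp-content/plugins/example" \
             "$site/wp-content/uploads/2024/01"
    printf '<?php // core file\n'   > "$site/wp-admin/admin.php"
    printf '<?php // plugin file\n' > "$site/wp-content/plugins/example/example.php"
    printf 'GIF89a'                 > "$site/wp-content/uploads/2024/01/photo.gif"
    printf 'jpeg bytes'             > "$site/wp-content/uploads/2024/01/photo.jpg"
    touch -t 202001010000 "$site/wp-admin/admin.php" \
        "$site/wp-content/plugins/example/example.php" \
        "$site/wp-content/uploads/2024/01/photo.gif" \
        "$site/wp-content/uploads/2024/01/photo.jpg"
    # Planted stand-ins: a PHP file in uploads that merely mentions
    # base64_decode, and an unexpected new file in wp-includes.
    printf '<?php $x = base64_decode("ZWNobyAxOw==");\n' \
        > "$site/wp-content/uploads/2024/01/cache.php"
    printf '<?php // unexpected new file\n' > "$site/wp-includes/class-wp-zz.php"
    echo "$site"
}

# Regular files under $1 modified in the last $2 days (the article's find -mtime -N).
recently_modified() {
    find "$1" -type f -mtime "-$2"
}

# The same check limited to wp-admin and wp-includes, where new files are rare
# enough that every hit deserves a look.
core_dirs_recent() {
    find "$1/wp-admin" "$1/wp-includes" -type f -mtime "-$2"
}

# PHP files under $1 that contain base64_decode, with line numbers for context.
# Hits are leads, not verdicts: legitimate plugins call base64_decode too.
php_with_base64_decode() {
    grep --include='*.php' -rn -e 'base64_decode' "$1" || true
}

# Files in wp-content/uploads that are not common image types, listed in $2.
# Prints the number of hits. SVG is deliberately not excluded: it is XML and
# can carry script, so it should be reviewed like any other non-image file.
uploads_non_image() {
    find "$1/wp-content/uploads" -type f \
        ! -name '*.jpg' ! -name '*.jpeg' ! -name '*.png' \
        ! -name '*.gif' ! -name '*.webp' > "$2"
    grep -c . "$2" || true
}

# Usage: sh wp-triage.sh /path/to/site [days] [logfile]
# With no arguments the constructed sample tree is used, so the script runs as is.
site=${1:-$(make_sample_site)}
days=${2:-2}
log=${3:-uploads-non-binary.log}
echo "== files modified in the last $days days =="
recently_modified "$site" "$days"
echo "== recent files under wp-admin and wp-includes =="
core_dirs_recent "$site" "$days"
echo "== PHP files mentioning base64_decode =="
php_with_base64_decode "$site"
echo "== non-image files in uploads: $(uploads_non_image "$site" "$log") (listed in $log) =="
```

On the sample tree the script reports the two planted files as recent, one of them under wp-includes, one PHP file mentioning base64_decode, and one non-image file in uploads. On a real site, treat every list as a review queue rather than a delete list: compare each hit against a fresh copy of the plugin, theme or core version before removing it.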
1. Upgrade your site to the newest version of WordPress. Upgrade all your themes and plugins to their newest versions.
2. Change all passwords on the site, especially administrative passwords.
3. Make another backup and store it separately from the backup we recommended you make above. Now you have an infected site, but that site is running the newest version of everything. If you break anything while cleaning your site using Wordfence, you can go back to this backup and you don’t have to retrace all the steps above.
4. Go to the Wordfence Scan page. Click on the “Scan Options and Scheduling” link. Enable the “High Sensitivity” scanning option. If the scan takes too long or does not complete, expand the “General Options” section, deselect the options “Scan files outside your WordPress installation” and “Scan images, binary, and other files as if they were executable”, save the changes and try a new scan.
5. When the results come up you may see a very long list of infected files. Take your time and slowly work through the list.
6. Examine any suspicious files and either edit those files by hand to clean them or delete the file. Remember that you can’t undo deletions, but as long as you took the backup we recommended above, you can always restore the file if you delete the wrong thing.
7. Look at any changed core, theme and plugin files. Use the option Wordfence provides to see what has changed between the original file and your file. If the changes look malicious, use the Wordfence option to repair the file.
8. Slowly work your way through the list until it is empty.
9. Run another scan and confirm your site is clean.