Today we will discuss how to remove malware from your website. Your website has been compromised, and you suspect that attackers have injected malware into its code. What can you do about it? There are many ways to approach a malware infection, and we’ll look at some in a moment. But your ultimate recourse may be to roll up your sleeves, search the site’s files, and remove the malware manually.
This article will show you how to find malware code on your site, and how to search files and remove it, using a WordPress site as an example. You don’t have to be a developer to follow along, but you’ll be better able to identify malware if you have some familiarity with coding and the language the site is written in, which is PHP in the case of WordPress.
How to avoid malware on your website?
In an ideal world, you wouldn’t have to remove malware manually. It can be a tedious process, especially if you can’t distinguish between malware and the innocent code your site relies on. Malware code is also easy to miss: online criminals are stealthy, and they go to great lengths to hide it. Unfortunately, you can spend hours searching for and removing traces of malware, only to have a hidden backdoor immediately re-infect the site.
The best option is to avoid malware infection in the first place. Make sure your site is updated, and turn on automatic updates if possible. Be careful when installing plugins and themes, and avoid nulled or pirated software at all costs; it is always loaded with malicious code.
Automatic malware detection and removal is less demanding than manual malware removal. cPanel and WHM support the excellent free ImunifyAV scanner, which you can install through WHM’s Security Center. It alerts you when it finds a suspected malware infection and tells you where it is. If you upgrade to ImunifyAV+, you’ll be able to remove malware with the click of a button.
Finally, if you suspect an infection, you should try to restore a recent clean backup. Restoring from an uninfected backup overwrites corrupted files with clean originals. cPanel’s WordPress Toolkit makes it easy to back up WordPress sites in seconds, or you can use one of the popular WordPress plugins that offer backup functionality.
If you don’t have a recent backup, you’ll have to dig in and manually replace the infected files.
How to remove malware from your website?
We are using WordPress in our walkthrough, because that’s the most popular CMS. But a similar process works for other content management systems and eCommerce stores.
It should be noted that we are making a large assumption in this article: that the malicious code is limited to your website and that the attacker did not gain access to your web hosting server. If the server is compromised, attackers can replace system binaries with rootkits and other malware. If this happens, you can’t trust any software on the server, including the software we’re going to use to clean up malicious code from the site.
Before tackling malware removal in WordPress, you should:
Take the site offline
If possible, use WordPress Toolkit’s maintenance mode to avoid putting users at further risk.
Make a backup
Always back up your site whenever you make any changes to its code or database.
Turn on debug settings
Debug settings allow WordPress to print error messages to the screen. If you make changes that break the site, the messages will help you figure out what went wrong. You can learn more about debug settings and maintenance mode in WordPress Debugging with cPanel and WordPress Toolkit.
First, we’ll check if any files have changed in the last few days. Most WordPress files aren’t changed frequently, except for static assets like images, so recent changes are a helpful clue.
Sign in to your server via SSH or open the cPanel terminal and navigate to the infected site’s directory. You can find the terminal under Advanced in the cPanel main page menu. Your WordPress site is probably in public_html or in a directory inside it.
Run the following command:
find . -name '*.ph*' -mtime -7
It displays a list of all PHP files that have changed in the last seven days. WordPress has hundreds of files that can hide malware, but let’s assume that wp-config.php is at the top of your list. Next, we need to look inside to see if there are any traces of malicious code.
Open the file in your text editor. If you prefer not to work with command-line text editors, find the file in cPanel’s File Manager and click Edit on the menu bar. You’re looking for something that seems out of place.
Watch out for these red flags:
Mismatched coding styles
Lines of code can be long, incorrectly indented, or overly complex.
Obfuscated code
Code that has been intentionally disguised. It looks like a long string of meaningless letters and numbers. Not all code that looks like this is malicious; you may see valid hashes that match this description, especially in configuration files.
Strange URLs
Most of the URLs in your site’s files are related to the site. If you see any unusually formatted or excessively long website address, it may link to a web server under the attacker’s control.
For example, if you see something like this mixed in with familiar PHP code, it’s almost certainly malware.
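The red flags listed above can also be screened for from the terminal before you open each file. The script below is an added example, not part of the original article and not a malware sample; the thresholds, the decode-function list and the example.com host are assumptions to adjust for your site.

```shell
#!/bin/sh
# Added example: pre-screen recently changed PHP files for the red flags
# listed above. Hits are leads for manual review, not proof of infection.
MAX_LINE=${MAX_LINE:-500}   # assumed threshold for an unusually long line
BLOB_LEN=${BLOB_LEN:-120}   # assumed threshold for an encoded-looking run

# scan_file FILE SITE_HOST: print "FLAG<TAB>file:line" for each red flag.
scan_file() {
  # Mismatched style: lines far longer than hand-written code.
  awk -v max="$MAX_LINE" 'length($0) > max { print NR }' "$1" |
    while read -r n; do printf 'LONG_LINE\t%s:%s\n' "$1" "$n"; done
  # Obfuscation: decode-and-run helpers, or long runs of base64-like text.
  grep -nE "eval[[:space:]]*\(|base64_decode|gzinflate|str_rot13|[A-Za-z0-9+/]{$BLOB_LEN,}" "$1" |
    while IFS=: read -r n rest; do printf 'OBFUSCATED\t%s:%s\n' "$1" "$n"; done
  # Strange URLs: any host other than the site's own (with or without www).
  grep -noE 'https?://[A-Za-z0-9.-]+' "$1" |
    while IFS=: read -r n url; do
      h=${url#*://}; h=${h#www.}
      [ "$h" = "$2" ] || printf 'FOREIGN_URL\t%s:%s %s\n' "$1" "$n" "$h"
    done
}

# scan_recent DIR SITE_HOST [DAYS]: scan PHP files modified in the last DAYS
# days, using the same find filter as the command in the article.
scan_recent() {
  find "$1" -type f -name '*.ph*' -mtime "-${3:-7}" |
    while IFS= read -r f; do scan_file "$f" "$2"; done
}

# demo: constructed sample file; the encoded string decodes to: echo "hi";
demo() {
  d=$(mktemp -d)
  printf '%s\n' '<?php' "define('DB_NAME', 'wp');" \
    "eval(base64_decode('ZWNobyAiaGkiOw=='));" \
    '$u = "http://cdn.attacker.invalid/x.js";' > "$d/wp-config.php"
  scan_recent "$d" example.com
  rm -rf "$d"
}

if [ "$#" -ge 2 ]; then scan_recent "$@"; elif [ "${1:-}" = demo ]; then demo; fi
```

Run it as `sh scan.sh . yoursite.com 7` from the site directory, or with the single argument `demo` to see the output format. WordPress core legitimately links to outside hosts, so expect FOREIGN_URL hits that turn out to be harmless.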

Remove malware and get backup
Most malicious code is not that obvious. However, you can compare the suspect file to the original to see if anything looks out of place. Download a fresh copy of your original version of WordPress from WordPress.org. If a plugin or theme file is in doubt, download a newer version from the developer’s site or the WordPress repository.
Open your newly downloaded version and compare it to your site file. They may not be identical, but you should be suspicious of any significant differences.
In many cases, you can simply replace an infected file. Manually cleaning malware is a careful process of exchanging infected files for uninfected originals. However, you must be careful not to simply replace files that contain necessary configuration data. For example, if you replace wp-config.php with a newly downloaded file, your site will stop working because that file contains the site and database configuration.
If you’re not sure what a file does, check the WordPress documentation to make sure it’s safe to exchange. You may need to copy the data from the infected file into its replacement, ensuring that no malicious code comes across with it.
Use cPanel’s File Manager to replace the files: delete the infected original and upload the replacement. Then, verify that the site still works each time you make a change. If you don’t check regularly and only notice the problem later, you may have no idea which edit did the damage.
As we mentioned at the start of this article, manual malware removal is a long and tedious process, and there is no guarantee that you will find all malicious code. However, this is a valuable technique to have under your belt when automatic malware removal and backups let you down.
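The comparison against a fresh download described above can be run over the whole site at once from the terminal. This script is an added example, not from the original article; it assumes the fresh copy is unpacked on the server and is the same WordPress version as the site, and both directory paths are placeholders you supply.

```shell
#!/bin/sh
# Added example: compare a site against a freshly downloaded copy of the same
# WordPress version. Reports only; nothing is replaced or deleted.

# compare_core CLEAN_DIR SITE_DIR: print "STATUS<TAB>relative/path" lines.
compare_core() {
  clean=${1%/}; site=${2%/}
  # Every file WordPress ships should exist on the site, byte for byte.
  (cd "$clean" && find . -type f) | while IFS= read -r rel; do
    rel=${rel#./}
    if [ ! -f "$site/$rel" ]; then
      printf 'MISSING\t%s\n' "$rel"
    elif ! cmp -s "$clean/$rel" "$site/$rel"; then
      printf 'MODIFIED\t%s\n' "$rel"
    fi
  done
  # wp-admin and wp-includes hold core code only, so a file there that the
  # clean copy lacks deserves a look. wp-config.php and wp-content are
  # site-specific and are deliberately not reported as extras.
  for d in wp-admin wp-includes; do
    [ -d "$site/$d" ] || continue
    (cd "$site" && find "$d" -type f) | while IFS= read -r rel; do
      [ -f "$clean/$rel" ] || printf 'EXTRA\t%s\n' "$rel"
    done
  done
}

# demo: constructed miniature trees standing in for the real directories.
demo() {
  t=$(mktemp -d); mkdir -p "$t/clean/wp-includes" "$t/site/wp-includes"
  echo '<?php // core' > "$t/clean/wp-includes/load.php"
  echo '<?php // core' > "$t/clean/index.php"
  echo '<?php // core + injected line' > "$t/site/wp-includes/load.php"
  echo '<?php // core' > "$t/site/index.php"
  echo '<?php // not shipped by WordPress' > "$t/site/wp-includes/cache.php"
  echo '<?php // site settings' > "$t/site/wp-config.php"
  compare_core "$t/clean" "$t/site"
  rm -rf "$t"
}

if [ "$#" -eq 2 ]; then compare_core "$1" "$2"; elif [ "${1:-}" = demo ]; then demo; fi
```

Each MODIFIED or EXTRA path is a candidate for the manual inspection and replacement steps above; plugins and themes under wp-content need the same comparison against their own fresh downloads.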



