Astra saved my website from the dreaded Japanese SEO hack. Have used Astra for my website's security ever since & super happy to see dozens of attacks being stopped & the support I've received.
Ingrid Kjelling
Owner, IK Photography

The Ultimate WordPress Hack Cleanup Guide

This WordPress malware cleanup guide will help you protect your WordPress website from hackers and fix your website if it has been hacked.

A sad reality for website owners and webmasters is that their running website could be hacked. We have saved people from getting their website hacked and have helped them clean their hacked WordPress websites. This comprehensive WordPress hack cleanup guide is another effort in that direction. A hack is bad for your business and readership, and staying safe from malicious attacks on the internet today is a task in itself.

Few Things to Know Before We Start

First and foremost, no matter what platform you use (WordPress, OpenCart, Drupal, Magento or any other CMS), it can be hacked. If hacked, you lose search engine rankings, get blacklisted by Google, expose your readers to malware, lose sensitive information and, ultimately, lose customers.

If yours is not just another website, then security must be your first priority. You need to have the following things correctly in place:

These things help if you haven't been hacked, but if you're reading this article, it is probably already too late.

Let’s dive into our WordPress hack cleanup guide. Follow it step by step to secure your WordPress website.

Diagnose Hack

It’s really important to identify and diagnose the hack by locating every area where malicious code could sit in your application. It could be in core files, database tables, logs and many other places. Follow this WordPress hack cleanup guide thoroughly.

Check core files

Most of the core WordPress files should never be modified. Understanding the WordPress structure is crucial in order to compare your existing core files to the ones present in a fresh install.

A quick way to do this is the “diff” command in a terminal on Unix-like systems:

$ diff -r /Desktop/WordPress/wp-includes /public_html/your-site.[com]/wp-includes
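
The same comparison as a triage report, added here as an example (it is not part of the original guide). It goes beyond the single wp-includes directory: it compares a whole fresh install against the live site, skips wp-content/ and wp-config.php, and labels each finding. The function names, labels and sample trees are constructed for illustration.

```shell
# compare_core FRESH LIVE   (hypothetical helper, not a WordPress tool)
# Prints "ADDED <path>", "MODIFIED <path>" or "MISSING <path>" per finding.
# wp-content/ and wp-config.php are skipped: they legitimately differ per site.
compare_core() {
    fresh=$1; live=$2
    # Files on the live site that changed or do not exist in the fresh install.
    (cd "$live" && find . -type f ! -path './wp-content/*' ! -name 'wp-config.php') |
    LC_ALL=C sort | while IFS= read -r f; do
        if [ ! -f "$fresh/$f" ]; then
            echo "ADDED ${f#./}"        # unknown file inside core: inspect first
        elif ! cmp -s "$fresh/$f" "$live/$f"; then
            echo "MODIFIED ${f#./}"     # core file whose bytes differ
        fi
    done
    # Core files that were deleted from the live site.
    (cd "$fresh" && find . -type f ! -path './wp-content/*') |
    LC_ALL=C sort | while IFS= read -r f; do
        if [ ! -f "$live/$f" ]; then
            echo "MISSING ${f#./}"
        fi
    done
    return 0
}

# Constructed sample trees (not real WordPress files) so the example runs offline.
make_sample_trees() {
    d=$(mktemp -d)
    mkdir -p "$d/fresh/wp-includes" "$d/live/wp-includes" "$d/live/wp-content/uploads"
    echo '<?php // version' > "$d/fresh/wp-includes/version.php"
    echo '<?php // load'    > "$d/fresh/wp-includes/load.php"
    echo '<?php // index'   > "$d/fresh/index.php"
    cp -R "$d/fresh/." "$d/live/"
    echo '// injected line' >> "$d/live/wp-includes/load.php"        # tampered core file
    echo '<?php // unknown' >  "$d/live/wp-includes/class-cache.php" # not in fresh install
    rm "$d/live/index.php"                                           # deleted core file
    echo 'db settings' > "$d/live/wp-config.php"                     # site-specific, skipped
    echo 'photo'       > "$d/live/wp-content/uploads/a.jpg"          # site content, skipped
    echo "$d"
}

sample=$(make_sample_trees)
compare_core "$sample/fresh" "$sample/live"
rm -rf "$sample"
```

Use a fresh download of the same WordPress version the site runs, otherwise every file changed between releases shows up as MODIFIED.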

Check Recently Modified Files

Recently modified files may also be the ones that have been hacked. Follow these steps to identify recently modified files:

  1. Log into your server using FTP or SSH terminal.
  2. If using SSH, you can use “find” command to list all files modified in the last 10 days:
    $ find ./ -type f -mtime -10
  3. If using FTP client, you can review last modification to every file.
  4. List the files that have been modified and check those for hack activity.

Check Diagnostic Pages

In case your website has been blacklisted by search engines then you can use their respective diagnostic tools to check the security status of your website. Following are some important tools:

Hack Cleanup

Now that you know where the malware is located, the next step is to clean it. We suggest you take a backup before you start. Follow the steps below to completely clean your WordPress website.

Clean hacked files

If the infection is in your core files, you can simply remove the malware manually. Don’t change the content of the wp-config file or the wp-content folder (your application might break).

Core .php files can be directly replaced with the files that you get in the fresh install. Get all .php core WordPress files. You can download the .zip and get all the files that are there in a fresh install.

Follow these steps to remove malware infected files:

  1. Collect the recently changed files and confirm the changes with the users who made them.
  2. Restore infected files from the files in a fresh WordPress install.
  3. Even for theme files, you can simply replace malicious code by comparing them to the original theme files, or contact your theme distributor.

Note: I know it’s sometimes difficult checking all files for malware but “diff” and “grep” commands are handy when comparing files.

Clean hacked database tables

To remove malware/infection from hacked tables, you need to be cautious so that your application doesn’t go down. Also, don’t forget to take a backup of your application.

Follow these steps to remove malware/infection from database tables:

  1. Sign into your database admin panel (possibly phpMyAdmin).
  2. Take a backup of your database (select the tables and export your SQL database).
  3. Look for suspicious content (JavaScript code, hash codes etc.) and delete the particular rows.
  4. Test whether the site is still working fine. If yes, congratulations, you’ve cleared all malware in your database tables.

Check User Accounts

It is really important to check the users who are associated with your application. If you see an unauthorized user logged in, or any person who shouldn’t be using your application, restrict their access. Follow the steps below to remove non-authorised users:

  1. In your wp-admin dashboard, go to Users->All Users.
  2. In the window, select the user (who shouldn’t be there), expand the “Bulk Actions” dropdown, select “Delete” and then “Apply” the settings.
  3. Repeat the above steps until all your users are authorized to use your application.

Note: If you allow malicious users to continue to use your application, then every effort from this WordPress hack cleanup guide goes to waste.

Check Image Files

The next step is to check your image files. Hackers embed malware code in image files, which then act as a backdoor: the malicious PHP code is kept as metadata/comments in the image file, and the application is later exploited using the injected code. In the worst case, a web shell is uploaded to your site and the hacker gets access to your server.

All possible images on a WordPress website would be:

  • Favicon icon (favicon.ico attack)
  • /wp-uploads
  • User’s profile picture
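
One way to run this check over an uploads directory, added here as an example (it is not part of the original guide). It flags script files sitting among uploads, image files whose first bytes do not match their extension, and image files that contain a PHP open tag. The function names, labels and sample files are constructed for illustration.

```shell
# Leading bytes (hex) expected for each image extension that is checked.
magic_for() {
    case $1 in
        *.jpg|*.jpeg) echo ffd8ff ;;
        *.png)        echo 89504e ;;
        *.gif)        echo 474946 ;;
        *.ico)        echo 000001 ;;
        *)            echo '' ;;
    esac
}

# scan_uploads DIR   (hypothetical helper name)
scan_uploads() {
    dir=$1
    find "$dir" -type f | LC_ALL=C sort | while IFS= read -r f; do
        rel=${f#"$dir"/}
        lower=$(printf '%s' "$f" | tr 'A-Z' 'a-z')
        case $lower in
            *.php|*.phtml|*.phar)
                echo "SCRIPT_IN_UPLOADS $rel"; continue ;;
        esac
        want=$(magic_for "$lower")
        [ -n "$want" ] || continue      # not an image extension we check
        have=$(od -An -tx1 -N3 "$f" | tr -d ' \n')
        if [ "$have" != "$want" ]; then
            echo "MAGIC_MISMATCH $rel"  # extension says image, content disagrees
        fi
        # -a: read binary as text, -i: ignore case, -F: fixed string.
        if grep -aqiF '<?php' "$f"; then
            echo "PHP_IN_IMAGE $rel"
        fi
    done
    return 0
}

# Constructed sample files (inert markers only) so the example runs offline.
make_sample_uploads() {
    d=$(mktemp -d)
    mkdir -p "$d/2024/01"
    printf '\377\330\377\340JFIF-constructed-pixels'          > "$d/2024/01/clean.jpg"
    printf '\377\330\377\340JFIF <?php /* constructed */ ?>'  > "$d/2024/01/banner.jpg"
    printf '<?php /* constructed */ ?>'                       > "$d/2024/01/cache.php"
    printf '<?php /* constructed */ ?>'                       > "$d/avatar.png"
    printf '\000\000\001\000constructed-icon'                 > "$d/favicon.ico"
    echo "$d"
}

sample=$(make_sample_uploads)
scan_uploads "$sample"
rm -rf "$sample"
```

A hit is a reason to open the file, not proof of compromise; a clean result does not rule out payloads hidden in compressed or encoded image data.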

Delete Hidden Back-doors

It is very common for hackers to leave a backdoor (script/software on your server) to exploit your application. Back-doors can either be in your theme folder or your plugins folder or anywhere in your server.

There is a list of functions in PHP that come in handy when writing backdoors:

  • eval
  • exec
  • strrev
  • assert
  • base64
  • str_rot13
  • gzuncompress
  • stripslashes

Note: These functions are also used by plugins/themes legitimately for their product development. You will need to understand the code and the application itself so as to remove backdoor.

While doing so, keep checking whether the application still works. If it breaks, a function it requires has been changed.
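
Because legitimate plugins and themes call these functions too, a plain grep returns too many hits to review. The sketch below, added here as an example (it is not part of the original guide), counts how many distinct functions from the list each PHP file calls and sorts the files so the densest ones are reviewed first. "base64" from the list is matched as base64_decode; the function names and sample files are constructed for illustration.

```shell
# Function names from the list above ("base64" is matched as base64_decode).
SUSPECT_FUNCS='eval exec strrev assert base64_decode str_rot13 gzuncompress stripslashes'

# scan_php_backdoor_funcs ROOT   (hypothetical helper name)
# Prints "<distinct-count> <relative path> <functions found>", highest count first.
scan_php_backdoor_funcs() {
    root=$1
    find "$root" -type f \( -name '*.php' -o -name '*.phtml' -o -name '*.inc' \) |
    LC_ALL=C sort | while IFS= read -r file; do
        hits=''; n=0
        for fn in $SUSPECT_FUNCS; do
            # Require a non-identifier character before the name so that
            # e.g. "medieval(" or "curl_exec(" do not count as eval/exec.
            if grep -qiE "(^|[^A-Za-z0-9_])${fn}[[:space:]]*\\(" "$file"; then
                hits="${hits:+$hits,}$fn"
                n=$((n + 1))
            fi
        done
        if [ "$n" -gt 0 ]; then
            echo "$n ${file#"$root"/} $hits"
        fi
    done | LC_ALL=C sort -k1,1nr -k2
    return 0
}

# Constructed sample files so the example runs offline.
make_sample_site() {
    d=$(mktemp -d)
    mkdir -p "$d/theme" "$d/plugins/cache"
    # Ordinary input handling: one listed function.
    echo '<?php $clean = stripslashes($_POST["q"]);' > "$d/theme/functions.php"
    # Stacked decode-and-run calls: three listed functions in one file.
    echo '<?php /* constructed sample */ eval(gzuncompress(base64_decode($blob)));' \
        > "$d/plugins/cache/loader.php"
    # Contains "eval(" only as part of another word: must not be reported.
    echo '<?php echo "medieval(times)";' > "$d/index.php"
    echo "$d"
}

sample=$(make_sample_site)
scan_php_backdoor_funcs "$sample"
rm -rf "$sample"
```

Run it against wp-content/themes and wp-content/plugins, then read the top files by hand before deleting anything.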

Check for Malware Warnings

You should visit the respective search engines’ webmaster tools to check whether you’ve been blacklisted by them. Here are a few important links:

Post Hack Precautions

Below are some must-do things in this part of the WordPress hack cleanup guide for water-tight security. If you think that once the malware is cleaned hackers cannot do anything, sorry, you are mistaken! :)

Check for Updates

Now that you’ve cleaned all the malware from your site, it is time to secure your application and check things from ground zero. Another must-do here is to replace the /wp-admin and /wp-includes folders with the ones you get in a fresh WordPress install.

Next, always make sure that all plugins that you use are up-to-date. For that just log into your WordPress admin and click Dashboard > Updates. Make sure all your plugins are up-to-date.

WordPress Hardening and Best Security Practices

The very next step is to harden your WordPress website. Listed below are some really important security steps to have water-tight security for your application.

  • Modify database prefix
  • Disable xml-rpc in WordPress
  • Automatically logout idle users
  • Limit login attempts
  • Protect your wp-admin area
  • Check file permissions
  • Implement two factor authentication

You can look at our Comprehensive WordPress security guide.

Use a Web Application Firewall (WAF)

A WAF is an application that sits in front of your application to protect it from multiple attacks. These attacks include stored and reflected XSS, SQLi, file upload and directory traversal, to name a few.

One of the best options at your disposal to protect your WordPress website is to use a Website Firewall, like Astra. Our Security Suite helps to automatically secure your site and virtually patch software by preventing malicious requests from ever reaching your website. Since you made it this far, we offer you a discount for ASTRA with this WordPress hack cleanup guide.

WordPress Security Suite

"Excellent service, I am sleeping like a baby since I got it."

Excellent service, always responding super fast when I need them, and never had any problem with hackers since I'm with Astra.


WordPress Security Checklist

This checklist will help you with practices that you should implement while developing a WordPress website.

Every day thousands of WordPress websites get compromised because of malware infections. One of the prominent reasons behind WordPress hacks is poor coding practices.

WordPress security is a cumbersome process, especially if you’re developing a website for the first time & don’t know much about security. Our WordPress security checklist contains easy to implement steps for beginners and experts alike. Following this WordPress secure coding checklist will help you to protect your website from hackers and make your website stand out and shine.

Here are some quick tips that you can follow while developing a WordPress website.
  1. The integrity of configuration files, libraries, executables, and interpreted code should be verified by the usage of checksums or hashes.
  2. Shared variables and resources must be secured from improper concurrent access.
  3. User-supplied data should not be passed to any dynamic execution function.
  4. Any third-party code, secondary applications or libraries that are used must be properly reviewed to determine their business necessity and confirm their safe functionality, in order to avoid any new vulnerabilities.


For more tailored security practices for WordPress download our checklist & don’t forget to share it with your friends if you like it.

WordPress Malware Scanner & Backdoor Removal Plugin

This page contains details about our WordPress malware scanner and how you can use it to clean your website.

WordPress Malware Scanner

Accurate, fast & machine learning powered WordPress malware scanner, now at your fingertips. Astra’s WordPress malware scanner detects all malware, backdoors & core file changes on your website without affecting the speed of your website in any way.

Super Fast

Astra’s malware scanner optimizes itself with each scan making subsequent scans visibly faster making malware scanning a 5 minute affair for you

Ever Evolving

Our malware scanner is powered by machine learning which intelligently detects early signs of malware & flags them for you

Intuitive Reports

Malware, backdoors & core file changes are beautifully visualized telling the exact instances of malware within your code making everything super simple for you

Astra's WordPress Malware Scanner

Unveil all Malware & Backdoors

One-Click Start from Dashboard

Now scan your WordPress website by just a click of button, anytime as per your convenience 

Detects Hidden Malware & Backdoors

Our Malware scanner is highly tailored for WordPress & detects the hidden, encrypted malware 

Beyond Malware Signature Matching

Our malware scanner is deeply coupled with our firewall, security audit & community security offerings helping us stay on top of the security world & bringing in that intelligence to malware scanner 

Community Powered

Astra’s community powered WordPress malware scanner brings collective intelligence of thousands of website to your website’s security, helping you stay a step ahead of hackers 

Resource Optimized

Unlike other malware scanners, Astra’s malware scanner would never slow your website. Our intelligent scanning technology helps us scan faster than other scanners without slowing down your website 

Astra's Rock Solid Security For Your WordPress

Web Application Firewall

Astra’s Web Application Firewall is highly tailored for WordPress websites and stops attacks like XSS, SQLi, SEO Spam, RCE, Bad Bots & 100+ types of threats in real time.

Manual Malware Cleanup

Apart from automated scan, our engineers perform in-depth malware cleanup of your website & assure it remains secure throughout the year, no questions asked

Community Security

Lend a friendly hand to security researchers by running your own Bug Bounty program to reward hackers for finding vulnerabilities in your website

FAQs - WordPress Malware Scanner

Our Malware scanner can be installed as a WordPress plugin. You can download the plugin from Astra dashboard after the sign-up.

Our WordPress malware scanner will give you a detailed report of all malware & backdoors. Then you need to go to the file path & delete the malicious code or file.

Yes, with malware scanner you get access to Astra firewall which stops all malware attacks in real time.

Hosting malware scanners are not tailored to the CMS & they scan only a limited set of files on your website. You need a scanner that is tailored for your CMS & is updated periodically with new hacks.

Still have a question? Read more FAQ’s or feel free to contact us

Astra is amazing!!! I bought Astra after having used malcare and webarx religiously. I run a digital marketing agency so having web security is extremely important. First I had malcare do a manual cleaning of my site cause they had said there were some malicious code in my site. They send me the email when they complete it and my site is in the clear…so I think. I immediately installed Astra about an hour later on my main site (no client sites yet). Astra did its initial scan and came back with 9 malicious codes installed!

I am thoroughly amazed and impressed by Astra and its abilities let alone the support response time. The report isn’t generalized in any way, it’s extremely specific and detailed about your specific site. This is a must in my opinion if you have any type of website. The security it gives me in knowing that I have a capable company like Astra watching over my site and if something goes wrong they are there to rid the problem. Astra is a major relief and weight of security off my shoulders.

Ferdinand Mehlinger

Owner of Bluoo Digital & Laptop Lyfestyle

WordPress Security Audit & VAPT

This contains all details of tests, pricing & sample WordPress Security Audit report.

Astra Uncovers Security Vulnerabilities in your WordPress Website

The WordPress vulnerability assessment focuses on evaluating the security issues in your website by methodically validating & verifying the effectiveness of security controls. The process involves an active analysis of the WordPress website for any weaknesses, technical flaws, or vulnerabilities.

Comes with 150+ security tests followed by tests tailored to your tech stack & needs.

  • Detailed Code Analysis
  • Business Logic Testing
  • Dedicated Engineer
  • Prevent Credit Card Hack

Our team that has helped to secure

Adobe
Blackberry
Yahoo
Microsoft
AT&T
Buffer App

WordPress Penetration Testing - Features

Vulnerability Assessment and Penetration Testing

Exhaustive VAPT for your WordPress website is performed that would identify security loopholes in the Web Application which could potentially allow a malicious user to gain access to the system or perform malicious operations.

Static & Dynamic Code Analysis

Astra’s Web Application Security Testing is based on the OWASP Testing Methodologies and the OWASP Testing Framework. We perform over 150+ ‘active’ tests that have been classified on the basis of type of vulnerabilities found.

Business Logic Testing

It is the core logic of your WordPress website. Here we check Price Manipulation, Getting More Discounts, Privilege Escalation, Bypass Security Restrictions, Access to Unauthorized Information. You can read more about it here.

Payment Handling & Integration

Checkout Portals and Payment Gateways are thoroughly checked for credit card hacks, formjacking, price manipulation vulnerabilities and more. Such vulnerabilities in a web application’s payment flow directly affects the business. 

Server Infrastructure Testing & DevOps

Securing the perimeter becomes the initial step here. The key activities would involve Auditing Existing Configurations, Ensuring Encryption & Safe Data Storage, Optimizing DevOps Processes & suggesting best practices.

Network Devices Configuration Audit

An assessment of the device patch level, the logging & auditing implementation, authentication mechanisms. Audit based on device configuration, administrative and authentication services, network filtering, protocol analysis.

Testing for Known CVEs

During a WordPress security audit we test for common vulnerabilities and exposures (CVEs). This will ensure that your website is protected from all known vulnerabilities that were exploited in the past.

Assistance in Patching Security Vulnerabilities

Our engineers will share a detailed report with step by step POC (screenshots/videos) and detailed fix information with code/config examples that will help your developer to patch vulnerabilities. 

Dashboard for Vulnerability Reporting

Vulnerabilities are reported on our intuitive dashboard where your developers can interact directly with our security engineers. Also, you can request for a re-scan to ensure that the vulnerability is patched.

Top Security Issues Tested - WordPress Penetration Testing

  • Configuration and Deployment Misconfiguration

    Tests HTTP Methods, HTTP Strict Transport Security, Network/Infrastructure Configuration, Application Platform configuration

  • Application or Framework Specific Vulnerabilities

    We test for all possible major causes of WordPress hacks such as SQLi, XSS, RCE, CSRF, LFI, RFI etc.

  • Broken or Improper Authentication

    Tests for Weak & Guessable passwords, Test for lack of appropriate session Timeouts, User Enumeration, use of default credentials, Account Lockout Policy, Session ID randomness etc.

  • Identifying Technical & Business Logic Vulnerabilities

    We test for OWASP Top 10, WASC Top Threats, etc. and our Testing methodology is based on OWASP Testing Guide v4.

  • Over 150+ Active Security Tests

    Testing for Input Validation issues, SSL issues, Authorization/Authentication issues, security best practices etc.

Astra Pricing For WordPress Penetration Testing

CMS Scan

A comprehensive security audit for your website built with Magento, OpenCart, WordPress and other CMSs. We perform 80+ active tests with the right mix of automated & manual testing.

Be safe from critical issues like CC theft, Malware, Known Exploits, Security Misconfigurations, Vulnerable Plugins & more.

  • Cloud Dashboard
  • Steps to Fix
  • Amazing Support
Flat fee of $499/scan

Business Logic Scan

An in-depth VAPT (Vulnerability Assessment & Penetration Testing) for custom built web-apps or CMSs with custom development. We perform 120+ active tests specific to your tech stack.

We pinpoint Business Logic Errors, Payment Gateway flaws, Price Manipulation Vulnerabilities, Customer Data Theft & more.

  • Security Manager
  • Cloud Dashboard
  • Steps to Fix
Starts from $999/scan

Astra's Rock Solid Security For WordPress

Web Application Firewall

Our Web Application Firewall is highly tailored for WordPress & stops attacks like XSS, SQLi, SEO Spam, RCE, Bad Bots & 100+ types of threats in real time.

On-Demand Malware Cleanup

Astra’s on demand malware scanner is super fast. It detects all malware & backdoors in your WordPress website. You can run scan as per your convenience.

Community Security

Lend a friendly hand to security researchers by running your own Bug Bounty program to reward hackers for finding vulnerabilities in your website.

Frequently Asked Questions

Yes, a security audit is an in-depth exercise that requires hours of effort of human & technology resources. That’s why an upfront payment is expected.

Definitely, once you’ve fixed the vulnerabilities you can request a scan simply by clicking a button on your dashboard. Following which, our engineers are notified and they plan a re-scan. If you are a business plan customer, you get a re-scan every month. If you’ve opted for a security audit separately then one re-scan is available to you.

Not at all, the security audit and VAPT are agnostic of the technology stack and work well on all websites.

You start seeing vulnerabilities reported by us from the day testing is started. You can ask for support in fixing the vulnerabilities for 30-days, starting from the day our engineers finish testing. During these 30 days, our engineers will be available to work with you or your developers and assist them in fixing bugs via the comment system of our dashboard. At any point, if the engineers feel that there is a need for a chat, they’ll be happy to talk to you over a chat too.

Yes, for sure. We assist your developers in fixing the vulnerabilities reported. Your developer can comment under each vulnerability if they have any questions regarding the fixation process.

Definitely, we test mobile apps too. You can learn more about them here.

Still have a question? Read more FAQ's or drop us a message in the chat box
