Fixing Your Hacked WordPress Site Using Sucuri

WordPress hacking is happening at an alarming rate.

Even this site is constantly being attacked by unscrupulous people all over the world, each attacker with their own motive.

One of the toughest things about getting hacked is figuring out how to undo the damage and get back to normal, on top of the fear and anxiety of watching your dreams, your hard work and your reputation go up in smoke.

I’ve had my WordPress sites hacked in the past, and it’s a tough job to recover from. I’ve tried everything from deleting and reinstalling, to backing up and restoring, to digging into the file system and database and exporting and re-importing the database. The best solution I have found is a combination of manual database editing and a powerful tool called Sucuri.

At the base of it all, WordPress is simply a PHP-driven website with a MySQL database backend. Whether you’re using shared or dedicated hosting, the architecture is the same: the PHP files live on disk, and your posts, pages, widgets and settings live in the database.

One of the most common ways a WordPress site is infected is by injecting a payload (typically obfuscated JavaScript) into the database, for example into post content, widget text or an option value, so that it is served on every page. Malicious PHP can also be planted in theme or plugin files, which is why the file-change audit described below matters too, but this article focuses on the database case. A database injection on its own is very difficult to find, and just as difficult to remove safely without breaking your site.

The good news is that such payloads come with a recognisable signature. It typically appears as a long run of comma-separated numbers such as 98, 34, 23, 45, and so on, the hallmark of JavaScript that has been obfuscated so it decodes itself at runtime. Without the proper tools it would still be difficult to locate in a large database. Here is where Sucuri comes in.

The first step is to install the Sucuri plugin from within WordPress. Go to Plugins, then Add New, and search for Sucuri.

Click Install Now, then Activate.

Sucuri Installer WordPress

Once installed and activated, you will see Sucuri Security in the left-hand menu. From there you can navigate to the dashboard, which shows everything going on related to your website. Sucuri will also start sending you emails about failed and successful login attempts, including the IP address each attempt came from.

Sucuri Dashboard

The dashboard shows recent file changes and will indicate whether your site has issues. The audit logs are very useful for seeing which files were modified recently, so you can check whether any malware was injected into them; an unexpected change to a theme or plugin file is a strong signal on its own.

Sucuri Audit Window

The section reading “site is not clean” is the first place to look.

Sucuri Site Not Clean Error

Hovering over the entry shows the malware signature that was detected. This signature is what you will search for in order to remove the malicious code.

Sucuri Malware Payload

Because this kind of string is distinctive and not the sort of text you would normally see in your WordPress posts, you can search your database for even a part of it and remove the injected piece. Noting down three consecutive numbers, commas included, is usually enough to find it. Pick a longer run if the first search returns hits in content you know is legitimate, and review every hit before deleting anything, because a short run of digits can occasionally appear in real content such as a price list or a serialised setting.

The next step is to go to your database and search for these numbers. To do that, you first need to find out which database your site uses. This tutorial assumes you are on shared hosting with cPanel, so open cPanel and go to File Manager.

cPanel File Manager

In your site’s document root, find the file wp-config.php.

cPanel File Explorer wp-config.php

Open the file (view it, don’t edit it) and you will find your database name, along with the username and password used to access the database, in the DB_NAME, DB_USER and DB_PASSWORD lines. The $table_prefix line tells you which tables belong to this site, which matters if the database is shared with other installs.

Before touching anything, take a full backup of the database so that a mistaken edit can be undone. Then go back to cPanel and open phpMyAdmin.

cPanel phpMyAdmin

After selecting your database name on the left, select the Search button.

Removing Malware using phpMyAdmin and Sucuri

In the search box, enter three consecutive numbers from the payload exactly as they appear, commas included (for example 98,34,23 rather than 98, 34, 23, since a stray space will miss the match). Don’t forget to select all tables to search in, because the injection may be in wp_posts, wp_options or elsewhere, and the same payload is often copied into post revisions as well.

Removing Malware using phpMyAdmin and Sucuri

The search comes back with the table(s) and the number of matching rows in each.

Removing Malware using phpMyAdmin and Sucuri

Select Browse and you will see the malicious code inside the affected field. Carefully delete only the injected portion, typically a single `<script>...</script>` element appended to otherwise normal content, and leave the rest of the field intact rather than deleting the whole row or post. Repeat for every hit the search returned, then run the search again to confirm nothing remains.
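The steps above (read the credentials out of wp-config.php, search every table for a fragment of the signature, then remove only the injected script from each matching field) can be scripted. The following is an added example, not code from the original post or from Sucuri; it uses an in-memory SQLite database with constructed rows as a stand-in for the site’s MySQL database so that it runs offline, and the wp-config.php text, the signature `98,34,23` and the script contents are all constructed for the example.

```python
import re
import sqlite3

# Constructed sample wp-config.php fragment (not a real site's file).
WP_CONFIG = """<?php
define( 'DB_NAME', 'example_wp' );
define( 'DB_USER', 'example_user' );
define( 'DB_PASSWORD', 'example-secret' );
define( 'DB_HOST', 'localhost' );
$table_prefix = 'wp_';
"""

# Three consecutive numbers copied from the Sucuri report, commas included
# (constructed value for this example).
SIGNATURE = "98,34,23"

# A whole <script>...</script> element; non-greedy so adjacent scripts stay separate.
SCRIPT_RE = re.compile(r"<script\b.*?</script>", re.IGNORECASE | re.DOTALL)


def parse_wp_config(text):
    """Return the DB_* constants and the table prefix from a wp-config.php file."""
    creds = dict(re.findall(r"define\(\s*'(DB_\w+)'\s*,\s*'([^']*)'\s*\)", text))
    m = re.search(r"\$table_prefix\s*=\s*'([^']*)'", text)
    creds["table_prefix"] = m.group(1) if m else "wp_"
    return creds


def strip_injected_script(content, signature):
    """Remove only the <script> elements that contain the signature.

    Everything else in the field (the real post content) is left untouched.
    Returns (cleaned_content, number_of_scripts_removed).
    """
    removed = 0

    def repl(m):
        nonlocal removed
        if signature in m.group(0):
            removed += 1
            return ""
        return m.group(0)

    return SCRIPT_RE.sub(repl, content), removed


def find_hits(conn, signature):
    """Search every column of every table for the signature, like phpMyAdmin's
    'search all tables' (LIKE '%...%'). Returns [(table, column, rowid), ...]."""
    hits = []
    tables = [r[0] for r in conn.execute(
        "SELECT name FROM sqlite_master WHERE type = 'table'")]
    for table in tables:
        columns = [r[1] for r in conn.execute(f"PRAGMA table_info({table})")]
        for col in columns:
            rows = conn.execute(
                f"SELECT rowid FROM {table} WHERE {col} LIKE ?",
                ("%" + signature + "%",)).fetchall()
            hits.extend((table, col, rowid) for (rowid,) in rows)
    return hits


def clean_database(conn, signature):
    """Strip the injected script from each matching field; return scripts removed."""
    removed_total = 0
    for table, col, rowid in find_hits(conn, signature):
        (value,) = conn.execute(
            f"SELECT {col} FROM {table} WHERE rowid = ?", (rowid,)).fetchone()
        cleaned, removed = strip_injected_script(value, signature)
        if removed:
            conn.execute(f"UPDATE {table} SET {col} = ? WHERE rowid = ?",
                         (cleaned, rowid))
            removed_total += removed
    conn.commit()
    return removed_total


def build_sample_db():
    """Constructed stand-in for the MySQL database: one infected row per table,
    plus clean rows (including one with spaced digits) that must survive."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE wp_posts (ID INTEGER PRIMARY KEY, post_content TEXT)")
    conn.execute("CREATE TABLE wp_options (option_id INTEGER PRIMARY KEY, "
                 "option_name TEXT, option_value TEXT)")
    # Constructed payload shape, not functioning malware.
    infected = ("<p>Welcome to my site.</p>"
                "<script>var _0x=[98,34,23,45,12,77];eval(_0x);</script>")
    conn.executemany("INSERT INTO wp_posts VALUES (?, ?)", [
        (1, infected),
        (2, "<p>Prices: 98, 34, 23 dollars.</p>"),   # legitimate, spaced: no match
        (3, "<p>Nothing to see here.</p>"),
    ])
    conn.executemany("INSERT INTO wp_options VALUES (?, ?, ?)", [
        (1, "siteurl", "https://example.com"),
        (2, "widget_text", "Footer text<script>x=[98,34,23,45];</script>"),
    ])
    conn.commit()
    return conn


if __name__ == "__main__":
    print(parse_wp_config(WP_CONFIG))
    conn = build_sample_db()
    print("hits before:", find_hits(conn, SIGNATURE))
    print("scripts removed:", clean_database(conn, SIGNATURE))
    print("hits after:", find_hits(conn, SIGNATURE))
```

Against a real site you would connect to MySQL with the credentials `parse_wp_config` returns (using a MySQL client library in place of `sqlite3`, and the table's primary key in place of SQLite's `rowid`), after taking a `mysqldump` backup. Two details to keep in mind: `%` and `_` are wildcards in `LIKE`, so a signature fragment containing them must be escaped, and the search is deliberately run again after cleaning so that a copy of the payload in a post revision or a second option row is not missed.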

Removing Malware using phpMyAdmin and Sucuri

Now open a browser and navigate to your site; clear any caching plugin or server-side cache first, or the old page may still be served. You should no longer see the malicious code. You can also return to your Sucuri dashboard, run a fresh scan, and look for this window:

Sucuri Site Clean

Removing the payload is only half the job: if the hole it came through is still open, the injection will come back, so update WordPress, your themes and plugins, and change the passwords you found along the way. Sucuri is a fantastic tool that can help you remove malware; however, if you’re having trouble, please don’t hesitate to reach out to me, as I’d be more than happy to assist.

Until next time, stay safe online.
