
Repairing An Unquarantined WP Site | Malware Removal 102

Navigate to File Manager in the Advanced section and select your website root directory (public_html) from the list of folders at the top of the screen. Back up your public_html directory in the same way as with the quarantined copies. You can download it and then uncompress it in order to use individual files. Confused? See part one.

  1. Download the backup to your local hard drive, but don’t open it. Return to cPanel. Two areas are common places for hackers to put malware: your root folder, /public_html, and your actual content directory, /wp-content. It’s worth drilling into all the directories, including /plugins.
  2. Examine each folder and look for any suspicious code or files that could be associated with malware. If you find them, delete or modify them. Highlight each file and use the cPanel ‘edit’ feature to view and inspect it.
  3. Also, you want to search for files other than core WordPress files. If you need a list to work from, consider downloading a copy of WordPress at wordpress.org/download. After unzipping the file, cross-reference its file list against what is in your compromised root folder. There are many examples of such files: .htaccess, index.php, web.config, wp-cron.php and others.
  4. What are you looking for? Hacked code usually looks like gibberish. You’ll find entirely new file names such as lead.php with inexplicable code, e.g. `function uiRtviVVj59T7($ert755) { $tgu88=ti889base22_decode($ft5yyU);`. There can be 30 to 100 lines of code like this. Ordinary code is written with comments; it’s easy to understand where the functions are called, and their descriptions make sense.
  5. To prevent malicious actors from gaining access to your site in the future, change FTP or SSH passwords.
  6. You can scan your website with an online scanner, such as Sucuri SiteCheck, to make sure that there is no additional malware.

Understanding How Malware Works

It’s important to understand how website malware can get onto a website in the first place so you can prevent it from happening again. Malware can spread in many different ways. These include compromised credentials, vulnerable software, third-party modifications, third-party integrations, shared hosting contamination, social engineering (phishing), as well as server-level infection. Here’s more information on each type.

  1. Compromised credentials: Stolen login information (usernames and passwords) can give hackers access to your website. It’s important to regularly change website credentials, especially for accounts with administrative privileges.
  2. Vulnerable software: Websites running older software versions are more susceptible to attack by malicious actors. Therefore, webmasters must ensure that their website software is always up to date.
  3. Third-party modifications: Site components purchased from or modified by criminals can contain hidden malicious code. It’s important to only download website components from trusted sources and to check them for malicious content before installing them on a website.
  4. Third-party integrations: Websites can be infected with malware by malicious actors who abuse third-party plugins and services, such as those for social media. Webmasters need to regularly update and check all third-party integrations, and remove unnecessary ones.
  5. Cross-site contamination on shared hosting: Shared hosting servers can allow viruses and malware to spread from one website to another. Webmasters need to be mindful of security issues on websites that are hosted on the same server.
  6. Phishing (social engineering): Fraudulent actors often resort to phishing to get access to private data or website credentials. It’s important for webmasters to educate themselves on phishing techniques and be vigilant when clicking on suspicious links or emails.
  7. Server-level infection: Malicious actors may use exploits that give them access to web servers. This allows them to plant malware on every website located on the server. Webmasters need to keep their websites’ software current and periodically scan them for suspicious activity.

Removal of Website Malware By SSH

Secure Shell (SSH) is another alternative if you don’t have access to cPanel. SSH is a protocol for secure connections that allows you to connect to remote servers using the command-line interface (CLI).

Log in with an SSH client (such as PuTTY), then navigate to the desired directory using commands such as `cd` and `ls`. Use command-line tools such as `grep` to locate suspicious content and `rm [filename]` to remove it. Follow these steps to find and remove malicious content from your site, and be sure to check the same directories outlined previously.

  1. Log into your website via SSH with the root credentials.
  2. Navigate to the website’s home directory and run the following command to identify any malicious software on the website: `find . -name "*.php" -exec grep -Hn "{malicious code}" {} \;` (replace `{malicious code}` with the string you are looking for). It will identify any matching code on the site, along with the file and line number where it occurs.
  3. Open each file the command reports and modify or delete the malicious code.
  4. Passwords must be reset for any user account that is associated with the site.
  5. Update website software, including the website’s content management system (CMS) and any plugins or themes. Make sure that every component of your website is up to date. 
  6. To prevent malicious actors from gaining access to your site in the future, change FTP or SSH passwords.
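The two checks described above, cross-referencing the site root against a clean WordPress download (cPanel step 3) and grepping PHP files for the kind of obfuscated code shown in step 4 (the SSH `find`/`grep` step), can be scripted. The following is an added example, not code from the original post; it builds a small constructed directory tree so it runs stand-alone, and the suspicious-pattern list (`base64_decode`, `eval(`, `gzinflate`, `str_rot13`) is an assumption chosen to match the gibberish-style code the post describes.

```shell
#!/bin/sh
# List files present in the site root that do not exist in the clean copy.
# Usage: extra_files <site_root> <clean_wp_root>
extra_files() {
  site="$1"; clean="$2"
  ( cd "$site" && find . -type f -print | sort ) > "/tmp/site_files.$$"
  ( cd "$clean" && find . -type f -print | sort ) > "/tmp/clean_files.$$"
  # comm -23: lines only in the first file, i.e. files that are not part of core
  comm -23 "/tmp/site_files.$$" "/tmp/clean_files.$$"
  rm -f "/tmp/site_files.$$" "/tmp/clean_files.$$"
}

# List PHP files under a directory containing common obfuscation primitives.
# This mirrors the post's find/grep step with an assumed pattern list.
suspicious_php() {
  find "$1" -name '*.php' -type f \
    -exec grep -lE 'base64_decode|eval\(|gzinflate|str_rot13' {} \;
}

# Build a constructed demo tree: a "clean" WordPress-like copy and a "site"
# copy that additionally contains an injected file named lead.php.
make_demo() {
  root=$(mktemp -d)
  mkdir -p "$root/clean/wp-content/plugins" "$root/site/wp-content/plugins"
  for d in clean site; do
    printf '<?php\n// core loader (constructed stub)\nrequire "wp-settings.php";\n' \
      > "$root/$d/index.php"
    printf '<?php\n// plugin stub (constructed)\n' \
      > "$root/$d/wp-content/plugins/hello.php"
  done
  # Constructed injected file in the style the post describes (no real payload).
  printf '<?php\nfunction a1($x){return eval(base64_decode($x));}\n' \
    > "$root/site/wp-content/plugins/lead.php"
  echo "$root"
}

# Stand-alone run: show the extra file and the file flagged by the pattern scan.
demo=$(make_demo)
echo "Files not in clean copy:"; extra_files "$demo/site" "$demo/clean"
echo "Suspicious PHP files:";   suspicious_php "$demo/site"
rm -rf "$demo"
```

Run `extra_files /path/to/public_html /path/to/clean/wordpress` on a real site to get the list of files to inspect by hand; a file appearing in both outputs deserves the closest look.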

Follow these simple steps to remove malware from your website and stop it from happening again. Website administrators should ensure their sites are secure by regularly updating website components, changing passwords, and becoming aware of phishing tactics.