There are different ways to handle this kind of problem, and we’ll explore them shortly. However, sometimes the best option is to dig into your site’s files and remove the malware yourself.
In this guide, we’ll explain how to search for and remove malware code from your website. We’ll use a WordPress site as an example. You don’t need to be a professional developer to follow along, but having some basic coding knowledge—especially about PHP, the language WordPress uses—will make it easier to spot malicious code.
How to Avoid Removing Malware from Your Website by Hand
Manually removing malware can be tricky and time-consuming. It’s hard to tell the difference between harmful malware and the normal code your site needs to work. Hackers also hide malware in clever ways, so you might spend hours cleaning your site only to miss a hidden backdoor that reinfects it.
The best solution is to prevent malware infections altogether. Here’s how you can keep your site safe:
- Keep everything updated: Regularly update your website, plugins, and themes. Turn on automatic updates whenever possible.
- Be careful with plugins and themes: Only download from trusted sources. Avoid using nulled or pirated software—they often contain malware.
If malware does get into your site, automatic tools can make the cleanup much easier. For example:
- Use malware scanners: cPanel & WHM offers the free ImunifyAV scanner, which you can install from WHM’s Security Center. It scans for malware and shows you where the problem is.
- One-click removal: Upgrade to ImunifyAV+ to remove malware with a single click.
Another great way to protect your site is by keeping regular backups. If you suspect malware, you can restore your site to a recent clean version. Tools like cPanel’s WP Toolkit or WordPress backup plugins make it simple to create and restore backups.
But if you don’t have a backup, you’ll need to manually clean your site by replacing the infected files. That’s why staying prepared with backups and using security tools can save you a lot of trouble.
How to Manually Remove Malware from a WordPress Site
In this guide, we’ll focus on WordPress because it’s the most popular content management system (CMS). However, you can use a similar approach for other CMS platforms and eCommerce websites.
Before we begin, it’s important to note something critical: this guide assumes that only your website is infected, not your hosting server. If attackers have compromised the server, they may have installed advanced malware like rootkits, which makes it impossible to trust any of the tools or software on the server. In such cases, manual cleaning may not work, and you’ll need professional help.
Steps to Prepare Before Removing Malware
- Take your site offline: Use tools like WP Toolkit’s maintenance mode to ensure visitors don’t access the infected site and risk further harm.
- Create a backup: Back up your site before making any changes to the code or database.
- Enable debug mode: Turn on WordPress debug settings to display error messages if something goes wrong during the process. Debugging helps pinpoint issues and can be enabled via tools like cPanel’s WP Toolkit.
Step 1: Identify Recently Modified Files
Malware is often hidden in recently changed files. To find these, log in to your server through SSH or open the Terminal in cPanel (under the Advanced section). Navigate to your website’s directory, usually located in public_html or a subfolder within it.
Run this command to list PHP files modified in the past seven days:
```
find . -name '*.ph*' -mtime -7
```
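The results will show recently modified PHP files. For example, you might see wp-config.php at the top of the list. This file could be a target for malware. Treat the list as a starting point rather than a complete inventory: modification times can be reset, so an old timestamp does not prove a file is clean.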
Step 2: Check for Malicious Code
Open the suspicious file using a text editor. If you prefer not to use the command line, you can edit the file directly in cPanel’s File Manager by selecting the file and clicking Edit. Look for the following warning signs:
- Unusual coding styles: Lines of code that are excessively long, messy, or improperly formatted.
- Obfuscated code: Code that’s hard to read, with long strings of random characters and numbers. While some legitimate code may look this way, such as configuration hashes, it can also indicate malware.
- Suspicious URLs: Most URLs in your site’s files should relate to your website. Strange, lengthy, or unfamiliar URLs may point to malicious servers controlled by attackers.
If you find any of the above, investigate further or consult a professional. Identifying and removing malware manually requires attention to detail, so be thorough to avoid missing any threats.
Example:
```php
 *
 * @package WordPress
 */

// ** MySQL settings - You can get this info from your web host ** //
/** The name of the database for WordPress */
define('WP_CACHE', true);
define( 'WPCACHEHOME', '/home/user/public_html/wp-content/plugins/wp-super-cache/');
define('DB_NAME', 'user_wp_haike' );


/** MySQL database username */
define('DB_USER', 'user_wp_0xkvu' );

/** MySQL database password */
define('DB_PASSWORD', 'Fh^w^xn4k7Bo~3% X' );

/** MySQL hostname */
define('DB_HOST', 'localhost:3306' );

/** Database Charset to use in creating database tables. */
define('DB_CHARSET', 'utf8' );

/** The Database Collate type. Don't change this if in doubt. */
define('DB_COLLATE','');


$malware = file_get_contents("SSBhbSBtYWxpY2lvdXMgY29kZSBhbmQgSSB3YW50IHRvIHNOZWFsIGFsbCB5b3VyIHNlY3JldHMuIFlvdSBzaG91bGQgcmVwbGFjZSB0aGlzIGZpbGUgd210aCBhIGNsZWFuIHZlcnNpb24gZG93bmxvYWRlZCBmcm9tIFdvcmRQcmVzcy5jb20=");

/**
 * Authentication Unique Keys and Salts.
 * Change these to different unique phrases!
 * You can generate these using the {@link https://api.wordpress.org/secret-key/1.1/salt/ WordPress.org secret-key service}
```
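The three warning signs from Step 2 can be searched for across every file that the Step 1 `find` pattern matches. The script below is an added example, not part of the original guide: the function names, the length thresholds and the site domain `example.com` are assumptions, and the sample files are constructed.

```sh
#!/bin/sh
# Added example, not from the original guide. Heuristics only: every hit needs
# human review, and an empty report does not prove the site is clean.

# php_grep DIR GREP_ARGS... : run grep over the same files as the guide's find
php_grep() {
  d=$1; shift
  find "$d" -type f -name '*.ph*' -exec grep -HnE "$@" {} +
}

# scan_php DIR SITE_DOMAIN : print one "file:line:INDICATOR[:detail]" per hit
scan_php() {
  dir=$1
  dom=$(printf '%s' "$2" | sed 's/\./\\./g')   # escape dots for the regex
  {
    # Excessively long lines (the 400-character threshold is an assumption)
    php_grep "$dir" '.{400,}' | cut -d: -f1,2 | sed 's/$/:LONG_LINE/'
    # Long runs of base64-alphabet characters (80 or more is an assumption)
    php_grep "$dir" '[A-Za-z0-9+/]{80,}' | cut -d: -f1,2 | sed 's/$/:ENCODED_BLOB/'
    # URLs whose host is neither the site's own domain nor wordpress.org
    php_grep "$dir" -o 'https?://[A-Za-z0-9.-]+' |
      sed -E 's#:https?://#:FOREIGN_URL:#' |
      grep -vE ":FOREIGN_URL:([A-Za-z0-9-]+\.)*($dom|wordpress\.org)\$"
  } | sort -u
}

# make_sample : build a small constructed tree and print its path
make_sample() {
  t=$(mktemp -d)
  blob=$(printf '%0100d' 0 | tr 0 A)   # constructed 100-character stand-in blob
  printf '%s\n' '<?php' "define('DB_HOST', 'localhost:3306');" \
    "\$x = file_get_contents(\"$blob\");" \
    '// loads https://cdn.attacker.invalid/a.js' > "$t/wp-config.php"
  printf '%s\n' '<?php' \
    '// https://developer.wordpress.org/ and https://www.example.com/' > "$t/index.php"
  echo "$t"
}

# Demo run on the constructed sample
sample=$(make_sample)
scan_php "$sample" example.com
rm -rf "$sample"
```

On a real site, run `scan_php . yourdomain.tld` from the site's directory and read each reported line in context before changing anything.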
How to Replace Infected Files and Remove Malware
Malicious code can sometimes be hard to spot. A good way to identify it is by comparing your website’s files with original, clean versions. Here’s how to do it:
1. Get clean copies of files:
- Download the same version of WordPress from WordPress.org.
- If a plugin or theme is suspicious, download a fresh version from the developer’s site or the WordPress repository.
2. Compare the files:
- Open the clean files and compare them to the ones on your site.
- The files won’t always match perfectly, but pay close attention to anything unusual or different.
3. Replace infected files carefully:
- Swap infected files with clean versions by using cPanel’s File Manager. Delete the infected file, then upload the clean one.
- Be cautious with files like wp-config.php. This file contains important configuration data for your site and database. If you replace it with a new version, your site may stop working.
4. Check before replacing configuration files:
- If you’re unsure about a file’s purpose, check the WordPress documentation.
- For configuration files, copy the necessary data from the infected file to the clean one while making sure no malicious code is transferred.
5. Verify after every change:
- Test your site after replacing each file to ensure it still works. This way, if something breaks, you’ll know which file caused the problem.
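The comparison in steps 1 to 4 can be done for a whole directory tree at once instead of file by file. The script below is an added example, not part of the original guide: the function names and status labels are assumptions and the two sample trees are constructed. It marks wp-config.php and anything under wp-content/ for hand review, since a clean WordPress download cannot contain the site's own versions of them.

```sh
#!/bin/sh
# Added example, not from the original guide: list what differs between a
# clean download and the live site before anything is replaced.

# compare_trees CLEAN SITE : print "STATUS ./relative/path" per difference
compare_trees() {
  clean=$1; site=$2
  a=$(mktemp); b=$(mktemp)
  (cd "$clean" && find . -type f | LC_ALL=C sort) > "$a"
  (cd "$site"  && find . -type f | LC_ALL=C sort) > "$b"
  # Files only on the site. wp-config.php and wp-content/ are expected there,
  # so they are marked for hand review instead of replacement.
  LC_ALL=C comm -13 "$a" "$b" | sed -e 's/^/EXTRA /' \
    -e 's#^EXTRA \(\./wp-config\.php\)$#SITE_SPECIFIC \1#' \
    -e 's#^EXTRA \(\./wp-content/\)#SITE_SPECIFIC \1#'
  # Files the clean copy has but the site lacks
  LC_ALL=C comm -23 "$a" "$b" | sed 's/^/MISSING /'
  # Files present in both trees whose bytes differ
  LC_ALL=C comm -12 "$a" "$b" | while IFS= read -r f; do
    cmp -s "$clean/$f" "$site/$f" || echo "MODIFIED $f"
  done
  rm -f "$a" "$b"
}

# make_trees : build constructed clean/ and site/ trees and print their parent
make_trees() {
  base=$(mktemp -d)
  mkdir -p "$base/clean/wp-includes"
  echo '<?php // index'  > "$base/clean/index.php"
  echo '<?php // loader' > "$base/clean/wp-includes/load.php"
  cp -R "$base/clean" "$base/site"
  echo '// line added by an intruder' >> "$base/site/wp-includes/load.php"
  echo '<?php // dropped file'        >  "$base/site/wp-includes/wp-tmp.php"
  echo "<?php define('DB_NAME', 'wp');" > "$base/site/wp-config.php"
  echo "$base"
}

# Demo run on the constructed sample
t=$(make_trees)
compare_trees "$t/clean" "$t/site"
rm -rf "$t"
```

EXTRA files inside wp-admin/ or wp-includes/ deserve the closest look, because a stock WordPress release accounts for every file in those directories. Where WP-CLI is installed, `wp core verify-checksums` performs the core-file part of this check against the checksums published by WordPress.org.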
A Few Things to Remember
Manually removing malware is a slow and careful process, and it’s not always guaranteed to catch everything. However, it can be a lifesaver when automated tools or backups fail.
We’re here to help if you have questions or need support. Feel free to share your feedback or concerns so we can assist you better.