Removing Malware From WordPress And Hardening

It feels bad when you open your site as usual and the browser is blocking it because it contains malware, and your daily visitors have dropped to zero. There is no need to worry: follow the steps discussed in this article and you can get rid of the malware within a few hours. Moreover, if you implement all the given steps, you will also protect your WordPress site from future attacks.

How does malware enter a WordPress site and what does it do?

WordPress is unbreakable in an ideal condition. WordPress without plugins is like a home without furniture, so plugins are necessary to extend WordPress functionality. The WordPress team is not responsible for the security of plugins, so plugins can contain security bugs, which is why WordPress is mostly hacked through vulnerabilities in plugins. Hackers exploit those vulnerabilities and inject malware into your site. This malware can contain download links to malicious software, or drive-by exploits that download and execute automatically and can affect visitors. To keep visitors safe, Google and browsers block access to that site.

How to remove malware?

Most of the time, malware is injected into all JS or PHP files, so it is very difficult to go through each file and remove the infected code. This process also carries the risk of removing core code. WordPress contains 3 directories.


All custom work is done in the wp-content directory, as all themes and plugins exist in this directory. The other 2 directories are ideally the same as downloaded from

Before starting malware removal work, take a backup of the wp-content directory and the database for safety, and also temporarily switch off your WordPress. Now you can remove the malware in the following 5 steps.

  1. Delete all WordPress files except the wp-content directory, .htaccess and wp-config.php.
  2. Download a fresh copy of WordPress of the same version, extract it and replace all the files that were deleted.
  3. Manually review the .htaccess and wp-config.php files for any malicious code and remove it if found. Now only theme and plugin files are left. Remove the default themes that are not in use (i.e. twentyten, twentyeleven etc.) from the themes directory. Remove unused plugins from the plugins directory.
  4. Only your main theme and plugins are left to be cleaned. Reinstall all remaining plugins by re-downloading them, making sure no custom changes were made to the previous copies, or it will affect your site’s functionality. Re-upload your theme files, making sure no custom changes were made to them. You don’t need to worry about content and theme settings because they are stored in the database, and we haven’t changed the database. If any changes were made to plugin or theme files in the past, you must not replace the edited files with fresh ones. Review the edited files manually and remove any malicious code you find.
  5. Log in to your WordPress admin panel and update all plugins. Plugins that are bundled with a theme mostly do not show an update option, so you have to make sure yourself that all plugins are up to date.
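
To confirm that steps 1 and 2 left only genuine core files outside wp-content, the cleaned site can be compared with the fresh copy. This is an added example, not code from the original article; the function name core_diff and its output labels are this example's own.

```shell
#!/bin/sh
# Added example (not from the article): verify steps 1-2 by comparing the
# cleaned site with a freshly extracted WordPress of the same version.
#
# core_diff FRESH_DIR SITE_DIR prints one line per finding:
#   EXTRA    path  only in the site, so not a core file (review or delete)
#   MODIFIED path  in both trees but the content differs
#   MISSING  path  core file that was not restored
# wp-content, .htaccess and wp-config.php are skipped: the procedure keeps
# them and reviews them by hand in steps 3-4.
core_diff() (
    fresh=$1
    site=$2

    # Pass 1: every site file outside the hand-reviewed paths.
    (cd "$site" && find . -type f ! -path './wp-content/*' \
        ! -path './.htaccess' ! -path './wp-config.php' | sort) |
    while IFS= read -r rel; do
        if [ ! -f "$fresh/$rel" ]; then
            echo "EXTRA ${rel#./}"
        elif ! cmp -s "$fresh/$rel" "$site/$rel"; then
            echo "MODIFIED ${rel#./}"
        fi
    done

    # Pass 2: core files that the site is missing.
    (cd "$fresh" && find . -type f ! -path './wp-content/*' | sort) |
    while IFS= read -r rel; do
        [ -f "$site/$rel" ] || echo "MISSING ${rel#./}"
    done
)

# Typical call (both paths are placeholders):
#   core_diff /tmp/wordpress-fresh /home/USER/public_html
```

An empty result means every file outside the hand-reviewed paths is byte-identical to the fresh download.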

Remove general backdoors

You are now done with removing malware. Next you need to remove general backdoors through which hackers can come back. Remember that when hackers broke into your site, they may have taken a database dump and a copy of your wp-config.php file, which contains your database username and password. With the database dump, they can crack your admin password and come back again, so you must change your admin password as well. You can remove general backdoors with the following steps.

  • Go to “Users” in the WordPress admin dashboard and make sure only you and known users are Administrators; remove any unknown admin user.

  • Go to your MySQL user setup in cPanel and change the password of the MySQL user that owns your WordPress database. Edit your wp-config.php file and replace the old password with the new one.
  • Set the wp-config.php file permission to 400 if your site is hosted on a Linux shared server. This prevents symlink attacks on shared servers with poor security, where hacking one site can lead to all other sites hosted on the same server being hacked. Giant hosts like GoDaddy, Bluehost, HostMonster etc. are secured against symlink attacks.
  • Do not share the WordPress database with any custom script. Keep the WordPress database separate, under a unique MySQL user and a unique database. Suppose you are using a custom PHP script that is vulnerable to SQL injection and the database used by that script is under the same user as the WordPress database: hackers can then hack your WordPress through the SQL injection in the custom script.
  • Do not use nulled themes, because 99% of nulled themes contain malware and backdoors. Spending a few bucks on a theme can save thousands in the future.

Hardening WordPress

This is the final step, which gives your WordPress bulletproof security. It consists of the following steps.

  • Password protect admin directory with an extra login layer

It prevents brute-force attacks and also stops hackers who already know your WordPress admin password. You can add this security layer by generating .htpasswd content with an htpasswd generator. Copy the generated text into a file and name it “.htpasswd”. Upload that file to the wp-admin directory. Create a “.htaccess” file in the wp-admin directory and add this code to it.

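AuthType Basic
AuthName "Only Admin Allowed"
AuthUserFile /server/path/to/wp-admin/.htpasswd
Require valid-user
# admin-ajax.php is requested by front-end code, so it stays reachable without the extra login
<Files admin-ajax.php>
Order allow,deny
Allow from all
Satisfy any
</Files>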

Sometimes .htpasswd causes a redirect loop, so the wp-admin directory is not loaded correctly. To counter this issue, add this code at the end of the .htaccess file in the wp-admin directory.

ErrorDocument 401 default

Thus your wp-admin directory is protected by another login layer. You need to log in through this layer first to proceed to your WordPress admin login.


  • Prevent direct access to PHP files in wp-content directory

WordPress ideally works through the main index.php file in the root directory. PHP files in the wp-content directory are not meant to be accessed directly. So you need to restrict PHP files in the wp-content directory by creating a “.htaccess” file in the wp-content directory and adding this code to it.

# Deny direct requests for any PHP file under this directory
<Files *.php>
Order Deny,Allow
Deny from all
Allow from
</Files>

It will not allow any PHP file in the wp-content directory to be accessed directly. Sometimes the CSS and JS files of a theme are loaded through a PHP file, or some other exceptional file stops working because of this method. In that case you can add an exception to the .htaccess in the wp-content directory by adding this code.

<Files CSS-JS-loading-script.php>
Order allow,deny
Allow from all
Satisfy any
</Files>

This is just like the exception we added for admin-ajax.php in the password protection method. If there are more exceptional files, copy and paste the above code again into the .htaccess in the wp-content directory and replace the file name with the name of that exceptional file.
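
The hardening steps above, together with the wp-config.php permission from the backdoor list, can be verified with a short script. This is an added example, not part of the original article; the function name audit_hardening and its messages are assumptions of this example, and it relies on GNU stat as found on Linux hosts.

```shell
#!/bin/sh
# Added example (not from the article): check that the hardening steps are
# actually in place. audit_hardening SITE_DIR prints one FAIL line per
# problem and returns non-zero if there is any. Uses GNU stat (Linux).
audit_hardening() (
    site=$1
    fails=0
    fail() { echo "FAIL $1"; fails=$((fails + 1)); }

    # wp-config.php must be mode 400 (owner read-only).
    mode=$(stat -c '%a' "$site/wp-config.php" 2>/dev/null || true)
    [ "$mode" = 400 ] ||
        fail "wp-config.php mode is ${mode:-unknown}, expected 400"

    # wp-admin needs the Basic-auth layer and an existing password file.
    ht=$site/wp-admin/.htaccess
    grep -qi '^[[:space:]]*AuthType[[:space:]]*Basic' "$ht" 2>/dev/null &&
        grep -qi '^[[:space:]]*Require[[:space:]]*valid-user' "$ht" ||
        fail "wp-admin/.htaccess does not enable Basic auth"
    pw=$(sed -n 's/^[[:space:]]*AuthUserFile[[:space:]]*//p' "$ht" \
        2>/dev/null | head -n 1)
    [ -n "$pw" ] && [ -f "$pw" ] || fail "AuthUserFile target not found"

    # wp-content must deny direct requests for PHP files.
    hc=$site/wp-content/.htaccess
    grep -qi '^[[:space:]]*<Files[[:space:]].*\*\.php' "$hc" 2>/dev/null &&
        grep -qi '^[[:space:]]*Deny[[:space:]]*from[[:space:]]*all' "$hc" ||
        fail "wp-content/.htaccess does not block *.php"

    # An unclosed <Files> section is a syntax error: Apache then answers
    # every request in that directory with HTTP 500.
    for f in "$ht" "$hc"; do
        [ -f "$f" ] || continue
        open=$(grep -ci '^[[:space:]]*<Files[[:space:]]' "$f" || true)
        close=$(grep -ci '^[[:space:]]*</Files>' "$f" || true)
        [ "$open" -eq "$close" ] ||
            fail "${f#"$site"/}: $open <Files> but $close </Files>"
    done

    [ "$fails" -eq 0 ]
)
```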

Do Security Plugins Help Secure a Website?

Sometimes yes, but mostly no. Security plugins like Wordfence update themselves with the latest public exploits, so when an attack is made using a public exploit, they stop it. But what about private exploits? Let's say I got the wp-config.php file through a symlink attack and I connect to the victim’s database using the credentials in that wp-config.php file, so I can easily switch off security plugins from the database. Thus I can easily upload my backdoors through the admin panel.

Expert in PHP, Wordpress and Web Security Analyst
  • Kevin Kibue Kariuki

    Nice article, thanks a lot