Having your WordPress website hacked is a frightening and horrible experience that can leave you feeling violated and in a panic. In such a situation, the best thing to do is take a deep breath and proceed with a cool and pragmatic approach. Install one of the listed WordPress malware removal plugins, scan your site and move beyond your site’s issues.
You may be asking yourself, why has this happened to me and what have I done to deserve this? The internet is full of bots crawling for vulnerable websites. Most attacks on the internet happen randomly, so don’t take it personally. Some hacks are motivated by illegal profit or by religious and political ideology, while others simply see the act as a sport.
Is It Hacked?
In some cases, the intruders don’t want you to know that your website has been hacked because they may want to exploit your site for as long as possible.
On the other hand, if you are staring in shock and awe at a big awful message announcing ‘Hack3d By Mr. [Hacker’s Name]’, the situation doesn’t need much explaining.
You may receive an email from your web hosting provider. The malicious party could be consuming bandwidth without your knowledge. In other cases, your hosting account may be suspended when infected files are found on the server. Web hosting companies take this rather drastic measure to protect your visitors but also to protect their network. When a hosting provider suspends the account, they normally will send you a list of infected files that were discovered when scanning your site. That list is a good place to start when repairing your website.
A sharp drop in traffic is a common effect and cause for suspicion, especially if your website has been blacklisted as an infected site. In this case, web browsers may even display a security warning when your domain is accessed.
You know the experience when you visit a site and then suddenly you get redirected to a suspicious or non-related site? That’s known as a malicious redirect where the objective is to illegally drive traffic to a site.
If a hacker gains access to your website, your web pages can be replaced with phishing pages (or near-identical copies). The idea is to trick your customers into divulging valuable information.
If your website looks more like a pharmacy for prescription drugs, then you are the victim of a pharma hack. Note that these links are visible in the search engines.
On the WordPress side of things, check for unfamiliar users that may have been added to your site. Look for unauthorized posts that may have been published and unwanted spammy links.
Finally, try Googling your company. If you see strange foreign characters or content not related to your business, that’s another indication that your site has been compromised. A handy tip, in this case, is to render your site with a search bot simulator. In some SEO hacks, the unwanted content is only visible to search engines.
In any case, if you suspect that one of your sites is hacked, run a quick scan with one of the plugins listed below.
Malware Scanner Plugins for WordPress
1. Wordfence
Wordfence is by far the most popular security plugin for WordPress and for good reason! The company distributes a free version and a premium version starting at $99 per year.
The plugin consists of 3 core features:
WordPress Firewall – A Web Application Firewall identifies and blocks malicious traffic. Built, maintained and continuously updated by the team at Wordfence, who focus 100% on WordPress security.
WordPress Security Scanner – Malware scanner checks core files, themes, and plugins for malware, bad URLs, backdoors, SEO spam, malicious redirects and code injections.
WordPress Security Tools – The plugin also offers an array of security features such as live traffic monitoring, login attempt limiting, spam comment filtering, IP address and user agent blocking, email notifications, and monthly reports.
If you would like to learn more about the software, have a look at our tutorial on how to enhance and secure a website with Wordfence.
2. MalCare
MalCare is a new service by BlogVault offering daily malware scans starting at $99 per site and a hack repair service starting at $249.
Their advertised selling points are:
Early Malware Detection – MalCare’s automatic scanner ensures you get to know before any damage is done.
Light server usage – MalCare does all the heavy lifting on its own servers, ensuring that there is zero load on your WordPress site.
Detects hard-to-find malware – MalCare was developed after analyzing over 240,000 websites and uses over 100 signals to accurately identify even the most complex malware.
One-Click Automatic Clean-Up – With MalCare’s One-Click Malware Cleaner, you no longer need to wait endlessly for technical help to clean your WordPress site.
Built-In Secure WP Backups – A backup is the quintessential safety net of your website when your website is hacked. Powered by BlogVault’s powerful backup service, you are always protected and have access to your backups when you need them.
3. Titan Anti-spam & Security
Number 3 on our list this year is Titan Anti-spam & Security. The plugin offers an all-in-one solution to protect your WordPress website and scan for infected files.
The UI is intuitive. When first installing the plugin, a wizard guides you through the configuration process. The plugin will audit your site, scan for malware, and recommend a few “tweaks” to harden security.
Though Titan does distribute a free version, it’s worth noting that most of the exciting features are included in the paid version. These include:
- Antispam PRO
- Firewall (WAF)
- WordPress Security Scanner PRO
- Malware scanner PRO
- Real-time IP Blacklist
- Detect Malicious Code in Themes and Plugins
- Site Checker
- Premium support
At the time of writing this review, a premium license costs $55 per year, which I find a very reasonable fee.
4. Cerber Security, Anti-spam & Malware Scan
WP Cerber offers an all-in-one solution to protect, monitor, and secure a WordPress installation.
The plugin features one of the best malware scanners, offering software to monitor file changes, verify the integrity of WordPress, plugins, and themes, and to remove malicious code and viruses from your website.
Once installed, you can choose between a Quick Scan and a Full Scan. During the Quick Scan, all files with executable extensions are tested for infections. During the Full Scan, all files (including media) are scanned for malicious payloads.
Additional features of the plugin include:
- Limit login attempts
- Monitor logins, XML-RPC requests and auth cookies
- Whitelist and blacklist IP addresses
- Custom login URL
- Protect contact forms from spam
- Protect post comment forms from spam
- WordPress, theme, and plugin authenticity check
- Monitor file changes
- Hide wp-login.php, wp-signup.php, and wp-register.php from possible attacks
- Hide wp-admin (dashboard) when a user isn’t logged in
- Disable WP REST API
- Disable XML-RPC (including Pingbacks and Trackbacks)
- Disable feeds (block access to the RSS, Atom, and RDF feeds)
- Disable automatic redirection to the login page
- Weekly security report sent by email
- Protection against DoS attacks
5. Sucuri
Sucuri is one of the better-known companies in the field of WordPress security.
Features of the Sucuri plugin include:
- Security Activity Auditing
- File Integrity Monitoring
- Remote Malware Scanning
- Blacklist Monitoring
- Effective Security Hardening
- Post-Hack Security Actions
- Security Notifications
- Website Firewall
Please note that the website firewall (WAF) is a premium feature offered at a starting price of $16.66 per month.
In the free version, the plugin will scan your WordPress installation and look for modifications to the core files as distributed by WordPress.org. Files located in the root directory, wp-admin and wp-includes are compared against the files shipped with your WordPress version; all files with inconsistencies are listed for you to review.
6. Anti-Malware Security and Brute-Force Firewall
One of the best malware scanning solutions for WordPress is the Anti-Malware Security plugin by ELI.
Features of the plugin include:
- Run a complete scan to automatically remove known security threats and backdoor scripts.
- Firewall to block SoakSoak and other malware from exploiting known plugin vulnerabilities.
- Download definition updates to protect against the latest known security threats.
Premium features (requires a donation) include:
- Patch wp-login and XMLRPC to block brute-force and DDoS attacks.
- Check the integrity of your WordPress Core files.
- Automatically download new Definition Updates when running a Complete Scan.
When installing the plugin, you will have the option to register an account at GOTMLS.net. If you register an account, you can download the latest security definitions or “known threats” to help you analyze potential threats when scanning your application.
7. SucuPress
SucuPress, a new service, is one of the best security solutions for WordPress webmasters. An all-in-one solution, packed in a beautiful user interface.
Features of the plugin include:
- Brute force protection
- IP Blacklisting
- Built-in Firewall protection
- Malware Scanner
- Protection of Security Keys
- Block visits from Bad Bots
- Vulnerable Plugins & Themes detection
- Security alerts and reports in PDF format
The free malware scanner stands out as one of the finest products on the market. Not only will the plugin scan your website, but it will also provide a security audit report with recommendations to enhance the security of your website.
Premium subscribers have access to the “auto fix” features of the software, which will attempt to automatically remove and repair corrupted files.
8. CleanTalk
The Security & Malware scan by CleanTalk is a service that enhances the security of your website. Built into the plugin are one of the best malware scanners, a free firewall service, and a security log.
The malware scanner can be automated to run at a predefined interval but also on-demand when a website is compromised.
The scan will search for dangerous code in modified files, malicious signatures in files and will attempt to repair and remove known malware.
The full feature list:
- Web Application Firewall
- Malware scanner with AntiVirus functions
- Daily auto malware scan
- Brute force protection
- Limit Login Attempts
- Enhanced login form protection
- Security daily report to email
- Security audit log
- Real-time traffic monitor
9. Astra Security Suite
Another new addition to this list is the Astra Security Suite. Please note that it is the only plugin in our top 10 that does not offer a free version.
Astra is an all-in-one security solution for WordPress webmasters. The list of security services provided is extensive. Some of them include a real-time web application firewall, an on-demand machine learning-powered malware scanner, immediate malware cleanup, community vulnerability assessment, and penetration testing (VAPT).
As part of their subscriptions, they also offer a malware cleanup service (carried out by humans). While updating this list, their starter package is priced at €24 per month and their business plan is priced at €149 per month.
10. BulletProof Security
Last but not least on our list of the malware removal plugins is BulletProof Security, one of the oldest security plugins in the WordPress ecosystem!
Among the many features of the plugin is a built-in malware scanner.
Though the interface is a little daunting and the options are many, with a few tweaks you can:
- Scan all files and directories located on the server
- Set performance options
- Exclude folders and files
- Scan the database
- Scan image files
Malware Infection Repair Tips
Fixing websites is always a little challenging. But for the DIY webmasters and WordPress developers, one way of going about repairing your site would be to:
Install one of the listed malware removal plugins and run a scan of your file system. Check the results for any unwanted scripts and files. Either delete them or replace them with an uninfected version (download a fresh copy of WordPress).
Don’t place all your bets on a plugin. Check crucial system files yourself. You will want to pay extra attention to the following files in your theme and WordPress files:
And your theme’s:
It’s also recommended to manually update your WordPress website (please see our how-to guide). Updating WordPress will ensure that WordPress’s core files are free of any infection.
You will also want to remove any unwanted content from your blog (e.g. spammy SEO posts) and reinstate the appropriate content.
Next, determine the cause of the hack. Check if you are running any vulnerable plugins. The WPScan vulnerability database catalogs over 10,000 known vulnerabilities. Either replace the faulty plugins or delete them.
Now it’s time to harden your site’s security.
One consideration is to change hosting companies. Some hacks are caused by lax security measures at a hosting level.
Make sure all software is up to date and check out the WordPress documentation on hardening security. Some really handy tips in that post!
Installing a firewall can help block malicious requests; one of the most popular services is offered by Wordfence.
Monitor your website during the next few weeks. It’s also advised to scan your personal computer for viruses.
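The core-file check described for Sucuri above and in the repair tips (compare the root directory, wp-admin and wp-includes against a fresh copy of WordPress and review every inconsistency) can be done by hand with a short script. This is an added example, not code from the page or from any plugin reviewed here; the executable-extension list, the helper names and the sample files built in demo() are assumptions/constructed, and in real use you would point site_root at your install and clean_root at a freshly downloaded WordPress of the same version.

```python
import hashlib, os, tempfile

# Assumed extension list for a "quick" pass (the page names none): only added files with these are reported.
EXECUTABLE_EXT = {".php", ".phtml", ".php5", ".phar", ".js", ".html"}

def sha256_file(path):
    with open(path, "rb") as f:
        return hashlib.sha256(f.read()).hexdigest()

def build_manifest(root):
    """Map relative path -> SHA-256 for every file under root that ships with WordPress."""
    manifest = {}
    for dirpath, _, names in os.walk(root):
        for name in names:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            # Root-level files, wp-admin and wp-includes ship with WordPress; wp-content is site-specific.
            if "/" not in rel or rel.split("/", 1)[0] in ("wp-admin", "wp-includes"):
                manifest[rel] = sha256_file(full)
    return manifest

def compare_core(site_root, clean_root, quick=False):
    """Diff a live install against a fresh copy; every inconsistency is listed for manual review."""
    site, clean = build_manifest(site_root), build_manifest(clean_root)
    added = [p for p in site if p not in clean]
    if quick:  # quick pass: only unexpected files with an executable extension
        added = [p for p in added if os.path.splitext(p)[1].lower() in EXECUTABLE_EXT]
    return {"modified": sorted(p for p in site if p in clean and site[p] != clean[p]),
            "missing": sorted(p for p in clean if p not in site), "added": sorted(added)}

def write(root, rel, text):
    path = os.path.join(root, rel)
    os.makedirs(os.path.dirname(path), exist_ok=True)
    with open(path, "w") as f:
        f.write(text)

def demo():
    """Constructed sample: a tiny 'fresh copy' beside a site with one altered core file and unknown files."""
    with tempfile.TemporaryDirectory() as tmp:
        clean, site = os.path.join(tmp, "clean"), os.path.join(tmp, "site")
        for root in (clean, site):
            write(root, "index.php", "<?php require __DIR__ . '/wp-blog-header.php';\n")
            write(root, "wp-includes/version.php", "<?php $wp_version = '0.0-constructed';\n")
        write(site, "wp-includes/version.php", "<?php $wp_version = '0.0-constructed'; // extra line\n")
        write(site, "wp-config.php", "<?php // site-specific file, expected to be absent from a fresh copy\n")
        write(site, "wp-includes/cache.txt", "not executable\n")  # dropped by the quick pass
        write(site, "wp-includes/wp-tmp.php", "<?php // unknown script: review it\n")
        return compare_core(site, clean), compare_core(site, clean, quick=True)
```

wp-config.php always shows up as "added" because it is not part of the distribution; everything else in that list, and anything "modified", deserves a look before you replace it with the fresh copy.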
It’s worth noting that a malware infected site should not be taken lightly.
The fallout could mean that your host suspends your account. Your site may also get blacklisted by search engines, and web browsers may display a security warning each time your site is accessed. Furthermore, a drop in search engine rankings is a likely outcome, which could adversely affect your business’s online revenue.
And of course, your online reputation could be harmed, as most customers are unforgiving and may see your site as an untrustworthy service.
Let us know in the comment section below which malware scanner plugin you used to fix your website. We’re looking forward to your feedback!