Since some of our customers are getting their Wordpress website defaced we thought we should write this article explaining how to protect your Wordpress website.
First Thing to do is to backup your Malicious Website. Yes you heard it right backup the Infected Website.
To Backup your website headover to your cPanel account & log in & Navigate to Backup
Once Navigated click on Download a Full Account Backup
Press on Generate Backup, You can select whether to get notifications or not. I have selected 'Do not send an email notification' option.
Let the backup run in the background.
Once Completed download the generated backup .
Now let's move to the cleaning part. First we will scan the directory with ClamAV Virus Scanner for malicious content.
Select the Scan Mode I'm choosing Scan Entire Home Directory to scan the whole account. Click Scan Now to proceed.
Scan will now start scanning the directory, Once Completed you will get the option to delete or quarantine. You can choose one of the either options.
Sometime the scan results can come as clean since the malware is new and ClamAV virus database signatures are not updated yet with the new one.
Let's Clean our Wordpress directory . You can start by looking for:
- Strange named Files
- Suspicious files
- Newly Modified files
- Plugin Directories
First check for modified date; check whether you see files/directories modified (not by you)
Let's make hidden files appear as well. To do that click on Settings
and check the Show Hidden Files (dotfiles) and click Save
Now let's check these directories as well and look for any unfamiliar files.
I found some malicious files in above mentioned directories. One of them were in the plugin directory called 'xaisyndicate' inside the folder there were some shell scripts that attempted to get access to the whole directory. I deleted the whole folder.
Check Skip the trash and permanently delete the files option and click confirm.
There were some other files as well on the public_html directory as well. We can identify them by their name the name was random & gibberish. I deleted that file as well. Make sure to check any suspicious directory or files including the above directories as well.
Now let's check our database as well. As the first option we will change our database password. You can change the password by clicking on MySQL Databases
Once navigated scroll down until you find the Current Users section. Click Change Password on the user you want.
Now generate a password by clicking on Password Generator copy the password and click Change Password
Now we have to change the password in Wordpress configuration. You can either edit and replace the password field with the above generated password or continue with the following
Once clicked you will be navigated to Softaculous Apps Installer. Once navigated press on All installations ( A small box icon on top right side) and click on the pencil icon to edit the installation of the website you want.
Now paste the password that you generated earlier in the Database Password field and to auto update Wordpress now on check the Upgrade to any latest version available (Major as well as Minor) option.
Once done scroll down and click on Save Installation Details
Okay! Now we have to upgrade our Wordpress version. You can upgrade it simply by clicking upgrade button in Softaculous
Always Select the latest version available to upgrade from the drop down menu and if you want to backup your configuration before the upgrade check on the Create Backup box. It's always recommended to have a backup.
Select the Full Backup option to get a full backup of your wordpress site and you can enable Loginizer to get notifications of logins.Once done click on Upgrade.
Give some time for it to complete the upgrade
Once upgrade completes navigate back to Softaculous All installations and check whether you can see the latest version.
Now the upgrade of Wordpress core has been completed upgrade all your plugins as well. You can do this by login into your Wordpress Admin Panel.
Let's check whether there are malicious users on our database that was created by the malicious script. To do that navigate to phpMyAdmin on your cPanel.
Select the database on the left pane by clicking on it
Once click all the tables of that database will list down. Click on the wordpress users. Prefix might change but it always end with _users
Now delete all the users except for the legitimate user/users by going into page by page and pressing the delete button and Change the Wordpress Password of Legitimate User/Users as well.
Now go and install Wordfence Wordpress Plugin and Scan from that as well.
All done. It is always good to keep scripts upto date to avoid getting your website infected.