WordPress Sites Are Getting Infected

Since some of our customers are getting their WordPress websites defaced, we thought we should write this article explaining how to protect your WordPress website.

The first thing to do is to back up your malicious website. Yes, you heard it right: back up the infected website.

To back up your website, head over to your cPanel account, log in, and navigate to Backup.

Once there, click on Download a Full Account Backup.

Press Generate Backup. You can select whether to get notifications or not. I have selected the 'Do not send an email notification' option.



Let the backup run in the background.


Once completed, download the generated backup.


Now let's move to the cleaning part. First we will scan the directory with ClamAV Virus Scanner for malicious content.


Select the scan mode. I'm choosing Scan Entire Home Directory to scan the whole account. Click Scan Now to proceed.

The scan will now start. Once completed, you will get the option to delete or quarantine. You can choose either option.

Sometimes the scan results can come back clean because the malware is new and the ClamAV virus database signatures have not yet been updated to include it.


Let's clean our WordPress directory. You can start by looking for:

  • Strangely named files
  • Suspicious files
  • Newly modified files
  • Plugin directories

First check the modified date: check whether you see files/directories that were modified (not by you).

Let's make hidden files appear as well. To do that, click on Settings, check Show Hidden Files (dotfiles), and click Save.



Now let's check these directories as well and look for any unfamiliar files.






I found some malicious files in the above-mentioned directories. One of them was in the plugin directory called 'xaisyndicate'; inside the folder there were some shell scripts that attempted to get access to the whole directory. I deleted the whole folder.

Check the Skip the trash and permanently delete the files option and click Confirm.

There were some other files in the public_html directory as well. We can identify them by their names, which were random gibberish. I deleted that file as well. Make sure to check any suspicious directories or files, including the above directories.
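
The manual checks above (recent modification dates, dotfiles, unrecognized plugin directories, gibberish file names) can be run in one pass over a downloaded copy of the site. This is an added example, not part of the original article; the function names, the 14-day window, the vowel-ratio heuristic for "random" names, and the `public_html` and `akismet` values are assumptions chosen for illustration.

```python
import os
import time
from pathlib import Path

VOWELS = set("aeiou")

def looks_random(stem: str) -> bool:
    """Heuristic (assumption): long alphanumeric name with almost no vowels."""
    letters = [c for c in stem.lower() if c.isalpha()]
    if len(stem) < 8 or not stem.isalnum() or not letters:
        return False
    return sum(c in VOWELS for c in letters) / len(letters) < 0.2

def triage(site_root, days=14, known_plugins=()):
    """Return {relative_path: [reasons]} for entries worth a manual look."""
    root = Path(site_root)
    cutoff = time.time() - days * 86400
    plugins_dir = root / "wp-content" / "plugins"
    findings = {}

    def flag(path, reason):
        findings.setdefault(path.relative_to(root).as_posix(), []).append(reason)

    # Plugin directories you did not install yourself
    if plugins_dir.is_dir():
        for entry in plugins_dir.iterdir():
            if entry.is_dir() and entry.name not in known_plugins:
                flag(entry, "unknown plugin directory")

    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = Path(dirpath) / name
            if name.startswith("."):
                flag(path, "hidden file")
            if path.suffix.lower() == ".php":
                if looks_random(path.stem):
                    flag(path, "random-looking name")
                if path.stat().st_mtime >= cutoff:
                    flag(path, "recently modified")
    return findings

if __name__ == "__main__":
    # Example call; the path and plugin name are placeholders.
    for rel, reasons in sorted(triage("public_html", 14, {"akismet"}).items()):
        print(rel, "->", ", ".join(reasons))
```

A flagged entry is only a candidate for review: legitimate dotfiles and freshly updated plugins will show up too, and a file with an ordinary name and an old timestamp will not.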



Now let's check our database as well. As the first step, we will change our database password. You can change the password by clicking on MySQL Databases.

Once there, scroll down until you find the Current Users section. Click Change Password on the user you want.

Now generate a password by clicking on Password Generator, copy the password, and click Change Password.

Now we have to change the password in the WordPress configuration. You can either edit the configuration and replace the password field with the password generated above, or continue with the following.

Once clicked, you will be taken to the Softaculous Apps Installer. There, press All installations (a small box icon on the top right side) and click on the pencil icon to edit the installation of the website you want.

Now paste the password that you generated earlier into the Database Password field. To auto-update WordPress from now on, check the Upgrade to any latest version available (Major as well as Minor) option.

Once done, scroll down and click on Save Installation Details.

Okay! Now we have to upgrade our WordPress version. You can upgrade it simply by clicking the upgrade button in Softaculous.


Always select the latest version available from the drop-down menu, and if you want to back up your configuration before the upgrade, check the Create Backup box. It's always recommended to have a backup.

Select the Full Backup option to get a full backup of your WordPress site. You can also enable Loginizer to get notifications of logins. Once done, click on Upgrade.

Give it some time to complete the upgrade.

Once the upgrade completes, navigate back to Softaculous All installations and check whether you can see the latest version.

Now that the upgrade of the WordPress core has been completed, upgrade all your plugins as well. You can do this by logging into your WordPress Admin Panel.


Let's check whether there are malicious users in our database that were created by the malicious script. To do that, navigate to phpMyAdmin in your cPanel.

Select the database in the left pane by clicking on it.

Once clicked, all the tables of that database will be listed. Click on the WordPress users table. The prefix might change, but it always ends with _users.

Now delete all the users except for the legitimate user/users by going through page by page and pressing the delete button, and change the WordPress password of the legitimate user/users as well.
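
The account review described above can be narrowed with a query that lists every account outside your own allowlist together with whether it holds the administrator role. This is an added example, not part of the original article: it uses the standard WordPress `_users` and `_usermeta` tables, runs against an in-memory SQLite stand-in for the MySQL database, and all account names and rows are constructed sample data.

```python
import re
import sqlite3

def user_audit_sql(prefix="wp_"):
    """Audit query; the prefix is interpolated into identifiers, so validate it."""
    if not re.fullmatch(r"[A-Za-z0-9_]+", prefix):
        raise ValueError("unexpected table prefix")
    return (
        f"SELECT u.ID, u.user_login, u.user_registered, m.meta_value "
        f"FROM {prefix}users u LEFT JOIN {prefix}usermeta m "
        f"ON m.user_id = u.ID AND m.meta_key = '{prefix}capabilities' "
        f"ORDER BY u.ID"
    )

def unexpected_users(conn, legitimate, prefix="wp_"):
    """Return (id, login, registered, is_admin) for accounts not on the allowlist."""
    out = []
    for uid, login, registered, caps in conn.execute(user_audit_sql(prefix)):
        if login not in legitimate:
            out.append((uid, login, registered, "administrator" in (caps or "")))
    return out

def demo_db():
    """In-memory SQLite stand-in for the MySQL database, with constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE wp_users (ID INTEGER PRIMARY KEY, user_login TEXT,
                               user_registered TEXT);
        CREATE TABLE wp_usermeta (user_id INTEGER, meta_key TEXT, meta_value TEXT);
        INSERT INTO wp_users VALUES
            (1, 'siteowner', '2019-03-02 10:15:00'),
            (2, 'editor_anna', '2020-07-11 08:40:00'),
            (7, 'wpsupp0rt', '2024-01-05 03:12:44');
        INSERT INTO wp_usermeta VALUES
            (1, 'wp_capabilities', 'a:1:{s:13:"administrator";b:1;}'),
            (2, 'wp_capabilities', 'a:1:{s:6:"editor";b:1;}'),
            (7, 'wp_capabilities', 'a:1:{s:13:"administrator";b:1;}');
    """)
    return conn

if __name__ == "__main__":
    # Allowlist of accounts you created yourself (constructed names).
    for row in unexpected_users(demo_db(), {"siteowner", "editor_anna"}):
        print(row)
```

The string returned by `user_audit_sql()` is plain SQL and can be pasted into the phpMyAdmin SQL tab for the real database. Rows deleted from the `_users` table by hand leave their `_usermeta` rows behind, so remove those for the same user IDs as well.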


Now go and install the Wordfence WordPress plugin and scan with that as well.

All done. It is always good to keep scripts up to date to avoid getting your website infected.
