Many WordPress users have to deal with malware that infects their sites and undermines their efforts to protect and secure them. Most of these users feel helpless when they run into such a problem, even if the problem is clear and they are aware of what happened to them.
I will first describe my experience cleaning and repairing a site that was infected with malware, so that you can restore your own site by applying the same steps if it runs into any protection or security problem. Then I will explain how to protect a WordPress site from being hacked or infected with malware in the future, based on a set of important tips.
Experience repairing and re-securing a WordPress site
I will now explain how to repair, re-secure and protect a WordPress site that has been hacked or has malfunctioned as a result of viruses. The explanation follows a practical example (an experiment) to make the steps clearer and easier for you to apply.
Reasoning about the problem
When the security of a WordPress site is compromised, a message may appear (There was a serious error on this site), as we saw when trying to access the site that was damaged in our experiment.


This error can be caused by several factors including that the security of your WordPress site has been compromised. If it was, the hacker or intruder would be able to access your site’s files and do almost anything they want with it, such as diverting your site’s traffic to other sites, etc.
Scan site files
When a WordPress site is hacked, the hacker adds his own files and malicious code that help him control your site. So in our example, I took a look at the WordPress site files using the File Manager tool in the hosting control panel.


When I looked through the files, I found folders and files that have nothing to do with a WordPress installation. Since I do not have access to the WordPress control panel, I cannot tell all the malicious files that were used to compromise the site apart from the healthy files that belong to WordPress and its dependencies.


So I will remove all folders and files in the main site folder (public_html) except the wp-content folder and the wp-config.php file. There is no need to take a backup copy of the site here, because the folders and files that I will delete belong to WordPress itself and you can obtain them from the official WordPress website.
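Where shell or SFTP access is available, the same separation of WordPress files from foreign files can be done by comparing the site folder with a clean copy. The following is an added example, not part of the original experiment; it assumes a clean copy of the same WordPress version has been extracted next to a copy of public_html, and the function names and the tiny demo trees are constructed for illustration.

```python
import hashlib
import os

# Left in place by the procedure above, so they are not compared with the clean copy.
KEEP = {"wp-content", "wp-config.php"}

def _sha256(path):
    h = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()

def _relative_files(root):
    """Map relative path -> full path for every file under root, skipping KEEP at top level."""
    found = {}
    for dirpath, dirnames, filenames in os.walk(root):
        if os.path.abspath(dirpath) == os.path.abspath(root):
            dirnames[:] = [d for d in dirnames if d not in KEEP]
            filenames = [f for f in filenames if f not in KEEP]
        for name in filenames:
            full = os.path.join(dirpath, name)
            found[os.path.relpath(full, root).replace(os.sep, "/")] = full
    return found

def compare_to_clean(site_root, clean_root):
    """Classify site files as unknown (not in WordPress), modified, or missing."""
    site = _relative_files(site_root)
    clean = _relative_files(clean_root)
    return {
        "unknown": sorted(p for p in site if p not in clean),
        "modified": sorted(
            p for p in site if p in clean and _sha256(site[p]) != _sha256(clean[p])
        ),
        "missing": sorted(p for p in clean if p not in site),
    }

def build_constructed_demo(base):
    """Create two tiny constructed trees under base: a clean copy and an infected site."""
    layout = {
        "clean/index.php": "<?php // core front controller\n",
        "clean/wp-includes/version.php": "<?php $wp_version = 'x';\n",
        "site/index.php": "<?php /* altered */ // core front controller\n",
        "site/wp-includes/version.php": "<?php $wp_version = 'x';\n",
        "site/wp-includes/cache-old.php": "<?php // not part of WordPress\n",
        "site/wp-config.php": "<?php // kept, reviewed by hand\n",
        "site/wp-content/uploads/a.txt": "kept\n",
    }
    for rel, body in layout.items():
        path = os.path.join(base, *rel.split("/"))
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w") as fh:
            fh.write(body)
    return os.path.join(base, "site"), os.path.join(base, "clean")

if __name__ == "__main__":
    import tempfile
    with tempfile.TemporaryDirectory() as tmp:
        print(compare_to_clean(*build_constructed_demo(tmp)))
```

Files reported as unknown or modified are the ones that the delete-and-re-upload step replaces; wp-content and wp-config.php are skipped here because they are reviewed separately.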
Remove WordPress files and malicious files
To remove these files, I will click the Select All button, which selects all the folders and files in the path. Then I will deselect the wp-content folder and the wp-config.php file, which I do not want to delete, by holding down the Ctrl key on the keyboard and left-clicking the folder and the file one by one. Finally, I will click the (Delete) button.


View the wp-config.php file and remove the malicious code
After removing the files, I must review the contents of the wp-config.php file because this file includes database connection information, which any hacker tries to exploit by placing malicious code to break WordPress security and gain full access to the site.
To view the contents of the file, I will right-click the file and choose (Edit) from the drop-down menu. If there is malicious code in the file, I will remove it.


There was code at the beginning of the file that is not part of the WordPress code, so I will remove it so that it does not hinder the process of repairing, securing, and protecting WordPress.


I recognized the malicious code because I know very well the contents of the wp-config.php file, in addition to the fact that the way this code is written is different from the rest of the contents of this file.
In general, you can find out whether the contents of the wp-config.php file are valid or contain malicious code by viewing a default sample of the wp-config.php file and comparing its contents with the contents of your file. If the two files differ in their general appearance, the difference is the malicious code.
You can view a default sample of the wp-config.php file by visiting this link, and you can also learn more about the wp-config.php file by reviewing our comprehensive article about it (a comprehensive explanation of the WP-config file in terms of its functions and uses).
Having identified the malicious code that was one of the causes of the security errors on the WordPress site, I will remove it and save the changes by clicking the (Save Changes) button.
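The comparison with a sample file can also be done mechanically. The following is an added example, not part of the original article: it reduces each line to its "shape" (comments dropped, literal values such as database names masked) and lists the lines of a site's wp-config.php whose shape never occurs in the sample. Both embedded files are abridged and constructed, and the function names are assumptions.

```python
import re

# Abridged, constructed stand-in for the default sample file (comments omitted).
SAMPLE_CONFIG = """<?php
define( 'DB_NAME', 'database_name_here' );
define( 'DB_USER', 'username_here' );
define( 'DB_PASSWORD', 'password_here' );
define( 'DB_HOST', 'localhost' );
define( 'AUTH_KEY', 'put your unique phrase here' );
$table_prefix = 'wp_';
define( 'WP_DEBUG', false );
if ( ! defined( 'ABSPATH' ) ) {
    define( 'ABSPATH', __DIR__ . '/' );
}
require_once ABSPATH . 'wp-settings.php';
"""

# Constructed site file: legitimate settings plus one foreign statement on line 1.
CONSTRUCTED_SITE_CONFIG = """<?php include '/tmp/constructed-injected-file.php';
/** Database settings */
define( 'DB_NAME', 'shop_db' );
define( 'DB_USER', 'shop_user' );
define('WP_DEBUG', true);
define( 'WP_DEBUG_LOG', true );
$table_prefix = 'wp7_';
if ( ! defined( 'ABSPATH' ) ) {
    define( 'ABSPATH', __DIR__ . '/' );
}
require_once ABSPATH . 'wp-settings.php';
"""

# Only plain literals are masked; a define() whose value is an expression stays visible.
LITERAL = r"""(?:'[^'\\]*'|"[^"\\$]*"|true|false|null|-?\d+)"""
DEFINE_RE = re.compile(r"""^define\(\s*'\w+'\s*,\s*%s\s*\);$""" % LITERAL, re.I)
PREFIX_RE = re.compile(r"""^\$table_prefix\s*=\s*'\w*';$""")

def shapes(php_text):
    """Yield (line_no, shape) with comments dropped and literal settings masked."""
    # Replace block comments with the same number of newlines to keep line numbers.
    text = re.sub(r"/\*.*?\*/", lambda m: "\n" * m.group(0).count("\n"),
                  php_text, flags=re.S)
    for no, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith(("//", "#")):
            continue
        if DEFINE_RE.match(line):
            yield no, "define(<literal>)"
        elif PREFIX_RE.match(line):
            yield no, "$table_prefix=<literal>"
        else:
            yield no, re.sub(r"\s+", "", line)

def unexpected_lines(site_config, sample_config=SAMPLE_CONFIG):
    """Return (line_no, text) for site lines whose shape is absent from the sample."""
    known = {shape for _, shape in shapes(sample_config)}
    raw = site_config.splitlines()
    return [(no, raw[no - 1].strip())
            for no, shape in shapes(site_config) if shape not in known]

if __name__ == "__main__":
    for no, text in unexpected_lines(CONSTRUCTED_SITE_CONFIG):
        print(f"line {no}: {text}")
```

The check is deliberately conservative: anything that does not look exactly like a line of the sample is listed for manual review, so a legitimate custom line can also appear in the output.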


The site will not work even after deleting the malicious code because I deleted a large section of the files necessary for its operation (wp-includes and wp-admin folders and other files) in a previous step in order to remove all the malicious files, all of which are difficult to distinguish from healthy files.
Upload WordPress to hosting
The files that I deleted previously constitute the WordPress files and the malicious files together, and in order to make the site work again safely, I have to put the WordPress files back in their place without the malicious files that caused problems and broke the WordPress security.
To do this, I will download the latest version of WordPress from the official website by clicking on the (Download WordPress) button. WordPress will download as a ZIP file to my computer.


After downloading the WordPress file, I will return to the File Manager in the hosting control panel and enter the public_html folder, most of whose contents I deleted. Then I will click the (Upload) option to upload the secure WordPress files that were downloaded from the official website.


After clicking (Upload), a page will appear that lets me upload files from the computer to the public_html folder in the hosting file manager. To select the file to upload, I will click the Select File button and choose the WordPress ZIP file.


The uploading process will begin, and when it is complete, the bar will turn green. We can click on the link below to return to the file manager. Note that I have uploaded a ZIP file that includes all the WordPress files so that I can use in the next steps only what I deleted previously.


Decompress the WordPress file to recover the site files
When you return to the file manager, you will notice the WordPress file that was just uploaded. I will right-click this file to bring up a menu of options, then choose (Extract) to unzip the file.


A new window will appear to set the location to save the files after decompressing them, and I will directly click on the (Extract files) option, because the specified path is the same as the path I want (public_html folder).


After decompressing, we will have a new folder called WordPress that includes all WordPress files under the public_html folder.


I will go into the WordPress folder in order to move the files and folders that I deleted in a previous step. After entering the folder, I will select all the files and folders in it except the wp-content folder, then I will click (Move).


Next, I will choose the public_html folder path and click the Move Files button to move the files.


Now the site’s files will be back to normal, and we’ll have two possibilities: either it’s back up and running or it still has issues that I need to address.


Find out why the fatal error message persists
When I tried to access the site for the first time, a message appeared telling me that there was a serious error, and now, even after applying the previous steps, the same message still appears. There were indeed malicious files and malicious codes, but removing these files and codes did not completely solve the problem.
Most likely, the security breach of the WordPress site that occurred in this case affected other files related to the site, and therefore we must find out the reason for the appearance of a critical error message to address the errors caused by breaking the WordPress security during the hacking process.
To find out why, I will add several lines to the wp-config.php file that enable error logging and store the errors in a file. The lines I will add are:
define( 'WP_DEBUG', true );
define( 'WP_DEBUG_LOG', true );
define( 'WP_DEBUG_DISPLAY', false );


When error logging is enabled without specifying a location for the log, the log is saved directly within the wp-content folder. Now I will visit the site again to make WordPress create a log of the errors so that I can view them in order to repair, protect, and secure the WordPress site.
After visiting the site again, the fatal error message appeared again, so I went directly to the wp-content folder through the file manager, where WordPress was supposed to have created a log of the errors that had occurred, and indeed there was an error file named (debug.log).
I right-clicked on the file, then chose (View) from the drop-down menu to show the contents of the file and review it to see what is causing the fatal error or errors.


The error log file shows not only critical errors but other errors as well. What concerns us now are the critical errors, because they are what prevent the site from working. While they are present, the process of protecting the WordPress site cannot be completed from within the control panel.


When reviewing the error file, I noticed a group of fatal errors (PHP Fatal error) that were caused by the same add-on, namely Gravity Form User Registration, as the previous image shows.
Therefore, I will go to the plugins folder to delete the files of this plugin, then I will re-upload it exactly as I did with the WordPress files. If the problem continues to appear, I will be forced to do without this plugin, in which case its files must be removed without re-uploading them.
After deleting the add-on files and re-uploading them again, the site returned to work, and it is now possible to access the WordPress control panel to continue the process of cleaning the site from harmful files, in addition to protecting and securing it from them to prevent damage due to them in the future.
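Reading a long debug.log by eye is slow, so the fatal errors can be grouped by the plugin or theme whose files they occur in. The following is an added example, not part of the original article; the log lines are constructed in the format WordPress writes to wp-content/debug.log, and the plugin name, paths and function name are placeholders.

```python
import re
from collections import Counter

# Constructed sample log: one notice, two fatal errors from one plugin, one warning.
SAMPLE_LOG = """\
[03-Feb-2024 09:14:02 UTC] PHP Notice:  Undefined index: page in /home/example/public_html/wp-content/themes/sample-theme/functions.php on line 88
[03-Feb-2024 09:14:02 UTC] PHP Fatal error:  Uncaught Error: Call to undefined function sample_helper() in /home/example/public_html/wp-content/plugins/sample-registration/class-main.php:412
Stack trace:
#0 /home/example/public_html/wp-settings.php(453): include_once()
#1 {main}
  thrown in /home/example/public_html/wp-content/plugins/sample-registration/class-main.php on line 412
[03-Feb-2024 09:15:40 UTC] PHP Fatal error:  Uncaught Error: Class 'Sample_Base' not found in /home/example/public_html/wp-content/plugins/sample-registration/includes/setup.php:17
[03-Feb-2024 09:16:10 UTC] PHP Warning:  Cannot modify header information in /home/example/public_html/wp-includes/pluggable.php on line 1435
"""

# A log entry starts with "[timestamp] PHP <level>:"; stack-trace lines do not.
ENTRY_RE = re.compile(r"^\[(?P<when>[^\]]+)\] PHP (?P<level>[A-Za-z ]+?):\s+(?P<msg>.*)$")
# The first wp-content component named in the message is treated as the source.
COMPONENT_RE = re.compile(r"/wp-content/(plugins|themes|mu-plugins)/([^/\s:]+)")

# Levels that stop the page from rendering.
BLOCKING_LEVELS = ("Fatal error", "Parse error")

def fatal_errors_by_component(log_text):
    """Return [(component, count)] for blocking errors, most frequent first."""
    counts = Counter()
    for line in log_text.splitlines():
        entry = ENTRY_RE.match(line)
        if not entry or entry.group("level") not in BLOCKING_LEVELS:
            continue
        component = COMPONENT_RE.search(entry.group("msg"))
        if component:
            counts[f"{component.group(1)}/{component.group(2)}"] += 1
        else:
            counts["core-or-unknown"] += 1
    return counts.most_common()

if __name__ == "__main__":
    for name, count in fatal_errors_by_component(SAMPLE_LOG):
        print(f"{count:3d}  {name}")
```

Once the cause has been found, set WP_DEBUG back to false and delete debug.log, because the wp-content folder is served by the web server and the log exposes file paths and error details.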


Note: If you are experiencing a problem accessing the WordPress control panel, you can review the article (What to do if you cannot access the WordPress control panel?) to find out the causes of the problem and how to solve it.
Install the WordPress Security plugin and scan the site
I will now go to the Add a New Plugin page by clicking on the Add New tab in the Plugins section of the WordPress control panel in order to install the WordFence plugin, which activates a firewall for the site, scans all the site’s files and identifies the harmful ones so that they can be deleted or fixed, thus completely protecting and securing your WordPress site.
To install and activate the add-on, I will enter its name in the search box and click its Install Now button. Then I will click the Activate button, which appears once the installation is complete, a few seconds after clicking the Install button.


Immediately after activating the add-on, two messages will appear at the top of the control panel, one to activate automatic updates for the add-on and the second to make modifications to the site’s .htaccess file.


Note: When you click on the (Click Here To Configure) option, the site will ask you to take a backup copy of the .htaccess file so that the add-on can safely make modifications to this file.
We will now go to the All Options tab located within the WordFence submenu to make some adjustments to the add-on options before starting the comprehensive site scan process.
In the General WordFence Options section, I will place two ticks next to the Hide WordPress version option and the Disable code execution for uploads directory option.


In the General Options section, I will put a check mark next to the Scan theme files against repository versions for changes option, and the Scan plugin files against repository versions for changes option.


After activating the previous options, I will click on the (Save Changes) button to save the changes.


I will now go to the (Scan) tab within the WordFence menu and click on the (Start New Scan) button to start a new scan. Then I will wait until the scan is finished; how long it takes depends on the size of the site and the number of its files.


Note that after starting the scan process, the Start New Scan button will change to (Stop Scan), and after the scan is finished, it will return to what it was.


After the scan is finished, malicious files and modified files will appear. I will click on the Delete All Deletable Files option to delete them.


A pop-up window will appear asking me to confirm the deletion, and I will click on the (Delete Files) button to confirm the deletion. Before confirming the deletion process, it is recommended that you make a complete backup of the website so that you can restore any data you may lose.


After confirming the deletion, a new pop-up window will appear informing you that the deletion was successful. I will click (Close).


After removing the files that can be removed, there will still be some WordPress files, plugin files and theme files that contain malicious code but cannot be deleted. I will repair these files by clicking on the (Repair All Repairable Files) button.


After clicking on the Repair All Repairable Files button, a pop-up window will appear asking me to confirm the repair. I will click on the Repair Files button to confirm the process of repairing the various WordPress files.


After completing the file repair process, I ran a new scan of the site to ensure that there were no malicious files or codes remaining. After the new scan was completed, the add-on showed that the site was free of malicious files and codes.
However, the plugin showed security warnings for several reasons, including a weak password for a user with the subscriber role and a delay in updating one of the plugins. In order to fully protect the WordPress site, you must act on these warnings to clear them: change the weak password and update the outdated plugin.


Thus, I have restored and secured the WordPress site again, but there are still some procedures that must be applied to further protect WordPress, such as changing the password for the administrator accounts within the site, changing the password for the cPanel control panel, and deleting the FTP accounts, if they exist.
I will shed light on how to implement these procedures in the following tips section, which talks about how to secure a WordPress site and prevent hackers and malware from accessing it and disabling it.
Steps to secure a WordPress website to prevent it from being hacked
After applying the steps listed above, the process of protecting and securing the WordPress site will have been completed, but only partially, as there is still a set of measures that must be applied or refrained from applying in order to protect the site further.
1. Activate automatic updates for WordPress
In order to protect your WordPress site, you must activate automatic updates for your WordPress version, or at least for its security updates, as they patch the vulnerabilities discovered in previous versions that a hacker can exploit to infect your site with malicious files.
You can activate automatic updates for WordPress by going to the (Updates) tab within the (Home) section of the WordPress control panel, then clicking on the option (Activate automatic updates for all new versions of WordPress).


2. Activate automatic updates for add-ons
You should also enable automatic updates for plugins, because these updates include new features for the plugin, greater compatibility with successive WordPress versions, and most importantly, fixing discovered security vulnerabilities.
You can activate automatic updates for any add-on by going to the (Installed add-ons) tab within the (Add-ons) section, then clicking on the (Activate automatic updates) option next to each add-on. To activate automatic updates for all add-ons at once, select all add-ons, choose (Activate automatic updates), then click on the (Apply) option.


3. Delete add-ons that are not needed
WordPress plugins installed on the site and not being used increase the chances of it being hacked because they increase the possibility of vulnerabilities in it, so it is preferable to remove all plugins that you are not using from your site.
You can learn how to remove WordPress plugins by reviewing our article (Steps to remove templates and plugins from WordPress correctly).
4. Update the active template and delete inactive templates
It is also necessary to update the active WordPress template used on your site because the latest version will include new features, and will be better in terms of security, as recently discovered security vulnerabilities in the template files are closed.
It is also preferable to remove templates that you do not use because they also increase the chances of your site being hacked and crashing, but you should be careful not to remove the parent template of the child template that you are using if you are using a child template, as this will lead to problems with your website.
Read also: What is a child template? What are its uses for WordPress website owners?
5. Scan with a security add-on when you make changes
You must install a security add-on, such as the WordFence add-on, which works to enhance the security of your site, and use it to perform a comprehensive scan of the site's files whenever you make a modification to the site that involves a third party, as security add-ons help you detect and remove malicious files and codes.
6. Use plugins and templates from trusted sources only
You should not use plugins or templates from unreliable sources, and it is always preferable to rely on the official WordPress website to obtain free plugins and templates, and the ThemeForest and CodeCanyon websites to obtain paid templates and plugins.
Read also: Why not use pirated themes and plugins?
7. Remove FTP accounts after you are done using them
To prevent misuse of FTP accounts if someone obtains their data, you should delete them after you finish using them. You can do this from the cPanel hosting control panel, by clicking on (FTP Accounts) to go to the accounts page.


Then remove it by clicking on the (Delete) button next to the account.


8. Update PHP language version
You must use modern versions of the PHP language to ensure that your WordPress site is completely secure and protected. To update your PHP language version, you must click on (MultiPHP Manager) in the hosting control panel.


After that, you must choose the domain whose PHP version you want to change, then choose the version you want to change to, and click the (Apply) button.


We have explained in detail how to update the PHP language version, how to find out the current version, and what must be done before updating in a separate and comprehensive article entitled (How to update PHP for your WordPress site and the importance of that), which you can view for more information on this topic.
This concludes the detailed presentation of my experience with repairing and re-securing a WordPress site that had been infected with viruses, and a review of important tips that are very useful in protecting WordPress and keeping it safe from hacking or virus infection. If your site has been hacked and you do not know what to do, or if you want to know whether your site has been hacked, I advise you to review the article (What to do if your site has been hacked? Practical tips and steps), which includes a detailed explanation of these topics.
In conclusion, I would like to point out that the steps that I applied and reviewed relate to the problem that existed on this particular site, and the steps that you must apply to your own site may differ if it has a problem; you may not need to remove the WordPress files, for example. It is nevertheless very likely that a large part of your site’s problems will be solved after applying all the steps that I have listed in this article.