Advanced guide for the hacked WordPress troubleshooting

This advanced guide provides additional information for cases that are not addressed in our basic guide on how to deal with a hacked WordPress website. We recommend following the basic guide first, so that you do not make changes to your website that are not needed.

If you have a backup copy of your website, you have the option of replacing the hacked version with a safe one. This usually works, but it is not always a complete solution: the attack could be launched again from another file or folder located elsewhere in your hosting web space.

Let's start with what exactly makes the recovery of hacked WordPress websites so challenging. If you have already tried to solve the issue with the basic steps, you might have a scan report from our Support Team in your cPanel, or from Virus Scanner.

Perhaps you have already tried editing the .htaccess file, disabling themes and plugins, replacing the WordPress core files, and found that all this was not effective.

In this case, there is malware either in your account or in a particular website directory, so the first step is to clear the malware from the account or the website.

Dealing with malware
Removing malicious cron jobs
Permissions and owners
Final steps

Dealing with malware

If Virus Scanner found viruses in your account, move on to the clean-up process in the Virus Scanner menu. You will see a table with the list of the infected files and the names of the corresponding viruses. Below the table, there are three options:

  • Destroy: the whole file will be removed from your hosting panel completely.
  • Quarantine: the file will be isolated from other files, but you can find it in your account and check its content.
  • Ignore: the infected file will stay in its current location with malware.

But what can you do if Virus Scanner is not effective and viruses were not found in your hosting cPanel? Then our support team can run an internal scan and provide you with a report that contains comprehensive information about each file in your hosting panel, the viruses, and suspicious matches (if some are present). For more on this, please check how to work with your scan report.

Quick Tip: if the scan report shows something like [Virus Found]: The_name_of_virus, then you should immediately remove the file.

Since clearing viruses and removing malicious files and database entries can affect your website structure, the website may not display correctly once content has been deleted or quarantined. Make sure you have a backed-up version of your website files before removing them.
Keep in mind that Google and other search engines can block websites for malicious content at their sole discretion to avoid potential damage to user devices. In this case, your website cannot be unblocked by your host.

In your scan report, Webshell marks a file that provides remote access for a malicious actor to your website's directory or hosting account. Worldwriteable directory means that the file or directory can be written to by any user on the server, not only by the owner. In other words, an attacker can place and modify malicious scripts in such a directory because it is open to everyone. You can learn more in this guide to file permissions.

Removing malicious cron jobs

Let's imagine you have cleared your website of malicious content and viruses, but the same files are somehow recreated right after their removal. This happens because malware sometimes creates cron jobs in cPanel so that it can recreate itself or execute other malicious tasks on the server. Once you notice files being recreated after their removal, check the "Cron Jobs" menu in your cPanel account. You can remove any cron jobs that you did not set up.

It is often the case that the cron jobs that recreate malicious files use the wget command. The wget command is a non-interactive network downloader: in a cron job it sends GET requests to the attacker's server (or computer) to repeatedly update or reinstall malicious files.

When it comes to server processes, you can ask our support team to reset your light virtual environment (cage) to stop scripts that the malware has started. To see the list of active processes on the server, use one of the following commands in cPanel > Terminal:

  • ps axu (read more on this in the ps manual)
  • ps faux or top -c

This will give you a report of the processes currently active on the server. If you notice something unfamiliar or a suspicious-looking process that has to be stopped, get in touch through our Help Center.

You can also find more information on how to manage active processes on Shared and Reseller servers here.

Permissions and owners

You may find a directory cannot be removed and returns the following error message:

FileOp Failure on: /path/directory/file: Directory not empty:

This error means you do not have permission to remove the contents of the directory, because it still contains files that cannot be modified or removed with your current permissions. Detailed information about the permissions for files and folders can be found in this file permissions guide.

Note that the correct permissions are 0644 for website files and 0755 for folders. You may not have the required permissions to change these, but you can try changing the permissions of the whole directory and then deleting the folder or file again. Please follow this guide.

Remember that a file or folder marked #WorldReadable in your scan report may also mean that an attacker has more permissions on it than intended, so we suggest checking it before changing its permissions or removing it.
We do not suggest removing every file or folder matched as #WorldReadable, because such a file can be legitimate: for various reasons, the script developer may have chosen to keep it easily accessible to the user. In such situations, we recommend reinstalling the files from trusted sources and comparing the contents of the directory against the original.
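The permission and comparison checks from the two sections above, as an added shell example that is not part of the original article. It builds a small constructed directory tree under a temporary path (public_html stands in for the document root, clean_copy for a fresh copy of the same software from a trusted source), lists entries that are writable by everyone, resets files to 0644 and directories to 0755, and then lists what differs between the live tree and the clean copy. The extra file x.php and the 0777/0666 modes exist only to give the checks something to find; replace the two paths with your own to use the functions on a real account.

```shell
# Added example: find and fix world-writable entries, then compare a live
# directory against a clean copy. Everything created under SCRATCH is a
# constructed fixture; set SITE and CLEAN to real paths to use it for real.
SCRATCH=$(mktemp -d)
SITE="$SCRATCH/public_html"   # stands in for the website document root
CLEAN="$SCRATCH/clean_copy"   # stands in for a fresh copy from a trusted source

mkdir -p "$SITE/wp-content/uploads" "$CLEAN/wp-content/uploads"
printf '<?php // core file\n' > "$SITE/index.php"
printf '<?php // core file\n' > "$CLEAN/index.php"
printf '<?php // file not present in the clean copy\n' > "$SITE/wp-content/uploads/x.php"
chmod 0777 "$SITE/wp-content/uploads"          # world-writable directory
chmod 0666 "$SITE/wp-content/uploads/x.php"    # world-writable file

# List files and directories under $1 that grant write access to "other"
# (permission bit 0002), which is the condition a world-writable match
# in the scan report refers to.
list_world_writable() {
    find "$1" -perm -0002 \( -type f -o -type d \) | sort
}

# Reset to the values the article recommends: 0755 directories, 0644 files.
fix_permissions() {
    find "$1" -type d -exec chmod 0755 {} +
    find "$1" -type f -exec chmod 0644 {} +
}

# Report files present on only one side or with different content.
# Usage: compare_with_clean LIVE_DIR CLEAN_DIR
# diff exits 1 when differences exist, so treat that as success and
# only let a real error (exit 2) through.
compare_with_clean() {
    diff -rq "$2" "$1" || [ $? -eq 1 ]
}

# Remove the constructed fixture when you are done with it.
cleanup_scratch() {
    rm -rf "$SCRATCH"
}

# Demonstration: two world-writable entries before the fix, none after,
# and the comparison reports x.php as present only in the live tree.
BEFORE_COUNT=$(list_world_writable "$SITE" | wc -l | tr -d ' ')
fix_permissions "$SITE"
AFTER_COUNT=$(list_world_writable "$SITE" | wc -l | tr -d ' ')
echo "world-writable entries: before=$BEFORE_COUNT after=$AFTER_COUNT"
compare_with_clean "$SITE" "$CLEAN"
```

On a real site, review the diff output rather than deleting everything it lists: wp-config.php, the uploads folder and legitimate customisations are expected to differ from a fresh download, whereas PHP files that exist only in the live tree, or core files whose content differs, are what to inspect against the scan report.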

Final steps

After removing viruses, killing malicious cron jobs and processes, and configuring the appropriate permissions for the safe files and folders, follow these steps to return your website to working condition:

  1. Follow our guide on replacing core WordPress files.
  2. Clear LiteSpeed Cache and flush your caching plugins.
  3. Scan your hosting account again to make sure there are no malicious files left.
  4. Follow the steps for improving WordPress security that correspond to your scan report. For example, if the PHP Exploit came in through a plugin, report the vulnerability to the plugin's developers or switch to another plugin with a similar function. If the malicious script was found in the website database, change the database password in the MySQL Databases menu and in the wp-config.php file using this guide.

You can request a backup restoration if these steps are not successful. Please note that we are unable to monitor or maintain websites, so we cannot tell when or how they were attacked, or for how long the malicious files were stored in the website directories.

That's it!
