This advanced guide provides additional information for cases that are not covered by our basic guide, "How to deal with a hacked WordPress website". We recommend following the basic guide first, to avoid making changes to your website that are not needed.
If you have a backup copy of your website, you have the option of replacing the hacked version with a clean one. This usually works but is not a guaranteed fix: the restored files can be reinfected by a malicious file or folder that sits elsewhere in your hosting web space, outside the website's own directory.
Let's start with what exactly makes the recovery of hacked WordPress websites so challenging. If you have already tried to solve the issue with basic steps, you might have a scan report from our Support Team in your cPanel, or from Virus Scanner.
Perhaps you have already tried editing the .htaccess file, disabling themes and plugins, replacing the WordPress core files, and found that all this was not effective.
In this case, there is malware either somewhere in your account or in a particular website directory, so the first step is to remove the malware from the account or the website.
If Virus Scanner found viruses in your account, move on to the clean-up process in the Virus Scanner menu. You will see a table with the list of the infected files and the names of the corresponding viruses. Below the table, there are three options:
Quick Tip: if the scan report shows something like [Virus Found]: The_name_of_virus, then you should immediately remove the file.
Since clearing viruses and removing malicious files and database content can affect your website's structure, the website may not display correctly once that content has been deleted or quarantined. Make sure you have a backed-up version of your website files before removing them.
Keep in mind that Google and other search engines can block websites for malicious content at their sole discretion to avoid potential damage to user devices. In this case, your website cannot be unblocked by your host.
In your scan report, a Webshell finding means a file that gives a malicious actor remote access to your website's directory or hosting account. A Worldwriteable directory finding means the file or directory has permissions that allow any user on the server, not only the owner, to modify it. In other words, an attacker can place and run malicious scripts from such a directory because it is open globally. You can learn more in this guide to file permissions.
Let's imagine you have cleared your website of malicious content and viruses, but the same files are somehow recreated right after their removal. This happens because the viruses sometimes create cron jobs in cPanel so they can recreate themselves or execute other malicious tasks on the server. Once you notice that files are being recreated after removal, check the "Cron Jobs" menu in your cPanel account. You can remove any cron jobs that you did not set up yourself.
Cron jobs that recreate malicious files often contain the wget command. wget is a non-interactive network downloader; the cron job uses it to send GET requests to the attacker's server (or computer) so that the malicious files are constantly re-downloaded or reinstalled.
When it comes to server processes, you can ask our support team to reset your light virtual environment (cage) to stop any scripts the malware has taken over. To see the list of active processes on the server, use the following command in cPanel > Terminal:
ps axu (read more on this in the ps manual)
This will give you a report of the processes currently active on the server. If you notice something unfamiliar or a suspicious-looking process that needs to be stopped, get in touch through our Help Center.
You may find a directory cannot be removed and returns the following error message:
FileOp Failure on: /path/directory/file: Directory not empty:
This error means the directory still contains files that you do not have permission to modify or remove, so the directory itself cannot be deleted. Detailed information about the permissions for files and folders can be found in this file permissions guide.
Note that the correct permission is 0644 for website files and 0755 for folders. You may not have the required permissions to change these, but you can try changing the permissions of the whole directory and then deleting the folder or file again. Please follow this guide.
Remember that a file or folder flagged as #WorldReadable in your scan report may also mean that an attacker has broader permissions on it, so we suggest inspecting it before changing its permissions or removing it.
We do not suggest removing every file or folder flagged as #WorldReadable, because the file may be legitimate: for various reasons the script developer may have chosen to leave it broadly accessible. In such situations, we recommend reinstalling the files from trusted sources and comparing the directory contents against the original.
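The permission checks above can be scripted so that you first see what is world-writable and only then reset it. The following is an added example, not part of the original guide: it lists every file or directory under a website root that any user on the server can write to, and a separate function resets permissions to the 0644/0755 values the guide recommends. The demo tree it builds is constructed for the example; on a real account you would point the functions at ~/public_html, review the report, and only then normalize.

```shell
#!/bin/sh
# Added example (not part of the original guide): list world-writable
# files and directories under a website root, then reset them to the
# 0644 / 0755 permissions recommended in the guide. Suggested use:
#   report_world_writable ~/public_html      # review first
#   normalize_permissions ~/public_html      # then fix

# Print every file or directory under $1 whose "other" permission bits
# include write (the kind of entry a scan report flags as world-writable).
report_world_writable() {
    find "$1" \( -type f -o -type d \) -perm -o+w -print
}

# Count the findings so a before/after comparison is easy.
count_world_writable() {
    report_world_writable "$1" | wc -l | tr -d ' '
}

# Reset permissions to 0644 for files and 0755 for directories.
# Nothing is deleted; only the group/other write bits are removed and
# owner access is kept intact.
normalize_permissions() {
    find "$1" -type d -exec chmod 0755 {} +
    find "$1" -type f -exec chmod 0644 {} +
}

# Constructed demo tree (hypothetical paths) so the functions can be
# exercised offline; it mimics a world-writable uploads directory.
make_demo_tree() {
    demo=$(mktemp -d)
    mkdir -p "$demo/wp-content/uploads"
    printf '<?php // demo ?>\n' > "$demo/index.php"
    printf 'x\n' > "$demo/wp-content/uploads/odd.txt"
    chmod 0777 "$demo/wp-content/uploads"          # world-writable directory
    chmod 0666 "$demo/wp-content/uploads/odd.txt"  # world-writable file
    chmod 0644 "$demo/index.php"                   # already correct
    printf '%s\n' "$demo"
}

# Stand-alone run: build the tree, report, normalize, report again, clean up.
DEMO=$(make_demo_tree)
echo "Before: $(count_world_writable "$DEMO") world-writable entries"
report_world_writable "$DEMO"
normalize_permissions "$DEMO"
echo "After:  $(count_world_writable "$DEMO") world-writable entries"
rm -rf "$DEMO"
```

Keeping the report and the fix as separate functions matters: as the guide says, a world-accessible file is not necessarily malicious, so inspect the report and compare suspicious files against a trusted copy before changing permissions across the whole directory.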
After removing viruses, killing malicious cron jobs and processes, and configuring the appropriate permissions for the safe files and folders, follow these steps to return your website to working condition:
You can request a backup restoration if these steps are not successful. Please note that we do not monitor or maintain websites, so we cannot tell when or how they were attacked, or how long the malicious files were stored in the website directories.