
Removal

If your site has been infected, take these steps to attempt to remove the infection. In addition to removing files and folders that are suspect (as mentioned in the Detection part of this tutorial), here are a few more ways to try to clean your site.

First Time Infection

If this is the very first time your site has been infected, you will want to take the following steps:

1. Use the steps in the Detection part of this tutorial to identify any files and/or folders that are suspect. Move them to a quarantine directory.

2. If you have found an unauthorized hidden user, log into phpMyAdmin and click on your database name on the left. Be sure the Structure tab is selected. Click on the *_users table (the * represents the table prefix you defined in the Configuration). Put a check next to any user that you know for certain is not your login or one that you authorized and click Delete. For more information on database tables used in WordPress, see the Official WordPress Database Description page.

3. Double-check the Installation part of this tutorial and make any changes you need to further lock down your site. Do not change your database table prefix or WordPress installation directory! This would cause your installation to stop working, since you'd have to change this in your database via phpMyAdmin, and that could be a very tedious task!

4. Log into your CGI Server via FTP and remove all files and folders you identified as suspect. Re-upload any cleaned files and folders you may have edited.

5. If you are using the All In One WP Security plugin, there is an option in the Database Security area that lets you change the database table prefix. Use this to create a new database prefix (much like you did during the Configuration). After making this change, be sure to download and view your wp-config.php file in a text editor so that you can verify that the prefix was changed.

NOTE: If you get an error saying it cannot make the change or that it won't change your configuration file, then right-click on the file and select to change the file's permissions or attributes. Write down the number and settings so you can restore them later. Now change the permissions of your wp-config.php file so that owner and group can write to the file (i.e., CHMOD 664). After changing the table prefix, go back in and restore the permissions of the wp-config.php file. Do not leave it writable, as this can also allow malware to adjust your configuration file and cause your site to be compromised.
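The two checks from step 5 and the note above can be scripted against the downloaded wp-config.php. This is an added example, not part of the original tutorial or of the plugin: the function names, the sample file and the permission numbers "644"/"664" passed in are constructed for illustration.

```python
import re

# Matches an active assignment such as:  $table_prefix = 'wp_';
PREFIX_RE = re.compile(
    r"""^[ \t]*\$table_prefix\s*=\s*(['"])([A-Za-z0-9_]*)\1\s*;""", re.MULTILINE)

def active_table_prefix(config_text):
    """Return the prefix PHP would end up using, or None if none is set."""
    # Drop /* ... */ blocks so an old assignment parked in a comment is ignored.
    # Lines starting with // or # never match because the regex is anchored.
    text = re.sub(r"/\*.*?\*/", "", config_text, flags=re.DOTALL)
    matches = PREFIX_RE.findall(text)
    return matches[-1][1] if matches else None   # the last assignment wins

def check_after_prefix_change(config_text, old_prefix, recorded_mode, current_mode):
    """Return a list of problems; modes are strings as shown by the FTP client."""
    problems = []
    prefix = active_table_prefix(config_text)
    if prefix is None:
        problems.append("no active $table_prefix assignment found")
    elif prefix == old_prefix:
        problems.append("table prefix is still %r" % old_prefix)
    if current_mode != recorded_mode:
        problems.append("permissions are %s, recorded value was %s"
                        % (current_mode, recorded_mode))
    bits = int(current_mode, 8)                  # "664" -> 0o664
    if bits & 0o020:
        problems.append("wp-config.php is group-writable")
    if bits & 0o002:
        problems.append("wp-config.php is world-writable")
    return problems

# Constructed sample, not a real configuration file.
SAMPLE_CONFIG = """<?php
define('DB_NAME', 'example_db');
// $table_prefix = 'wp_';
/*
$table_prefix = 'old_';
*/
$table_prefix = 'k7x_';
"""

if __name__ == "__main__":
    print(check_after_prefix_change(SAMPLE_CONFIG, "wp_", "644", "664"))
```

An empty list means the prefix changed and the file is back at the permission number you wrote down.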

Infected Again!

If you have taken the above steps and find your site is infected yet again, repeat the above steps. This time you may want to change your MySQL password as well as your CGI Server FTP password. Be sure to never provide your CGI Server FTP password in any page or form from within WordPress. Please wait up to 2 hours for the changes to take effect. Do this after you have cleaned your site files.

Another option is to ask for your site to be reinstalled from a previous backup. If you do not keep your own backups manually, you may still be able to request installation of your site from a previous backup from us. We back up sites nightly. However, we cannot guarantee that any backup will not be infected, depending on how long it has been before the infection was detected. Also, some data loss may occur, as this reinstalls database files as well. This is why it's very important that you manually back up your site and database periodically and keep backups safe.

Clean Reinstall

The best way to ensure a safe removal is a clean reinstall. There are two types: reinstall only the files on your CGI FTP server and let WordPress auto-detect and use your current database, or remove everything, including your database tables, and reinstall WordPress. Data loss is more than likely (especially if you did not back up the database when your site wasn't infected and/or you have posted since the infection). However, sometimes this may be the only way to remove an infection.

If you do a clean install, be sure to follow all steps in this tutorial to lock down your WordPress site securely so that your new installation will have less chance of re-infection.
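Before a files-only reinstall, it helps to see which files in a downloaded copy of the site differ from a fresh WordPress download of the same version. The script below is an added example, not part of the original tutorial: its function names, the LOCAL_ONLY list and the tiny demo trees are assumptions made for illustration.

```python
import hashlib
import tempfile
from pathlib import Path

# Files a working site has that a fresh WordPress download does not ship (assumption).
LOCAL_ONLY = {"wp-config.php", ".htaccess"}

def index_tree(root):
    """Map each file's path (relative to root) to its SHA-256 digest."""
    root = Path(root)
    return {p.relative_to(root).as_posix(): hashlib.sha256(p.read_bytes()).hexdigest()
            for p in sorted(root.rglob("*")) if p.is_file()}

def compare_to_fresh(site_dir, fresh_dir):
    """Sort the site's files into modified / unexpected / review lists."""
    site, fresh = index_tree(site_dir), index_tree(fresh_dir)
    report = {"modified": [], "unexpected": [], "review": []}
    for rel in sorted(site):
        if rel in fresh:
            if site[rel] != fresh[rel]:
                report["modified"].append(rel)    # stock file was altered
        elif rel.startswith("wp-content/"):
            report["review"].append(rel)          # plugin, theme or upload
        elif rel not in LOCAL_ONLY:
            report["unexpected"].append(rel)      # not part of WordPress
    return report

def build_demo_trees(base):
    """Create two tiny constructed trees (not real WordPress files)."""
    files = {
        "fresh/index.php": "<?php // stock\n",
        "fresh/wp-includes/version.php": "<?php // stock\n",
        "site/index.php": "<?php // stock\n<?php // appended line\n",
        "site/wp-includes/version.php": "<?php // stock\n",
        "site/wp-includes/cache-old.php": "<?php // unknown file\n",
        "site/wp-config.php": "<?php // local settings\n",
        "site/wp-content/plugins/example/example.php": "<?php // plugin\n",
    }
    for rel, body in files.items():
        path = Path(base, rel)
        path.parent.mkdir(parents=True, exist_ok=True)
        path.write_text(body)
    return Path(base, "site"), Path(base, "fresh")

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        print(compare_to_fresh(*build_demo_trees(tmp)))
```

Download the site copy in binary FTP mode, since ASCII mode rewrites line endings and would make untouched files show up as modified. Files listed under "review" cannot be checked against the WordPress download and need comparing with fresh copies of the plugin or theme they belong to.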

Saving Your Posts Before Clean Reinstall

Log into your WordPress Dashboard and go to Tools - Export. Choose All Content to export. This will export everything. If you want to just save one type (such as posts) click just that radio button instead. Click Download Export File. Save this to your hard drive. You can use this file from Tools - Import when you have reinstalled WordPress.

Another way is to export your database from within phpMyAdmin, then import it back in after you have reinstalled WordPress. However, this will overwrite the new untouched data, and large databases may not import due to size. In addition, you could be re-importing infected information that could expose your site to the same problems again.

A more tedious way is to save your posts via copy/paste to your hard drive and then re-post these (be sure to note the dates and download any images, files, etc. accompanying the posts) once you have a new WordPress site set up. Sometimes this might be your only option.

See Removing WordPress for how to completely remove your WordPress installation.

If your site keeps getting infected over and over

There may be some sites that keep getting infected even after clean installs and removals of all database tables. In these cases, remote bots that are not on your domain have been programmed with your domain name and WordPress directory links so that they can go in and re-infect your site regardless of whether or not you start fresh.

Here are some tips to help stop repeat infections:

• If you use the same database data or some of the same plugins/themes (even if you download the plugins/themes fresh from the plugin/theme site), you may be re-infecting your site with bad or untrusted plugins and/or themes, or pre-infected data or files.

• Be sure to use fresh files from the official WordPress site. Do not use plugins or themes that may be suspect. Do some research on the web to see if others are having problems with those plugins or themes.

• Follow all the configuration and security information in this tutorial to help reduce the chance of reinfection.

In extreme cases of reinfection, you might opt to move your blog to a new domain name. Since our hosting is only $10 per month, you could put up your new domain one month and then remove the files and cancel your infected domain the following month. This would probably be your last alternative if all other efforts fail to stop your site from being re-infected.

However, in most cases, following the configurations, setups and other security information in this tutorial can help stop repeat infections, possibly saving your domain.

 


... Active Web Hosting, 1445 American Pacific Dr. Ste 110-318, Henderson, NV 89074 ...
Phone 702-449-2337