Steps to cleaning malware
Unfortunately fixing a malware infection can be a complicated issue, in some cases it might be best to seek advise from a developer so they can resolve the issue and stop it from happening again.
- Remove infected files or if the files are required replace them with clean copies of the files. You can obtain these from any available JetBackups - although we strongly recommend you maintain your own independent off-site backups too.
- Update any passwords such as cPanel and website admin logins.
- Make sure any Content Management System (CMS) you are using, including any plug-ins are up to date - it's often better to completely remove and replace any plugins/extensions with a freshly downloaded clean version.
- Use the highest version of PHP possible.
You can change the version of PHP you're using yourself within cPanel.
These basic steps are the same whether you have a static site, or are using a CMS like WordPress, Drupal, Joomla or Magento.
More sophisticated attacks can also cause damage to your sites database. And in these cases your options, depending on your site type would be to either have the database cleaned or restore the database from a backup - as well as making all the changes above to ensure your site doesn't get re-infected.
You may also need to notify the Information Commissioners Office - details of what constitutes a notifiable breach are detailed on the ICO website - external link opens in a new window.
WordPress specific malware cleaning
- Update WordPress to the latest version.
- Change all passwords, including cPanel and database.
- Check WordPress for any additional users that might have been created.
- Change all WordPress user passwords.
- Change your WordPress access hashes in
wp-config.php. You can obtain new salts from from wordpress.org (external link opens in a new window).
- Update all plug-ins (remove and replace with fresh copies from the source or WordPress repository)
- Update all themes (and remove any unused ones).
Review the site for evidence of any malicious files (with the assistance of your developer who should be able to identify malicious or unrecognised files).
You may be able to see the attack vector via your cPanel Raw Access logs and looking for 'POST' requests to PHP files that would ordinarily not be posted to or more POSTs than you would expect.
External assistance / cleaning services for WordPress
If you are not confident cleaning your site yourself there are a number of services available, that will not only clean your site, but also then offer continued protection via a WordPress Application Firewall (WAF).
Whilst we have firewalls and security scanning in place, no single solution will ever be 100% effective - so it is important that you take steps to secure and protect your site.
Both Wordfence and Sucuri offer free and paid version of their WAF plug-ins. They also both offer site cleaning services.