It sounds scary, right?
Imagine finding out your website is redirecting to malware or bad software. Before you know it, you’re getting emails from regular readers about spammy and virus problems. That’s not a good way to stay trustworthy with your audience. It also kills your credibility with new visitors. What would you do? Where would you even start?
I haven’t had that experience on any of my personal sites, but I did have it on a client website. I was redesigning their current website, which was built with WordPress. I found out that their mobile site was redirecting to malware and 3rd party websites, which is unacceptable.
Detect & Remove Malware from WordPress
So how do you get started in even detecting malware on WordPress? As I told you before, I was testing it on mobile, and found that it was redirecting.
The problem is that I couldn’t figure out where it was coming from. Was it the WordPress install itself? Did some hacker inject code or add something to a directory inside of WordPress? If so, there are tons of files in a WordPress site.
Take a Systematic Approach
To start, its a good idea to run a scan of your website. Sucuri provides a free malware scan for WordPress sites. It can provide a window into a possible infected theme or plugin. That’s where I’d recommend anyone to start.
If the scan doesn’t produce any clues, you should move on to phase 2…
Change WordPress Themes
Go to Appearance, then Themes, and install a default theme from the WordPress repository. After installation, test your site out again. If the redirect or odd behavior stops, then the theme you were using was infected. If it persists, continue to part 2 of the diagnosis stage.
Deactivate and Uninstall Plugins
There’s a smart way to do this, where you take a practical approach. You can usually rule out staple plugins, like Yoast, Jetpack, Akismet, etc., that are found on most WordPress sites. Where I would start is less common third party plugins.
First thing’s first. A quick way to narrow it down to a plugin to begin with is to go into your file manager, through your hosting provider, or via FTP connection. Find your plugins folder and add an underscore to the front of the plugins folder, found inside of wp-content. This will deactivate all plugins in 1 shot. Test your site, and if the problem is gone, you know that the problem is a rogue plugin.
This is where I found my client’s malware problem. They were using an older gallery plugin that hadn’t been updated in 2 years. The code was outdated, and the plugin was no longer supported. It wouldn’t let me delete the plugin, which is a big red flag.
When a plugin won’t let you uninstall it from the WordPress admin area, you can get around that easily. Log into your hosting and go into the file manager, or access your site via ftp. Then, navigate to your website, find the plugins folder, which is in the wp-content folder, and find the plugin. The folder should be named the same as the plugin you want to delete. Delete that folder completely. WordPress will automatically update your site, because the plugin folder will no longer be found. Test the site again, and you should be good to go.
Preventing Future Malware Problems
Now that you have eliminated the malware issue, you can do some things to protect yourself in the future. Here are a few tips to keep things neat and tidy.
- Keep WordPress updated to the latest version.
- Keep plugins & themes updated to the latest version.
- Don’t install old plugins that haven’t been updated in months or years.
- Don’t install questionable plugins.
- Install WordPress themes that are regularly updated, like Divi from Elegant Themes.
- Install a security plugin, like WordFence. It scans for problems and keeps people out.
- Check your website regularly on all platforms for early detection of issues.
- Use good hosting companies, like Bluehost, A2 hosting, etc. You get what you pay for.
- Use Akismet to detect spam comments. Sometimes they links to malware.
If you stick to good practices and reputable plugins, you can usually avoid malware issues. A little bit of maintenance and good housekeeping goes a long way. If you run multiple sites, schedule a time once per week to go in and update plugins and themes.
Do you have any tips to detect & remove malware from WordPress? Have you had issues with malware before? How did you handle it? I’d love to hear your stories and tips for dealing with these issues.