It can be really painful if your website is infected with malware and your web host blocks it, denying you even the access you need to fix it via the WordPress admin panel. Insult to injury! This post addresses precisely that situation: how you can remove malware when your web host blocks your site. Some things to consider:
- Every web host worth their salt will provide you SSH access. If not, you are with the wrong host or you don't take your website seriously.
- Most web hosts will have WP CLI installed and available. If not, your host isn't serious about WordPress hosting.
How to Connect via SSH
You can connect to your account over SSH using PuTTY, or the terminal on Linux or macOS.
ssh UserName@Host -i PrivateKey.pem -p OptionalPortNumber
Once you are connected you are good to get started with the malware cleanup process.
Installing Malcure Advanced Edition
The first thing you need to do is install Malcure Malware Scanner WordPress Plugin. Enter the following command to install and activate the plugin.
Command:
wp plugin install wp-malware-removal --activate
Output:
Installing Malcure Malware Scanner & Firewall (5.2)
Downloading installation package from https://downloads.wordpress.org/plugin/wp-malware-removal.5.2.zip...
Unpacking the package...
Installing the plugin...
Plugin installed successfully.
Activating 'wp-malware-removal'...
Plugin 'wp-malware-removal' activated.
Success: Installed 1 of 1 plugins.
The next step is to activate your license key. Activation will automatically register the installation and update the definitions. Use the following command to activate it. You can get your license keys from here or here.
Command:
wp malcure activate InsertYourLicenseKeyHere
Output:
||**********************************************************************||
||*********************** © Copyright 2019 MalCure ********************||
||*********************** Author — ********************||
||*********************** Shiv / shiv@malcure.com ********************||
Success: Activated! We are setting up everything...
Success: Registration complete. Please use shivanand@malcure.com as your USER ID.
Success: Updated Malcure definitions to version: B6G1K. Count: 3209 definitions.
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
********************************************************************************
voilà! You are a proud owner of the professional plan.
Thank you Rachael! We've set up everything for you!
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
********************************************************************************
USAGE:
wp malcure help
    This help screen / information.
wp malcure info
    Displays WP info.
wp malcure hidden
    List hidden files and directories.
wp malcure register --mc-email=myemail@example.com --mc-fname="Firstname" --mc-lname="Lastname"
    Register (free) to get definition updates.
wp malcure sync
    Update definitions. Works only if you are registered.
wp malcure status
    Displays license status.
wp malcure activate licensekeyhere
    Activates license key and sets up the install (including registration, definition update).
wp malcure deactivate
    Deactivate license key.
wp malcure scan
    Initiate malware scan. The following options are supported with scan:
    --mcbatchsize="10"
        Sets number of files to scan per loop / iteration to 10. Default is 50.
    --mcsuspicious="false"
        Don't show suspicious files. Default "true"
    --mcskipdirs="wp-admin,wp-includes"
        Skip wp-admin and wp-includes directories. Expects directory name(s); comma-separated.
    --mcdebug="true"
        Show debug output.
    --mcregex="/find_.*_me/is"
        Match custom regular expression (in addition to the existing malware definitions).
    --mcdbquery="%script%" --mcdbregex="/href=\/malware/"
        Scan database with custom query and regular expression (in addition to the existing malware definitions).
As you can see above, activation does some pretty comprehensive bootstrapping and sets everything up for you easy-peasy.
The next command initiates the scan and outputs the infection(s) along with the progress bar.
Command:
wp malcure scan
Output:
||**********************************************************************||
||*********************** © Copyright 2019 MalCure ********************||
||*********************** Author — ********************||
||*********************** Shiv / shiv@malcure.com ********************||
Success: Updated Malcure definitions to version: B6G1K. Count: 3209 definitions.
Updated to the latest definitions.
You had version B6G1K
Updated version is LCIBJ
Files To Scan: 5526
Batch-Size: 50
File Scan Results:
Progress: 72 % [=============================================================================================================================> ] 0:16 / 0:21
SEVERE /home/…/public_html/…/index.php
Progress: 100% [==============================================================================================================================================================================] 0:57 / 0:21
Success: Malcure Scan Complete!
The task now is to carry out the cleanup, for which you can use your cPanel file manager or FTP client, and phpMyAdmin (in case of database infections). Just make sure you do not delete the core WordPress, theme or plugin files. You'll need to clean them up manually or via WP CLI:
Reinstalling infected WordPress Core using WP CLI
Step-by-Step guide to efficiently reinstalling infected WordPress Core using WP CLI
Reinstalling infected WordPress Plugins using WP CLI
Step-by-Step guide to efficiently reinstalling infected WordPress Plugins using WP CLI
For other non-WordPress files you can just delete the infected ones.
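The triage rule above (reinstall infected core, plugin and theme files rather than deleting them; delete other infected files) as an added shell example. It is not part of the original post or of the Malcure plugin; the function name `triage_finding` and the sample paths are constructed, and it only prints a suggested standard WP-CLI command, it does not run anything.

```shell
#!/bin/sh
# Added example: map one flagged path to the cleanup step the post recommends.
# It only prints a suggestion; it never runs wp or deletes anything.

# triage_finding WP_ROOT FLAGGED_PATH  (hypothetical helper name)
triage_finding() {
    root=${1%/}; path=$2
    case "$path" in
        "$root"/*) rel=${path#"$root"/} ;;
        *) echo "review manually: outside WordPress root"; return 0 ;;
    esac
    case "$rel" in
        wp-admin/*|wp-includes/*)
            echo "wp core download --skip-content --force"; return 0 ;;
        wp-content/plugins/*/*) kind=plugin; slug=${rel#wp-content/plugins/} ;;
        wp-content/themes/*/*)  kind=theme;  slug=${rel#wp-content/themes/} ;;
        wp-config.php|.htaccess)
            # Site-specific: a core reinstall will not restore these.
            echo "review manually: site-specific file"; return 0 ;;
        */*)
            echo "inspect, delete if not yours: $rel"; return 0 ;;
        index.php|xmlrpc.php|wp-activate.php|wp-blog-header.php|\
        wp-comments-post.php|wp-cron.php|wp-links-opml.php|wp-load.php|\
        wp-login.php|wp-mail.php|wp-settings.php|wp-signup.php|wp-trackback.php)
            echo "wp core download --skip-content --force"; return 0 ;;
        *)
            # A root-level file that core does not ship, whatever its name.
            echo "inspect, delete if not yours: $rel"; return 0 ;;
    esac
    slug=${slug%%/*}
    # Only suggest a reinstall for a plain slug; anything odd goes to a human.
    case "$slug" in
        ""|*[!A-Za-z0-9._-]*) echo "review manually: unusual $kind directory" ;;
        *) echo "wp $kind install $slug --force" ;;
    esac
}

# Constructed sample findings (not real scan output).
WP_ROOT=/home/example/public_html
for f in wp-includes/load.php wp-content/plugins/example-plugin/main.php \
         wp-content/uploads/2019/x.php wp-radio.php; do
    printf '%s -> %s\n' "$f" "$(triage_finding "$WP_ROOT" "$WP_ROOT/$f")"
done
```

`wp plugin install <slug> --force` and `wp theme install <slug> --force` only work for items hosted on wordpress.org; commercial plugins and themes have to be reinstalled from the vendor's package. Add `--version=` to `wp core download` to match the release you are running.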
Once all is well, run the scan again to see if all is clean:
wp malcure scan
At that point, in case you missed something, you can go back and clean up the remnants. Once the site is clean, change your WordPress salt keys and email your web host to unblock the website.
In case you feel “Jeez you make it look so easy. I need help!” take a look at our WordPress malware removal service.