How to clean up a website blocked by the web host?


It can be really painful when your site catches malware and your web host blocks it, denying you even the wp-admin access you need to fix it. Insult to injury! This post addresses precisely that situation: how to remove malware when your web host has blocked your site. Some things to consider:

  1. Every web host worth their salt will provide you SSH access. If not, you are with the wrong host or you don’t take your website seriously.
  2. Most web hosts will have wp-cli installed and available. If not, your host isn’t serious about WordPress hosting.

You can connect to your account over SSH using PuTTY, or the terminal on Linux or macOS.

ssh UserName@Host -i PrivateKey.pem -p OptionalPortNumber

Once you are connected you are good to get started with the malware cleanup process.

The first thing you need to do is install the malCure WordPress malware scanner. Enter the following command to install and activate the plugin.

Command:

wp plugin install wp-malware-removal --activate

Output:

Installing malCure Malware Scanner & Firewall (5.2)
Downloading installation package from https://downloads.wordpress.org/plugin/wp-malware-removal.5.2.zip...
Unpacking the package...
Installing the plugin...
Plugin installed successfully.
Activating 'wp-malware-removal'...
Plugin 'wp-malware-removal' activated.
Success: Installed 1 of 1 plugins.

The next step is to activate your license. Activation will automatically register the installation and update the definitions. Use the following command to activate it. You can get your license keys from here or here.

Command:

wp malcure activate InsertYourLicenseKeyHere

Output:

 ||**********************************************************************||

███╗ ███╗ █████╗ ██╗ ██████╗██╗ ██╗██████╗ ███████╗
████╗ ████║██╔══██╗██║ ██╔════╝██║ ██║██╔══██╗██╔════╝
██╔████╔██║███████║██║ ██║ ██║ ██║██████╔╝█████╗ 
██║╚██╔╝██║██╔══██║██║ ██║ ██║ ██║██╔══██╗██╔══╝ 
██║ ╚═╝ ██║██║ ██║███████╗╚██████╗╚██████╔╝██║ ██║███████╗
╚═╝ ╚═╝╚═╝ ╚═╝╚══════╝ ╚═════╝ ╚═════╝ ╚═╝ ╚═╝╚══════╝

||*********************** © Copyright 2019 MalCure ********************||
||*********************** Author — ********************||
||*********************** Shiv / shiv@malcure.com ********************||


Success: Activated! We are setting up everything...
Success: Registration complete. Please use shivanand@malcure.com as your USER ID.
Success: Updated malCure definitions to version: B6G1K. Count: 3209 definitions.

^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
********************************************************************************

voilà! You are a proud owner of the professional plan. 
Thank you Rachael! We've set up everything for you!

^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
********************************************************************************


USAGE: 

wp malcure help
This help screen / information.

wp malcure info
Displays WP info.


wp malcure hidden
List hidden files and directories.

wp malcure register --mc-email=myemail@example.com --mc-fname="Firstname" --mc-lname="Lastname"
Register (free) to get definition updates.

wp malcure sync
Update definitions. Works only if you are registered.

wp malcure status
Displays license status.

wp malcure activate licensekeyhere
Activates license key and sets up the install (including registration, definition update).

wp malcure deactivate
Deactivate license key.

wp malcure scan
Initiate malware scan.

The following options are supported with scan:
--mcbatchsize="10"
Sets number of files to scan per loop / iteration to 10. Default is 50.
--mcsuspicious="false"
Don't show suspicious files. Default "true"
--mcskipdirs="wp-admin,wp-includes"
Skip wp-admin and wp-includes directories. Expects directory name(s); comma-separated.
--mcdebug="true"
Show debug output.
--mcregex="/find_.*_me/is"
Match custom regular expression (in addition to the existing malware definitions).
--mcdbquery="%script%" --mcdbregex="/href=\/malware/"
Scan database with custom query and regular expression (in addition to the existing malware definitions).

As you can see above, activation does some pretty comprehensive bootstrapping and sets everything up for you easy-peasy.

The next command initiates the scan and outputs the infection(s) along with the progress bar.

Command:

wp malcure scan

Output:

||**********************************************************************||

███╗ ███╗ █████╗ ██╗ ██████╗██╗ ██╗██████╗ ███████╗
████╗ ████║██╔══██╗██║ ██╔════╝██║ ██║██╔══██╗██╔════╝
██╔████╔██║███████║██║ ██║ ██║ ██║██████╔╝█████╗
██║╚██╔╝██║██╔══██║██║ ██║ ██║ ██║██╔══██╗██╔══╝
██║ ╚═╝ ██║██║ ██║███████╗╚██████╗╚██████╔╝██║ ██║███████╗
╚═╝ ╚═╝╚═╝ ╚═╝╚══════╝ ╚═════╝ ╚═════╝ ╚═╝ ╚═╝╚══════╝

||*********************** © Copyright 2019 MalCure ********************||
||*********************** Author — ********************||
||*********************** Shiv / shiv@malcure.com ********************||


Success: Updated malCure definitions to version: B6G1K. Count: 3209 definitions.
Updated to the latest definitions.
You had version B6G1K
Updated version is LCIBJ

Files To Scan: 5526
Batch-Size: 50

File Scan Results:
Progress: 72 % [=============================================================================================================================> ] 0:16 / 0:21 SEVERE /home/…/public_html/…/index.php
Progress: 100% [==============================================================================================================================================================================] 0:57 / 0:21

Success: malCure Scan Complete!

The task now is to carry out the cleanup, for which you can use your cPanel file manager or an FTP client, plus phpMyAdmin in case of database infections. Just make sure you do not delete core WordPress, theme or plugin files; those you’ll need to clean up manually.

For other non-WordPress files you can just delete the infected ones.
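To sort the scanner's findings into those two groups before touching anything, here is an added example (not part of the original post and not malCure code). It assumes you saved the scan output to a file and that each finding ends a line as `<LABEL> <path>`, like the `SEVERE /home/…` line above; the `SUSPICIOUS` label, the function names and the sample paths are assumptions.

```shell
#!/usr/bin/env bash
# Added example: triage flagged paths from a saved scan log.
# Assumed format: "<LABEL> <absolute path>" at the end of a line; only SEVERE
# appears in the output shown on this page, SUSPICIOUS is an assumed label.

# classify_findings LOGFILE WPROOT -> "<class><TAB><path>" per unique flagged file
classify_findings() {
  local log="$1" root="${2%/}" path rel class
  # Progress bars redraw with carriage returns, so split on them first.
  tr '\r' '\n' < "$log" |
    sed -nE 's#.*(SEVERE|SUSPICIOUS) (/.*[^[:space:]])[[:space:]]*$#\2#p' |
    sort -u |
    while IFS= read -r path; do
      rel=${path#"$root"/}            # path relative to the WordPress root
      case "$rel" in
        wp-content/plugins/*)          class=plugin ;;
        wp-content/themes/*)           class=theme ;;
        wp-content/uploads/*)          class=upload ;;
        wp-admin/*|wp-includes/*)      class=core ;;
        */*)                           class=other ;;   # any other subdirectory
        wp-config.php)                 class=config ;;  # site-specific, not shipped with core
        index.php|xmlrpc.php|wp-*.php) class=core ;;    # core files in the WP root
        *)                             class=other ;;
      esac
      printf '%s\t%s\n' "$class" "$path"
    done
}

sample_scan_log() {  # constructed sample input, not real scan output
  printf 'Files To Scan: 5526\nProgress: 40 %% [=>  ] 0:08 / 0:21\r'
  printf 'Progress: 72 %% [==> ] 0:16 / 0:21 %s\n' \
    'SEVERE /home/demo/public_html/index.php' \
    'SEVERE /home/demo/public_html/wp-includes/load.php' \
    'SEVERE /home/demo/public_html/wp-content/plugins/acme/inc.php' \
    'SUSPICIOUS /home/demo/public_html/wp-content/uploads/2019/a.php' \
    'SEVERE /home/demo/public_html/old/backup.php' \
    'SEVERE /home/demo/public_html/index.php'
}

log=$(mktemp) && sample_scan_log > "$log"
classify_findings "$log" /home/demo/public_html
rm -f "$log"
```

Files classed as core, plugin or theme are the ones to clean rather than delete; core files can additionally be compared against official checksums with WP-CLI's `wp core verify-checksums`.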

Once all is well, run the scan again to see if all is clean:

wp malcure scan

At that point, in case you missed something, you can go back and clean up the remnants. Once the site is clean, just email your web host to unblock the website.

In case you feel “Jeez, you make it look so easy. I need help!”, take a look at our WordPress malware removal service.