If you would like to check whether your website has been hacked, please check this article. We also have an article on website security; you can check it here. This article is dedicated to virus detection, curing and removal.
My website was hacked. What do I need to do?
1. Change passwords
Change all possible passwords. First of all, change the hosting and/or domain control panel password, hosting account password, FTP and email password, MySQL and MySQL user’s passwords.
2. Locate the vulnerability
Log files can help you locate the vulnerability used to hack your website. If you are not sure how to use the log files, we recommend asking an experienced webmaster to check them, or just skip to the next point. Alternatively, you can check which files were edited recently via an FTP client. Most likely, the virus is located in those files.
3. Detect virus location
In most cases, the hacker’s goal is to access your website, not to infect your PC. That’s why hackers tend to insert malicious code into one of the website’s files instead of uploading a new .exe file (executable file; the virus itself can be an executable file or "hide" inside an executable file).
You can try to download your website files and scan them with your PC antivirus; however, your antivirus will not be able to detect website viruses, as they differ from PC viruses.
Hosting companies usually provide an antivirus that is already installed in your control panel. Try scanning your website with it. Also, there are lots of various online virus scanners that you can use to detect viruses. Just be careful while choosing an online scanner because it can be a phishing website that looks completely legitimate. You can find the list of trusted antiviruses below.
- ClamAV - one of the best free antiviruses. Its virus database is updated every 4 hours. It can be installed on your PC or your control panel. Its main advantage is its versatility - it’s available for any OS: Linux, BSD or Windows.
- Comodo Web Inspector - an online antivirus and malware scanner. You can check the symptoms of malware "infection" and, if any of them applies to your site, fix it for free. Full protection is paid, at $10/mo, but it’s worth it because the protection includes lots of useful features such as blacklist repair and removal, a fully managed web application firewall, a secure content delivery network (CDN), and protection from DDoS attacks, SQL injections and XSS (cross-site scripting).
- Sucuri - a quite popular, accurate and free online virus and malware scanner. It is also possible to purchase full protection at an additional cost. Similar to the previous one, full protection has lots of features that include 24/7 monitoring and a firewall.
- CXS (ConfigServer eXploit Scanner) - a very nice solution for Linux distributions, especially if it is used together with ClamAV. It scans scripts and files, particularly the ones that were edited recently, proactively monitors the system and removes or fixes infected files. You can check the whole feature list on the official website (the link is located above). The price of the tool is $60, but it is a lifetime license (you pay only once and use it as long as you wish).
4. Remove/delete viruses
You need to delete all of the "infected" files. The easiest and safest way is to replace them with files from your backup. In case you do not have a backup, you can either remove those files or try using a tool (antivirus, scanner etc) that fixes and cures "infected" files.
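To see which files differ from a known-good backup before replacing anything, the two trees can be compared by hash. The following is an added example, not part of the original article; the function names and the sample files are constructed for illustration.

```python
import hashlib
import tempfile
from pathlib import Path

def sha256_of(path):
    """Hash a file in chunks so large uploads do not exhaust memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as handle:
        for chunk in iter(lambda: handle.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()

def manifest(root):
    """Map each file's path relative to root to its SHA-256 digest."""
    root = Path(root)
    return {p.relative_to(root).as_posix(): sha256_of(p)
            for p in root.rglob("*") if p.is_file()}

def compare_with_backup(backup_root, live_root):
    """Return files added, modified or missing relative to the backup."""
    backup, live = manifest(backup_root), manifest(live_root)
    return {
        "added": sorted(set(live) - set(backup)),
        "modified": sorted(n for n in live.keys() & backup.keys() if live[n] != backup[n]),
        "missing": sorted(set(backup) - set(live)),
    }

def demo():
    """Build two small constructed trees and compare them."""
    with tempfile.TemporaryDirectory() as tmp:
        backup, live = Path(tmp, "backup"), Path(tmp, "live")
        for root in (backup, live):
            (root / "inc").mkdir(parents=True)
            (root / "index.php").write_text("<?php echo 'home';\n")
            (root / "inc" / "db.php").write_text("<?php // db settings\n")
        (backup / "robots.txt").write_text("User-agent: *\n")
        # Constructed changes: an appended line and an unexpected new file.
        with open(live / "index.php", "a") as handle:
            handle.write("<?php /* constructed injected line */\n")
        (live / "wzxp.php").write_text("<?php // constructed unknown file\n")
        return compare_with_backup(backup, live)

if __name__ == "__main__":
    for kind, names in demo().items():
        print(kind, names)
```

Files reported as "added" or "modified" are the ones to inspect or restore; legitimate updates made after the backup was taken will show up in the same lists.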
What kind of files do I need to remove?
In case your antivirus is merely a scanner (it does not fix or cure files), you can remove the "infected" files. Another option is to compare the "infected" file with the file from backup. Alternatively, you can look through your files and locate the following:
- Words such as "exploit", "shell", "javascript", "iframe", "unescape", "eval", "String.fromCharCode" and "document.write";
- "Behavior" attribute in CSS files;
- Infected pictures. It is quite hard to cure them, so you need to either delete them or replace them;
- "Iframe" in databases should be deleted (You need to save the database to your PC and open it with a text editor, such as NotePad++);
- Files such as wzxp.php, whose names are unusual for a CMS, should be removed;
- Malicious code or redirects to an unknown site in .htaccess files;
- Base64 code such as
"TWFuIGlzIGRpc3Rpbmd1aXNoZWQsIG5vdCBvbmx5IGJ5IGhpcyByZWFzb24sIGJ1dCBieSB0
aGlzIHNpbmd1bGFyIHBhc3Npb24gZnJvbSBvdGhlciBhb"
- eval() or preg_replace() functions.
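A manual search for these indicators can be scripted. The following is an added example, not part of the original article: it covers a subset of the checklist (eval()/preg_replace() calls, JavaScript obfuscation helpers, iframes, long Base64 runs, the CSS "behavior" property and external redirects in .htaccess), and the rule names, regular expressions and sample files are this example's own assumptions.

```python
import re
import tempfile
from pathlib import Path

# Indicators come from the checklist above; the regexes are this example's assumption.
RULES = {
    "eval-call": re.compile(rb"\beval\s*\("),
    "preg_replace-call": re.compile(rb"\bpreg_replace\s*\("),
    "js-obfuscation": re.compile(rb"unescape\s*\(|String\.fromCharCode|document\.write"),
    "iframe-tag": re.compile(rb"<iframe\b", re.I),
    "long-base64-run": re.compile(rb"[A-Za-z0-9+/]{60,}={0,2}"),
}
CSS_BEHAVIOR = re.compile(rb"\bbehavior\s*:", re.I)
HTACCESS_REDIRECT = re.compile(rb"^\s*(RewriteRule|Redirect(Match)?)\b.*https?://", re.I | re.M)
TEXT_SUFFIXES = {".php", ".js", ".html", ".htm", ".css", ".sql"}

def scan_file(path):
    """Return the sorted indicator names found in one file (path is a Path)."""
    data = path.read_bytes()
    if path.name == ".htaccess":
        return ["htaccess-external-redirect"] if HTACCESS_REDIRECT.search(data) else []
    hits = [name for name, rule in RULES.items() if rule.search(data)]
    if path.suffix.lower() == ".css" and CSS_BEHAVIOR.search(data):
        hits.append("css-behavior")
    return sorted(hits)

def scan_tree(root):
    """Scan text-like files under root; return {relative path: indicators}."""
    root = Path(root)
    report = {}
    for path in sorted(root.rglob("*")):
        if path.is_file() and (path.name == ".htaccess" or path.suffix.lower() in TEXT_SUFFIXES):
            hits = scan_file(path)
            if hits:
                report[path.relative_to(root).as_posix()] = hits
    return report

def demo():
    """Scan a small constructed site tree."""
    with tempfile.TemporaryDirectory() as tmp:
        site = Path(tmp)
        (site / "index.php").write_text("<?php echo 'hello';\n")
        (site / "wzxp.php").write_text("<?php eval(base64_decode('" + "QUJD" * 20 + "'));\n")
        (site / "style.css").write_text("body { behavior: url(x.htc); }\n")
        (site / ".htaccess").write_text("RewriteRule ^(.*)$ http://unknown.example/$1 [R=302,L]\n")
        (site / "footer.js").write_text("document.write(unescape('%3Cp%3E'));\n")
        return scan_tree(site)

if __name__ == "__main__":
    print(demo())
```

A hit is a lead for manual review, not a verdict: legitimate CMS code, minified scripts and embedded images also contain eval(), document.write and long Base64 strings.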
Viruses detected and removed. What next?
If you used an antivirus (scanner) installed in your control panel to scan your website and fix all of the issues, then all you need to do is test it to check if everything works correctly.
In case you downloaded your website files and scanned them with a PC antivirus (which we don’t recommend), you need to delete all files from the website and upload the already scanned ones. Then you need to check if everything works correctly on your website. If not, you will need to reinstall the CMS and upload files from a backup, for instance. Most likely, the virus either removed important code from your files or the antivirus removed parts of code that it considered to be malicious (and they weren’t). That’s why we recommend using trustworthy antiviruses or online scanners (you can find them above) rather than a PC antivirus.
Once more
We recommend scanning your website one more time and changing all of the passwords (hosting and/or domain control panel password, hosting account password, FTP and email password, MySQL and MySQL user’s passwords) once again.
Enhance website security
If you merely remove viruses, it’s very likely that your website will be "infected" with them again quite soon. To prevent this from happening, we recommend enhancing your website security by following this guide.
Sometimes the issue can be with the hosting provider. For instance, hackers may have used a vulnerability in software installed on the server to access a "neighbour" website on your server. In this case your site can get infected as well. You need to inform the support team about this issue or just find a more reliable hosting provider.
Please note that if your site is "infected", you need to fix it as soon as possible because search engines may unlist your site (as it can contain malicious content that can potentially harm visitors) and it will be quite hard to return your ranking positions afterwards.
My website was not hacked. Do I need to do something to prevent such situations?
1. Website and database backup
Lots of companies offer free daily backups. Still, we recommend making them on your own. Firstly, even the most reliable hosting providers may have temporary issues with their servers. This is absolutely normal; however, your backups can be erased or not saved. Secondly, only files that were changed recently will be backed up by the hosting provider. They do not make a full database and website backup every day. That’s why we recommend saving backups on your own on a remote server (more secure than your PC).
2. PC virus scan
Scan your PC every day. Use a reliable antivirus that updates its virus database at least every 24 hours (every 6 hours would be even better). You can also schedule an automatic virus scan; however, please make sure that you don’t give the antivirus permission to automatically remove suspicious files.
3. Website scan
We recommend scanning your website at least three times a week. Also, it’s very important to scan the site before and after you install a new plugin/theme/module, even if they were downloaded from the official website.
