One of the worst feelings in the world can be getting a notification or seeing for yourself that your site has been compromised. It could be that you received a notification from Google, or a report from one of your users that your site is behaving strangely. It may even be a notification from WP Engine that we’ve detected malware on your site. By following these steps you can ensure your site is cleaned, warnings are removed, and that your site stays clean too.
Step one: Review the flag
The first step is to take stock of what has been compromised. Make sure you know what page(s) Google or your user has noticed contain malware, and get specifics if possible: is there a redirect to a bad site? Popup spam? Malicious scripts? Warnings from Google or your own security software on your computer? Make a note of these, as these details will come in handy in the following steps.
Step two: Make a backup
Next you should make a backup of your site in its current condition. If your site is hosted on WP Engine you can do this easily through your User Portal. Log into my.wpengine.com and click the affected install from the Dashboard. Then click “Backup points” and create a new backup labeled: “Backup (date) – INFECTED VERSION”.
This not only enables you to keep track of the time and date your site was infected, but also to know this version should not be restored to. You can take this backup if needed, and pull specific parts out to restore just in case anything goes wrong in the cleanup process.
Step three: Assess the damage
The next step involves running a free site check with Sucuri, a security authority. First, enter your domain or the URL that Google flagged as containing malware. Sucuri will scan the site and let you know if they detect malware or any other warning signs. This will unmask any potential areas that need to be cleaned up, for you to address.
Step four: Fix the damage
Now that you know what’s compromised, it’s time to fix the damage. If you host your site with WP Engine simply Contact Support through your User Portal and our team will help get a security scan and cleaning set up for you. Be sure to provide our Support team with the details surrounding the infection and the symptoms your site is experiencing as a result. If you don’t host your site with WP Engine, you can see if you are able to find the malicious code or database entries yourself, or seek professional help. For example, Sucuri offers an option to scan and clean hacked sites if you need professional help with code or database cleaning.
Step five: Prevent reinfection
After the scan, site owners should run through some quick checks to ensure the site is secured from any further reinfection:
- Update WordPress, plugins, and themes. Most malware infections by far are from outdated software. While WP Engine keeps your WordPress files up to date, security is also a partnership. Since we allow you to use the plugins and themes you want, this means these updates are in your hands. If you manage many sites and updating them individually is difficult, consider an option like MainWP or ManageWP to help manage these updates all in a single dashboard.
- Secure your forms. Ensure your login pages, comments, and forms all have a Captcha or other security measures to both prevent spam and increase security.
- Audit admin users. Take a critical look at the administrator-level users in your WordPress Admin Dashboard. Make sure only the users who truly need Administrator access have this level of access. You should also ensure that none of your Administrators are simply named “admin,” – this is the most common username and is easy for bad-actors to guess.
- Ensure strong passwords. Make sure all Administrator users are using a secure, randomly-generated password.
- Audit SFTP users. Log into the User Portal and click the affected install on the Dashboard page. Select “SFTP users” from the list and look through the users on file. If you do not recognize or need any users here, simply remove them so these users no longer have access to add or change files on your site.
- Add additional security. You can further protect your site by using systems like CloudFlare to mask your server’s IP address, Sucuri CloudProxy to block bad actors, or by just adding plugins like iThemes Security or All-in-One WP Security to add a number of security enhancements.
Step six: Submit clean site to Google
Since your site is now clean, you can submit your site to Google for review so they can remove any malware warnings on your site’s search results. To have Google review your site, log into your Google Search Console and click Messages to view the warnings and request review. Please allow up to 72 hours for Google to review and remove the warning.