11 Oct, 2018

Website Malware Removal Guide, Part 3: Post Cleanup and Hardening

Once your website is free of malware, it's time to perform proactive steps to harden the website configuration and set up periodic checks to make sure the site stays clean.
At this point, your site should be free of malware and suspicious code. If necessary, repeat the process as outlined here: Website Malware Removal Guide, Part 2: The Cleanup Process.

If your site has been blacklisted, you might find this post handy. If you're a ThreatSign customer, you don't have to worry about it. We will make sure your site is delisted.
Upgrade all Existing Software to the Latest Version
Outdated software poses a critical risk to website security. An unpatched vulnerability in a CMS could lead to massive reinfections and website outages. We strongly recommend upgrading all the software used on the site, so that no known unpatched vulnerabilities remain on it. This includes plugins, themes, and extensions.
Reset all Passwords
The site's account usernames and passwords open all the locks protecting your website from external attacks. If there are any passwords you didn't change in the pre-remediation phase, do it now. This includes not only accounts for human users but also internal accounts. In WordPress, the file wp-config.php contains the username and password that WordPress uses to access the backend MySQL database. If your site is compromised, there's a strong chance that someone acquired that information. Update the password in MySQL, then look for the following lines in wp-config.php and edit them to match:

define( 'DB_USER', 'username_here' );     /* the MySQL account WordPress connects with */
define( 'DB_PASSWORD', 'password_here' ); /* must match the new password you set in MySQL */

If intruders were able to inject PHP malware into your website, they had full access to this file, so they had full access to the site's backend database. From there, hackers can inject malicious content into the database, and your site might present it to users without any signs of reinfection. Changing the database password helps to make sure they're locked out.
Harden Your Website Using .htaccess
Hardening your .htaccess file provides increased protection for free. A correctly crafted Apache configuration file can block malicious HTTP requests, SQL and JavaScript injection attacks, unauthorized PHP execution, and outside modification of PHP files.

Many sites have directory browsing enabled by default. There's no good reason for it, and it can show a visitor exactly which files to attack. Turning it off in .htaccess closes off that approach.
If you always run administrative functions from the same place, you can restrict administrative login and the admin dashboard to one IP address or a small range of addresses. This will prevent anyone from breaking into the admin functions from an outside location.

There are many refinements you can add to .htaccess to restrict the opportunities for unauthorized access. This article provides some valuable tips for hardening your .htaccess file.
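The three hardening steps described above (disabling directory listings, restricting the login page and admin dashboard to a known address range, and refusing PHP execution where it should never happen) as one .htaccess fragment. This is an added example, not configuration from the original post or from Quttera; it assumes Apache 2.4 with mod_rewrite, WordPress installed in the web root, and uses 203.0.113.0/24 as a constructed placeholder for your own admin network.

```apache
# Added example (not from the original post). Assumes Apache 2.4, mod_rewrite,
# WordPress in the web root, and that 203.0.113.0/24 is a placeholder for the
# address range you administer the site from.

# 1. Disable directory listings so visitors cannot enumerate files.
Options -Indexes

# 2. Never serve the files that hold credentials or this policy itself.
<Files "wp-config.php">
    Require all denied
</Files>
<Files ".htaccess">
    Require all denied
</Files>

RewriteEngine On

# 3. Admin login and dashboard only from the allowed range; everyone else gets 403.
#    admin-ajax.php is exempted because themes and plugins call it from public pages.
#    Note: behind a CDN or reverse proxy REMOTE_ADDR is the proxy's address, not the
#    visitor's, so adjust the check to your setup before relying on it.
RewriteCond %{REQUEST_URI} ^/(wp-admin/|wp-login\.php) [NC]
RewriteCond %{REQUEST_URI} !^/wp-admin/admin-ajax\.php [NC]
RewriteCond %{REMOTE_ADDR} !^203\.0\.113\.
RewriteRule .* - [F,L]

# 4. Refuse to run PHP from the uploads tree, where injected scripts are typically
#    dropped; legitimate uploads are media files and never need execution.
RewriteRule ^wp-content/uploads/.*\.(php|phtml|php[0-9])$ - [F,L,NC]
```

Test the fragment on a staging copy first: a typo in .htaccess produces a 500 error for the whole site, and a wrong address range locks you out of the dashboard.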
Set up Daily Backups
Daily backups could be the magic that will help you to restore your website and get back to business in just a few minutes. Being able to restore from a fresh backup will help you to avoid downtime and serve at least some website visitors. Remember, though, that the backup may also be infected.
Almost every web hosting service offers daily backups. The initial effort of setup will pay for itself if there is ever a reinfection.
Enable External Security Monitoring
External, or client-side, monitoring can catch any issues that could harm visitors coming to your site. External malware scanning simulates a Web browser and checks for any signs of JavaScript infections, hidden iframes, suspicious redirections, and other malicious actions. You can periodically monitor your site using Quttera's external scanner. If you are a ThreatSign user, make sure that external monitoring is activated in the ThreatSign dashboard for all the domains in your license.

Not all infections and malware are visible to external monitoring. Malware that reports to a command-and-control server but doesn't affect the website's presentation won't be caught. We strongly recommend enabling internal (server-side) monitoring to verify that the CMS sources are free of infection.
Enable Internal Security Monitoring
Internal malware scanning identifies infections in CMS source files. It's similar to the anti-virus or anti-malware software which protects your desktop and mobile devices, only directed toward protecting a website. We strongly recommend running a periodic server-side scan on the website's source files to verify that there is no malware infection at the PHP level. We provide a free WordPress scanner plugin for download; no subscription is required. ThreatSign users can activate internal monitoring from the dashboard.

By using both internal and external monitoring, you can check your WordPress site for most forms of malware and detect blacklisting.
Use the Web Application Firewall
Quttera's Web Application Firewall (WAF) is an application firewall which operates on HTTP traffic and connections. WAF examines all HTTP requests, identifying and blocking malicious requests while passing clean, legitimate traffic through. WAF blocks common attacks such as cross-site scripting (XSS) and SQL injection. It performs virtual patching of security vulnerabilities and prevents the uploading of malicious files.

WAF continually updates its rules to guard against the latest threats. Having it active adds another security level, helping to keep your website protected.
Conclusion
This set of articles is an all-in-one overview of all the places to investigate to fix your website after it has been hacked. Manually removing malware infections from a website isn't an easy task. It requires a lot of knowledge and expertise.

Once again, be sure to back up your website before starting any remediation procedures. After the site is clean, harden the .htaccess and PHP configuration files, set up WAF to protect your site, and periodically run external and internal scans so you can quickly detect and remove any new infections.
If you aren't sure how to proceed, our malware research team is here to clean up malware for you and get your site off all blacklists. Just sign up for ThreatSign, the all-in-one website protection platform. Having ThreatSign working for you will increase cybersecurity and reduce IT costs.

Everything you need to manage the security risks — a website firewall, an incident response team to fix hacked sites, advanced malware scanning techniques, DNS/IP checkups, malware and blacklist removal, and advanced features to boost your business security online — is provided in one place.