This advanced guide provides additional insights for scenarios not covered in our basic guide on handling a hacked WordPress website. We recommend following the basic guide first to avoid unnecessary changes to your site.
If you have a backup of your website, you can replace the hacked version with a secure one. This often works but isn’t always foolproof, as the attack might originate from a remote file or folder located elsewhere in your hosting space.
Let’s explore why recovering a hacked WordPress site can be challenging. If basic troubleshooting steps didn’t resolve the issue, you may have a scan report from our Support Team in the Advanced Panel (powered by Webuzo) or from the Virus Scanner tool.
You might have tried editing the .htaccess file, disabling themes and plugins, or replacing WordPress core files, only to find these steps ineffective. In such cases, there’s likely malware in your account or a specific website directory. The first step is to clean the account or site of this malware.
Dealing with Malware
If the Virus Scanner detects viruses in your account, proceed to the cleanup process in the Virus Scanner menu. You’ll see a table listing infected files and their associated viruses. Below the table, you have three options:
-
Destroy: The file will be completely removed from your hosting panel.
-
Quarantine: The file will be isolated from others, but you can still access and review its contents.
-
Ignore: The infected file remains in its current location with the malware.
If the Virus Scanner doesn’t detect any viruses in your Advanced Panel, our hostbas.com support team can perform an internal scan and provide a detailed report on every file in your hosting panel, including viruses and suspicious matches (if any). Learn more about working with your scan report.
Quick Tip: If the scan report indicates something like [Virus Found]: The_name_of_virus, remove the file immediately.
Since cleaning viruses and removing malicious files or databases can impact your site’s structure, there’s no guarantee that the site will display deleted or quarantined content correctly. Ensure you have a backed-up version of your site files before deleting anything.
Note that Google and other search engines may block websites with malicious content at their discretion to protect user devices. In such cases, your host cannot unblock your site.
In your scan report, a Webshell is a file that allows a malicious actor remote access to your website’s directory or hosting account. A Worldwriteable directory indicates that the file or folder has permissions allowing external users to manipulate it, enabling attackers to run malicious scripts globally. Learn more in our file permissions guide.
Removing Malicious Cron Jobs
Suppose you’ve cleared your site of malicious content and viruses, but the same files reappear shortly after deletion. This happens because viruses sometimes create cron jobs in the Advanced Panel to regenerate themselves or perform other malicious tasks on the server. If files reappear after deletion, check the "Cron Jobs" menu in your Advanced Panel and remove any unfamiliar cron jobs.
Malicious cron jobs often include the wget command, a non-interactive network downloader that sends GET requests to the attacker’s server to continuously update or reinstall malicious files.
Server Processes
If you suspect malicious activity, you can request our hostbas.com support team to reset your lightweight virtual environment (cage) to halt scripts intercepted by viruses. To view active server processes, use one of these commands in Advanced Panel > Terminal:
-
ps axu
-
ps faux or top -c
These commands provide a report of active processes. If you notice anything unfamiliar or suspicious, contact us via Live Chat on hostbas.com.
Permissions and Owners
You may encounter an error when trying to delete a directory, such as: FileOp Failure on: /path/directory/file: Directory not empty
This error indicates insufficient permissions to delete the directory’s contents, as it contains files that cannot be overwritten. Detailed information on file and folder permissions is available in our file permissions guide.
The correct permissions are 0644 for files and 0755 for folders. If you lack the necessary permissions, try changing the directory’s permissions and then attempt deletion again. Follow this guide for details.
Note that a #WorldReadable file or folder in your scan report may indicate that an attacker has elevated permissions. We recommend verifying permissions before making changes or deletions.
Final Steps
After removing viruses, terminating malicious cron jobs and processes, and setting appropriate permissions for safe files and folders, follow these steps to restore your site:
-
Follow our guide on replacing WordPress core files.
-
Clear LiteSpeed Cache and flush caching plugins.
-
Rescan your hosting account to ensure no malicious files remain.
-
Enhance WordPress security based on your scan report. For example, if a PHP exploit was found in a plugin, report the vulnerability to the developers or use an alternative plugin. If a malicious script was found in the site’s database, update the database password in the MySQL Databases menu and wp-config.php file using this guide.
-
If these steps fail, request a backup restoration via Live Chat on hostbas.com.
Note: We cannot monitor or maintain websites to determine when or how they were attacked or how long malicious files were present.
That’s it! Reach out via Live Chat on hostbas.com for further assistance.
