How to secure your WordPress site against hacks and WordPress Malware Removal to recover from existing exploits. These are the tools and methods I use.
You wake up to find that your WordPress website or server is sending out spam email. You desperately try to stop it but it’s sending more spam faster than you can plug the leaks! Or, you want to protect your WordPress site from spam, malware, DDoS, or other exploits. What do you do?
If you’re looking for help with viruses and malware on your PC, look here: Virus and Malware Removal Tools and Utilities.
Sending out spam from your website/server will make your Search Engine Rankings suffer and also get your domain’s and server’s email blacklisted. This needs to be cleaned up as soon as possible and protected against.
Below I’ll outline what tools I use and how to proceed to clean up your site, or to protect it if it’s not currently compromised. This assumes you can still get to the WordPress admin back end. If you can’t, you’ll have to try to use FTP or cPanel to get it back to that point by restoring a backup or editing / replacing files.
A lot of what you’re able to do in these situations depends on what type of hosting account you have. With some lower-end accounts your hands are tied, and your hosting provider will probably step in and either suspend your account, delete the offending plugin(s), or do nothing (even after repeated requests).
If you have a higher-end hosting account and access to cPanel, you can do a little more with logs, etc. If you have a dedicated server you can look at services, processes, and logs, determine more about exactly what is going on and what is causing the havoc, and kill those processes.
Once you get the bleeding stopped, if the exploit was sending out spam email from your website, you will want to have support at your hosting facility delete the outbound mail queue.
Refer to my blog post 27 Essential WordPress Plugins for a list of plugins that I use and recommend (I try to keep this plugin post regularly updated), and one that is currently compromised! In this case we’re going to talk about two of them in particular.
- Anti-Malware Security and Brute-Force Firewall by Eli Scheetz at www.GotMLS.net. AWESOME plugin that can save your tail! It scans for exploits, hacks, and malware and will remove what it finds with the click of a button! If you use it with the iThemes Security plugin below, disable the options under its Firewall settings so that you’re not duplicating efforts.
- iThemes Security by iThemes. In my opinion, the best WordPress security plugin available. Protects your site from the majority of threats. To use it correctly you will need to spend some time understanding and configuring all the options. There are free and paid versions.
Triage:
If your site is currently hacked, and if you have any control left over your site at all, then do the following:
- Try to make a good backup (see my list of recommended plugins mentioned above)
- Install Anti-Malware Security and Brute-Force Firewall (screenshots below on using this plugin)
- register it (important)
- download new definitions (important)
- scan.
- Once scan is finished use the auto clean up button to do just that.
- Install iThemes Security and set its options as specified below
- Turn off Anti-Malware Security and Brute-Force Firewall’s firewall features since they’re being performed by iThemes Security plugin
- Rescan with Anti-Malware Security and Brute-Force Firewall
Non-Triage:
If your site is not currently hacked, do the following to protect your site:
- Install iThemes Security and set its options as specified below
- Install Anti-Malware Security and Brute-Force Firewall (screenshots below on using this plugin)
- register it (important)
- download new definitions (important)
- Turn off Anti-Malware Security and Brute-Force Firewall’s firewall features since they’re being performed by iThemes Security plugin
- scan.
- Once scan is finished use the auto clean up button to do just that if issues were found.
Configuration
Configuring iThemes Security by iThemes to Protect Your WordPress Site
Below is a series of screenshots showing the settings I usually use and set in iThemes Security to secure a WordPress site. Once you install and activate the plugin you can run a Security Check that will set the base settings and get you started.
In the following screenshots, I will make comments in the captions about some settings, but look at the settings in the screen-caps and especially where I’ve drawn arrows, etc.
iThemes Security Global Settings Configuration
Global Settings 1/2: Note the IP ranges added to the Lockout White List; these are Google Robot IPs. See below for my full list as of 3/2019. Also click the Add my current IP to the White List button.
Global Settings 2/2: InfiniteWP is a dashboard system for managing multiple WordPress websites. See my plugin post.
iThemes Security 404 Detection Settings
404 Detection: I prefer 10 vs. the default 20 in the Error Threshold. This triggers faster. The plugin will email alerts when it bans an IP, with a link to click to see info about the IP address.
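The threshold-and-whitelist logic behind 404 Detection, as an added example (not code from the plugin or from the original post) that you can run over a web server access log to see which clients a threshold of 10 catches that 20 would miss. The five-minute window, the Combined Log Format input, and the sample addresses and whitelist range are assumptions made for this example.

```python
import ipaddress
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Combined Log Format: ip ident user [time] "request" status size ...
LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(?:[^"\\]|\\.)*" (\d{3}) ')

def find_404_offenders(lines, threshold=10, window_minutes=5, whitelist=()):
    """Map each offending IP to the time it first reached `threshold` 404s
    inside a sliding window. window_minutes is an assumed check period."""
    allowed = [ipaddress.ip_network(n, strict=False) for n in whitelist]
    window = timedelta(minutes=window_minutes)
    recent = defaultdict(deque)  # ip -> times of its 404s still in the window
    offenders = {}
    for line in lines:  # lines must be in chronological order, as in a real log
        m = LINE_RE.match(line)
        if not m or m.group(3) != "404":
            continue
        try:
            ip = ipaddress.ip_address(m.group(1))
            ts = datetime.strptime(m.group(2), "%d/%b/%Y:%H:%M:%S %z")
        except ValueError:
            continue  # hostname instead of IP, or malformed timestamp
        if any(ip in net for net in allowed):
            continue  # whitelisted clients (crawlers, your own IP) never count
        hits = recent[str(ip)]
        hits.append(ts)
        while ts - hits[0] > window:
            hits.popleft()
        if len(hits) >= threshold:
            offenders.setdefault(str(ip), ts)
    return offenders

def _line(ip, minute, second, status, path="/old-page"):
    return (f'{ip} - - [12/Mar/2019:10:{minute:02d}:{second:02d} +0000] '
            f'"GET {path} HTTP/1.1" {status} 512 "-" "-"')

# Constructed sample log using documentation-range addresses, sorted by time.
SAMPLE_LOG = sorted(
    [_line("203.0.113.7", 0, s, 404) for s in range(0, 36, 3)]   # 12 404s in 33 s
    + [_line("198.51.100.20", 1, s, 404) for s in range(15)]     # whitelisted crawler
    + [_line("192.0.2.50", m, 0, 404) for m in range(0, 60, 6)], # 10 404s, 6 min apart
    key=lambda l: l.split("[", 1)[1])

if __name__ == "__main__":
    for limit in (10, 20):
        found = find_404_offenders(SAMPLE_LOG, limit, whitelist=["198.51.100.0/24"])
        print(limit, {ip: ts.strftime("%H:%M:%S") for ip, ts in found.items()})
```

With the sample data, the burst from 203.0.113.7 is flagged at a threshold of 10 but not at 20, and the visitor who hits ten dead links over an hour is never flagged.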
iThemes Security Banned Users Settings
iThemes Security Hide Backend Settings
iThemes Security Local Brute Force Protection Settings
Local Brute Force Protection: I prefer setting the Minutes to Remember to 45. Be sure to check the “Automatically ban ‘admin’ user” login option too.
iThemes Security Network Brute Force Protection Settings
Network Brute Force Protection:
iThemes Security Strong Password Enforcement Configuration
Strong Password Enforcement: At a minimum select Administrator… you may want to select Editor if you have lots of editors.
iThemes Security System Tweaks Configuration
System Tweaks: You may select to enable the Remove File Writing Permissions option. If you have issues with some plugins failing to perform after installing and configuring iThemes Security, this is the section I would go to first and uncheck one thing at a time and test, then re-enable it and test the next thing. I’ve had to uncheck Filter Suspicious Query Strings in the URL on a few sites.
iThemes Security WordPress Tweaks Settings
Configuring Anti-Malware Security and Brute-Force Firewall to Protect Your WordPress Site
IF and ONLY IF you have the iThemes Security plugin configured as above, turn off this plugin’s Firewall/Brute-Force settings by clicking the above 4 buttons.
Click to request a free key to enable downloading new definitions.
AFTER updating the definitions, start a complete scan for malware/hacks by clicking the Run Complete Scan button.
This shows that Malware / Hacks have been found in some of the files. After the scan finishes, click the “Automatically Fix SELECTED Files Now” button to repair.
Until next time,
Fred