If you’re reading this post then you probably recently had your WordPress site infected via the RevSlider vulnerability. If so, read on.
Spoiler Alert: I don’t think that WordPress is inherently insecure nor is this article about why you shouldn’t use WordPress. If anything, this issue should support my case for ongoing WordPress maintenance practices.
Disclaimer: These are steps that I have personally taken to remove the SoakSoak malware from WordPress sites that I help my clients manage. I have over six years of experience working with WordPress regularly and some of the outlined tasks are routine to me. So in other words, be careful! Any steps you take are at your own risk.
If you would like professional help cleaning up your WordPress, please contact me.
You’re going to be doing some major chopping, copying, cutting, pasting, deleting, moving, searching, hacking, gluing and all other sorts of things. Even though your site may be a bit wounded right now, you need to make a backup in case you break something further. You might also find the backup useful for examination later.
In aviation, we have a five-step acronym for what to do when we get lost, like in the clouds or a box canyon or just flat out confused.
For good reason, the first “C” in the pilots’ lost procedures is “Confess”.
That means telling your key ally (in that case, the air traffic controller) that you’re lost and you need help. Somebody with a better view of the situation needs to be alerted and to get in touch with you to help you out of your situation.
You need help and calling in the cavalry while you’re getting back on your feet is a good idea. Send them an email, call them, submit a support ticket, whatever you need to do. While you’re at it, ask them to do a full server scan with their nifty tools to identify malicious files.
You may not have a high volume of traffic and so maybe this doesn’t matter to you. But at the least it can be embarrassing if your site doesn’t look right, and at worst it is a risk to your visitors.
There are several ways to do this. If WordPress is still functioning, you could use a plugin to do it, such as JF3 Maintenance Redirect or WP Maintenance Mode. Either of these plugins will allow you to put up a custom message and to let logged-in administrators bypass the redirect, so you can work on the site and browse it live while you do.
Here’s where the incisions begin. It’s time to find out what exactly got into your server and is currently wreaking havoc on your website. An anti-virus/firewall plugin such as Wordfence or iThemes Security can help you locate issues, detect infections and do some proactive things to help you protect your website.
Knowing where the infection lies is the first step to cutting it out.
If your infection has injected files that shouldn’t be there (in classic Trojan horse fashion), it can be tricky to find them all and remove them. As long as any of these files remains within the public directories on your server, you’re likely to get reinfected repeatedly.
Typically, moving infected files to a location not accessible from outside your server will render them harmless. For instance, you could create a folder called “quarantine” at the root of your web hosting account (i.e., one level UP from the ‘public_html’ or ‘www’ directory). If you do this, rather than just deleting, you’ll be able to put some things back in case they weren’t poison after all. You’ll also have evidence to show your hosting provider or web developer to help them help you to prevent this from happening again.
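Here is an added example of the quarantine step as a small shell function (my illustration, not code from the original post). It assumes the account root contains `public_html` as the web root, moves a suspect file to a `quarantine` folder one level above it while preserving its relative path, and writes a timestamp and SHA-256 to a manifest so the file stays usable as evidence.

```shell
#!/bin/sh
# Added example, not from the original post. Assumed layout:
#   $ACCOUNT_ROOT/public_html  = web root (adjust for 'www' hosts)
#   $ACCOUNT_ROOT/quarantine   = created here, outside the web root
set -eu

# quarantine_file <account_root> <path-relative-to-public_html>
# Prints the quarantine path and returns 0; returns 1 if the file is missing.
quarantine_file() {
    root="$1"; rel="$2"
    src="$root/public_html/$rel"
    [ -f "$src" ] || { echo "no such file: $src" >&2; return 1; }
    dest="$root/quarantine/$rel"
    mkdir -p "$(dirname "$dest")"
    # Record hash and time BEFORE moving, so the manifest documents the evidence.
    printf '%s %s %s\n' "$(date -u +%Y-%m-%dT%H:%M:%SZ)" \
        "$(sha256sum "$src" | cut -d' ' -f1)" "$rel" \
        >> "$root/quarantine/MANIFEST.txt"
    mv "$src" "$dest"
    chmod 600 "$dest"   # keep the quarantined file private and non-executable
    echo "$dest"
}

# Demo on a constructed throwaway layout (not a real site): run as "./script.sh demo".
demo() {
    tmp=$(mktemp -d)
    mkdir -p "$tmp/public_html/wp-content/uploads"
    echo '<?php /* constructed sample file, not real malware */' \
        > "$tmp/public_html/wp-content/uploads/strange.php"
    quarantine_file "$tmp" "wp-content/uploads/strange.php"
    cat "$tmp/quarantine/MANIFEST.txt"
}
if [ "${1:-}" = demo ]; then demo; fi
```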
Of course you could use SSH (or some other command line method), but if you’re that proficient, you probably don’t need this article!
Alternatively, you could use any one of a myriad of free FTP applications for Mac, Linux or WinDOH!s. They’re easy to configure but you’ll need FTP credentials from your hosting account. In the case of cPanel, the cPanel login itself usually has top-level FTP credentials.
Personally, I like and use Forklift but it’s not free.
This is where you go from victim to detective. You’re going to start looking around the directory where your WordPress site is installed for files and folders that shouldn’t be there. These are typically the very files that are letting the attackers get in and/or execute malicious processes from your server.
Common clues to look for:
This in itself is a whole set of steps. If I went into detail, this would go from a long post to a really long post. But I’m going to boil it down into these ridiculously broad steps:
Using a free theme from WordPress.org?
Updating a theme is rarely quick and easy unless you’re using an official WordPress theme or any other theme without any modifications. In that case, you may see that there is an update available via Dashboard > Updates. Go ahead and follow the buttons to update. It’s easy, too.
Using a premium WordPress theme?
If you’re using a premium theme from a marketplace like Themeforest, this can be a bit more tricky. First, check the site to see if there has been an update issued later than when you installed your theme. If there is one available, the ridiculously broad version of the steps includes:
Yeah, it sounds crazy but it’s both totally easy and necessary. The reason: there are probably some files that shouldn’t be there, but they’re hiding amongst the good files like a kid hiding in a coat rack.
The best way to make sure they’re gone is to delete the entire folder and replace it with clean, freshly-downloaded files from WordPress.
NOTE: You will not do this with folders that change frequently, only core files that stay unchanged between updates.
IMPORTANT: Do not delete anything I didn’t just tell you to delete. For instance, do not delete /wp-content or anything inside it. NEVER delete wp-config.php because it contains critical information about your unique WordPress configuration.
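Before deleting the core folders, it helps to see exactly what differs from a clean copy. The following is an added example (mine, not from the original post) that compares an installed WordPress core tree against a freshly downloaded copy of the same version and reports files that are extra or modified; it skips `wp-content/` and `wp-config.php`, which legitimately differ. Both directory paths are assumptions to adjust for your host.

```shell
#!/bin/sh
# Added example, not from the original post.
# core_audit <clean_dir> <installed_dir>
#   clean_dir     = an unpacked, freshly downloaded WordPress of the SAME version
#   installed_dir = the live site's document root
# Prints one line per finding: "EXTRA <path>" or "MODIFIED <path>".
set -eu

core_audit() {
    clean="$1"; inst="$2"
    # List every installed file, strip the leading "./", and sort in C order
    # so the report is stable; wp-content and wp-config.php are site-specific.
    ( cd "$inst" && find . -type f -print ) | sed 's#^\./##' | LC_ALL=C sort |
    grep -v -e '^wp-content/' -e '^wp-config\.php$' |
    while IFS= read -r f; do
        if [ ! -f "$clean/$f" ]; then
            echo "EXTRA $f"          # not part of a clean install: quarantine it
        elif ! cmp -s "$clean/$f" "$inst/$f"; then
            echo "MODIFIED $f"       # core file changed: will be overwritten
        fi
    done
}

# Usage (paths are placeholders):
#   core_audit /home/youraccount/clean-wordpress /home/youraccount/public_html
if [ "$#" -eq 2 ]; then core_audit "$1" "$2"; fi
```

An empty report means the core tree matches the clean download; anything listed as EXTRA is a candidate for the quarantine folder, not for silent deletion.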
If you’re like me, you make serious usage of the huge array of plugins available for WordPress. After all, one could argue that plugins are what makes WordPress what it is. Now you’re going to have to delete and replace them all – manually – including and especially RevSlider.
But if you deactivate them and delete them, you’ll lose all your options from your database. That’s a bit of a conundrum.
This method will preserve the settings for each plugin stored in the database. It’s sort of a “sleight of hand” that you’re going to pull on WordPress. You’re going to delete them and replace them before it “knows” they’re even gone.
Anybody who has admin access to your WordPress has the power to corrupt it. Even if they’re trustworthy, somebody or something could be using their username to do nasty stuff.
Go to Dashboard > Users and change the passwords of all admin users to something strong, for example:
Notice the above sample password has capitals, lowercase, numbers and special characters ( @, ! ).
If you want the virus gone, you gotta do it. There’s a good chance your database password got out into the wild and with that an attacker could let themselves back in, just as if they found your hide-a-key under the dead potted cactus by your front door that mom got you before you moved out the first time. (TMI?)
Notify your web hosting provider that you need to change your WordPress database password. Many of them will be happy to do this for you because they want to remove infections like this. They cause servers to run slow and many other customers to get upset and even leave.
I knew you’d ask! Kudos to you, brave soul! If you’re savvy with FTP/SFTP, writing code and your web hosting control panel, proceed. Otherwise, see The Easy Way above.
Now’s the moment of truth… did it work?
Use the security scan plugin you installed earlier (Wordfence, iThemes Security, etc.) to run a scan again. If it comes up clean, rejoice!
Now do another backup! This time, download a copy to somewhere offsite. If you really have succeeded, you’ll have this backup to keep as a time capsule of your clean site.
They will likely have tools that you don’t, to find anything you might have missed.
If you found out about this infection through your website being marked with a security warning, you’ll need to let the powers that be know that you’ve done due diligence to remove the issues.
From now on, I recommend doing the following: