How to Clean Your Hacked Website

You need to keep your WordPress dashboard, plugins and themes always updated! If you don’t, chances are that your website is vulnerable right now!

There was a security breach in MailPoet on versions lower than 2.6.8 (July 2014). This issue made your website very vulnerable. It is fairly easy to know if your website got hacked through an outdated version of MailPoet installed on your website.
Open your FTP program or the File Manager from your host’s control panel and navigate to this path: wp-content/uploads/wysija/ 
If you see any .PHP files inside this folder (or any sub-folders), then it means your website was hacked.

Some hosting companies have automatic daily backups. Check to see if yours has this feature before proceeding with the steps below. That way, it will be easier to restore your website to a safer version.
Steps to Clean Your Website

Make sure you know what you’re doing. If you’re not familiar with these tools, get help from an expert.

Most of the malware infections that we have seen at MailPoet’s support infect each .PHP file on your website. As such, the main strategy is to replace the infected .PHP files for cleaner versions, wherever it is possible. When this is not possible, manually open the infected file and remove the malware string at the top of the file. Our method below consists of replacing some WordPress native folders (wp-admin and wp-includes) entirely for clean versions, in order to narrow our work in the wp-content folder.

Inside this folder, we need to look for infected files in your theme’s files (wp-content/themes/your-theme-folder/) and inside the wp-content/uploads/ folder (especially the wp-content/uploads/wysija/, where most of the malware often resides).

The procedure below doesn’t require touching the database. The following process will keep the database untouched. When you finish all the steps below, your website will stay exactly as it was before.
  1. Access your website files through a FTP program (or the File Manager from your host’s control panel) and download all files to your local computer on a folder named “Working Folder”.
  2. Make a copy of the local files you have just downloaded to another folder. Name this folder “Website Infected Backup” so that you can have a backup of all your files before the following procedure.
  3. Go to your folder “Working Folder” and delete the folders wp-admin and wp-includes.
  4. Download the latest version of WordPress: https://wordpress.org/
  5. Extract the .zip file from the WordPress download and copy the folders wp-admin and wp-includes to your folder “Working Folder”. Now, of the 3 WordPress folders, 2 are already malware free.
  6. Now comes the boring part: Go to your root directory (root means the folder that contains the subfolders wp-admin, wp-content and wp-includes, on our case the “Working Folder”) and check all the .php files inside (index.php, wp-config.php, wp-cron.php, etc). Open these files on a text editor and check for the first line of code on all of them. Some types of malware infect every .php file, while others don’t. We want you to check the first lines of those files and look for strange code patterns. Here’s as an example:
  7. malware-example
  8. You’ll need to remove this line. Beware to not remove any needed code from your files.
  9. After you have cleaned all the .php files on your root directory (“Working Folder”), you will need to do the same to all the files inside all the folders and subfolders within the wp-content folder.
  10. Inside the wp-content/plugins/ folder, it is quicker for us to just write down the names of the plugins in use, delete all the folders inside (this means removing all plugins) and then re-install them again, one by one, on your WordPress Dashboard.
  11. Check the wp-content/uploads/wysija/ folder for any .php files. If you find one, delete it immediately. There should not be any .php files inside the wysija folder.
    Check all your other files for strange .php files.
  12. As soon as everything is cleaned your local “Working Folder”, access your website from your FTP program. Delete everything on your site and then re-upload your cleaned web site, which is the “Working Folder“.
  13. Access your WordPress Dashboard and check your Users menu. Make sure you don’t have any strange Users with Administrator access to your website.
  14. Change your Administrator password. If possible, also change all of your other passwords (FTP, MySQL Database, and the ones located at wp-config.php).
  15. Now, you will probably have  to re-install all your plugins if you have removed them in Step 10.
  16. That’s it, everything should be back to normal!

Three important steps to keep your site safe in the future:

  1. Always keep your WordPress and plugins updated to the latest version. Check your plugins regularly for updates.
  2. Create a backup of your site’s files and database on a regular basis.
  3. Subscribe to our newsletter or follow @mail_poet on Twitter to get important updates.
Additionally, read the WordPress.org FAQ on having your site hacked.

We’re deeply sorry about the whole situation. The last thing in the world we wish to our users is to have their sites hacked.