How to Remove a Website Hack

Having malicious code or spammy redirects on your WordPress website can cause Google to display “This site may be hacked” alert when someone searches for your website in Google.

According to Forbes, 30,000 websites get hacked per day! To avoid losing traffic and being blacklisted, here is a step-by-step guide to help you remove the malware yourself.

Update WordPress and Plugins

WordPress is open-source which means that every update is published so if an update was released to fix a security issue, a hacker might create malicious code to target websites that have not been updated. First, backup your WordPress website and database so if there are incompatibilities, you can revert back. If you have customized a pre-made theme or plugins, be sure to separate out your custom code so you can copy it back in once you have updated. Be sure to also remove any plugins you are not using.

Perform a Malware Scan

There are many affordable website protection solutions like SiteLock or Sucuri that will scan your website daily and automatically quarantine malware. There are many security solutions out there but these are just the ones we have used.

Check Website Files

If you are familiar with WordPress, you can also login to your FTP to check for suspicious PHP files or redirects in your .htaccess file. However, this step should only be done by a WordPress developer if your malware scan does not turn up with anything.

Reinstall WordPress

Another step to clean your WordPress website is to download a fresh installation from Backup and upload a fresh installation to your FTP excluding the “wp-content” directory and wp-config.php. This will help you isolate the malicious code.

Change Passwords & Check Users

You should always change your FTP, Cpanel and WordPress passwords every few months and make sure you use capitals, special characters and numbers to make them more secure. Check all of your users in your Cpanel and WordPress dashboard to ensure that everyone is legitimate. Your hosting company can help you with these things if you are unsure.

Add Website to Google Console

After you have thoroughly cleaned your website, you need to register and add your site to Google Console so that it can reconsidered for search results. You will need to verify your website by uploading an HTML file to your FTP. Check that you have removed all of the suspicious snippets indexed by Google under the “security issues” section. Afterward, there is an option to “request a review” to remove “This site may be hacked” alert. This can take several weeks so you need to be absolutely sure that your website is, in fact, sparkling clean.

Removing a hack can be a long complicated process especially if you are not a WordPress web developer. It definitely pays to keep your software up-to-date, doing frequent backups and purchasing a malware scanning service to protect your website. If all of this is too daunting for you, please contact our San Francisco web development team.

Ready to discuss your project?