How to clean a hacked website with WordFence for free

If your website is running on WordPress and it has been hacked, Wordfence can be used to clean it. How does a website get hacked? Hackers edit website core files and code if they are hacking it. The way that Wordfence helps you clean your hacked website is to let you compare your hacked website files against the original files. You may see our step-by-step guide on what do viruses do to a website.

Without wasting much time, let us start to discuss how to use Wordfence to see the core files that have changed on your website and how to repair or delete those files with one click. If you are busy or prefer our experienced team to take care of cleaning your hacked website for you, please contact us via our contact page.

If you want to take time to clean hacked codes from your website yourself, read on. This article will provide you step-by-step guide to help you clean your site. You may see our guide on how to block visitors from certain locations on your website.

Now, let us get started.

How to clean a hacked website with WordFence for free

Before you get started, it is good to determine whether your website is being hacked or not. Because we see several occassion where people get panicked while thinking their website has been hacked when their site is just misbehaving, an update went awry, or some other problem is happening.

Sometimes site owners might see spammy comments and can’t tell the difference between that and a hack. In this case, we advise you to check whether you are being hacked or not.

Use the following scenarios to know if your website is being hacked:

  • You are seeing spam appearing in your site header or footer that contains adverts for things like pornography, drugs, illegal services, etc.
  • You do a site:example.com (replace example.com with your site) search on Google and you see pages or content that you don’t recognize and that looks malicious.
  • You receive reports from your users that they are being redirected to a malicious or spammy website. Pay special attention to these because many hacks will detect that you are the site administrator and not show you anything spammy but will only show spam to your visitors or to the search engine crawlers. Try using an Incognito window when visiting your site, as well as visiting your site from a search result rather than typing in the URL directly.
  • You receive a report from your hosting provider that your website is doing something malicious or spammy. For example, if your host tells you that they are getting reports of spam email that contains a link to your website, this may mean you have been hacked. What the attackers are doing in this case is sending spam from somewhere and using your website as a link to redirect people to a website they own.

Once you’ve ascertained that you’ve been hacked, back up your site immediately. Use FTP, your hosting provider’s backup system, or a backup plugin to download a copy of your entire website. You may see our expert guide on how to upload website files via cPanel (step-by-step).

Make sure you also back up your website database. Backing up your website files and database helps you to make sure that you have a copy of your hacked site and you won’t lose everything.

But before you clean hacked files in your website cPanel, here are things you should know:

  • Delete anything in the wp-content/plugins/ directory and you won’t lose data or break your site. That directory only contains plugin files that you can reinstall. When you delete these files, WordPress will automatically detect that you have deleted a plugin and will disable it. So it won’t cause your site to crash. Just make sure to delete entire directories in wp-content/plugins and not just individual files. For example, if you want to delete the Wordfence plugin, you must delete wp-content/plugins/woocommerce and everything within that directory including the directory itself. If you only delete a few files from a plugin you can leave your site inoperable.
  • Sometimes, hackers may try to install themes on your website. While you should only have one theme directory that is used for your site in the wp-content/themes directory, you can delete all other themes if you know which one you are presently using. 
  • The wp-admin and wp-includes directories rarely have new files added to them. So if you find anything new in those directories it has a high probability of being malicious.
  • Never leave old WordPress installations lying around

We often see sites infected where you or a developer will back up a copy of all your site files into a subdirectory like /old/ that is accessible from the web. This backup is not maintained and attackers can get into the old site, infect it, and access your main site from the backdoor. Anytime your website gets hacked, check your old WordPress installations first because it’s likely they are full of malware.

To clean your hacked site using Wordfence:

  1. Upgrade your site to the newest version of WordPress. This is important because older versions of WordPress can have vulnerabilities.
  2. Upgrade all your themes and plugins to the newest versions as developers are constantly updating their software.
  3. Change all passwords on the site, especially administrative passwords. It is through password, that the attacker got into your site in the first place, so changing your password is important.
  4. Make another backup and store it separately from the backup we recommended you make above.
  5. Now, it is time to install a WordFence plugin. You may see our guide on how to install plugins on the WordPress website.
  6. Go to the Wordfence “Scan” menu and just click “Start Scan”. This will do an initial scan and may give you a lot of results that you will need to work through. Each result will explain what Wordfence found and guide you into resolving it.
  7. Once the scan is complete and you’ve resolved the issues that Wordfence found, you can do an even deeper scan. Go to the “All Options” menu on the left. Scroll about two-thirds of the way down to the heading that says “Basic Scan Type Options” and check the box to enable “High Sensitivity”. This will do a much deeper scan that will take a bit longer, but this scan will find really stubborn malware that is harder to detect and get rid of.
  8. If you’d like to do additional scans, you can use the “All Options” page to customize your Wordfence scan for your exact needs. Do as many scans as you’d like. There is no limit on how many scans you can do, even for our free customers.
  9. When the results come up you may see a very long list of infected files. Take your time and slowly work through the list.
  10. Examine any suspicious files and either edit those files by hand to clean them or delete the file. Remember that you can’t undo deletions. But as long as you took the backup we recommended above, you can always restore the file if you delete the wrong thing.
  11. Look at any changed core, theme, and plugin files. Use the option Wordfence provides to see what has changed between the original file and your file. If the changes look malicious, use the Wordfence option to repair the file.
  12. Slowly work your way through the list until it is empty.
  13. Run another scan and confirm your site is clean.

How does WordFence scan a website to help you clean hacked files on your website?

  • As a professional web security expert, WordFence knows what all WordPress core files such as open-source themes and plugins look like. They know when your website source files are being infected even if it’s a new infection that no one has ever seen before. They do this by comparing the publicly available original website files with what your website files have, and flag out anything that has changed you, hence hacked files.
  • We search using complex regular expressions which we call “malware signatures” for indicators of compromise. Our malware signatures are continually updated based on our database of known infections and our Premium customers get the newest signatures immediately.

Now that you have cleaned hacked files from your website, it is good to get your site removed from the Google Safe Browsing list. To do that you need to request a review from Google. Please find the detailed steps on this page in the Google documentation on how to do this.

Tips on how to keep your website files from hackers

Hope this article has shown you how to clean hacked files on your website. Now that you have successfully cleaned hacked codes from your website files, you need to make sure your site doesn’t get hacked again. Below are tips on how to do that:

  • Importantly, make sure WordPress and all plugins and themes you are using on your website are kept up to date.
  • Install an updated Wordfence plugin and run regular scans on your site.
  • Make sure you use strong passwords that are hard to guess.
  • Enable two-factor authentication.
  • Get rid of all old WordPress installations on your server.

Conclusion

Wordfence is a security tool that helps website managers and security experts to secure their websites. You may see our guide on top plugins that every website should have. If you know that this article has helped you know how to clean hacked website files using Wordfence, then please subscribe to our YouTube channel for more updates. You may also find me on Facebook for more updates.

15 Comments

  1. Khlem Podayis

    Thank you for authoring this helpful update Sir.

    • Abdul Razaq

      Hi podayis
      Thank you for sharing your feedback

  2. Keneth Okonkwo

    Wordfence is very helpful. They are the top best security plugin I have used. This is the plugin I use to detect when my website code is being altered.

    And thank you Mr Abdulrazaq for talking about it for free instead of allowing people to be with their website problem.

  3. Omnwa Sajdra

    Thanks to the creator of Wordfence and updraft Plus. They are my favorite plugins to manage My website and blogs. As I saw this article that is all about Wordfence, I was very happy to read it.

Leave a Reply

Your email address will not be published. Required fields are marked *