DEV Community

MD Pabel

The Manual Protocol: How to Clean a Hacked WordPress Site (Without Plugins)

If you manage WordPress sites long enough, you will deal with a compromised instance.

The standard advice on the web is usually "install a security plugin and hit scan." While plugins like Wordfence are excellent for detection and as a firewall, relying on them to clean a fully compromised site is risky. They can miss obfuscated backdoors buried in otherwise valid PHP files, and they do nothing about the cron job or database entry that quietly reinstalls the malware after the scan has reported the site clean.

As developers, we need a more surgical approach. I call this the Manual Core Refresh Protocol. Instead of trying to patch infected files in place, it restores file integrity by replacing every core file with a known-good copy from wordpress.org.

Here is the step-by-step workflow I use to clean infected sites.

Step 1: The Safety Net (Backup)

Before running rm -rf on anything, take a full snapshot: the whole filesystem and a database dump, stored outside the web root so the backup itself is not served to visitors. If the malware has touched wp-config.php or the database, a clumsy cleanup can brick the site, and the snapshot is also your only evidence for working out how the attacker got in.

Step 2: Verification & Diffing

Don't start deleting files based on a hunch. Verify the infection vectors first.

  • External Scan: Use Sucuri SiteCheck to see whether the payload is client-side (JS redirects, spam links, blacklist status).
  • Internal Diff: Use Wordfence (Free) to scan the filesystem. It compares every core file against the official checksums that wordpress.org publishes for your exact version, so it lists which core files were modified and which files were added that core never shipped. If you have shell access, wp core verify-checksums (WP-CLI) does the same comparison without installing anything, and wp plugin verify-checksums --all extends it to plugins that come from the wordpress.org directory.

Step 3: The Core Refresh (The Fix)

This is the most effective way to handle file-based malware (Backdoors, Shells, Trojans). Instead of patching files, we replace them.

The Protocol:

  1. Download the latest WordPress .zip from the official source.
  2. Connect via FTP/SFTP or SSH.
  3. Delete these directories entirely:
    • /wp-admin/
    • /wp-includes/
    • (Also delete the root .php files such as index.php, wp-login.php and xmlrpc.php, but **keep** wp-config.php.)
  4. Preserve these assets:
    • /wp-content/ (This contains your uploads, themes, and plugins).
    • wp-config.php (Database credentials).
    • .htaccess (Read it line by line before keeping it: attackers use it for redirect rules, cloaking and php_value auto_prepend_file. If in doubt, replace it with the default WordPress rewrite block.)
  5. Upload the clean /wp-admin and /wp-includes from the official zip.

Every file in wp-admin/, wp-includes/ and the site root now matches the official release, which is as much integrity as a file-level cleanup can give you. If the zip is newer than the version that was installed, WordPress will ask to upgrade the database on the next admin login; that is expected. Anything that still misbehaves lives in wp-content/, wp-config.php, .htaccess or the database.
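The three steps above as one script. This is an added example, not code from the original post: it assumes GNU coreutils, tar and curl, WP-CLI (wp) for the database dump, and that a clean copy of the same WordPress version is extracted next to the site. diff_core is the Step 2 check done by hand against that clean copy rather than through Wordfence; refresh_core is Step 3.

```bash
#!/usr/bin/env bash
# Added example, not code from the original post. Runs Steps 1-3 against a
# WordPress install in <site_dir> using a clean copy of the same version.
# Assumptions: GNU coreutils, tar, curl; WP-CLI ("wp") for the DB dump.
set -u

# Step 1a: file snapshot. Put $out OUTSIDE the web root so the backup is
# neither served to the world nor re-infected along with the site.
backup_files() {
  local site="$1" out="$2"
  mkdir -p "$out"
  tar -czf "$out/files.tgz" -C "$site" .
}

# Step 1b: database snapshot via WP-CLI (reads credentials from wp-config.php).
backup_db() {
  local site="$1" out="$2"
  mkdir -p "$out"
  wp db export "$out/db.sql" --path="$site"
}

# Fetch a clean copy of one exact version from wordpress.org. The live
# wp-includes/version.php tells you the version, but treat it as untrusted:
# a tampered file can lie, so cross-check with "wp core version".
fetch_clean() {
  local version="$1" dest="$2"
  mkdir -p "$dest"
  curl -fsSL "https://wordpress.org/wordpress-${version}.tar.gz" \
    | tar -xz -C "$dest" --strip-components=1
}

# Step 2: diff the live core against the clean copy. One line per finding:
# MISSING, MODIFIED, or EXTRA (a file in wp-admin/ or wp-includes/ that core
# never shipped, the classic spot for a dropped shell).
diff_core() {
  local site="$1" clean="$2" d f
  for d in wp-admin wp-includes; do
    ( cd "$clean" && find "$d" -type f ) | while read -r f; do
      if [ ! -f "$site/$f" ]; then echo "MISSING $f"
      elif ! cmp -s "$clean/$f" "$site/$f"; then echo "MODIFIED $f"
      fi
    done
    ( cd "$site" && find "$d" -type f 2>/dev/null ) | while read -r f; do
      [ -f "$clean/$f" ] || echo "EXTRA $f"
    done
  done
  # Root PHP files shipped by core (index.php, wp-login.php, ...). wp-config.php
  # is not in the clean tree, so it is never reported here: read it by hand.
  ( cd "$clean" && find . -maxdepth 1 -type f -name '*.php' ) | while read -r f; do
    f=${f#./}
    if [ ! -f "$site/$f" ]; then echo "MISSING $f"
    elif ! cmp -s "$clean/$f" "$site/$f"; then echo "MODIFIED $f"
    fi
  done
}

# Step 3: the core refresh. Removes wp-admin/, wp-includes/ and every root
# .php file except wp-config.php, then copies the clean ones in.
# wp-content/, wp-config.php and .htaccess are left untouched on purpose.
refresh_core() {
  local site="$1" clean="$2" f
  rm -rf "$site/wp-admin" "$site/wp-includes"
  for f in "$site"/*.php; do
    [ "$(basename "$f")" = "wp-config.php" ] || rm -f "$f"
  done
  cp -R "$clean/wp-admin" "$clean/wp-includes" "$site/"
  cp "$clean"/*.php "$site/"
}

# Usage: core-refresh.sh <site_dir> <work_dir> <wp_version>
# With no arguments the script only defines the functions (so it can be sourced).
if [ "$#" -eq 3 ]; then
  site="$1" work="$2" version="$3"
  backup_files "$site" "$work/backup"
  backup_db "$site" "$work/backup"
  fetch_clean "$version" "$work/clean"
  diff_core "$site" "$work/clean" | tee "$work/core-diff.txt"
  refresh_core "$site" "$work/clean"
  echo "Core refreshed; re-run diff_core to confirm it prints nothing."
fi
```

Keep core-diff.txt: the list of MODIFIED and EXTRA core files is the starting point for the wp-content/ and database hunt in Step 4, and running diff_core again after the refresh should print nothing at all.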

Step 4: Debugging Specific Vectors

The core is clean, but malware often persists in /wp-content/ or the database. Here is how to handle specific infection signatures:

1. The "Drive-By" & Registrar Suspensions

If you manage .ch or .li domains and the registry (SWITCH) suspends one, it is usually because the site was serving "drive-by" downloads to visitors.

2. JavaScript Redirects

If the site redirects to getfix.win or a similar spam domain, look in the database first (the siteurl and home options in wp_options, then post content and widget text) and then in the theme and plugin .js files, where the redirect is typically appended to the end of every file so that it survives a theme switch.

3. PHP Backdoors & Shells

Look for files that are named plausibly but behave maliciously (e.g. wp-compat.php or class-loader.php inside the uploads folder). Any .php file under wp-content/uploads/ is suspect regardless of its name: that directory should hold media only.
Signatures to look for: eval(), base64_decode(), gzinflate(), usually chained (eval(gzinflate(base64_decode(...)))) and sometimes hidden behind str_rot13() or string concatenation. These functions also appear in legitimate plugins, so confirm each hit by diffing the file against a fresh copy of that plugin.

4. SEO Spam (Cloaking)

Commonly known as the "Japanese Keyword Hack." The attacker injects thousands of spam pages, either as posts in the database or generated on the fly by a malicious plugin or rewrite rule, and cloaks them so that Googlebot sees the spam while admins and regular visitors see the normal site. Compare what the site serves to a browser User-Agent with what it serves to a Googlebot User-Agent, and check Google Search Console for indexed URLs you never created.
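The wp-content/ and database checks from the four vectors above, collected into one triage script. This is an added example, not code from the original post. It assumes GNU grep and find, curl, and WP-CLI (wp) for the database and post-listing checks; the redirect domain is passed in as a regex rather than hard-coded.

```bash
#!/usr/bin/env bash
# Added example, not code from the original post. Triage helpers for the
# wp-content/ and database vectors. Assumptions: GNU grep/find, curl,
# and WP-CLI ("wp") for the database checks.
set -u

# PHP anywhere under uploads/ is wrong by definition: that tree should hold
# media only. Names like wp-compat.php or class-loader.php are chosen to look
# legitimate, so match on location and extension, never on name.
find_php_in_uploads() {
  find "$1/wp-content/uploads" -type f \
    \( -name '*.php' -o -name '*.phtml' -o -name '*.php[0-9]' -o -name '*.phar' \) 2>/dev/null
}

# Signature grep across themes, plugins and uploads. These functions also
# appear in legitimate code, so treat hits as leads and confirm with
# "wp plugin verify-checksums --all" or a diff against a fresh download.
grep_signatures() {
  grep -rlE --include='*.php' \
    'eval[[:space:]]*\(|base64_decode[[:space:]]*\(|gzinflate[[:space:]]*\(|gzuncompress[[:space:]]*\(|str_rot13[[:space:]]*\(' \
    "$1/wp-content" 2>/dev/null || true
}

# Indicator search for a redirect domain (e.g. 'getfix\.win') in .js and .php
# files; redirect code is often appended to every .js file on the site.
grep_ioc() {
  local site="$1" pattern="$2"
  grep -rlE --include='*.js' --include='*.php' -- "$pattern" "$site" 2>/dev/null || true
}

# One pass that tags every finding so the output can be sorted or diffed later.
scan_content() {
  local site="$1" ioc="${2:-}" f
  find_php_in_uploads "$site" | while read -r f; do echo "UPLOAD_PHP $f"; done
  grep_signatures "$site"      | while read -r f; do echo "SIGNATURE $f"; done
  if [ -n "$ioc" ]; then
    grep_ioc "$site" "$ioc"    | while read -r f; do echo "IOC $f"; done
  fi
}

# Database side: the redirect target is often planted in siteurl/home, and
# SEO-spam pages show up as published posts you never wrote. Needs WP-CLI.
check_db() {
  local site="$1"
  echo "siteurl: $(wp option get siteurl --path="$site")"
  echo "home:    $(wp option get home --path="$site")"
  wp post list --post_type=any --post_status=publish --orderby=date --order=desc \
    --posts_per_page=20 --fields=ID,post_type,post_title,post_date --path="$site"
}

# Cloaking check: fetch the same URL as a browser and as Googlebot and count
# differing lines. Identical pages diff to nothing; a cloaked site returns
# wildly different HTML (a few lines from nonces or timestamps are normal).
check_cloaking() {
  local url="$1" a b
  a=$(mktemp); b=$(mktemp)
  curl -fsSL -A "Mozilla/5.0 (X11; Linux x86_64) Firefox/120.0" "$url" > "$a"
  curl -fsSL -A "Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)" "$url" > "$b"
  diff "$a" "$b" | wc -l
  rm -f "$a" "$b"
}

# Usage: triage.sh <site_dir> [ioc_regex]; with no arguments only defines functions.
if [ "$#" -ge 1 ]; then
  scan_content "$1" "${2:-}"
fi
```

Run scan_content before and after the cleanup and diff the two outputs; every UPLOAD_PHP line should be gone, and every remaining SIGNATURE line should be one you have read and explained.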

Step 5: Persistence (Why it comes back)

If you rm the malware and it returns 10 minutes later, check your cron jobs.

Attackers often schedule a task (via WP-Cron, which lives in the database and therefore survives a core refresh, or via the system crontab) that wgets the payload from a remote server again whenever it goes missing. Two other auto-loaded places are worth checking at the same time: wp-content/mu-plugins/, which runs on every request and is not listed on the Plugins screen, and auto_prepend_file in .user.ini, php.ini or .htaccess, which makes PHP include a file before every script.
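A persistence hunt covering the mechanisms just described. This is an added example, not code from the original post; it assumes GNU grep, find and stat, that the web user owns the site directory, and WP-CLI (wp) for the WP-Cron listing. flag_cron reads cron text on stdin so it can be fed from crontab -l, from /etc/cron.d, or from a file copied off a box you can no longer trust.

```bash
#!/usr/bin/env bash
# Added example, not code from the original post. Hunts the re-infection
# mechanisms described above: system cron, WP-Cron, and two other auto-loaded
# locations (mu-plugins and PHP's auto_prepend_file). Assumes GNU grep/find/stat
# and WP-CLI ("wp") for the WP-Cron listing.
set -u

# Read cron text on stdin and print entries that fetch or decode remote code.
# Comment and blank lines are dropped first so a commented-out curl is not a hit.
flag_cron() {
  grep -vE '^[[:space:]]*(#|$)' \
    | grep -E 'wget|curl|base64|php[[:space:]]+-r|/tmp/|/dev/shm/' || true
}

# Collect every system cron source for root and the web user in one stream.
# The web user is taken from the owner of the site directory (assumption).
dump_system_cron() {
  local u
  for u in root "$(stat -c %U "$1" 2>/dev/null || echo www-data)"; do
    crontab -l -u "$u" 2>/dev/null
  done
  cat /etc/crontab /etc/cron.d/* 2>/dev/null
  return 0
}

# WP-Cron lives in the database (the "cron" option), not in the filesystem,
# so a core refresh never removes it. Needs WP-CLI.
dump_wp_cron() {
  wp cron event list --fields=hook,next_run_relative,recurrence --path="$1"
}

# mu-plugins load on every request and never appear on the Plugins screen;
# auto_prepend_file makes PHP include a file before every script it runs.
check_autoload() {
  local site="$1"
  find "$site/wp-content/mu-plugins" -type f -name '*.php' 2>/dev/null \
    | sed 's|^|MU_PLUGIN |'
  grep -rHE --include='.user.ini' --include='php.ini' --include='.htaccess' \
    'auto_prepend_file' "$site" 2>/dev/null | sed 's|^|PREPEND |' || true
}

# Usage: persistence.sh <site_dir>; with no arguments only defines functions.
if [ "$#" -eq 1 ]; then
  dump_system_cron "$1" | flag_cron
  check_autoload "$1"
  dump_wp_cron "$1"
fi
```

A legitimate site usually has one cron line that calls wp-cron.php and nothing in mu-plugins unless you put it there; anything else in this output needs an owner before the site goes back online.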


Conclusion

Cleaning a WordPress site is less about magic and more about being thorough with file integrity. Once cleaned, regenerate the salts in wp-config.php (this invalidates every session, including the attacker's), rotate the database password and every WordPress, SFTP and hosting credential, remove any admin users you did not create, and make sure every plugin and theme is patched to a supported version.

Don't want to deal with the terminal?
If you are a dev focused on frontend and don't want to mess with the backend cleanup, I offer a fixed-price service to handle the manual protocol for you.

👉 Hire Me for Manual Malware Removal

Have you encountered any new obfuscation techniques lately? Drop them in the comments, I’d love to take a look.
