Tag Archives: Malware

How to Fix a Hacked WordPress Website


When you visit your WordPress website you are randomly redirected to unwanted websites.

  • Log in your website as an Administrator.
  • Go to Appearance >> Theme Editor.
  • Click on the Theme Functions link on the right side.
  • Verify if malicious code was injected into the functions.php file.

Example of malicious code:

@ini_set('display_errors', '0');
global $zeeta;
if (!$npDcheckClassBgp && !isset($zeeta)) {
  • If yes, then download the functions.php file to your machine via FTP, remove the malicious code, then upload it to your server.
  • If you have several themes in your website then activate them one by one and repeat the procedure for all of them.
  • Open the wp-config.php file.
  • Verify if malicious code was injected into the wp-config.php file.

Example of malicious code:

include_once(ABSPATH . WPINC . '/header.php');
  • If yes, then verify content of the wp-includes/header.php file, and possibly remove the wp-includes/header.php file, then remove the malicious code in the wp-config.php file.
  • Copy a small string of malicious code, for example npDcheckClassBgp, and search for it in the content of all the files using the commands (in Windows) below.
cd C:\inetpub\wwwroot
findstr /s "npDcheckClassBgp" *.*

where C:\inetpub\wwwroot is the path of the parent of your WordPress website.

  • If you find the string in any file then review the content of the file and remove the malicious code.
  • In Windows, stop the website using the command below.
net stop w3svc
  • Delete all the files and folders except the wp-content folder, the wp-config.php, .htaccess, and web.config file.
  • Review and remove all the suspicious contents in your wp-content directory.
  • Go to the wp-content\plugins folder.
  • Delete all the plugins, especially the plugins closed due to Guideline Violation.
  • Manually re-download and unzip all the necessary plugins.
  • Download the latest version of WordPress.
  • Unzip and copy the the latest version of WordPress to the root of your website.
  • In Windows, start the website using the command below.
net start w3svc
  • Log in your website as an Administrator.
  • Remove all the unused plug-ins or themes.
  • Install, activate and configure a CAPTCHA plug-in to protect Login Form, Registration Form, Lost Password Form, Reset Password Form and Comment Form if there is no one.
  • Disable insecure FTP access if there is one.
  • Install and activate the Simple History plugin to review access to your website. After 1 or 2 days, review the access information, and possibly block the malicious IP addresses using the Windows Firewall.
  • Install, activate and configureĀ Cerber Security plug-in to automatically detect and block the malicious IP addresses.