Cleaning Up a Virus infected / malicious WordPress Website files/folders | Saujan Man Pradhan | Skillshare
Cleaning Up a Virus infected / malicious WordPress Website files/folders

Saujan Man Pradhan, WordPress Designer and Graphic Designer

Lessons in This Class

  1. Introduction Clean a WordPress website (2:05)

  2. Scan, Backup & Understand about WordPress (6:37)

  3. Clean the infected WordPress website manually (13:56)

  4. Make the website online and re-scan site with a Plugin (6:22)


70 Students


About This Class

Your WordPress site, or a client's, may be hacked or have malicious code added to it. Such code can block access to the WordPress dashboard or redirect visitors to other websites. This course is designed to give you an insight into how you can clean your WordPress website if it is infected. We will be cleaning all the WordPress files and folders except the database. Here's a brief of what's included in the course:

  1. Scanning the website online: There are numerous online website scanners that can tell us whether the website is infected and give us more information about the infection.

  2. Backing up the WordPress website: It is always a good idea to back up the website. If you happen to delete anything important while cleaning the site, you can always restore it from the backup.

  3. Brief about what makes up a WordPress site: Knowing how WordPress is composed makes the cleaning work clearer.

  4. Cleaning the WordPress files and folders manually: This is possibly a slow yet effective approach to cleaning the WordPress website. It can assure that the malicious code has been deleted.

  5. Scanning the website with a free plugin: To reconfirm whether the site is clean, we will learn about a free plugin that scans the whole website and reports whether the site is infected.

Thus, this course offers useful information on cleaning a WordPress website, so please join the course!

Meet Your Teacher

Saujan Man Pradhan, WordPress Designer and Graphic Designer

Greetings everyone!

I am a WordPress Developer, Graphic Designer and Social Media Marketing Expert with a Master's degree (MBA) from Nepal and more than 8 years of experience in designing and marketing.

I have been working as a WordPress Developer for more than 5 years now. I have worked on both back-end and front-end development, including WordPress themes and plugins. I do theme customization, designs and much more. Being a Graphic Designer helps me play with color choices and also communicate better with clients, as I sometimes use an image to showcase the actual design before it is made.

For graphics I mostly use Adobe Photoshop to turn my concepts into reality and also use Microsoft PowerPoint to present the ideas through presentat...

Level: Intermediate


Transcripts

1. Introduction Clean a WordPress website: Greetings everyone. I am Saujan Pradhan and I will be your instructor for this course. I have been working with WordPress for quite a long time now. Thus, I would like to share how you can clean all the files and folders of a virus-infected WordPress website. According to Sucuri, out of it, thousand infected websites, 74% were built on WordPress. If you run a quick scan at sitecheck.sucuri.net, you will see the stats of your website, and it gives you an idea if your site is infected or not. Thus, the objective of this course is to clean all the WordPress website's files and folders. Please note, we will not be working on the database. What will we learn in this course? In this course, you will learn the basic knowledge about WordPress, that is, how WordPress websites work and what files and folders can be easily replaced. And of course, you will learn a different approach to clean the WordPress files and folders. We will first clean the website manually and then run a scan using a free plugin. Here's a brief of what's included. We will scan the website online to check for viruses, then back up the whole WordPress website, understand in brief what makes up a WordPress website, clean the WordPress files and folders manually, and again rescan the website using a free plugin. What are the requirements for distillation? First, you will need to have all the credentials to access your WordPress website. After having all the access ready, we will use a simple yet effective approach to clean the site. Anyone having a basic knowledge of WordPress can clean the infected website, and you do not need to have any coding skills. Everything has been clearly explained. Conclusion: by the end of this course, you should understand how WordPress websites are composed and how you can clean the site's files and folders. Let's get started.

2. Scan, Backup & Understand about WordPress: Greetings everyone.
In today's video, we will quickly learn how you can remove viruses or malware from WordPress websites. We will be working with WordPress files and folders and not the database. Let's get started. This is the website we are trying to clean. As you can see, the site is not accessible; the access is denied. And even if I try to log into wp-admin, I cannot access the WordPress dashboard. There could be many reasons for not being able to access the website. However, in this case, we know this site is infected and it's all because of some malicious code. To reconfirm this, let's go to the site sitecheck.sucuri.net. This website basically tells you if the site is infected or not. The information given may not be 100% correct, but it will surely identify the obvious cases. As you can see, this site is infected. It has been infected by the Japanese SEO spam virus. So now we need to clean this website. After cleaning it, it should come out clean. Anyway, before working on cleaning up the website, let's first take its backup. Now that we have confirmed that the site is infected, and since we cannot access the dashboard, we will need to log in to the site's cPanel, where all the files and folders are. Let me quickly access the cPanel. If you are not sure about the cPanel, please ask your hosting provider. Anyway, let me log in with the credentials. Since I have two-factor authentication, let me add the code. Now we are on the cPanel. Your cPanel might look a little different depending on your hosting provider or the packages you are using. But anyway, the files and names will be something similar. Find the File Manager and click on it. Here you can find all your website files, usually under public_html. If you are using shared hosting, then look at where your website files are. Here are all our website files. These files are infected with the virus, but we're not sure which files are infected.
So before proceeding with anything, we highly recommend backing up your site files. So let's back up the website. Since there might be hidden files and folders, go to Settings, Show Hidden Files, and save. Now here are all the files. Select all, then right-click on any folder, Compress, Zip Archive, and Compress Files. All the files have been zipped. Let me reload to see the zip file. So here is the zip file. Since it took a little longer, I had a zip file made ready. Anyway, this zip file contains all website files and folders. So let's download it: right-click and download. While this is downloading, again go back to your cPanel, find phpMyAdmin, and click on it. Since this is shared hosting, there are lots of databases. If you have only one site, you will only see one database. You can find the database name in the wp-config.php file. Anyway, here's the database of the website. Click on Export and click on Go. We are basically backing up the whole website files and the database. While these files might be infected, they can still be very useful just in case anything happens. All the files have been downloaded. Show in folder. So here are all the files. Let me keep them on the desktop. I will keep them inside a new folder. Here are our website files and folders, and here is the database. I will delete the zip file from the File Manager. Let me close this all. Now we have the whole backup of our WordPress website. So earlier we backed up all the website files, though all files aren't actually necessary. Then, before removing the virus, let's briefly understand what actually makes up a WordPress website. Basically, every WordPress website includes the WordPress installation files and folders, which can be downloaded from wordpress.org, a database, the wp-content folder, which includes all themes, plugins, photos, etc., and the .htaccess file plus the wp-config.php file. This all makes up a WordPress website. Now here are our backup files, which include everything.
If I open it and open the zip file, you can see loads of files and folders there, but most of them are actually default WordPress installation files. So to make our work faster and easier, let's extract the wp-content folder, which contains all themes, plugins, photos, etc., the .htaccess file and the wp-config.php file. With these files, the database and a WordPress installation, we can duplicate any website. Anyway, let's extract them. I will create a folder here, "clean website", and extract all files. All the required files have been extracted. Let me close this. Now we have all the required files and folders, so we need to clean them all.

3. Clean the infected WordPress website manually: So now let's begin to clean our website. Before going to the wp-content folder, let's check if there are any suspicious codes in the wp-config.php file. Let me right-click on it and open it with Notepad++. If you do not have Notepad++, open the browser and Google Notepad++. Click on this one and download the latest version. Download the installer and simply install it. Notepad++ is also available for 32-bit PCs. Anyway, after installing Notepad++, open the wp-config.php file with Notepad++. Now scroll and see if there are any suspicious codes. This is what the config file should look like. It looks all good. This section is always there and it's not a virus. No fancy code has been added at the top, so it's all good. Likewise, also check the .htaccess file. Let me open it with Notepad++. The .htaccess file also looks all good. If you see lots of things here, they could have been added by the plugins. If you're not sure, you can skip this file; a new .htaccess file will be automatically created, but do keep it as a backup. So it seems both the .htaccess file and the wp-config.php file are clean. To reconfirm if these files are clean or not, you can also go to virustotal.com and choose a file. Confirm file. This file looks all fine.
Likewise, let's scan the other file too. Both of them look all good. Now let's go to the wp-content folder. You will see lots of files and folders in the wp-content folder. Some of them will be automatically generated later. Plus, we have the whole backup of the website, so we are in a way safe from losing any files. I will delete the cache, log, PHP and other files. These files will be auto-generated if they are required. This backup is from a plugin. Just keep the index.php file. I'll delete this cache folder. You can delete this too. You can delete languages as well, and delete the logs. So we have these folders. Let's check upgrade. It's empty. We can delete this too. Basically, we are trying to eliminate more files and folders so that the scan will be quicker. Now we have plugins, themes and uploads. The plugins folder has all the plugins your site is using. Likewise, the themes folder has the themes your site is using, and uploads contains photos, videos, PDFs, text, etc., which have been uploaded by you. Upload contains year and software demands. Anything else is actually from the plugins and will be regenerated, so you can delete them too. If I check a folder, it will have some monthly folders with photos, videos, etc. Now that we have deleted most of the unnecessary files, let's start with cleaning the plugins. If your website has only a few plugins, then we suggest replacing them manually, that is, downloading from the original source and replacing them, simply because plugins have loads of files and folders and it will be very difficult to clean them one by one. If we download and replace from the original source, they will definitely be clean. However, if you have too many plugins, it might be a little more time-consuming. Still, it will be a better option to clean them manually, or else in the later part of the video we will also learn to clean them using another plugin. Anyway, let's download these plugins. I prefer to rename and copy it, as it assures the exact name.
You can Google the name, something like this. This is the plugin. But in case you are not sure if this is the plugin, simply open the plugin folder and click on the readme. Then you can see the plugin details, contributors, and other details, and see if the description perfectly matches or not. After confirmation, simply download it. Likewise, download all the plugins. For free plugins, you can directly search over here, click on it, and download. For paid plugins, please go to the respective site and download them. Anyway, so now we have downloaded all the plugins. Here are all the downloaded plugins. Let me put all of these inside the plugins folder. Just to reconfirm, if you have downloaded all the plugins, you can delete all the old plugins. All the plugins have been deleted. Now extract each plugin. All the plugins have been extracted. You can now delete all the zip files too. Now, since we downloaded these plugins from an authentic website, these plugins should be clean with no viruses. We have actually cleaned all the plugins. Now, just in case there are some custom plugins or custom codes on them, please do not replace them. But even if you did by mistake, we have a backup. To clean the custom plugins, we will use a WordPress plugin later. Anyway, so the plugins have been cleaned. Let's also open the index.php file with Notepad++. This is how it should be, almost empty. Hence it's clean. Let me go back. So we have cleaned the plugins folder. Also, let's quickly check the index.php file here. This is also clean. Now let's clean the themes. Every WordPress website uses a theme. It can be a free theme, a custom-created theme or a purchased theme. Whichever theme you are using, please download it and replace it in this folder. To find out about the theme, open the folder. You can also look at the screenshot and get an idea about the theme it's using.
Or open the style.css file: right-click and again open with Notepad++. You will find the theme name, description, etc., and search for the theme accordingly. However, if you cannot find the theme details and cannot replace it, then we will use another method to clean it using a plugin later in this video. But if you know which theme the site is using, we suggest downloading the exact theme. So since this is an Enfold theme, let me quickly go to ThemeForest. Go to Downloads. And here's the Enfold theme. I will download the installable WordPress file only. The theme has been downloaded. Let me keep it in the folder, and let me extract it and delete this zip file. Let me put it in the themes folder. Replacing a theme might be tricky. For instance, for this site, the theme name has been changed, so we have to follow some procedures. However, most websites' theme names are default. Regardless, please check the functions.php file, as there might be some custom codes. And if you're using a child theme, also replace or manually check the functions.php and style.css files on both the child theme and the main theme. Anyway, for this site, I will simply copy this screenshot. The screenshot is basically an image. I will also copy the style.css from the old theme. This looks alright too, and I replace it in the new theme. Now, I'll go to the functions.php of the old theme to see if there are any custom codes. Here are some custom codes on the site. I know it because I have been using Enfold for quite a long time. But if you are unsure if there are any custom codes or not, simply open the functions.php of the new theme, check the last line there, and compare it to the old theme. Anyway, let me copy these custom codes to the new theme at the bottom, as it was. Just make sure if there are any weird codes. So recapping, we copy the custom codes to functions.php, replace the screenshot, and also copy the style.css. These are the basic things you need to do while replacing the theme.
Now let me copy the exact theme name, as it might be case sensitive, and delete the theme. Then rename this theme. So as we replaced the whole theme, our themes folder is also clean. If there are more themes, please replace them or delete them all. A WordPress site uses only one theme at a time. Anyway, also check if this index.php is clean or not. Now if I go to wp-content, we have a clean plugins folder. We have a clean theme. This is also clean. Now let's check the uploads folder. The uploads folder looks something like this. This folder contains images, videos, PDFs, and shouldn't have files like .php. So the fastest way to check will be searching for *.php. If there are no .php files, that's great. Also look for *.htaccess. None of these files are here, which is pretty good. It seems all our folders are clean. The wp-content folders and files, as well as the .htaccess file and the wp-config.php file, are also clean. We have cleaned all these files and folders. Since we downloaded a fresh copy and replaced them all, the chances of having a virus on them are very minimum. Also, at the end, we will rescan all the files and folders to see if there are any malicious codes or not. Anyway, after cleaning these folders, let's upload them to our server. Let me quickly log in to my cPanel. We are on the cPanel. Let me go to the File Manager and locate where all our website files are, usually under public_html. So here are all our website files. As we are not sure which files are infected, let's delete them all. We have kept a backup earlier, so in case anything happens, we always have a backup. Anyway, select all and delete. Do make sure all hidden files are also deleted. Confirm. Now we have completely emptied everything on our website.

4. Make the website online and re-scan site with a Plugin: Now that everything has been deleted, let's make the website live.
So to make a site work, we need to install a fresh WordPress. As you have noticed earlier, there were lots of files and folders. All of these are actually from the WordPress installation. To download a fresh WordPress, go to wordpress.org/downloads and download the latest WordPress version. Our download is done. Show in folder. Let me put it on the desktop. Now let's upload it to our server. Upload, select files. It's uploaded. Extract the zip file here. Reload. We don't need this zip file. Open this folder, select all, and move it to the main folder. You can see all the WordPress files are here. These are all the WordPress default installation. Let me delete this wordpress folder too. If we go to our site, it will try to install a new WordPress site, which of course we don't want to do, as we want the old website back. So let's close this. Now let's upload the clean files to the server: wp-content, .htaccess and the wp-config.php file. Let's get these files zipped. Now let's upload the wp-content folder. Upload and select files. While the uploading is in progress, if you realize, we have a clean WordPress installation, which cannot have a virus. We replaced all the plugins from the original source, so they also may not have a virus. We also replaced the theme files, so they should also be clean. And as well, we looked for .htaccess and PHP files inside the uploads folder, so possibly it has also been cleaned. We should have deleted and cleaned the malware. Now all the files have been uploaded. So let's go back. I can see the wp-content.zip, so you can simply delete the wp-content folder and extract the zip file we uploaded. Close this and reload. Let me delete this zip file as well. These files are actually very clean and have very rare chances of being infected. Now let's check if the site is working. The website seems to work all good. Now let's go to /wp-admin. Let me close this.
You will be using the same login details, as the database has not been changed. So the dashboard and everything seems to work all good. Now let's quickly scan the website using a plugin. To further check if there are any viruses or not on the website, let's use a plugin to scan the whole website. For that, go to Plugins, Add New, and search for Wordfence. This is the plugin. Install it and activate. Simply click No and continue. You should write the email address there. Continue. No thanks. Go to Wordfence and enable auto updates. Now in Wordfence, click on Scan, then click on Manage Scan, then click on Performance Options. I will choose low resources so that the server won't be hit so much, and that's about it. Save changes. Then again, click on Scan and start a new scan. This will take some time depending on your website files and folders. You can see everything has been cleaned. If there are suspicious files shown, you can go to that file and delete the code manually. By the way, you can also set up a firewall in Wordfence. Click on the firewall. It's basically in the learning mode. Manage firewall. It will be automatically enabled on this date. This is how you can clean your WordPress website, and everything is clean. Please keep a backup of your clean website. Also, let me quickly scan the website on sitecheck.sucuri.net. You can see the website is clean. You will need to add website monitoring to get these to minimal. Anyway, we hope this video is useful. Thank you very much.
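
The two manual checks from lesson 3, sketched as an added example that is not part of the course: it lists files in the uploads folder that should not be there, and compares a backed-up plugin or theme folder with a freshly downloaded copy to show which files were added or changed. The function names and sample tree are hypothetical; it goes beyond the lesson's `*.php` search by also flagging other PHP-style extensions, and it assumes the fresh copy is the same version as the backup.

```python
import hashlib
import os
import tempfile

# The lesson searches uploads for *.php and .htaccess; the extra extensions
# below are an assumption covering other names PHP handlers commonly run.
PHP_EXTS = {".php", ".phtml", ".phar", ".pht", ".php5", ".php7"}

def _rel(path, root):
    return os.path.relpath(path, root).replace(os.sep, "/")

def audit_uploads(uploads_dir):
    """List files in uploads that are executable PHP or per-directory config."""
    hits = []
    for base, _dirs, files in os.walk(uploads_dir):
        for name in files:
            lower = name.lower()
            # Check every dot-suffix so "logo.php.png" is flagged for review too.
            suffixes = {"." + part for part in lower.split(".")[1:]}
            if lower == ".htaccess" or suffixes & PHP_EXTS:
                hits.append(_rel(os.path.join(base, name), uploads_dir))
    return sorted(hits)

def tree_hashes(root):
    """Map each relative file path under root to its SHA-256 digest."""
    digests = {}
    for base, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(base, name)
            with open(full, "rb") as fh:
                digests[_rel(full, root)] = hashlib.sha256(fh.read()).hexdigest()
    return digests

def diff_against_fresh(backup_dir, fresh_dir):
    """Compare a backed-up plugin/theme with the same version downloaded fresh."""
    old, new = tree_hashes(backup_dir), tree_hashes(fresh_dir)
    return {
        "added": sorted(old.keys() - new.keys()),      # only in the backup
        "modified": sorted(p for p in old.keys() & new.keys() if old[p] != new[p]),
        "missing": sorted(new.keys() - old.keys()),    # removed from the backup
    }

def build_sample(root):
    """Write a small constructed tree (not real site data) for the demo."""
    files = {
        "uploads/2023/05/photo.jpg": b"constructed image bytes",
        "uploads/2023/05/cache.php": b"<?php /* constructed placeholder */",
        "uploads/2023/05/logo.php.png": b"constructed",
        "uploads/2023/.htaccess": b"# constructed",
        "backup/main.php": b"<?php // plugin v1",
        "backup/inc/util.php": b"<?php // plugin v1 + appended line",
        "backup/inc/x.php": b"<?php // not in the release",
        "fresh/main.php": b"<?php // plugin v1",
        "fresh/inc/util.php": b"<?php // plugin v1",
        "fresh/readme.txt": b"constructed readme",
    }
    for rel, data in files.items():
        full = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(full), exist_ok=True)
        with open(full, "wb") as fh:
            fh.write(data)
    return tuple(os.path.join(root, d) for d in ("uploads", "backup", "fresh"))

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        uploads, backup, fresh = build_sample(tmp)
        print("review in uploads:", audit_uploads(uploads))
        print("backup vs fresh:", diff_against_fresh(backup, fresh))
```

Run against the extracted backup on a local machine, the "added" and "modified" lists point to the files worth opening in an editor before the old copy is discarded.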