So it happened… the worst thing possible: you were hacked, and now your WordPress site is dead, and you’re in serious trouble.
Depending on the infection — be it a virus, a hack or something else — and the severity of the malware, you may be thinking of trying to solve the problem yourself, with a plugin or malware scanner, or you may want to go with a malware removal service.
But when choosing a tool or service, you have to beware. Not only is it possible that the tool/service won’t fix your problem — it’s also possible that you could end up in a much worse situation — losing your data, content, or even more.
So in an effort to help you decide how to solve your WordPress malware problems, we decided to review several options — both tools/plugins and services — and list the best and worst.
What to do after a WordPress malware infection
Before we review the different options, let’s start with how to deal with a malware infection. Chances are, you’re only looking this up after you have some sense that you may be infected, so we’ll skip the “could your WordPress installation be infected with malware?” section.
Instead, let’s take a look at what to do after you’ve had your first freak-out, and are ready to do something.
What should you do when you suspect that you’re infected? First, keep calm. Don’t start messing around with your configuration or login information before you’re sure you understand what’s going on.
Next, check your backups. If you’re lucky (and you’ve been careful) your latest backup will be recent and complete. Don’t install it yet — just make sure it’s there; you’ll feel a lot better if it is.
Now, let’s get to the solutions.
The best WordPress malware removal plugin
Anti-Malware Security and Brute-Force Firewall
- Rating: 8/10
- The good: found all of the malware on our server
- The bad: didn’t remove the malware
Anti-Malware Security is probably the most commonly used solution that is actually designed to fix your WordPress malware.
To test, we first infected our WordPress installation with a standard exploit in one of the templates. We then installed and ran Anti-Malware Security. On the first scan, nothing was found. So we registered the plugin and requested an API key (which is free, although you are asked to donate $30).
We were then able to download the latest definitions. After downloading the latest definitions, we ran the scan again, and Anti-Malware Security was able to identify the exploit.
The great thing about Anti-Malware Security is that it is supposed to be able to remove the malware. Unfortunately, in the case of our test server, AMS was unable to remove the malware because it was unable to fix the hacked files. A knowledgeable admin would be able to use the clues to remove the malware, but it can get complicated.
In another test, we varied the exploit vector, to see if Anti-Malware Security could detect a slightly different version of the exploit code. And it worked properly. It was able to detect the exploit. However, we found that the method of identifying exploits resulted in a lot of false positives in our custom code.
If you want to try to remove the malware yourself, you should try Anti-Malware Security first, but for only a few bucks you may be better off getting it done professionally (see below).
Other WordPress malware removal plugins and tools
Sucuri WP Plugin (Free)
- Rating: 5/10
- The good: found some potential issues on our server
- The bad: didn’t find or remove the main malware
The free Sucuri WP Plugin is also extremely popular. However, we didn’t have as much success with it. We tried the same malware as we used for Anti-Malware Security.
With the Sucuri plugin installed, we ran the scan. It found some potential issues, but it was not able to find the malware that we infected our site with. Even with a completely known malware signature, Sucuri didn’t find the problem. Of course, when we modified the malware, it also didn’t find it.
Again, we only tested the free Sucuri plugin. We have heard great things about the Sucuri professional software, but at $300, it’s not a great option for most website owners.
Quttera Web Malware Scanner
- Rating: 2/10
- The good: easy to install
- The bad: didn’t find or remove our malware
Quttera Web Malware Scanner is another WordPress malware plugin that is commonly used. We tested Quttera with the same malware that we used on the other two scanners.
The first time we tried Quttera, it crashed our server, and we had to go to the terminal and restart the web server in order to get WordPress back. The second time, we let it run (even though it froze our server while running), and eventually it completed.
However, the output was 0 suspicious files, 0 potentially suspicious files, and 0 malicious files. It didn’t find the malware code, and it didn’t find other potential issues we had set up on our test site (like a readable configuration file, which both other tools found).
The best WordPress malware removal service
Since none of the plugins we used fully repaired our server, we decided to try some malware removal services.
There are many available online; a Google search will turn up dozens of options. We decided to try a few of the services and see what happened.
In our testing, we used the same WordPress image that we used above, with the same infection. We used the slightly modified malware code that Anti-Malware Security was able to successfully identify but didn’t remove.
After contacting the services and giving them access to our infected test site, we waited to see if they could fix it. It turns out that every service we contacted was able to identify and remove the malware.
The only differences between the services, it seems, were the price and the time to complete. One of the services fixed our server within an hour, while others took significantly longer. And of course, prices range all the way up to $500+.
So which is the best?
Fiverr / Premium WordPress Malware Cleaning & Security
- Rating: 10/10
- The good: found and repaired all malware; easy, quick
- The bad: it’s not free
As we wrote in the previous section, you’re generally going to be fine with most of the professional malware removal services you’ll find online. In selecting one to go with, it really comes down to price and time.
And there was one service that stood out above all of the others in terms of both of those: Premium WordPress Malware Cleaning & Security on Fiverr. The service only costs $5 to clean your malware, and it normally takes only a couple of hours.
According to Fiverr’s statistics, Premium WordPress Malware Cleaning & Security has removed malware for over 5000 clients, and has a 5 star rating. After all of the services we tried, this definitely seems like your best bet.
If you want additional protection, the provider also offers to patch and protect your server from future problems for $10-$20 more.
So what should you choose if you get infected?
After trying all of the options, we strongly suggest just skipping the plugins and going straight to a service. Once your site is infected, everything you do (if you’re not careful) can make things worse. Installing a plugin and messing around with WordPress admin could potentially result in additional problems and (in the worst case) data loss.
In our opinion, you’re much better off making the $5 investment in the Premium WordPress Malware Cleaning & Security service and getting the problem solved instead of spending time fiddling around with plugins.
How to avoid getting hacked in the future
Once you’ve fixed your WordPress install, you will want to ensure that nobody ever hacks your server again. How do you do that? We have a great article on this coming up, but our recommendation is to get iThemes Security Pro, a complete solution to protecting your WordPress installation.
In addition to multi-factor authentication, automatic backups, and hack protection, iThemes Security Pro has auditing and malware scanning built in. It’s definitely worth a look!