Hello, I’m Mostafa Salim, a programmer and web designer.
I’d like to share an article about the experience of having a site banned by Google due to malware and the proper way to clean the site and remove the ban from Google.
Firstly, why do hackers inject malware code into plugins or themes?
What do they gain and how? The brief answer:
First: Direct financial profit, by redirecting visitors to another site to increase traffic. I believe many have experienced this issue when their site redirects to another site.
Second: Stealing sensitive data and selling it on the dark web. One way or another, all information like phone numbers, addresses, and even credit card numbers are collected automatically by scripts and sold for large amounts.
Third: Botnet Networks, which consist of a large number of infected websites acting as an electronic army controlled at once to perform tasks like flooding a certain target with spam or DDoS attacks, preventing access to certain servers. You may be participating in this without even knowing it.
Fourth: Using your site to spread malware on the server you’re on. Even if your site isn’t infected, you can still get infected if you’re on the same server with another vulnerable site, contributing to botnet networks.
There are many reasons that make using malware an appealing idea in this world, and billions of dollars are spent on it.
Now let’s talk about how your site got infected and the solution:
First, we need to agree that the first step in solving the problem is identifying the cause. Most WordPress sites get infected due to illegal (null) plugins or themes. It doesn’t necessarily happen right after the site is built, it could happen after a week, a month, or more. Here, we’ll discuss how to avoid the issue and also how to solve it based on previous work experiences.
The Cause of the Problem:
As a programmer, you might install a null plugin or theme, and to ensure your work won’t get ruined, you scan the files on any online tool or use a plugin to scan after installation. If nothing is found, you proceed confidently, and this is where the disaster lies. Let me explain why.
First, we must understand the causes of malware infection:
- Injected Malicious Code
- Security Bug
- Update Services
These are the most common causes of malware infection, especially when you rely on illegal plugins or themes.
The first cause is Injected Malicious Code, which is malicious code injected into the plugin file and often appears during scans.
The second cause is Security Bugs, which are security issues in the plugin or theme that hackers exploit by breaking its protection. This vulnerability allows any malware on your server or any attacker to easily target and infect you.
The third cause is Update Services. Since you cannot receive updates for illegal plugins or themes, you miss out on security patches that can protect you from new methods of attack.
Now that we know what malware is and its causes, if you, as a developer, receive an infected site and want to fix it, what steps can you take to clean the site and request a ban removal to ensure the site is restored?
There are several methods, but I’ll share the method I use, which always works.
There are different levels of infection. Sometimes, the site is infected but you can still access it and the admin panel. But imagine the site is infected to the point where you can’t even access the admin panel.
Steps:
- Access the hosting and rename the plugins folder, forcing the deactivation of all plugins.
- Rename your theme folder from the File Manager, just like the plugins, forcing the site to use a default theme instead of the infected one.
- Download a copy of the .htaccess file to your device. It’s a small but crucial file responsible for redirecting pages, but don’t worry, it can be automatically recreated once you access the site. Simply click “Save” in the permalinks section of the WordPress admin dashboard.
After these steps, you should be able to access your site’s admin panel. At first glance, everything will look messy because no plugins or themes are active. But don’t worry, all your files are still there. The next steps will focus on cleaning your site thoroughly while preserving your files.
The first step is to delete all illegally installed plugins and themes.
Next, install a plugin like All in One Migration to take an external backup. This is crucial to ensure that if something goes wrong during the next steps, you can restore your data.
After deleting the suspicious plugins and themes, use a simple plugin called WP Downgrade, which replaces infected or altered WordPress core files with clean ones by downgrading your WordPress version. For example, if you’re on version 6.2, downgrade to 6.1, which downloads fresh WordPress files without deleting your site. After that, you can update WordPress back to the latest version. This ensures all your WordPress files are fresh and clean.
Next, install a security plugin like Wordfence or All in One Security. This is not for scanning at the moment, but to prevent malware from spreading further.
Then, take another backup, ideally save it to your device or Google Drive.
Now, access the hosting, go to the main folder of your site, usually public_html (or if you have multiple sites, it will be a folder named after your site), and delete everything inside. As I mentioned earlier, malware can create folders and files, so no matter how much you clean, you might get infected again if you don’t delete everything.
After deleting, you can be sure that your hosting is clean from any suspicious files, and now it’s time to install a fresh copy of WordPress and restore the external backup you took earlier.
After restoring your site, you can rename the plugins and theme folders back to their original names or activate them from the admin panel. For the theme, make sure you get a clean copy from a trusted source or purchase it directly from Theme Forest. For premium plugins like Elementor or Rank Math, buy them from official sources to avoid running into the same problem again.
After activating the theme and plugins, your site should work as usual. However, there might still be malicious code in some of the regular plugins, and that’s where the security plugin like Wordfence comes in, performing a full scan to detect any malware. If an infected plugin is found, deactivate and delete it instead of fixing it. Make sure the plugin folder is completely removed from the file manager before reinstalling it.
Now comes the most important part: Requesting Ban Removal.
Once your site is clean, go to Google Search Console, find the notifications explaining the reason for the ban, and submit a request for a review, explaining that you’ve deleted all infected files, used dedicated plugins to remove malware, and verified that your site is free of malicious files or code.
At the same time, go to this link, which is a site for disputing incorrect warnings. Submit your site’s link. Within a day or two, your site will be unblocked by Google.
I hope you found this helpful.
Programmer / Mostafa Salim