How to remove malware code from your website in easy steps

From my experience, malware is the most dangerous thing that can happen to your website, because it does not take the website down the way hackers do when they deface a site to prove their point. Malware is code placed on your website which may do any of the following:

1. Send out a massive amount of spam email from your website.
2. Send phishing emails to unsuspecting customers and plant code on your website to capture important financial details.
3. Download scripts/files onto unsuspecting customers' computers via their browsers.

As you can see from the above, malware code is used to reach a large number of visitors so that the attackers can then propagate their infection to other computers.

This can also affect your website's rankings on search engines, as they block such websites and warn visitors on their search results pages as well. See the example below of one such website which got infected with malware and how Google alerts visitors about this.

Malware Alert on Google Search Results

If you click the link and try to browse to the website, you may get this message in your browser if you are using Firefox/Chrome.

Reported Attack Page as shown on Firefox

Now how do you clean your website from malware code?

Please follow the steps below to remove malware from your website. I followed these steps while cleaning malware on some websites, and 80%-90% of infected websites can be cleaned by using them. However, there could be some differences on some websites, and if there are, please do let me know so I can update the steps here.

1. First thing you should do is to contact your hosting provider and check for the last backup of your website. There may be a chance that the backup copy is clean and not affected by the malware. If the backup copy is clean then you can restore the backup and get the website up and running in the shortest time possible. If not then you will need to go through the following steps and gear yourself to put in the next couple of hours on cleaning your website.

2. The next step is to download the website to your local development server. This is a necessary but time-consuming step, as you don’t know the extent of the malware on your website. Sometimes it could be in only one file and sometimes the whole website may have been infected.

3. After downloading the files, try to open them. If you are unable to open them or you get an “Access Denied” popup, then change the extension of your script to (.txt).

4. Open the file and search for anything that is out of the ordinary. If you see some type of gibberish code in the file, then you can be assured that the file has been infected with malware. If your website has been developed in PHP, then you should start by checking for “base64_decode”, “eval” and “iframe”.

5. After removing the malware from the file continue this process in other files as well. Be sure to remove it from all files as the malware replicates itself very quickly. You can write a simple script which can scan all files and then remove the code from all files in all directories.

6. When you have finally finished removing the malware from all the files, you need to look for the actual script which may have caused the injection in the first place. Start looking for it in your images, css and javascript folders. You are sure to find very oddly named scripts in those folders, and you need to delete them. Remember to restrict execution of server-side scripts in these folders. If you are on Linux-based hosting, you can just copy an .htaccess file with the necessary restrictions to each of those folders.

7. After doing all the above you can request Google to do a review of your website in your Google Webmaster panel. You should also submit your website for review at Stop Badware.
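As an added example (not the author's own script), here is a minimal Python scanner for steps 4 to 6: it reports files containing the strings named in step 4 and server-side scripts sitting in asset folders, and leaves removal to manual review. The folder names, extension lists and the `build_sample` test tree are assumptions made for this example.

```python
import os
import re
import sys

# Strings named in step 4 (matched as bytes: injected files are often not valid UTF-8).
PATTERNS = {
    "base64_decode": re.compile(rb"base64_decode\s*\(", re.I),
    "eval": re.compile(rb"\beval\s*\(", re.I),
    "iframe": re.compile(rb"<iframe\b", re.I),
}
# Assumed names for the asset folders in step 6 and for server-side script types.
STATIC_DIRS = {"images", "css", "js", "javascript"}
SCRIPT_EXTS = {".php", ".phtml", ".php5", ".pl", ".cgi"}
# .txt is included because step 3 may have renamed scripts to .txt.
SCAN_EXTS = SCRIPT_EXTS | {".html", ".htm", ".js", ".inc", ".txt"}


def scan_site(root):
    """Return sorted (relative_path, reason) findings for the site copy at root."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        parts = os.path.relpath(dirpath, root).lower().split(os.sep)
        in_static = bool(STATIC_DIRS & set(parts))
        for name in files:
            path = os.path.join(dirpath, name)
            rel = os.path.relpath(path, root)
            ext = os.path.splitext(name)[1].lower()
            if in_static and ext in SCRIPT_EXTS:
                findings.append((rel, "script in static folder"))
            if ext not in SCAN_EXTS:
                continue
            with open(path, "rb") as fh:
                data = fh.read()
            findings += [(rel, label) for label, rx in PATTERNS.items() if rx.search(data)]
    return sorted(findings)


def build_sample(root):
    """Write a small constructed site (not real malware) to exercise scan_site."""
    files = {
        "index.php": b'<?php echo "hello"; ?>',
        "contact.php": b'<?php eval(base64_decode("ZWNobyAxOw==")); ?>',
        "footer.html": b'<iframe src="http://example.invalid/" width="0"></iframe>',
        os.path.join("images", "logo.png"): b"\x89PNG\r\n",
        os.path.join("images", "x7f.php"): b"<?php /* constructed placeholder */ ?>",
    }
    for rel, body in files.items():
        os.makedirs(os.path.dirname(os.path.join(root, rel)), exist_ok=True)
        with open(os.path.join(root, rel), "wb") as fh:
            fh.write(body)


if __name__ == "__main__":
    for rel, reason in scan_site(sys.argv[1] if len(sys.argv) > 1 else "."):
        print(f"{rel}: {reason}")
```

Run it against the downloaded copy from step 2, not the live server. A hit on "eval" or "iframe" can be legitimate code, so review each reported file before editing it.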

Check this link out on Google to see how you can prevent malware in the first place

Hope the above helped!
