How I Removed Malware on my Hacked WordPress blog

I read the ShoutMeLoud post on WordPress sites using timthumb.php being prone to hacking a couple of days back, and 2-3 days later I encountered a very strange problem in the Chrome browser. Whenever I opened my WordPress blog in Chrome, it showed the following message:

“ contains content from, a site known to distribute malware. Your computer might catch a virus if you visit this site.”

I also checked my site in different browsers (Mozilla, IE & Opera), but this weird message was appearing only in Chrome. I was certain that my site was hacked and, like any other guy, I searched about this issue on Google and found tons of useful information which helped me to recover my hacked WordPress blog.

The timthumb.php hack is going to last for some time, as many people haven’t updated their themes and plugins, or some plugin might be using this script without them knowing. So here I’m going to note down the steps which I have taken, and other steps which you can take, to recover your hacked site.

Update everything:

Most of the plugins and themes which were using the bugged timthumb.php script have been updated, and you can easily find updates by going to your dashboard and clicking on Updates. If you are using a premium theme, you should check with your theme provider and see if they have rolled out an update. For example, the Templatic and Thesis themes are free from the timthumb hack, but many other premium WordPress theme clubs were using the old timthumb and have now rolled out an update to fix the timthumb hack issue.

Scan your site for hacked content:

Once these hackers get access to your WordPress, they will add malicious code at different places and deep down, so finding all the malicious code won’t be that easy. You can, though, look at the timestamps to see which files have been updated recently and check those files for any instance of malicious code.

I also used to check my site and it revealed that there was malicious code in my java file located at wp-includes/js/l10n.js. I accessed my hosting using FTP software and replaced this file with the original file from the zip folder of the latest version of WordPress, 3.2.1.

Change Passwords:

For better online security we always suggest changing your passwords regularly, but as soon as you fix your site you should change all your passwords: FTP, wp-admin and cPanel. Make sure there is no hidden admin user and that no extra FTP account has been added.

Reinstall WordPress:

This is one of the easy methods: you can click on Updates in your WP dashboard and reinstall WordPress. If the hacker has added malicious code to any core file, it will be gone. And since you have already followed the steps above, your site will be clean.

Based on my research on Google into the timthumb hack issue, you might find some of the infected files at these locations:

  • wp-settings.php
  • wp-includes/js/jquery/jquery.js

Replace these files with the original files, as in step 2.

Step 5: Delete the following files if you find them:

  • /wp-content/upd.php
  • /wp-content/data.php
  • /wp-admin/upd.php
  • /wp-admin/js/config.php
  • /wp-admin/common.php
  • /wp-content/uploads/feed-file.php
  • /wp-content/uploads/feed-files.php
  • /wp-content/themes/*[your themes names]*/cache/.htaccess
  • /wp-content/themes/*[your themes names]*/temp/[eab9c5e9815adc4c40a6557495eed6d3.php]

Step 6: Open “wp-config.php” and check for code containing huge runs of empty lines. Clear it all.

Step 7: Replace timthumb with the latest version.

Step 8: Log into Google Webmaster Tools and check under Diagnostics whether it is showing any malware warning. If it is, submit the site for review after cleaning up; otherwise there is no need, as the warning will go away automatically (as in my case).
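
The file checks from the steps above (recently changed files, the listed file paths, and the blank-line check on wp-config.php from Step 6), collected into one read-only report. This is an added example, not code from the original article; the function names, the 7-day window, the 50-line threshold and reporting any .php file under a theme's temp/ folder are assumptions.

```python
import time
from pathlib import Path

# Paths listed in this article, relative to the WordPress root.
KNOWN_BAD = [
    "wp-content/upd.php", "wp-content/data.php", "wp-admin/upd.php",
    "wp-admin/js/config.php", "wp-admin/common.php",
    "wp-content/uploads/feed-file.php", "wp-content/uploads/feed-files.php",
]
# Per-theme entries from the article. Assumption: any .php file in a theme's
# temp/ folder is worth reporting, not only the one hash-named file listed.
THEME_GLOBS = ["wp-content/themes/*/cache/.htaccess",
               "wp-content/themes/*/temp/*.php"]


def known_bad_files(root):
    """Return the article-listed paths that exist under root (report only)."""
    root = Path(root)
    hits = [rel for rel in KNOWN_BAD if (root / rel).is_file()]
    for pattern in THEME_GLOBS:
        hits += [p.relative_to(root).as_posix() for p in root.glob(pattern)]
    return sorted(hits)


def recently_modified(root, days=7, suffixes=(".php", ".js", ".htaccess")):
    """Return script files changed in the last `days` days. Timestamps can be
    reset by whoever wrote the file, so an empty list is not proof of clean."""
    root = Path(root)
    cutoff = time.time() - days * 86400
    return sorted(p.relative_to(root).as_posix() for p in root.rglob("*")
                  if p.is_file() and p.name.endswith(suffixes)
                  and p.stat().st_mtime >= cutoff)


def blank_run(path, threshold=50):
    """Return the longest run of blank lines in a file, or 0 if below threshold."""
    longest = run = 0
    for line in Path(path).read_text(errors="replace").splitlines():
        run = run + 1 if not line.strip() else 0
        longest = max(longest, run)
    return longest if longest >= threshold else 0


if __name__ == "__main__":
    site = Path(".")  # run from the WordPress root
    print("listed files present:", known_bad_files(site))
    print("changed in last 7 days:", recently_modified(site))
    cfg = site / "wp-config.php"
    print("blank-line run in wp-config.php:", blank_run(cfg) if cfg.is_file() else "n/a")
```

The script only reports; anything it lists still needs to be compared against the original file from a fresh WordPress or theme download before it is replaced or deleted.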

I hope these above steps will be useful to remove the malware or warning from your site.

Article By
My name is Arun Garg and I love to write on SEO, social media & internet marketing related topics. I also provide training and services related to online marketing.


Comments (7)

  1. Hamza Tariq says

    lol, you can skip all of the above mentioned steps. Simply open your web, and press CTRL + U (for Source Code) and then CTRL + F to find ( that’s it! It will directly show you the affected plugin, file…etc!

  2. Vijay says

    make sure you update thumb.php to latest version as well.. some themes are using the timthumb.php by name thumb.php

  3. Rakesh Narang says

    Thanks a lot for this enlightening article, I think my theme is using timthumb, I am going to update it right away.

  4. Kunal says

    hey nice work ..!! seems these will work for all the bloggers…!! if they are attacked by the hackers..!! hoping everything is fine with your blog now..!!:)