How To Remove Malware From A Website

Uh oh, the dreaded “This site may harm your computer”.

Welcome to hacks, malware, phishing and a total pain in the ass.

I did done gone and got hacked innit!

Not this site, but another Bluehost hosting account that had coming up for 50 sites on it. A few goodies, a lot of baddies, and many that have not been touched for many a year. I do like to keep ’em though, just in case πŸ˜‰

This post will hopefully not be something that you need now, but bookmark it, you may well need it at some point in the future. When I woke up yesterday morning by the Wife screaming “We have been hacked”, I knew I was not in for a fun day.

I have zero technical knowledge about the back end of how hosting works, coding, and anything that involves any degree of tech savvy whatsoever, so I was not looking forward to the rest of yesterday. SEO Tips, fine, technical know-how, not so fine.

So, let’s begin.

For those with no tech savvy or even if you do then I found a few cool things that ease you along with the process. I had malware infections on nearly every single install of WordPress and each of then had to be deleted.

Remove Malware From Hosting Account

First thing is to log in to your hosting account and change the password.

Next, you want to protect your Interwebs by going to http://sitecheck.sucuri.net/scanner/# and oh what a dream find this was for me. I had already spent hours yesterday morning looking at wordpress installs on my hosting, going in to untold files and to be honest not really even knowing what the hell I was looking for.

Some piece of code that was making a hidden iframe that was infecting users computers if they went to my site apparently. Not that anyone did with a great honking “This site may harm your computer” showing up under nearly all sites in the serps.

So, paste your domain url in to sucuri and wait for the results.

For me it was a lifesaver.

Not only does it tell you exactly what the malware code is it tells you exactly what file it is in in your hosting.

Navigate to that file in your hosting and then press ctrl f and paste in the malware code that you have been given by sucuri. It will then be highlighted in the file and you just have to delete it. If the file contains only the malware code then just delete the file. I had a mix of both.

Once you have gone through all of your sites then you need to ensure that all your sites are totally up to date. Log in to each one as normal and change the password to the site. Then update every plugin, theme and WP install to the latest version.

And remember to do it regularly. As soon as these things get new versions there are apparently tons of backdoors for hackers to manipulate to make your life a total misery.

How To Get This Site May Harm Your Computer Removed By Google


Do You Have To Verify A Site In Google Webmaster Central To Get Malware Warning Removed

For whatever reason you may not wish to add a ton of sites in to Google Webmaster central, verify them and then ask them to remove the note about your site harming or infecting other peoples computers.

I searched around for an age yesterday seeing if you had to do this or not. Basically everyone I could find said that to remove this warning from your site listing in the the serps you had to apply for it to be removed by Google by having a G Webmaster account.

So, just for you guys me and Wifey did a little experiment. She carried out the procedure everyone said you had to do in Google. I submitted one to another great find, http://www.stopbadware.org/home/reportsearch which tells you if your site is in their bad books, and Googles and others too. They then check out your site and will inform the big G to remove the warning from the serps if it is now clean.

For the rest of our sites we did nothing but clean them up.

So, today, the sites that were put in to Google Webmaster and stopbadware were back to normal. Same position in the serps, no warning and all good. About half of the sites that we did nothing to apart from clean up also have the warning removed. The rest we submitted to stopbadware this morning so they should be good by tomorrow.

So, just a quick run through of what I did and those two links are invaluable, no affiliation to me in any way, just good stuff. I am sure there is a ton of stuff that many of you guys know about when it comes to this sort of thing but for us thickies I hope this helped, or helps in the future.


Stick to just a few sites per hosting account. If one gets hacked then the rest may too. For the sake of a few extra dollars a month I would get more hosting and stick to 10 or so sites per account. Something I hadn’t done. It just means that if you are remiss about updating WP or plugins, or anything else that can go wrong, and your account gets hacked you have fewer sites to sort out.

UPDATE: I recommend wp twin to backup and clone your sites once they are clear of infection. See Wifey’s WP Twin review for more details.

My recommendations are on the Tools page.

Ensure that you update WP and plugins asap and never leave old versions up, it is how the buggers can get you.

And lastly don’t believe everything that you read. Everything I could find said you had to ask for the malware notice to be lifted by verifying aΒ site in Google Webmaster, and this is absolutely not the case.

Coming up next I have a post that is going to tell you how I jumped from bottom of page 4 to middle of page two for a tough term that is keyword targeted on a single page of a general niche site in under a week. It is old skool in the extreme but it still amazes me how many people fail to use this simple technique to boost their rankings. If all else has failed for you then this is going to be golden. You should pretty much see guaranteed upwards serps movement for any term you may wish to rank for, unless it is for something ridiculously tough, even then you may be surprised.

And it was all done with 10 links pointing to the page too.

Hasta pronto.

67 Responses to “Hacked”

Read below or add a comment...

  1. Carrie says:

    How did you know you were hacked? Get an email?

    Good thing you caught it and cleaned it up early. I am guilty of not updating WP enough – lazy.

    • Dave says:


      Yeah, got an email. It really did bring it home that stuff really does need to be kept up to date. Also check in your hosting account, we had a few weird anomalies with old wp backups etc that were hanging around and could be a security breach. I know it is hassle to go through all sites and update asap but it is certainly better than getting hacked.

  2. Tara says:

    What vitamins are you taking Dave? I want some of those too…you got back from hols a few weeks ago, published a book on Kindle, nearly died from a wasp sting, and now you’ve recovered from a nasty hacking attempt and told us all how to clean up too. Not bad for 2 weeks!

    Glad to hear you’ve recovered from the hacking and thanks for the tips, I will be applying this to my sites too.

    • Dave says:


      Marajuana and copious amounts of Cava πŸ˜‰ Is that how you spell it? I call it “my special cigarettes” πŸ˜‰

  3. Joel says:

    Thanks for sharing.

  4. JanisG says:

    I got the same sh!t on one of my sites yesterday.

    In short, there is a script that deals with image management that is part of some themes and plugins. Hackers found hole in this script and installed their bad stuff on sites using these themes or plugins.

    My problematic site (thanks God only this site!) had a related posts plugin which uses this script. Looks like I managed to clean it all up. Securi.net scan says site is OK, Google says visitors to run for hills. I will follow your suggestions to clean it as well.

    How I found the problem? I was just checking my keywords in serps and noticed the warning under my site name.

    Cheeers πŸ™‚

  5. Carlo says:

    Hey, Dave!

    Glad you got rid of the problem πŸ˜‰

    There are also some plugins that can help prevent to some extent such things. Two of them are Secure WordPress and Bulletproof Security….


  6. Nick says:

    Hey Dave,

    Seems like you got a few accounts hit. Be interesting to know if they were reseller accounts you were using or shared accounts (like bluehost) – because I’m pretty sure that if you have different domains on different accounts it should be harder for hackers to attack them all.

    Also, using fantastico means your foundation starts with security flaws. Had a few blogs hacked in the past – with the ‘this may harm your computer’ message popping up everywhere – so sought out numerous ways to ‘protect’ my wordpress installs.

    Check out http://www.wpsecuritylock.com/blog/ and http://blogbuildingu.com/wordpress/install-wordpress-securely

    Also, main things to bear in mind are removing version of wordpress and replacing the default admin. And, whilst a manual install may take a while at first, using backup buddy is sweet as.

    (You know what they say, prevention is better than the cure ;-))

  7. Darrell says:

    Hey Dave

    That is a good reminder. I also keep my stuff updated, but I also include limit login attempts plugin for all my sites. After 3 attempts, they get punted. Plus long kick ass encrypted passwords to make it even harder. I do change my passwords periodically on all hosting accounts and sites. I create them randomly using a random password generator of 18 to 24 various characters.

    The one other suggestion I do have for sites that got hacked it to use something like backup buddy from ithemes or wptwin. Those can back up a copy of all your sites information, including design, plugins, perma link structures etc – everything. So, all you would need to do is delete all of your sites information and re-install it using 1 of those software programs as if your site never changed.

    Cheers and have a great day

    • Dave says:


      I use login lockdown on this site but don’t have it on all others, laziness is the only excuse. Thanks for the tips Darrell, I will look in to them and try to keep everything right up to date from now on too.

  8. Terry says:

    That just reinforces my belief that the number of WP sites in my stable are best kept to the barest minimum and the bulk are best set up as static.

    I have fewer and fewer hacking attempts on mine because I’m systematically backwards engineering smaller WP blogs to html static. Static sites have way fewer “ins” for hackers and as long as the account password is strong and the file/folder permissions are correct, they are kept out.

    WP as you mention is full of backdoors and if they upgrade and you don’t you’re left wide open. This is crap with a capital C. It makes work for you that you don’t need, going round updating all your WP installs every time they put out a new release, which is often and then doing it again every time a plugin gets updated.

    Too much time wasted that can be better spent on… learning html/basic php and rebuilding the sites as static. Just think of all the benefits:

    – No backups to have to worry about
    – No database to get corrupted
    – No plugins to get updated
    – Lower server load (your host likes this)
    – Faster site load time (Google likes this)
    – No freakin’ constant checking if the thing has an update (you will like this)

    Only my biggest sites are WP now and they’re too big to change to static, so I have to keep up with them. WP Firewall II plugin (urgh) is a must have. But out of hundreds of domains, there are only a couple of dozen to worry about now. Its liberating!!!

    BTW, were your sites all on a shared hosting account at Bluehost or a reseller?

    • Dave says:


      I really wish I had just built static sites, I know you have talked about it a lot. It is a total pain in the bum doing all this updating, you are right, and I wish WP would stop updating so often. It was shared hosting, should have not had so many sites on one account. It was just most were oldies so I never bothered splitting them between more accounts like I do now and have done for quite a while.

    • Bruno says:

      Hey Terry,

      how many pages do you believe we can go with static, general websites? I know, ‘as many as you want’, but for us poor webmasters that will have to design and control it all by ourselves (at least for the moment), how many do you think it would be ok?

      I was planning to start a new general website, but I’m afraid that for a general website which will get tons of posts, I might lose control of it after a certain time πŸ™

      Most of my static sites have 10-20 pages, so they are quite ok to control. But would you still go with static sites for a 100+ pages site?

      Maybe it would definitely give you more work now, but then it might save a LOT of time in the long run … There’s more manual stuff to do (for example, you can’t use the YARPP plugin, you would have to type it it manually)

      Dave, glad you are recovering fast from this problem. Do you think your wasp incident is anything related to this? πŸ˜‰ Some government new device to track our taxes?


      • Dave says:


        I think it is all a total conspiracy. Carrie has been de-indexed http://www.workingtowardshome.com/when-the-rug-is-pulled-in-im.html and I know a few others have too. I think the Internet is simply broken!!!

      • Terry says:

        Bruno, I wouldn’t convert a 100+ page site to static, just too much work. But for building from the ground up or on a converted static site, yeah, I would just keep going with adding static pages.

        On my bigger static sites (30-50 pages), I keep pages in sub-folders (equating to categories on a WP site) so managing them is easy enough. I created a set of my own templates a while ago, so each new site uses one of the basic templates and I just tinker with in css to make it unique for the site.

        Posting a new article to a static site is a little more work. I write it first in Word to get it spell checked and looking ok, then copy/paste it into a template page using PsPad. There I add any basic html (mainly br tags in between paragraphs – everything else is set to go). Some articles call for bullet points, so I have to copy/paste each line into a ul/li tag (also already there in the template) but that’s about as much extra work as it takes. If I use an image, I simply ftp it to the server, then include the filename in the template’s img tag. If I don’t use an image or bullet points or anything else I don’t need in the template, its simply a case of deleting the unused lines of code.

        I routinely update the sitemal.xml file manually as I add each new page and add an entry into a nav.php file that stores all the pages locations. That file gets included in the visual sitemap as well as the sidebar for easy site navigation.

        I have it all down to a routine that I do every time, so its really easy for me. It only takes an few minutes more than posting to WP, but the long term gain in saved time for not having to check and apply all the updates makes it totally worth it!

        • Bruno says:


          Sorry for the mix up, I actually meant to start from scratch a site which, in the future, would have 100+ pages. I also agree that converting a site that big would definitely be a pain …

          Thanks for the the tips. I can imagine having a routine like that myself, it would definitely save much time in the future. I’ll take a look at that sometime soon …

          Dave, do you see any patterns on sites that you know that got deindexed? Lando mentioned that he had problems as well πŸ™

          • Dave says:


            No patterns that I can see, which is the worrying thing about it. Gotta have those backup sites on different hosting accounts so you can recover quickly if need be.

      • teatree says:

        I’ve got a couple of static sites, that I built using notepad. It’s only hard work the first time you do it. After that you just copy and paste your html files and then amend as necessary. The only irritating thing is that you have to check your first template in every single browser, as some don’t render stuff properly e.g. firefox insisted on putting borders around my images, and I had to explicitly say not to to get it to look right.

        You do feel like a proper superherogeek once you’ve done your first site though. Also, I seem to rank them easier, perhaps because G doesn’t have a whole bunch of rubbish to get through when they spider your site.

  9. ben says:

    Hi Dave,

    Sounds like the new(ish) attack via timthumb.php, used by many themes and plugins for image management. Make sure you are using the latest version as the author has updated it to fix the security problems (elegant themes have removed it altogether from their templates).

    On a totally unrelated note, can you add a link to comments at the bottom of each post as it is a PITA getting to the end of a post and having to scroll up to the top to click the link (e.g. http://zenduck.me/hacked#comments) to see comments πŸ™‚

    Another unrelated note, can you let me have the link to the “manbag” site where Wifey bought your’s from for last Christmas, I’ve had a look (and search) through your old site but can’t find it πŸ™


  10. ben says:


    WP-ADMIN loks ok to me, you may want to clear your browser cash before you start editing .php files incase it is a client issue not a server one

  11. Michelle says:

    Hey Dave – Thanks for this very useful post. I have to admit I’m guilty of not updating WP themes and plugins regularly, even though I was hacked once in the past (although over a year a go, something to do with “permission setting”). I’m certain I’m going to need to use this information at some point, since I don’t seem to have learned from my past experiences. πŸ™‚

    Where’s the “donate” button…?

    • Dave says:


      Bugger, forgot to add one to this site πŸ˜‰

      I really should have actually, I used to get a little donation most days on the old site.

      Getting hacked is an absolute total nightmare so I do hope everyone keeps everything up to date from now on. Going through my various hosting accounts today I was a little overwhelmed at just how many sites I actually have. A lot more than I thought. I think I may need to begin selling some off.

  12. Jimmy says:

    Another tip for you Dave is to try recoursing your hosting nameservers to http://www.cloudflare.com to add protection to your hosting too. Best of all its also free!

    No im not an affiliate of that site man. its just that their service are awesome that I would really recommend them. I dont work for them because I got my blogs working for me thanks to your tips and tricks ever since before you transferred here in zenduck.me from the .info blog.

    Hope that helps you bro and to everyone too. Cheers!

    • Dave says:


      Thanks for the tip Dude, will look in to it as well. And glad that you are doing so well, it is great to hear.

  13. Kevin Douglas says:

    I fell victim to this just this too, Dave. I’m working with Sucuri support as I’m typing this. I ran the scanner, but it turned up nothing negative. Getting your website hacked is definitely no fun and it makes you pretty paranoid for awhile.

    Not to mention having your site look really stupid in Google SERPs with a big “This site may harm your computer”.

    Malicious hackers are the worst form of human being!

    • Dave says:


      It is a total pain in the bum. Although we got all the malware off we still have a few issues on a couple of sites, annoying to say the least. The problem is the bloody timthumb files. Some themes use them even if it is not installed as a plugin. Got to patch them to make the last few sites work. It has been a rubbish week to say the least.

      Hopefully you will get yours sorted out quickly, the notice should go soon, it’s about the worst thing to see in the serps.

      • Kevin Douglas says:

        I would suggest, if people can afford it, to sign up through Sucuri. I broke down and just bought their service for 1 year.

        They have a been great to work with and they are the tops of the website security industry.

        • Dave says:


          Glad you had a good experience with them, their free checker certainly saved us to a large degree. I am still deciding exactly what route to take, the site cloning tool seems worth having for a one off payment of under $100 but hopefully we will take it a step further too.

          Thanks for the hands on experience recommendation, their free checker is certainly a bookmark I recommend to everyone (just in case).

    • I’m dealing with this myself. I’m wondering WHY people have nothing better to do than hack others’ sites and do them harm.

  14. Gerald says:

    I really hate updating my blogs, it time-consuming but if it’s for the sake of the safety of my sites then okay. Anyway, I’m looking forward for the new tips you’ve mentioned here.

  15. JanisG says:

    Is anybody tried publishing product reviews on Facebook notes pages?

    Example here – http://www.facebook.com/pages/Bast-Buy-Tools/113673662067705

    Looks like these pages are ranking on first page of G in days. Or even hours?

    • Dave says:


      I have seen a few of those type of pages. I mentioned before about getting your fan page ranking for your keyword but that takes it to a whole other level. Not sure about Amazon’s position on such things though. Although they provide Twitter direct product links so I am guessing it is not against their terms.

      • JanisG says:

        I will ask Amazon about it.

        I have seen reports about Amazon approving Amazon Stores built on Facebook Fan pages. So there might be something innit πŸ˜‰

        • JanisG says:

          LOL. Got some sort of automated reply from A.:

          “Thank you for contacting us regarding your concern for creating links to products for display on the Facebook site. We appreciate your interest in expanding sources and exposure of the Amazon site to a wider audience.

          You can link directly to an item’s detail page using a text link.” and so on.

          Let’s do some more emailing with them πŸ™‚

          • Dave says:


            You could be on to a whole new revenue stream there πŸ˜‰ Be interesting to see how it goes. I just checked a FB page I did a few months back for a site of mine, it is position 8 for a tough keyword and a PR 4!

          • JanisG says:

            Here is second reply from Amazon:

            “The Amazon Associates Program does pay advertising fees for qualifying sales generated from social networking sites like Facebook and Twitter.”


            “As with all other means of driving traffic, Associates have to be sure that the method they are using to drive traffic to Amazon and earn advertising fees is permitted by the terms of the Associates Operating Agreement and, if applicable, the Product Advertising API License Agreement, as well as the terms of use for the specific site on which their links are posted. For example, Associates may not use a user name or ID on a social networking site which includes Amazon’s Proprietary Terms, like “amazon” or “kindle,” or use our logos and other trademarked content on their profiles.”

            So I am going to test if works πŸ˜‰

            • Dave says:


              Sounds good. Let me know when you have made a million πŸ˜‰

              Seriously though, FB ranks like a dream with a couple of links so you could be on to a real winner.

              She who dares wins!

  16. sean says:

    hello dave, good to see you are out of the warp bite. i have a question for you.

    i have some long product titles eg Lodge logic L10sk3 12 Inch Pre-Seasoned Skillet and when i post this as an article on my blog it gives me error 404 what could be the problem any solution for this. if i shorten the title the post show up on the blog but if i dont it brings error 404.

    i dont want to shorten the title.

    • Dave says:


      It may be a corrupted WP install, it has certainly been flaky of late. Apart from that you will have to wait for the tech crowd to reply here (hopefully πŸ˜‰ )

  17. Darren says:

    Hey Dave,

    Stung by a wasp and then stung by a hacker! You have a sharp few weeks! Have you considered using codegarage.com run by Peter over at TKA. It keeps your sites monitored for hacking and then cleans it up for you should you get hacked, he also backs up a complete database of your wordpress sites once a day in the same service. As I am not the most tech savvy, a rest assured he has got my “online back”

    • Dave says:


      Thanks for that, those are some very good price he offers. I may well take him up on it. After finally getting hacker free yesterday after deleting any themes with timthumb in them (fingers crossed) I am well paranoid now. Talk about a crap week.

      Thanks for the heads up.

      • Darren says:

        Yep – a good price and Peter is super helpful. 2 weeks ago my main earner experienced a database crash and all my posts and pages disappeared – all I was left with was my nice theme and the sidebars! I had over 200 posts!

        I shot an email to Peter because I didn’t know what was going on (he informed me it was a database crash), he simply went into cpanel for me corrected the problem and sent me a screencast of him fixing it, so I got a little education too! Piece of mind man – In the words of broke English of an Asian friend of mine – “my happy was big”.

  18. Nic says:

    My sites have been hacked relentlessly lately. Even when you think you have them all cleaned up the hackers have often hidden a backdoor so they can just get in again. I have got rid of one of my hosting accounts altogether as it could not be made secure.

    One thing to note is that you don’t have to use webmaster tools to notify Google that your site is clean after a hack. If you are happy to leave it for a while the bots pick it up themselves.

    Be very wary of using WP Security Scan plugin – a site I used it on is now completely inaccessible via wp-admin and reading the forum several peoples sites vanished altogether after using this plugin.

    With all the hassle this has caused me over the past few weeks if I could turn the clock back 3 or 4 years I would not build any of my own sites at all but would just stick to Squidoo & Hubpages. Just as profitable and zero cost.

    • Dave says:


      I feel for you Man, this has been one of my most stressful weeks online. Cleaning up jquery.js files, searching for timthumb, dealing with half missing wp-settings files and the list goes on and on. I am amazed I got through any of it to be honest.

      The http://wptwin.net/ looks like one of the absolute best options. At least then if you can’t stop the hackers coming back you could just put the sites up on a different hosting account and be done with them a lot quicker. I am going to buy it and move some of my sites from the shared hosting to accounts that hold one site only and minimize the risk to some of the better performing ones.

      • Terry says:

        Haha after all I said earlier, one of my few remaining blogs got hacked today LMAO!!!

        It was a 20 page blog hosted on hostnine (they’re not the most secure of hosts). So rather than trying to pissball around trying to fix it, I spent the afternoon creating a static version of the site. I just uploaded it all, checked it out for errors, got none, went into cpanel and deleted the mysql database, all the WP files and all the hacker’s hard work.

        So “Hacked by dr.timor..an army of one man” can go f**k hisself royally hahahaha……

  19. Blackthorne says:

    Anybody else experience a major drop in traffic due to the earthquake / hurricane situation in the US at the moment?

    I’ve gone from 1000 uniques to 600 uniques and I’m keeping my fingers crossed it’s temporarily because of the US situation.

  20. Pete says:

    That stinks Dave. I’ve had two sites hacked recently – no malware, but the hacker leaving his ‘signature’ on one and another the guy inserted links to various pill websites. Took forever to fix – and I stupidly didn’t have any backups.

    I also noticed they both sites used the same paid for theme. It concerns me cause I have a big 3rd site running it as well, hope it is just a coincidence…but I’m planning on changing it none the less.

    I noticed one of Grizz’s sites got hacked with malware as well. I just happen to click on his sites bookmark and It sent my virus protection into a tizzy.

    • Dave says:


      Sorry to hear about that, it really does suck and is a total headache.

      Wifey has been using wp twin all week and honestly you should look in to buying it. A review will be coming soon but basically you can make an exact copy of your whole site with just a few clicks. Theme, plugins, all settings, comments etc, the whole site. You can then simply delete a wp install if you get hacked and upload the clone. We have now done it to a load of sites. We also used it to move some to new hosting so there are not as many sites on one hosting account if it gets hacked again.

      Grizz’s site is down at the moment so I assume it was that one that got hacked. The hackers are definitely busy at the moment.

  21. Thank you for this clear and comprehensive set of tips and tricks. I’ve been under malware attack for quite some time and the more I clean, the more I end up scrubbing from scratch. It’s such a pain to deal with but I’m not giving up and I’m just going to secure my sites even further than I have before, even if I have to go slower and restore them one by one!

    Sucuri is great, I just haven’t budgeted their services in yet.

    • Dave says:

      L, it’s a real pain alright. And totally pointless as far as I can tell too, just peeps with nothing better to spend their time on.