Remove Malware from WordPress Site (The Definitive Guide)
Do you know that there are 30,000 websites are hacked in a day. To understand how Google fight spam websites, we need to which type of websites are considered as spam.
A fine morning, Google Search Console sent me a message on one of websites. The website has been hacked and Google has found “Hacked content” on the site
I was shocked to see this Alert – Hacked content found message. Immediately I logged in to Google Search Console and checked the whole message. It was like this; “Google has detected that some of your web pages have been hacked….hacked content detected on…implementing industry best practices.” i think i ve been hacked.
It is a shocking to find out the site contains malware and this site may be hacked wordpress by japanese hackers. The site may be infected with seo spam, phishing links and non quality back links. Google will start showing unsafe website warning below the website title in search results resulting in lesser views and organic traffic.
I am sure many of you have faced this sudden onset of troubles of spam attack on your website. Here is how you can fix Hacked Content Found error in Google Search Console. Google finds hacked content in the website and alert users in Google Webmaster tools. Here are the best ways to identify and fix Hacked content detected in Google Search Console message.
What is hacked content?
As per Google Google Webmaster tools Support page, hacked content is any content that is posted in your website without your knowledge or permission. Hacked content can be in the form of links, java script files, encryoted php files etc.
Spammers place certain files and php scripts containing virus or malware inside your website files. This gives access to spammers to see flows of your website, attack website, shut it down, block your access, add links to your sitemap, use fishing to get details from your visitors and more.
Spammers add new pages, posts and attachments in the website. This will boost the spam website ranking in Google and reduce your ranking.
Hidden content accessed by bots
They may add hidden content inside the website files which can only be seen by bots especially Google bots, MSN bots and other search engine bots. Bots are used to crawl your website links and list them in search engines as per the ranking factors.
You and the visitors may not notice these links or pages but bots will identify them and list them. This will reduce your website ranking and increase their ranking.
This is the most common hacked content issue in websites. Spammers put their links inside the website. When a visitor clicks a link in Google to your website, they will be automatically redirected to the spammer website. Your website lose ranking eventually and get penalized for redirects.
Cloaking and/or 301 redirects
These web pages shows one type of content for human visitors and other content for Google bots. So that when bots crawl the web page, it look like a valid page with good content. For a human visitor it may look like a websites with some not so good content. Sometimes these sites use 301 redirects to redirect human visitors to other pages and that way lead to bad web pages.
Pure spam websites
Content that copied from other websites, stuffing keywords in web pages, automatically generated content using software etc. These are easy to find out. “Unnatural links from a site” is shown twice at the web page which is scraping content and according to Google, this is policy violation.
Websites with thin content are added for removal after pure spam websites. Websites unnatural links are added for removal are in the third place leading to hacked sites at the fourth place.
Unnatural or deceptive links from site
Website administrators should be careful about this. While link building, website administrators may add links from other websites in abundance. However, this may lead banning the web page and website.
You could check whether your website is hacked by visiting. Sucuri checks the website in Google safe browsing, Norton safe web, Phish tank, Opera browser, SiteAdvisor, Sucuri Malware Labs blacklist, Yandex and ESET.
checked by sucuri
Why Google showing “Alert – Hacked content found”
There are many issues pertaining to the website security including theme vulnerabilities, passwords that can be easily compromised, insecure external plugins, low quality back links that you have purchased and security leaks.
It is not that easy to identify what has led to the hacking of your website. You may have to go through a step by step approach to identify each issue and fix them individually. A developer can help you in this though they will ask huge sum to fix it.
Outdated web application, weak admin, cpanel passwords, infected local computer are common vulnerabilities for a spam attack. Google has identified some hacked content in the website and started showing malware warning in search results. Google is showing “Alert – Hacked content found” to notify the spam issue.
Find Hacked Content in Website
It is important to identify what type of hacked content is injected to your website. Then only you can fix them.
1. Scan for Malware in the website
Use Sucuri SiteCheck Free website malware and security scanner to scan for hacked content, malware, blacklisting status and website errors. Enter your website URL and select Scan website.
2. Contact Host for Deep Scan of Hacked Content
Contact the host for a deep scan of the hacked content. Mention to the hosting company support team that you have received a message on Hacked Content Found in Google Search Console. They will run a deep scan and let you details. This is important as they will check for internal server errors.
You can say “Hi, we received message from Google Webmaster that the site is infected. Can you please run a scan to the account for any malicious content. Thank you.”
Once scan is done, they will send you the list of affected files. The list would be something like this if you are using wordpress website.
These files contain the hacked content. Spammers do something called “Obfuscation” to hide the malicious code inside another code. Cloki Malware is used to slow and crash WordPress websites. There may be many other type of infections on the website.
Restore Backup to Fix Hacked Content Found
Some hosting providers like Siteground offers backup services. They may have backup of your website available from old days before the website was attacked. Check if your hosting provider offer Website Restore option. Then Check when was the hacked content was injected. Restore the website to previous time. This will fix hacked content found in Google Search Console.
You may lose some latest attachments and posts while restoring the website. Download WordPress eXtended RSS file by going to wordpress dashboard > Tools > Export > All content and press download. This will have your posts, pages, comments, custom fields, categories, and tags.
Once that is downloaded, go to media and download all latest attachments. You can use the “Dates” filter option to download images that is added later than the restore date.
Now you can restore the backup and do steps 1 and 2 to find for any other hacked content. If not, you have successfully Fixed Hacked Content Found in Google Search Console.
Download Database for backup
You can download old database from cpanel of your host. Regarding the database post extraction, you can access the old database via:
cPanel > phpMyAdmin
And export only the needed table and then import it in the new website. Please note that this is a complex task and if you are not sure how to perform this, you should best contact your website developer as he will have the necessary knowledge and experience to perform this.
Remove Hacked Content Found on WordPress Website
Now that you have identified Hacked Content, it is time to remove each of those files. It is important to take a back up of the website before starting the clean up.
You can go to Site Manager of your hosting account or using FTP to see all files and folders of website. For Siteground, Login to My Accounts, Access control panel by selecting Go to Cpanel, select file manager and select Go.
Find each selected file using the path. If you want to find a file such as /home/public_html/forum/cgi-bin/index.php, Go to public HTML folder, then double click it to open the folder, double click on forum folder and then cgi-bin folder. You will find the index.php file. Select the file and press delete.
You have to delete each file like this. Make sure you have identified the correct file. If you are unable to do so, find a freelancer from Upwork or Codeable and providing them administrator login details. Once you have deleted all the files, do step 1 and 2 check for any other virus. If not, you have fixed Hacked Content Found error in Google Search Console.
Unable to Load WordPress Website After Deleting Hacked Content
Some users are unable to load wordpress site once they delete all these files. This happens because the virus attacked the core files needed for wordpress to run. Few errors that are going to show, Warning: include(): Failed opening, failed to open stream: No such file or directory and Fatal error: Uncaught Error.
The error might be because some of the WordPress core files were missing and that was causing the website to not load properly. In this care you may have to fix the issue by downloading all missing files or reinstall wordpress.
Manual Actions to Fix Hacked Content Found in Google Search Console
You have to check the website thoroughly for the presence of Hacked content. Once you are sure that all hacked content are removed. Go to Google Webmaster tools, then Google Search Console and select the property and check the message “Alert – Hacked content found”. Scroll down below where you will be able to see an option “Submit a reconsideration request”.
The reconsideration request is a manual action by website owner, in this case you, stating that you have removed all hacked content from website and the website is clean now. Select the Reconsideration Request option.
You can read more about it in the support page. To submit a reconsideration request, go to Google Webmaster tools > Search Traffic > Manual Actions, type that you have removed all Hacked Content from website and scanned it multiple times to confirm and submit the request.
Once you have successfully submitted the Reconsideration Request using Manual action, you will receive a message from Google. Google has received the request and it may take few weeks to review the action. Don’t worry; it wont take that long. It will take 2-3 days only as these are done automatically.
Keep checking Google Search Console for messages related to the Reconsideration request. You will get a message stating Reconsideration request processed and some of the manual actions on your site have been adjusted or revoked. Select the Manual Action Viewer to view the changes.
You should be getting the above message. This means you have successfully fixed the Hacked Content Found error in Google Search Console.
Wordfence Options To Block Spam IP Address
You may have seen a rise of 404 errors in Google Search console while fixing the hacked content. Here are best practices on How to Fix Crawl Errors 404 Not Found in Google Search Console.