Thursday, 28 February 2013

Wordpress Site Been Hacked?

Had your WordPress website hacked? We have been helping a lot of businesses overcome this problem, so we thought we would set out the steps we take to remove malware warnings and viruses. If you have had your website branded on Google with the dreaded "This site may harm your computer", don't panic. The first thing you always do is rage and deny that there is anything wrong. Use the Unmask Parasites tool to find the problem and where it is; this will give you a few clues as to what you are looking for. Often you will find a hidden iframe link to a ".to" website or some other malicious domain.

We are no security experts, but we do understand how basic hackers work. This advice is meant as a guide, don't sue us if you get it wrong.

There are two things to keep in mind when working with this sort of problem. The hacker has a malicious intent, so whatever they are doing will leave traces and links to files or websites. The hacker will also try to cover their tracks, and in the end sometimes the only thing you can do is set fire to your server.

The hacker will have created, or forced, a way into your system that will be different to the traces they leave. You have to address this problem before your virus/malware problem will really go away. This can sometimes mean your host is infected or it might just mean your password is insecure.

Don't Panic

Create a fresh backup of your WHOLE website and database, marked "infected". Also, search for iframes and base64_decode(). Sometimes it will be hard to find all the infected files, but the best places to start are the header, footer, load-template and admin files.
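The search described above, as an added example that is not part of the original post: a small Python scanner to run over the "infected" backup copy, reporting every iframe (marked when it is hidden) and every call to PHP's base64_decode(). The rule names, the file-extension list and the hidden-iframe heuristic are assumptions of this example, and the sample files are constructed.

```python
import os
import re
import tempfile

# Heuristics are assumptions of this example: any <iframe>, flagged as hidden
# when zero-sized or styled invisible, and any call to PHP's base64_decode().
IFRAME = re.compile(r"<iframe\b[^>]*>", re.I)
HIDDEN = re.compile(r"display\s*:\s*none|visibility\s*:\s*hidden|"
                    r"(?:width|height)\s*[=:]\s*[\"']?\s*0(?![\d.])", re.I)
B64 = re.compile(r"\bbase64_decode\s*\(", re.I)
EXTENSIONS = (".php", ".html", ".htm", ".js")

SAMPLE = {  # constructed files; example.invalid is a placeholder domain
    "footer.php": '<p>Footer</p>\n<iframe src="http://example.invalid/" width="0" height="0"></iframe>\n',
    "functions.php": "<?php\n$x = base64_decode('aGVsbG8=');\n",
    "page.php": '<iframe src="https://example.invalid/video" width="560"></iframe>\n',
}


def scan_line(line):
    """Return the rule names that match one line of source."""
    hits = []
    for tag in IFRAME.findall(line):
        hits.append("hidden-iframe" if HIDDEN.search(tag) else "iframe")
    if B64.search(line):
        hits.append("base64_decode")
    return hits


def scan_tree(root):
    """Walk a site backup; return sorted (relative path, line, rule) tuples."""
    findings = []
    for folder, _dirs, files in os.walk(root):
        for name in (f for f in files if f.lower().endswith(EXTENSIONS)):
            path = os.path.join(folder, name)
            with open(path, encoding="utf-8", errors="replace") as handle:
                for number, line in enumerate(handle, 1):
                    for rule in scan_line(line):
                        findings.append((os.path.relpath(path, root), number, rule))
    return sorted(findings)


def demo():
    """Write SAMPLE to a temporary directory and scan it."""
    with tempfile.TemporaryDirectory() as root:
        for name, body in SAMPLE.items():
            with open(os.path.join(root, name), "w", encoding="utf-8") as handle:
                handle.write(body)
        return scan_tree(root)
```

Call `scan_tree()` with the path of the unpacked backup. WordPress core and many plugins call base64_decode() legitimately, so treat each hit as a line to compare against a fresh download rather than as proof of infection.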

Right now you are looking for confirmation that this code is part of your problem. You can delete these references, but there may be more you have missed. Ultimately you will have to install a fresh version of your template, but we will get to that in a minute.

Get to the Cause

Search around on the web. There are common security problems associated with TimThumb, like the WooThemes framework and an old version of TimThumb, which was originally compromised. This will also give you an idea of the problem you have, and how to solve it. The cause of your problems could be anything: it could be your theme, someone might have guessed your password, anything.

From us sending in the request to the malware warning being removed, it took less than 8 hours. In all we lost almost a full day of traffic from Google, which is about 50% of the total.

If your issue is a compatibility problem, then you need to download a recent copy of your theme. Upload a copy of your theme to your server, go into the admin section and reactivate your theme. Make sure both your theme and the system are up to date, and that you can see the theme is activated in the back end. If this still gives you a white screen of death, then you will need to look in the www section of your host.

When looking at your website in a file manager or FTP you should only see the files on this page. The fastest way to reset your installation is to delete all the files, excluding your wp-config file, and the folders, from the root. Then upload the files from a fresh download of the system. This way you will remove any random index.html files or something that is blocking the index.php file from executing.