When a website is hacked, malicious software (malware) is placed somewhere on the site, either by editing existing files or by adding new ones. Malware is designed to harm your site and can be difficult to detect.
If you aren't familiar with how website code looks, figuring out what part of the code is malware that needs to be removed, is a challenge. Every hack is different, so it's really a matter of looking through the files of your website and figuring out what's not supposed to be there.
Tip: Make sure you have a backup of your site before you start removing malware. That way you still have all your files in case something goes wrong. You can make a manual backup with File Manager, or use our Backup & Restore function.
Use a paid service to clean your site
If you don't feel up to cleaning your site manually, or don't have the time, it may be worth it to use a paid service and have them clean up your site for you. If you are at a loss on where to start, this is probably the easiest and quickest solution.
When you search the internet you'll find loads of options in several price ranges. We recommend using SiteLock, a paid add-on service that you can subscribe to.
SiteLock monitors your site and regularly scans it for known vulnerabilities. If malware is detected SiteLock Fix can automatically remove it. It's fully integrated with our servers and you can activate it directly from the control panel.
- Check our guide on how to get started: Set up SiteLock security.
Remove malware from a CMS like WordPress or Joomla
If your website is made with a CMS, then a good place to start is with the original installation files, since they are not infected and available for you to download.
- Get a list of all the files that have malware. You can find it in the One.com control panel.
Download the installation files for your CMS. It needs to be the same version as you have installed. You can find the files here:
Open the installation files on your computer and compare them with the list of infected files in File Manager.
- If the infected file doesn't exist in the installation files, and it's not part of an extension or template, then it's probably malware, and can be removed completely.
- If the infected file is part of the installation files, then you can replace it with the corresponding file from the installation, that you just downloaded.
- If the configuration file with your database connection details is infected, (configuration.php, wp-config.php) then you need to make sure that you add the login details for your database.
- If the infected file is part of a plugin, extension, template or another module that you have added to your CMS, then you can remove the file, and reinstall the plugin later.
- After you have gone through all the files, and either replaced or deleted them, you need to make sure that your CMS is updated to the latest version. The same for your templates, themes, extensions and other add-ons.
Clean malware from other files
In some cases, you need to remove the malware code from the file, for example, if your website has been custom made. Unless you are familiar with coding, it will be difficult to recognise what is malware and what isn't. Check the screenshot below for an example.
- In most cases, malware code is added either at the top or the bottom of the file.
- Malware often exists out of long strings of text that appear longer than the rest of the code in the file.
- We recommend editing the file in File Manager, because it shows the syntax in colours which makes it easier to spot what part of the code looks out of place.
- When you have found the malware, remove it from the file and click Save in the top-left corner.
Remove malware from httpd.private or tmp folders
Sometimes malware infected files can end up in folders on the web space that aren't accessible from an FTP connection or from File Manager. In these cases you have to connect to your web space using SFTP or SSH instead, to be able to remove the files.