Malware Removal
Customers can benefit from Kinsta’s Security Pledge. If your WordPress site is hacked while hosted at Kinsta, we’ll work with you for free to try to undo the damage. This only applies to WordPress sites hosted at Kinsta and does not apply to Application, Database, or Static Site Hosting.
Malware security pledge limitations
Our security pledge includes:
- An inspection of the site and a deep scan of the site’s files to identify malware.
- Repair of the WordPress core by installing a clean copy of the core files.
- Identification and removal of infected plugins and themes.
If an active plugin or theme is removed as part of the malware removal process, you will be responsible for installing and configuring a new copy of the plugin or theme after the malware removal process has been completed.
Our security pledge does not cover non-WordPress software or custom scripts.
We will do our best to fully remove malware from your site. However, by design, malware can be difficult to detect and remove. This is particularly true for infections injected into the site database. As a result, in some rare cases, a single round of malware remediation may not be sufficient. If you detect unexpected or malicious behavior after we have completed our work on your site, please get back in touch with our team and provide as many details as possible so that our malware removal specialists can make a further attempt at fully removing the infection.
Our security pledge is subject to our Terms of Service. While we cannot prevent or remediate all security incidents, we will assist you in repairing damage caused by malware to your websites as long as those websites are hosted by Kinsta.
How WordPress sites are hacked
Due to the secure design of our infrastructure, server-level compromises are extremely unlikely. Rather, sites hacked while hosted at Kinsta are infected in one of three ways:
- Exploits targeting WordPress: an attacker exploits outdated or poorly coded plugins and themes, or an outdated version of the WordPress core.
- Compromised credentials: an attacker captures your WordPress admin, MyKinsta, database, SSH, or SFTP credentials.
- Nulled plugins and themes: using “free” nulled versions of premium themes and plugins that contain malicious code.
Malware removal process
The process of inspecting a site, scanning it for issues, and removing infections may take up to one full business day to complete. Particularly pervasive infections may require multiple rounds of inspection. In some rare cases, where a site has been corrupted beyond repair, it may be necessary to restore the site using a backup.
Removing malware often produces site-breaking results as infected plugins and themes are removed. As a result, we recommend using a plugin to place the site into maintenance mode during the malware removal process.
If you encounter evidence of malicious code or site behavior, contact our team.
Steps taken by Kinsta
There are a few mandatory steps in our malware removal process which will be completed by our Support team for every repaired site:
- The WordPress core will be reinstalled.
- SFTP, SSH, and database passwords will all be changed.
- If we discover infections in your site’s plugins or themes, we will remove the infected components from the site.
Steps you need to take
Following the completion of malware removal, we will ask you to take several additional steps to secure your site:
- Update all plugins, themes, and the WordPress core to their latest versions.
- If our Support team identified and removed any compromised themes or plugins, do not attempt to manually clean and reuse the compromised files. Download fresh copies of these components from the developer and install them on the site.
- Review all WordPress admin users and delete any that are unused or that you don’t recognize.
- Update all WordPress admin user passwords.
- Update all MyKinsta user passwords.
- Follow any additional site-specific instructions based on the nature of the infection.
These steps should be taken within one business day after we request that they be taken. Failure to take these additional steps will mean that our Support team will be unable to remove future infections for free.
Scanning additional sites
Having one of your sites infected with malware can lead to concerns about possible infection of your other sites. However, because Kinsta uses a container-based hosting infrastructure, cross-contamination between sites at the server level is not possible.
This means that if there is no specific evidence that additional sites have been compromised, then there’s no reason to think they have been infected.
Inspection of sites to identify possible infections is limited to sites that exhibit specific evidence of infection. In the absence of specific evidence, we recommend that you use a site-scanning service or plugin such as Sucuri Security to confirm that the rest of your sites have not been infected.
Infections discovered during migration
A deep scan of all site files is a standard step in our migration process. If we determine that your site is infected during a migration, we will pause the migration and report the issue to you. At that time, you will be provided with two options:
- Proceed with the migration and have Kinsta remove the infection.
- Cancel the migration, work with a third party to repair the hacked site in the prior hosting environment or repair it yourself, and then reschedule the migration.