Malware Removal Process
The process of inspecting a site, scanning it for issues, and removing infections may take up to one full business day to complete. Particularly pervasive infections may require multiple rounds of inspection. In some rare cases, where a site has been corrupted beyond repair, it may be necessary to restore the site using a backup.
Removing malware often produces site-breaking results as infected plugins and themes are removed. As a result, we recommend using a plugin to place the site into maintenance mode during the malware removal process.
If you encounter evidence of malicious code or site behavior, contact our Malware & Abuse team or open a support ticket with them in MyKinsta.
Steps Taken By Kinsta
There are a few mandatory steps in our malware removal process which will be completed by our Malware & Abuse team for every repaired site:
- The WordPress core will be reinstalled.
- SFTP, SSH, and database passwords will all be changed.
- If we discover infections in your site’s plugins or themes, we will remove the infected components from the site.
Steps You Will Need to Take
Following the completion of malware removal, we will ask you to take several additional steps to secure your site:
- Update all plugins, themes, and the WordPress core to the latest version.
- If our Malware & Abuse team identified and removed any compromised themes or plugins, do not attempt to manually clean and reuse the compromised files. Download fresh copies of these components from the developer and install them on the site.
- Review all WordPress admin users and delete any that are unused or that you don’t recognize.
- Update all WordPress admin user passwords.
- Update all MyKinsta user passwords.
- Follow any additional site-specific instructions based on the nature of the infection.
These steps should be taken within one business day after we request that they be taken. Failure to take these additional steps will mean that our Malware & Abuse team will be unable to remove future infections for free.
Scanning Additional Sites
Having one of your sites infected with malware can lead to concerns about a possible infection of your other sites. However, because Kinsta uses a container-based hosting infrastructure, cross-contamination between sites at the server level is not possible.
This means that if there is no specific evidence that additional sites have been compromised, then there’s no reason to think they have been infected.
Inspection of sites to identify possible infections is limited to sites that exhibit specific evidence of infection. In the absence of specific evidence, we would recommend that you use a site-scanning service or plugin such as Sucuri Security to confirm that the rest of your sites have not been infected.
Infections Discovered During Migration
A deep scan of all site files is a standard step in our migration process. If we determine that your site is infected during a migration, we will pause the migration and report the issue to you. At that time, you will be provided two options:
- Proceed with the migration and have Kinsta remove the infection; a $100 malware removal fee will apply.
- Cancel the migration, work with a third party to repair the hacked site in the prior hosting environment or repair it yourself, and then reschedule the migration.