How to Find & Remove Coinhive Malware from Your WordPress Site?
Finding out that your website is compromised is indeed a devastating experience. After spending years helping users clean their hacked websites, we have first-hand experience of how costly a compromise can be. Hackers often use your website to execute malicious activities like redirecting your visitors to their website, sending WordPress spam emails (read – phishing hack), inserting backdoors, etc.
That way, you could end up losing your search engine ranks, the trust of your customers, and your revenue. Don’t worry, though! All these may happen only if you don’t clean your website and plug the hole that caused the compromise in the first place.
In this malware removal guide, we will guide you through the process of cleaning a CoinHive malware WordPress hack and taking steps to protect your website from such a hack attack in the future.
If you want to get rid of CoinHive malware for good, then use our WordPress malware removal plugin. Our automated cleaner will remove all malware from your site instantly. That said, cleaning your website is not enough; you’ll also have to protect it from future hack attacks. Therefore, make sure you return and read the entire article to learn more about it.
What is CoinHive Malware?
CoinHive is a service that allows website owners to generate revenue by placing a code on their website.
The code is designed to utilize your visitor’s computer to generate revenue.
It’s important to note that the revenue in question is cryptocurrency – a type of digital currency rising in popularity in the last few years.
Since more and more people are starting to use ad blockers, CoinHive was quickly adopted by site owners as an alternative revenue generator. The only problem was that hackers, too, were interested in the service because it enabled them to make easy money. All a CoinHive miner has to do is install CoinHive code on hacked sites.
If you have detected CoinHive code in the header or footer of your site, your visitors (or rather the computer of your visitors) are being used to generate digital money.
The good news is that you can clean your website, i.e. remove the CoinHive malware and not be taken advantage of. You’ll also be saving your visitors a lot of headaches because the mining process affects their CPU. It shortens the lifespan of their computers.
In the next section, we’ll show you the exact steps you need to take to clean a CoinHive malware WordPress hack.
How to Remove CoinHive Malware?
To completely remove CoinHive malware from your website, you will need to first clean the site and fix the vulnerability that caused the hack in the first place.
Step 1: Cleaning CoinHive Malware From Your Site
To remove CoinHive malware, you first need to find it. You can find the malware manually or by using a security plugin.
Finding malware on your own is difficult. Back in the day, when websites were not a complex web of files and folders, hackers had only a few places to hide malware. Back then, manually finding malware was easy. Not anymore, though. Websites today are complicated, with dozens and dozens of files and folders. The CoinHive malware could be hidden anywhere. Looking for it manually is going to be a very time-consuming task and, on top of that, you can’t be sure that you’ll find all the hidden malware on the website.
But if you were to use a security plugin, it’ll ensure that it finds all the malware on your website and in less time. That said, there are shortcomings that many security plugins suffer which makes it difficult to choose an effective one.
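For the manual search described above, the following added example (not part of the original article and not MalCare's code) walks a WordPress directory and reports every line containing a publicly documented CoinHive loader marker. The indicator strings, function names and the sample theme files are assumptions constructed for illustration.

```python
import os
import re
import tempfile

# Publicly documented CoinHive loader markers (assumed here, not from the article).
INDICATORS = {
    "coinhive-script-host": re.compile(r"coinhive\.com/lib/|authedmine\.com/lib/", re.I),
    "coinhive-miner-object": re.compile(r"\bCoinHive\.(Anonymous|User|Token)\s*\(", re.I),
    "coinhive-library-file": re.compile(r"coinhive\.min\.js", re.I),
}
SCAN_EXTENSIONS = (".php", ".js", ".html", ".htm")


def scan_tree(root):
    """Return sorted (relative_path, line_no, indicator) hits under root."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if not name.lower().endswith(SCAN_EXTENSIONS):
                continue
            path = os.path.join(dirpath, name)
            try:
                with open(path, encoding="utf-8", errors="replace") as fh:
                    for line_no, line in enumerate(fh, 1):
                        for label, pattern in INDICATORS.items():
                            if pattern.search(line):
                                hits.append((os.path.relpath(path, root), line_no, label))
            except OSError:
                continue  # unreadable file: skip it and keep scanning
    return sorted(hits)


def build_sample_site(root):
    """Constructed sample tree: a clean header.php and an injected footer.php."""
    theme = os.path.join(root, "wp-content", "themes", "example-theme")
    os.makedirs(theme)
    with open(os.path.join(theme, "header.php"), "w") as fh:
        fh.write("<?php wp_head(); ?>\n")
    with open(os.path.join(theme, "footer.php"), "w") as fh:
        fh.write("<?php wp_footer(); ?>\n"
                 '<script src="https://coinhive.com/lib/coinhive.min.js"></script>\n'
                 "<script>new CoinHive.Anonymous('SITE-KEY-PLACEHOLDER').start();</script>\n")


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as site:
        build_sample_site(site)
        for hit in scan_tree(site):
            print(*hit)
```

Literal-string matching like this misses obfuscated loaders and anything injected into the database rather than into files, which is the limitation of manual searching that the article describes.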
Choosing the Most Effective Security Plugin
Two primary functions of a security plugin are to perform a malware scan and clean hacked websites.
When it comes to scanning, most security plugins only do a surface-level scan, i.e. they only look into places where malware is generally found. The catch is, malware could be hidden anywhere. Hence a surface-level scan is not sufficient to find all the CoinHive malware present on your website.
Moreover, many security plugins are designed to only look for known malware. This means that new types of malware and particularly complex malware go undetected even if you are using a security plugin.
But what if there is a security plugin that isn’t plagued by these shortcomings?
MalCare Security Plugin will scan as well as clean your website thoroughly.
- Finds All Hidden Malware: MalCare goes beyond the known places where malware is generally located. It looks into every nook and corner of your website to find hidden malware.
- Finds New and Complex Malware: While the plugin looks for known malware, it also goes one step ahead and checks the pattern and behavior of codes. Some codes are disguised to look clean on the surface but they are malicious. Inspecting the codes enables the plugin to recognize new and complex malware.
- Enables Users to Clean Site Instantly: After detecting malware, MalCare will clean your website. With other security plugins, the cleaning process can take up to a few days to complete. But with MalCare, it takes only a few minutes. All you need to do is click a button to initiate the clean-up process. That way, your website will be clean before Google can blacklist your site or your web host can suspend your site.
Now that you have a security plugin that comes with a powerful WordPress malware scanner and cleaner, let’s try to clean a website with it.
CoinHive Malware Removal With MalCare
1. Install the WordPress security plugin on your hacked WordPress site.
2. Add your site to the MalCare dashboard and it will begin scanning your website immediately. After scanning, the plugin will show you how many malicious files it found.
3. Now that the CoinHive malware is found, you’ll need to clean it. Just click on the Auto-Clean button to initiate the cleanup process.
MalCare will take only a few minutes to clean your site. Once done, it’ll notify you on the dashboard.
With your site clean, you may think that you can now heave a sigh of relief but your site is far from being completely safe. We know that hackers gained access to your website and infected it with CoinHive malware. But how did they gain access to your website in the first place?
Cleaning the hack is only half the battle. To repair your hacked website completely, you need to find your site’s vulnerabilities and fix them.
Step 2: Fixing Website Vulnerability
Hackers generally gain access to a website through vulnerabilities. There are different forms of vulnerabilities. It can be bugs in your themes, plugins or even the WordPress core. Or it can be a rogue user who is allowing hackers to access your dashboard. To plug the hole that enables the hack, you’d need to fix these vulnerabilities. Here’s how you can do that –
i. Update Your WordPress Site
It’s common for software to develop vulnerabilities. Over time, themes, plugins, and core develop vulnerabilities. When these vulnerabilities are discovered, developers quickly release a patch in the form of an update to fix the software. When site owners don’t update their themes, plugins, and core, the vulnerabilities remain. Hackers take advantage of the vulnerabilities to hack your site. Hence, if you have outdated software installed on your site, update it now. Besides keeping your plugins, themes, and core updated, we strongly suggest that you keep your WordPress salts and security keys updated.
ii. Implement Least Privilege Principles
There are 6 different levels of roles that you can assign to a WordPress user (i.e. someone who can log in and make modifications to your site). The highest level is that of an admin who has complete control over your website. The admin role should be only assigned to people you can trust. Making everyone an admin could be a recipe for disaster. A user can take advantage of the power and enable hackers to access your site in return for a reward. A good example that comes to mind is when OurMine (a hacker group) hacked into TechCrunch by using one of the contributor accounts.
iii. Use Unique Username & Strong Password
Every WordPress website has a login page. It’s a gateway to your website which is why it draws a lot of attention from hackers. They design bots to launch attacks on your login page. The bots try to guess your username and password to access your dashboard. If you have an easy-to-guess username and password (like admin and pssword123), hackers can easily break into your website. Therefore, change your default username and generate strong passwords for all user accounts (also read the WordPress Login Protection Guide & brute force attack prevention guide).
These are some of the basic steps you can take to fix the vulnerabilities on your website. After this come the steps you need to take to prevent future hack attempts on your site.
Preventing CoinHive WordPress Hack
Getting your website hacked once is painful enough. Getting hacked twice is going to be a nightmare. The good news is that you can stop your site from becoming a victim of another CoinHive WordPress hack by taking a few basic security measures. And those are:
I. Always Keep Your Website Updated
For close to a decade we have spent hours investigating hacked websites. And the one reason that stood out in almost all websites is outdated software. Hence, keep your website updated. Set aside a few hours every week to update your website. Recommended read: how to safely update a WordPress website?
II. Avoid Using Pirated Software
Pirated themes and plugins are really tempting to use because they are premium software that comes free of cost. But pirated software is often unsafe. Most of them carry backdoors – a form of malware. When you install the software (i.e. plugin or theme) on your site, the backdoors are activated and it enables hackers to gain access to your website. So, if you are using pirated themes or plugins, remove them from your website right away.
III. Implement Stronger Credentials
We spoke about this in the previous section and we can’t stress this point enough.
To reiterate – WordPress login pages are more frequently targeted than any other page on a WordPress website. Hackers try to guess the credentials of your website to try and break into your website. Therefore, use a unique username and strong passwords.
IV. Use a Security Plugin
A security plugin carries out 3 primary tasks – scanning, cleaning, and protection. It will enable you to harden your website security and detect if there are any malicious activities taking place on your website. (Earlier in the article, we covered how not all security plugins operate in the same way and how you can choose a good security plugin.)
With that, we will end this section about taking hack prevention measures. But the list of measures that you can take to protect your websites doesn’t just end here. You can take many more steps to ensure that your site remains safe. More on that in this WordPress security guide.
Besides these, you can also take a few more security measures like moving your site from HTTP to HTTPS, protecting the login page, and hardening your WordPress website. Moreover, we strongly suggest following this guide – Secure Your WordPress Site With wp-config.php.
A CoinHive malware hack can cause serious issues for a website owner and getting it cleaned should be your number one goal. The trouble is that even after cleaning your site, malware can return with the help of the vulnerabilities present on your site. Moreover, there’s no guarantee that your website will be safe in the future.
Therefore, you need to take certain steps to remove the vulnerabilities and certain measures to protect your websites from future hack attempts. Installing a security plugin is a huge step in that direction. It’ll help you fix vulnerabilities and secure your site from hackers and bots.
Use MalCare Security Services to Secure Your Website!
Sufia is a WordPress enthusiast, and enjoys sharing their experience with fellow enthusiasts. On the MalCare blog, Sufia distils the wisdom gained from building plugins to solve security issues that admins face.