This page explains how to respond to users (the people who use the site) when WordPress tampering may harm visitors, for example by redirecting them to another site, sending them to a sweepstakes site, or causing them to download malicious files.


Identify what damage could be done to users who visit the site

First, identify what harm could be done to users who visit your site.

Users are redirected to an unauthorized site
Spam emails are sent from the site
Users download malicious files
Unknown malicious pages are hosted on the server

Any of these can have a number of different causes.

If the entire site does not need to be shut down immediately

For example, if the problem is confined to a few pages or to the server itself, as when spam mail is being sent, you may only need to temporarily disable the contact form page instead of shutting down the entire site.

In the case of malicious pages appearing in search results, even if the entire site is closed, it may take some time for Google to confirm that the pages are no longer there and remove them from its search index. If you can remove the malware immediately (within a week), it may be better to continue with the malware removal process instead of closing the entire site.

When it is better to consider temporarily closing the site

In other cases, if it is expected to take more than a week to remove the malware from the server, or if the site has been repeatedly tampered with and reinfected, you may want to consider temporarily closing the entire site because of the possibility of increased damage to users visiting the site.

In addition, if the site has a large number of hits, or if it is a government site with high social significance, users may be sent to an unauthorized site where they may be infected with a virus or have their credit cards stolen, so we recommend that you consider shutting down the site immediately. Please contact us for more information.

How to close the site and save files

Maintenance Mode
Even if you put your site into maintenance mode with a plugin, all WordPress program files are still in the same location, which means that vulnerabilities and backdoors are still accessible to hackers in many cases. It also does not prevent the downloading of malicious files hosted on your site.

Therefore, while our maintenance mode will not prevent drastic site tampering from spreading, it will prevent visitors from being redirected to another site or from using a hosted malicious page.

File Evacuation
Create a folder on the server, place all WordPress-related and other webroot files in it, and set the folder’s permissions to 000 (no access allowed).

Then, create an HTML file (index.html) that notifies users accessing the site that the site is temporarily closed, upload it, and redirect all requests to that HTML file.

The .htaccess file that redirects all requests to the above index.html is configured as follows:

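RewriteEngine on
# Leave the notice page itself alone, otherwise the redirect would loop
RewriteCond %{REQUEST_URI} !^/index\.html$
# Let images, CSS and JavaScript used by the notice page through
RewriteCond %{REQUEST_URI} !\.(gif|jpe?g|png|css|js)$
# Send every other request to the notice page with a temporary (302) redirect
RewriteRule .* /index.html [L,R=302]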
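
The file evacuation steps above combined into one shell function, as an added example that is not part of the original page. The evacuated-<timestamp> folder name and the notice text are assumptions, and it assumes an Apache server that honours .htaccess with mod_rewrite in the webroot.

```shell
#!/bin/sh
# Added example: evacuate a tampered webroot and serve only a closure notice.
# Usage: evacuate_webroot /path/to/webroot   (path is site-specific)

evacuate_webroot() {
    root=$1
    qname="evacuated-$(date +%Y%m%d%H%M%S)"   # hypothetical folder name
    qdir="$root/$qname"

    [ -d "$root" ] || { echo "no such webroot: $root" >&2; return 1; }
    mkdir "$qdir" || return 1

    # Move everything, including dotfiles such as a tampered .htaccess,
    # into the evacuation folder. Nothing is deleted, so the files stay
    # available for later cleanup and investigation.
    find "$root" -mindepth 1 -maxdepth 1 ! -name "$qname" \
        -exec mv {} "$qdir"/ \;

    # Permissions 000: the web server user can no longer list or read it.
    chmod 000 "$qdir" || return 1

    # Closure notice shown to every visitor (constructed sample text).
    cat > "$root/index.html" <<'EOF'
<!DOCTYPE html>
<html><head><meta charset="utf-8"><title>Temporarily closed</title></head>
<body><p>This site is temporarily closed for maintenance.</p></body></html>
EOF

    # Fresh .htaccess: redirect all requests except the notice and its assets.
    cat > "$root/.htaccess" <<'EOF'
RewriteEngine on
RewriteCond %{REQUEST_URI} !^/index\.html$
RewriteCond %{REQUEST_URI} !\.(gif|jpe?g|png|css|js)$
RewriteRule .* /index.html [L,R=302]
EOF
    chmod 644 "$root/index.html" "$root/.htaccess" || return 1

    echo "$qdir"   # report where the original files now live
}
```

To work on the evacuated files during cleanup, first restore owner access to the printed folder with chmod 700.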

Malware that regenerates itself outside the evacuated folder
Recently, there is a type of malware that regenerates itself even after all WordPress files have been moved to a different folder. Please refer to the following article for how to deal with this situation.

HTACCESS file and Index.php file tampered with again in an instant in WordPress

Malware removal as soon as possible during the temporary closure of the site

In the case of maintenance mode, the WordPress admin pages remain available, so you can use the free WordPress:Malware Scan & Security Plug-in [Malware and Virus Detection and Removal] to scan for and remove malware from the WordPress administration screen.

If you have deleted your files, you will not be able to use WordPress itself, so you will need to back up your files and database, clean them up manually, and then re-upload them to the server.