How to Remove Malware from Magento Ecommerce Store

Updated on  28th November

4 Min Read

Malware is short for malicious software. This type of software is designed to gain entry into a system without the knowledge of the owner. Once present, malware generally goes on to create chaos. It can target the infected system itself or it can hurt other systems too.

In this world of connected devices, malware attacks are becoming more common and the easiest way to target people is through websites. When it comes to websites, targeting stores with bad security is a favorite among cyber-criminals.

Generally, it happens because store owners ignore site upkeep once their ventures start to earn. They only get involved once a malware attack hits. As Magento is the most-used store-building solution, websites built on it are mostly targeted too.

In most cases, malware attacks on Magento stores are script-based and can be fixed in a few steps.

So, in this article, I will teach you how you can remove malware from a Magento store.

Cleaning Malicious Script From Site

The first step to check and clean any malicious code on your site is to bring an experienced developer or solution partner on board.

Create Backup

Before making any changes to your site, you must create a backup of your site’s data and files.

Magento Malware Scan

Go to MageReport and start a Magento malware scan for your site in order to identify the unapplied patches for Magento core and to find the malware scripts present in your site.

Install Missing Patches

After the Magento malware scan, you should install all the patches the scanner has recommended. Once installed, you should test your Magento site in a testing (non-production) environment. You can download Community Edition patches from here.

Note: If you are on Cloudways Magento commerce hosting, simply update your version as shown in this YouTube video.

Remove Unknown Admin Account

An unknown admin account is like a ringing alarm. In most cases, it indicates a failure of your website’s security. You must remove such accounts immediately. To do so, log in to your Magento store’s Admin Panel, go to System → Permissions → Users, and remove all unknown accounts.

Once done, you need to protect your current admin accounts. Change the passwords of all known admins, and change the admin ID to a unique name, avoiding IDs like administrator, root, admin, and so on.

(While you are at it, you should read what our CTO said about website security in one of his talks. The talk is about WordPress, but a lot of what he said applies to all types of websites.)

Review SSH & FTP Users

Once you have removed unauthorized admin accounts, you should check for other entry points. As a safety measure, review all SSH and FTP users and all users who are old, unused, and unknown. Change the passwords of all active users.

Unknown Javascript Code

Up to this step, I have shown how you can protect the entry points from malware infections. Now, I will discuss the steps you need to take to remove malware code from your Magento store.

Remove Code From Head

Navigate to System → Configuration → Design → HTML Head → Miscellaneous Scripts to remove unknown JavaScript code. Remove all code excerpts except the ones you recognize.

Remove Code From Footer

Navigate to System → Configuration → Design → Footer → Miscellaneous Scripts to remove unknown JavaScript code. Remove the code that you suspect the most.
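To make the head and footer review above less of a judgment call, the following added example (not part of the original article) lists every script tag found in a pasted Miscellaneous Scripts value and marks the ones loaded from hosts you have not approved. The `KNOWN_HOSTS` allowlist and the `SAMPLE` value are assumptions constructed for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

# Assumption: hosts this store deliberately loads scripts from.
KNOWN_HOSTS = {"www.googletagmanager.com"}

# Constructed sample of a "Miscellaneous Scripts" field (not real data).
SAMPLE = """
<script src="https://www.googletagmanager.com/gtm.js?id=GTM-XXXX"></script>
<script src="//cdn.unrecognised.example/c.js"></script>
<script>var w = window; w.trackOrder = function () {};</script>
"""


class ScriptInventory(HTMLParser):
    """Collect every <script> element with its src attribute and inline body."""

    def __init__(self):
        super().__init__()
        self.scripts = []      # one dict per completed <script> element
        self._current = None   # the <script> element currently being read

    def handle_starttag(self, tag, attrs):
        if tag == "script":
            self._current = {"src": dict(attrs).get("src") or "", "inline": ""}

    def handle_data(self, data):
        if self._current is not None:
            self._current["inline"] += data

    def handle_endtag(self, tag):
        if tag == "script" and self._current is not None:
            self.scripts.append(self._current)
            self._current = None


def review_scripts(html, known_hosts=KNOWN_HOSTS):
    """Return one (verdict, detail) tuple per <script> tag, in page order."""
    parser = ScriptInventory()
    parser.feed(html)
    parser.close()
    findings = []
    for s in parser.scripts:
        if not s["src"]:
            # Inline code has no host to compare: show a preview to read by hand.
            findings.append(("inline", s["inline"].strip()[:60]))
            continue
        host = urlparse(s["src"]).hostname  # also handles //host/path URLs
        if host is None:
            findings.append(("relative", s["src"]))  # file on the store itself
        else:
            verdict = "known" if host in known_hosts else "unknown-host"
            findings.append((verdict, host))
    return findings
```

Anything reported as `unknown-host` or `inline` is a candidate for the removal step; `relative` entries point at files on the store itself, which still need to be checked for tampering.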


Once you are done with code clean-up, you should scan your site again using MageReport to verify that the malware is no longer present.

Secure Admin Panel

Once you have cleaned out the Magento malware, you need to check that the possible entry points are protected. You should change the front name of the Admin panel in order to secure it. Furthermore, verify that ‘app/etc/local.xml’ and ‘var’ are not publicly accessible through your site URLs.
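The public-access check described above can be scripted against your own store. This is an added example, not code from the original article; the base URL is a placeholder and the verdict labels are assumptions chosen for this sketch.

```python
import urllib.error
import urllib.request

# Paths the article says must not be publicly accessible.
SENSITIVE_PATHS = ["app/etc/local.xml", "var/"]


def http_status(url, timeout=10):
    """Return the final HTTP status of a GET (redirects followed), or None."""
    try:
        with urllib.request.urlopen(url, timeout=timeout) as resp:
            return resp.status
    except urllib.error.HTTPError as err:
        return err.code        # 4xx/5xx responses are raised as exceptions
    except urllib.error.URLError:
        return None            # DNS failure, refused connection, timeout


def classify(status):
    """Map a status code to a review verdict."""
    if status is None:
        return "check manually"
    if 200 <= status < 300:
        # Content came back. This may be the file itself or a page the store
        # redirected to, so open the URL and inspect what is served.
        return "REACHABLE"
    if status in (401, 403, 404):
        return "blocked"
    return "check manually"    # e.g. 5xx: inconclusive


def check_store(base_url, fetch=http_status):
    """Return {path: verdict} for each sensitive path under base_url."""
    base = base_url.rstrip("/") + "/"
    return {path: classify(fetch(base + path)) for path in SENSITIVE_PATHS}


if __name__ == "__main__":
    # Assumption: placeholder URL; replace it with your own store's base URL.
    for path, verdict in check_store("https://store.example.test").items():
        print(f"{verdict:15} {path}")
```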

For more protection, you can read our Magento security tips to keep your ecommerce store safe.

Remove Google Warnings

If Google has marked your site for having malicious code, then you can request a review after cleaning your site. The entire procedure takes a few days. Search results and browser warnings are removed within 72 hours, once Google verifies that your site is now clean. For review requests, you can get a ton of information from the Google Developers site.

Suffering From Persistent Attacks?

The above method will help you with typical malware attacks. Sometimes, JavaScript is the reason behind the attack on your file system. This may result in recurring malware attacks. Experienced developers and solution partners are required to deal with these types of complex attacks. Therefore, if you have the budget, create a site maintenance team for your Magento store.

Keep Your Eyes Open

It is a lifetime process to protect your site from malware. Keep your Magento software updated and visit the Magento Security Center regularly. Remember, when it comes to malware attacks, prevention is better than cure.

Syed Muneeb Ul Hasan

Syed Muneeb Ul Hasan is a Magento Developer and Blogger at Magenticians - a platform for Magento Tutorials. He is an expert in PHP and Magento and prefers to educate users in the implementation of Magento. When not working, he loves to play games and watch cricket.
