How to remove .w3-cache malware from WordPress website

My website has been infected by a malware that spamming my traffic. This is what was happened to my website:

  1. Traffic from France with Agent named contains ahrefs.com
  2. Bandwidth is up to 1.7 GB a day
  3. Some weird folders have been appeared automatically like: wp-content/uploads/.w3-cache
  4. Malware code has been added to wp-config.php, wp-content/themes/current-themes/index.php

Actions

Follow these steps to remove them from your website.

Block traffic from Ahrefs.com

I’m using CloudFlare for my website. So it is easily to block traffic with User-Agent contains ahrefs.com

Firewall setting in CloudFlare

Detect and remove all infected files

Use terminal/ssh, login to your website’s root. Then you can find infected files using grep command.

grep -r eval.*base64_decode

A list of files should be appeared. You can delete the infected files then.