WordPress Malware Removal: Step by Step Guide for Site Owners

Introduction

warning, danger, street, sign, light, road, construction, site
Photo by Joshgmit on Pixabay

If you run a WordPress site, at some point you might see it start acting weird. Pages redirecting to shady pharmacies. Google slapping a “This site may be hacked” warning on it. Your host suspending your account. That’s the reality of a compromised site, and knowing how to handle WordPress malware removal is something every site owner should be familiar with. This guide is aimed at small business owners, freelancers, and anyone managing a WordPress site who wants to clean things up without immediately calling in an expensive specialist. Malware isn’t just a nuisance—it tanks your SEO rankings, gets you blacklisted by Google, and can lead to data loss for you and your visitors. The good news is that removal is doable, even if the process can get a bit technical. This guide walks you through each step, from spotting the infection to keeping it from coming back. Let’s get into it.

A laptop screen displaying a malware warning on a WordPress site

How Do You Know Your WordPress Site Has Malware?

Before you start deleting files, you need to confirm you’re actually dealing with malware. A lot of performance problems get misdiagnosed as hacks, so look for specific signs. The most obvious one is unexpected redirects—when you or your visitors end up on completely unrelated sites, often for gambling, pharmaceuticals, or fake downloads. Another common symptom is a sudden, drastic slowdown. Your site might take forever to load because malware is running background processes that eat up your server resources. You might also notice spammy banner ads appearing on your pages that you never installed.

Check your WordPress admin dashboard for anything out of place. Are there new users with admin roles that you didn’t create? Do you see files in your media library that don’t belong there? Sometimes, hackers inject malicious JavaScript or PHP directly into your theme files, which can cause visible page changes or strange pop-ups. You might also get a notification from Google Search Console about a security issue, or your host might flag suspicious activity in your account logs.

Another easy check is to view your site’s source code. Right-click on a page and select “View Page Source.” Look for any script tags pointing to unfamiliar domains, blocks of seemingly random base64-encoded text, or hidden iFrames. These are classic malware signatures. If you see any of these signs, it’s time to start the cleanup process.

Step 1: Create a Complete Backup Before You Do Anything

This is the most important rule: backup everything before you touch a single file. I can’t emphasize this enough. A failed cleanup attempt that goes wrong can leave your site in a broken state, and without a backup, you’re looking at a complete rebuild. Your backup must include two things: your WordPress file system (all the folders and files) and your database (all your posts, pages, user data, and settings).

The easiest way to handle this is with a reliable backup plugin. UpdraftPlus is a free, widely trusted option that makes the process simple. It lets you schedule automatic backups and store them on cloud services like Dropbox, Google Drive, or Amazon S3. For a more premium option, consider WPvivid or BackupBuddy. These give you more control and can handle larger sites.

Regardless of the tool you choose, download a full backup to your own computer after it’s created. Don’t rely solely on the server copy. For site owners who need a reliable external drive for local backups, a portable external hard drive is a practical solution. Once you have that backup, you have a safety net. If something goes horribly wrong during the cleanup, you can restore the entire site and try a different approach. Backup first, clean second.

Step 2: Scan Your Site with a Security Plugin

With your backup safely stored, the next step is to run a thorough scan using a dedicated security plugin. Automated scanners can identify infected files, suspicious database entries, and known malware signatures much faster than a manual search. They’re your first line of defense here.

Wordfence is arguably the most popular free option. It includes a powerful scanner that checks your core WordPress files against the official repository to see if they’ve been modified. It also scans themes, plugins, and other files for malware. The free version runs a solid scan, but the premium version adds real-time firewall rules and checks for more advanced threats. Sucuri Security is another excellent option, particularly if you want ongoing monitoring. Their free plugin does a good scan, but their paid service includes actual malware cleanup, which can save hours of manual work.

When you run a scan, pay attention to the classification. Critical threats mean something that is almost certainly malicious. Warnings might be false positives—sometimes security plugins flag legitimate files that simply contain code patterns similar to malware. Don’t automatically delete everything flagged as a warning. Look at the file path, the type of threat, and the modification date. Use the plugin’s built-in diff viewer to compare a suspicious file against the original version. This tells you exactly what was injected into the file. Start with the free scan, and only upgrade to paid if the free results show a severe infection that you can’t resolve yourself.

WordPress admin dashboard showing security plugin scan results with infected files

Step 3: Identify and Remove Malicious Files Manually

Automated scanners are great, but they aren’t perfect. Sophisticated hackers often obfuscate malware to evade detection. That’s why manual file inspection is important for complete removal. You’ll need access to your site’s files via FTP (FileZilla is a good client) or your host’s cPanel File Manager.

security, protection, antivirus, software, cms, wordpress, content management system, editorial staff, contents, backup,
Photo by pixelcreatures on Pixabay

Start by checking these common locations for suspicious files:

  • Root directory: Look for files with strange names like wp-config.php.old, admin.php, bot.php, or files with random letter sequences. The legitimate wp-config.php is essential. Don’t touch it unless you know it’s infected.
  • wp-content/uploads: Hackers often hide PHP files here. Sort by file type and look for any .php files in the upload folders. They don’t belong there.
  • wp-content/themes and plugins: Check every theme and plugin folder. Look for files that don’t match the official package. A folder named after a legitimate plugin might contain a single malicious file.
  • wp-includes: This is a core folder. Hackers sometimes inject code into legitimate files here, but this is less common.

What are you looking for? Files with a modification date that doesn’t match your normal update patterns. Files containing encoded strings, especially base64, or functions like eval(), preg_replace() with the /e modifier, or base64_decode(). These are classic obfuscation tactics. If you see a legitimate-looking file that contains a huge block of base64-encoded text, that’s malware.

Use a diff tool like WinMerge (for Windows) or Meld (for Linux/Mac) to compare the file on your server with a fresh copy from the WordPress repository. This makes it easy to spot exactly what code was added. When you find malicious files, delete them. Be careful not to delete legitimate theme or plugin directories entirely—just remove the infected files within them.

Step 4: Clean Up Your Database

Many malware infections go deeper than just files. Hackers often inject spam content, create hidden admin users, or modify site options directly in your database. You need to check and clean the database as well. This can be done through phpMyAdmin, which is usually available in cPanel, or through a plugin like WP-Optimize or Wordfence’s database scanner (included in the premium version of Wordfence).

Open phpMyAdmin and select your WordPress database. Look at the wp_users table. Check for any user accounts you don’t recognize, especially with admin-level privileges. Delete any unknown users. Next, examine the wp_posts table for any spam posts or pages. Look for posts with titles that are random or contain links to suspicious sites. These can be safely deleted. Also check the wp_options table. Hackers sometimes change the siteurl or home options, or inject malicious scripts into the active_plugins option.

Be very cautious when modifying the database directly. Only delete entries you are absolutely certain are malicious. If you’re unsure, leave it and research it further. A wrong deletion can break your site. If you’re using a plugin to scan the database, it can often auto-remove suspicious entries. This is safer for most people. After cleaning, it’s good practice to run an SQL query to repair and optimize your tables, which can be done in phpMyAdmin by selecting all tables and choosing the “Repair table” option from the dropdown.

Step 5: Reset All Passwords and Keys

Once you’ve removed the active infection, you need to lock the doors the hackers used to get in. This means resetting every credential associated with your site. Start with all WordPress admin user accounts. Require every user to reset their password to a strong, unique one. Don’t reuse passwords across accounts.

Next, reset your FTP credentials and database passwords through your hosting control panel. Then, update the wp-config.php file with new security salts. This is a powerful step. The security salts in wp-config.php are used to create session cookies and authentication tokens. Changing them invalidates all existing sessions, instantly kicking out any attacker who might have a logged-in session. You can generate new salts from WordPress’s salt generator. Copy the new values and paste them into your wp-config.php file, replacing the old ones.

Managing all these strong, unique passwords is much easier with a password manager. 1Password and Bitwarden are both excellent options. They generate strong passwords and store them securely, so you only have to remember one master password. For those who prefer a hands-on approach, a dedicated password journal can serve as a physical backup for critical credentials. It’s a small investment that pays off every time you need to access or change a credential.

Step 6: Reinstall Core WordPress Files, Themes, and Plugins

Even if you cleaned individual files, there’s always a chance a small piece of malware was missed. The safest approach is to reinstall everything from scratch using official sources. This gives you a clean slate. In your WordPress admin dashboard, go to Dashboard > Updates and click Reinstall Now for the WordPress core. This replaces all core files with a fresh download from WordPress.org.

For themes and plugins, manually delete the infected directories via FTP or cPanel first. Don’t just overwrite them—delete them completely. Then, reinstall them from the official WordPress repository. If you’re using a premium theme or plugin, download a fresh copy from the developer’s website. Avoid using nulled or pirated versions, as these are a common source of malware infections. After reinstalling, activate all themes and plugins. Test that your site functions correctly, especially your contact forms, e-commerce functionality, and any other interactive features.

frozen, landscape, cold, sunrise, file, wilderness, rock, december, mongolia, nature, mongolia eastern
Photo by Kanenori on Pixabay

Common Mistakes That Keep Malware Coming Back

Even after a thorough cleanup, many site owners make mistakes that lead to a repeat infection. Here are the most common errors I see. First, thinking that a single scan is enough. Malware can be deeply embedded. You need to do all the steps, not just run a scanner. Second, ignoring the database. Many people clean files but leave the database full of malicious entries. These can reintroduce malware by executing scripts or creating new admin users. Third, not changing all passwords. If you only change your admin password but forget to rotate FTP credentials or API keys, the attacker can still access your site. Fourth, skipping the file change detection setup. After cleaning, you need a way to detect if files change again. A security plugin with real-time file monitoring is essential. Fifth, failing to remove unknown admin users. Even after cleaning files, an attacker’s backdoor admin account can be used to reinfect the site. Always verify and remove any unauthorized users. Finally, not addressing the root cause. If you have a vulnerable plugin or a weak password, the malware will return. Fix the security gap, not just the symptoms.

FTP client interface showing WordPress file directory with suspicious malicious files highlighted

Should You Use a Professional Malware Removal Service?

DIY cleanup works for many infections, but it’s not always the right call. There are clear situations where a professional service is worth the cost. The first is infection severity. If your site has a sophisticated rootkit or a backdoor that scans can’t find, a professional has the tools and experience to track it down. The second factor is your technical skill level. If you’re uncomfortable with FTP, phpMyAdmin, and reading PHP code, the risk of breaking your site is high. A professional can do the job safely and quickly. The third factor is time. Cleaning a deeply infected site can take hours of careful work. If your site generates revenue, the downtime from a DIY approach may cost you more than the service fee. The fourth factor is the need for ongoing monitoring. Services like Sucuri’s cleanup service not only remove the malware but also provide a firewall, monitoring, and a guarantee that they will clean any future infections. This gives you peace of mind. A professional service typically costs between $100 and $250 for a one-time cleanup. For many business owners, that’s a small price compared to lost revenue and SEO damage.

How to Prevent Future Malware Infections

Cleanup is the hard part. Keeping it clean is the ongoing job. The single most effective prevention is keeping everything updated. This includes WordPress core, all themes, and all plugins. Outdated software is the number one entry point for hackers. If a plugin hasn’t been updated in over a year, consider finding a modern alternative.

Next, implement strong authentication. Use two-factor authentication (2FA) for all admin accounts. Plugins like WP 2FA or Wordfence’s built-in 2FA make this easy. Limit login attempts to prevent brute force attacks. Plugins like Login LockDown can block an IP after a set number of failed attempts. Disable the file editor in your WordPress admin dashboard. Add this line to your wp-config.php file: define('DISALLOW_FILE_EDIT', true);. This prevents an attacker who gains admin access from editing theme and plugin files through the dashboard.

Consider using a Web Application Firewall (WAF). A WAF filters all traffic to your site and blocks malicious requests before they even reach your server. Cloudflare offers a free CDN and basic WAF that many hosts integrate with. Sucuri’s firewall is another excellent choice. Choose a reputable hosting company that takes security seriously. Managed WordPress hosts like WP Engine and Kinsta include proactive security measures, daily backups, and automatic updates. Finally, set up a regular backup routine with a plugin like UpdraftPlus or BackupBuddy. A good backup is your last line of defense. If prevention fails and malware gets through, you can restore a clean version of your site quickly. For additional peace of mind, a reliable USB flash drive is a convenient option for storing off-site backup copies.

Final Thoughts and Recommended Workflow

Malware removal in WordPress is a process that requires patience, attention to detail, and a systematic approach. To recap the workflow: first, create a full backup of files and database. Second, run an automated security scan with Wordfence or Sucuri. Third, manually inspect and remove suspicious files via FTP. Fourth, clean the database using phpMyAdmin or a cleaning plugin. Fifth, reset all passwords and security keys to lock out intruders. Sixth, reinstall core files, themes, and plugins from official sources. Finally, implement prevention measures like regular updates, 2FA, a firewall, and a backup routine.

If you follow this workflow, you can remove the vast majority of WordPress malware infections. For severe cases or if you’re not comfortable with the technical steps, consider hiring a professional service like Sucuri’s cleanup service for peace of mind. The cost is often less than the damage a lingering infection can cause. Make security a part of your ongoing site management, not just a reaction to an attack. Your site, your visitors, and your SEO rankings will thank you.