WordPress Malware Removal: A Complete Step-by-Step Guide for Site Owners
Table of Contents
WordPress powers over 40% of the internet â which also makes it the most targeted website platform on earth. Every day, thousands of WordPress sites are compromised and infected with malware. If your site is acting strangely, your hosting provider has flagged it, or Google has added a warning label, you may be dealing with a WordPress malware infection. This guide walks through everything you need to do.
Signs Your WordPress Site Has Malware¶
The indicators of compromise vary widely depending on the malware type:
- Google Search Console warnings: "This site may harm your computer" or malware alerts in Security Issues
- Google Safe Browsing blacklist: Red warning screens in Chrome for visitors
- Hosting provider suspension: Your host has disabled your site after detecting malicious code
- Unexpected redirects: Visitors (especially from search engines) are redirected to spammy or malicious sites
- Spam pages in search results: Google shows pages on your site you didn't create (pharmaceutical spam, casino spam)
- Unexpected admin users: New administrator accounts you didn't create
- Modified core files: WordPress core files have been changed
- Slow performance: Unusual server resource usage from background malicious processes
- Visitor browsers flagging the site: Visitors report security warnings
Step 1: Take Stock Before Doing Anything¶
Before removing anything, take a full backup of your current (infected) site â files and database. This sounds counterintuitive, but it preserves evidence if you need to investigate what happened and ensures you have a restore point. Store it somewhere outside your server.
Also take note of:
- When symptoms first appeared
- Any recent plugin or theme updates or installations
- Recent admin account creations
Step 2: Scan for Malware¶
Free Scanning Options¶
Wordfence Security (free plugin): Install and run a full scan. Wordfence compares your WordPress files against its reference library and flags modifications, malicious code, and known malware signatures.
Sucuri SiteCheck (sitecheck.sucuri.net): A free external scanner that checks your publicly visible pages for malicious content, blacklist status, and known malware patterns. It doesn't scan server-side files but provides a quick overview.
MalCare: Offers a free scan that identifies malware without exposing your data to third parties.
Paid/Professional Options¶
If you can't clean the site yourself, professional removal services include:
- Sucuri (paid plans with guaranteed cleanup)
- Wordfence Care/Response (dedicated security support)
- Your hosting provider â many premium hosts (Kinsta, WP Engine, SiteGround) include malware cleanup
Step 3: Identify What Was Compromised¶
Common infection vectors and their signatures:
Malicious PHP files: Look for PHP files in the uploads directory, or files with names like wp-feed.php, wp-tmp.php, or random strings like xd4hJ.php.
Modified theme/plugin files: Attackers inject base64-encoded PHP code into theme functions.php, plugin files, or core files.
Database injection: Spam links or redirect code injected into post content, widget settings, or site options.
Backdoors: Files that provide persistent access even after other malware is removed. Common backdoor signatures include eval(base64_decode(...)), eval(gzinflate(...)), exec(), and system() calls in PHP files.
Step 4: Clean the Infection¶
Replace WordPress Core Files¶
Download a fresh copy of WordPress from WordPress.org matching your current version. Replace the wp-admin and wp-includes directories entirely â these should never contain modified files.
Replace Clean Theme/Plugin Files¶
For every theme and plugin, download a fresh copy from WordPress.org or the original developer. Replace the entire plugin and theme directory rather than trying to surgically remove injections.
Delete unused themes and plugins â even inactive ones can contain exploitable vulnerabilities.
Clean the Database¶
Use phpMyAdmin or WP-CLI to search for malicious content in the database:
SELECT * FROM wp_posts WHERE post_content LIKE '%eval(%';
SELECT * FROM wp_options WHERE option_name = 'siteurl' OR option_name = 'home';
Check wp_options for suspicious entries â particularly any unusual values for siteurl, home, or any option containing base64-encoded strings.
Check wp-config.php¶
Your wp-config.php file should not contain any eval(), base64_decode(), or obfuscated code. Replace it with a clean version and re-add your database credentials.
Step 5: Close the Entry Point¶
Malware removal is temporary if you don't fix the vulnerability that allowed the infection:
- Update everything: WordPress core, all themes, all plugins
- Delete unused themes and plugins: Every installed plugin is an attack surface
- Reset all passwords: WordPress admin users, FTP/SFTP, cPanel, database
- Check user accounts: Remove any unknown administrator accounts
- Review file permissions:
/wp-content/uploads/should not be executable (chmod 755 for dirs, 644 for files) - Install a security plugin: Wordfence or Sucuri for ongoing monitoring
Step 6: Request Google Review¶
If Google has blacklisted your site:
1. Fix all malware first
2. Go to Google Search Console > Security Issues
3. Click "Request a Review"
4. Describe what you found and fixed
Google typically reviews within 1â3 days. Once cleared, the security warnings disappear for visitors.
Step 7: Ongoing Hardening¶
After cleanup, implement permanent hardening:
- Enable two-factor authentication for all admin accounts
- Use a Web Application Firewall (WAF) â Cloudflare or Sucuri's WAF blocks malicious requests before they reach WordPress
- Enable file integrity monitoring to alert you when core files change
- Schedule daily backups to an off-site location
- Keep a maintenance schedule for updating plugins and themes
FAQ¶
How did my WordPress site get hacked?
Most commonly through: outdated plugins with known vulnerabilities, weak admin passwords, compromised hosting environments, or insecure themes from unofficial sources.
Can my visitors get malware from my infected site?
Yes. Some WordPress malware serves drive-by downloads to visitors, others redirect them to phishing sites. This is why fixing quickly is critical.
Should I pay for a malware removal service?
If you're not comfortable working in the database and file system, yes â professional services are worth the cost. Sucuri charges around $200 for a one-time cleanup including a 6-month security plan.
Will restoring a backup remove the malware?
Only if the backup was taken before the infection. Using an infected backup will just reinfect your site.
How long does WordPress malware removal take?
A thorough manual cleanup takes 2â6 hours. Professional services typically complete within 24â48 hours.
This article is published by ScamSandbox to help users understand and avoid malware threats and online scams.