WordPress Malware Removal: A Complete Step-by-Step Guide for Site Owners

wordpress

Table of Contents

WordPress powers over 40% of the internet — which also makes it the most targeted website platform on earth. Every day, thousands of WordPress sites are compromised and infected with malware. If your site is acting strangely, your hosting provider has flagged it, or Google has added a warning label, you may be dealing with a WordPress malware infection. This guide walks through everything you need to do.

Signs Your WordPress Site Has Malware

The indicators of compromise vary widely depending on the malware type:

  • Google Search Console warnings: "This site may harm your computer" or malware alerts in Security Issues
  • Google Safe Browsing blacklist: Red warning screens in Chrome for visitors
  • Hosting provider suspension: Your host has disabled your site after detecting malicious code
  • Unexpected redirects: Visitors (especially from search engines) are redirected to spammy or malicious sites
  • Spam pages in search results: Google shows pages on your site you didn't create (pharmaceutical spam, casino spam)
  • Unexpected admin users: New administrator accounts you didn't create
  • Modified core files: WordPress core files have been changed
  • Slow performance: Unusual server resource usage from background malicious processes
  • Visitor browsers flagging the site: Visitors report security warnings

Step 1: Take Stock Before Doing Anything

Before removing anything, take a full backup of your current (infected) site — files and database. This sounds counterintuitive, but it preserves evidence if you need to investigate what happened and ensures you have a restore point. Store it somewhere outside your server.

Also take note of:
- When symptoms first appeared
- Any recent plugin or theme updates or installations
- Recent admin account creations

Step 2: Scan for Malware

Free Scanning Options

Wordfence Security (free plugin): Install and run a full scan. Wordfence compares your WordPress files against its reference library and flags modifications, malicious code, and known malware signatures.

Sucuri SiteCheck (sitecheck.sucuri.net): A free external scanner that checks your publicly visible pages for malicious content, blacklist status, and known malware patterns. It doesn't scan server-side files but provides a quick overview.

MalCare: Offers a free scan that identifies malware without exposing your data to third parties.

Paid/Professional Options

If you can't clean the site yourself, professional removal services include:
- Sucuri (paid plans with guaranteed cleanup)
- Wordfence Care/Response (dedicated security support)
- Your hosting provider — many premium hosts (Kinsta, WP Engine, SiteGround) include malware cleanup

Step 3: Identify What Was Compromised

Common infection vectors and their signatures:

Malicious PHP files: Look for PHP files in the uploads directory, or files with names like wp-feed.php, wp-tmp.php, or random strings like xd4hJ.php.

Modified theme/plugin files: Attackers inject base64-encoded PHP code into theme functions.php, plugin files, or core files.

Database injection: Spam links or redirect code injected into post content, widget settings, or site options.

Backdoors: Files that provide persistent access even after other malware is removed. Common backdoor signatures include eval(base64_decode(...)), eval(gzinflate(...)), exec(), and system() calls in PHP files.

Step 4: Clean the Infection

Replace WordPress Core Files

Download a fresh copy of WordPress from WordPress.org matching your current version. Replace the wp-admin and wp-includes directories entirely — these should never contain modified files.

Replace Clean Theme/Plugin Files

For every theme and plugin, download a fresh copy from WordPress.org or the original developer. Replace the entire plugin and theme directory rather than trying to surgically remove injections.

Delete unused themes and plugins — even inactive ones can contain exploitable vulnerabilities.

Clean the Database

Use phpMyAdmin or WP-CLI to search for malicious content in the database:

SELECT * FROM wp_posts WHERE post_content LIKE '%eval(%';
SELECT * FROM wp_options WHERE option_name = 'siteurl' OR option_name = 'home';

Check wp_options for suspicious entries — particularly any unusual values for siteurl, home, or any option containing base64-encoded strings.

Check wp-config.php

Your wp-config.php file should not contain any eval(), base64_decode(), or obfuscated code. Replace it with a clean version and re-add your database credentials.

Step 5: Close the Entry Point

Malware removal is temporary if you don't fix the vulnerability that allowed the infection:

  • Update everything: WordPress core, all themes, all plugins
  • Delete unused themes and plugins: Every installed plugin is an attack surface
  • Reset all passwords: WordPress admin users, FTP/SFTP, cPanel, database
  • Check user accounts: Remove any unknown administrator accounts
  • Review file permissions: /wp-content/uploads/ should not be executable (chmod 755 for dirs, 644 for files)
  • Install a security plugin: Wordfence or Sucuri for ongoing monitoring

Step 6: Request Google Review

If Google has blacklisted your site:
1. Fix all malware first
2. Go to Google Search Console > Security Issues
3. Click "Request a Review"
4. Describe what you found and fixed

Google typically reviews within 1–3 days. Once cleared, the security warnings disappear for visitors.

Step 7: Ongoing Hardening

After cleanup, implement permanent hardening:

  • Enable two-factor authentication for all admin accounts
  • Use a Web Application Firewall (WAF) — Cloudflare or Sucuri's WAF blocks malicious requests before they reach WordPress
  • Enable file integrity monitoring to alert you when core files change
  • Schedule daily backups to an off-site location
  • Keep a maintenance schedule for updating plugins and themes

FAQ

How did my WordPress site get hacked?
Most commonly through: outdated plugins with known vulnerabilities, weak admin passwords, compromised hosting environments, or insecure themes from unofficial sources.

Can my visitors get malware from my infected site?
Yes. Some WordPress malware serves drive-by downloads to visitors, others redirect them to phishing sites. This is why fixing quickly is critical.

Should I pay for a malware removal service?
If you're not comfortable working in the database and file system, yes — professional services are worth the cost. Sucuri charges around $200 for a one-time cleanup including a 6-month security plan.

Will restoring a backup remove the malware?
Only if the backup was taken before the infection. Using an infected backup will just reinfect your site.

How long does WordPress malware removal take?
A thorough manual cleanup takes 2–6 hours. Professional services typically complete within 24–48 hours.


This article is published by ScamSandbox to help users understand and avoid malware threats and online scams.

Sc

ScamSandbox Team

Cybersecurity Expert at ScamSandbox

Share: