Malware on your WordPress website can damage your reputation, harm your SEO rankings, and even lead to data theft. If your site has been hacked or infected, don’t panic — this step-by-step guide will help you detect, remove, and secure your website quickly and effectively.
- 🧰 Step-by-Step Guide to Remove Malware from WordPress
- ✅ Step 1: Put Your Website in Maintenance Mode
- ✅ Step 2: Backup Your Website
- ✅ Step 3: Scan Your Website for Malware
- ✅ Step 4: Remove Malware from Files
- ✅ Step 5: Clean the Database
- ✅ Step 6: Remove Unknown Users
- ✅ Step 7: Reinstall Themes & Plugins
- ✅ Step 8: Change All Passwords
- ✅ Step 9: Fix Security Vulnerabilities
- ✅ Step 10: Request Google Review
- 🔒 How to Prevent Malware in the Future

🔍 What is WordPress Malware?
WordPress malware is malicious code injected into your website files, database, or server. It can:
- Redirect visitors to spam websites
- Display unwanted ads
- Steal sensitive data
- Slow down or crash your website
- Get your site blacklisted by Google
⚠️ Signs Your WordPress Site is Infected
Before removing malware, confirm the infection. Look out for:
- Sudden drop in website traffic
- “This site may be hacked” warning on Google
- Unknown admin users
- Suspicious pop-ups or redirects
- Modified files or unfamiliar scripts
- Hosting provider suspending your site
🧰 Step-by-Step Guide to Remove Malware from WordPress
✅ Step 1: Put Your Website in Maintenance Mode
Before fixing anything, protect your visitors.
How to do it:
- Install a maintenance plugin OR
- Create a simple maintenance page
This prevents users from being exposed to malware.
✅ Step 2: Backup Your Website
Always create a backup before making changes.
Backup includes:
- Website files
- Database
👉 Use:
- cPanel backup
- Plugins like UpdraftPlus
✅ Step 3: Scan Your Website for Malware
You need to identify infected files.
Use security tools:
- Wordfence
- Sucuri Security
- MalCare
These tools will show:
- Infected files
- Malware location
- Suspicious code
✅ Step 4: Remove Malware from Files
Option A: Clean Manually
- Access your site via cPanel or FTP
- Check suspicious files like:
- wp-config.php
- .htaccess
- Theme and plugin files
- Look for:
eval(base64_decode(...));
or unknown scripts and remove them.
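Searching every file by hand for that pattern is slow, so here is a small script that does the first pass for you. It is an added example, not part of the original guide or of any of the tools named above; it assumes a POSIX shell with GNU-style grep and find, and the sample site it builds is a constructed fixture with a placeholder payload ("..." in place of the encoded string).

```shell
#!/bin/sh
# Added example (not from the original article): scan a WordPress tree for the
# eval(base64_decode(...)) marker the article mentions plus a few equivalent
# obfuscation wrappers, and list recently modified PHP files.
# Assumes POSIX sh with GNU-style grep -r and find.

# Extended regex of wrappers that almost never appear in legitimate theme or
# plugin code; extend it with whatever your security plugin reports.
SUSPICIOUS_RE='eval[[:space:]]*\((base64_decode|gzinflate|gzuncompress|str_rot13)[[:space:]]*\('

# scan_for_injections DIR
# Prints file:line:text for each hit. Returns 1 when anything matched and 0
# when the tree looks clean, so it can double as a cron or CI check.
scan_for_injections() {
    dir="$1"
    hits=$(grep -rnIE "$SUSPICIOUS_RE" "$dir" 2>/dev/null)
    if [ -n "$hits" ]; then
        printf '%s\n' "$hits"
        return 1
    fi
    return 0
}

# recently_modified DIR DAYS
# Lists PHP files changed within the last DAYS days: after an infection these
# are the first to read, and wp-content/uploads should hold no PHP at all.
recently_modified() {
    find "$1" -type f -name '*.php' -mtime "-$2"
}

# make_sample_site DIR
# Constructed fixture: one clean, old plugin file and one freshly dropped
# upload carrying a placeholder payload ("..." stands in for the real string).
make_sample_site() {
    dir="$1"
    mkdir -p "$dir/wp-content/plugins/hello" "$dir/wp-content/uploads"
    printf '<?php\n// clean plugin file\necho "hello";\n' > "$dir/wp-content/plugins/hello/hello.php"
    touch -t 202001010000 "$dir/wp-content/plugins/hello/hello.php"
    printf '<?php\neval(base64_decode("..."));\n' > "$dir/wp-content/uploads/x.php"
}

# Usage on a real site (path is an assumption):
#   scan_for_injections /var/www/html
#   recently_modified /var/www/html 7
```

Treat every hit as something to read, not something to delete blindly: a few legitimate plugins ship encoded strings, and a clean scan only means none of these particular wrappers were found, so keep the security plugin scan from Step 3 alongside it.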
Option B: Replace Core Files (Recommended)
- Download fresh WordPress files
- Replace:
- /wp-admin/
- /wp-includes/
⚠️ Do NOT overwrite wp-content
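After replacing the core folders it is worth proving they now match a clean copy, and catching any file an attacker dropped in next to them. WP-CLI can do this with wp core verify-checksums; the script below is an added, offline equivalent that is not part of the original guide: it hashes a fresh download from wordpress.org into a manifest and compares the live site against it. It assumes a POSIX shell with sha256sum, find, sort and comm, and the two sample trees it builds are constructed fixtures.

```shell
#!/bin/sh
# Added example (not from the original article): verify wp-admin/ and
# wp-includes/ against a manifest hashed from a clean WordPress download.
# Altered core files show up as MODIFIED and files the attacker added as EXTRA.
# Assumes POSIX sh with sha256sum, find, sort and comm.
export LC_ALL=C

# make_manifest DIR
# Writes "sha256  ./relative/path" for every file under DIR, which should be
# an unpacked, untouched copy of the same WordPress version.
make_manifest() {
    ( cd "$1" && find . -type f -exec sha256sum {} + | sort -k2 )
}

# compare_to_manifest MANIFEST DIR
# Reports MODIFIED, MISSING and EXTRA files under DIR relative to MANIFEST.
# Returns 0 only when DIR matches the manifest exactly.
compare_to_manifest() {
    manifest="$1"; dir="$2"; status=0
    while read -r hash path; do
        if [ ! -f "$dir/$path" ]; then
            printf 'MISSING  %s\n' "$path"; status=1
        elif [ "$( (cd "$dir" && sha256sum "$path") | cut -d' ' -f1)" != "$hash" ]; then
            printf 'MODIFIED %s\n' "$path"; status=1
        fi
    done < "$manifest"
    # Files on disk that the manifest does not know: web shells are typically
    # dropped next to legitimate core files with innocent-looking names.
    known=$(mktemp); present=$(mktemp)
    cut -d' ' -f3- "$manifest" | sort > "$known"
    ( cd "$dir" && find . -type f ) | sort > "$present"
    extra=$(comm -13 "$known" "$present")
    rm -f "$known" "$present"
    if [ -n "$extra" ]; then
        printf '%s\n' "$extra" | sed 's/^/EXTRA    /'
        status=1
    fi
    return $status
}

# make_sample_trees CLEAN LIVE
# Constructed fixture: CLEAN mimics a fresh download, LIVE a site where one
# core file was altered and a stray file was added.
make_sample_trees() {
    mkdir -p "$1/wp-includes" "$2/wp-includes"
    printf 'function a() {}\n' > "$1/wp-includes/a.php"
    printf 'function b() {}\n' > "$1/wp-includes/b.php"
    printf 'function a() {}\n' > "$2/wp-includes/a.php"
    printf 'function b() {} /* tampered */\n' > "$2/wp-includes/b.php"
    printf '/* placeholder */\n' > "$2/wp-includes/dropped.php"
}

# Usage on a real site (paths are assumptions), one directory at a time so
# wp-content is never part of the comparison:
#   make_manifest /tmp/wordpress-clean/wp-includes > includes.sha256
#   compare_to_manifest includes.sha256 /var/www/html/wp-includes
```

Run it against wp-admin and wp-includes only; wp-content is yours and will never match a stock download, which is also why the warning above says not to overwrite it.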
✅ Step 5: Clean the Database
Malware can hide in your database.
Steps:
- Open phpMyAdmin
- Check:
- wp_options
- wp_posts
- Remove suspicious entries or spam links
👉 Or use plugins like:
- WP-Optimize
✅ Step 6: Remove Unknown Users
Hackers often create admin accounts.
Go to:
Dashboard → Users
👉 Delete:
- Unknown admins
- Suspicious usernames
✅ Step 7: Reinstall Themes & Plugins
Corrupted themes/plugins are common entry points.
Do this:
- Delete all unused plugins/themes
- Reinstall only from trusted sources
- Update everything to the latest version
✅ Step 8: Change All Passwords
Update all access credentials:
- WordPress admin
- Hosting account
- FTP/SFTP
- Database
👉 Use strong passwords (mix of letters, numbers, symbols)
✅ Step 9: Fix Security Vulnerabilities
Secure your site to prevent reinfection.
Implement:
- Install a security plugin (Wordfence, Sucuri)
- Enable firewall
- Limit login attempts
- Disable file editing in WordPress
Add this to wp-config.php:
define('DISALLOW_FILE_EDIT', true);
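If you keep a hardening script for your sites, that line should be applied without creating duplicates on a second run. The helper below is an added example, not part of the original guide: it inserts the define above the "stop editing" marker that wp-config.php carries (the spot wp-config-sample.php reserves for custom constants), replaces an existing define of the same constant, and offers a check you can run afterwards. It assumes a POSIX shell with awk and grep; the sample config it writes is a constructed stand-in for a real wp-config.php.

```shell
#!/bin/sh
# Added example (not from the original article): apply the wp-config.php change
# the article recommends idempotently, so a hardening script can run repeatedly.
# Assumes POSIX sh with awk and grep.

# ensure_define FILE NAME VALUE
# Leaves FILE with exactly one define('NAME', VALUE); placed above the
# "stop editing" marker. An existing define of NAME with any value is replaced
# in place; without a marker the line is appended.
ensure_define() {
    file="$1"; name="$2"; value="$3"
    line="define('$name', $value);"
    tmp=$(mktemp)
    awk -v line="$line" -v name="$name" '
        # Existing define of this constant: replace the first, drop any duplicate.
        $0 ~ ("define[[:space:]]*\\([[:space:]]*[\047\"]" name "[\047\"]") {
            if (!done) { print line; done = 1 }
            next
        }
        # Marker line: put the define just above it.
        /stop editing/ && !done { print line; done = 1 }
        { print }
        END { if (!done) print line }
    ' "$file" > "$tmp" && mv "$tmp" "$file"
}

# file_edit_disabled FILE
# Succeeds only if DISALLOW_FILE_EDIT is defined as true in FILE.
file_edit_disabled() {
    grep -qE "define[[:space:]]*\([[:space:]]*['\"]DISALLOW_FILE_EDIT['\"][[:space:]]*,[[:space:]]*true[[:space:]]*\)" "$1"
}

# make_sample_config FILE
# Constructed stand-in for wp-config.php, using the layout of wp-config-sample.php.
make_sample_config() {
    cat > "$1" <<'EOF'
<?php
define( 'DB_NAME', 'example_db' );
define( 'DB_USER', 'example_user' );
/* That's all, stop editing! Happy publishing. */
require_once ABSPATH . 'wp-settings.php';
EOF
}

# Usage on a real site (path is an assumption):
#   ensure_define /var/www/html/wp-config.php DISALLOW_FILE_EDIT true
#   file_edit_disabled /var/www/html/wp-config.php && echo "file editing disabled"
```

The same helper can set the related DISALLOW_FILE_MODS constant, which additionally blocks installing and updating plugins and themes from the dashboard; that goes further than the article's recommendation and also blocks legitimate dashboard updates, so only use it where updates are deployed another way.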
✅ Step 10: Request Google Review
If your site was blacklisted:
- Go to Google Search Console
- Request a security review
Google will remove warnings after verification.
🔒 How to Prevent Malware in the Future
Prevention is better than cure.
🔐 Best Practices:
- Keep WordPress updated
- Use secure hosting
- Install an SSL certificate
- Use strong passwords
- Backup regularly
- Avoid nulled themes/plugins
