WordPress Malware Removal: Step-by-Step Guide

Introduction

Discovering malware on your WordPress site is alarming, but recoverable. This guide provides a systematic approach to identifying, removing, and recovering from malware infections while preventing future attacks.

Signs of Malware Infection

Common Indicators

• Unexpected redirects
• Spam content appearing
• Site flagged by Google (red warning)
• Slow performance
• Unknown admin users
• Modified files
• Suspicious outbound links
• Customer complaints
• Hosting suspension notice

Checking for Infection

External Scanners:

• Sucuri SiteCheck
• VirusTotal
• Google Safe Browsing

Internal Scanners:

• Wordfence scan
• Sucuri plugin
• MalCare

Malware Removal Process

Step 1: Stay Calm and Document

Before making changes:

• Screenshot error messages
• Document suspicious activity
• Note when issues started
• Save scan results

Step 2: Backup Current State

Even infected, backup everything:

• Complete file backup
• Database backup
• Document backup location

Why: May need to analyze or recover specific files.

Step 3: Take Site Offline

Prevent further damage:

Maintenance Mode:

// In functions.php or plugin
function maintenance_mode() {
    if (!current_user_can('administrator')) {
        wp_die('Site under maintenance.');
    }
}
add_action('init', 'maintenance_mode');

Or via hosting:

• Suspend site temporarily
• Password protect

Step 4: Identify the Malware

Full Scan with Wordfence:

1. Install/update Wordfence
2. Run full scan
3. Note all findings
4. Check "Files changed" report

Manual Investigation:

• Check recently modified files
• Look for unfamiliar files
• Review wp-content/uploads for PHP
• Check .htaccess for redirects

Common Malware Locations:

• wp-config.php
• .htaccess
• theme functions.php
• wp-includes (shouldn't have custom files)
• wp-content/uploads (PHP files suspicious)

Step 5: Remove Malware

Option A: Restore Clean Backup

If you have clean backup:

1. Identify backup from before infection
2. Restore files and database
3. Update all passwords
4. Update everything

Option B: Manual Cleaning

1. Replace Core Files:

   • Download fresh WordPress
   • Replace wp-admin/
   • Replace wp-includes/
   • Replace root files (except wp-config.php)

2. Clean Theme:

   • Compare with original theme
   • Or reinstall theme fresh
   • Reapply customizations

3. Clean Plugins:

   • Delete all plugins via FTP
   • Reinstall from repository
   • Reconfigure settings

4. Clean Uploads:

   • Scan for PHP files
   • Remove suspicious files
   • Keep only legitimate media

5. Clean Database:

   • Check for spam users
   • Review wp_options for injected code
   • Check posts/pages for spam

Step 6: Change All Credentials

Change:

• WordPress admin passwords
• Database password
• FTP/SFTP passwords
• Hosting password
• API keys

Update wp-config.php:

• New database credentials
• Fresh salt keys (WordPress.org/secret-key)

Step 7: Update Everything

• WordPress core
• All themes
• All plugins
• PHP version (if possible)

Step 8: Harden Security

After cleaning:

• Install security plugin
• Enable 2FA
• Limit login attempts
• Set proper file permissions
• Review user accounts

Step 9: Request Reviews

If blacklisted:

• Google Search Console > Security Issues
• Request review after cleaning
• Check other blacklists (MX Toolbox)

Step 10: Monitor Closely

• Daily scans for 2 weeks
• Monitor traffic patterns
• Watch for reinfection
• Check file changes

Common Malware Types

Pharma Hack

• Spam links in content
• Often in theme files
• Hidden via CSS

Redirect Malware

• Redirects visitors
• Often in .htaccess
• JavaScript-based

Backdoors

• Hidden access points
• Often in innocent-looking files
• Survives other cleanup

SEO Spam

• Injected links
• Hidden pages
• Cloaked content

Professional Help

When to Hire Experts

• Complex infection
• No clean backup available
• E-commerce/sensitive data
• Repeated infections
• Time-critical recovery

Professional Services

• Sucuri
• Wordfence Care
• MalCare
• WP Site Care

Costs

• One-time cleanup: $150-500
• Ongoing protection: $200-500/year

Prevention for Future

Immediate Actions

• Regular updates
• Strong passwords
• Security plugin
• 2FA enabled
• Regular backups

Ongoing Practices

• Monthly security audits
• Review user access
• Monitor file changes
• Keep backups current
• Security training

Frequently Asked Questions

How did I get infected?

Usually: outdated software, weak passwords, vulnerable plugins, or compromised hosting.

Will removing malware restore my rankings?

After Google re-crawls and you're removed from blacklists, rankings typically recover over weeks.

How do I prevent reinfection?

Update everything, strong passwords, 2FA, security plugin, regular monitoring.

Should I rebuild from scratch?

Only if infection is severe and cleanup isn't possible. Usually cleaning works.

Key Takeaways

• Stay calm—most infections are recoverable
• Document everything before making changes
• Clean backup is the fastest recovery
• Manual cleaning requires systematic approach
• Change all credentials after cleaning
• Harden security to prevent reinfection
• Monitor closely after recovery
• Consider professional help for complex cases

Next Steps

If currently infected, follow this guide step by step. If not, ensure you have security measures and clean backups in place. Prevention is far easier than recovery.

Meta Description: Complete WordPress malware removal guide. Step-by-step instructions for identifying, removing, and recovering from website infections.

Keywords: wordpress malware removal, hack recovery, wordpress infected, malware cleanup, website security