WP malware removal is one of those tasks we hope you never need, but if you’re reading this, chances are something already feels off. Maybe your site started redirecting visitors to a sketchy pharmacy page, or Google slapped a red warning screen on your homepage last Tuesday. We’ve been there. We once watched a client’s WooCommerce store lose three days of sales because a single outdated plugin opened the door to a cryptominer script.
Here is the good news: cleaning a hacked WordPress site is not a mystery. It follows a repeatable process, and once you understand the steps, you can move fast, limit the damage, and lock things down so it doesn’t happen again. This guide walks you through exactly how WordPress sites get infected, how to spot the signs, how to remove the malware, and how to harden your site for the long haul.
Key Takeaways
- Most WordPress infections stem from outdated plugins, weak passwords, or pirated themes — identifying your entry point is essential before starting WP malware removal.
- Watch for red flags like unexpected redirects, new admin accounts you didn’t create, modified core files, and Google Search Console warnings to catch infections early.
- Follow a structured cleanup process: back up your site, run a reputable malware scanner, replace core files with fresh copies, and clean your database of malicious scripts.
- Always remove unknown admin accounts and reset every password — including SFTP and database credentials — to eliminate hidden backdoors.
- Hardening your site after cleanup is just as important as the removal itself; enforce 2FA, set correct file permissions, use a WAF, and schedule automatic off-site backups.
- Skipping post-cleanup hardening is the biggest mistake site owners make — without it, the same WP malware removal process will need to be repeated within weeks.
How WordPress Sites Get Infected in the First Place
Before we talk cleanup, it helps to understand the attack surface. WordPress powers roughly 43% of all websites on the internet (W3Techs, 2025). That popularity makes it a prime target.
Most infections trace back to one of these entry points:
- Outdated plugins and themes. This is the number-one cause. When a plugin developer patches a vulnerability and you skip the update, automated bots find your site within hours. Not days, hours.
- Weak or reused passwords. Brute-force attacks hammer wp-login.php with common username/password combos. If your admin account is still “admin / password123,” you’re essentially leaving the front door open.
- Nulled (pirated) themes and plugins. Free premium software sounds great until you realize the ZIP file ships with a backdoor baked in. We see this more than you’d expect.
- Shared hosting without isolation. On cheap shared servers, one infected neighbor account can sometimes cross-contaminate yours.
- File permission misconfigurations. World-writable directories (chmod 777) invite trouble.
The pattern is the same nearly every time: an attacker finds one weak spot, drops a web shell or backdoor PHP file, and then injects malicious code into your database, theme files, or both. Understanding the entry point matters because it tells you what to patch after the cleanup. If you skip that step, you’ll be cleaning the same mess again next month.
For a deeper look at common attack vectors and how different hosting setups affect your risk, our guide on managed WordPress hosting breaks down what to look for in a secure host.
Signs Your WordPress Site Has Malware
Some infections are loud. Others are whisper-quiet. Here is what to watch for:
- Unexpected redirects. Visitors land on your homepage but end up on a gambling or pharma site. This usually means malicious JavaScript injected into your header or footer, or a rewrite rule added to .htaccess. Redirects are often conditional (mobile visitors or search-engine referrers only), so test with a mobile user agent and from a Google result, not just from your own browser.
- Google Search Console warnings. Google will flag “harmful content” or “hacked site” notifications. If you haven’t set up Search Console yet, do it today.
- Slow load times that came out of nowhere. Cryptomining scripts and spam mailers consume server resources. A sudden performance drop with no code changes on your end is a red flag.
- Strange new admin users. Check your Users panel. If you see an account you didn’t create, assume compromise.
- Modified core files. Files that ship with WordPress, such as index.php or anything inside wp-includes, should only change when you run a core update, and wp-config.php should only change when you edit it yourself. Unexplained modifications signal tampering.
- Spam content or links injected into pages. Sometimes visible only to search engine crawlers (cloaking), so run a site:yourdomain.com search in Google and look for odd pharmaceutical or gambling keywords in your indexed pages.
- Hosting provider suspension. Some hosts will suspend your account after detecting outbound spam or malicious activity.
If you spot even one of these symptoms, move to the next section. Speed matters: every hour the malware sits on your server, it can spread further and do more reputational damage. Running a WordPress malware scanner right away gives you a clear picture of how deep the infection goes.
How to Remove Malware From WordPress Step by Step
This is the hands-on part. Follow these steps in order. Skipping ahead usually means missing a backdoor that reinfects the site within days.
Scan and Identify the Infection
- Back up everything first. Yes, even the infected files. Use your hosting panel’s backup tool or download via SFTP. You want a snapshot so you can compare files later and so you don’t lose data if something breaks during cleanup. Label this backup as infected and keep it apart from your regular backups so nobody restores it by accident.
- Run a reputable malware scanner. Wordfence, Sucuri SiteCheck, or MalCare are solid options. The scanner flags suspicious files, modified core files, and known malware signatures. Note that SiteCheck is a remote scanner: it only sees what your site serves to visitors, so pair it with a scanner that runs on the server and reads the files on disk, or backdoors that never render in a page will go unnoticed. We’ve written a detailed comparison of the best malware removal tools for small business sites if you want help choosing.
- Check file integrity. Compare your current wp-admin and wp-includes folders against a fresh WordPress download of the same version from wordpress.org (if you have WP-CLI, wp core verify-checksums does this comparison against the official checksums). Any file that doesn’t match the official version needs investigation, and so does any file present in your copy but absent from the download; that is where dropped web shells with plausible names hide.
- Review recently modified files. Sort your site files by modification date. Anything changed around the suspected infection date (that you didn’t touch) goes on the suspect list. Treat this as a supplement, not proof: attackers routinely back-date dropped files with touch, so an old timestamp clears nothing.
- Search for known backdoor patterns. Look for eval(base64_decode(, preg_replace with the /e modifier, and system(), exec(), and passthru() calls in PHP files. These are the usual suspects. Two caveats: the /e modifier was removed in PHP 7, so it mostly turns up in older malware, and some legitimate plugins call base64_decode, so read each hit in context before deleting anything.
Clean Infected Files and Database Entries
- Replace WordPress core files. Download a fresh copy of WordPress matching your version. Replace the entire wp-admin and wp-includes directories and the core files in the site root (index.php, wp-load.php and the other wp-*.php files), but do not touch wp-content yet; that’s where your themes, plugins and uploads live.
- Clean wp-content manually. Go through your theme and plugin folders. Delete any files you don’t recognize. If a plugin is available from the WordPress repository, delete the folder entirely and reinstall from a fresh download. Check wp-content/uploads as well: it should hold media only, so any .php file in there is a red flag.
- Check wp-config.php and .htaccess. Compare them against default versions. Remove any injected code. Pay close attention to lines above the “That’s all, stop editing.” comment in wp-config.php, and to any include or require that points at a path you don’t recognize, especially one under wp-content/uploads.
- Scan and clean the database. Use phpMyAdmin or a plugin like Sucuri to search the wp_options and wp_posts tables for suspicious <script> tags, base64 strings, or unknown URLs. Our step-by-step malware cleanup guide walks through database cleaning in more detail.
- Remove unknown user accounts. Delete any admin accounts you didn’t create. Then change passwords for every remaining admin, SFTP, and database user, and rotate the authentication keys and salts in wp-config.php: that invalidates every existing login cookie, including any session the attacker still holds.
- Re-scan. Run the malware scanner again. If it comes back clean, move on. If not, repeat the cleaning steps for any newly flagged files.
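The database and user-account steps above, done offline against an exported dump rather than by paging through phpMyAdmin. This is an added example, not code from the original article; it assumes you have already exported the database to a .sql file (mysqldump or WP-CLI’s wp db export both produce the INSERT format it reads), and the dump rows, hostnames and allow-list below are constructed for the demo.

```shell
#!/usr/bin/env bash
# Added example, not code from the original article: triage a database dump
# and its wp_users rows offline. Assumes the database was exported to a .sql
# file first (mysqldump or "wp db export"); every row, hostname and the
# allow-list of domains below is constructed for the demo.

# Constructed dump: a handful of wp_options / wp_posts / wp_users rows.
make_dump() {
  local d; d=$(mktemp -d)
  cat > "$d/site.sql" <<'EOF'
INSERT INTO `wp_options` VALUES (1,'siteurl','https://example.com','yes');
INSERT INTO `wp_options` VALUES (2,'widget_text','<p>Follow us on <a href="https://twitter.com/example">Twitter</a></p>','yes');
INSERT INTO `wp_options` VALUES (3,'active_plugins','a:1:{i:0;s:19:"akismet/akismet.php";}','yes');
INSERT INTO `wp_options` VALUES (4,'_site_transient_stats','<script src="https://cdn.totally-legit-stats.xyz/t.js"></script>','yes');
INSERT INTO `wp_posts` VALUES (10,'Hello world','<p>Welcome to our site.</p>','publish');
INSERT INTO `wp_posts` VALUES (11,'About','<p>About us</p><script>location.href="https://best-pharma-deals.top/?r=1"</script>','publish');
INSERT INTO `wp_posts` VALUES (12,'Contact','<p>Email <a href="https://example.com/contact">us</a></p>','publish');
INSERT INTO `wp_users` VALUES (1,'alice','<hash>','alice','alice@example.com','','2024-01-05 10:00:00','',0,'alice');
INSERT INTO `wp_users` VALUES (7,'wp-support','<hash>','wp-support','support@totally-legit-stats.xyz','','2025-03-02 03:14:00','',0,'wp-support');
EOF
  printf 'example.com\ntwitter.com\n' > "$d/allowed_domains.txt"
  echo "$d"
}

# Rows in wp_posts or wp_options carrying inline script, an iframe, or an
# obfuscation idiom. Output is "line:row", so you can jump to each one.
script_rows() {
  grep -nE '^INSERT INTO `(wp_posts|wp_options)`' "$1" \
    | grep -iE '<script|<iframe|base64_decode|eval\(' || true
}

# Every host referenced by a URL in the dump, minus those on the allow-list.
# Subdomains are reported separately, so cdn.example.com shows up even when
# example.com is allowed; extend the list as you confirm each host.
unknown_hosts() {
  grep -oE 'https?://[A-Za-z0-9.-]+' "$1" \
    | sed 's#^https\{0,1\}://##' | sort -u \
    | grep -vxF -f "$2" || true
}

# id, login and email for every account, straight from the dump, so an admin
# the attacker added shows up even if a plugin hides it from the Users screen.
# Column positions (1, 2 and 5) follow the standard wp_users layout.
dump_users() {
  sed -nE 's/^INSERT INTO `wp_users` VALUES \(([0-9]+),([^,]*),[^,]*,[^,]*,([^,]*).*/\1 \2 \3/p' "$1" \
    | tr -d "'"
}

# Stand-alone demo against the constructed dump.
D=$(make_dump)
echo "== rows with script/obfuscation =="; script_rows "$D/site.sql"
echo "== hosts not on the allow-list =="; unknown_hosts "$D/site.sql" "$D/allowed_domains.txt"
echo "== accounts in wp_users =="; dump_users "$D/site.sql"
rm -rf "$D"
```

The allow-list is the key input: start it with your own domain and the third parties you knowingly embed, and every host that remains is either something to confirm or something to remove. Real dumps are large, so run the functions against the export rather than opening it in an editor.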
How to Harden Your Site Against Future Attacks
Cleaning a hacked site without hardening it is like mopping a floor while the faucet is still running. Here is how we lock things down:
- Update everything. WordPress core, every plugin, every theme. Set a recurring calendar reminder; weekly works well for most sites.
- Delete unused plugins and themes. Even deactivated plugins can be exploited. If you’re not using it, remove it.
- Enforce strong passwords and two-factor authentication (2FA). Use a plugin like WP 2FA or Wordfence Login Security. This single step stops most brute-force attacks cold.
- Limit login attempts. Plugins like Limit Login Attempts Reloaded block IPs after repeated failed logins.
- Hide WordPress fingerprints. Changing default login URLs and removing version numbers from your source code makes automated scanning harder. This is obscurity rather than a control: it cuts down bot noise but will not stop an attacker who targets your site specifically, so treat it as a supplement to the items above. We walk through how to do this safely using WP Hide & Security Enhancer without breaking your site.
- Set correct file permissions. Directories should be 755, files should be 644, and wp-config.php should be 440 or 400. Use 400 only when PHP runs as the file’s owner (a per-site PHP-FPM pool, for example); if PHP runs as a separate account that shares the file’s group, 440 is the one that still lets the site start.
- Use a Web Application Firewall (WAF). Cloudflare’s free plan or Sucuri’s firewall filters malicious traffic before it reaches your server.
- Schedule automatic backups. Store them off-site (cloud storage or a separate server). If malware strikes again, you can restore to a clean version in minutes instead of hours.
- Monitor continuously. Set up uptime monitoring and file change detection. Catching an infection within the first hour versus the first week is the difference between a quick fix and a full rebuild.
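The permissions item above as an audit-then-fix script, run against a constructed directory tree. This is an added example, not code from the original article; the tree and its two deliberate mistakes (a 777 uploads directory and a world-writable index.php) are made up for the demo, and on a real site you would run it as the system user that owns the files.

```shell
#!/usr/bin/env bash
# Added example, not code from the original article: audit and apply the
# 755 / 644 / 440 scheme from the hardening list. The docroot is constructed;
# on a real site run it as the system user that owns the files.

# Constructed docroot with the two classic mistakes: a 777 uploads directory
# and a world-writable index.php, plus a wp-config.php left at 644.
make_tree() {
  local t; t=$(mktemp -d)
  mkdir -p "$t/wp-content/uploads" "$t/wp-includes"
  printf '<?php\n' > "$t/index.php"
  printf '<?php\n' > "$t/wp-includes/functions.php"
  printf "<?php define('DB_PASSWORD', 'constructed');\n" > "$t/wp-config.php"
  chmod 755 "$t" "$t/wp-content" "$t/wp-includes"
  chmod 644 "$t/wp-includes/functions.php" "$t/wp-config.php"
  chmod 777 "$t/wp-content/uploads"
  chmod 666 "$t/index.php"
  echo "$t"
}

# Octal mode of one path, parsed from ls so it works with GNU and BSD tools
# (stat's flags differ between the two).
mode_of() {
  ls -ld "$1" | awk '{ m = substr($1, 2, 9); o = 0
    for (i = 1; i <= 9; i++) if (substr(m, i, 1) != "-") o += 2 ^ (9 - i)
    printf "%o\n", o }'
}

# Anything writable by "other": -perm -002 matches any file or directory whose
# mode includes the world-write bit, whatever else is set.
world_writable() {
  find "$1" -perm -002 | sort
}

# Apply the scheme. wp-config.php is tightened last. 400 only works when PHP
# runs as the file owner (per-site PHP-FPM pool, suPHP); when PHP runs as a
# separate account that shares the file's group, pass 440 (the default here).
fix_permissions() {
  local docroot=$1 cfg_mode=${2:-440}
  find "$docroot" -type d -exec chmod 755 {} +
  find "$docroot" -type f -exec chmod 644 {} +
  [ -f "$docroot/wp-config.php" ] && chmod "$cfg_mode" "$docroot/wp-config.php"
  return 0
}

# Stand-alone demo.
T=$(make_tree)
echo "== world-writable before =="; world_writable "$T"
fix_permissions "$T" 440
echo "== world-writable after =="; world_writable "$T"
echo "wp-config.php is now $(mode_of "$T/wp-config.php")"
rm -rf "$T"
```

One caveat the scheme itself does not spell out: 755 on wp-content/uploads assumes PHP runs as the owner of the files. If it runs as a different account, give that account group access and use 775 on the directories it must write to, with the web server’s user in the group; never fall back to 777.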
If you’d rather hand this process to a team that handles WordPress malware cleanup every week, that’s a smart move too, especially for eCommerce stores or sites handling sensitive client data.
Conclusion
WP malware removal is stressful, but it follows a predictable path: identify the entry point, scan and map the infection, clean the files and database, and then harden the site so it doesn’t happen again. The biggest mistake we see is stopping after the cleanup. Hardening is what turns a one-time crisis into a lasting fix.
If your site is infected right now, take a breath, follow the steps above, and move methodically. And if you need a second set of eyes, or just want someone else to handle it, we’re here to help.
Frequently Asked Questions About WP Malware Removal
What is the first step in WP malware removal?
The first step is to back up your entire site—even the infected files—so you have a snapshot for comparison. Then run a reputable WordPress malware scanner like Wordfence, Sucuri SiteCheck, or MalCare to identify compromised files, modified core files, and known malware signatures before you begin cleaning.
How do I know if my WordPress site has been hacked?
Common signs include unexpected redirects to spam sites, Google Search Console warnings, sudden slowdowns, unknown admin accounts, modified core files, and injected spam links. If you notice even one symptom, act immediately—every hour malware remains increases reputational damage. Our step-by-step malware cleanup guide walks you through the full detection and removal process.
Can I remove WordPress malware without a plugin?
Yes, manual WP malware removal is possible. Download a fresh copy of WordPress from wordpress.org and replace the wp-admin and wp-includes directories. Then manually inspect wp-content, wp-config.php, and .htaccess for injected code. Search your database for suspicious scripts or base64 strings. However, using a trusted malware removal tool speeds up the process and reduces the risk of missing hidden backdoors.
How do I prevent my WordPress site from getting hacked again?
Harden your site by updating WordPress core, plugins, and themes weekly. Enforce strong passwords with two-factor authentication, limit login attempts, and set correct file permissions (755 for directories, 644 for files). Use a Web Application Firewall and schedule automatic off-site backups. You can also hide WordPress fingerprints to make automated scanning harder for attackers.
Does hosting affect WordPress malware risk?
Absolutely. Cheap shared hosting without proper account isolation can let one infected neighbor site cross-contaminate yours. A managed WordPress host typically offers server-level firewalls, automatic updates, malware scanning, and isolated environments—significantly reducing your attack surface compared to budget shared plans.
How long does professional WordPress malware cleanup take?
Most professional WP malware removal services can clean a standard site within 4–24 hours, depending on infection severity. Complex cases involving database-level injections or multiple backdoors may take longer. For eCommerce stores or sites handling sensitive data, hiring a team that handles WordPress malware cleanup regularly ensures nothing is missed and downtime stays minimal.
Some of the links shared in this post are affiliate links. If you click on the link and make any purchase, we will receive an affiliate commission at no extra cost to you.