How to Remove Malware from WordPress: A Practical Cleanup Guide

Written by: Abigail Ivy
Published on:

How to remove malware from WordPress

If your site suddenly redirects visitors, shows spam content, or gets flagged by Google, you may be dealing with a WordPress malware infection.

This guide explains how to remove malware from WordPress step by step and how to prevent it from coming back.

WordPress sites are frequent targets because outdated plugins, weak passwords, and vulnerable themes create easy entry points for attackers.

The good news is that most infections can be cleaned systematically if you identify the source, remove malicious code, and restore trust with search engines and users.

What malware on WordPress usually looks like

Malware on a WordPress site can take many forms, and the symptoms are not always obvious.

Some infections affect only one file, while others hide in the database, inject scripts into the homepage, or create backdoors that allow attackers to return after cleanup.

  • Unexpected redirects to unfamiliar domains
  • Spam links appearing in pages, posts, or widgets
  • New admin users you did not create
  • Browser warnings or Google Safe Browsing alerts
  • Sudden drops in traffic from search engines
  • Files with unusual names in wp-content, wp-includes, or wp-admin

First steps before you clean the infection

Before changing anything, take your site offline if possible or place it in maintenance mode.

This reduces the risk of spreading malware to visitors and helps prevent additional damage while you investigate.

Create a full backup of the current infected site, including files and the database.

Even though the backup is compromised, it is essential for forensics, comparison, and recovery if you delete something important during cleanup.

  • Back up all site files through SFTP, SSH, or your hosting control panel
  • Export the MySQL database through phpMyAdmin or the command line
  • Record any error messages, redirects, or suspicious URLs
  • Note recent changes to plugins, themes, users, or hosting settings

How to remove malware from WordPress manually

Manual cleanup is often the fastest way to regain control when you know what to inspect.

It requires attention to file integrity, database content, and user accounts, because malware often hides in multiple locations.

1. Scan the site files for suspicious code

Connect to the server using SFTP, SSH, or your host’s file manager.

Review recently modified files and look for obfuscated PHP such as base64_decode, gzinflate, eval, str_rot13, or long strings of random characters.

Focus on common infection points:

  • wp-content/themes/your-theme/functions.php
  • wp-content/plugins/installed-plugin/
  • wp-content/uploads/
  • wp-config.php
  • .htaccess

Delete any file that is clearly malicious and restore legitimate core files from a clean WordPress download.

If you are unsure, compare the file against the official version from WordPress.org or the plugin or theme vendor.

2. Replace WordPress core files

Attackers often modify WordPress core files to maintain persistence.

Download a fresh copy of the same WordPress version, then replace everything except wp-config.php and the wp-content directory.

This step helps remove injected code in core directories such as wp-admin and wp-includes.

It is one of the safest ways to ensure the base installation is clean.

3. Clean infected plugins and themes

Deactivate and remove any plugin or theme you do not recognize.

Reinstall trusted plugins and themes from the official repository or the vendor’s distribution package rather than trying to repair unknown files manually.

Pay special attention to nulled themes and pirated plugins, which are a common malware source and often include backdoors, SEO spam, or hidden admin access.

4. Check the database for injected content

Malware frequently inserts spam links, malicious scripts, or phishing content into wp_posts, wp_options, and wp_usermeta.

Use phpMyAdmin or a database client to search for suspicious HTML, JavaScript, iframe tags, or unfamiliar external domains.

Review the following areas closely:

  • Posts and pages with hidden links or scripts
  • Site title, tagline, and widget settings in wp_options
  • Admin-related metadata in wp_usermeta
  • Redirect rules stored by compromised plugins

5. Remove unknown administrator accounts

Open the Users section in WordPress and verify every account with elevated privileges.

Delete unknown administrators, reset passwords for legitimate users, and review user roles carefully.

If attackers gained admin access, they may have created additional accounts, changed email addresses, or modified password reset settings to regain entry later.

How to verify the site is clean

After removal, run a security scan using a reputable WordPress security plugin or an external malware scanner.

Popular options include Wordfence, Sucuri SiteCheck, and hosting-level malware scanners from providers such as SiteGround, Kinsta, or WP Engine.

Also inspect the site in a private browser window and test key pages, forms, and login areas.

Watch for strange redirects, broken layouts, or hidden scripts loaded from unfamiliar domains.

  • Check the homepage and top landing pages
  • Open source code and look for injected external scripts
  • Test wp-admin login and password reset flows
  • Confirm that no new files are being created after cleanup

How to secure WordPress after malware removal

Cleaning an infection is only half the job.

If the underlying vulnerability remains, the site can be reinfected within hours or days.

Reset all credentials

Change passwords for WordPress admin accounts, hosting control panels, SFTP/FTP, databases, and email accounts tied to the site.

Also regenerate authentication salts in wp-config.php so old cookies become invalid.

Update everything

Update WordPress core, plugins, themes, and server software.

Remove anything that is abandoned, unnecessary, or no longer maintained by the developer.

Install layered security

Use a web application firewall, malware scanning, login protection, and file integrity monitoring.

Services like Cloudflare, Sucuri, and Wordfence can block known attack patterns and alert you to suspicious changes.

  • Enable two-factor authentication for administrator accounts
  • Limit login attempts and disable XML-RPC if unused
  • Use least-privilege user roles
  • Restrict file editing in wp-config.php
  • Keep off-site backups on a regular schedule

How to recover search visibility after an infection

If Google or other browsers flagged your site, request a review after cleanup.

Use Google Search Console to check Security issues and Manual actions, then submit a reconsideration request if necessary.

Review your sitemap, robots.txt, and indexed pages to make sure no spam URLs remain.

If malicious pages were indexed, remove them from the server and let search engines recrawl the cleaned version.

When to hire a WordPress security professional

Professional help is worth considering if the infection keeps returning, if the database is heavily compromised, or if the site handles sensitive customer data.

Agencies and specialists can perform a deeper forensic review, identify the initial entry point, and help restore hardened infrastructure.

It is also a good choice when uptime, ecommerce revenue, or compliance obligations make a DIY cleanup too risky.

For WooCommerce stores, membership sites, and high-traffic publications, a failed cleanup can cost more than expert remediation.

Common mistakes to avoid during cleanup

Some cleanup attempts remove visible symptoms but leave the infection in place.

Avoid these mistakes if you want a lasting fix:

  • Deleting random files without checking what they do
  • Reinstalling infected plugins from the same source
  • Ignoring the database and only scanning files
  • Leaving stolen admin accounts active
  • Skipping password resets after recovery
  • Restoring backups without verifying they are clean

By taking a structured approach, you can remove malware from WordPress, restore site integrity, and reduce the odds of another compromise.

The most important priorities are isolating the site, cleaning every infection point, and closing the security gap that allowed the attack in the first place.