WordPress malware removal: a complete beginner’s guide
Few things are more stressful than discovering malware on your WordPress site. Malware can cause spam, redirect visitors, or even lock you out of your own dashboard. The good news is that with the right steps, you can remove the infection and protect your site going forward.
Manual WordPress malware removal
If you don’t want to rely on plugins, you can manually clean your WordPress site. This takes more time but gives you full control over the process. Here are the steps to follow:
- Back up your entire site: Before making any changes, create a full backup of your WordPress files and database. Even though malware is present, a backup ensures you can restore your site if something goes wrong during cleanup. Use your hosting control panel or a plugin like UpdraftPlus to create this backup.
- Put your site in maintenance mode: Temporarily take your site offline to stop visitors from encountering malware-injected pages. You can create a simple maintenance page using a plugin or upload a static HTML file in place of index.php.
- Check core WordPress files: Download a fresh copy of WordPress from WordPress.org. Compare the files in your site’s root directory (wp-admin, wp-includes, and core files like wp-config-sample.php) with the clean download. Replace any modified or suspicious files with the originals.
- Scan the wp-content folder: This is where most infections hide, since it contains themes and plugins. Look for unfamiliar files, odd names (such as wp-content/uploads/abc123.php), or recently modified files you didn’t change. Delete or replace suspicious files.
- Clean the database: Malware often hides in the WordPress database by injecting malicious code into posts, widgets, or plugin settings. Use phpMyAdmin (usually available in your hosting control panel) to search for suspicious keywords like base64, eval, or long strings of random characters. Remove these carefully, making sure not to delete valid content.
- Change all passwords and security keys: Change your WordPress admin, hosting control panel, FTP, and database passwords. Also update WordPress security keys in wp-config.php. This ensures hackers lose access even if they stole your old credentials.
- Test and reactivate your site: After cleanup, bring your site out of maintenance mode and check that everything works. Open your site in an incognito window and look for suspicious redirects or unwanted ads.
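The file checks in the steps above (comparing core files with a clean download, then reviewing wp-content) can be scripted once you have shell access. This is an added example, not part of the original guide: the function names and sample tree are constructed for illustration, and the keyword search applies the terms the guide lists for the database to PHP files instead.

```bash
#!/usr/bin/env bash
# Read-only triage: each function only prints paths to review; nothing is deleted.
# Files in wp-admin/wp-includes that differ from, or are absent in, a clean download.
# $1 = live site root, $2 = extracted clean copy of the same WordPress version.
core_diff() {
  local site="${1%/}" clean="${2%/}" f rel
  find "$site/wp-admin" "$site/wp-includes" -type f 2>/dev/null | sort |
  while IFS= read -r f; do
    rel=${f#"$site"/}
    if [ ! -e "$clean/$rel" ]; then echo "EXTRA $rel"
    elif ! cmp -s "$f" "$clean/$rel"; then echo "MODIFIED $rel"
    fi
  done
}

# PHP files in uploads, a directory that normally holds media rather than code.
uploads_php() {
  find "${1%/}/wp-content/uploads" -type f -iname '*.php' 2>/dev/null | sort
}

# PHP files under wp-content that call eval() or base64_decode().
# Legitimate plugins call these functions too, so hits are leads, not verdicts.
keyword_hits() {
  grep -rlE --include='*.php' '(eval|base64_decode)[[:space:]]*\(' \
    "${1%/}/wp-content" 2>/dev/null | sort
}

# Files under wp-content modified within the last N days ($2, default 7).
recent_changes() {
  find "${1%/}/wp-content" -type f -mtime "-${2:-7}" 2>/dev/null | sort
}

# Constructed sample: a clean copy plus a site with one altered core file,
# one extra core file and one PHP file in uploads (placeholder payload).
build_sample() {
  local t; t=$(mktemp -d); local s="$t/site/wp-includes" c="$t/clean/wp-includes"
  mkdir -p "$c" "$s" "$t/site/wp-content/uploads" "$t/site/wp-content/themes/demo"
  echo '<?php // version' | tee "$c/version.php" > "$s/version.php"
  echo '<?php // load' > "$c/load.php"
  echo '<?php // load, plus an injected line' > "$s/load.php"
  echo '<?php // not part of core' > "$s/class-wp-tmp.php"
  echo '<?php eval(base64_decode("Li4u"));' > "$t/site/wp-content/uploads/abc123.php"
  echo '<?php get_header();' > "$t/site/wp-content/themes/demo/index.php"
  touch -t 202001010000 "$t/site/wp-content/themes/demo/index.php"
  echo "$t"
}
# Usage: script SITE_ROOT CLEAN_COPY; with no arguments it runs on the sample.
if [ "$#" -ge 2 ]; then site=$1 clean=$2; else t=$(build_sample); site=$t/site clean=$t/clean; fi
core_diff "$site" "$clean"; uploads_php "$site"; keyword_hits "$site"; recent_changes "$site"
```

Run it against the backup copy or the live files while the site is in maintenance mode, and review each reported path before replacing or deleting anything.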
WordPress malware removal with a plugin
If manual cleanup feels overwhelming, security plugins can automate the process. Here’s how to do it:
- Install a malware removal plugin: Popular options include Wordfence Security or MalCare Security. Both are actively maintained, and both scan for, detect, and remove malware from your site.
- Run a full site scan: From the plugin dashboard, start a scan. The plugin checks files, themes, plugins, and the database for suspicious code or anomalies.
- Review scan results: The plugin will list infected files or entries. Many plugins allow one-click repair or replacement of infected files. Others give you the choice to delete or restore files manually.
- Enable ongoing protection: Most security plugins offer firewall protection, brute force attack prevention, and login security. Activate these to keep your site safe after removal.
How to check your WordPress site for malware
Regular scans help you catch malware before it causes damage. Here’s how to check your site:
- Use a plugin-based scanner: Tools like Wordfence and MalCare let you run quick or deep scans anytime. These detect known malware signatures and suspicious code.
- Check with an external scanner: Services like Sucuri SiteCheck let you scan your site from the outside. They can catch issues like spammy redirects or blacklisted domains.
- Monitor unexpected changes: If your site suddenly slows down, redirects visitors, or displays new ads or links, those are common signs of malware.
How to protect your WordPress site from malware attacks
Once your site is clean, prevention is key. Here are steps to secure your site going forward:
- Keep WordPress, themes, and plugins updated: Hackers exploit outdated software. Always install updates promptly through the dashboard.
- Use strong login security: Create long, unique passwords for all accounts and enable two-factor authentication with a plugin like WP 2FA.
- Install a firewall plugin: Wordfence, MalCare, or Sucuri firewall plugins block malicious traffic before it reaches your site.
- Limit plugin and theme sources: Only install plugins and themes from the official WordPress Plugin Directory or trusted premium providers. Avoid “nulled” or pirated downloads.
- Schedule automatic backups: Use a backup plugin to create daily or weekly backups. Store them offsite so you can restore your site quickly if needed.
- Use SSL (HTTPS): An SSL certificate encrypts communication between your site and visitors, reducing the chance of certain attacks. Most hosts provide free SSL through Let’s Encrypt.
Next steps for WordPress malware removal
Malware can damage your site’s reputation and even your business, but with the right steps you can remove it and stop future attacks. Whether you clean your site manually or use a plugin, ongoing security practices are just as important as removal.
If your site has been infected, start with a scan today. From there, follow the steps to clean and secure your website so it stays safe in the future.
Lindsey Miller is the former Partner Manager for Liquid Web Managed WordPress Hosting. She’s been involved in various aspects of the WordPress community for over 7 years and helped start a non-profit teaching kids to code, The Div.