How to Remove WordPress Malware

Webmasters have many skills, but one of the most important things they need to be competent in is removing WordPress malware.

You can either remove WordPress malware manually or by using a malware removal plugin. We’ll cover both methods in this guide so you can decide which one you want to go with.

Keep in mind that the manual method to remove WordPress malware will take you a bit of time, and you may need a bit of technical know-how to really get going. The obvious upside to using a manual method to remove WordPress malware is that in the process, you will learn a lot about what happens in the background of a given website and what happens when certain security protocols are breached.

If you don’t feel like getting your hands dirty while removing WordPress malware, you can always skip to the section where we review the security plugins that help you remove WordPress malware without any manual work.

An image featuring a person wearing a dark hoodie and using his laptop representing a hacker with a hacker-ish background concept

Here are some things you need to do ahead of going through the steps to remove malware from your WordPress site:

Turn on Maintenance Mode

This is very important since the only person who should have access to your WordPress site when it has malware is you, the person who is trying to fix it. And the best way to put any WordPress site that you operate into maintenance mode is with the help of a plugin like SeedProd.

This WordPress plugin enables users to generate a maintenance page in a matter of minutes and customize the page to their liking. You can use your preferred fonts, layouts and colors. You also get to pick a background for your maintenance page from over 500,000 photos, and you can change the theme of the page as well.

Backup the WordPress Site That Has Malware

An image featuring a person holding out their finger on a cool drawn system that says backup on it representing data backup

To remove a WordPress malware infection, you will need to tweak several core files. As such, it is always a good idea to backup your WordPress site in case something goes wrong.

There are many ways to backup your WordPress website, but your options might be limited depending on whether you have access to the site or not.

Let’s assume you do not have the ability to log in to your website. In that case, you should find your website’s public_html folder and then save a copy of it.

You can easily do that with the help of an FTP application or the file manager available via your hosting service.

If you’re using a file manager to backup your WordPress website, you’ll need to go to the public_html directory, right-click on it and then choose the option that says “Compress.” After that, you’ll need to save the backup file on your machine. Do that by right-clicking on the archive and selecting the option that says “Download.”

If you’re using the FTP option, you’ll need to go to the “Site Manager” option first. From there, click on “Connect.” Then, download the folder in the same way as you did above. Use FileZilla as your FTP client.

Now, for cases where a user still has access to the WordPress website, using various WordPress plugins can come in handy. Some of the plugins you can use include:

These should be able to save you a lot of time.


If you don’t want to use any of these plugins or apps, you can store your database backup locally.

Scan Your Computer After Backup

An image featuring a person using his MacBook and is scanning his files for malware

As mentioned above, the most convenient way of starting your WordPress malware removal process is to make a backup of your website, download that backup with the help of a file manager or an FTP client, and then save a local copy of it.

After that, you’ll need to scan that backup. You shouldn’t have to use any specialized software for this. In fact, the best way to go about this step is to use the malware scanner or antivirus/anti-malware program that you’re already using.

The two best, and free, applications to diagnose and fix any issues that may exist in your WordPress website’s files are Malwarebytes and Kaspersky.

So, you’ll need to scan WordPress for malware to ensure there aren’t any issues with your files. If you find something wrong with your files while performing a WordPress malware scan, you can remove the malicious code with the help of your antivirus/anti-malware program, malware removal software or malware scanner.

After that, it is considered good practice to change the current FTP password. Then, you should re-upload your WordPress files.

Get Rid of Malware Infection

An image featuring a person using his MacBook with text that says malware and has a malware logo on it representing computer virus malware infection

Malware infection in WordPress sites is not as rare as you may think. And that’s a good thing because if malware problems were rare or non-existent, there wouldn’t be so many tools to fix them. Fortunately, there are many actions you can take to remove WordPress malware and keep track of threats through a WordPress malware scanner. Your first step is to access your WordPress files with the help of a file manager or an FTP client. 

Once you have that access, delete all files and folders you see in the WordPress website’s directory except two: Keep wp-content and wp-config.php and get rid of the rest.

Now, open up your wp-config.php file. And then compare the contents of the file with a file of the same name from a new installation. If that’s too difficult, you can also compare your wp-config.php file with the wp-config-sample.php that is found on the official WordPress GitHub repository.

While comparing, you need to look for code or blocks of code that appear out of place, strange or suspicious. Once you come across malicious code, delete it. 


As mentioned before, if you find malicious code in your database, you must change the current password. Make sure you do it after you have inspected everything.

The next step is to go to your directory named wp-content and then go through the list of actions mentioned below:

First, check all the plugins you have installed. The best way forward here is to erase the WordPress subfolder that contains your plugins. You will need to download and install your WordPress plugins again. 

Secondly, you need to do something about your themes folder as well. The best thing to do here is erase everything and just keep the current WordPress theme. While you are doing that, keep an eye out for bad code. But if you get rid of everything, you wouldn’t need to look for malicious code. That can only happen if you reinstall all the themes again and/or have a backup that is completely clean. 

Thirdly, go through your uploads folder. If you find anything there that you don’t remember uploading, then that thing needs to go. 

Finally, take a look at the index.php folder/file and get rid of it only after the plugins folder has been deleted. 

Install a New WordPress Copy After Downloading It

An image featuring a person using his laptop and is logging in in his WordPress website

Go to this page and download the latest edition of WordPress available there. Then, re-upload all of the content to the WordPress website you’re working on. You can use either a file manager or an FTP client to do that. 

If you’re going the File Manager route, click on “Upload Files” from the main menu and then find the place where you downloaded the WordPress zip file. Once you have successfully uploaded your file, you need to right-click it and extract it. Alternatively, you can click the button that says “Extract.” While doing that, you will also need to supply a directory name, which will also act as the save location. 

When you’re done with the extraction process, you’ll need to put the zip file aside and copy everything to public_html. 

A one-click installer by the name of hPanel (you can go with the usual cPanel if that’s more convenient for you) can do all that for you very quickly.

It can also modify your current database credentials that reside in the wp-config.php file so they direct to the new installation you just made.  

Reset Your WordPress Password

This step is a no-brainer, really. If you run any kind of modern WordPress website, there is a high chance you have multiple people working on the website with different user profiles. It is entirely possible that if hackers did breach your website, they did so through one of the existing accounts. 

The standard practice here is to change all passwords after you have logged out all users. Moreover, you should also check for any suspicious and inactive user accounts. If you find any, delete them.

It goes without saying that you should create strong passwords that are randomized, long and safe from brute force attacks.

This is where password managers come into play. It will be difficult to generate a strong password straight out of your head that is resistant to brute force methods, but a password manager can help you create and store one.

Themes and Plugins: Install Them Again (Including WordPress Malware Removal Plugin)

Once you have the malware out of your WordPress website, you should download and install all the themes and plugins you deleted earlier. While doing that, stay away from plugins and themes that don’t receive regular updates or have been abandoned. 

It is also wise to install a couple of security plugins for your fresh WordPress sites. While many can remove malware from your WordPress website when a need arises, the best WordPress malware removal plugin tools are:

Now, we move to the method where you use a WordPress plugin to remove malware from WordPress websites. 

Use a Plugin to Remove Malware from WordPress

Using this method can sometimes save you a lot of time if you are willing to spend a bit of money upfront. Getting a security plugin like Sucuri is easy enough.

You can download it from the WordPress plugin repository, available here.
An image featuring a laptop that has a phone on top of it with a green malware logo representing malware concept

Once you have installed the Sucuri plugin, you need to go to the dashboard page and then click the button “Generate an API key.” That will give you the full Sucuri experience. It should also integrate the Sucuri API service with your WordPress site. 

The next step is to click on “Dashboard” and then on “Refresh Malware Scan.” From there, if you find any suspicious file (which Sucuri will show you automatically if it finds any), you should select it and then click on one of the many actions you can take on it. 

Enable Public Access

Assuming you have removed WordPress malware successfully, don’t forget to put your website out of maintenance mode and into public access. Most of the time, all you need to do here is to go to the admin dashboard and disable maintenance mode. 

Tell Google You Are Okay Now

If you had WordPress malware and you took the necessary steps to remove it and were successful, then you need to let Google know. Google usually puts a warning label on websites with malware. To get that label removed and enable Google to index the WordPress website again so it shows up in search results, you need to first open your Google Search Console (by clicking here) and then add your WordPress site.

Then, you need to go to the Security Issues Report and choose the option that says “Request a Review.” You will then have to submit the review and mention the steps you took to get rid of the problem. Google should send you a notification after you have submitted your review fairly quickly. 

Get a New Hosting Provider

Sometimes, no matter what you do, you can’t get rid of WordPress malware. If that’s the case with you, you should know that sometimes if you change your hosting provider, you can get rid of WordPress malware. 

Pro Tip:

Before moving, though, it’s a good idea to get in touch with your current hosting provider and ask for help. If they don’t solve your problem, go ahead and move to a hosting provider that has better customer support service and stronger security measures.

The Bottom Line: Follow WordPress Security Best Practices

An image featuring a person holding out his hand while hypothetically holding a security lock that is representing security concept

Now, you’ve learned the WordPress malware removal process and have successfully restored your previously hacked WordPress site. We also showed you how to back up your files, scan your site for malware, remove code that’s infected with malware and install a WordPress malware removal plugin.

Keeping hackers away from your WordPress site is easy if you follow some general guidelines. Always keep your WordPress updated, don’t use old plugins/themes, use WordPress security plugins and regularly change passwords to prevent brute force attacks and other security incidents.

WordPress has a premium plan which has an automatic backup feature for $29 per year. That can be crucial if you have a hacked WordPress site or other security issues.

If you are using a plugin for your backups, make sure it backs up everything in order. A three-step process can help here. Your plugin should allow you to backup your entire database and schedule backup at a later date without your input. Preferably, it should also have the facility to backup the entire website. 

There are a couple of good backup plugins, but the ones you should definitely check out are:

Zohair A. Zohair is currently a content crafter at Security Gladiators and has been involved in the technology industry for more than a decade. He is an engineer by training and, naturally, likes to help people solve their tech related problems. When he is not writing, he can usually be found practicing his free-kicks in the ground beside his house.
Leave a Comment