How to Remove Malware from WordPress: A Complete Step-by-Step Guide

How to Remove Malware from WordPress: A Complete Step-by-Step Guide

Discovering malware on your WordPress site can be alarming. Whether your site is redirecting visitors to suspicious pages, showing strange ads, or your hosting provider has flagged suspicious activity — you need to act fast. In this guide, we’ll walk you through exactly how to detect and remove malware from your WordPress site.

Signs Your WordPress Site Has Malware

Before you start cleaning, it helps to confirm your site is actually infected. Common signs include:

  • Your site is redirecting visitors to unknown or suspicious websites
  • Google Search Console is showing security warnings
  • Your hosting provider has suspended your account
  • You notice unknown admin users in your WordPress dashboard
  • Your site loads very slowly or crashes frequently
  • Visitors report seeing spam ads or pop-ups
  • Your antivirus flags your website URL

Step 1: Put Your Site in Maintenance Mode

Before you start cleaning, protect your visitors by putting your site in maintenance mode. This prevents users from accessing a potentially compromised site while you work on it.

Step 2: Back Up Your Website

Always create a full backup before making any changes — even if the site is infected. Back up all website files and your WordPress database, and store them somewhere safe and offline.

Step 3: Scan Your Website for Malware

Run a thorough malware scan using a WordPress security plugin like Wordfence, MalCare, or Sucuri Security, or use an online scanner like Sucuri SiteCheck.

Step 4: Remove Infected Files

  • Delete unknown or suspicious PHP files — especially in the uploads folder
  • Replace core WordPress files with fresh copies from WordPress.org
  • Check and reinstall compromised themes and plugins
  • Remove unknown admin accounts

Step 5: Clean Your WordPress Database

Check for spam links, malicious JavaScript, or iframe code injected into posts, and suspicious entries in the wp_options table.

Step 6: Update Everything

Update WordPress core, all plugins, your theme, and ask your host to upgrade PHP to 8.1 or higher.

Step 7: Change All Passwords and Secret Keys

Reset your WordPress admin password, database password, FTP credentials, hosting panel password, and WordPress secret keys/salts.

Step 8: Harden Your WordPress Security

  • Install a security plugin like Wordfence or Sucuri
  • Enable a Web Application Firewall (WAF)
  • Limit login attempts
  • Enable two-factor authentication (2FA)
  • Disable file editing via the dashboard
  • Set correct file permissions (755 for folders, 644 for files)

Step 9: Request a Google Review

If Google flagged your site, go to Google Search Console → Security Issues and submit a review request after cleaning.

Final Thoughts

Removing malware from WordPress takes time and attention to detail, but it’s absolutely doable. The key is to act quickly, clean thoroughly, and then put stronger defenses in place. Regular backups, timely updates, and a good security plugin are your best long-term protection.

🔍

Scan Your Website Right Now — Free

Check any website for malware, phishing, blacklists & SSL issues in seconds.

Free Malware Scan →
Ajay singh

smartmalwarescan security research team.

Leave a Comment

Your email address will not be published. Required fields are marked *