WordPress Malware Removal: Expert Guide to Clean Hacked WordPress Site
WordPress is the CMS with the largest market share, powering 33% of all websites on the web.
And due to its popularity, WordPress faces about 90,000 attacks per minute.
So, whenever you notice something unusual on your WordPress website, I am afraid it may have been infected by malware.
That’s why I put together this guide to WordPress malware removal, where you can fix a hacked WordPress site in just a few steps.
Before proceeding, it’s crucial to recognize the common types of malware that frequently threaten websites.
- Trojans and Backdoors: Hackers embed malicious code deep within themes, plugins, or core files. This creates a hidden backdoor, giving them persistent, unauthorized access to your website for future exploits.
- File-Infecting Viruses: These potent viruses attach themselves to your website’s essential files, such as PHP scripts. Once infected, they can corrupt your site’s functionality, steal data, or redirect your visitors to harmful websites.
- Ransomware: This malware encrypts your website’s files and database, effectively locking you out of your own content. The attackers then demand a ransom payment, typically in cryptocurrency, to restore your access.
- Spyware and Keyloggers: Often concealed in compromised plugins or themes, this type of malware secretly records sensitive information. It can capture admin login credentials, customer data, and payment details entered on your site.
- Adware: Malicious code is injected into your website to force unwanted, often malicious, advertisements upon your visitors. This disrupts the user experience and can damage your site’s reputation.
- Botnet Malware: A compromised website can be turned into a “zombie” and enslaved into a botnet. Your server is then used without your knowledge to send spam, participate in large-scale Distributed Denial-of-Service (DDoS) attacks, or perform other illegal activities.
- SEO Spam and Malicious Redirects: A very common outcome of a hack, this involves injecting spammy links and keywords into your content or forcefully redirecting your traffic to other, often illicit, websites. This severely harms your search engine rankings and user trust.
For a fuller list, you can read my other post, Most Common WordPress Malware in 2025.
How to Detect Malware on Your WordPress Website
Now that you know the basics, the next question is how to detect malware. Your instincts and your site’s behaviour will usually tell you whether you have been hacked.
The following signs suggest that your site has been hacked:
- You see spam appearing in your site header or footer, advertising things like pornography, drugs, or illegal services. It usually appears as dark text on a dark background, barely visible to human eyes (but search engines can detect it).
- You search for your website and it redirects somewhere else. Attackers often inject malicious redirects to send your traffic to their ads or spam pages, improving their own SEO rankings and hijacking your traffic.
- Some malware consumes significant server resources, making your site very slow to load. This is rare, but you should stay alert.
- You find strange-looking JavaScript code in your WordPress core. Attackers often use obfuscation, odd formatting, and code comments to hide their malware. Even a small snippet of malicious JavaScript can redirect website traffic, harvest credit card details, or steal passwords from a hacked website.
- Your visitors report that they are being redirected to a malicious or spammy website. Such malware often detects that you are the site administrator and shows you nothing unusual; it serves the spam only to your visitors or to search engines.
- You receive a report from your hosting provider that your website is engaging in malicious or spammy behaviour.
You can also try these automated methods to detect malware on your website:
- Scan your site with a security plugin. “Wordfence Security,” “Sucuri Security,” and “MalCare” are the best known for scanning malware signatures and suspicious files.
- Or try an online WordPress malware scanner. Among them, “VirusTotal” and “sitecheck.sucuri.net” are the best known.
Note: These plugins and online scanners can also clean up malware for you, but it’s better to go through the manual process first.
How to Remove Malware from WordPress Site Manually
You now know the WordPress malware basics and how to detect malware on your site.
Now let’s walk through the steps to completely remove malware from your WordPress site.
Step #1: Restrict WordPress Access Immediately
Whenever you suspect your WordPress site has been compromised, immediately restrict its access to prevent users from visiting it. Otherwise, the malware might spread to visitors’ devices or redirect them to phishing sites.
If you don’t, the infection will keep holding your site back even after it is cleaned and you want to grow again. Visitors now expect secure browsing, not an infected site.
Only you, as the administrator, can do this, and it also lets you track changes more easily if something goes wrong.
The easy way is to turn on maintenance mode in WordPress. WordPress doesn’t ship with a maintenance mode of its own, so you have to use a plugin.
You can use a plugin like “LightStart” or “Site Offline” to complete your task. These free tools let you easily enable maintenance mode on your site in just a few clicks.
Let’s assume you have installed and activated the LightStart plugin.
Now, navigate to Settings > LightStart > General to reach the maintenance mode setting and click “Activated” to turn it on.
However, restricting WordPress user access can be achieved through many other methods. You can use any one of these:
- User Roles and Capabilities
- Limiting Dashboard Access
- Code-Based Restrictions
- IP-Based Restrictions
Google each of them if you want to know which one suits you best; I found no single blog or tutorial good enough to recommend.
Step #2: Backup your WordPress Files (But Do It Safely)
Before making any changes to your website, the second thing to do is take a full backup of it.
There are two things you’ll need to back up:
- Your database: where your content, settings, and user information are stored.
- Your files: everything else, such as your themes, plugins, and images.
The easiest way to back up a site is with a WordPress plugin. Free plugins like UpdraftPlus, All-in-One WP Migration, and Jetpack will get the job done.
However, you can back up your WordPress site manually, too, by using File Manager (cPanel) tools and phpMyAdmin.
Most users skip the manual option to back up files because it’s technically difficult, has a learning curve, and takes time to complete.
Anyway, if you don’t know how to do this, you can check this full guide on how to take a backup of your WordPress website before continuing.
Step #3: Reset All Passwords & Access Keys
A compromised website means your WordPress administrators’ credentials may be exposed on the dark web, where any hacker can pick them up and use them against your site’s data.
So, immediately changing all passwords can give you some relief from a hack.
It’s wise to update your credentials on other platforms too, like the WordPress database, hosting panel, and File Transfer Protocol (FTP) client.
To minimize security threats, use a strong, unique password for each account. A password generator such as 1Password or Strong Password Generator makes this easy.
Plus, you can store all your credentials in an application like NordPass or 1Password, which provides an encrypted vault to safeguard your login information for the future.
After resetting passwords, also change the WordPress salts to further secure your new login details; changing the salts invalidates every existing login cookie, so any session an attacker still holds is logged out. The following WP-CLI command, run via SSH, shuffles the salts and resets every administrator’s password to a random string:
wp config shuffle-salts && wp user reset-password $(wp user list --role=administrator --field=ID)
Step #4: Check Recently Modified Files
Next, look over the files that have recently been added or modified. There are several ways to check for them, such as via SSH or cPanel.
Starting with SSH: log in to your server, change to your site’s home directory, and run either of these commands:
$ ls -1tlah | head -100
$ find . -type f -mtime -60
Here’s what these commands do, in case you want to tweak them:
- In the first command, “ls -t” sorts by modification time with the newest first, and “head -100” shows only the first 100 entries, so you can quickly review the most recently modified files.
- In the second command, “-mtime -60” finds files modified in the last 60 days.
Both commands give you a list of recently modified files. Review them, and if you find any suspicious files, delete them.
You can also check modified files from cPanel. Here’s how:
- Log in to cPanel and navigate to File Manager
- Navigate to your site’s home directory and click Last Modified to view files with recently modified dates, starting at the top
- Also check the wp-content/plugins and wp-content/themes directories for any questionable or suspiciously generic-named plugins. Attackers frequently plant malware in these directories
So, if you find any suspicious files, just delete them to be safe.
Step #5: Remove Hidden Backdoors
To create a backdoor, hackers often inject harmful code into PHP files in your WordPress installation. Plugins, themes, and uploads folders are also the most popular targets of these backdoor injections.
Their favourite targets are common files such as wp-config.php and functions.php. These files are essential to how your site runs, so you can’t simply delete them.
Injected code tends to rely on a handful of PHP functions; base64_decode, exec, str_rot13, and move_uploaded_file are among the most commonly used.
Now, to quickly identify those potentially compromised PHP files in your directories, use the following SSH command:
find . -type f -name "*.php" -print0 | xargs -0 grep -iE "base64_decode|exec|move_uploaded_file|str_rot13|gzuncompress|eval|stripslashes|system|assert|preg_replace.*\/e"
Remove any injected scripts you find in the compromised files, too. For reference, you can set up a fresh staging WordPress site to compare against the original code.
We also recommend checking image files and any PHP files that embed an iframe, since hackers sometimes hide a backdoor inside an uploaded image or inject an iframe into a PHP file.
Here are the commands:
find wp-content/uploads -type f -iname '*.jpg' -print0 | xargs -0 grep -il php
find . -type f -name '*.php' -print0 | xargs -0 grep -il '<iframe'
The first prints the names of JPG uploads that contain the string “php”; replace JPG with any other image format you want to check, such as PNG, GIF, or SVG. The second searches the contents of every PHP file for an iframe tag.
Note: Some themes and plugins use these PHP functions legitimately. After cleaning, check that those extensions still work to make sure you haven’t removed anything essential.
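The checks from Step 4 (recently modified files) and Step 5 (suspicious functions, PHP inside images, iframes) combined into one small shell scanner. This is an added example, not a command from the original post; the directory layout and the planted sample files it creates under a temp directory are constructed for the demo, and it assumes GNU grep (for \b) and an xargs that accepts -r.

```shell
#!/bin/sh
# Added example, not from the original post: a triage scanner that applies the
# checks of Steps 4 and 5 to a WordPress tree and prints one tagged line each:
#   mtime:<path>   modified within the last N days
#   func:<path>    PHP file referencing one of the functions listed above
#   img:<path>     image under wp-content/uploads that contains a PHP tag
#   iframe:<path>  PHP file that embeds an <iframe>
# Findings are for human review, not automatic deletion (see the Note above).
# Assumes GNU grep (for \b) and an xargs that accepts -r.

SUSPICIOUS='base64_decode|\bexec\(|move_uploaded_file|str_rot13|gzuncompress|\beval\(|\bsystem\(|\bassert\(|preg_replace.*/e'

scan_wp_tree() {                        # $1 = site root, $2 = days back (default 60)
  ( cd "$1" || exit 1; days=${2:-60}
    find . -type f -mtime "-$days" | sed 's/^/mtime:/'
    # -print0 / -0 keep paths with spaces intact; -r skips grep when find finds nothing
    find . -type f -name '*.php' -print0 \
      | xargs -0r grep -lE "$SUSPICIOUS" | sed 's/^/func:/'
    find ./wp-content/uploads -type f \( -iname '*.jpg' -o -iname '*.png' \
        -o -iname '*.gif' -o -iname '*.svg' \) -print0 2>/dev/null \
      | xargs -0r grep -la '<?php' | sed 's/^/img:/'
    # grep the file CONTENTS for <iframe>; grepping the file names would miss it
    find . -type f -name '*.php' -print0 \
      | xargs -0r grep -li '<iframe' | sed 's/^/iframe:/'
  ) | sort
}

# Constructed fixture (not a real site): one clean, old core file plus three
# planted indicators so the scanner can be exercised offline.
make_fixture() {
  d=$(mktemp -d)
  mkdir -p "$d/wp-includes" "$d/wp-content/plugins/hello" \
           "$d/wp-content/uploads/2024" "$d/wp-content/themes/demo"
  printf '<?php\n$wp_version = "6.x";\n' > "$d/wp-includes/version.php"
  touch -t 202001010000 "$d/wp-includes/version.php"        # old, untouched
  printf '<?php\neval(base64_decode($p));\n' > "$d/wp-content/plugins/hello/hello.php"
  printf 'JFIF.. <?php planted marker\n' > "$d/wp-content/uploads/2024/photo.jpg"
  printf '<?php get_footer(); ?>\n<iframe src="//example.invalid"></iframe>\n' \
    > "$d/wp-content/themes/demo/footer.php"
  echo "$d"
}

if [ "${1:-}" = "--demo" ]; then        # run: sh scan.sh --demo
  site=$(make_fixture); scan_wp_tree "$site" 60; rm -rf "$site"
fi
```

On a real site, run scan_wp_tree against the document root and review the func/img/iframe lines against a clean copy of the same plugin or theme before deleting anything.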
Step #6: Replace Hacked WordPress Core Files
WordPress is made up of many files and folders that work together to create a functional website. Most of them are core files, which are identical across installations of the same version.
So, if malware is still present after Step 5, the next thing to clean is the WordPress core files.
The easiest way is to download a fresh copy of WordPress from WordPress.org and replace each compromised file with a clean copy.
To do so, open the fresh file and your existing file (wp-config.php included) side by side in a text editor and compare them. Your wp-config.php will legitimately differ from the original because it holds your database settings, but take the time to look for anything suspicious and remove it if necessary.
When you’re done, save the cleaned-up file and upload it to your server.
A small reminder: don’t overwrite your wp-config.php file or your wp-content folder, and make sure you have a working backup before you start!
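An added example (not from the original post) of the Step 6 comparison done by script rather than by eye: it diffs a site against a fresh extracted copy of the same WordPress version, skipping wp-config.php and wp-content as the reminder above advises. The two fixture trees it builds under a temp directory are constructed for the demo.

```shell
#!/bin/sh
# Added example, not from the original post: compare a site's core files with
# a fresh WordPress.org download of the same version (Step 6), byte for byte
# instead of eyeballing. One tagged line per finding:
#   modified:<path>  content differs from the fresh copy
#   missing:<path>   present in the fresh copy, absent from the site
#   extra:<path>     PHP file in a core directory that the fresh copy lacks
# wp-config.php and wp-content/ are skipped, as the reminder above says;
# review those by hand, because they legitimately differ from the download.

core_diff() {                         # $1 = fresh extracted copy, $2 = site root
  fresh=$1; site=$2
  (
    ( cd "$fresh" && find . -type f ! -path './wp-content/*' ! -name wp-config.php ) \
    | while IFS= read -r f; do
        if [ ! -f "$site/$f" ]; then echo "missing:$f"
        elif ! cmp -s "$fresh/$f" "$site/$f"; then echo "modified:$f"
        fi
      done
    # anything PHP in a core directory that the fresh copy doesn't have
    ( cd "$site" && find . -type f -name '*.php' ! -path './wp-content/*' ! -name wp-config.php ) \
    | while IFS= read -r f; do [ -f "$fresh/$f" ] || echo "extra:$f"; done
  ) | sort
}

# Constructed fixture (no real WordPress files): a small "fresh" copy and a
# "site" copy where one core file was altered, one is missing and one was added.
make_core_fixture() {
  d=$(mktemp -d)
  mkdir -p "$d/fresh/wp-includes" "$d/fresh/wp-content" \
           "$d/site/wp-includes"  "$d/site/wp-content/plugins"
  for side in fresh site; do
    printf '<?php\nrequire __DIR__ . "/wp-load.php";\n' > "$d/$side/wp-login.php"
    printf '<?php\nfunction wp_mail() {}\n' > "$d/$side/wp-includes/pluggable.php"
  done
  printf '<?php\n// sample config\n' > "$d/fresh/wp-config-sample.php"    # missing on site
  printf '// planted change\n' >> "$d/site/wp-includes/pluggable.php"     # modified on site
  printf '<?php\n// planted file\n' > "$d/site/wp-includes/zz-planted.php" # extra on site
  printf '<?php\n// plugin, outside core\n' > "$d/site/wp-content/plugins/x.php"
  printf '<?php\n// differs legitimately\n' > "$d/site/wp-config.php"
  echo "$d"
}

if [ "${1:-}" = "--demo" ]; then      # run: sh core_diff.sh --demo
  base=$(make_core_fixture); core_diff "$base/fresh" "$base/site"; rm -rf "$base"
fi
```

WP-CLI’s wp core verify-checksums performs the same kind of comparison against the checksums WordPress.org publishes for your installed version, so you can use it instead of downloading a copy yourself.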
Step #7: Reinstall your Themes & Necessary Plugins
If you still have the problem after all the steps above, try reinstalling your themes and plugins. This also ensures you are running the latest patched versions, minimizing the known attack surface for hackers.
To reinstall your theme, go to your WordPress dashboard and navigate to Appearance > Themes. Now install and activate your chosen theme.
Next, the plugins. Click Plugins in the left sidebar of your WordPress dashboard, then Add New, to install and activate plugins on your site.
However, today’s WordPress ecosystem has automatic updates built in, so you don’t need to bother with this unless you have manually turned off automatic updates for your themes and plugins.
Note: Hackers are more likely to target abandoned plugins and themes because developers no longer patch known vulnerabilities. So, stay alert when you are using them.
Step #8: Remove your Website from URL Blocklists (Additional)
This is an extra step in removing malware from a WordPress website.
If you have followed the seven steps above, the malware itself should already be gone.
Now all you have to do is remove your website URL from Google’s blocklist. You can do that using Google Search Console. Simply follow these steps:
- Navigate to your Google Search Console’s admin dashboard
- Open the Security & Manual Actions > Security issues tab
- Select I have fixed these issues > Request a review to have Google review and re-index your WordPress site
Keep in mind that Google can take a couple of days to process the blocklist removal request.
We recommend doing it immediately since the longer Google blocks your website, the more it harms your website’s SEO and reputation.
Remove malware from your WordPress site Automatically
If you don’t want to remove WordPress malware manually, you can use a WordPress malware removal plugin to clean your website, or hire a professional security expert to do the job for you.
Using a WordPress Security Plugin
For this tutorial I am going to use the Wordfence plugin, because in my experience it is the best WordPress security plugin available.
Simply follow these steps to continue:
- Go to your WordPress dashboard and click “Plugins > Add New.” Search for “Wordfence,” install the plugin, and activate it.
- Next, go to Wordfence (lower left) in your WordPress dashboard and click on “Scan.”
- Choose the “Scan Type” as “Full Scan” and click on the “Start New Scan” button. Wordfence will now scan your website for malware.
- After completing the scan, Wordfence will display a list of identified issues. Review the results carefully and identify any malware or suspicious files.
- Then quarantine or remove the identified malware. In the scan results, locate the malware files, and select the action you want to take (quarantine or delete).
Or Hire a WordPress Malware Removal Expert
If you have tried all the steps above, including the plugin option, and still face issues, hiring a WordPress security professional is the last resort.
A professional can properly clean the malware on your website, ensuring no malicious scripts or backdoors remain. Their expertise also keeps you from deleting important files during the removal, so your site keeps working.
Here you can check my profile. I am MD Pabel, founder and CEO of 3Zero Digital, a leading agency specializing in WordPress malware removal, security services, and custom web development.
I have 7+ years of experience cleaning hacked WordPress websites, and have completed 2000+ projects, served 1700+ clients, and resolved 4500+ cases of malware and hacked websites.
Of course, you don’t have to choose me. You can try freelance services too: search for a suitable one, then review candidates’ portfolios to judge whether their expertise fits your recovery task.
Closing Thoughts on WordPress Malware Removal
Malware on a WordPress site is a common cyber attack that can cause serious damage, so it’s wise to check your website for malware every 30 days.
If you find anything suspicious, just follow this guide to clean your website.
Or if you want a professional touch on your WordPress malware removal, I would love to assist you further.
Let’s connect to make your website happy!