WordPress Malware Removal: Expert Guide to Clean Hacked WordPress Site

Published on 8/31/2025
MD Pabel

WordPress is the CMS that has the largest market share and powers 33% of all websites on the web.

Due to its popularity, WordPress faces approximately 90,000 attacks per minute.

So, whenever you notice something unusual on your WordPress website, there is a real chance that it has been infected with malware.

That’s why I came up with this blog on WordPress malware removal, where you can fix a hacked WordPress site in just a few steps.

But yes, before proceeding, you should know some common types of malware that you can see most frequently on your website:

  • Trojan/Backdoor: Hackers insert malicious code into themes, plugins, or core files to maintain persistent access.
  • File-infecting Viruses: Rare but can infect PHP files, altering website behaviour or redirecting visitors.
  • Ransomware: It encrypts site files or databases, demanding a ransom.
  • Spyware/Keyloggers: Can be hidden in plugins or themes to steal credentials and user data.
  • Adware: Often injected into sites to display unwanted ads to visitors.
  • Botnet Malware: Compromised sites may be used to send spam emails or participate in DDoS attacks.
  • SEO Spam/Malicious Redirects: Not a traditional malware type, but often a result of hacked plugins/themes, affecting search engine ranking.

However, for a more comprehensive list of malware, you can read my blog further on “Most Common WordPress Malware in 2025.”

How to Detect Malware on Your WordPress Website

Once you know the basics of malware, the next question is how to detect it. In practice, it is your own observation of the site’s behaviour and performance that tells you whether you have been hacked.

The following signs indicate that your site may have been hacked:

  • You will see spam appearing in your site’s header or footer that contains advertisements, such as pornography, drugs, or illegal services.
  • They usually appear as dark text on a dark background and are not very visible to the human eye (but search engines can detect them).
  • You search for your website, and your WordPress site is redirecting to spam or somewhere else. Often, attackers inject malicious redirects to send your traffic to their ads or spam pages to improve their SEO rankings and hijack your traffic.
  • Some malware consumes significant server resources, making your site very slow and increasing its load time. Though this is rare, you should stay alert.
  • You find strange-looking JavaScript code in your WordPress core files. Attackers often use obfuscation, odd formatting, and code comments to conceal their malware from view.
  • Even a small snippet of malicious JavaScript can be used to redirect website traffic, harvest credit card details, or steal passwords from a hacked website.
  • Sometimes your audience may report that they are being redirected to a malicious or spammy website.
  • Some hacks detect that you are the site administrator and hide the spam from you; instead, they show it only to your visitors or to search engines.
  • You receive a report from your hosting provider that your website is engaging in malicious or spammy behaviour.

You can also use automated scanners to detect malware on your website; see my separate blog post on that for details.

Now let’s walk through the steps on how to remove malware from a WordPress site.

Step 1: Put Your Site in Maintenance Mode

Whenever you suspect your WordPress site has been compromised, immediately restrict its access to prevent users from visiting it.

You can do this by enabling maintenance mode, which hides your website content from visitors and displays a message informing them that your site will be back soon.

However, WordPress does not ship with a user-facing maintenance mode setting. Here are three ways you can activate maintenance mode on your site:

  • modifying the .htaccess file
  • adding a custom function, and
  • using a maintenance plugin

Among the three options, I will use the easiest plugin method because it’s suitable for non-technical users as well.

You can use a plugin like “LightStart,” “SeedProd,” or “Site Offline” to complete your task. These free tools enable you to easily activate maintenance mode on your site with just a few clicks.

We will do the demonstration by picking one. Let’s assume “SeedProd.”

Just install and activate the SeedProd plugin and follow this guide to continue:

  1. Open the SeedProd tab on the left sidebar of your WordPress dashboard and select Set up a Maintenance Mode Page.
  2. Choose a free maintenance mode page template from the library and save it. You can also modify or edit the template further.
  3. Then click the cross symbol on the top right corner of the editor. SeedProd will prompt you to enable maintenance mode. Select “Yes” to activate it.
  4. You will return to the SeedProd dashboard. Highlight the toggle to ensure that the Maintenance Mode setting is Active.

Step 2: Back Up Your WordPress Files

Before making any changes to your website, the next thing to do is take a full backup of your website.

There are two things you’ll need to back up:

  • Your Database: Where your content, settings, and user information are stored.
  • Your Files: The other items, such as your themes, plugins, and images.

The easiest way to take a site backup is using a WordPress plugin. There are free WordPress plugins, such as UpdraftPlus, All in one wp migration, and Jetpack, that can help you accomplish your task.

However, you can back up your WordPress site manually, too, by using cPanel/file manager and phpMyAdmin.

Most users skip the manual option to back up files because it’s technically difficult, has a steep learning curve, and requires a significant amount of time to complete.

Anyways, if you don’t know how to make this happen, you can check this full guide on how to take a backup of your WordPress website to continue.

⚠️ Tip: Store the backup outside of your hosting server (Google Drive, Dropbox, or your local computer). If your hosting is compromised, a backup stored on the same server is useless.

Step 3: Replace Core WordPress Files & Update Themes/Plugins

When a WordPress site is hacked, the malware often hides inside the core files (such as wp-config.php, the wp-includes directory, or even index.php).

Hackers inject malicious code into these files because they’re loaded every time your site runs, giving them easy access to spread malware or steal data.

Replacing the core WordPress files is one of the key steps. You can do it in two ways:

  • Automatic Process: This is the easiest way to replace core WordPress files. Just use the built-in reinstallation feature in your WordPress dashboard by navigating to Dashboard > Updates and clicking “Re-install Now”.
  • Manual Process: Second, you can fix it by downloading a fresh installation from WordPress.org and replacing each compromised file with a clean copy.
    To do so, just extract the downloaded files on your computer, delete the “wp-content” folder from the extracted files, and then upload the rest to your website (using FTP or your host’s file manager). Replace the old files when asked.
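
Before overwriting anything, it helps to know which core files were actually touched. The following is an added example, not code from the post: it compares a WordPress root against a checksum manifest of the same shape the api.wordpress.org core checksums endpoint returns (md5 per relative path), and also flags .php files sitting in wp-admin/ or wp-includes/ that the manifest does not know about. The manifest and files here are constructed so it runs offline; note that wp-config.php and wp-content/ are site-specific, are not covered by core checksums, and must still be reviewed by hand.

```python
import hashlib
import os
import tempfile

# Expected checksums: md5 hex digests keyed by path relative to the WordPress
# root. The file contents here are constructed for the demo, not real core.
CLEAN_FILES = {
    "index.php": "<?php require __DIR__ . '/wp-blog-header.php';\n",
    "wp-includes/version.php": "<?php $wp_version = '6.6';\n",
}
EXPECTED = {p: hashlib.md5(c.encode()).hexdigest() for p, c in CLEAN_FILES.items()}
CORE_DIRS = ("wp-admin", "wp-includes")

def verify_core(root, expected):
    """Return {relative_path: 'ok' | 'modified' | 'missing' | 'unexpected'}.

    Manifest files are hashed and compared; .php files under wp-admin/ or
    wp-includes/ that are not in the manifest are flagged, because a clean
    reinstall overwrites known files but leaves planted extras in place.
    """
    report = {}
    for rel, digest in expected.items():
        path = os.path.join(root, rel)
        if not os.path.isfile(path):
            report[rel] = "missing"
            continue
        with open(path, "rb") as fh:
            report[rel] = "ok" if hashlib.md5(fh.read()).hexdigest() == digest else "modified"
    for core_dir in CORE_DIRS:
        for dirpath, _, files in os.walk(os.path.join(root, core_dir)):
            for name in files:
                rel = os.path.relpath(os.path.join(dirpath, name), root).replace(os.sep, "/")
                if name.endswith(".php") and rel not in expected:
                    report[rel] = "unexpected"
    return report

def demo():
    """Constructed install: one tampered core file plus one extra file in
    wp-includes/, which is how a hacked site often looks."""
    root = tempfile.mkdtemp()
    os.makedirs(os.path.join(root, "wp-includes"))
    for rel, content in CLEAN_FILES.items():
        with open(os.path.join(root, rel), "w") as fh:
            fh.write(content)
    with open(os.path.join(root, "index.php"), "a") as fh:   # tamper with a core file
        fh.write("// extra line that is not in the official release\n")
    with open(os.path.join(root, "wp-includes", "extra.php"), "w") as fh:
        fh.write("<?php // file that does not belong to core\n")
    return verify_core(root, EXPECTED)
```

Anything reported as "modified" or "unexpected" is what the reinstall in this step must overwrite or delete; "missing" entries usually mean a partial upload.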

After that, you have to update your themes and plugins. This ensures that you have applied the latest patches, minimizing the known attack surface for hackers.

To update themes and plugins:

  • Go to your site’s dashboard and navigate to the Dashboard > Updates page or the Plugins > Installed Plugins page
  • Then click the “Update Now” link or select multiple items from the list to update them in bulk.
  • However, WordPress now ships with an automatic update system, so you only need this update section if you have manually turned off automatic updates for your themes and plugins.

Note: Hackers are more likely to target abandoned plugins and themes because developers no longer patch known vulnerabilities. So, stay alert when you are using them.

⚠️ Tip: Avoid nulled/pirated plugins; they’re one of the most common infection sources.

Step 4: Scan with Security Tools

Now that your files have been replaced, run deep scans to detect any hidden malware. There are two ways to do this:

  • Just scan your site with a security plugin. You can use “Wordfence Security,” “Sucuri SiteCheck,” or “MalCare,” which are the best for scanning malware signatures and suspicious files.
  • Or try an online WordPress malware scanner. Among them, “VirusTotal” and “Quttera” serve best in their field.

To provide a better understanding, I will use the Wordfence plugin in this tutorial. I found it to be one of the best WordPress security service plugins on the internet.

Simply follow these steps to continue:

  1. Go to your WordPress dashboard, click on “Plugins> Add New.” Search for “Wordfence,” install the plugin, and activate it.
  2. Next, go to Wordfence (lower down in the left sidebar) in your WordPress dashboard and click on “Scan.”
  3. Choose the “Scan Type” as “Full Scan” and click on the “Start New Scan” button. Wordfence will now scan your website for malware.
  4. After completing the scan, Wordfence will display a list of identified issues. Review the results carefully and identify any malware or suspicious files.
  5. Then quarantine or remove the identified malware. In the scan results, locate the malware files, and select the action you want to take (clean or delete).

Step 5: Scan Your Database for Malware

Most security plugins only scan files, not the database.

Some free versions of plugins allow you to check the database, but they’re too limited for a proper WordPress malware cleanup. Real database cleanup usually comes only with the premium version of a few plugins.

This is why hackers like to hide malicious code inside your database. If you don’t check it, the infection can persist even after you’ve cleaned your site files.

Some of the most common database targets are:

  • wp_posts: Hackers may insert hidden spam content, fake redirects, or malicious scripts inside your posts and pages.
  • wp_options: Attackers sometimes inject harmful JavaScript or iframes into your site’s settings.
  • Custom plugin tables: Certain plugins create their own tables, which hackers can also exploit.

So, the best method is to combine a plugin scan with a manual scan to make your website malware-free.

Since the plugin scan was covered in Step 4, here I will guide you through the manual scan process.

To check this:

  1. Log in to phpMyAdmin (or your hosting’s database tool).
  2. Search for suspicious code, such as base64, <script>, iframe, or unusual links. More patterns are listed below; check them too.
  3. Remove any spammy entries that you see.

⚠️ Tip: Be careful; don’t delete legitimate entries. Always take a database backup before making any edits.
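
The phpMyAdmin search above can be automated over an export of the tables. As an added example (not code from the post), this script runs the same patterns over rows taken from wp_posts and wp_options, additionally flags links to any host other than your own and a rewritten siteurl/home option, and returns findings for review rather than deleting anything. The rows, the site hostname example.com and the other domains are constructed for the demo.

```python
import re
from urllib.parse import urlparse

# The strings the post tells you to search for, plus a long base64-looking run.
PATTERNS = {
    "script_tag": re.compile(r"<script\b", re.I),
    "iframe_tag": re.compile(r"<iframe\b", re.I),
    "base64_call": re.compile(r"base64_decode\s*\(", re.I),
    "eval_call": re.compile(r"\beval\s*\(", re.I),
    "base64_blob": re.compile(r"[A-Za-z0-9+/]{80,}={0,2}"),
}
URL_RE = re.compile(r"https?://[^\s\"'<>]+", re.I)

def scan_row(row, site_host):
    """Return [(reason, detail), ...] for one row {"table","id","field","value"}.
    Links to hosts other than `site_host` are reported as leads, not proof."""
    findings, value = [], row["value"]
    for reason, rx in PATTERNS.items():
        m = rx.search(value)
        if m:
            findings.append((reason, m.group(0)[:40]))
    for url in URL_RE.findall(value):
        host = urlparse(url).hostname or ""
        if host != site_host and not host.endswith("." + site_host):
            findings.append(("external_link", url))
    # A rewritten siteurl/home option is the classic whole-site redirect hack.
    if row["table"] == "wp_options" and row["field"] in ("siteurl", "home"):
        if (urlparse(value).hostname or "") != site_host:
            findings.append(("site_url_changed", value))
    return findings

def scan_rows(rows, site_host):
    """Scan every row; return {(table, id, field): findings} for rows with hits."""
    hits = {}
    for r in rows:
        f = scan_row(r, site_host)
        if f:
            hits[(r["table"], r["id"], r["field"])] = f
    return hits

# Constructed sample export (not real data): a clean post, a post with an
# injected hidden iframe, and a siteurl option pointing the site elsewhere.
SAMPLE_ROWS = [
    {"table": "wp_posts", "id": 1, "field": "post_content",
     "value": "<p>Welcome! Read <a href='https://example.com/about'>about us</a>.</p>"},
    {"table": "wp_posts", "id": 2, "field": "post_content",
     "value": "<p>Hi</p><iframe src='http://bad.example.net/x' style='display:none'></iframe>"},
    {"table": "wp_options", "id": 3, "field": "siteurl", "value": "http://bad.example.net"},
]
```

Run `scan_rows(SAMPLE_ROWS, "example.com")` and only the second post and the siteurl option come back; each hit tells you which table row to open in phpMyAdmin.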

Step 6: Reset Passwords & Security Keys

A compromised website means that your WordPress administrator credentials may already be exposed, for example on the dark web, and anyone who has them can steal and use your website data.

So, immediately resetting all passwords can give you some relief from a hack.

It’s wise to update your credentials on other platforms as well, such as the WordPress database user, the hosting panel, and your File Transfer Protocol (FTP) account.

To minimize security threats, use a robust and unique password for each of your accounts. You can use a password generator tool, such as 1Password, NordPass, or Strong Password Generator, to make the process easier.

Plus, you can store all your credentials in these applications, which provide an encrypted vault to safeguard your login information for the future.

Finally, update your WordPress security keys (salts):

  1. Go to the WordPress Secret Key Generator: https://api.wordpress.org/secret-key/1.1/salt/.
  2. Copy the new salts.
  3. Replace the existing ones in your wp-config.php file.

This step will log out all existing sessions and prevent stolen cookies from being reused.
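
Replacing the eight define() lines by hand is easy to get half right, and a salt that is left unchanged keeps its old sessions valid. As an added example (not code from the post), the script below parses a block in the format the generator URL above returns, refuses to proceed unless all eight keys are present in both the block and wp-config.php, and rewrites the file text. The sample wp-config.php fragment is constructed, and generate_salt_block() is an offline stand-in for the generator.

```python
import re
import secrets
import string

# The eight constants WordPress reads from wp-config.php to sign cookies.
SALT_KEYS = ("AUTH_KEY", "SECURE_AUTH_KEY", "LOGGED_IN_KEY", "NONCE_KEY",
             "AUTH_SALT", "SECURE_AUTH_SALT", "LOGGED_IN_SALT", "NONCE_SALT")
# Matches define('NAME', 'value'); with any whitespace padding around the arguments.
DEFINE_RE = re.compile(r"define\(\s*'(?P<name>[A-Z_]+)'\s*,\s*'(?P<value>[^']*)'\s*\);")

def _require_all(names, where):
    missing = [k for k in SALT_KEYS if k not in names]
    if missing:
        raise ValueError("%s is missing: %s" % (where, ", ".join(missing)))

def parse_salts(block):
    """Parse define('NAME', 'value'); lines (the generator's output format)
    into {NAME: value}, refusing a block with any of the eight keys absent."""
    found = {m.group("name"): m.group("value") for m in DEFINE_RE.finditer(block)}
    _require_all(found, "salt block")
    return {k: found[k] for k in SALT_KEYS}

def rotate_salts(config_text, new_salts):
    """Return wp-config.php text with all eight salts replaced in place.
    Every key must already be defined in the file: silently skipping one
    would leave the old value in use and old sessions valid."""
    _require_all({m.group("name") for m in DEFINE_RE.finditer(config_text)},
                 "wp-config.php")
    _require_all(new_salts, "replacement set")
    def swap(m):
        name = m.group("name")
        if name not in new_salts:          # leave DB_NAME and other defines untouched
            return m.group(0)
        return "define('%s', '%s');" % (name, new_salts[name])
    return DEFINE_RE.sub(swap, config_text)

def generate_salt_block():
    """Offline stand-in for the generator URL: 64 random characters per key,
    excluding quote and backslash so the PHP string literal stays valid."""
    alphabet = string.ascii_letters + string.digits + "!@#$%^&*()-_=+[]{}<>?,.;:|~"
    return "\n".join("define('%s', '%s');" % (k, "".join(secrets.choice(alphabet) for _ in range(64)))
                     for k in SALT_KEYS)

# Constructed wp-config.php fragment with the placeholder salts a fresh download ships with.
SAMPLE_CONFIG = "<?php\ndefine('DB_NAME', 'wp');\n" + "\n".join(
    "define('%s',         'put your unique phrase here');" % k for k in SALT_KEYS) + "\n"
```

In practice you would read wp-config.php, pass it with the block copied from the generator URL to rotate_salts(), and write the result back; every logged-in user, including any attacker holding a stolen cookie, is signed out.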

Step 7: Remove Your Site from Blacklists

After a WordPress malware cleanup, your site might still appear as “dangerous” in search engines or browsers. So, all you have to do is remove your website URL from your search engine blacklist.

Since 89.57% of users come from Google, I will show you how to remove the blacklist using Google Search Console.

Here’s how to fix it:

  1. Navigate to your Google Search Console’s admin dashboard.
  2. Open the Security & Manual Actions > Security issues tab.
  3. Select I have fixed these issues > Request a review to have Google review and re-index your WordPress site.

Please note that Google may take a couple of days to process the blocklist removal request.

I recommend that you do it immediately since the longer Google blocks your website, the more it harms your website’s SEO and reputation.

However, you can also end up blacklisted by big security companies such as McAfee, Norton, Yandex, Spamhaus, and others, if your visitors use their products.

This results in warnings that your visitors may see, or browsers may block your site outright.

The solution: these companies provide public forms where you can submit a request to review your site after you’ve done the WordPress malware cleanup.

If they confirm it’s safe, they will remove your site from their blacklist, and the warnings will disappear.

Step 8: Strengthen Security to Prevent Future Attacks

Cleaning malware from your WordPress site is only half the battle; the real challenge is ensuring it doesn’t come back.

In most cases, the primary cause of malware infection is the website’s weak security. Hackers often exploit the same weak points, so strengthening your site’s security is the best option.

Here are some steps that you can take to improve your WordPress website’s security:

  • Ensure that all your passwords are random strings, a combination of letters, numbers, and symbols. Avoid using dictionary phrases. Use a two-factor authentication plugin in WordPress.
  • Set proper file permissions in WordPress and remove any old backups present on the server. Instead, keep the backup securely on your local computer.
  • Change your WordPress admin URL to make brute-force login attempts harder, and disable directory indexing.
  • Keep your WordPress core and themes/plugins up to date. Do not use nulled themes and plugins, as they often contain malware.
  • Use SSL and install a plugin to force users to use HTTPS.
  • Follow secure coding practices for WordPress development while building something for your website.
  • Enhance the security of your server by blocking sensitive ports and utilizing subnetting on shared hosting.
  • Use a WordPress firewall and security solution on your website. Additionally, conduct regular security audits to identify any vulnerabilities in your WordPress site before hackers do.

Hiring a WordPress Website Malware Removal Service

If you tried all the steps we covered along with the plugin option, and still face issues, hiring a WordPress security professional is the last resort.

A professional can properly clean malware on your website, ensuring no malicious scripts or backdoors remain. Their expertise also avoids deleting important files during the removal process, so the site keeps working.

Here you can check my profile. I am MD Pabel, founder and CEO of 3Zero Digital, a leading agency specializing in WordPress malware removal, security services, and custom web development services.

I have 7+ years of experience cleaning hacked WordPress websites. I have also completed more than 2000 projects, served over 1700 clients, and resolved 4500+ cases of malware and hacked websites.

However, you don’t have to rely only on me. You can try freelance services too.

Just search for a suitable one. Once you have candidates, review their portfolios to determine whether their expertise fits your recovery task.

Closing Thoughts on WordPress Malware Removal

You are aware that malware on a WordPress site is a common cyberattack that can cause serious damage. So, it’s wise to check your website for malware every 30 days.

If you find any suspicious content, just follow our guide to make your website clean.

Or, if you’d like to hire a WordPress malware removal expert, I’d be happy to assist you further.

Let’s connect to make your website happy!

About the Author

MD Pabel

MD Pabel is the Founder and CEO of 3Zero Digital, a leading agency specializing in custom web development, WordPress security, and malware removal. With over 7 years of experience, he has completed more than 3200 projects, served over 2300 clients, and resolved 4500+ cases of malware and hacked websites.