How to Remove Malware
From WordPress (Manually)
Is your site redirecting to spam? Did your host suspend you? Most guides just say "install a plugin," but plugins miss hidden backdoors. Follow this 4-step manual protocol to clean your hacked site for good.
Step 1: Scan & Verify Infection
You need to confirm if the issue is a plugin conflict or actual malware. Use these free tools to identify infected files.
External Check
Use Sucuri to check if your site is blacklisted by Google, McAfee, or Norton.
Run Free Scan on SucuriInternal File Scan
Install Wordfence (Free). Go to 'Scan' → 'Start New Scan'. It compares your core files against the official repository to find changes.
Step 2: Find Hidden Backdoors
Check Source Code
Malware hides in
header.phporfooter.php. Look for random strings using functions likeeval,base64_decode, orgzinflate.Rogue Admin Users
Go to Users → All Users. Hackers often create hidden admins named 'wp-support', 'admin123', or '100100'. Delete them immediately.
Step 3: Clean Core Files (The Fix)
The safest way to remove malware is to replace your infected files with fresh ones.
- Download Fresh WordPress: Get the official .zip from wordpress.org.
- Connect via FTP: Use FileZilla or your Hosting File Manager.
- DELETE the
/wp-admin,/wp-includes, and all other WordPress core files from the site directory, except forwp-config.phpand thewp-contentdirectory. - UPLOAD the clean folders & files from the zip file to replace them.
- Warning: Never delete
wp-config.phpor the/wp-contentfolder.
Step 4: Fix Specific Symptoms
The core refresh fixes 80% of hacks. For redirects, spam, or database errors, follow these guides.
Fix Backdoors & Shells
- Htaccess Malware: Cookie-Based PHP Backdoor Explained (With Removal Guide)
- Hidden Links Malware: The Simple Guide to SEO-Spam Detection, Cleanup, and Prevention
- WP-Compat Plugin: The Hidden Backdoor in Your WordPress Site
- Is Your Website Hacked by “admnlxgxn”? Here’s How to Spot It and Clean It Up
- Dangerous JavaScript Malware Targeting WordPress and Node.js Sites
- WordPress Malware Alert: How Hidden Admin Backdoors Compromise Your Site
- Case Study: Anatomy of a Sophisticated Mobile-Targeted JavaScript Trojan
- WordPress Malware Removal: How I Fixed a Hacked Site Infected with Trojan.PHP.Webshell.Obfuscated
Fix Redirects & Spam
- The Ultimate Guide to Removing .htaccess Malware from WordPress
- Fix: WordPress Redirects to Spam Site on Mobile Only (Solved)
- Why Is My Website Showing Content From Another Site? (How to Find & Fix Hidden Malware)
- Website Redirecting to getfix[.]win: How to Detect, Remove, and Prevent This Malware
- All JavaScript (.js) Files Infected? A Step-by-Step Virus Removal Guide
- .htaccess Malware: How Hackers Hide Redirects and How to Remove Them Fast
- Recovering from SEO Spam: How We Cleared 242,000 Japanese Spam Pages from a Hacked WordPress Site in 2025
- Japanese Keyword Hack: The Complete Guide to Detection, Removal & Prevention in 2025
- How I Caught and Removed a Hidden Malware Hijacking Google Traffic
- How We Detected and Removed Malware from a Client WordPress Site After a Malicious Redirect
Clean Core Files
Common Cleanup Questions
Can I clean hacked WordPress without plugins?
Yes. In fact, manual cleaning is safer. Plugins can sometimes break your site or get blocked by advanced malware. The method above (Core Refresh) is the industry standard for cleaning file-based infections.
How do I remove "Deceptive Site Ahead"?
This is a Google Blacklist warning. First, follow the cleanup steps above. Then, go to Google Search Console -> Security Issues -> Request Review. Google will scan your site and remove the warning (usually within 24-72 hours).
Why does the malware keep coming back?
Reinfection usually happens because of a 'Backdoor' (a hidden file allowing hackers back in) or an unpatched vulnerability (like an old plugin). Make sure to update all plugins and change your passwords after cleaning.
Don't want to touch the code?
Deleting core files can be scary. One wrong click can crash your site. I can handle the full manual cleanup and security hardening for you.