Removing Malware from WordPress

By Unlimited. Published 12 October 2016, updated 15 April 2026. 5 min reading time.

Finding malware on your WordPress site is a stressful experience. Your site might be redirecting visitors to suspicious pages, showing content you never published, or your host may have flagged the account entirely. Whatever the symptom, the process for dealing with it follows a clear sequence: confirm the infection, remove it, then close the gap that let it in.

This post covers each of those steps in order, along with what to do once your site is clean to reduce the risk of it happening again.

How to tell if your WordPress site is infected

Some infections are obvious. Others sit quietly in the background, harvesting data or sending spam without any visible sign on the front end. The following are common indicators that something is wrong.

  • Visitors are being redirected to unrelated or suspicious websites
  • Google Search Console is showing security warnings or your site has been flagged in search results
  • Your hosting provider has suspended the account or sent an abuse notice
  • New admin accounts have appeared that you did not create
  • Pages contain spam links or content you did not write
  • Your site is loading unusually slowly or throwing unexpected errors

If you are seeing any of these, treat it as a confirmed infection until you can prove otherwise. A free external scan such as Sucuri SiteCheck gives a quick view of what a visitor or search engine sees, but it only inspects the rendered pages: a clean result does not rule out a backdoor that is not yet doing anything visible from outside your server.

Before you start cleaning

Take a backup before touching anything, even if the site is compromised. You want a record of the infected state in case you need to refer back to it, and you do not want to accidentally delete something you need during the cleanup process. Label that backup clearly as infected so it is never restored by mistake. Most cPanel accounts include a backup tool, and our knowledgebase has a guide on backing up your WordPress site.

Also change your credentials before you begin. Update the password of every WordPress administrator account, your hosting control panel, any FTP/SFTP logins and the database user, and rotate the authentication keys and salts in wp-config.php so that every existing login session is invalidated. If the attacker still has valid credentials or a live session, any cleanup you do can be undone within minutes.

Tip: If your site has been suspended by your host, open a support ticket before attempting any cleanup. Your host may be able to identify the infected files directly and advise on the safest approach for your specific account.

Scanning and removing infected files

The most accessible way to scan a WordPress installation for malware is a dedicated security plugin. Wordfence and MalCare are two of the most widely used options. Both compare your core files, themes and plugins against known clean versions and flag anything that does not match. Bear in mind that a scanner running inside a compromised WordPress is running alongside the attacker's code, so corroborate its results with file-level checks made over SSH or SFTP where you can.

Run a full scan from within your WordPress dashboard. The plugin will produce a list of affected files. For each one, you have a few options depending on what the file is.

  • Core WordPress files. If a core file has been modified, delete it and replace it with a clean copy of the same WordPress version from wordpress.org. Do not try to edit the infection out by hand. Note that wp-config.php is not part of the core download, so it has to be reviewed manually: look for include, require or eval statements you did not add.
  • Plugin or theme files. Deactivate and delete the affected plugin or theme, then reinstall it from the official WordPress repository or the vendor's own site. If the original copy came from a third-party download site, do not reinstall it from there.
  • Uploaded files. Check your wp-content/uploads directory for PHP files, including variants such as .phtml or .php5. There should not be any, so delete anything you find. Once the site is clean, configure the web server to refuse to execute PHP from that directory so a re-uploaded file cannot run.
  • Unknown files in the root directory. Any PHP file you do not recognise sitting in your root folder warrants investigation. Compare against a fresh WordPress install of the same version to identify what should and should not be there, and include hidden files such as .htaccess in the comparison, since attackers often add redirect rules there.

Our knowledgebase article on removing malware from WordPress covers the file-level cleanup process in more detail, including how to check your database for injected content.

Why outdated plugins create openings

The majority of WordPress infections come through one of three routes: an outdated plugin with a known vulnerability, a nulled (pirated) theme or plugin, or a weak admin password. Outdated plugins are by far the most common.

When a security vulnerability is discovered in a plugin, the developer typically releases a patch. That patch also, in effect, publishes the vulnerability to anyone paying attention. Sites still running the old version become targets. The window between a patch being released and attackers scanning for unpatched sites can be very short, sometimes hours.

Nulled plugins and themes carry a different kind of risk. They are often distributed with backdoors already built in, meaning the person who packaged the file has intentional access to any site that installs it. There is no patch for this because the malicious code is the feature. The post on how plugins compromise WordPress security goes into this in more depth.

Keeping the site clean after recovery

Once the infection is removed, a few ongoing habits will significantly reduce the chance of a repeat. These are not complicated, but they do need to be consistent.

  • Keep WordPress core, all plugins and all themes updated. Enable automatic updates where possible.
  • Remove plugins and themes you are not actively using. Inactive code is still a potential entry point.
  • Use strong, unique passwords for every admin account and your hosting control panel.
  • Install a security plugin that includes a firewall and login protection, not just a scanner.
  • Take regular backups and store them somewhere separate from your hosting account.

If you want a broader view of WordPress security practices, the post on security plugins for WordPress covers the main options worth considering.

Recovering from a malware infection takes time, but the process is manageable if you work through it methodically. Confirm the infection, back up, change credentials, scan and remove, then address the root cause. Skipping any of those steps tends to mean the problem comes back.

If you are running WordPress on a managed plan, our WordPress hosting includes tools to help you stay on top of security before problems develop.

If you have been through an infection and are not sure whether your site is fully clean, get in touch and we can take a look.
