How to Remove Malware from a WordPress Website (With 6 Security Tips)

How to Remove Malware from WordPress Site

Tanvir Faisal July 8, 2022

27 Min Read
Category: Tutorials

Since WordPress is the most used CMS globally, it faces the highest number of malware attacks. Malware, also known as malicious software, includes viruses, trojans, ransomware, spyware, and other harmful software that can make changes to a website without its user’s consent. Thus, website owners unknowingly host infected files within their websites.

The presence of Malware affects the user experience of a website negatively. It slows down a website, shows unwanted content, deteriorates the site’s performance, inserts malicious Javascript/iFrame files, and more. Most importantly, malware hampers the reputation of a website and questions its credibility.

Feeling worried? We’ve got your back. This article explains how to remove malware from a WordPress site. Before that, let’s learn why your website might become a target for malware attacks.

Why Your Website May Get Infected With Malware 

An illustration related to website security

A website can be infected with malware for various reasons. Malicious software doesn’t appear without any reason. There are always some identified or unknown factors that make a website susceptible to external attacks. The following list mentions the top reasons here.

Weak security: You may become a victim of malware if your site has vulnerable scripts that let hackers easily crawl into your website. People who run malware attacks are usually well-versed in technical knowledge. They can identify weak security and exploit that in the following ways:

  • Break into the backdoors and upload web-shells
  • Implant the virus in the website database
  • Add, modify, or remove admin roles.

Vulnerable plugins, themes, and templates: Free themes, plugins, and templates usually come with less security. Especially, nulled products often contain web shells and malicious scripts accessible by hackers. Using such infected products on your website opens a door for hackers.

Easy-to-guess passwords: Most people tend to use passwords that are easy to remember and related to them. Your pet name or birthday is not a strong password. Nowadays, it’s possible to get these pieces of information easily from social media accounts.

According to a study, 61% of unauthorized entry into organizations happens because of compromised credentials.


Sometimes, hackers try different combinations of passwords to access the website. This is called a brute-force attack.

A girl accessing a WordPress site

Theft of FTP credentials: Having access to FTP (File Transfer Protocol) is enough to infect malware on your website. Your login credentials may get stolen easily if you use an unprotected browser. Use secure channels while connecting your website via FTP.

Inexperienced hosting provider: Some hosting providers resell services after buying them from bigger companies. They don’t have hands-on experience in how to configure and administrate their hosting securely. Websites hosted on such servers are more vulnerable.

Untrustworthy freelancers/contractors: You may need to employ a freelancer or contractor from the service marketplaces. While most of them are honest and decent, a few may turn into a threat to your website’s security.

These freelance contractors have access to the website when they work on it. They may leave some code within the website and exploit your website in the future to earn more money.

How Can Malware Attacks Affect Your WordPress Website

WordPress security illustration

Malware in a WordPress site can affect its performance in every aspect, from the user experience to the site’s SEO health. It also hampers the reputation of a website to a great extent. And all these things are directly or indirectly associated with a significant monetary loss. Learn more about how different types of malware can affect your WordPress site from the below list.

  1. The hackers will have partial or complete control of your website
  2. They may attack other websites and send spam emails using your website as a host
  3. Malware usually stores thousands of files on the website occupying a large amount of your disk space
  4. Malware affects the user experience by slowing down your website
  5. It might modify a website’s SEO structure and result in a loss of website traffic
  6. Google blacklists websites that consist of malicious codes
  7. Your website’s content may get replaced by content from hackers
  8. Visitors may click on infected ads and get affected by the malware
  9. An infected website may grant cybercriminals to access your website
  10. Your website will lose a significant amount of visitors and revenue

How to Detect Malware on Your WordPress Site

There are multiple signs that are directly attacked by malware. You can easily detect if your WordPress site has malware by identifying these symptoms. You can also perform security audits regularly to find out the threats.

Keep reading the following section to learn how to detect malware on your WordPress website.

1. Scan your website using a URL Scanner

VirusTotal URL scanner

One of the easiest ways to check whether a website is hacked or infected with malware is to use a URL checker. VirusTotal scans WordPress websites for free to check if the site has any files flagged as malware. You can use such URL scanners to find out an infected website right away. However, these are not always able to find the malware.

2. Notice if there are any unexpected changes

Try to log in to your website’s dashboard. If your credentials don’t work anymore, try to recover the password. If you still fail to access the website, chances are high that your site has been compromised.

You may find unexpected changes in the core system files of a hacked website. Look out for new files containing suspicious-looking names or JavaScripts. Even a tiny code snippet can be used to extract credit card information and passwords from a website.

3. Look out for warning messages from Google Search Console

Google sends warning messages to owners of the linked websites. Take it seriously if you ever receive such warnings from Google. These notifications contain highly usable information about the overall situation.

4. Identify the underlying reasons for a slow website

A website loads slowly for various reasons. It may take longer to load because of less optimized content or heavy plugins, themes, and scripts. Find out why your website has become slow suddenly. If there are no valid reasons, it might be malware doing the trick. Malware uses a large number of server resources which eventually makes the website slower.

5. Identify spam results for your website on Google

Two persons discussing about WordPress

Search your brand name/domain name on Google. Examine the search results and notice if they look strange to you. If the results contain unrelated meta descriptions and weird characters, take that as a sign of malware.

6. Find if there are any web host flags issues

Web hosting providers regularly audit their servers and take immediate action if there is any malicious activity. They will disable your website and notify you about the issue if your website ever gets attacked by malware. The main reason for this is to prevent the malware from spreading to other websites hosted by them.

7. Consider customer complaints

Most of the time, customers face malware issues before the website owners. If your customer alerts you about unusual activity, compromised user experience, credit card theft, or any other performance issues, take their complaints seriously. Make it your first priority if you run an eCommerce website.

8. Investigate unexpected behavior in analytics

If you see a sudden spike or significant drop in the different parameters in your analytics, investigate this unexpected behavior. Usually, traffic, sales, the number of backlinks, the number of pages, etc. don’t increase or decrease overnight. Sudden significant change means there is something wrong with it. And, in many cases, it’s malware.

How to Remove Malware from WordPress Site

How to Remove Malware from WordPress Site

Once you’re sure that your WordPress website has malware, clean it as soon as possible. You can remove malware from a WordPress site both manually and using a plugin. We suggest using a plugin since it requires less technical knowledge and associates less risk with the cleaning process. However, the following section has both ways of malware removal for your convenience.

Clean WordPress Malware Manually

Here’s a step-by-step tutorial on how to clean WordPress malware manually.

1. Back up your website

You’re going to make significant changes to your WordPress website during this malware cleaning process. There are slight chances that you’ll lose valuable data if you don’t have a backup beforehand.

Back up all your files and database using a WordPress plugin. UpdraftPlus is a great WordPress backup plugin that you can use easily.

You can also make a backup of your website by accessing the cPanel or your FTP- File Transfer Protocol Client like FileZilla.

Backup option of the cPanel

Note: The .htaccess file is invisible by default. You can see it only after enabling the visibility of hidden files from the host’s File Manager. Make it visible and download it on your computer for future use.

2. Thoroughly check the backup files

The future of your website depends on these backup files. So, it’s important to examine them before you move to the next steps. Have a close look at the following types of files.

  • All WordPress core files
  • wp-config.php file
  • .htaccess file
  • wp-content folder
  • SQL database

Check all these files and folders to see if you have everything you need. Go to the next step if your backup files are okay.

3. Clean your public_html folder

Now go to the public_html folder via the File Manager of the cPanel. Delete all files from the folder (except server-related folders and the cgi-bin folder) that look free from malware. If you have multiple websites connected via the same hosting account, make sure to clean all of them.

4. Clean malware from WordPress database tables

You have a complete backup of your website now. It’s time to do some internal cleansing. Go to the website database through phpMyAdmin. Scan the data tables to find out suspicious names like spammy keywords or links. Remove everything that looks malicious.

5. Clean themes and plugin files

Make a list of all the plugins you have on your WordPress site. This list will help you reinstall them once the cleaning is done. Erase all files related to the plugins from the subfolder. Delete the theme contents as well. Maybe, you got affected by the malware in your plugins or themes. So, delete all of these to minimize the risk.

6. Reinstall WordPress core

Now that the cleaning is almost done, it’s time to install WordPress again. You can reinstall WordPress via the one-click installer of your cPanel. Use the database credentials from the old wp-config.php file to connect the new installation to the old database.

Now you can upload the backup files of your website to the newly installed WordPress.

7. Reset passwords and configure the WordPress settings

Login to your website dashboard and reset credentials for all users. Set a strong password for each user. If you don’t see any unusual user name or activity, your database is clean of malware. Now, configure the settings for your WordPress website. Pay special attention to the permalink settings.

8. Reinstall plugins and themes

Best WordPress Themes and Plugins

Since you deleted files related to themes and plugins, you need to reinstall them freshly from the WordPress repository. Don’t go for unauthorized or nulled plugins or themes. Refer to your backup files to replicate the customization you made before.

9. Remove all the backdoors you can identify

Hackers can enter your website backdoors. Backdoors look like WordPress core files but contain different extensions as follows.

  • gzuncompress
  • base64
  • system
  • assert
  • stripslashes
  • preg_replace (with /e/)
  • move_uploaded_file
  • eval
  • str_rot13
  • exec

If any of your WordPress files carries such PHP functions, they might be malware in disguise. Remove these infected files right away. But, keep in mind that some plugins legitimately use such PHP functions to improve their functionality. Spare them to keep your website running without breaking.

10. Reach out to remove security warnings

Search engines and web hosting providers flag a website as malicious if it remains affected by malware for a long time. If you get any such security warning, you need to contact them to remove the warning after cleaning the malware. They’ll review your request and remove the warning if everything looks fine to them.

11. Install a security plugin to scan your website

You’re all done! Now install a security plugin to your WordPress site to tighten the security. Run a complete scan using the plugin to identify potential threats. Hopefully, you’ll face no issues after doing all the hard work. However, if you find anything after scanning, you can clean that using the plugin you’ve installed.

In the following section, we will show you how to remove malware from a WordPress site using a plugin.

Clean WordPress Malware with a Plugin (MalCare)

Malcare landing page

The manual process of cleaning WordPress malware is a bit complex, especially for people with low technical knowledge. A quality security plugin can unburden you from the painstaking steps of malware removal.

We used MalCare here as it is one of the best WordPress security plugins that keep the website secure with automatic scans, one-click malware removal, and a security firewall.

Let’s learn how you can clean WordPress malware with MalCare from the following section.

Step 1: Install the MalCare plugin to your WordPress website.

Go to your WordPress admin panel. Visit Plugins> Add New from the left sidebar. Search the MalCare plugin by searching its name on the search bar. Then install and activate the plugin.

You can purchase the premium from the MalCare website.

MalCare plugin from the WordPress plugin directory

Step 2: Connect MalCare to your website

Insert your email address on the welcome widget to connect your website with the MalCare security dashboard. Verify the email address by clicking on the link sent to you.

Step 3: Go to the security section of your MalCare dashboard

Visit the Security section of your MalCare dashboard. Scan your WordPress site and MalCare will automatically identify all malware with optimal accuracy. Click on the Clean Site button to get rid of the affected files.

MalCare security overview
Source: MalCare

MalCare employs a robust firewall that can protect your WordPress website from future potential attacks. So, with MalCare, you can clean the existing infected files and prevent future malware attacks.

How to Prevent Malware Attacks – 6 Handy Tips 

Prevention is better than cure- this cliche sentence is applicable to this matter also. Isn’t it a great hassle to clean WordPress malware? You can avoid these painstaking things with the right prevention measures. Here are the five essential security tips that anyone should follow.

1. Keep Your Site Updated

Outdated software is often associated with security issues. Keep all your software updated including WordPress version, themes, plugins, PHP version, and more. The latest version of software comes with improved security patches. We recommend you have a backup before any major update. This way, you can prevent data loss.

2. Harden Your Website Security

This step includes the overall security of a website. Let’s put all these security measures in a bite-sized list.

  • Limit your entry points by allowing only the authorized users to access your website’s backend
  • Use strong passwords along with multi-factor authentication
  • Keep your website hosted in an isolated hosting plan to avoid cross-contamination
  • Use a renowned antivirus program for your operating system
  • Use a quality website firewall to prevent brute force attacks and DDoS attacks.

3. Avoid Nulled Plugins

Apparently, nulled plugins look exactly like original plugins at cheaper prices. But, they are actually cracked versions of the premium plugin that can provide some of the features. Such plugins come with high-security risks and often come with malware. You should avoid using nulled plugins and install plugins from the official plugin website or only.

4. Choose a Proven Hosting Provider

Best WordPress Hosting Providers

There are hundreds of hosting providers in the market. Sadly enough, only a few of them have effective security systems to protect your WordPress site. Moreover, most hosting services don’t have a responsive support team that immediately addresses your problems and solves them.

That’s why we recommend choosing a reliable hosting provider that has a great security system and an active support team.

5. Make Sure Your Website Has an SSL Certificate

SSL- Security Sockets Layer is a digital security certificate that authorizes a website’s identity and ensures an encrypted connection between a web server and a browser. Having an SSL certificate is a basic security measure nowadays. Add an SSL certificate to your WordPress website to keep it secure across different web browsers.

6. Install a Security Audit Plugin & Scan Your Site Regularly

Install and activate a WordPress security audit plugin to ensure optimal security for your website. A security plugin alerts the users whenever there’s any security threat. And, you can detect the issues instantly by scanning the website using that plugin.

It’s a better practice to scan your website regularly so that you can stay one step ahead and prevent serious security issues in the primary stage.

FAQs on How to Clean WordPress Malware

1. Does WordPress have malware?

According to a report, 70% of the top 40,000 WordPress websites are vulnerable to cyber-attacks. Almost 90,000 attacks are targeting WordPress sites every minute. Malware attacks account for a significant percentage of these attacks.

2. How do I protect my WordPress site from malware?

You can secure your website by following the below steps:
1. Keep your CMS, plugins, themes, and other components updated
2. Use strong passwords and multi-factor authentication
3. Download/buy plugins and themes from only the official platforms
4. Install a security plugin and a website firewall
5. Scan your website regularly and clean WordPress malware (if any)

3. How do WordPress sites get hacked?

Malicious users/hackers look for websites that have low security and try to hack them. If your website is vulnerable and doesn’t follow the best WordPress security practices, it may become a victim of hacking.

4. How do I manually check for malware?

You can check the malware manually in the following ways:
* Examine the recently added/modified files
* Check the WordPress core files for unusual names
* Keep track of the number of pages created within your website
* Examine the .htaccess file to find out files with strange extensions

5. How do I check for malware warnings on Google?

Google marks a website as deceptive and shows a Malware warning page to the viewers if it detects malware on the website. And, sometimes it blocks the affected website from appearing on the search engine. You can check for malware warnings on your website by browsing it from an incognito window.

You can also look for user feedback related to malware attacks on your website. And check the email address that you used when connecting your website to the search console. You may receive an email from Google about the ongoing issues.

Wrapping Up

To sum it up, let’s conclude this blog with a precious expert tip. Cleaning WordPress malware is now easier with a plugin, but you will lose valuable website data if you fail to create a regular backup.

It’s pointless to restore a website from an old backup. If you’re serious about your WordPress website, you would publish content or make changes almost every day. So, clean WordPress malware but create a backup beforehand. Daily backup is the best, if you publish fewer contents, weekly backup is a more suitable option.

Wordpress Icon

Disclosure: WP Hive earns a commission when you buy through partner links. It does not influence the unbiased opinions of our writers. Learn more →

Share: icon

Tanvir Faisal

Md. Tanvir Faisal is a Content Writer at WP Hive with over 7 years of experience in Content Writing, Copywriting, Proofreading, and Editing. He specializes in creating helpful content that engages readers, drives social media shares, and improves SEO ranking. In his free time, Tanvir enjoys exploring new cuisines, traveling to unknown places, and spending quality time with his family.

Subscribe To Our Newsletter

Newsletter Subscription Form

Leave a Reply

Your email address will not be published. Required fields are marked *