If your WordPress website is acting oddly, redirecting visitors to unexpected pages, or you’ve received a warning from your hosting provider – you’re likely facing malware. In the U.S. alone, estimates show that over 400,000 websites are hacked every month, many of them powered by WordPress.
With 30 years of writing and security experience, I’ll walk you through how to remove malware from your WordPress website safely, restore your site, and protect yourself moving forward. In this article you will learn how to detect infection, perform a full cleanup, secure your site and prevent future attacks.
Why Malware Cleanup on WordPress Is Critical
Malware on your WordPress site can hit you in multiple ways: search engines may delist you, your site could silently send spam, visitors may get redirected, and your server resources may be hijacked for malicious purposes.
According to recent reports, compromised WordPress sites are used as malware distribution hubs, harming reputation and ranking. Identifying and removing the issue quickly is essential to preserve traffic, revenue, and trust.
Signs Your WordPress Site Is Infected
Before diving into cleanup, here are common red flags:
- Your site redirects visitors to unrelated or spammy pages.
- You notice unfamiliar admin users or files added to wp-content, wp-includes or other core folders.
- Google or your host sends notices that your site is compromised.
- Your site has unusually slow performance or emits spam emails from your domain.
- You find obfuscated code (base64, eval, iframe) in PHP files.
Be aware that malware can persist even when the front end appears normal.
Step 1: Take a Full Backup Immediately
Before making any changes, back up your entire site — all files and your database. This gives you a fallback in case something goes wrong during cleanup. Download via FTP/SFTP or your hosting control panel. Then store the backup in a safe offline location. You’ll also want to create an extra backup after cleanup, so you have a clean baseline.
Step 2: Put Your Site into Maintenance Mode
While you work on cleanup, prevent normal users (and bots) from accessing your site. Use a maintenance mode plugin or set up a simple “503 Service Unavailable” message. This avoids further damage, gives you room to work and helps preserve your search engine rankings while you fix things.
Step 3: Scan and Identify Malware
Use a reliable WordPress security scanner plugin or an online tool to identify infected files and malicious code. Good choices include security plugins that scan files, database entries and logs. Set them to run a complete scan of files, database tables and cron jobs. Note the flagged items so you know what to remove. Keep in mind some malware hides in places typical scanners might miss.
Step 4: Delete or Replace Compromised Files
Start the actual cleanup:
- Replace WordPress core files with fresh copies of the same version.
- In the wp-content/plugins and wp-content/themes folders, delete any unused, outdated or suspicious plugins/themes entirely. Reinstall only from trusted sources.
- Review your wp-content/uploads folder for PHP files or files you didn’t upload; this folder should hold media only. Delete any you didn’t add.
- Examine root files like .htaccess, wp-config.php and custom index.php. Remove suspicious code, unfamiliar files or recent modifications.
- If you cannot confidently clean a file, replace it with a verified copy from WordPress.org or your theme/plugin vendor.
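The two file checks from Steps 3 and 4 (PHP files inside wp-content/uploads, and PHP files anywhere that carry the obfuscation markers named above) as a small scanner. This is an added example, not code from the article; the sample site tree it builds is constructed so it runs offline, and the extension list and pattern set are assumptions.

```python
"""Added example: flag PHP files in wp-content/uploads and PHP files containing
common obfuscation calls. Every hit still needs a human look before deletion."""
import os
import re
import tempfile

# Markers the article names (base64, eval, iframe) plus related PHP helpers.
SUSPICIOUS = re.compile(rb"eval\s*\(|base64_decode\s*\(|gzinflate\s*\(|str_rot13\s*\(|<iframe", re.I)
PHP_EXT = re.compile(r"\.(php\d?|phtml|phar)$", re.I)  # assumption: extensions PHP may execute


def scan_site(root):
    """Return sorted [(relative_path, reason)] for files that deserve manual review."""
    findings = []
    uploads = os.path.join(root, "wp-content", "uploads")
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if not PHP_EXT.search(name):
                continue  # media and text files are skipped; only PHP is examined
            path = os.path.join(dirpath, name)
            rel = os.path.relpath(path, root).replace(os.sep, "/")
            if path.startswith(uploads + os.sep):
                findings.append((rel, "php-in-uploads"))  # uploads should hold media only
            with open(path, "rb") as fh:
                if SUSPICIOUS.search(fh.read()):
                    findings.append((rel, "obfuscation-pattern"))
    return sorted(findings)


def make_sample_site():
    """Constructed sample tree (not real site data) so the example runs offline."""
    root = tempfile.mkdtemp()
    files = {
        "wp-content/plugins/demo/demo.php": b'<?php echo "hello"; ?>',  # clean
        "wp-content/plugins/demo/cache.php": b'<?php eval(base64_decode("ZWNobyAxOw==")); ?>',
        "wp-content/uploads/2024/image.php": b'<?php echo "not media"; ?>',  # PHP in uploads
        "wp-content/uploads/2024/logo.gif": b"GIF89a",  # ordinary media file
    }
    for rel, body in files.items():
        full = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(full), exist_ok=True)
        with open(full, "wb") as fh:
            fh.write(body)
    return root


if __name__ == "__main__":
    for rel, reason in scan_site(make_sample_site()):
        print(f"{reason:20} {rel}")
```

Run it against a real site root instead of the sample tree by calling `scan_site("/path/to/site")`; compare anything flagged against a fresh copy from WordPress.org or the vendor before removing it.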
Step 5: Clean Up the Database
Malware often injects harmful entries into your database — spam content, unfamiliar users, hidden redirects. Use phpMyAdmin or a database tool to:
- Look for admin users you did not create and delete them.
- Search posts in wp_posts or other tables for strange <script> tags or external redirects.
- Use search/replace plugins or SQL queries to find and remove malicious strings (for example, <script> and <iframe> tags, base64-encoded blobs, or redirects to domains you don’t recognise).
Once the database is cleaned, your site has a much better chance of being fully free of malware.
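The Step 5 database checks written as the SQL you would paste into phpMyAdmin: one query lists every account holding the administrator role, the other lists posts whose content carries script or iframe tags or a JavaScript redirect. This is an added example, not from the article; it runs the statements against a constructed in-memory SQLite copy of the three WordPress tables so it works offline, and assumes the default wp_ table prefix (change both the table names and the wp_capabilities key if yours differs).

```python
"""Added example: Step 5 database checks as plain SQL, run here on constructed
SQLite tables that mirror the relevant WordPress columns (prefix wp_ assumed)."""
import sqlite3

# WordPress stores a user's roles in wp_usermeta as a PHP-serialized array under
# <prefix>capabilities, so a LIKE on the role name finds administrators.
ADMIN_USERS_SQL = """
SELECT u.ID, u.user_login, u.user_email, u.user_registered
FROM wp_users AS u
JOIN wp_usermeta AS m ON m.user_id = u.ID
WHERE m.meta_key = 'wp_capabilities' AND m.meta_value LIKE '%administrator%'
ORDER BY u.user_registered
"""

# Posts/pages whose content embeds script or iframe tags or a JS redirect.
INJECTED_POSTS_SQL = """
SELECT ID, post_title FROM wp_posts
WHERE post_content LIKE '%<script%' OR post_content LIKE '%<iframe%'
   OR post_content LIKE '%window.location%'
"""


def admin_users(conn):
    """Logins of every administrator, oldest registration first; compare with the ones you created."""
    return [row[1] for row in conn.execute(ADMIN_USERS_SQL)]


def injected_posts(conn):
    """IDs of posts that need a manual look in the editor before any search/replace."""
    return [row[0] for row in conn.execute(INJECTED_POSTS_SQL)]


def make_sample_db():
    """Constructed sample data (not a real site): one unexpected admin, one injected post."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
    CREATE TABLE wp_users (ID INTEGER, user_login TEXT, user_email TEXT, user_registered TEXT);
    CREATE TABLE wp_usermeta (user_id INTEGER, meta_key TEXT, meta_value TEXT);
    CREATE TABLE wp_posts (ID INTEGER, post_title TEXT, post_content TEXT);
    INSERT INTO wp_users VALUES
      (1, 'owner', 'owner@example.com', '2020-01-01 00:00:00'),
      (2, 'editor', 'editor@example.com', '2021-05-05 00:00:00'),
      (3, 'wp_support', 'x@example.net', '2024-11-30 03:14:00');
    INSERT INTO wp_usermeta VALUES
      (1, 'wp_capabilities', 'a:1:{s:13:"administrator";b:1;}'),
      (2, 'wp_capabilities', 'a:1:{s:6:"editor";b:1;}'),
      (3, 'wp_capabilities', 'a:1:{s:13:"administrator";b:1;}');
    INSERT INTO wp_posts VALUES
      (10, 'About us', '<p>We make widgets.</p>'),
      (11, 'Pricing', '<p>Plans</p><script src="//cdn.example.net/x.js"></script>');
    """)
    return conn
```

Against a live MySQL database, run the two SELECT statements as-is; delete a user or edit a post only after confirming it is not legitimate, since themes and embeds can place iframes in content on purpose.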
Step 6: Change All Credentials and Review Access Rights
After the cleanup, change all relevant passwords. This includes:
- WordPress admin users (use strong random passwords).
- Hosting panel, FTP/SFTP, database user, SSH (if applicable).
- Email accounts associated with the site.
Enable Two-Factor Authentication (2FA) for all admin accounts if possible. Also review file permissions: ideally directories should be 755 (or stricter) and files 644; disable file editing from within WordPress by adding define('DISALLOW_FILE_EDIT', true); to wp-config.php.
Step 7: Secure Your Site to Prevent Future Attacks
Cleanup is only half the job. To avoid a re-infection you must harden the site:
- Keep WordPress core, themes and plugins updated. Many malware attacks exploit outdated components.
- Remove or disable unused plugins/themes entirely — they often become backdoors.
- Install a security plugin with firewall, malware scanning and login protection.
- Use a Web Application Firewall (WAF) at the hosting or DNS level.
- Limit login attempts, change default login URL, and require strong passwords + 2FA.
- Back up your site regularly (daily or weekly), and store backups off-site.
- Monitor user accounts — delete inactive or unknown users.
- Choose a strong, secure hosting environment with isolation if hosting multiple sites on the same account.
Step 8: Clear Search Engine and Host Warnings
If your site was flagged by Google or your hosting provider, you’ll want to lift the warnings once you’re sure it’s clean:
- In Google Search Console (or equivalent for your domain), request a review for any security issues or flagged content. Only do this once you are confident the site is clean; otherwise you risk the request being rejected.
- Check blacklist lookup tools to verify your domain/IP is no longer flagged, and request delisting from any service that still lists it.
- Clear caches: server-side and browser. A cached version could still contain the malicious code even after you clean it.
Once you complete these steps your site should recover its normal status in search results and hosting logs.
Step 9: Create a Clean Baseline Backup and Resume Normal Operation
Now that your site is cleaned and secured, make a fresh full site backup and store it in a safe location. Resume normal mode for your site. Continue monitoring logs, user activity, plugins and file changes. Consider scheduling scans (monthly or weekly depending on your traffic) so you catch issues early.
Summary & Final Thoughts
Removing malware from a WordPress website requires decisive action: detect the infection, clean both files and database, change credentials, harden your site, and remove search engine/hosting warnings.
If you follow each step systematically, you can restore your site’s integrity, protect your visitors, and recover your search visibility. With thorough scans, strong passwords, limited plugins/themes and regular backups you vastly reduce the risk of future infections. Treat security as an ongoing process, not a one-time fix.
