A WordPress website can run normally for months and then suddenly start behaving strangely. You might notice spam pages appearing in Google, redirects to suspicious websites, new admin users you did not create, hosting warnings, or a sudden drop in traffic. In many cases, these are signs that malware has been added to the site.
This is one of the more stressful problems website owners deal with because it affects SEO, trust, and sometimes even email delivery. I have also seen situations where the site still looked normal on the front end while hidden malware was quietly sending spam or creating backdoor access in the background.
The good news is that most WordPress malware issues can be identified and cleaned if you work through the process carefully. The important thing is avoiding shortcuts that leave infected files behind.
Quick Answer
To scan WordPress for malware, you should first back up the website, then scan files and the database using a security plugin or hosting malware scanner. After identifying infected files, remove malicious code, replace compromised core files, themes, or plugins, reset passwords, and update everything. Once the site is clean, improve security settings to prevent reinfection.
Why This Matters
A hacked WordPress website affects more than just security.
Malware can:
- Damage search rankings
- Trigger Google security warnings
- Redirect visitors to scam pages
- Send spam emails from your domain
- Slow down the website
- Create hidden admin accounts
- Infect future backups if left unresolved
In my experience, many hacked sites were infected through outdated plugins, weak passwords, or abandoned themes rather than WordPress itself.
Cleaning the site properly matters because partial cleanup often leads to the infection returning later.
Signs Your WordPress Website May Be Infected
Some warning signs are obvious, while others are easier to miss.
Common symptoms include:
- Unexpected redirects
- Spam pages indexed in Google
- Security warnings in browsers
- Hosting suspension notices
- New admin accounts
- Unknown plugins or files
- Sudden traffic drops
- Slow website performance
- Modified files without explanation
- Strange code injected into pages
You can also check Google Search Console for security warnings or indexing issues.
If Google starts indexing pages that you never created, there is a good chance the website has been compromised.
Step 1: Back Up the Website First
Before changing anything, create a full backup of the website. If you have not set one up yet, follow this guide on how to back up a WordPress website before you start cleaning infected files.
This includes:
- WordPress files
- Database
- Uploads
- Themes
- Plugins
Even infected backups are useful because they allow you to recover important content if something breaks during cleanup.
If your hosting provider offers backups, download a copy locally before continuing.
Step 2: Put the Website Into Maintenance Mode
If the infection is actively affecting visitors, temporarily place the website into maintenance mode.
This helps prevent:
- Visitors being redirected
- Further spam activity
- Additional file modifications
- Search engines indexing infected pages
A simple maintenance plugin is usually enough for temporary downtime.
Step 3: Scan WordPress for Malware
There are several ways to scan WordPress.
Option 1: Use a WordPress Security Plugin
This is the easiest method for most website owners.
Common malware scanning plugins include:
- Wordfence
- Sucuri Security
- Solid Security
- MalCare
A good scanner checks:
- Core WordPress files
- Plugins
- Themes
- Malware signatures
- File modifications
- Backdoors
When I set this up on WordPress sites, I usually start with Wordfence because it highlights modified files clearly and helps identify suspicious changes quickly.
Run a full scan rather than a quick scan.
Step 4: Check WordPress Core Files
One common mistake is trying to clean individual core files manually.
Instead:
- Download a fresh copy of WordPress from WordPress.org
- Delete the old core folders and files, except:
- /wp-content/
- wp-config.php
- Upload the fresh core files
This removes many infections hiding inside WordPress core directories.
Do not overwrite blindly without checking backups first.
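Before replacing core files, it helps to know exactly which ones differ from a clean release, because every difference is either something you changed deliberately or something an attacker did. The script below is an added example, not code from the article: it walks the live install, skips the site-specific wp-content/ folder and wp-config.php, and reports each core file that is missing from or different to a fresh copy. The directory names and the file contents in the demo trees are constructed placeholders; a real run points the first argument at an unpacked WordPress release and the second at the site's document root.

```shell
#!/bin/sh
# Added example, not code from the original article: compare a live WordPress
# install against a freshly downloaded copy and report core files that differ
# from the clean copy or that do not exist in it at all. Directory names are
# placeholders; a real run points the first argument at an unpacked WordPress
# release and the second at the site's document root.

# Print "MODIFIED path" when a file's content differs from the fresh copy and
# "EXTRA path" when the file is not part of a clean install at all.
# wp-content/ and wp-config.php are skipped: they are site-specific and are
# checked separately (plugins, themes, uploads, configuration).
compare_core() {
    fresh="$1"
    live="$2"
    ( cd "$live" && find . -type f \
        ! -path './wp-content/*' ! -name 'wp-config.php' ) |
    sort | while IFS= read -r rel; do
        if [ ! -f "$fresh/$rel" ]; then
            printf 'EXTRA %s\n' "$rel"
        elif ! cmp -s "$fresh/$rel" "$live/$rel"; then
            printf 'MODIFIED %s\n' "$rel"
        fi
    done
}

# Build a small constructed pair of trees so the check can run offline.
# The "injected" line and the extra file are stand-ins for what a scanner
# would flag; they are not taken from any real infection.
make_demo_trees() {
    base=$(mktemp -d)
    mkdir -p "$base/fresh/wp-includes" "$base/live/wp-includes" \
             "$base/live/wp-content/uploads"
    printf '<?php // clean front controller\n' > "$base/fresh/index.php"
    cp "$base/fresh/index.php" "$base/live/index.php"            # unchanged
    printf '<?php // clean loader\n' > "$base/fresh/wp-includes/load.php"
    printf '<?php // clean loader\n// constructed: injected line\n' \
        > "$base/live/wp-includes/load.php"                         # modified
    printf '<?php // constructed: file absent from the release\n' \
        > "$base/live/wp-includes/example-extra.php"                # extra
    printf '<?php // site configuration\n' > "$base/live/wp-config.php"
    printf 'GIF89a' > "$base/live/wp-content/uploads/photo.gif"
    echo "$base"
}

# Stand-alone run: build the demo trees, print the findings, clean up.
if [ "${1:-}" = "--demo" ]; then
    demo=$(make_demo_trees)
    compare_core "$demo/fresh" "$demo/live"
    rm -rf "$demo"
fi
```

Run it with `--demo` to see the two findings on the constructed trees. On a real site, every MODIFIED line in wp-admin/ or wp-includes/ is a strong signal, since nothing legitimate edits those files; the EXTRA lines are the ones to read most carefully, because a dropped file with a plausible name is the usual form a backdoor takes. Only once the list is understood should the fresh core files be uploaded over the old ones.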
Step 5: Inspect Plugins and Themes
Outdated or nulled plugins are one of the most common infection sources.
Check for:
- Plugins you no longer use
- Themes you do not recognize
- Disabled plugins left installed
- Pirated premium themes
- Plugins abandoned by developers
Delete anything unnecessary.
If you suspect a plugin or theme is infected:
- Delete it completely
- Download a fresh version from the official source
- Reinstall it
I usually recommend removing inactive plugins entirely instead of leaving them installed.
Step 6: Scan the Uploads Folder
The /wp-content/uploads/ folder should mainly contain media files.
Hackers often place malicious PHP files inside uploads folders because many website owners never inspect them.
Look for suspicious files such as:
- .php files
- .phtml files
- Randomly named files
- Strange folder structures
Image folders should not normally contain executable PHP scripts.
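A file listing sorted by name is not enough here, because a script can be given an image extension and still be served as PHP on a misconfigured host. The script below is an added example, not code from the article: it applies both checks to an uploads tree, flagging script extensions by name and flagging any other file whose first bytes are a PHP open tag. The directory path and the sample files are constructed placeholders for /wp-content/uploads/.

```shell
#!/bin/sh
# Added example, not code from the original article: list files under an
# uploads directory that should not be there. Two checks: a PHP-style file
# extension (including double extensions such as name.php.jpg), and a file
# of any name whose content starts with a PHP open tag. The directory path
# is a placeholder for /wp-content/uploads/.

# Print "EXTENSION path" for script extensions and "DISGUISED path" for any
# other file that begins with "<?php" regardless of its name.
scan_uploads() {
    dir="$1"
    find "$dir" -type f | sort | while IFS= read -r f; do
        case "$f" in
            *.php|*.phtml|*.php5|*.php7|*.phar|*.php.*)
                printf 'EXTENSION %s\n' "$f" ;;
            *)
                # Only the first five bytes are read, so large media is cheap.
                if head -c 5 "$f" | grep -q '^<?php'; then
                    printf 'DISGUISED %s\n' "$f"
                fi ;;
        esac
    done
}

# Constructed sample tree for an offline run: two real-looking image headers
# and two stand-ins for scripts that do not belong in an uploads folder.
make_demo_uploads() {
    base=$(mktemp -d)
    mkdir -p "$base/2024/05"
    printf 'GIF89a' > "$base/2024/05/photo.gif"
    printf '\211PNG\r\n' > "$base/2024/05/logo.png"
    printf '<?php // constructed: script dropped in uploads\n' \
        > "$base/2024/05/cache.php"
    printf '<?php // constructed: script with an image name\n' \
        > "$base/2024/05/thumb.jpg"
    echo "$base"
}

# Stand-alone run: build the sample tree, print the findings, clean up.
if [ "${1:-}" = "--demo" ]; then
    demo=$(make_demo_uploads)
    scan_uploads "$demo"
    rm -rf "$demo"
fi
```

Run with `--demo` to see one EXTENSION and one DISGUISED finding while the two genuine images pass. The content check matters more than the name check: a renamed script is exactly what a name-only scan misses. As a longer-term measure, many hosts and security plugins disable PHP execution inside the uploads folder entirely, which turns a dropped script into a harmless text file.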
Step 7: Check the Database for Malware
Some malware injects spam directly into the database.
Common examples include:
- Hidden spam links
- Injected JavaScript
- Redirect scripts
- SEO spam pages
You can inspect the database using:
- phpMyAdmin
- Hosting database tools
- Security plugins
Search for:
- eval(
- base64
- iframe
- suspicious scripts
- unknown admin users
Be careful when editing database entries manually.
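Searching a database export is safer than editing live tables, because nothing changes until you have decided what each hit means. The script below is an added example, not code from the article: it counts the patterns listed above in a mysqldump export and lists every account whose wp_capabilities row grants administrator, so the list can be compared with the admins you know you created. It assumes the default wp_ table prefix and a dump written with --skip-extended-insert (one INSERT per row), which keeps the row parsing simple; the dump rows in the demo are constructed and abbreviated, with placeholder hashes and addresses.

```shell
#!/bin/sh
# Added example, not code from the original article: search a mysqldump
# export for the patterns listed above and list the accounts that hold the
# administrator capability. Assumes the default wp_ table prefix and a dump
# written with --skip-extended-insert (one INSERT statement per row). The
# dump path is a placeholder.

# Print "pattern count" for each pattern that occurs at least once.
scan_dump_patterns() {
    dump="$1"
    for pat in 'eval(' 'base64_decode(' 'gzinflate(' '<iframe' '<script src='; do
        n=$(grep -o -F -- "$pat" "$dump" | wc -l | tr -d ' ')
        if [ "$n" -gt 0 ]; then
            printf '%s %s\n' "$pat" "$n"
        fi
    done
}

# Print "id login" for every user whose wp_capabilities meta grants
# administrator. Compare the result with the admins you know you created.
list_admins() {
    dump="$1"
    grep -F 'INSERT INTO `wp_usermeta`' "$dump" |
    grep -F "'wp_capabilities'" | grep -F 'administrator' |
    sed -n 's/.*VALUES ([0-9]*,\([0-9]*\),.*/\1/p' |
    while IFS= read -r uid; do
        login=$(grep -F 'INSERT INTO `wp_users`' "$dump" |
            sed -n "s/.*VALUES ($uid,'\([^']*\)',.*/\1/p")
        printf '%s %s\n' "$uid" "$login"
    done
}

# Constructed, abbreviated dump rows for an offline run; column lists are
# shortened and the password hashes and e-mail addresses are placeholders.
make_demo_dump() {
    f=$(mktemp)
    cat > "$f" <<'EOF'
INSERT INTO `wp_users` VALUES (1,'siteowner','$P$placeholder','siteowner','owner@example.com','','2023-01-10 09:00:00','',0,'Site Owner');
INSERT INTO `wp_users` VALUES (2,'wp-support','$P$placeholder','wp-support','unknown@example.net','','2024-06-02 03:14:00','',0,'wp-support');
INSERT INTO `wp_usermeta` VALUES (10,1,'wp_capabilities','a:1:{s:13:\"administrator\";b:1;}');
INSERT INTO `wp_usermeta` VALUES (11,2,'wp_capabilities','a:1:{s:13:\"administrator\";b:1;}');
INSERT INTO `wp_posts` VALUES (5,1,'<p>Welcome</p><script src=\"https://example.invalid/x.js\"></script>','Home','publish');
INSERT INTO `wp_options` VALUES (99,'constructed_option','<iframe src=\"https://example.invalid/\"></iframe>','yes');
EOF
    echo "$f"
}

# Stand-alone run: write the sample dump, print both reports, clean up.
if [ "${1:-}" = "--demo" ]; then
    dump=$(make_demo_dump)
    scan_dump_patterns "$dump"
    list_admins "$dump"
    rm -f "$dump"
fi
```

Run with `--demo` to see the iframe and script-tag hits and the two administrator accounts from the constructed dump. A pattern count is only a starting point: plugins legitimately store base64 data and some themes embed iframes, so each hit needs to be looked at in context before anything is deleted. On a live site where WP-CLI is installed, `wp user list --role=administrator` gives the same account list without exporting the database.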
Step 8: Reset Passwords and User Accounts
After cleanup, reset all passwords immediately.
This includes:
- WordPress admin accounts
- Hosting account
- FTP/SFTP accounts
- Database passwords
- Email accounts connected to the domain
Also:
- Remove unused users
- Review administrator accounts
- Enable strong passwords
- Enable two-factor authentication if possible
A hacked admin account can reinfect the website even after cleanup.
Step 9: Update Everything
Outdated software is one of the main causes of reinfection.
Update:
- WordPress core
- Themes
- Plugins
- PHP version
If a plugin has not been updated in a long time, replacing it is often safer than continuing to use it.
Step 10: Request a Review if Google Flagged the Website
If your website was marked as unsafe in Google Search Console:
- Clean the website fully
- Confirm the infection is removed
- Open Google Search Console
- Request a security review
Google may take several days to remove warnings.
Practical Tips From Real Website Cleanup Work
A few things regularly help during malware cleanup:
Keep Old Clean Backups
Sometimes restoring a clean backup is faster than manual cleanup.
However, always scan old backups before restoring them because older infections may already exist inside them.
Avoid Nulled Plugins and Themes
Many hacked websites trace back to pirated premium plugins.
The short-term savings usually lead to security problems later.
Use Hosting-Level Security Too
Good hosting providers often include:
- Malware scanning
- Firewall protection
- File monitoring
- Automatic backups
This adds another security layer beyond WordPress plugins.
Monitor File Changes
Some security plugins track file changes and alert you when files are modified unexpectedly.
This helps detect future problems earlier.
Common Mistakes
Cleaning Only Visible Symptoms
Removing spam pages without finding the actual backdoor usually leads to reinfection.
Leaving Old Plugins Installed
Inactive plugins can still be exploited if vulnerabilities exist.
Ignoring User Accounts
Unknown administrator accounts are a major warning sign.
Skipping Password Resets
Even clean websites can be compromised again if attackers still have login access.
Restoring an Infected Backup
This is more common than many people realize.
Always scan backups before restoring them.
When to Use a Security Plugin vs Professional Cleanup
For smaller infections, security plugins are often enough.
However, professional cleanup may be better if:
- The site keeps getting reinfected
- Hosting access is compromised
- Multiple websites on the server are infected
- Search engines blacklisted the domain
- You cannot identify the infection source
On business websites with SEO traffic or ecommerce revenue, professional cleanup can sometimes save a lot of time.
Conclusion
Scanning WordPress for malware is usually a process of identifying infected files, replacing compromised components, resetting access credentials, and improving long-term security.
The important part is removing the source of the infection rather than only fixing visible symptoms. In most WordPress sites I build, regular updates, reliable hosting, backups, and careful plugin management prevent most security problems before they start.

Etienne Basson works with website systems, SEO-driven site architecture, and technical implementation. He writes practical guides on building, structuring, and optimizing websites for long-term growth.