How to Remove Malware from a WordPress Website

Finding malware on your WordPress website is one of those moments that stops everything. Traffic might be dropping, Google is showing warnings to visitors, or your hosting company sent a suspension notice. However it surfaced, the priority is the same — get it cleaned up before the damage compounds.

Malware usually enters through an outdated plugin, a compromised password, or a theme downloaded from an untrustworthy source. Once inside, attackers can inject spam links, redirect visitors to malicious sites, install backdoors for repeat access, or silently collect payment data from checkout pages.

This guide walks you through removing malware from a WordPress website step by step — from scanning and cleaning files to closing the entry point and getting off any blacklists you may have landed on.

What to Do When You Suspect Malware

The short version: scan and identify infected files, clean or delete them, remove backdoors, update everything, change all credentials, then request a blacklist review. Do not jump straight to changing passwords first — if a backdoor file is still in place, the attacker uses it to regain access regardless of your new password.

What Malware Does to Your Site

Beyond the immediate security breach, malware creates a chain of secondary problems that often outlast the infection itself:

  • Google Safe Browsing flags the site, and every visitor sees a “deceptive site” warning before reaching your content
  • Your hosting provider may suspend the account without warning once they detect malicious code in your files
  • Search rankings drop when injected spam links or cloaked content are crawled by Google
  • WooCommerce and membership sites risk exposing customer payment details to card-skimming scripts

In my experience, the original malware is rarely the biggest problem — it is the secondary damage (lost traffic, suspended hosting, deindexed pages) that takes weeks to recover from.

How to Remove Malware from WordPress

Step 1 — Put the site in maintenance mode

Before doing anything else, limit how many visitors hit the infected version. A maintenance mode plugin displays a clean holding page while you work. If your hosting provider has already suspended the account, contact their support team — they can usually grant you temporary access to run the cleanup.

Step 2 — Run a malware scan

Install and activate Wordfence Security — the free version includes a full file scanner. Go to Wordfence → Scan and start a new scan. Wordfence compares every core WordPress file against known-good originals and flags anything that has been modified or injected with malicious code.

Make a note of every flagged file before taking action. Understanding the scope of the infection determines whether you clean files manually or restore from a clean backup.

Step 3 — Clean or delete infected files

For each flagged file, the approach depends on what type of file it is:

  • Core WordPress files (anything inside /wp-admin/ or /wp-includes/) — delete and replace with a fresh copy from wordpress.org. These files should never be modified, so any change is a red flag
  • Theme and plugin files — delete the entire theme or plugin and reinstall from the official source. Never try to edit malware out line by line; one missed obfuscated string and it survives
  • Uploaded files (inside /wp-content/uploads/) — scan for .php files in this folder. PHP files have no legitimate place in the uploads directory; delete them all

If you have a recent clean backup from before the infection, restoring from that point is faster than cleaning file by file — provided you also close whatever entry point let the attacker in.

Step 4 — Remove backdoors and suspicious admin accounts

After cleaning files, go to Users in the WordPress dashboard and delete any administrator accounts you didn’t create. Then search all theme and plugin files for common backdoor function patterns: eval(base64_decode, exec(, system(, and passthru(. These are not legitimate in WordPress code.

Also check the database. Open phpMyAdmin and inspect the wp_options table — if the values for siteurl or home point to a different domain, that is a redirect injection. Check wp_users for any administrator entries you don’t recognise.
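A read-only triage script for the file-level checks in Steps 3 and 4, added here as an example (it is not code from the original article); it assumes a POSIX shell with find and grep available and takes the WordPress root directory as its only argument.

```shell
#!/bin/sh
# Added example, not from the original article: a read-only triage of the
# two file-level indicators in Steps 3 and 4. It lists PHP files under
# wp-content/uploads (none belong there) and greps theme and plugin code
# for the backdoor-style calls named in Step 4. It only reports; read each
# hit before deleting, because 'exec(' also matches names such as
# shell_exec( and a few legitimate plugins do call these functions.
# Usage: sh wp_triage.sh /path/to/wordpress   (the root path is assumed)

# Step 3: any PHP file anywhere under the uploads directory.
uploads_php() {
  find "$1/wp-content/uploads" -type f -iname '*.php' 2>/dev/null
}

# Step 4: fixed-string search (-F) so the '(' is literal, not a regex group.
# Output is path:line:content so the surrounding code is visible.
suspicious_code() {
  grep -rnF --include='*.php' \
    -e 'eval(base64_decode' -e 'exec(' -e 'system(' -e 'passthru(' \
    "$1/wp-content/themes" "$1/wp-content/plugins" 2>/dev/null
}

# Run both checks. Exit status 1 when anything is found, so this can gate
# the "verify the site scans clean" step before taking the site live again.
triage() {
  hits=$(uploads_php "$1"; suspicious_code "$1")
  if [ -n "$hits" ]; then
    printf '%s\n' "$hits"
    return 1
  fi
  printf 'no file-level indicators found under %s\n' "$1"
  return 0
}

if [ "$#" -eq 1 ]; then
  triage "$1"
fi
```

For the core-file comparison in Step 2, WP-CLI's `wp core verify-checksums` performs the same check against the hashes wordpress.org publishes.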

Step 5 — Update WordPress, themes, and plugins

Every piece of outdated software is a potential re-entry point. Update WordPress core first, then all plugins, then active themes. Delete anything you are not actively using — inactive themes and plugins can still be exploited even without being activated.

Step 6 — Change all credentials

Once the files are clean, reset every credential tied to the site:

  • WordPress admin password
  • Hosting account password
  • Database password (update wp-config.php with the new value)
  • FTP and SFTP credentials
  • The email address linked to your WordPress admin account

Use passwords of at least 20 characters. If you were reusing a password across services, change those too.

Step 7 — Request removal from Google’s blocklist

If Google flagged the site, open Google Search Console and navigate to Security & Manual Actions → Security Issues. Once you have confirmed the malware is gone, submit a security review request. Google typically responds within 24–72 hours. When the review passes, the interstitial warning stops appearing for visitors.

Practical Tips

  • Always keep a recent backup. A clean backup from the previous day beats spending six hours cleaning files by hand. UpdraftPlus, MalCare, and most managed hosts include automatic daily backups
  • Re-scan 48 hours after cleanup. In my experience, sites that get reinfected within a few days have a backdoor the initial scan missed. A second pass after the dust settles catches what was hidden during the first
  • Enable two-factor authentication. Brute force attacks are the second most common entry point after outdated software. 2FA blocks most of them before they ever reach your login page
  • Use a staging environment. Clone the infected site to a staging instance, clean it there, verify everything works, then apply the same changes to the live site

Common Mistakes

  • Changing passwords before removing the malware. Backdoors bypass authentication entirely — the attacker uses the shell file to regain access regardless of what you set the password to
  • Editing infected files directly. One missed line of obfuscated code and the malware survives. Delete and reinstall from the official source instead
  • Assuming the site is clean when the host unsuspends it. Hosts unsuspend once you confirm you are working on the issue, not after verifying the cleanup is complete
  • Skipping the database check. Malware injected into the wp_options or wp_users table survives a complete file cleanup

When to Do It Yourself vs. Hire Help

If the infection is limited to a handful of flagged files and you have a clean backup from before the attack, handle it yourself. The steps above cover the majority of WordPress malware cases.

If your site processes payments, stores customer data, or Wordfence is returning hundreds of flagged files with no obvious single entry point, bring in a professional cleanup service. The investment is worth it when customer data or ongoing revenue is on the line.

Once the infection is cleared, setting up a WordPress firewall should be the first preventive step you take. A firewall intercepts the most common attack patterns before they reach your files. After that, run a full WordPress security audit to close any remaining vulnerabilities.

If you are still building or establishing your site, the step-by-step guide to building a WordPress website covers security fundamentals from the start, so you are less likely to end up in this situation.

Conclusion

Malware cleanup follows a predictable sequence: scan, clean infected files, remove backdoors, update everything, change all credentials, and request blacklist removal. Work through the steps in order, verify the site scans clean before taking it live again, and put a firewall and regular backups in place so you are not starting from scratch if it happens again.