How to Scan WordPress for Malware and Clean a Hacked Website

A WordPress website can run normally for months and then suddenly start behaving strangely. You might notice spam pages appearing in Google, redirects to suspicious websites, new admin users you did not create, hosting warnings, or a sudden drop in traffic. In many cases, these are signs that malware has been added to the site.

This is one of the more stressful problems website owners deal with because it affects SEO, trust, and sometimes even email delivery. I have also seen situations where the site still looked normal on the front end while hidden malware was quietly sending spam or creating backdoor access in the background.

The good news is that most WordPress malware issues can be identified and cleaned if you work through the process carefully. The important thing is avoiding shortcuts that leave infected files behind.

Quick Answer

To scan WordPress for malware, you should first back up the website, then scan files and the database using a security plugin or hosting malware scanner. After identifying infected files, remove malicious code, replace compromised core files, themes, or plugins, reset passwords, and update everything. Once the site is clean, improve security settings to prevent reinfection.

Why This Matters

A hacked WordPress website affects more than just security.

Malware can:

  • Damage search rankings
  • Trigger Google security warnings
  • Redirect visitors to scam pages
  • Send spam emails from your domain
  • Slow down the website
  • Create hidden admin accounts
  • Infect future backups if left unresolved

In my experience, many hacked sites were infected through outdated plugins, weak passwords, or abandoned themes rather than WordPress itself.

Cleaning the site properly matters because partial cleanup often leads to the infection returning later.

Signs Your WordPress Website May Be Infected

Some warning signs are obvious, while others are easier to miss.

Common symptoms include:

  • Unexpected redirects
  • Spam pages indexed in Google
  • Security warnings in browsers
  • Hosting suspension notices
  • New admin accounts
  • Unknown plugins or files
  • Sudden traffic drops
  • Slow website performance
  • Modified files without explanation
  • Strange code injected into pages

You can also check Google Search Console for security warnings or indexing issues.

If Google starts indexing pages that you never created, there is a good chance the website has been compromised.

Step 1: Back Up the Website First

Before changing anything, create a full backup of the website. If you have not set one up yet, follow this guide on how to back up a WordPress website before you start cleaning infected files.

This includes:

  • WordPress files
  • Database
  • Uploads
  • Themes
  • Plugins

Even infected backups are useful because they allow you to recover important content if something breaks during cleanup.

If your hosting provider offers backups, download a copy locally before continuing.

Step 2: Put the Website Into Maintenance Mode

If the infection is actively affecting visitors, temporarily place the website into maintenance mode.

This helps prevent:

  • Visitors being redirected
  • Further spam activity
  • Additional file modifications
  • Search engines indexing infected pages

A simple maintenance plugin is usually enough for temporary downtime.

Step 3: Scan WordPress for Malware

There are several ways to scan WordPress.

Option 1: Use a WordPress Security Plugin

This is the easiest method for most website owners.

Common malware scanning plugins include:

  • Wordfence
  • Sucuri Security
  • Solid Security
  • MalCare

A good scanner checks:

  • Core WordPress files
  • Plugins
  • Themes
  • Malware signatures
  • File modifications
  • Backdoors

When I set this up on WordPress sites, I usually start with Wordfence because it highlights modified files clearly and helps identify suspicious changes quickly.

Run a full scan rather than a quick scan.

Step 4: Check WordPress Core Files

One common mistake is trying to clean individual core files manually.

Instead:

  1. Download a fresh copy of WordPress from WordPress.org
  2. Delete the old core files and folders, except:
    • /wp-content/
    • wp-config.php
  3. Upload fresh core files

This removes many infections hiding inside WordPress core directories.

Do not overwrite blindly without checking backups first.
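Before deleting and re-uploading core, it helps to know exactly which shipped files differ from the official release and which files exist that the release never contained. The script below is an added example written for this article, not code from the article or from WordPress; it assumes you have unpacked a fresh copy of the same WordPress version into a separate directory and that both paths are supplied by you. It skips wp-content/ (handled in later steps) and treats wp-config.php as the one expected extra file.

```bash
#!/usr/bin/env bash
# Added example (not from the article): list which core files in a live
# WordPress install differ from a fresh copy of the same version, and which
# files outside wp-content/ the release never shipped. Both paths are
# placeholders supplied by the caller.

set -u

# Usage: compare_core /path/to/live/site /path/to/fresh/wordpress
# Prints one finding per line: MODIFIED, MISSING or EXTRA followed by the
# path relative to the site root.
compare_core() {
    local live="$1" fresh="$2" rel
    # Pass 1: every file the release ships must exist and be byte-identical.
    ( cd "$fresh" && find . -type f ! -path './wp-content/*' ) | while read -r rel; do
        rel="${rel#./}"
        if [ ! -f "$live/$rel" ]; then
            printf 'MISSING  %s\n' "$rel"
        elif ! cmp -s "$fresh/$rel" "$live/$rel"; then
            printf 'MODIFIED %s\n' "$rel"
        fi
    done
    # Pass 2: anything outside wp-content/ that the release does not contain.
    # wp-config.php is site-specific and therefore an expected extra.
    ( cd "$live" && find . -type f ! -path './wp-content/*' ) | while read -r rel; do
        rel="${rel#./}"
        [ "$rel" = "wp-config.php" ] && continue
        [ -f "$fresh/$rel" ] || printf 'EXTRA    %s\n' "$rel"
    done
}

# Constructed demonstration on throwaway directories (not a real site):
# one tampered core file, one missing core file, one dropped-in extra file.
demo_compare_core() {
    local tmp fresh live
    tmp=$(mktemp -d)
    fresh="$tmp/fresh"; live="$tmp/live"
    mkdir -p "$fresh/wp-includes" "$live/wp-includes" "$live/wp-content/uploads"
    printf '<?php // official\n' > "$fresh/index.php"
    printf '<?php // official\n' > "$fresh/wp-login.php"
    printf '<?php // official\n' > "$fresh/wp-includes/version.php"
    printf '<?php // official\n' > "$live/wp-includes/version.php"        # unchanged
    printf '<?php // official\n// appended line\n' > "$live/index.php"    # tampered
    printf '<?php // not in release\n' > "$live/wp-includes/zz-extra.php" # extra
    printf '<?php // site settings\n' > "$live/wp-config.php"             # expected
    printf 'not a script\n' > "$live/wp-content/uploads/note.txt"         # ignored here
    compare_core "$live" "$fresh"
    rm -rf "$tmp"
}

demo_compare_core
```

Run it against the real install and the fresh copy before you replace anything: MODIFIED and EXTRA lines tell you what to keep a copy of for later inspection, and MISSING lines are a sign the install was already tampered with or partially broken. If WP-CLI is available on the host, `wp core verify-checksums` performs the same comparison against the official checksums without needing a local fresh copy.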

Step 5: Inspect Plugins and Themes

Outdated or nulled plugins are one of the most common infection sources.

Check for:

  • Plugins you no longer use
  • Themes you do not recognize
  • Disabled plugins left installed
  • Pirated premium themes
  • Plugins abandoned by developers

Delete anything unnecessary.

If you suspect a plugin or theme is infected:

  1. Delete it completely
  2. Download a fresh version from the official source
  3. Reinstall it

I usually recommend removing inactive plugins entirely instead of leaving them installed.

Step 6: Scan the Uploads Folder

The /wp-content/uploads/ folder should mainly contain media files.

Hackers often place malicious PHP files inside uploads folders because many website owners never inspect them.

Look for suspicious files such as:

  • .php
  • .phtml
  • Randomly named files
  • Strange folder structures

Image folders should not normally contain executable PHP scripts.
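A quick way to apply this check is to list every file under uploads with a server-side script extension, and separately any file whose name looks like media but whose content starts with a PHP open tag. The script below is an added example for this article, not code from the article or from WordPress; it goes slightly beyond the two extensions listed above by also matching `.php5`-style and `.phar` names, and the uploads path is a placeholder you supply.

```bash
#!/usr/bin/env bash
# Added example (not from the article): find script files hiding in the
# WordPress uploads directory. The directory path is a caller-supplied
# placeholder, e.g. /var/www/html/wp-content/uploads.

set -u

# Usage: scan_uploads /path/to/wp-content/uploads
# SCRIPT <path>  file with a server-side script extension (.php, .phtml, .php5, .phar ...)
# HIDDEN <path>  file with a non-script name whose content begins with a PHP open tag
scan_uploads() {
    local dir="$1" f
    # Pass 1: by extension, case-insensitive so .PHP is caught too.
    find "$dir" -type f \( -iname '*.php' -o -iname '*.phtml' -o -iname '*.php[0-9]' -o -iname '*.phar' \) -print \
        | sort | while read -r f; do
        printf 'SCRIPT %s\n' "${f#"$dir"/}"
    done
    # Pass 2: by content, for files whose extension passed the first filter.
    find "$dir" -type f ! \( -iname '*.php' -o -iname '*.phtml' -o -iname '*.php[0-9]' -o -iname '*.phar' \) -print \
        | sort | while read -r f; do
        if head -c 4096 "$f" | grep -aq '<?php'; then
            printf 'HIDDEN %s\n' "${f#"$dir"/}"
        fi
    done
}

# Constructed demonstration on a throwaway directory (not a real site):
# one ordinary image, two files with script extensions, one PHP file
# renamed to look like an image.
demo_scan_uploads() {
    local tmp
    tmp=$(mktemp -d)
    mkdir -p "$tmp/2024/05" "$tmp/cache"
    printf 'binary image data placeholder\n' > "$tmp/2024/05/logo.png"
    printf '<?php // dropped in\n' > "$tmp/2024/05/photo.jpg.php"
    printf '<?php // dropped in\n' > "$tmp/cache/x.phtml"
    printf '<?php // disguised\n' > "$tmp/2024/05/banner.jpg"
    scan_uploads "$tmp"
    rm -rf "$tmp"
}

demo_scan_uploads
```

Review every SCRIPT and HIDDEN line before deleting: a handful of plugins legitimately drop PHP into uploads, so compare any hit against what the plugin's own documentation says it creates, and keep a copy of suspicious files outside the web root for later analysis.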

Step 7: Check the Database for Malware

Some malware injects spam directly into the database.

Common examples include:

  • Hidden spam links
  • Injected JavaScript
  • Redirect scripts
  • SEO spam pages

You can inspect the database using:

  • phpMyAdmin
  • Hosting database tools
  • Security plugins

Search for:

  • eval(
  • base64
  • iframe
  • suspicious scripts
  • unknown admin users

Be careful when editing database entries manually.
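Searching a database export offline is safer than editing live rows, and it lets you run all of the searches listed above in one pass. The script below is an added example for this article, not code from the article or from WordPress; it assumes you have exported the database to a `.sql` file (with mysqldump or your host's tool) and that the tables use the default `wp_` prefix. It matches `base64_decode` rather than bare `base64`, which is narrower than the list above but avoids flagging every legitimate data URI.

```bash
#!/usr/bin/env bash
# Added example (not from the article): triage a WordPress database dump
# for the markers listed in the article and for which user IDs hold the
# administrator capability. The dump path is a caller-supplied placeholder.
# Every match is a lead to inspect by hand, not a verdict.

set -u

# Usage: scan_dump site.sql
# Prints "<marker> <table> line <n>" for each dump line containing a marker.
# The table name is taken from the most recent INSERT INTO statement.
scan_dump() {
    awk '
        function hit(p) { printf "%-14s %-16s line %d\n", p, table, NR }
        /^INSERT INTO `?[A-Za-z0-9_]+`?/ { table = $3; gsub(/`/, "", table) }
        {
            low = tolower($0)
            if (index($0, "eval("))          hit("eval(")
            if (index($0, "base64_decode"))  hit("base64_decode")
            if (index(low, "<iframe"))       hit("<iframe")
            if (index(low, "<script"))       hit("<script")
        }
    ' "$1"
}

# Usage: list_admin_ids site.sql
# Every user_id whose wp_capabilities row in wp_usermeta grants administrator.
# Compare the list with the accounts you recognise; investigate any you do not.
list_admin_ids() {
    grep -o "([0-9][0-9]*,[0-9][0-9]*,'wp_capabilities','[^']*administrator[^']*')" "$1" \
        | cut -d, -f2 | sort -n | uniq
}

# Constructed three-line dump (not a real export): a post carrying an
# injected redirect script, an option holding an eval/base64 placeholder,
# and user metadata in which IDs 1 and 7 are administrators.
write_sample_dump() {
    cat > "$1" <<'EOF'
INSERT INTO `wp_posts` VALUES (10,1,'<p>Hello world</p>','Hello','publish'),(11,1,'<p>News</p><script>window.location=\"https://example.invalid/\"</script>','News','publish');
INSERT INTO `wp_options` VALUES (1,'siteurl','https://example.com','yes'),(999,'_transient_zz','<?php eval(base64_decode(\"PLACEHOLDER\"));','yes');
INSERT INTO `wp_usermeta` VALUES (1,1,'wp_capabilities','a:1:{s:13:\"administrator\";b:1;}'),(2,1,'nickname','admin'),(3,7,'wp_capabilities','a:1:{s:13:\"administrator\";b:1;}'),(4,8,'wp_capabilities','a:1:{s:10:\"subscriber\";b:1;}');
EOF
}

demo_scan_dump() {
    local tmp
    tmp=$(mktemp)
    write_sample_dump "$tmp"
    scan_dump "$tmp"
    echo "administrator user IDs: $(list_admin_ids "$tmp" | tr '\n' ' ')"
    rm -f "$tmp"
}

demo_scan_dump
```

Once a marker points at a table and line, open that row in phpMyAdmin or your hosting database tool and confirm what it is before changing anything; `<script` in particular also matches legitimate embeds, which is why the output is a shortlist rather than a delete list.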

Step 8: Reset Passwords and User Accounts

After cleanup, reset all passwords immediately.

This includes:

  • WordPress admin accounts
  • Hosting account
  • FTP/SFTP accounts
  • Database passwords
  • Email accounts connected to the domain

Also:

  • Remove unused users
  • Review administrator accounts
  • Enable strong passwords
  • Enable two-factor authentication if possible

A hacked admin account can reinfect the website even after cleanup.

Step 9: Update Everything

Outdated software is one of the main causes of reinfection.

Update:

  • WordPress core
  • Themes
  • Plugins
  • PHP version

If a plugin has not been updated in a long time, replacing it is often safer than continuing to use it.

Step 10: Request a Review if Google Flagged the Website

If your website was marked as unsafe in Google Search Console:

  1. Clean the website fully
  2. Confirm the infection is removed
  3. Open Google Search Console
  4. Request a security review

Google may take several days to remove warnings.

Practical Tips From Real Website Cleanup Work

A few things regularly help during malware cleanup:

Keep Old Clean Backups

Sometimes restoring a clean backup is faster than manual cleanup.

However, always scan old backups before restoring them because older infections may already exist inside them.

Avoid Nulled Plugins and Themes

Many hacked websites trace back to pirated premium plugins.

The short-term savings usually lead to security problems later.

Use Hosting-Level Security Too

Good hosting providers often include:

  • Malware scanning
  • Firewall protection
  • File monitoring
  • Automatic backups

This adds another security layer beyond WordPress plugins.

Monitor File Changes

Some security plugins track file changes and alert you when files are modified unexpectedly.

This helps detect future problems earlier.
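If you want this without depending on a plugin, the same idea fits in a short script: hash every file once the site is known clean, then compare against that baseline on a schedule. The script below is an added example for this article, not code from the article or from any plugin; the site path and baseline file are placeholders you supply, and it deliberately skips uploads and cache because those directories change legitimately all the time.

```bash
#!/usr/bin/env bash
# Added example (not from the article): a minimal file-change monitor for a
# WordPress tree. Take a SHA-256 baseline when the site is clean, then run
# check_tree from cron and act on any CHANGED / ADDED / REMOVED line.
# Paths are caller-supplied placeholders.

set -u

# Usage: snapshot_tree /path/to/site baseline.sha256
# Writes "<hash>  <path>" lines, sorted, for every file except uploads and cache.
snapshot_tree() {
    local site="$1" out="$2" f
    ( cd "$site" && find . -type f \
          ! -path './wp-content/uploads/*' ! -path './wp-content/cache/*' \
        | LC_ALL=C sort | while read -r f; do sha256sum "$f"; done ) > "$out"
}

# Usage: check_tree /path/to/site baseline.sha256
# Prints one line per difference; prints nothing when the tree still matches.
check_tree() {
    local site="$1" base="$2" now
    now=$(mktemp)
    snapshot_tree "$site" "$now"
    # sha256sum lines are "<hash>  <path>": $1 is the hash, $2 the path.
    awk 'FILENAME == ARGV[1] { old[$2] = $1; next }
         {
             if (!($2 in old))        print "ADDED   " $2
             else if (old[$2] != $1)  print "CHANGED " $2
             seen[$2] = 1
         }
         END { for (p in old) if (!(p in seen)) print "REMOVED " p }' "$base" "$now"
    rm -f "$now"
}

# Constructed demonstration on a throwaway directory (not a real site):
# baseline three files, then edit one, add one, delete one, and drop a new
# media file into uploads to show that it is ignored.
demo_check_tree() {
    local tmp site base
    tmp=$(mktemp -d); site="$tmp/site"; base="$tmp/baseline.sha256"
    mkdir -p "$site/wp-includes" "$site/wp-content/uploads"
    printf '<?php // a\n' > "$site/index.php"
    printf '<?php // b\n' > "$site/wp-includes/functions.php"
    printf '<?php // c\n' > "$site/wp-settings.php"
    snapshot_tree "$site" "$base"                            # clean baseline
    printf '<?php // a\n// changed\n' > "$site/index.php"    # later: edited
    printf '<?php // new\n' > "$site/wp-includes/zz-new.php" # later: added
    rm "$site/wp-settings.php"                               # later: removed
    printf 'x\n' > "$site/wp-content/uploads/new.jpg"        # ignored by design
    check_tree "$site" "$base"
    rm -rf "$tmp"
}

demo_check_tree
```

Store the baseline file outside the web root and refresh it only after you have applied an update yourself; a CHANGED or ADDED line that you cannot tie to an update you performed is exactly the early warning this section is about.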

Common Mistakes

Cleaning Only Visible Symptoms

Removing spam pages without finding the actual backdoor usually leads to reinfection.

Leaving Old Plugins Installed

Inactive plugins can still be exploited if vulnerabilities exist.

Ignoring User Accounts

Unknown administrator accounts are a major warning sign.

Skipping Password Resets

Even clean websites can be compromised again if attackers still have login access.

Restoring an Infected Backup

This is more common than many people realize.

Always scan backups before restoring them.

When to Use a Security Plugin vs Professional Cleanup

For smaller infections, security plugins are often enough.

However, professional cleanup may be better if:

  • The site keeps getting reinfected
  • Hosting access is compromised
  • Multiple websites on the server are infected
  • Search engines blacklisted the domain
  • You cannot identify the infection source

On business websites with SEO traffic or ecommerce revenue, professional cleanup can sometimes save a lot of time.

Conclusion

Scanning WordPress for malware is usually a process of identifying infected files, replacing compromised components, resetting access credentials, and improving long-term security.

The important part is removing the source of the infection rather than only fixing visible symptoms. On the WordPress sites I build, regular updates, reliable hosting, backups, and careful plugin management prevent most security problems before they start.