How to remove malware from my WordPress site? If you find yourself often asking this question, you’re not alone. WordPress website owners across the world are worried about malware and hackers, thanks to the popularity of the WordPress platform. Think about it. When a platform is popular enough to be the undisputed CMS market leader, you can be sure that hackers have their eyes set on it too.
In this article, we show you some effective and recommended ways to remove malware from your WordPress site.
SYMPTOMS OF MALWARE INFECTION ON YOUR SITE
Before we tell you how to remove malware from WordPress websites, let us take a moment to understand how you can tell if your site is infected.
Here are some of the telltale signs of a malware infection:
- There is a sudden change in your website traffic
- Your website is suspended by your web host or by Google, thus blocking traffic to your site. You could even be blacklisted by Google.
- The message “This site may be hacked” shows up for your website on Google search results.
- Your customers start complaining about not being able to access their accounts or even your website.
- Unauthorized pop-up ads appear on your website.
- You or your customers start receiving many spam emails.
These are only a few symptoms that suggest that your WordPress site could be infected with malware. You can see how damaging malware can be for your reputation, SEO rankings, your traffic, and your bottom line.
Before discussing removing malware from WordPress, let us first understand where most malware infections are located in your installation.
WHERE CAN YOU LOCATE MALWARE ON YOUR SITE?
Depending on the type of attack, hackers can gain unauthorized access to different areas of your WordPress installation. Listed below are the areas that are most likely to be infected:
- WordPress files or folders, including PHP files like the wp-config.php file.
- Database tables or records.
- Plugin/theme files installed on your website.
The best way to know the actual site of infection is to perform a deep scan of your entire site. Let us look at ways of scanning your WordPress site for malware infections.
HOW TO SCAN YOUR WORDPRESS SITE FOR MALWARE
Malware scanning is the first step towards cleaning your WordPress site of all infections. A complete scan determines whether your website is indeed infected.
For complete malware scanning and removal, here are the three steps you need to perform:
- Scan for malware in your WordPress site.
- If found, remove malware from the WordPress site.
- Prevent future malware infections on your WordPress site.
Let us first learn how to scan for malware on your WordPress site either through:
- manual scanning
- a malware scanning tool
SCAN FOR MALWARE MANUALLY
For a complete scan, you need to scan your WordPress installation files and your WordPress database system. This requires a fair bit of technical and WordPress know-how, enough to work with tools like FileZilla or phpMyAdmin, and with WordPress files and databases.
Most core WordPress files should never be modified. You need to check for integrity issues in the wp-admin, wp-includes, and root folders.
For manual scanning of WordPress installation files:
- Download a fresh copy of the WordPress version your site uses.
- Then, access your installation files through FTP or a file manager.
- Compare the current installation files with the downloaded copy – to see if they have been recently modified (using their date and time stamp).
- Make sure to check for any recent modifications in crucial files (or folders) of your existing installation like wp-config.php, .htaccess, or the wp-content folder. These folders should not contain any executable files. If there are any PHP or JavaScript files here, this could point to malware.
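The file comparison above, as an added Python example that is not part of the original article. It compares content hashes instead of date and time stamps, because timestamps can be reset, and it narrows the script check to wp-content/uploads since plugins and themes under wp-content legitimately contain PHP. The directory trees and file contents are constructed for the demonstration.

```python
import hashlib
import tempfile
from pathlib import Path

CORE_DIRS = ("wp-admin", "wp-includes")         # must match the fresh download
SITE_SPECIFIC = {"wp-config.php", ".htaccess"}  # not in the download: review by hand
SCRIPT_EXT = {".php", ".js"}


def sha256(path: Path) -> str:
    return hashlib.sha256(path.read_bytes()).hexdigest()


def compare_install(site: Path, clean: Path) -> dict:
    """Classify every file in `site` against the pristine tree in `clean`."""
    report = {"modified": [], "unknown": [], "review": [], "uploads_scripts": []}
    for path in sorted(p for p in site.rglob("*") if p.is_file()):
        rel = path.relative_to(site)
        name = rel.as_posix()
        if name in SITE_SPECIFIC:
            report["review"].append(name)
        elif len(rel.parts) == 1 or rel.parts[0] in CORE_DIRS:
            ref = clean / rel
            if not ref.is_file():
                report["unknown"].append(name)    # the release never shipped this file
            elif sha256(ref) != sha256(path):
                report["modified"].append(name)   # core file content was changed
        elif rel.parts[:2] == ("wp-content", "uploads") and path.suffix.lower() in SCRIPT_EXT:
            report["uploads_scripts"].append(name)
    return report


def build_demo(root: Path):
    """Constructed sample trees: a clean copy and a tampered site."""
    core = {
        "index.php": "<?php // front controller\n",
        "wp-admin/admin.php": "<?php // admin bootstrap\n",
        "wp-includes/version.php": "<?php $wp_version = 'x.y';\n",
    }
    clean, site = root / "clean", root / "site"
    for base in (clean, site):
        for rel, body in core.items():
            target = base / rel
            target.parent.mkdir(parents=True, exist_ok=True)
            target.write_text(body)
    (site / "wp-includes/version.php").write_text(
        core["wp-includes/version.php"] + "// constructed: appended line\n")
    (site / "wp-admin/cache.php").write_text("<?php // constructed: not in the release\n")
    (site / "wp-config.php").write_text("<?php // constructed site config\n")
    uploads = site / "wp-content/uploads/2024"
    uploads.mkdir(parents=True)
    (uploads / "photo.jpg").write_bytes(b"\xff\xd8\xff")
    (uploads / "thumb.php").write_text("<?php // constructed: script in uploads\n")
    return site, clean


def demo() -> dict:
    with tempfile.TemporaryDirectory() as tmp:
        site, clean = build_demo(Path(tmp))
        return compare_install(site, clean)


if __name__ == "__main__":
    for category, names in demo().items():
        print(f"{category}: {names}")
```

On a real site, point `compare_install` at a downloaded copy of the installation and at an unpacked fresh copy of the same WordPress version.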
For manual scanning of your database:
- Connect to your current database tables and check the records for malicious code that calls functions like “base64_decode” and “gzinflate.”
- Check for unknown links or iFrames that hackers inject into database records.
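The two database checks above, as an added Python example that is not part of the original article. An in-memory SQLite database stands in for the site's MySQL database; the default `wp_` table prefix, the scanned columns, the allowed host `example.com` and all rows are assumptions constructed for the demonstration.

```python
import re
import sqlite3
from urllib.parse import urlparse

# Markers named in the article, plus the iframe tag.
PATTERNS = {
    "base64_decode": re.compile(r"base64_decode\s*\(", re.I),
    "gzinflate": re.compile(r"gzinflate\s*\(", re.I),
    "iframe": re.compile(r"<iframe\b", re.I),
}
URL_RE = re.compile(r"""(?:href|src)\s*=\s*["']?(https?://[^"'\s>]+)""", re.I)

# table -> (id column, text column); fixed constants, never user input
TARGETS = {
    "wp_posts": ("ID", "post_content"),
    "wp_options": ("option_id", "option_value"),
}


def scan_text(text, known_hosts):
    """Return the marker names and unknown link hosts found in one record."""
    hits = [name for name, rx in PATTERNS.items() if rx.search(text)]
    for url in URL_RE.findall(text):
        host = (urlparse(url).hostname or "").lower()
        if host not in known_hosts:
            hits.append(f"unknown-link:{host}")
    return hits


def scan_database(conn, known_hosts):
    """Scan every targeted column and list (table, row id, hits) for review."""
    findings = []
    for table, (id_col, text_col) in TARGETS.items():
        query = f"SELECT {id_col}, {text_col} FROM {table} ORDER BY {id_col}"
        for row_id, text in conn.execute(query):
            hits = scan_text(text or "", known_hosts)
            if hits:
                findings.append((table, row_id, hits))
    return findings


def build_demo_db():
    """Constructed sample data: two clean rows and two suspicious ones."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE wp_posts (ID INTEGER PRIMARY KEY, post_content TEXT)")
    conn.execute("CREATE TABLE wp_options (option_id INTEGER PRIMARY KEY,"
                 " option_name TEXT, option_value TEXT)")
    conn.executemany("INSERT INTO wp_posts VALUES (?, ?)", [
        (1, '<p>See our <a href="https://example.com/about">about page</a>.</p>'),
        (2, '<p>Sale</p><iframe src="http://unknown.example.net/x" width="1"></iframe>'),
    ])
    conn.executemany("INSERT INTO wp_options VALUES (?, ?, ?)", [
        (10, "blogname", "My Shop"),
        (11, "widget_text", "<?php eval(gzinflate(base64_decode('CONSTRUCTED'))); ?>"),
    ])
    return conn


def demo_findings():
    return scan_database(build_demo_db(), known_hosts={"example.com"})


if __name__ == "__main__":
    for table, row_id, hits in demo_findings():
        print(f"{table} id={row_id}: {', '.join(hits)}")
```

Each finding is a record to review by hand, not proof of infection: legitimate content can embed iframes or link to third-party hosts.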
As observed, manual scanning is long and time-consuming – and must be attempted only by technical WordPress experts. There is also the possibility of missing some hidden malware.
Next, let us discuss automated scanning using a malware scanning tool or plugin.
SCAN FOR MALWARE USING A PLUGIN OR TOOL
A faster and easier way of scanning your WordPress website and database for malware is through a malware scanning tool or plugin. WordPress security plugins have evolving algorithms that can detect even malware that you may miss in the manual method. They can be installed just like other WordPress plugins and help you scan multiple websites, plugins, themes, and the database in a few clicks.
There are plenty of free and paid malware scanning tools available in the market but we recommend investing in a paid plugin like MalCare, Sucuri, or Wordfence, for the deep scanning and up-to-date malware detection they guarantee.
Now that you know how you can confirm the malware infection on your site, let us look at how to remove malware from a WordPress site.
HOW TO REMOVE MALWARE FROM WORDPRESS WEBSITES
After detecting the malware code, it is time to remove the infection from your WordPress site. This needs to be done in such a way that there is no more trace of the malware on your entire site.
As in the case of malware scanning, there are two ways to remove WordPress malware, namely:
- Through manual cleanups
- Using a malware removal tool
Let us discuss each of these two methods. However, before executing either of these methods, make sure you take a complete backup of your existing WordPress installation and database files. You can use an automated backup plugin like BlogVault that lets you run unlimited on-demand backups.
CLEANUP MALWARE FROM WORDPRESS MANUALLY
As in the case of manual malware scanning, manual cleanup is a long and technical process, where you need to complete two steps:
- Cleaning the infected WordPress files or folders
- Cleaning the hacked database tables
To begin, download a fresh copy of the WordPress version that you are using.
To clean your infected WordPress files:
- Use an FTP tool like FileZilla to connect to your current WordPress installation.
- Replace each of your infected (or modified) files with the corresponding file from your fresh copy or stored backup.
To clean your WordPress database:
- Connect to your database using your admin panel.
- Delete any records containing suspicious code – or remove the entire table. For any customized files, you need to remove the suspicious code from the file manually.
Because of their complexity, manual cleanups can easily go wrong and end up damaging your website. Additionally, with hackers devising new ways of compromising websites, manual scanning and cleaning may not be effective against every type of malware attack.
Let us check how automatic malware removal using plugins fares compared to manual cleanups.
FIGHT MALWARE USING A MALWARE REMOVAL PLUGIN
Apart from detecting malware on websites, malware scanning tools can also eliminate malware from WordPress sites with just a few clicks. All you need to do is to install a security plugin like MalCare or Sucuri on your website, and they will do the rest.
With the MalCare tool, you do not need to even wait to get WordPress support or technical assistance to remove the malware. Once you have installed the tool, it automatically scans your website for any malware. If it finds a hack, it alerts you so you can log in and use the “Auto Clean” feature to clean both your WordPress files and database in a few clicks and within a few minutes.
However, malware attempts and attacks are not a one-time affair. Hackers will be back again to try and infect your site. You have to make sure that your site is protected from future attacks. Next, let us find out how you can do that.
Creating and managing your own WordPress site has never been easier. With free themes, plugins and more you can have your business website or blog up and running in no time. Yet, one problem with this increase in site volume is an increase in malware. Malware is any software that disrupts normal functioning of a site and/or steals data. What is worse, most users are not aware that their sites are exposed to these nasty programs. But the good news is this. There are a ton of WordPress plugins that combat malware! So, here are the best WordPress malware removal plugins you can get today.
First, how do I know if my site has malware?
Malware comes in all shapes and sizes. And new versions of malware come daily. So, how do you know if your website’s infected? Here are 7 common signs that your site might have malware.
- Unable to login to WordPress
- Sudden drop in traffic
- Design of site altered or removed
- New user accounts in WordPress dashboard
- Spammy links added to your site
- Pop-up screens and ads
- Your site becomes unresponsive
If your site is experiencing any of the above symptoms, you might want to do a malware scan.
The good news is free and paid plugins offer protection against these programs. So, let us dive into the 12 best WordPress malware plugins you can get today…
1) Wordfence Security – Firewall & Malware Scan
First on the list is one of the most popular WordPress security plugins on the market. Wordfence Security protects your site from malicious attacks, hackers, and bots. This plugin offers a firewall and malware scans designed to get rid of existing malware. It also provides security protection to keep new attacks from infecting your site.
Our Score – 9.5/10
Highlights:
- Free version should meet most site owners’ security needs
- Custom login URL option for advanced user login
- Weekly reporting option directly to your email
- reCAPTCHA to protect WordPress login, register and comment forms.
- All in one security plugin
Downsides:
This plugin is one of the best all-encompassing security plugins out there. The only knock on this plugin is the speed of its malware scan. It tends to run slowly because of how in-depth it is. But other than that, this is our top pick for security features and user friendliness.
2) Cerber Security, Anti-spam & Malware Scan
Cerber Security, Anti-spam & Malware Scan is one of the best for complete protection. Offering advanced protection against hackers, spam, malware and brute force attacks, this plugin does it all. It also includes a routine security report as an added benefit.
Score – 9.2/10
Highlights:
- Email report setup and log file access.
- Offers malware background scans
- Includes dual malware/virus protection
- Create custom login URL
- Automatically detects spam comments
- Security scanner verifies WP core files.
Downsides:
This plugin is a great choice for experienced WordPress users that know how to navigate plugin settings. This plugin may be hard to use for the novice site owner.
3) iThemes Security (formerly Better WP Security)
Next up is the iThemes Security plugin. This plugin was formerly Better WP Security, and the new and improved plugin is certainly worth a look. With 1+ million active installations, iThemes provides over 30 ways to keep your site secure. These include malware scans, virus detection, anti-spam, and file checkers. This robust plugin is a great option for those that have some experience and want a lot of security features.
Score – 9/10
Highlights:
- Offers Google reCaptcha for anti-spam.
- Deep malware scans and scheduling.
- Password security.
- Two-factor authentication offered.
Downsides:
This is a widely used WordPress malware plugin that offers a ton of advanced features.
One downside of this plugin is it is not quite as user friendly as some others on the list. If you have a little experience however, this is a great option to try!
4) Anti-Malware Security and Brute-Force Firewall
Next up is the Anti-Malware Security and Brute-Force Firewall plugin. As their name suggests, this plugin specializes in identifying and removing malware. Designed to identify new threats, this makes a great choice for ongoing security.
Score – 8.8/10
Highlights:
- Massive defense against malware.
- Complete scan removes known security threats and database injections.
- Checks the integrity of your WordPress core files.
- Automatically downloads definition updates to protect against new attacks.
Downsides:
This plugin specializes in malware. It may not be as comprehensive as your site needs if you are suffering from spam comments and pingbacks.
5) Titan Anti-Spam & Security
The next plugin that is known for identifying malware is Titan Anti-Spam & Security. This plugin includes anti-spam, firewall, malware scanner and defense audits. This all-in-one security plugin is great for getting rid of existing malware. Their comprehensive firewall, which stops brute force attacks by restricting login attempts, is a nice addition! What is more, Titan Anti-Spam & Security has an easy-to-use interface. Perfect for those that need a quick solution.
Score – 8.4/10
Highlights:
- Impressive malware security scanner with over 1000 signatures for the basic plan.
- Titan user interface makes deleting suspect files easy.
- Checks your site’s existing vulnerabilities and provides defense recommendations.
- Comprehensive security plugin
Downsides:
Although this is a comprehensive plugin, many of the advanced features are only accessible with a PRO plan. May not be enough protection for more established sites.
6) Astra Security Suite – Firewall and Malware Scan
Next up on our list of the best WordPress malware fighting plugins is the Astra Security Suite. The newest plugin to join the list, this has the potential to be one of the best security plugins out there. It is an advanced all-in-one suite that includes a firewall, anti-spam, brute force protection and malware scans. What is even better is that this plugin is extremely easy to set up. A 5-minute quick installation is all you need. No DNS changes necessary. This is a fantastic option for those looking for an all-in-one solution that has a smaller active user base.
Score – 8.2/10
Highlights:
- All in one security platform for most needs.
- Guided setup
- One click scans for easy detection.
- Impressive spam detection for SEO and comments.
Downsides:
The only downside to this plugin is its relatively small user base and lack of in-depth user reviews. However, this is a solid choice for security plugins with advanced anti-spam features.
7) Defender Security – Malware Scanner, Login Security & Firewall
This impressive, all-encompassing security plugin should be given serious consideration. Defender security offers a malware scanner, IP blocking, audit logs and more. And this is standard for the free version of the plugin. Be sure to check out their platform of plugins to improve SEO and enhance your site!
Score – 8.2/10
Highlights:
- Login masking.
- Server and core update alerts (critical for security)
- Disable WordPress file editor to stop hackers in their tracks.
- Includes malware scan and security firewall.
Downsides:
This is a great plugin for those that need an all-in-one security solution. Yet, we did not find the interface to be the most user friendly. Also, some of the advanced features negatively impact search engine visibility. Use carefully!
8) Sucuri Security
Another immensely popular all-in-one security plugin is Sucuri. This plugin specializes in all things malware removal and auditing. This is a good option for those in search of a tried and tested malware security plugin. Sucuri also specializes in transparency to their users. Easily monitor logs, core files, brute force attacks and more!
Score – 8/10
Highlights:
- Blacklist Monitoring
- Deep scan malware protection.
- Post hack actions
- Offers remote malware scanning.
Downsides:
This is a widely used WordPress malware removal solution. However, this does not feature a full suite of protection. It does offer a firewall with its premium plan.
9) Ninja Scanner Virus and Malware Protection
This lightweight plugin offers some great security features. And it should not slow down your site! The malware scanner checks for existing vulnerabilities and identifies security gaps. What is more, this plugin includes virus detection as well. With this fast security plugin, you receive good protection without sacrificing speed.
Score – 8/10
Highlights:
- File integrity checker.
- Email report setup and log file access.
- Offers malware background scans
- Includes dual malware/virus protection
Downsides:
This plugin is designed to give solid security without slowing down your site. The scans may not provide an in-depth review of infected files. This plugin also does include anti-spam.
10) Malcare Security Plugin for WordPress Websites
The Malcare plugin has been around for some time, and with good reason. It is one of the most utilized plugins for security scans and malware detection. The best part is Malcare might be the easiest to use plugin on the list. Malcare offers a one click protection scan. This makes finding and removing harmful programs a breeze. It also has a deep cloud-based scanner offering optimal protection against advanced attacks.
Score – 7.8/10
Highlights:
- File integrity checker.
- Email report setup and log file access.
- Offers malware background scans
- Includes dual malware/virus protection
Downsides:
This plugin is designed to give solid security without slowing down your site. The scans may not provide an in-depth review of infected files. This plugin also does include anti-spam.
11) NinjaFirewall (WP Edition) – Advanced Security
This plugin operates slightly differently than the rest on this list. As a true standalone firewall, this provides additional security measures to your site. And it still operates much like any other plugin would. This gives you the added benefit of having security built in front of your WordPress site. This is opposed to cloud-based security plugins.
Score – 7.5/10
Highlights:
- Blazing fast brute force attack protection.
- Standalone firewall.
- Offers a live log of traffic.
- Simple to use interface.
Downsides:
This plugin offers great security with the added benefit of being a true standalone security plugin. However, its malware scanning might be lacking compared to other options on this list.
12) Quttera
Another solid malware scanning option is Quttera. This plugin features in depth malware scanning and trojan horse detection. One added benefit of this plugin is it also checks Google periodically to see if your site has been blacklisted! This is a common sign that indicates your site has been hacked.
Score – 7.5/10
Highlights:
- Offers a comprehensive security platform for most needs.
- Google blacklisted site integration.
- One click scans for easy detection.
- Simple to use interface.
Downsides:
This plugin has an impressive list of security features; however, these may conflict with other plugins. Some users have noted compatibility issues. Be sure to test this plugin in a staging environment before going live.
13) CleanTalk Security and Malware Scan
A lightweight, all-in-one security plugin that is relatively new to the scene. It may be worth a look as it includes a suite of features in its free plan. CleanTalk offers one-click malware scans, a web app firewall, a security log and updates.
Score – 7.5/10
Highlights:
- All in one security platform for most needs.
- Daily malware log and reporting
- One click scans for easy detection.
- Lightweight so should not interfere with site speed
Downsides:
This plugin is still working out some user interface issues. However, this could be due to plugin incompatibility. Much like the Clean Talk plugin, make sure to test in a staging environment first.
HOW TO PREVENT MALWARE INFECTIONS IN THE FUTURE
While there is no such thing as 100% immunity from hackers, you can implement security measures to make it harder for them to attack your site. Here are ten measures that help:
- Switch to a more secure WordPress web hosting provider.
- Apply regular updates to Core WordPress as well as installed plugins/themes.
- Implement a strong password policy for all users.
- Install a website firewall to block any suspicious IP requests to your website server.
- Take regular backups of your WordPress website and database files.
- Protect your WordPress account by limiting the number of login attempts or enabling Two-Factor authentication.
- Implement the SSL certification for your website.
- Limit the number of administrative (or “admin”) users by implementing various user roles.
- Install a WordPress security plugin or tool.
- Implement website hardening measures such as disabling file editing of PHP files, blocking PHP execution in untrusted folders, changing security keys, etc. Security software like MalCare integrates website hardening measures into its features so even non-technical users can harden their websites in a few clicks.
These measures, recommended by WordPress security experts, should be part of your WordPress maintenance strategy.
CONCLUSION
We hope this article helped you understand how to eliminate malware from a hacked WordPress site. Manual scanning and removal methods are quite complex and recommended for more technical users with an understanding of WordPress, its file structure, etc. For everyone else, we recommend security plugins like MalCare or Sucuri designed specifically to ensure the security of a WordPress site. MalCare, for instance, includes most of the security measures included in this article in addition to malware scanning and removal. So whether it is firewall protection, login protection, 2-factor authentication, or updates, everything is taken care of from within a single dashboard.
Need help keeping your WordPress website safe and secure? You may want to consider our WordPress maintenance service. We would be happy to help and partner with you!