How To Remove Malware From Your WordPress Website


How to remove malware from my WordPress site? If you find yourself often asking this question, you’re not alone. WordPress website owners across the world are worried about malware and hackers, thanks to the popularity of the WordPress platform. Think about it. When a platform is popular enough to be the undisputed CMS market leader, you can be sure that hackers have their eyes set on it too.

In this article, we show you some effective and recommended ways to remove malware from your WordPress site.


Before we tell you how to remove malware from WordPress sites, let us take a moment to understand how you can tell if your site is infected.

Here are some of the telltale signs of a malware infection:

  • There is a sudden change in your website traffic.
  • Your website is suspended by your web host or by Google, thus blocking traffic to your site. You could even be blacklisted by Google.
  • The message “This site may be hacked” shows up for your website on Google search results.
  • Your customers start complaining about not being able to access their accounts or even your website.
  • Unauthorized pop-up ads appear on your website.
  • You or your customers start receiving many spam emails.

These are only a few symptoms that suggest that your WordPress site could be infected with malware. You can see how damaging malware can be for your reputation, SEO rankings, your traffic, and your bottom line.

Before discussing removing malware from WordPress sites, let us first understand where most malware infections are located in your installation.


Depending on the type of attack, hackers can gain unauthorized access to different areas of your WordPress installation. Listed below are the areas that are most likely to be infected:

  • WordPress files or folders, including PHP files like the wp-config.php file.
  • WordPress database tables or records.
  • Plugin/theme files installed on your website.

The best way to know the actual site of infection is to perform a deep scan of your entire site. Let us look at ways of scanning your WordPress site for malware infections.


Malware scanning is the first step towards cleaning your WordPress site of all infections. A complete scan determines whether your website is indeed infected.

For complete malware scanning and removal, here are the three steps you need to perform:

  1. Scan for malware in your WordPress site.
  2. If found, remove malware from the WordPress site.
  3. Prevent future malware infections on your WordPress site.

Let us first learn how to scan for malware on your WordPress site either through:

  • manual scanning
  • a malware scanning tool

Scan for malware manually

For a complete scan, you need to scan both your WordPress installation files and your WordPress database. This requires a fair bit of technical and WordPress know-how, enough to work with tools like FileZilla or phpMyAdmin, and with WordPress files and databases.

Most core WordPress files should never be modified. You need to check for integrity issues in the wp-admin, wp-includes, and root folders.

For manual scanning of WordPress installation files:

  1. Download a fresh copy of the WordPress version your site uses.
  2. Then, access your installation files through FTP or a file manager.
  3. Compare the current installation files with the downloaded copy – to see if they have been recently modified (using their date and time stamp).
  4. Make sure to check for any recent modifications in crucial files (or folders) of your existing installation like wp-config.php, .htaccess, or the wp-content folder. These folders should not contain any executable files. If there are any PHP or JavaScript files here, this could point to malware.
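
An added example, not part of the original article: the file comparison from the steps above as a Python script. It compares SHA-256 hashes rather than timestamps, since a timestamp can be reset while a changed file always hashes differently; treating wp-content/uploads as the folder that should hold no scripts is an assumption, and the two sample trees are constructed.

```python
import hashlib
import tempfile
from pathlib import Path

CORE_DIRS = ("wp-admin", "wp-includes")  # core code that should match the release
NO_EXEC_DIR = "wp-content/uploads"       # assumption: media folder, no scripts expected
EXEC_EXT = (".php", ".phtml", ".js")

def sha256(path):
    return hashlib.sha256(Path(path).read_bytes()).hexdigest()

def rel_files(root, sub):
    """Paths ('/'-separated, relative to root) of every file under root/sub."""
    return [p.relative_to(root).as_posix() for p in Path(root, sub).rglob("*") if p.is_file()]

def audit(site, fresh):
    """Compare a live install with a fresh copy of the same WordPress version."""
    report = {"modified": [], "unexpected": [], "exec_in_uploads": []}
    candidates = [p for d in CORE_DIRS for p in rel_files(site, d)]
    # Root files too; site-specific ones (wp-config.php, .htaccess) show as unexpected.
    candidates += [p.name for p in Path(site).iterdir() if p.is_file()]
    for rel in sorted(candidates):
        if not Path(fresh, rel).is_file():
            report["unexpected"].append(rel)
        elif sha256(Path(fresh, rel)) != sha256(Path(site, rel)):
            report["modified"].append(rel)
    report["exec_in_uploads"] = sorted(
        p for p in rel_files(site, NO_EXEC_DIR) if p.lower().endswith(EXEC_EXT))
    return report

def demo():
    """Audit two small constructed trees (stand-ins, not a real WordPress release)."""
    clean = {"index.php": "<?php // loader", "wp-admin/admin.php": "<?php // admin",
             "wp-includes/load.php": "<?php // core"}
    live = {**clean,
            "wp-includes/load.php": "<?php // core\n// appended line",
            "wp-admin/cache.php": "<?php // file the release does not ship",
            "wp-config.php": "<?php // site settings",
            "wp-content/uploads/2024/logo.png": "image bytes",
            "wp-content/uploads/2024/thumb.php": "<?php // script in a media folder"}
    with tempfile.TemporaryDirectory() as tmp:
        for name, tree in (("fresh", clean), ("site", live)):
            for rel, body in tree.items():
                target = Path(tmp, name, rel)
                target.parent.mkdir(parents=True, exist_ok=True)
                target.write_text(body)
        return audit(Path(tmp, "site"), Path(tmp, "fresh"))

if __name__ == "__main__":
    print(demo())
```

To use it on real files, call audit() with the path of a downloaded copy of the site and the path of the unpacked fresh release.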

For manual scanning of your WordPress database:

  1. Connect to your current WordPress database and check the records in its tables for malicious code that uses functions like “base64_decode” and “gzinflate.”
  2. Check for unknown links or iFrames that hackers inject into database records.
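
An added example, not part of the original article: the two database checks above applied to rows already exported from the database (the export step itself is left out). The rows, host names and the (table, id, column, text) row shape are constructed assumptions, and "unknown link" is taken to mean a host outside a list you maintain.

```python
import re
from urllib.parse import urlparse

# Function names the article says to look for, followed by an opening parenthesis.
CALLS = re.compile(r"\b(base64_decode|gzinflate)\s*\(", re.I)
IFRAME = re.compile(r"<iframe\b", re.I)
URL = re.compile(r"""(?:href|src)\s*=\s*["']?(https?://[^"'\s>]+)""", re.I)

def scan_rows(rows, known_hosts):
    """rows: (table, row_id, column, text). Returns (location, row_id, reason) tuples."""
    findings = []
    for table, row_id, column, text in rows:
        where = f"{table}.{column}"
        for name in sorted({m.lower() for m in CALLS.findall(text)}):
            findings.append((where, row_id, f"calls {name}()"))
        if IFRAME.search(text):
            findings.append((where, row_id, "contains an iframe"))
        # Every linked or embedded host that is not on the site's own list.
        hosts = {urlparse(u).hostname or "" for u in URL.findall(text)}
        for host in sorted(hosts - set(known_hosts)):
            findings.append((where, row_id, f"links to unlisted host {host}"))
    return findings

# Constructed sample rows; the encoded string is a harmless placeholder.
SAMPLE_ROWS = [
    ("wp_posts", 12, "post_content",
     '<p>See <a href="https://shop.example/sale">our sale</a></p>'),
    ("wp_posts", 37, "post_content",
     '<p>News</p><iframe src="http://unlisted.example/w" width="0"></iframe>'),
    ("wp_options", 410, "option_value",
     'gzinflate(base64_decode("PLACEHOLDER"));'),
    ("wp_posts", 58, "post_content",
     '<a href="https://cdn.shop.example/a.pdf">PDF</a>'),
]
KNOWN_HOSTS = {"shop.example", "cdn.shop.example"}

if __name__ == "__main__":
    for finding in scan_rows(SAMPLE_ROWS, KNOWN_HOSTS):
        print(finding)
```

A legitimate embed, such as a video player, is also reported as an iframe; each finding is a row to review by hand, not proof of infection.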

As observed, manual scanning is long and time-consuming – and must be attempted only by technical WordPress experts. There is also the possibility of missing some hidden malware.

Next, let us discuss automated scanning using a malware scanning tool or plugin.


A faster and easier way of scanning your WordPress website and database for malware is through a malware scanning tool or plugin. WordPress security plugins have evolving algorithms that can detect even malware that you may miss in the manual method. They can be installed just like other WordPress plugins and help you scan multiple websites, plugins, themes, and the database in a few clicks.

There are plenty of free and paid malware scanning tools available in the market, but we recommend investing in a paid plugin like MalCare, Sucuri, or Wordfence, for the deep scanning and up-to-date malware detection they guarantee.

Now that you know how you can confirm the malware infection on your site, let us look at how to remove malware from a WordPress site.


After detecting the malware code, it is time to remove the infection from your WordPress site. This needs to be done in such a way that there is no more trace of the malware on your entire site.

As in the case of malware scanning, there are two ways to remove WordPress malware, namely:

  • Through manual cleanups
  • Using a malware removal tool

Let us discuss each of these two methods. However, before executing either of these methods, make sure you take a complete backup of your existing WordPress installation and database files. You can use an automated backup plugin like BlogVault that lets you run unlimited on-demand backups.


As in the case of manual malware scanning, manual cleanup is a long and technical process, where you need to complete two steps:

  1. Cleaning the infected WordPress files or folders
  2. Cleaning the hacked WordPress database tables

To begin, download a fresh copy of the WordPress version that you are using.

To clean your infected WordPress files:

  1. Use an FTP tool like FileZilla to connect to your current WordPress installation.
  2. Replace each of your infected (or modified) files with the corresponding file from your fresh copy or stored backup.

To clean your WordPress database:

  1. Connect to your WordPress database using your admin panel.
  2. Delete any records containing suspicious code – or remove the entire table. For any customized files, you need to remove the suspicious code from the file manually.

Because of their complexity, manual cleanups can easily go wrong and end up damaging your website. Additionally, with hackers devising new ways of compromising websites, manual scanning and cleaning may not be effective against every type of malware attack.

Let us check how automatic malware removal using plugins fares compared to manual cleanups.


Apart from detecting malware on websites, malware scanning tools can also remove malware from WordPress sites with just a few clicks. All you need to do is to install a security plugin like MalCare or Sucuri on your website, and they will do the rest.

With the MalCare tool, you do not need to even wait to get WordPress support or technical assistance to remove the malware. Once you have installed the tool, it automatically scans your website for any malware. If it finds a hack, it alerts you so you can log in and use the “Auto Clean” feature to clean both your WordPress files and database in a few clicks and within a few minutes.

However, malware attempts and attacks are not a one-time affair. Hackers will be back again to try and infect your site. You have to make sure that your site is protected from future attacks. Next, let us find out how you can do that.


While there is no such thing as 100% immunity from hackers, you can implement security measures to make it harder for them to attack your site. Here are ten measures that help:

  1. Switch to a more secure WordPress web hosting provider.
  2. Apply regular updates to Core WordPress as well as installed plugins/themes.
  3. Implement a strong password policy for all users.
  4. Install a website firewall to block any suspicious IP requests to your website server.
  5. Take regular backups of your WordPress website and database files.
  6. Protect your WordPress account by limiting the number of login attempts or enabling Two-Factor authentication.
  7. Implement the SSL certification for your website.
  8. Limit the number of administrative (or “admin”) users by implementing various user roles.
  9. Install a WordPress security plugin or tool.
  10. Implement website hardening measures such as disabling file editing of PHP files, blocking PHP execution in untrusted folders, changing security keys, etc. Security plugins like MalCare integrate website hardening measures into their features so even non-technical users can harden their websites in a few clicks.
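
An added example (not from the article or from any plugin): a Python check of two of the hardening measures in item 10, using WordPress's DISALLOW_FILE_EDIT constant and the eight key and salt constants in wp-config.php. The sample configuration is constructed, and the parser reads one define() per line rather than parsing PHP in full.

```python
import re

KEY_NAMES = ("AUTH_KEY", "SECURE_AUTH_KEY", "LOGGED_IN_KEY", "NONCE_KEY",
             "AUTH_SALT", "SECURE_AUTH_SALT", "LOGGED_IN_SALT", "NONCE_SALT")
SAMPLE_VALUE = "put your unique phrase here"  # placeholder in wp-config-sample.php
DEFINE = re.compile(r"""define\(\s*['"](\w+)['"]\s*,\s*(.+?)\s*\)\s*;""")

def parse_defines(text):
    """Return {constant: value} for define() calls on non-comment lines."""
    found = {}
    for line in text.splitlines():
        if line.lstrip().startswith(("//", "#", "*", "/*")):
            continue  # a commented-out define() has no effect
        for name, value in DEFINE.findall(line):
            if len(value) >= 2 and value[0] in "'\"" and value[-1] == value[0]:
                value = value[1:-1]  # drop the surrounding quotes
            found[name] = value
    return found

def audit_wp_config(text):
    """List hardening gaps: file editor left on, weak or missing keys and salts."""
    defines, findings, seen = parse_defines(text), [], {}
    if defines.get("DISALLOW_FILE_EDIT", "").lower() != "true":
        findings.append("DISALLOW_FILE_EDIT is not true")
    for name in KEY_NAMES:
        value = defines.get(name)
        if value is None:
            findings.append(f"{name} is missing")
        elif value == SAMPLE_VALUE:
            findings.append(f"{name} still has the sample value")
        elif value in seen:
            findings.append(f"{name} reuses the value of {seen[value]}")
        else:
            seen[value] = name
    return findings

# Constructed wp-config.php excerpt with deliberately weak settings.
SAMPLE_CONFIG = """<?php
// define('DISALLOW_FILE_EDIT', true);
define('AUTH_KEY',         'put your unique phrase here');
define('SECURE_AUTH_KEY',  'constructed-value-A');
define('LOGGED_IN_KEY',    'constructed-value-A');
define('NONCE_KEY',        'constructed-value-B');
define('AUTH_SALT',        'constructed-value-C');
define('SECURE_AUTH_SALT', 'constructed-value-D');
define('LOGGED_IN_SALT',   'constructed-value-E');
"""

if __name__ == "__main__":
    print("\n".join(audit_wp_config(SAMPLE_CONFIG)))
```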

These measures, recommended by WordPress security experts, should be part of your WordPress maintenance strategy.


We hope this article helped you understand how to remove malware from a hacked WordPress site. Manual scanning and removal methods are quite complex and recommended for more technical users with an understanding of WordPress, its file structure, etc. For everyone else, we recommend security plugins like MalCare or Sucuri designed specifically to ensure the security of a WordPress site. MalCare, for instance, includes most of the security measures included in this article in addition to malware scanning and removal. So whether it is firewall protection, login protection, 2-factor authentication, or updates, everything is taken care of from within a single dashboard.

About The Author

Dustin Reed

Dustin Reed is the owner and senior web technician for Innovative Solutions Group. He started working at Innovative Solutions Group in 2011 and took over as owner in 2016. He takes great pride in the fact that he truly enjoys doing what he does best: building professional websites! During his 10 years working at Innovative Solutions Group, he has been responsible for many different aspects of the business, ranging from creating new accounts/domains on Innovative's server to responsive (mobile-friendly) template creation. Some of his other responsibilities/strengths are WordPress website design, CSS/HTML coding, creating visual animations using jQuery, page layout, and troubleshooting many different types of problems that may arise. When he is not busy working at Innovative Solutions Group, he enjoys all of the great outdoor activities that the beautiful state of Montana has to offer, such as fishing, camping, hiking and enjoying a day at the lake during the summer.
