ZeroToWP · Security · by Marvin

How to Remove Malware from WordPress (Emergency Step-by-Step Guide)


Take a deep breath. I know you're probably reading this because something is very wrong with your WordPress site right now — maybe it's redirecting visitors to sketchy websites, maybe Google is showing a big red warning page, or maybe your hosting provider just suspended your account with a vague email about "malicious content detected." I've been there. Over the past 20 years of working with WordPress, I've cleaned malware from hundreds of sites, ranging from small personal blogs to WooCommerce stores processing thousands of orders a month. The vast majority of infections can be completely fixed, and your site can be back to normal within a few hours. The key is to stay calm, follow a systematic process, and not make any panicked decisions that could make things worse.

Here's the reality that nobody tells you when you're in crisis mode: most WordPress malware infections follow predictable patterns. Attackers use automated bots to scan for known vulnerabilities in outdated plugins, weak passwords, or misconfigured file permissions. They inject their code into specific files, create backdoors in specific directories, and modify specific database entries. Once you understand these patterns — and I'm going to walk you through all of them — removing malware becomes a methodical process rather than a terrifying mystery. Let's get your site clean.

Signs Your WordPress Site Has Been Hacked

Before you start removing anything, it's worth confirming that you're actually dealing with malware and not a different issue like a plugin conflict or a hosting problem. Here are the telltale signs I look for when a client contacts me in a panic, and most hacked sites exhibit at least two or three of these symptoms simultaneously.

Unexpected redirects are the most common and most obvious symptom. Your visitors click a link to your site from Google and end up on a casino, pharmacy, or adult website instead. Sometimes the redirect only happens for search engine visitors (the malware checks the referrer header), so you might not notice it when visiting your own site directly. If someone reports this, check by Googling your site name and clicking the result. New admin users you didn't create are a dead giveaway — go to Users → All Users in your WordPress dashboard and look for any accounts you don't recognize, especially those with administrator privileges. I once found a site with 14 fake admin accounts, all created within the same hour at 3 AM.

Modified core files often show up as strange PHP files in your root directory or in wp-includes with names like wp-tmp.php, wp-feed.php, or random strings of characters. Google Search Console warnings or a red "This site may be hacked" label in search results mean Google has already detected the infection — this is urgent because every day your site stays flagged, you're losing organic traffic and SEO authority. Slow performance can indicate that your server is being used for cryptocurrency mining or sending spam emails. And speaking of spam, if your hosting provider emails you about outgoing spam — that's malware using your site as a relay. Take all of these signs seriously; even one warrants a full investigation.

Step-by-Step Malware Removal Process

Step 1: Put Your Site in Maintenance Mode

First things first: stop the bleeding. You need to prevent visitors from seeing the hacked version of your site, and more importantly, prevent the malware from spreading to their browsers. If you can still access your WordPress dashboard, install and activate a maintenance mode plugin like SeedProd or WP Maintenance Mode and turn it on immediately. If you can't access the dashboard, ask your hosting provider to put up a maintenance page — most hosts can do this from their end within minutes. Some hosts, like SiteGround and Bluehost, have a "temporary disable" feature in the control panel that effectively takes your site offline while you work on it.

Important: Do NOT delete your entire site at this point. I know it's tempting to just nuke everything and start over, but you need the infected files for analysis, and deleting them might remove evidence you need to find the entry point. If your hosting provider suspended your account, contact their support team and explain that you're actively working on cleaning the infection — they'll usually give you temporary access to your files and database while you work.

Step 2: Scan Your Site for Malware

Now you need to find exactly what's infected and where. I recommend running two different scanners because no single tool catches everything — they each have different detection signatures and methods. Start with Wordfence if you can access your WordPress dashboard. Install it from Plugins → Add New, activate it, and go to Wordfence → Scan. Click Start New Scan and let it run a full scan. Wordfence compares your WordPress core files, themes, and plugins against the official repository versions and flags any modifications. It also checks for known malware signatures, suspicious code patterns, and backdoors. The scan usually takes 5-15 minutes depending on your site size.

For an external scan, use Sucuri SiteCheck at sitecheck.sucuri.net. Enter your domain and it'll scan your site's frontend for malware, blacklisting status, website errors, and outdated software. SiteCheck is useful because it scans from the outside (like a visitor would see), so it catches redirect-based malware that might not show up in a server-side scan. Between Wordfence's deep file inspection and Sucuri's external analysis, you'll have a comprehensive picture of what you're dealing with. Make a note of every flagged file and issue — you'll need this list for the cleanup phase.

Pro tip: If you can't install Wordfence because the dashboard is inaccessible, download your entire site via FTP/SFTP and scan the files locally with ClamAV (free, open-source antivirus). It won't catch WordPress-specific threats as well as Wordfence, but it'll find the most common malware patterns.
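If you want to see what the "compare core files against the originals" check actually does, here is an added example in Python (my own illustration for this edit, not code from this article or from Wordfence). It assumes you have unpacked a fresh download of the same WordPress version into one directory and your site's files, pulled down via FTP/SFTP, into another; both directory names are placeholders, and demo() builds a constructed pair of tiny trees so the script runs on its own.

```python
"""Compare a live WordPress install against a clean reference copy.

Added example (not from the original article): hashes every file under
wp-admin/ and wp-includes/ in a clean download and in the live site, then
reports files that differ, files only the live site has (a classic place
for dropped backdoors) and files that are missing.
"""
import hashlib
import os
import tempfile

CORE_DIRS = ("wp-admin", "wp-includes")


def sha256_of(path):
    h = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def hash_tree(root):
    """Map relative path -> sha256 for every file under the core dirs of root."""
    hashes = {}
    for core in CORE_DIRS:
        for dirpath, _dirs, files in os.walk(os.path.join(root, core)):
            for name in files:
                full = os.path.join(dirpath, name)
                rel = os.path.relpath(full, root).replace(os.sep, "/")
                hashes[rel] = sha256_of(full)
    return hashes


def compare_trees(reference_root, live_root):
    """Return modified / extra / missing core files of live_root vs reference_root."""
    ref = hash_tree(reference_root)
    live = hash_tree(live_root)
    return {
        "modified": sorted(p for p in ref if p in live and ref[p] != live[p]),
        "extra": sorted(p for p in live if p not in ref),  # never shipped by WordPress
        "missing": sorted(p for p in ref if p not in live),
    }


def _write(root, rel, content):
    path = os.path.join(root, rel)
    os.makedirs(os.path.dirname(path), exist_ok=True)
    with open(path, "w", encoding="utf-8") as fh:
        fh.write(content)


def demo():
    """Build a constructed clean copy and a constructed tampered live site."""
    with tempfile.TemporaryDirectory() as tmp:
        clean = os.path.join(tmp, "clean")   # placeholder: fresh wordpress.org download
        live = os.path.join(tmp, "live")     # placeholder: your site pulled via SFTP
        for root in (clean, live):
            _write(root, "wp-includes/version.php", "<?php $wp_version = 'x.y';\n")
            _write(root, "wp-admin/index.php", "<?php require_once 'admin.php';\n")
        # constructed tampering: one core file altered, one unknown file dropped in
        _write(live, "wp-admin/index.php", "<?php require_once 'admin.php'; // altered\n")
        _write(live, "wp-includes/wp-tmp.php", "<?php // constructed stand-in for a dropped file\n")
        return compare_trees(clean, live)


if __name__ == "__main__":
    for kind, paths in demo().items():
        print(kind, paths)
```

On a real site, replace the two placeholder directories with your unpacked download and your downloaded copy of the site, and look hardest at the "extra" list: anything WordPress never shipped inside wp-admin or wp-includes has no business being there.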

Step 3: Restore from a Clean Backup (If Available)

If you have a recent backup from before the infection started, this is by far the fastest and most reliable path to a clean site. Restoring from backup eliminates all malicious files, database modifications, and backdoors in one step — it's like a factory reset for your WordPress installation. Check your hosting control panel for automatic backups (most managed hosts keep 7-30 days of daily backups), or check if you had a backup plugin like UpdraftPlus or BlogVault running. If you've been following my WordPress backup guide, you should have a clean copy available.

Here's the critical question: how do you know which backup is clean? You need to figure out approximately when the infection started. Check your scan results for file modification dates, look at when suspicious admin accounts were created, and review your access logs if your host provides them. Restore a backup from at least a few days before the earliest sign of compromise. After restoring, immediately update WordPress, all plugins, and all themes before doing anything else — the vulnerability that let the attacker in the first time is probably still there in the restored version.
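To make the access-log part of that concrete, here is an added example in Python (not from the article) that parses combined-format Apache/Nginx log lines and reports the earliest request that looks like compromise activity: hits on PHP files under /wp-content/uploads/, on the dropper file names mentioned earlier in this guide, and POSTs to PHP files in the document root that WordPress itself does not expose. The log lines are constructed for the demo, and the file names, addresses and the ROOT_POST_OK list are assumptions you should tune for your own site.

```python
"""Find the earliest suspicious request in a WordPress access log.

Added example, not from the article. Parses combined log format lines and
flags three kinds of request; the earliest flagged timestamp is a usable
lower bound for "when did the infection start" when picking a backup.
"""
import re
from datetime import datetime

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<referrer>[^"]*)" "(?P<ua>[^"]*)"'
)
# dropper names cited in this guide
KNOWN_BAD_NAMES = {"wp-tmp.php", "wp-vcd.php", "wp-feed.php", "class.theme-modules.php"}
# document-root PHP files WordPress legitimately receives POSTs to (assumption: extend for your site)
ROOT_POST_OK = {"/index.php", "/wp-login.php", "/wp-cron.php", "/wp-comments-post.php",
                "/xmlrpc.php", "/wp-signup.php"}


def classify(method, path):
    """Return a reason string if the request looks like compromise activity, else None."""
    clean = path.split("?", 1)[0]
    name = clean.rsplit("/", 1)[-1]
    if name in KNOWN_BAD_NAMES:
        return "known_bad_name"
    if clean.startswith("/wp-content/uploads/") and clean.endswith(".php"):
        return "php_in_uploads"
    in_root = clean.count("/") == 1
    if method == "POST" and in_root and clean.endswith(".php") and clean not in ROOT_POST_OK:
        return "post_to_unknown_root_php"
    return None


def first_compromise_evidence(lines):
    """Return the earliest suspicious timestamp and all hits as (ts, ip, path, reason)."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # unparseable line: skip rather than guess
        reason = classify(m["method"], m["path"])
        if reason is None:
            continue
        ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
        hits.append((ts, m["ip"], m["path"], reason))
    hits.sort()
    return {"earliest": hits[0][0] if hits else None, "hits": hits}


# constructed sample log: documentation-range addresses, invented paths
SAMPLE_LOG = """
203.0.113.5 - - [14/Jan/2026:03:02:11 +0000] "GET /wp-login.php HTTP/1.1" 200 4521 "-" "Mozilla/5.0"
203.0.113.5 - - [14/Jan/2026:03:04:40 +0000] "POST /wp-admin/admin-ajax.php HTTP/1.1" 200 31 "-" "Mozilla/5.0"
203.0.113.5 - - [14/Jan/2026:03:05:02 +0000] "POST /wp-content/uploads/2026/01/image.php HTTP/1.1" 200 12 "-" "python-requests/2.31"
198.51.100.7 - - [15/Jan/2026:09:15:00 +0000] "GET /wp-tmp.php?x=1 HTTP/1.1" 200 98 "-" "curl/8.0"
198.51.100.7 - - [15/Jan/2026:09:16:30 +0000] "POST /cache.php HTTP/1.1" 200 5 "-" "curl/8.0"
192.0.2.9 - - [15/Jan/2026:10:00:00 +0000] "GET /about/ HTTP/1.1" 200 8811 "https://www.google.com/" "Mozilla/5.0"
""".strip().splitlines()

if __name__ == "__main__":
    result = first_compromise_evidence(SAMPLE_LOG)
    print("earliest evidence:", result["earliest"])
    for ts, ip, path, reason in result["hits"]:
        print(ts.isoformat(), ip, path, reason)
```

Run it over your real logs (most hosts expose them under a logs/ folder in the control panel) and pick a backup dated at least a few days before the earliest hit, as the step above recommends; also note the client address on those hits, since the same address often shows up in the login attempts that preceded them.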

Warning: After restoring a backup, change ALL your passwords before making the site live again. The attacker may have captured your credentials, and restoring files doesn't change passwords. I'll cover this in detail in Step 5.

Step 4: Manual Cleanup (If No Clean Backup Exists)

No backup? Don't worry — I've cleaned plenty of sites manually, and while it takes longer, the results are just as good. Here's the systematic approach I use, in order of priority. Start by deleting any files flagged by your malware scan. Common locations for injected malware include the root directory (look for PHP files that shouldn't be there), wp-includes (WordPress never stores random PHP files here), and wp-content/uploads (PHP files in your uploads directory are almost always malicious — legitimate uploads are images, PDFs, and similar media files). If you find files with names like wp-tmp.php, wp-vcd.php, class.theme-modules.php, or anything with base64-encoded content, delete them immediately.

Next, reinstall WordPress core files. Download a fresh copy of your WordPress version from wordpress.org, extract it, and upload the wp-admin and wp-includes directories to your server, overwriting the existing files. This replaces any modified core files with clean originals. Do NOT overwrite wp-config.php or the wp-content directory — those contain your site's configuration and content respectively.

Now check wp-config.php carefully. Open it in a text editor and look for anything that doesn't belong. Legitimate wp-config.php contains database credentials, authentication keys, table prefix, and debug settings — nothing else. If you see any eval(), base64_decode(), preg_replace with the /e modifier, or @include statements pointing to strange files, remove those lines. While you're in there, regenerate your WordPress security keys by visiting the WordPress salt generator and replacing the existing keys in wp-config.php. This invalidates all existing login sessions, including any the attacker might be using. For more on securing this critical file, see my guide on WordPress file permissions.

Finally, check your database. Go to Users → All Users and delete any accounts you don't recognize. Then check your active theme's functions.php file — this is a favorite injection point because it runs on every page load. Look for encoded code blocks, eval() statements, or functions you didn't write. If your theme is from the WordPress repository or a reputable theme shop, download a fresh copy and compare the files. I also recommend checking Settings → General to make sure your site URL hasn't been changed, and Settings → Reading to verify your homepage settings are correct.
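The file-level checks in Step 4 (and the "scan locally" pro tip in Step 2) boil down to a short list of red flags, so here is an added example in Python (my own, not the article's) that walks a downloaded copy of a site and reports every file matching them: PHP files under wp-content/uploads, the dropper file names named above, and PHP files containing eval(), base64_decode(), preg_replace() with the /e modifier, @include/@require, or a long base64-looking blob. The theme name, file names and contents in demo() are constructed.

```python
"""Flag WordPress files that match the manual-cleanup red flags from Step 4.

Added example, not code from the article. Produces a review list keyed by
relative path; each entry carries the reasons the file was flagged.
"""
import os
import re
import tempfile

# dropper names cited in this guide
KNOWN_BAD_NAMES = {"wp-tmp.php", "wp-vcd.php", "wp-feed.php", "class.theme-modules.php"}

CODE_PATTERNS = {
    "eval": re.compile(r"\beval\s*\("),
    "base64_decode": re.compile(r"\bbase64_decode\s*\("),
    "at_include": re.compile(r"@\s*(?:include|require)(?:_once)?\b"),
    "long_base64_blob": re.compile(r"[A-Za-z0-9+/]{120,}={0,2}"),
}
# preg_replace('<delim>pattern<delim>modifiers', ...) where the modifiers contain 'e'
PREG_E = re.compile(r"""preg_replace\s*\(\s*['"](\W)(?:(?!\1).)*\1([A-Za-z]*)['"]""")


def suspicious_reasons(rel_path, text):
    """Return the sorted list of red flags for one file (empty list = nothing found)."""
    reasons = []
    if rel_path.rsplit("/", 1)[-1] in KNOWN_BAD_NAMES:
        reasons.append("known_bad_name")
    is_php = rel_path.endswith(".php")
    if is_php and rel_path.startswith("wp-content/uploads/"):
        reasons.append("php_in_uploads")
    if is_php:
        for name, pat in CODE_PATTERNS.items():
            if pat.search(text):
                reasons.append(name)
        if any("e" in m.group(2) for m in PREG_E.finditer(text)):
            reasons.append("preg_replace_e")
    return sorted(reasons)


def scan_tree(root):
    """Walk a WordPress install and map relative path -> reasons for every flagged file."""
    findings = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            with open(full, "r", encoding="utf-8", errors="replace") as fh:
                text = fh.read()
            reasons = suspicious_reasons(rel, text)
            if reasons:
                findings[rel] = reasons
    return findings


def _write(root, rel, content):
    path = os.path.join(root, rel)
    os.makedirs(os.path.dirname(path), exist_ok=True)
    with open(path, "w", encoding="utf-8") as fh:
        fh.write(content)


def demo():
    """Constructed site: one clean core file plus four files that trip the checks."""
    with tempfile.TemporaryDirectory() as tmp:
        _write(tmp, "wp-config.php",
               "<?php\ndefine('DB_NAME', 'example');\n@include '/tmp/constructed.txt';\n")
        _write(tmp, "wp-content/themes/example-theme/functions.php",
               "<?php\nfunction example_setup() {}\neval($chunk);\npreg_replace('/x/e', 'y', $s);\n")
        _write(tmp, "wp-content/uploads/2026/01/image.php", "<?php // constructed stand-in\n")
        _write(tmp, "wp-includes/wp-tmp.php", "<?php // constructed stand-in\n")
        _write(tmp, "wp-includes/version.php", "<?php\n$wp_version = 'x.y';\n")
        return scan_tree(tmp)


if __name__ == "__main__":
    for path, reasons in sorted(demo().items()):
        print(path, ", ".join(reasons))
```

Treat the output as a review list, not a delete list: WordPress core and some legitimate plugins use base64_decode() and preg_replace() for ordinary purposes, so confirm each hit against a fresh copy of the same file before removing anything, exactly as the step above says to do for themes.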

Step 5: Change ALL Passwords

This step is absolutely non-negotiable, and I mean all passwords. I've seen sites get reinfected within hours because the site owner only changed their WordPress password and forgot about FTP, database, or hosting panel credentials. Here's the complete list: your WordPress admin password (and force a password reset for all other WordPress user accounts while you're at it), your FTP/SFTP password, your database password (update it in wp-config.php after changing it in your hosting panel), your hosting control panel password (cPanel, Plesk, or whatever your host uses), and your email password for any accounts associated with the site. Use a password manager like Bitwarden or 1Password to generate strong, unique passwords for each one — at least 16 characters with mixed case, numbers, and symbols.

Pro tip: While changing passwords, check your FTP accounts in your hosting panel. Attackers sometimes create additional FTP accounts to maintain access even after you change the main password. Delete any FTP accounts you don't recognize. This is one of those details that 90% of malware removal guides skip, and it's the reason many sites get reinfected. For more password security practices, check out my WordPress login security guide.

Step 6: Update Everything

The malware got in through a vulnerability, and if you don't patch that vulnerability, you'll be right back where you started. Go to Dashboard → Updates and update everything: WordPress core, every plugin, and every theme. If you have any plugins or themes you're not actively using, delete them entirely — not just deactivate, delete. Inactive plugins and themes still have their files on your server, and if those files contain vulnerabilities, attackers can exploit them even though the plugin isn't active. I've seen sites hacked through themes that were installed but never activated.

After updating, review your plugin list with fresh eyes. Do you actually need every plugin that's installed? Every plugin is a potential attack surface. If a plugin hasn't been updated by its developer in over a year, consider replacing it with a maintained alternative. This is also a good time to install a proper security plugin if you didn't have one before — it's the single most important thing you can do to prevent future infections.

Step 7: Install a Security Plugin

If you don't already have a security plugin running, install one immediately. At minimum, you need a Web Application Firewall (WAF), malware scanning, and login protection. I cover all the options in detail in my best WordPress security plugins guide, but the short version is: Wordfence is my top free pick (you already have it installed if you used it for scanning), and Sucuri is my premium pick because of their cloud-based firewall. Enable the firewall, schedule automatic malware scans, and turn on login attempt limiting. This isn't optional — running WordPress without a security plugin in 2026 is like leaving your front door wide open.

[Screenshot: MalCare WordPress security plugin homepage showing automatic malware scanning, one-click removal, and real-time firewall protection]

Another excellent option is MalCare, which specializes in malware detection and offers one-click cleanup on their paid plans. If you've been through a malware nightmare and want the peace of mind that comes with knowing an expert service is constantly monitoring your site, MalCare is worth the investment. Their scanner runs on their own servers rather than yours, so it doesn't slow down your site — a common complaint with other security plugins. For a comprehensive approach to keeping your site secure going forward, follow my complete WordPress security guide.

Step 8: Request a Google Review (If Your Site Was Flagged)

If Google was showing a "This site may be hacked" or "This site may harm your computer" warning for your domain, you need to request a review after cleanup. Go to Google Search Console (you need to have your site verified — if you haven't done this yet, do it now). Navigate to Security & Manual Actions → Security issues. You should see the specific issues Google detected. Click Request Review and write a brief description of what happened and what you did to fix it. Be specific: mention that you removed malware, updated all software, changed all passwords, and installed security monitoring. Google typically reviews and lifts the warning within 1-3 business days, though I've seen it take up to a week during busy periods.

Important: Don't request a review until you're absolutely certain the site is clean. If Google re-scans and still finds malware, the review process takes longer the second time, and repeated failed reviews can delay removal significantly. Run one more scan with Wordfence and Sucuri SiteCheck before submitting your request. Also check that your overall security setup is solid so Google can see you've taken comprehensive measures.

When to Hire a Professional

Look, I'm all for DIY — this entire site is built on the premise that you can handle WordPress yourself. But there are situations where hiring a professional malware removal service is the smart call, and I'd be doing you a disservice if I didn't acknowledge that. If you've followed every step above and your site keeps getting reinfected, there's likely a well-hidden backdoor that you're missing. If you're running a business site or WooCommerce store and every hour of downtime is costing you real money, the $200-400 for professional cleanup pays for itself in avoided lost revenue. And if the thought of editing wp-config.php or connecting via SFTP makes you break into a cold sweat, there's no shame in calling in an expert.

Sucuri offers a professional website cleanup service starting at $229/year, which includes malware removal, blacklist removal, and ongoing monitoring with their cloud-based firewall. It's the service I recommend most often because you're not just paying for a one-time cleanup — you get continuous protection for the entire year. MalCare offers one-click malware removal in their paid plans (starting at $149/year), and it's genuinely one-click — their system identifies and removes the malware automatically. For sites that are severely compromised or where manual cleanup hasn't worked, Wordfence also offers a professional site cleaning service. Whichever service you choose, make sure they also identify the entry point and patch the vulnerability, not just remove the malware symptoms.

Prevent Future Infections

Once your site is clean, the last thing you want is to go through this nightmare again. The good news is that preventing WordPress malware is much easier than removing it. Keep WordPress core, plugins, and themes updated at all times — enable auto-updates for minor releases and check for updates weekly. Use strong, unique passwords for every account and enable two-factor authentication on all admin accounts (see my login security guide). Install a reputable security plugin with a firewall and automated scanning. Set up regular automated backups so you always have a clean copy to restore from. And follow the complete hardening checklist in my WordPress security guide — it covers everything from file permissions to database security to HTTP headers.

The single best piece of advice I can give you: treat security as ongoing maintenance, not a one-time setup. The WordPress ecosystem moves fast, new vulnerabilities are discovered regularly, and attackers are constantly evolving their methods. Spending 15 minutes a week checking for updates, reviewing your security logs, and verifying your backups is infinitely easier than spending an entire weekend cleaning up a malware infection. Trust me — I've done both more times than I'd like to admit.

Frequently Asked Questions

How much does it cost to remove malware from WordPress?

You can do it yourself for free using the steps in this guide and free tools like Wordfence and Sucuri SiteCheck. If you prefer professional help, expect to pay between $149-400 depending on the service. Sucuri charges $229/year which includes cleanup plus ongoing protection, MalCare offers automated removal starting at $149/year, and Wordfence has a one-time cleanup service. For most site owners with moderate technical confidence, the DIY route works perfectly well — the malware patterns are well-documented and the tools are excellent.

Will removing malware fix my Google rankings?

Yes, but not instantly. Once you clean your site and Google lifts the security warning (typically 1-3 business days after requesting review), your rankings should start recovering. However, if your site was flagged for an extended period, some ranking positions may take weeks to fully recover because Google reduces crawl frequency for flagged sites. The sooner you fix the infection and request a review, the faster the recovery. In my experience, most sites return to their pre-hack rankings within 2-4 weeks after cleanup.

Can malware spread from my WordPress site to visitors' computers?

It depends on the type of malware. Simple redirect malware just sends visitors to another site, which is annoying but doesn't directly infect their computers. However, some more sophisticated malware injects scripts that attempt to download malicious payloads to visitors' browsers through drive-by downloads. This is why putting your site in maintenance mode immediately is so important — you're not just protecting your reputation, you're protecting your visitors. It's also why Google takes hacked sites so seriously and shows those prominent warning pages.

Should I reinstall WordPress from scratch instead of cleaning the infection?

A complete reinstall is the nuclear option, and while it guarantees a clean starting point, it's usually overkill unless the infection is extremely severe or deeply embedded in the database. If you're considering it, make sure you export your content (posts, pages, comments) using WordPress's built-in export tool first, then do a fresh install and reimport. You'll lose your plugin settings and customizations, but your actual content will be preserved. For most infections, the step-by-step cleanup process I've outlined above is sufficient and preserves all your settings and configurations. I've only recommended a full reinstall maybe 5 times out of hundreds of cleanups.

Written by Marvin