Skip to content
Security
7 min read

How to Remove Malware From a WordPress Site

Malware on your WordPress site can tank your rankings, scare visitors, and get you blacklisted. Here’s how to find it and clean it up.

Your site is showing strange ads, Google is flagging it as dangerous, or your host just suspended your account. These are classic signs of a WordPress malware infection, and it's more common than you'd think. The good news: it's fixable. This guide walks you through exactly how to identify, remove, and prevent malware on a WordPress site — in plain language, no server expertise required.

How to Tell Your WordPress Site Has Malware

Malware doesn't always announce itself. Sometimes the only sign is a drop in search rankings or a complaint from a customer. Watch for these red flags:

  • Google Search Console shows a "This site may be hacked" warning
  • Visitors are redirected to spam or adult websites
  • Your hosting provider suspended your account for malicious activity
  • New admin users appear in WordPress that you didn't create
  • Pages contain links or text you never wrote
  • Your site loads extremely slowly or crashes without explanation
  • Antivirus software flags your site URL

Step 1 — Back Up What You Have (Even If It's Infected)

Before touching anything, take a full backup of your site including files and the database. This sounds counterintuitive when the site is infected, but you need a restore point in case something goes wrong during cleanup. Use your hosting control panel's backup tool, or a plugin like UpdraftPlus if you can still log in. Store the backup somewhere off your server, such as Google Drive or Dropbox.

Step 2, Scan Your Site for Malware

A WordPress website malware scanner compares your files against known-clean versions and flags suspicious code. Two reliable options:

  • Wordfence Security (free tier available), installs as a plugin and scans your WordPress files, themes, and plugins against its threat database. Find it at wordpress.org/plugins/wordfence.
  • Sucuri SiteCheck, a free remote scanner at sitecheck.sucuri.net that checks your publicly visible pages for known malware signatures and blacklist status. It won't catch everything hidden server-side, but it's a fast first check.

Run both. The remote scanner catches what's visible to visitors; the plugin-based scanner catches what's hidden in your files. Note every file the scanner flags before you change anything.

Step 3, Remove the Malware

Once you know what's infected, work through these steps in order.

  1. Delete suspicious plugins and themes. Go to Plugins > Installed Plugins and deactivate then delete anything you don't recognise or haven't used in months. Do the same under Appearance > Themes. Attackers frequently hide backdoors (hidden entry points) inside inactive themes.
  2. Reinstall WordPress core files. In your dashboard go to Dashboard > Updates and click Re-install version X.X.X. This overwrites core files with clean copies without touching your content or settings.
  3. Reinstall clean copies of your plugins and themes. Delete each plugin and reinstall it fresh from wordpress.org or your original purchase source. Do not reactivate them from the infected copies.
  4. Check your wp-config.php and .htaccess files. These are common targets. Download them via FTP or your host's file manager and open them in a text editor. Your wp-config.php should contain only database credentials and standard WordPress constants, delete any unfamiliar code blocks. Your .htaccess should match the standard WordPress .htaccess format.
  5. Remove unknown admin accounts. Go to Users > All Users, sort by Role, and delete any Administrator accounts you don't recognise. Change the passwords on all remaining admin accounts immediately.
  6. Update your secret keys. In wp-config.php, replace the AUTH_KEY, SECURE_AUTH_KEY, and related constants with fresh values from the WordPress secret key generator. This logs out any active attacker sessions.
  7. Scan again. Run Wordfence or your chosen scanner a second time to confirm the infection is gone.

Step 4, Request Removal From Blacklists

If Google, McAfee, or another service flagged your site, cleaning the files is only half the job. You need to request a review so the warning is lifted.

  • Google Search Console: Go to the Security Issues report, confirm the issues are fixed, and click Request Review.
  • Google Safe Browsing: Submit your URL at safebrowsing.google.com/safebrowsing/report_error after cleanup.
  • McAfee SiteAdvisor / Sucuri blacklist: Use the removal request forms on each provider's site, Sucuri's dashboard includes a one-click blacklist removal request if you're a paid subscriber.

Step 5, Harden Your Site to Prevent Reinfection

Cleaning up once is painful. Cleaning up twice is avoidable. These steps close the most common entry points:

Action Where to Do It Why It Matters
Update WordPress, plugins, and themes Dashboard > Updates Most infections exploit known vulnerabilities in outdated software
Use strong, unique passwords Users > Your Profile Brute-force attacks target weak admin passwords
Enable two-factor authentication Security plugin settings Stops attackers even if they have your password
Limit login attempts Security plugin settings Blocks automated brute-force scripts
Remove unused plugins and themes Plugins / Appearance menus Inactive code is still a target if left installed
Move to managed hosting Managed WordPress Hosting Server-level firewalls and automatic updates reduce risk significantly

When DIY Isn't the Right Call

Some infections are straightforward. Others involve obfuscated code (deliberately scrambled malicious scripts) injected across hundreds of files, database-level backdoors, or compromised server credentials that no plugin can fully address. If your scan keeps finding the same files re-infected after cleanup, if your host has suspended your account, or if you simply don't have time to work through this yourself, a professional wordpress malware cleanup is the faster and safer path. TheAppSense's WordPress Malware Removal service handles the full investigation, cleanup, and blacklist removal for you.

A malware infection feels alarming, but it has a clear fix: back up, scan, remove the infected files, update everything, and harden your setup so it doesn't happen again. Work through the steps above methodically and most infections can be resolved without touching a database. If the infection is deep or keeps coming back, don't keep fighting it alone, get it cleaned properly and move on.

How did malware get onto my WordPress site?

The most common entry points are outdated plugins or themes with known security vulnerabilities, weak admin passwords that were brute-forced, and nulled (pirated) plugins or themes that contain malicious code by design. Shared hosting environments where another site on the same server is compromised can also be a factor.

Will reinstalling WordPress delete my content?

No. Using the Re-install button in Dashboard > Updates only replaces the core WordPress files (the wp-admin and wp-includes folders, plus root-level files like index.php). Your database, uploads, plugins, and themes are not touched.

Can I use a free plugin to do a full wordpress malware removal?

Free tools like Wordfence can detect and remove many common infections. However, sophisticated or deeply embedded malware, especially database-level injections or server-side backdoors, often requires manual file inspection or a professional service. Free scanners are a good starting point, not a guaranteed complete solution.

How long does it take Google to remove the 'site hacked' warning after I clean up?

After you submit a review request in Google Search Console, Google typically processes it within a few days to a couple of weeks. The timeline depends on how quickly their crawlers re-index your site. Submitting the request promptly after cleanup is the only way to speed this up.

Do I need to change my passwords after a malware infection?

Yes, change every password associated with the site immediately: your WordPress admin account, your hosting control panel, your FTP/SFTP credentials, and your database password. Also update the secret keys in wp-config.php as described in Step 3. Assume any credential the site could access has been exposed.

Hand your WordPress site to people who'll keep it running

Move to fully managed hosting and we'll handle speed, security, backups, and updates for you, with free migration and no lock-in. A faster, safer site, and a real person a click away.

We reply to every enquiry within one business day.