The Easiest Guide to WordPress Malware Removal

This is literally the easiest malware removal guide for WordPress on the internet. This is as easy as it gets.

Malware removal is covered in 5 steps:

  1. Inspection: Ascertaining that your website actually has malware.
  2. Lock-up & Lock-down: Update the website credentials.
  3. Clean Up: Detect and clean or remove the infected files.
  4. Root Cause Analysis: Review the infected files to get rid of root cause of malware infection.
  5. Securing: Harden security of the your WordPress website.

1. Ascertaining that your website actually has malware

Is your website redirecting to unwanted URLs? Or is it broken in some manner? You can use the following tools to analyse your website and verify that the problem is actually malware and not an unintentional .htaccess or plugin issue.

  1. Google Safe Browsing Diagnostic
  2. Sucuri Website Malware Scanner
  3. VirusTotal Analyzer
  4. Geek Flare Screenshot Checker
  5. GeoPeeker Peek Results

It’s quite possible that you’d have faced one or more of the following:

  1. Your website host blocks your hosting citing malware on the site.
  2. You got a mail from Google Search Console that your site is infected.
  3. You got a mail from Google Ads that your site is infected.
  4. You find that your site is redirecting to some malicious URL or a visitor reports this to you.

Other symptoms can include site-slowness, information from website access-logs / error-logs etc.

2. Website Lock-Up & Lock-Down

In this step we need to prepare for malware removal. Before we start the cleanup, we need to make sure no one else has access to the site else they’ll keep re-infecting the website and we’ll be in an endless loop.

  1. Put your website in maintenance mode.
  2. Remove admin access for other users.
  3. Change your WordPress password.
  4. Change your CPanel / FTP / MySQL passwords.

This is also a good time to do the following whilst you’re in the process of removing malware:

  1. Facebook Ads (You should suspend your ads when your site is infected).
  2. Google Adwords (Turn Adwords off you’re just bringing potential first and only 1 time clients to bad user experience).
  3. Put up a notice on your Facebook, Instagram, etc notifying that your website is experiencing a problem and that you have someone looking into it.
  4. Put your website into maintenance and put up a notice that your website is being worked upon.

3. Malware CleanUp

The worst thing you can ever do with a hacked site is just restore a backup. Here’s why.

The top 5 reasons why restoring a backup first is wrong:

  • Erases proof of the entry point.
  • The backup usually contains the same vulnerability.
  • Loses leads and sales made since last backup.
  • Removes any logging plugins recorded leading up to the detection.
  • In the event of criminal activities you damage evidence.

With our website in maintenance mode and no access to anyone else, let’s start the process.

  1. Download and install malCure Malware Removal plugin. The malCure plugin is used by web-security agencies and professionals to find out the most troublesome malware. It checks the core WordPress files as well as plugins installed from the WordPress repo for integrity. If a file has changed, it will report it as suspicious. The plugin will also scan all files for malware barring none.
  2. Register the plugin for free to get the latest malware definitions. If you don’t have the latest malware definitions, the plugin will not be able to detect the malware.


  3. Time to run the scan. Set the number of files to scan per request to a reasonable number. The higher number the faster the scan but the higher the website load. A sensible number is 20 files per request. Open the advanced settings box and check the box that says “Don’t show content matches”. Click the “Start Scan” button. If it hangs, try a smaller number like 10 or lower.
    Click on the Start Scan button to initiate scan. The scan may take a while but will report the progress.
  4. Once the scan completes, it will report the results:
  5. The “Inspect” button will allow you to review the files (if the file is readable / accessible).
  6. Finally we get to the cleanup part. On your website, there are several types of files:
    1. WordPress Core files: Files in the WordPress installation root and files inside wp-content and wp-includes directories.
    2. Plugin & Theme files
    3. Uploads: Files inside wp-content/uploads
    4. Other miscellaneous files.

    If a WordPress code file is infected, you need to replace it with the original. To do you, you need to download the exact WordPress release, extract and upload the clean file to overwrite the infected one. The same goes for themes and plugins.

    If anything else in uploads or any other file is infected, you need to decide if it can be cleaned up or can be removed. Do backup your files before you execute any irreversible action.

4. Root Cause Analysis

Before we lock-up and cock-up, we really need to identify how the malware got into the website at the first place. Most of the time it is due to software misconfiguration — outdated software. Check that your server software is secure, WordPress, plugins and themes are up-to-date. Check out https://wpvulndb.com/ to see if there’s any recent vulnerability issue detected with any plugin or theme.

5. Securing your WordPress Site

Finally, inspect all WordPress users. Verify that no account has been hacked. Reassess accounts and privileges.

The malware could have easily resulted in a data leak. It can read wp-config.php and could have leaked your database password. It’s a challenge to fathom the spread of breach. It’s time to update all your passwords: CPanel, FTP, MySQL, WordPress and any other applicable.

Once this is done, you need to watch out for reinfection. When you lock out the bad guys, they get peeved off. Also they know that your site was vulnerable and they will test this. There are good chances that the amount of spam and bot requests will increase. If you feel that you need professional help with this, feel free to reach out to us.