How to Remove Malware From a Hacked WordPress Site
If your WordPress site has been hacked, a complete cleanup comes down to four essential tasks: scan every file and database table to identify all malware, remove every piece of malicious code including hidden backdoors, close the vulnerability that allowed the breach, and request removal from any blacklists. Skipping any of them, especially closing the entry point, means the attackers will be back, often within hours.
WordPress malware is not always obvious. Some infections redirect visitors to spam sites. Others inject hidden links for SEO spam. Some install cryptocurrency miners that consume your server resources. And the most sophisticated infections sit quietly, stealing customer data or sending spam from your domain without any visible sign on your front end. This guide covers how to detect and remove all types.
If you need this handled by professionals immediately, our malware removal service starts at $199 — or it is included free for all care plan subscribers. Call (901) 249-0909 for 24/7 assistance.
Step 1: Confirm Your Site Is Actually Hacked
Before starting a cleanup, confirm the infection. Common signs include Google showing “This site may be hacked” or “Deceptive site ahead” warnings in search results, your site redirecting visitors to unrelated websites (often only on mobile or when coming from search engines), unknown administrator accounts in your WordPress Users panel, your hosting provider suspending your account for malware or spam activity, unfamiliar PHP files appearing in your WordPress directories (especially in wp-content, wp-includes, or uploads), hidden content visible only in page source code — spam links, doorway pages, or injected JavaScript, and your site sending spam emails you did not authorise.
If you are seeing any of these signs, proceed with the cleanup. For a more detailed diagnostic checklist, read our guide on how to check if your WordPress site has been hacked.
Step 2: Take a Backup Before Cleaning
This sounds counterintuitive — why back up an infected site? Because cleanup can go wrong. You might accidentally delete a legitimate file. A database repair might corrupt data. Having a backup of the infected state gives you a rollback point if the cleanup process causes additional problems.
Back up your complete WordPress installation, files and database, before you touch anything. FTP (for files) and phpMyAdmin (for the database) work; a hosting-level snapshot or a tar archive taken over SSH is better because it preserves file modification times, and those timestamps are what you will use later to work out when the attacker got in and which files they touched. Save copies of the web server access and error logs from the same period too, before they rotate away. Store this backup separately from your clean backups and label it clearly as “infected backup, do not restore.”
Step 3: Scan All Files for Malware
Use a Security Plugin Scanner
Install and run a security plugin scanner. If Wordfence is not already installed, install it temporarily for the scan — its free scanner is one of the most thorough available. Run a full scan from Wordfence → Scan → Start New Scan. The scanner will compare your WordPress core files against the official WordPress repository (flagging any modified core files), check plugin and theme files for known malware signatures, scan for suspicious PHP files outside of normal WordPress directories, and identify files with obfuscated code, base64-encoded payloads, and other malware indicators.
Alternative scanners include Sucuri SiteCheck (a free online scanner at sitecheck.sucuri.net that checks from outside your server — useful for detecting redirects and injected scripts that visitors see) and MalCare (cloud-based scanning that does not consume your server’s resources).
Manual File Inspection
Automated scanners catch most malware, but sophisticated infections can evade signature-based detection. Manually check these common hiding spots:
WordPress root directory. Look for PHP files that should not be there. A stock install keeps a fixed set of PHP files in its root: index.php, wp-activate.php, wp-blog-header.php, wp-comments-post.php, wp-config.php, wp-config-sample.php, wp-cron.php, wp-links-opml.php, wp-load.php, wp-login.php, wp-mail.php, wp-settings.php, wp-signup.php, wp-trackback.php, and xmlrpc.php. Compare against a fresh download of the same version rather than against memory. Any other PHP file, especially one with a plausible-sounding name like wp-tmp.php, db_cache.php, or class-wp.php, is suspicious. Attackers deliberately borrow the names of real core files (class-wp.php genuinely exists, but inside wp-includes, not in the root), so judge a file by its location and contents, never by its name alone.
The uploads directory. /wp-content/uploads/ should contain only media files (images, PDFs, videos) and subdirectories. PHP files in the uploads directory are almost always malware: WordPress core never writes PHP there, and the rare plugin that does is something to verify against its documentation before you trust it. Also look for variant extensions some servers still execute (.phtml, .php5) and for a .htaccess file inside uploads that adds a PHP handler for image extensions, which lets an uploaded “image” run as code.
Theme files. Check your active theme’s functions.php, header.php, and footer.php for injected code, particularly base64-encoded strings, eval() calls, and blocks that look obfuscated or out of place compared to the rest of the file. Check inactive themes as well: their files are still on disk, and any standalone PHP in them is still reachable by URL.
Plugin directories. Check for plugins you do not recognise. Some malware installs itself as a fake plugin with a legitimate-sounding name like “WordPress Health Check” or “DB Cache Manager”, names designed to avoid suspicion during a casual review. Look in /wp-content/mu-plugins/ too: must-use plugins load automatically, cannot be deactivated from the Plugins page, and appear only under its Must-Use tab, which makes that directory a favourite hiding place.
Step 4: Remove the Malware
Replace WordPress Core Files
Download a fresh copy of the exact WordPress version you are running from wordpress.org and extract it. Delete the existing wp-admin and wp-includes directories on the server, then upload the fresh ones via FTP. Deleting first matters: simply overwriting leaves behind any extra files the attacker added inside those directories, which are exactly the files you are trying to get rid of. Replace the PHP files in the WordPress root the same way, keeping your own wp-config.php and .htaccess. Do NOT delete or overwrite wp-content (your themes, plugins, and uploads) or wp-config.php (your database configuration).
Clean or Replace Infected Plugins
For plugins available from wordpress.org or their official vendor, delete the infected plugin folder entirely and reinstall a fresh copy from the official source. Do not try to clean individual files — download a clean copy and replace the entire plugin. For premium plugins, re-download from the vendor using your license.
Critical warning about nulled plugins: If you are using any “nulled” (pirated) premium plugins or themes, delete them immediately. Nulled software is one of the most common vectors for WordPress malware and frequently contains built-in backdoors that give the distributor persistent access to your site. Replace with legitimate licensed versions or reputable free alternatives.
Clean Your Theme
If your theme is from wordpress.org or a reputable vendor, delete it and reinstall from the official source. If you have a custom theme with modifications you cannot easily re-download, you need to manually inspect and clean every file. Compare each file against a known clean version if possible. Look for any code that was not there before — injected scripts in header.php and footer.php, obfuscated code blocks in functions.php, and PHP files that do not belong.
Clean Your Database
Malware often injects malicious content into database tables. Open phpMyAdmin and check the wp_posts table for injected JavaScript or iframe tags in post content (search for <script and <iframe), the wp_options table for unfamiliar entries (siteurl and home pointing at the wrong address, active_plugins listing a plugin you did not install, and autoloaded options containing script tags or encoded payloads), and the list of administrator accounts for any you did not create. Note that wp_users does not store roles: the role lives in wp_usermeta under the meta key wp_capabilities (prefixed with your table prefix), so that is the table to query. Delete unknown admin accounts immediately, attributing their content to a legitimate user when WordPress asks, and note their user_registered time, which is often close to the moment of the initial break-in.
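The three database checks above expressed as queries, added here as a worked example rather than code from this page, from WP Ministry or from WordPress itself. It runs against a constructed SQLite copy of the four tables involved so it can be tried offline; the SQL is plain enough to paste into phpMyAdmin’s SQL tab against MySQL once you substitute your real table prefix. The rows, the expected site address https://example.com and the list of administrator logins you recognise are all assumed sample data.

```python
"""Database triage for the wp_posts / wp_options / wp_users(+usermeta) checks,
against a constructed SQLite copy. Example code, not a WordPress or vendor API."""
import sqlite3

# Serialized PHP array WordPress stores for the administrator role. The meta_key
# is '<table prefix>capabilities'; the prefix here is the default wp_.
ADMIN_CAP = 'a:1:{s:13:"administrator";b:1;}'


def build_sample_db():
    """Constructed rows only, not data from any real site: two posts carry
    injected tags, one autoloaded option carries a redirect, one admin is rogue."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE wp_posts(ID INTEGER, post_title TEXT, post_content TEXT, post_status TEXT);
        CREATE TABLE wp_options(option_id INTEGER, option_name TEXT, option_value TEXT, autoload TEXT);
        CREATE TABLE wp_users(ID INTEGER, user_login TEXT, user_email TEXT, user_registered TEXT);
        CREATE TABLE wp_usermeta(umeta_id INTEGER, user_id INTEGER, meta_key TEXT, meta_value TEXT);
    """)
    conn.executemany("INSERT INTO wp_posts VALUES (?,?,?,?)", [
        (1, "Welcome", "<p>Hello world</p>", "publish"),
        (2, "Pricing", "<p>Plans</p><script src='//cdn.example.invalid/e.js'></script>", "publish"),
        (3, "Old post", "<iframe src='http://example.invalid/x' width='0'></iframe>", "publish"),
    ])
    conn.executemany("INSERT INTO wp_options VALUES (?,?,?,?)", [
        (1, "siteurl", "https://example.com", "yes"),
        (2, "home", "https://example.com", "yes"),
        (3, "blogname", "Example", "yes"),
        (4, "active_plugins", 'a:1:{i:0;s:19:"akismet/akismet.php";}', "yes"),
        (5, "wp_health_cache", "<script>top.location='http://example.invalid/'</script>", "yes"),
    ])
    conn.executemany("INSERT INTO wp_users VALUES (?,?,?,?)", [
        (1, "owner", "owner@example.com", "2021-03-01 10:00:00"),
        (2, "editor", "editor@example.com", "2022-06-15 09:00:00"),
        (3, "wp_support", "x@example.invalid", "2024-01-02 03:04:05"),
    ])
    conn.executemany("INSERT INTO wp_usermeta VALUES (?,?,?,?)", [
        (1, 1, "wp_capabilities", ADMIN_CAP),
        (2, 2, "wp_capabilities", 'a:1:{s:6:"editor";b:1;}'),
        (3, 3, "wp_capabilities", ADMIN_CAP),
    ])
    return conn


def find_injected_posts(conn):
    """IDs of live posts whose content carries a <script> or <iframe> tag."""
    rows = conn.execute("""
        SELECT ID FROM wp_posts
        WHERE post_status <> 'trash'
          AND (post_content LIKE '%<script%' OR post_content LIKE '%<iframe%')
        ORDER BY ID""").fetchall()
    return [r[0] for r in rows]


def find_suspicious_options(conn, expected_url):
    """siteurl/home that no longer match the real address, then autoloaded
    options carrying script tags or decode/eval idioms."""
    out = [name for name, value in conn.execute(
        "SELECT option_name, option_value FROM wp_options "
        "WHERE option_name IN ('siteurl','home') ORDER BY option_id")
        if value.rstrip("/") != expected_url.rstrip("/")]
    out += [r[0] for r in conn.execute("""
        SELECT option_name FROM wp_options
        WHERE autoload = 'yes'
          AND (option_value LIKE '%<script%' OR option_value LIKE '%<iframe%'
               OR option_value LIKE '%base64_decode%' OR option_value LIKE '%eval(%')
        ORDER BY option_name""")]
    return out


def find_admin_accounts(conn, known_logins):
    """(all logins holding the administrator role, those you did not create).
    Roles live in wp_usermeta, so the join is the whole point of this query."""
    rows = conn.execute("""
        SELECT u.user_login FROM wp_users u
        JOIN wp_usermeta m ON m.user_id = u.ID
        WHERE m.meta_key = 'wp_capabilities' AND m.meta_value LIKE '%administrator%'
        ORDER BY u.ID""").fetchall()
    admins = [r[0] for r in rows]
    return admins, [a for a in admins if a not in set(known_logins)]


if __name__ == "__main__":
    db = build_sample_db()
    print("posts with script/iframe:", find_injected_posts(db))
    print("suspicious options:", find_suspicious_options(db, "https://example.com"))
    print("admins, unknown admins:", find_admin_accounts(db, ["owner"]))
```

Against a real site, run the same three SELECTs in phpMyAdmin with your prefix in place of wp_, and treat every hit as something to inspect rather than delete blindly: a legitimate embed plugin can store <iframe> in post content, whereas an autoloaded option or an administrator you cannot account for almost never has an innocent explanation.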
Remove Backdoors
Backdoors are the most critical thing to find and remove. If you clean the visible malware but miss a backdoor, the attacker will return and reinfect your site — often within hours. Common backdoor patterns include PHP files with names designed to look legitimate (wp-tmp.php, class-cache.php, db-safe.php), code using eval(base64_decode(...)) or eval(gzinflate(base64_decode(...))), files with @ini_set('error_log', '/dev/null') at the top (hiding error output), and code that checks for a specific GET or POST parameter and executes arbitrary code when it is present.
Search your entire WordPress installation for these patterns. Over SSH, one extended grep covers the common decoders and the spacing variants that a fixed-string search for eval(base64_decode would miss: grep -rlE --include='*.php' 'eval\s*\((base64_decode|gzinflate|gzuncompress|str_rot13)\(' /path/to/wordpress/
Step 5: Close the Vulnerability
This step is non-negotiable. If you clean the malware but do not close the entry point, reinfection is not a matter of if — it is a matter of when.
The most common entry points are outdated plugins with known vulnerabilities (update everything immediately), weak passwords (reset every administrator password to a strong, unique one and enable two-factor authentication), nulled themes or plugins (delete and replace with legitimate versions), a readable wp-config.php (tighten its permissions; 600 is right when PHP runs as the file’s owner, while some shared hosts need 640 with the web server’s group), and an unchanged default “admin” username (create a new admin account and delete the old one). To work out which one applied to you, take the earliest modification time among the malicious files you found and read the web server access log around that moment: the request that created the first file usually points at the vulnerable plugin path or at a brute-forced login. Because a backdoor running on the server could read wp-config.php, also change the database password and regenerate the AUTH_KEY and SALT values in that file, which invalidates every existing login cookie, including the attacker’s.
After closing the vulnerability, implement the hardening measures from our complete WordPress security guide — firewall, login protection, file permission hardening, and security headers.
Step 6: Request Blacklist Removal
If Google has flagged your site with a “This site may be hacked” warning, you need to request a review after cleanup.
Log in to Google Search Console. Go to Security & Manual Actions → Security Issues. You should see the specific issues Google detected. After cleaning your site, click “Request a review.” Describe the malware you found, what you removed, and what steps you took to prevent reinfection. Google’s review typically takes 24–72 hours.
If your site is also listed on other blacklists — McAfee SiteAdvisor, Norton Safe Web, PhishTank — submit removal requests to each service individually. Most have automated review processes that take 1–3 business days.
Step 7: Verify and Monitor
After cleanup, verify that your site is clean. Run another full Wordfence scan. Check your site from an incognito browser to verify no redirects occur. Test from a mobile device (some malware only activates on mobile). Check Google Search Console for any remaining security issues.
Monitor closely for the next 2–4 weeks. If the malware returns, you missed a backdoor or did not fully close the entry point. A recurrence means repeating the cleanup with more thorough scanning — or engaging a professional malware removal service to ensure nothing is missed.
Frequently Asked Questions
How did my site get hacked?
The vast majority of WordPress hacks exploit known vulnerabilities in outdated plugins. The second most common cause is weak passwords compromised through brute force attacks or credential stuffing from data breaches on other services. Nulled themes and plugins with built-in backdoors are the third most common vector. Server-level exploits and zero-day vulnerabilities are rare but possible.
Should I just delete everything and start over?
For severely compromised sites with extensive malware, restoring from a known clean backup is often faster than manual cleanup. If you have a clean backup from before the infection, restoring it and then updating everything is a valid approach. Make sure it genuinely predates the compromise: visible symptoms often appear weeks after the first malicious file was written, so check the backup’s date against the earliest timestamps you found during the scan. A restore also brings back the vulnerability that was exploited, so update everything and rotate passwords before the site goes back online. If you do not have a clean backup, methodical manual cleanup is necessary.
Can I prevent this from happening again?
No security measure provides 100% protection, but the combination of keeping all software updated, using strong passwords with 2FA, running a firewall, maintaining daily backups, and monitoring for malware continuously reduces your risk dramatically. Our security service implements all of these measures as part of every care plan.
How long does malware removal take?
A straightforward cleanup — single infection vector, limited file damage, no database injection — can be completed in 2–4 hours. Extensive compromises with multiple backdoors, deep database injections, and thousands of infected files can take 12–48 hours. Our professional malware removal service handles the full process and communicates timeline expectations based on what we find during the initial scan.
Need Expert Help? Let WP Ministry Handle It
Malware removal requires thoroughness. Missing a single backdoor means the attacker returns. Missing database-level injection means your visitors continue to see spam. And if the entry point is not closed, the entire cleanup is wasted effort.
Our malware removal service handles the complete process — scan, removal, vulnerability patching, hardening, and blacklist removal — starting at $199. For care plan subscribers, malware removal is included at no additional cost.
Call (901) 249-0909 for immediate 24/7 assistance.
Related Articles
The Ultimate WordPress Security Guide (2026)