How to Remove Malware From WordPress Site [Definitive Guide 2021]?


The WordPress database is a repository that stores a website's complete information. WordPress uses the MySQL database management software to handle the data.

But the WordPress database is a preferred target for malware attacks. These attacks infect your database with malware and discreetly use your server resources.

Malware is dangerous to a website for the following reasons:

  1. Google blacklists sites infected with malware. It leads to a significant reduction in organic traffic.
  2. Decreased brand reputation
  3. Reader privacy is uncertain. Hackers may exploit personal data of readers.
  4. Loss of reliable readers.

According to Google’s transparency report, the number of phishing sites increased by 18 times from 2015 to 2021. So it’s recommended to scan your WordPress site periodically for malware.

Number of phishing sites detected by Google from January 2015 to January 2021

Types of Malware Attacks

There are a dozen ways to hack into a website, from DDoS attacks to exploiting WordPress core vulnerabilities. But, the most common ones are SQL injection and Brute force attack.

SQL injection – Cybercriminals take advantage of improperly configured input fields, such as the comment box. They inject malicious code into the comments, which helps them gain access to the WordPress database.

Brute force attack – A trial-and-error method in which hackers try various string combinations to gain access to your website. This is why you should set strong passwords. Weak passwords are the access keys to your site.

Here is a list of weak passwords you should avoid.

These aren’t the only forms of attack.

Hackers also inject code into WordPress site files. This lets them use your server resources for as long as they can without raising suspicion.

A hacked WordPress site is dangerous to visitors and to SEO. Remove malware as soon as possible.

In this tutorial, I’ll show you

  • How to scan your WordPress for Malware
  • How to remove Malware from WordPress core and Database


1. Back up your website – Many hosting providers suspend or even delete your website as soon as they detect malware. This prevents cross-infection of websites that run on the same server. So, take a backup at all costs.

I recommend UpdraftPlus for backup.

If you cannot login to your site, take a backup using your FTP client or CPanel account. To use your Cpanel for backup, login to 

2. Scan your computer – If your computer is malware-infected, your backups might get affected too. Scan your computer with an antivirus program to prevent infection of your backup files.

Use an antivirus program to scan local files. If you don’t use one, I recommend Kaspersky cloud security (Not an Affiliate). It’s free to download and use.

3. Google Search Console account (Optional) – Helps in scanning your site for malware. It also aids in monitoring website performance in combination with several SEO tools. You can sign up for an account here.

Scanning Your WordPress Database for Malware

There are multiple ways to check a website for malware infection. Here are a few of them. (Listed in order from high efficiency and reliability to low efficiency)

1. Using Search Console by Google

Note: You need a Search Console account to scan your website. Skip this one if you do not wish to register for one.

a. Log in to your account.

b. Scroll down to find Security and Manual Actions on the left side of your dashboard.

c. Click Security Issues.

Security issues option from Google Search Console

d. If the message "No issues detected" is displayed, your website is free of malware.

2. Using Google Safe Browsing Tool

a. Visit Google Safe Browsing tool.

b. Type your URL in the search box and click Search.

c. You will receive one of the following messages:

No unsafe content found – A positive indication that your website is free of malware

Safe website detected by Google Safe Browsing Tool

This site is unsafe – This message indicates the presence of malware.

Unsafe website detected by Google Safe Browsing Tool

3. Using Malware Scanner by Sucuri

a. Visit Site scanner

b. Enter your URL

c. Click Scan Website

d. If your website is not infected, the results are displayed as no malware found

Safe website detected by Sucuri site scanner

e. A hacked WordPress site will receive a message similar to the one below.

Unsafe website detected by Sucuri site scanner

f. In some cases, the warning pointer is in the middle. This is not an indication of a hacked website. It may be caused by technical issues or other reasons.

For instance, in the following case, the error pops up due to server issues.

A safe website marked suspicious by Sucuri site scanner

The same site passes the Google Safe Browsing test.

A website that passes the Google Safe Browsing tool

If that’s your case, solving those technical issues will eliminate the error.

4. Check for Emails From Your Hosting Provider

Hackers can inject malicious code into less frequently checked parts of the WordPress repository, for example WordPress core files. This helps the hacker use your server resources discreetly and leads to bandwidth exhaustion (especially in shared hosting environments).

Due to this, your hosting provider may temporarily suspend your website. Check your inbox for suspension and bandwidth over-use messages.

These are subtle signs of malware infection.

Note: A significant spike in server resource usage in a short period may be a sign of a malware attack. Bandwidth overuse doesn’t always mean a malware attack.

5. The Incognito Tab Method

Make sure you are logged out of your WordPress site while attempting this.

a. Open the incognito tab of your browser

b. Type in ””

c. You will receive one of the following messages,

This site may be hacked.

This site may harm your computer.

Example of a hacked website that shows up in SERP

Both of these messages are signs of malware infection.

6. Manual Investigation of Critical Files (Not Recommended)

Skip this step if you have little to no technical expertise in dealing with the WordPress database. Improper changes to the WordPress database could break your site.

Moreover, the process is time-consuming and difficult even with sufficient technical expertise. If you have little experience and still wish to examine your website code, I recommend you use the reqbin tool. It is safer than using your file manager.

Hackers make changes to the WordPress database as soon as they take control of it. They place malicious code in places where you are less likely to look, like core WordPress files.

Common places to look for malware are:

  1. .htaccess file
  2. wp-config.php file
  3. Plugin and theme files

Use your site file manager to examine your website code. Carefully search the code for suspicious text such as names of pharmaceutical drugs, adult content, etc. Here are examples of hacked HTML content, htaccess, theme and index files.

Look for words like ‘eval’ and ‘base64_decode’.

Note: The problem with this technique is that a few genuine plugins also use these strings. So it’s hard to differentiate between the two.

Absence of suspicious text is not always a sign of a malware-free website. I always recommend you use at least two methods to confirm if your site is infected.
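The search for ‘eval’ and ‘base64_decode’ can be run over a downloaded copy of the site instead of reading files one by one. The script below is an added example, not part of the original guide or of any plugin it mentions; the nested-pattern check, the weights and the sample file names are assumptions chosen to rank likely injections above genuine plugin code that merely uses one of the strings.

```python
import re
import tempfile
from pathlib import Path

# The two strings the guide names, plus the nested form where eval() is fed
# decoder output directly. The nested pattern and the weights are assumptions
# of this example: one string alone is weak evidence (genuine plugins use
# them), the combination is a much stronger signal.
INDICATORS = {
    "eval": (re.compile(rb"\beval\s*\("), 1),
    "base64_decode": (re.compile(rb"\bbase64_decode\s*\("), 1),
    "eval_of_decoded": (re.compile(rb"\beval\s*\(\s*@?\s*base64_decode\s*\("), 5),
}


def scan_file(path):
    """Return (score, [indicator names]) for one file."""
    data = path.read_bytes()
    hits = [name for name, (rx, _) in INDICATORS.items() if rx.search(data)]
    return sum(INDICATORS[n][1] for n in hits), hits


def scan_tree(root):
    """Scan PHP and .htaccess files under root; highest score first."""
    results = []
    for p in sorted(Path(root).rglob("*")):
        if p.is_file() and (p.suffix == ".php" or p.name == ".htaccess"):
            score, hits = scan_file(p)
            if score:
                results.append((score, p.relative_to(root).as_posix(), hits))
    return sorted(results, key=lambda r: (-r[0], r[1]))


def build_sample(root):
    """Constructed sample tree: one benign use, one injected file, one clean."""
    root = Path(root)
    (root / "wp-content/plugins/mailer").mkdir(parents=True)
    (root / "wp-content/plugins/mailer/attach.php").write_text(
        "<?php $raw = base64_decode($_POST['file']); // decodes an upload\n")
    (root / "wp-includes").mkdir()
    (root / "wp-includes/class-cache.php").write_text(
        "<?php eval(base64_decode('ZWNobyAxOw==')); // constructed: echo 1;\n")
    (root / "index.php").write_text("<?php require 'wp-blog-header.php';\n")
    return root


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        for score, rel, hits in scan_tree(build_sample(tmp)):
            print(f"{score:>2}  {rel}  {', '.join(hits)}")
```

Point scan_tree() at the extracted backup folder to scan a real site copy. A low score still needs a manual look, and a file with no hits is not proof that the site is clean.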

WordPress Malware Removal

1.Asking a Professional to Do the Job for You.

If you are running a professional blog or online business, it is better to hand the job to an expert. This is because most malware scanners find only shallow issues.

Moreover, the WordPress malware removal process is time-consuming, and residues may remain even after cleanup.

If the root issues are not addressed, cybercriminals hack the site over and over again.

Security professionals help you with this. I recommend Hack Repair Guy (Not an affiliate).

He repairs websites and has been a security professional for over 20 years. For $79, he provides a complete security audit for your WordPress site in less than 2 hours. The pricing is much less than premium plugin subscriptions, and the response time is high. It is the cheapest and best WordPress malware removal service you can adopt.

You can also contact professionals at Sucuri and Malware who will help you clean your website’s malware. But their pricing options are expensive compared to the Hack Repair Guy.

2. Remove Malware From WordPress Site Using Plugins

Note: The following method works if you can login to your WordPress dashboard. 

Malware Removal Plugin 1 – Wordfence Security – Firewall and Malware Scan

a. Install and activate Wordfence security.

b. After activation, scroll to the bottom of dashboard and click Wordfence. 

c. Now click manage scan.

Wordfence malware removal dashboard

d. There are four options in Wordfence scanner.

  • Limited Scan – Choose this option if your server resources are limited. You can also choose limited scan if standard, high sensitivity scans end abruptly without completion. 
  • Standard Scan – The recommended option for most sites. It performs several tests to ensure the safety of a website.

But, before choosing standard scan, enable scan themes and plugins.

You can do this by navigating to General Options. Click scan theme files against repository versions for changes and scan plugin files against repository versions for changes.

wordfence plugin and themes file scan
Turn on both those settings
  • High Sensitivity Scan – Use this scan if you think your site is compromised. 

This scan takes up a lot of server resources and may trigger false alarms. So caution is advised while using this.

  • Custom Scan (Not recommended if you have little technical expertise) – Go to general options and select the types of tests you wish to perform on your site. The time and server resources used depend on the options you have selected.

Note: Regardless of the scan type you use, you can choose to reduce the load of your server resources. Navigate to performance options in the same window and click use low resource scanning.

This reduces the server load, by increasing the scan duration.

Wordfence performance options

e. After making the desired changes, click Save changes.

f. Navigate back to the bottom of the WordPress dashboard and click Scan from Wordfence.

wordfence options from wordpress dashboard

g. Click start new scan.

wordpress malware scanner - wordfence start scan button

h. Wait for the scan to complete. Your site is put through a variety of tests depending upon the type of scan. A blue tick indicates a passed test.

i. Wordfence lists the results of the scan. In this case, three plugins are not updated to the latest versions. These outdated plugins act as vulnerabilities that hackers could use. Updating them would solve the issues.

You can click on ignore to remove the suggestion from the list or click on details to get further info.


There are areas where Wordfence’s functionality falls short. Moreover, it can overload a WordPress site and bloat the database. You can read more about it here.

Malware Removal Plugin 2 – Anti-Malware and Brute-Force Firewall Security Plugin

a. Install and activate the plugin.

b. After activation, find the plugin you just installed from your plugin dashboard. Click scan settings.

wordpress malware scanner plugin in plugin dashboard

c. Fill in the requested details and click register now. Now, log in to your email inbox.

registration in anti malware plugin

d. You will find a set of login details. Use those credentials to log in to the given website.

e. Now navigate back to the scan settings page. Refresh it from the sidebar. It updates the rest of the modules.

Download new definitions button in anti-malware plugin

f. Click run complete scan and wait for the scan to complete.

g. If your site is free of malware, the plugin will not list any issues. However, if any issues pop up, select the ones you wish to fix. Then click Automatically Fix Selected Files now.

Note: You don’t need to make all the suggested changes.

malware from your wordpress found by Anti-Security plugin

Check out the following example.

remove malware from wordpress

In this case, other plugins are present to prevent these attacks. So always remember, DO NOT clear all issues. Only resolve the issues that need resolving. This is one of the best WordPress malware removal plugins, and it allows you to eliminate basic malware free of cost.


1. You need to pay an additional $29 to scan for malware in core WordPress files. 

2. Security definitions have not been updated in the past 9 months.

3. Even after paying the donation, you have to make decisions on solving the issues. This becomes frustrating if you have little to no technical expertise.

Plugin 3 – Malcare Security – Free Malware Scanner, Protection and Security for WordPress

1. Install and activate the Malcare Security Plugin.

2. On activation, you need to enter your email ID, accept the terms and click Go. The scanning process will begin. You are notified via email once the scan is complete.

Wordpress malware removal

If your site is malware-infected, you need to pay $99 to clean it up.


Malware detection is free, but malware cleaning is blocked by a payment gateway. 

3. Manual method (Not Recommended if You Have Little to No Technical Expertise and Highly Risky)

Open your site backup. Check for all the essential files. The backup file must include,

  1. WordPress core files 
  • wp-admin
  • wp-content (Contains themes, plugins and uploads of your website)
  • wp-includes
  • Other miscellaneous files

You can even download a copy of WordPress core and cross-check it with your backup.

2. The Database

3. .htaccess file 

Note: By default the htaccess file is hidden. You need to change your file manager settings to view it.
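The cross-check of a backup against a fresh WordPress core download, mentioned above, can be done by hashing both trees. The script below is an added example, not part of the original guide; it assumes the clean copy is the same WordPress version as the backup, and the miniature file trees it builds are constructed stand-ins for the real folders.

```python
import hashlib
import tempfile
from pathlib import Path

# Top-level directories that contain only core files, so any extra file in
# them is worth a look. wp-content is left out: themes, plugins and uploads
# legitimately add files there.
CORE_DIRS = ("wp-admin", "wp-includes")


def file_map(root):
    """Map each file's path relative to root to its SHA-256 digest."""
    root = Path(root)
    return {p.relative_to(root).as_posix(): hashlib.sha256(p.read_bytes()).hexdigest()
            for p in root.rglob("*") if p.is_file()}


def compare_core(clean_root, backup_root):
    """Compare a backup with a clean WordPress download of the same version."""
    clean, backup = file_map(clean_root), file_map(backup_root)
    return {
        # Present in both, content differs: a core file was edited.
        "modified": sorted(f for f in clean if f in backup and clean[f] != backup[f]),
        # Inside a core-only directory but not shipped with WordPress.
        "unexpected": sorted(f for f in backup
                             if f not in clean and f.split("/")[0] in CORE_DIRS),
        # Shipped with WordPress but absent from the backup.
        "missing": sorted(f for f in clean if f not in backup),
    }


def build_sample(tmp):
    """Constructed miniature trees standing in for a clean copy and a backup."""
    clean, backup = Path(tmp, "clean"), Path(tmp, "backup")
    files = {"index.php": "<?php // front controller\n",
             "wp-includes/version.php": "<?php $wp_version = 'x.y';\n",
             "wp-admin/admin.php": "<?php // admin bootstrap\n"}
    for root in (clean, backup):
        for rel, body in files.items():
            (root / rel).parent.mkdir(parents=True, exist_ok=True)
            (root / rel).write_text(body)
    (backup / "index.php").write_text("<?php /* appended */ // front controller\n")
    (backup / "wp-includes/wp-tmp.php").write_text("<?php // not in clean copy\n")
    (backup / "wp-admin/admin.php").unlink()
    (backup / "wp-config.php").write_text("<?php // site config, expected extra\n")
    return clean, backup


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        for kind, files in compare_core(*build_sample(tmp)).items():
            print(f"{kind}: {files}")
```

The site's own wp-config.php is not reported because it sits outside the core-only directories. Files under wp-content still need the separate check of themes, plugins and uploads.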

Here are the generalized instructions to remove malware from WordPress. You can find step-by-step instructions at the bottom.

1.Reset all your passwords – If you can log in to the admin dashboard, reset all your passwords. Ex: WordPress account, Webmail, CPanel, etc.

To reset your WordPress password, navigate to WordPress Dashboard > Users > Edit > scroll down to the Account Management section > Set New Password.

account management options wordpress

2.Check for suspicious admins/ users – Remove if any.

3.Check posts and comments for blacklisted URLs – Check for suspicious uploads. (Posts, Media, Pages, Themes, Plugins) Delete hacked files if any.

4.Export content, settings and widget settings 

  • Go to Tools>Export all your content as an XML file.

5. Delete everything in the public_html folder (except the cgi-bin folder; check it for hacked files).

6.Reinstall WordPress – You could do this from your hosting CPanel.

7.Reinstall Themes and Plugins – Do not reupload old, unsupported plugins. 

8.Upload your content folder – Make sure to check for infected files before uploading.

Here is a step-by-step guide on WordPress malware removal.

Best WordPress Security Practices

Follow the best security practices to decrease your odds of being hacked.

1.Update everything – Unsupported themes and plugins have vulnerabilities which serve as opportunities for hackers to crack into your database. 

Always update themes, plugins and WordPress to the latest version to be secure.

2.Remove Weak Passwords – Set strong passwords to reduce the odds of being hacked by a brute force attack. Here is a guide that helps you set strong passwords.

3.Review who has access – Delete unknown/ old users. 

4.Backup your site regularly – Backups are lifeguards for websites. Let us assume you managed to find out that your website was hacked on Friday morning. What if you had a backup from Wednesday? 

Wipe everything and replace it with the backup(without vulnerable plugins). Apply WordPress best security practices. That is it. This makes the process much easier.

5.Remove unnecessary files – Remove unused plugins, site backups and themes. Deactivated plugins and themes also serve as opportunities for hackers.

6. Use a double login system – Root server admins can add a layer of login to your default login page. To log in to your page, you need to enter two credentials to reach your dashboard.

The first login page

Your normal WordPress login page can be accessed only if you pass the first login

While this may seem like more work, it improves your website security. It also decreases the odds of your website being hacked.

7. Harden your WordPress site using security plugins – Website hardening is the process of adding more layers of security to your site. It decreases your chances of being pwned.

You can use Malcare or other security plugins like Sucuri to harden your website.


You have scanned and removed malware from your website. You also have implemented WordPress best practices to make your website more secure.

What next?

Update PHP on WordPress to make your website more secure.


1. How many WordPress sites are hacked daily?

Though it’s hard to estimate the exact number of hacked sites, Wordfence estimates that 90,000 attacks are performed on WordPress sites every minute.

2. How do WordPress sites get infected with malware?

Using weak passwords, outdated themes and plugins are common causes of WordPress attacks. Hackers take advantage of these vulnerabilities and inject malicious code into some part of WordPress. This infects the entire site.

3. How do I check for malware?

You can use Sucuri Site Scanner, Google Safe Browsing Tool or other WordPress malware scanner websites to find malware.
