How to Find and Remove Malware From WordPress (Step-by-Step)

Key Takeaways

  • Malware usually shows up as spam redirects, a Google warning, unknown admin users, or your host suspending the account. Confirm the infection with a scan before you start deleting things.
  • Before cleaning, put the site in maintenance mode, back up the infected files, and change every password: WordPress, database, FTP, hosting, and email.
  • A free scanner such as Wordfence, Sucuri, MalCare, or Jetpack Protect will find most infections. Removal is either manual (reinstall core, refresh plugins and themes, inspect wp-config, .htaccess, and the database) or a paid one-click clean.
  • If you have a recent clean backup from before the hack, restoring it is often faster and safer than hand-cleaning file by file.
  • The cleanup only sticks if you harden afterward: updates, limited login attempts, two-factor login, and a smaller attack surface. Nexter Extension bundles several of these controls.


There is a specific kind of stomach-drop that comes with opening your own website and watching it redirect to a sketchy online-pharmacy page. Or getting the email from Google that calls your site “deceptive.” Or a host quietly suspending the account with a one-line note about “malicious activity.”

A hacked WordPress site feels like an emergency, and it is one. But the cleanup follows a predictable order, and most infections are fixable in an afternoon if you work through the steps calmly instead of deleting files at random.

This guide walks through how to find and remove malware from WordPress: how to confirm you are actually infected, how to contain the damage, how to scan and clean, and how to make sure it does not come back.

How to Tell if Your WordPress Site Actually Has Malware

Before you touch a single file, confirm that malware is really the problem. A few symptoms are almost always a real infection:

  • Unexpected redirects. Visitors (or you) land on spam, gambling, or pharmacy pages instead of your content.
  • A Google warning. Search Console shows a “Security Issues” report, or browsers display a red “Deceptive site ahead” screen from Google Safe Browsing.
  • Your host suspended the site. Many hosts scan automatically and take a site offline the moment they detect malicious files.
  • Unknown admin users. A user you never created appears in Users, often with a random name and admin role.
  • Strange files or spam pages. New PHP files you did not add, or hundreds of spammy pages showing up in Google when you search site:yourdomain.com.

Not every problem is a hack. A white screen or a broken layout is often just a plugin conflict. That is why the first real step is a scan, not a panic-delete. If your issue turns out to be a plugin clash instead, our roundup of common WordPress mistakes to avoid covers the usual suspects.

First 15 Minutes: Contain the Damage

Malware can keep spreading, and keep stealing data, the whole time you are working on the site. Lock things down first:

  1. Put the site in maintenance mode or take it offline so visitors are not served malicious code while you clean.
  2. Back up the infected site anyway. Yes, it contains malware, but you need a copy of the evidence, and you can extract clean uploads from it later. A dedicated plugin makes this quick; see our picks for the best WordPress backup plugins.
  3. Change every password. WordPress admin, the database user in wp-config.php, FTP/SFTP, your hosting panel, and the email tied to the admin account.
  4. Regenerate your security keys. Replacing the secret keys and salts in wp-config.php logs out every session, which kills any stolen login cookies an attacker is still using.
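Step 4 can be scripted. The function below is an added example, not part of the original article: it rewrites the eight key and salt defines in wp-config.php with fresh 64-character values generated locally (instead of pasting from the WordPress.org salt generator), so every existing login cookie stops validating. It assumes GNU sed and the stock single-quoted `define( 'AUTH_KEY', '...' );` layout.

```shell
#!/usr/bin/env bash
# Added example (not from the article): rotate the eight WordPress secret keys
# and salts in wp-config.php so every existing session is invalidated.
# Assumes GNU sed and the stock single-quoted define( 'KEY', 'value' ); lines.
# Back the file up first (the article's step 2) because the edit is in place.
set -eu

WP_KEYS="AUTH_KEY SECURE_AUTH_KEY LOGGED_IN_KEY NONCE_KEY \
AUTH_SALT SECURE_AUTH_SALT LOGGED_IN_SALT NONCE_SALT"

# 64 random alphanumeric characters (about 380 bits of entropy). The character
# set is deliberately safe inside a single-quoted PHP string and a sed pattern.
random_secret() {
    head -c 1024 /dev/urandom | LC_ALL=C tr -dc 'A-Za-z0-9' | head -c 64
}

# Replace the value of each define( 'KEY', '...' ); that exists in the file.
# Prints how many keys were rewritten; a normal wp-config.php reports 8.
rotate_salts() {
    local config="$1" key secret replaced=0
    for key in $WP_KEYS; do
        if grep -Eq "^[[:space:]]*define\([[:space:]]*'$key'" "$config"; then
            secret="$(random_secret)"
            sed -i -E "s|^([[:space:]]*define\([[:space:]]*'$key'[[:space:]]*,[[:space:]]*)'[^']*'|\1'$secret'|" "$config"
            replaced=$((replaced + 1))
        fi
    done
    echo "$replaced"
}
```

Run it as `rotate_salts /path/to/wp-config.php`; if it prints fewer than 8, some defines use a different quoting style and need a manual edit.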

Step 1: Scan and Find the Malware

Start with a free remote scan that needs no install: Sucuri’s SiteCheck or Google’s Safe Browsing status page will tell you quickly whether your site is flagged and where the obvious problems are. Remote scanners only see public pages, though, so follow up with a server-side scanner plugin that can read your actual files.

Here is how the four most common free scanners compare (install counts and versions verified on WordPress.org, July 2026):

| Scanner | Active installs | Free scan | Removal |
| --- | --- | --- | --- |
| Wordfence | 5M+ | Yes: core, themes, plugins for malware, backdoors, redirects, SEO spam | Manual (you act on the findings) |
| MalCare | 200,000+ | Yes: cloud-based deep scan | One-click removal is paid |
| Sucuri Security | 600,000+ | Yes: remote scan, file integrity, activity audit | Removal is a paid service |
| Jetpack Protect | 100,000+ | Vulnerability scan via WPScan (53,500+ known issues) | Malware scan and removal are paid (Jetpack Scan) |

A good scan report tells you which core files were modified, where injected PHP or backdoors are hiding, and which redirects or spam links were added. Save that report. It is your cleanup checklist.

Step 2: Remove the Malware

One reminder before you edit anything: you backed up the site in the previous section, so if a step goes wrong you can restore that copy. If you are not comfortable editing PHP or running SQL, use a one-click removal tool or hire a cleanup service instead of guessing. With that said, here is the manual path:

  1. Reinstall WordPress core. In the dashboard go to Updates and click “Re-install Now.” This overwrites every core file with a fresh copy without touching your database or wp-content. If the dashboard is locked, upload fresh core files over FTP (keep your own wp-config.php and wp-content).
  2. Refresh plugins and themes. Delete every plugin and theme, then reinstall clean copies from WordPress.org or the developer. Remove anything you do not actively use, and delete any plugin or theme you do not recognize.
  3. Check the common injection points. Inspect wp-config.php, .htaccess, and index.php for code you did not add, and look inside wp-content/uploads: there should be no .php files in there at all.
  4. Clean the database. In phpMyAdmin, review wp_users for rogue admins, wp_options for suspicious autoloaded scripts, and wp_posts for injected spam links. Remove any scheduled tasks (cron events) you do not recognize.
  5. Compare against a clean copy. Download a fresh WordPress ZIP of the same version and diff it against your files to spot anything that was modified.
  6. Re-scan until clean. Run the scanner again and repeat until it reports nothing.
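Steps 3 and 5 are easier to repeat from a shell than from an FTP client. The script below is an added example, not code from the article: it lists PHP files hiding under wp-content/uploads, diffs the install against an unpacked fresh release of the same WordPress version, and reports files and directories that are not at 644/755. It assumes GNU find and diff on the server (or on a local copy of the site); the paths are arguments.

```shell
#!/usr/bin/env bash
# Added example (not from the article): three of the manual cleanup checks as
# shell functions. Assumes GNU find and diff. $site is the WordPress root,
# $clean is an unpacked fresh release of the same version for comparison.
set -eu

# Uploads should hold media only. Any PHP-like file there is a candidate
# backdoor or dropper and belongs at the top of the cleanup checklist.
php_in_uploads() {
    local site="$1"
    find "$site/wp-content/uploads" -type f \
        \( -iname '*.php' -o -iname '*.phtml' -o -iname '*.php[0-9]' \) 2>/dev/null | sort
}

# Core files that differ from the fresh release, or exist only on the site.
# wp-content, wp-config.php and .htaccess are site-specific and excluded here;
# the article has you inspect those by hand.
core_diff() {
    local site="$1" clean="$2"
    diff -rq -x wp-content -x wp-config.php -x .htaccess "$clean" "$site" \
        | grep -e '^Files ' -e "^Only in $site" || true
}

# Anything that is not a 644 file or a 755 directory, plus a warning when
# wp-config.php is readable or writable by "other".
loose_permissions() {
    local site="$1"
    find "$site" -type f ! -name wp-config.php ! -perm 644 -printf '%m %p\n'
    find "$site" -type d ! -perm 755 -printf '%m %p\n'
    find "$site" -maxdepth 1 -name wp-config.php -perm /007 \
        -printf 'wp-config.php is world-accessible (%m); tighten it\n'
}

# Usage: audit_site /var/www/html /tmp/wordpress-clean
audit_site() {
    echo "== PHP files under wp-content/uploads"; php_in_uploads "$1"
    echo "== Differences from the clean release";  core_diff "$1" "$2"
    echo "== Permissions outside 644/755";         loose_permissions "$1"
}
```

Every line the audit prints is something to open and read before deleting; a modified core file is safe to overwrite from the fresh release, while a PHP file in uploads tells you the upload path was the entry point.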

Step 3: Get Your Site off Google’s Blocklist

A clean site can still be flagged for days until you ask for a re-check. Once your scans come back empty:

  • Open Google Search Console, go to Security Issues, and click Request Review after confirming the site is clean.
  • Check your status on Google Safe Browsing so browsers stop showing the red warning.
  • If your host suspended the account, reply to their ticket and ask them to re-scan and restore the site.

How long recovery takes comes down to one thing: a clean, recent backup. Sites that have one are usually back within an hour. Sites cleaning file by file without one can spend 24 to 72 hours on it.

Should You Clean It Yourself, Restore a Backup, or Pay a Service?

There is no single right answer. Match the route to your situation:

| Route | Best when | Cost and speed |
| --- | --- | --- |
| Clean it manually | You are comfortable with FTP and the database, and you have no clean backup | Free, but slow and detail-heavy |
| Restore a backup | You have a recent backup from before the infection | Free and fastest, if the backup predates the hack |
| Pay a removal service | The site is business-critical, keeps getting reinfected, or you are not technical | Roughly $50 to $300, usually same-day |

Harden WordPress So It Does Not Happen Again

Removing the malware fixes the symptom. Hardening closes the door it came through. If you skip this part, reinfection is common within weeks.

  • Update everything. Outdated core, plugins, and themes are the number one entry point. Update on a schedule and remove abandoned plugins entirely.
  • Lock down logins. Limit login attempts, add two-factor authentication, put a CAPTCHA on the login form, and change the default login URL.
  • Disable file editing. Add define('DISALLOW_FILE_EDIT', true); to wp-config.php so a stolen login cannot edit theme or plugin code from the dashboard.
  • Set correct permissions. Files at 644 and folders at 755, with wp-config.php locked down tighter.
  • Keep a firewall and scanner running, and keep automated off-site backups.
  • Shrink your attack surface. Fewer plugins and a lightweight theme mean fewer things that can be exploited.
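Two of the items above, the permission reset and DISALLOW_FILE_EDIT, can be applied from a shell in one pass. This is an added example rather than the article's own instructions; it assumes GNU find and sed and a wp-config.php that still carries the stock "That's all, stop editing!" marker.

```shell
#!/usr/bin/env bash
# Added example (not from the article): apply the permissions and
# DISALLOW_FILE_EDIT hardening items from the shell. Assumes GNU find/sed and
# a wp-config.php that still has the stock "That's all, stop editing!" marker.
set -eu

# Files 644, directories 755, wp-config.php 600. 600 assumes PHP runs as the
# file owner (the usual shared-hosting setup); where PHP runs as a separate
# web-server user, use 640 with that user's group instead.
harden_permissions() {
    local site="$1"
    find "$site" -type d -exec chmod 755 {} +
    find "$site" -type f -exec chmod 644 {} +
    chmod 600 "$site/wp-config.php"
}

# Insert define( 'DISALLOW_FILE_EDIT', true ); exactly once, just above the
# stock marker so it is defined before wp-settings.php loads. Prints what it did.
disable_file_edit() {
    local config="$1"
    if grep -q "DISALLOW_FILE_EDIT" "$config"; then
        echo "already set"
        return 0
    fi
    sed -i "/That's all, stop editing!/i define( 'DISALLOW_FILE_EDIT', true );" "$config"
    if grep -q "DISALLOW_FILE_EDIT" "$config"; then
        echo "added"
    else
        echo "marker not found; add the define by hand" >&2
        return 1
    fi
}

# Usage: harden_permissions /var/www/html && disable_file_edit /var/www/html/wp-config.php
```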

[Image: Nexter Extension security settings panel in the WordPress dashboard]
Nexter Extension gathers common WordPress hardening controls into one settings panel.

This is where a hardening tool earns its keep. Nexter Extension bundles several of these controls in one place, so you are not stacking five single-purpose plugins: Limit Login Attempts, 2 Factor Authentication, Captcha Spam Protection, a Custom Login URL, Login Email Notification, and Content Protections. To be clear, Nexter Extension is not a malware scanner and will not clean an infected site; that is what the scanners above are for. What it does is close the login and access holes that let malware in, which is exactly where most WordPress hacks start.

[Image: Login security options including two-factor authentication and limit login attempts]
Limiting login attempts and enabling two-factor login shuts down brute-force attacks.

Pair that with the lightweight Nexter Theme to keep your footprint small, and lean on a proper security plugin for continuous scanning. For more ways to keep content and access under control, see our guide on ways to protect content in WordPress.
