Knowing how to remove malware from a WordPress site is a skill that every webmaster should have. Malware stands for malware, a general term for harmful programs and files that can compromise a system. It can damage computers, servers, networks, and websites. In this article, you will learn how to remove malware from a WordPress site.

What Can a Malware Do to Your Site?

Although WordPress is well-maintained and secure, it has several vulnerabilities that can expose your site and your visitors to malware threats. Therefore, paying attention to the security of your site is absolutely essential.

Here are some of the risks that malware poses:

  • Unwanted changes to your content or site, whether something is added or removed without your permission.
  • Compromised sensitive data, such as users’ personal information.
  • Spam, either in the form of suspicious emails or links sent from your site.
  • Your URL is redirected to untrustworthy websites that promote scams, inappropriate content, or malicious ads.
  • A sudden increase in the consumption of server resources.
  • Google marks your site as unsafe in the browser and in search results.
  • Negative impact on SEO (linked to the previous point).

How to Remove Malware from a WordPress Site Manually?

The manual method can be time consuming and requires more technical knowledge, but it can give you information on where the violation occurred. If you prefer to use a simpler alternative to remove malware from a WordPress site, probably with a security plugin.

  1. Make a backup of your site
    Always make a backup of your site before modifying your main files. There are two ways to do this, depending on whether your site is blocked or not.

If you can’t log in, you can save a copy of your site’s public_html folder via your hosting file manager or FTP. That is how:

  • File manager: right-click on the public_html directory and select compress. Once done, save it to your computer by right-clicking on the file and downloading it.
  • FTP: go to Site Manager -> Connect and then download the folder using the same method you used previously. The only difference is that you will need to use an FTP client like FileZilla.
  • In the meantime, if you still have access to your site, you can use plugins like UpdraftPlus, Backup Buddy, or VaultPress to save time.

Last but not least, keep a backup of your locally stored database as well.

2. Run a Scan on Your Computer

We suggest that you upload your backup using an FTP client or with the file manager and then run a scan of the backup locally.

Use an antivirus system and a malware scanner such as Kaspersky or MalwareBytes to diagnose and fix potential file problems on your site. If the scan is successful and helps to locate and eliminate problems, change your FTP password and upload the site files again.

how to remove malware form wordpress site

3. Remove the Malware Infection

There are a few steps you can take to remove malware from your WordPress site. First, you will need to access the site files via FTP or a file manager.

Delete all files and folders from your site directory except wp-config.php and wp-content.

Then open wp-config.php and compare its content with the same file from a fresh installation or wp-config-sample.php found in the WordPress GitHub repository. Look for strange or oddly long code strings and remove them. It is also a good idea to change the password for your databases after you have finished inspecting the file.

Then go to the wp-content directory and act on these folders:

  • Plugins – List all installed plugins and delete the subfolder. Later, you can re-download and reinstall them.
  • Themes – Remove everything except your current theme and look for suspicious code, or just remove it entirely if you’ve saved a clean backup or don’t mind reinstalling.
  • Downloads – Check to see if there is anything you haven’t downloaded.
  • index.php – After removing plugins, remove this file.

4. Download a Fresh WordPress Copy to Install

Download WordPress again and upload the content to your website again via FTP or a file manager.

Go to your file manager, click Upload Files, and find the WordPress zip file. When the download is complete, right-click or hit the Extract button and enter a directory name to set the storage location. Copy everything else except the zip file to public_html.

Alternatively, you can use hPanel’s one-click installer and change the database credentials in the wp-config.php file to point to your new installation.

5. Reset WordPress Password

If multiple users are running a website, the violation may have occurred through one of their accounts. It is recommended that you reset each user’s password, log out of all accounts, and check for any inactive or suspicious user accounts that need to be removed.

Replace passwords with long, random strings that cannot be violated by brute force attacks. It is a great idea to use a password generator.

6. Re-Install Plugins and Themes

Now that you’ve removed the malware from your WordPress site, reinstall the removed plugins and themes that you had. However, make sure to ignore plugins that are out of date and no longer maintained.

While you’re at it, we recommend that you install security plugins that can protect your WordPress site and easily remove malware in the future. Use one with a proven track record like MalCare, WordFence, or Sucuri.

How to Remove Malware from WordPress Using a Plugin?

For this article, we are going to show how to remove malware from a WordPress site using Sucuri. But first, let’s take a look at what it offers:

  • Server-side analysis (premium) and remote analysis (free). The latter only detects malicious code on the site and while the former also searches for it on the back-end.
  • It detects compromised WordPress files on your system and replaces infected files with their original copies.
  • Run an antivirus software and search engine database check to see if your site is blacklisted.
  • Strengthen the security of your site to prevent malware attacks.
  • Alerts you whenever signs of malicious activity are detected.
  • Install a firewall on your website (premium).

You can get Sucuri from the WordPress plugin repository.

This image shows the process of generating Sucuri's API key

Once your site is integrated with the Sucuri API service, go to Control Panel -> Update Malware Scan. It will display a log file with all reported suspects. For this tutorial, we added some suspicious code to the index.php file on our test site.

This displays the file log of Sucuri, showing a suspicious file as flagged

After running the scan, the file was flagged. You can select it and perform whichever action you prefer.

Removing the Warning Label on Google SERP

Although the malware has been removed from your WordPress site, you still need to ask Google to remove the warning tag from the site:

  • Go to Google Search Console and register your website. Go to step three if you have an account.
  • After that, check it using domain prefix or URL.
  • Scroll down to find Security and Manual Actions on the left tab. Click to display a drop-down list and select Security Issues.
  • You will see the security report for your site, where you can choose Request a review.
  • You should check if you have successfully removed the malware from your WordPress site before submitting a request. Otherwise, you will be marked as a repeat offender and you will not be able to request another review for 30 days.

You should check if you have successfully removed the malware from your WordPress site before submitting a request. Otherwise, you will be marked as a repeat offender and you will not be able to request another review for 30 days.


Malware can be a major problem that robs your WordPress site of credibility and trust while compromising you and your users. While we were looking at how to remove malware from a WordPress site, we showed you two methods:

Manual removal, which requires:

  • Take a backup of your site.
  • Use malware scanning and antivirus software to perform a local backup.
  • Remove malware by modifying your WordPress files and deleting old or suspicious ones.
  • Reset all user passwords and check for suspicious users.
  • Reinstall plugins and themes.

Or you can use plugins to troubleshoot and improve the security of your site. Additionally, we have also learned how to remove the warning label that Google may place on your website.

+ posts

Similar Posts