January 22, 2020

How to Remove Malware from Your WordPress Website

It’s just a regular morning, you have your mug of strong coffee brewing and you even woke up in a good mood! And then you open up your website, and you immediately know that something’s not right. The worst has happened, your site has malware!

I know, it’s extremely frustrating and kinda makes you feel like this,

And also a little bit like this

But, there’s no use crying over spilt milk.  All you can do is clean up the mess. So, let’s focus on getting your site up and running again!

Here’s a step-by-step of how to remove malware from your WordPress site and make it brand new again. Let’s begin!

 Step 0: Check if you have a backup

Most hosting services have automatically-scheduled backups. So, check to see if you have a backup of the clean version of your website.

If you do, that’s great news!

Restore your website from the backup and check if it works correctly. Just to be extra careful, run a malware scan too.

If everything seems to be good, congratulations! Your job here is done and we can just focus on hardening your security now.

Skip to step 7, please.

Epitrove’s tip: If your hosting provider doesn’t offer backups, we suggest for future use you switch to a hosting provider like LiquidWeb or Siteground that offers daily backups and one-click restores. 

Step 1: Take a full backup of your website

Before making any changes at all, be sure to take a complete backup of your website. If things don’t go according to plan we need to have a safety net. It is very important that you take a backup; I cannot stress this point enough.

To do this manually, open up your public_html folder using the File Manager on your hosting account. Select all the files and put them in a zip folder. Now download this to your computer.

Another good way to take a full backup without a lot of hassle is to use a plugin. UpdraftPlus is a competent free plugin that you can use to do so.

You can also schedule backups for future use, but for now, we’ll take one by clicking the ‘Backup Now’ button. You’ll also see a ‘Restore’ button. We can use it if things go haywire.

Save the backup to your Google Drive for safekeeping. You can also choose to upload it to Dropbox or your email. Whichever is convenient for you.

Epitroves tip: If you’re looking for good backup plugins to take regular backups. The UpdraftPlus pro version comes with some advanced features. Alternatively, BackupBuddy and VaultPress are also good options.

Step 2: Put your website on maintenance mode

While your site is down, and if it hasn’t been blacklisted, you need to put up an ‘under maintenance’ page. You can redirect users to this page if they try to visit your website and meanwhile you can work on fixing your website.

Coming Soon Page, Under Construction or Maintenance Mode Page by SeedProd is a good plugin that can help you set it all up, with minimal hassle.

Step 2: Scan your website

Once we have our backup in place, we can start working to remove malware from our WordPress website.

The first thing to do is to scan your website for malware. Sucuri Sitecheck is a free scanning tool you can use. It scans your website for malware and viruses, out-of-date software and plugins. In addition to that, it also checks if your website has been blacklisted by Google.

The scan will generate a report that will give you an insight into the severity of your problem. It will also let you know if it can detect and remove malware on your WordPress website and how high the risk to your website is. You can run this scan at regular intervals after making changes to check if the issues have been eliminated.

Note that Sucuri scan is a remote scanner and only runs on your online web pages, and doesn’t run a server-side scan.

Alternatively, you can install a security plugin like WordFence. It’s a popular plugin you can find for free on the WordPress repository.  Be sure to run a high-sensitivity scan using the manage scan option. Once complete it should give you a list of all the files that need your attention.

Step 3: Fix modified files / delete malicious files to eliminate malware

We will go through two ways of fixing your files so that you can remove all malware from your WordPress installation.

One of them you can use if you’ve installed WordFence in the previous step. And one if you haven’t.

Step 3 a) – The manual method

The first one we go over is the ‘manual method’.

If you aren’t familiar with what WordPress core files are supposed to look like, you can go to the WordPress repository and download a new version of WordPress to your computer. Now, you can use these files as a reference.

Open up your public_html folder using File Manager. A big indicator that a file is not supposed to be in there or has been modified is that its size is unusually large.

If you open up these files and see a bunch of functions that look like gibberish with no coherent variable names indicating what they do, it’s probably malicious code. This is what clean code looks like:

Once you find a malicious or modified file, be sure to check the date it was last modified. This will help you easily find other files that probably need your attention.

Using the clean files as a reference, remove all malicious code. If you see a file that is not supposed to be there and is full of malicious code, remove it altogether.

If you can’t seem to locate the problem or don’t want to comb through the whole folder –  you can just replace core files.

Do not touch your Wp-content or Wp-config.php file. These files are important and unique to your website. 

Apart from those, delete all the files in your public_html folder. Take a deep breath, I know it’s scary, but that’s why we have our backup.

Now open up the public_html folder of the new WordPress version we downloaded earlier. Now, put everything but the wp-content folder and the wp-config-sample.php in a zip file.  Upload it to your website’s public_html folder and extract files.

Step 3 b) Using a security plugin

Remember the results we got after running the WordFence scan in the last step? We will be using those to guide us when fixing our website.

If a file has been flagged as containing malware, you’ll see the option to ‘view differences’. This option allows you to view how the files have been changed.

 You can now go and edit your files accordingly. The Pro version of WordFence will even fix the files for you.

Recommended for you: 8 most effective malware removal plugins

Step 4: Clean wp-config.php file and wp-content folder

Cleaning wp-config.php

If you’re not familiar with WordPress files, the wp-config.php file is a core file that holds database information. Including name, host, usernames, and passwords. Which is why we can’t just replace this file like other core files. But we do need to make sure that it’s clean.

Remember the wp-config-sample.php file on your computer that we didn’t upload before? Let’s open that up.


Now compare this file with your wp-config.php file line by line. It’s pesky work but there’s no way around it. Remove any piece of code that is out of place.

If you’re using WordFence you can see the differences if the file shows up in the scan. Otherwise, consider your wp-config file to be clean.

Cleaning wp-content folder

Now, coming to the wp-content folder.

If you open it up you’ll see that the folder contains all your plugin, themes, and uploaded media.

The first thing to do is to check your index.php file. This is what it should look like:

If everything seems good here we can move on and look at the plugins and themes folder.

Now, you could follow the method of going through files to see what has been changed. But there are a lot of files and chances are that you would miss something. It would easier to reinstall new, clean versions of the plugins.

So make a list of all plugins and the theme you’re using. Double-check it to make sure you haven’t missed out on anything.

Now delete everything in your plugins folder.

As for the theme folder, delete everything but your current theme. You will need to inspect it manually to ensure that you have removed malware from your WordPress website. Otherwise, just delete the theme and redo any customizations. 

As for your uploads folder. Go through all the files one by one. If you see anything you haven’t uploaded, remove it.

Step 5: Reinstall plugins and themes

Now, referring to the list we made, reinstall clean, updated versions of the plugins from the WordPress.org repository.

Don’t install any plugins that don’t seem to be active or haven’t been updated in a while.

Configure all your plugin settings and redo any theme customizations you previously had on your website. 

Also, make sure you’re using the current version of WordPress. If not, update that as well.

Step 6: Scan your website, again

Hopefully, at this point, your site should be up and running again. But just to be sure we got everything run a scan on it once again. If nothing major shows up, we are good to go!

Congratulations! You have successfully removed all malware from your WordPress website!

Step 7: Harden your website security

Now that we have our site all cleaned up, we need to protect it from any further attacks. There are a few things you can do to beef up your website security.

An obvious one is for you to reset all your user and database passwords. There are also a lot of other do-it-yourself tips you can follow to ensure your website is secure.

Alternatively, you can get a strong security plugin. The plugin can put up a firewall and regularly scan your website for threats. You can pick one from this list of security plugins.

Step 8: Disable maintenance mode and remove site from Google blacklist

You can now go ahead and disable maintenance mode and make your website accessible to the public again.

Now, if your initial scan showed that you had been blacklisted by Google, we need to take care of that as well.

Open up Google Search console. After adding your website, open the security issues report and Request a Review.

Once the warning has been removed, Google will index your website again and it will start showing up in search results again.

Last Word

At the end of it all, I am going to leave you with a 3-step mantra on how to remove malware from your WordPress website:

First and foremost, take regular backups of your website! WordPress websites get hacked all the time and nothing beats the convenience of just restoring it from a backup.

Secondly, keep your WordPress version and all your plugins and themes updated. And do not use plugins that haven’t been updated in a while.

And finally, definitely consider installing a good security plugin so you can avoid security issues and be alerted of any potential threats or vulnerabilities on your website.

Hopefully, this article helped you get your site clean and back up again. Definitely let us know if you have any tips or hacks to easily clean up your website; or your own experience cleaning up a hacked site. Write to us in the comments!

Disclosure: Some of the links in this blog post might be affiliate links. When you purchase through a link on our website, we receive a small commission, at no added cost to you, which helps us run Epitrove and keep producing great content. This does not influence our recommendations; we only recommend products we work with or love. Thank you for your support!

Lavanya Deshmukh
Lavanya Deshmukh

Computer Engineer, food enthusiast and die-hard Harry Potter fan that now writes content full time for Epitrove


Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.