Shopping Cart

No products in the cart.

WordPress Malware Removal: 8 Important Steps You Need to Do

WordPress malware removal is essential for your small business website. Aside from website back-up, it should be among your priorities when you know you have a hacked WordPress site. Why? Because WordPress malware can pose a lot of security risks for your business.

WordPress Malware and Its Effect

It Drains Your Server Resources

Hackers don’t hesitate, nowadays and target small WordPress sites. They will do their best to create malware on your site. When your site is hacked, hackers can mine your database and server resources.

They use these resources to attack other small business websites, send spammy emails, slow down your site performance, and duplicate files. All of these are bad for business.

It Affects User Experience

Since website performance slows down due to malware, users and potential customers get frustrated. Your website bounce rate increases.

As a result, you lose visitors and eventually traffic that converts into sales. The worst scenario is when your site infected with malware is filled with unnecessary information where users are the victims of buying illegal products.

It Affects the Site’s SEO and Health

Often, hackers will do their best to downgrade your website with malware or worst be blacklisted by Google. Once your website gets blacklisting, your SEO rank decreases. Google de-index your small business website, and will not include it on the search result’s page.

WordPress Malware Removal: Your Next Steps

Your site is hacked and might contain malware if you experience one of these situations:

  • Google warns visitors when clicking on your WordPress site link through the SERP. It is still the fastest and free malware scanner.
  • Your hosting provider sends you an e-mail about a possible breach or malware infection.
  • You notice malicious activities and redirections that you didn’t put on your website.

When you suspect malware affecting the performance of your site, it’s time for your next steps on WordPress Malware removal.

WordPress Malware Removal: 8 Important Steps You Need to Do
WordPress malware removal through malware scanner (source)

Remove Malware Manually

Warning for beginners regarding malware removal! Don’t start these malware removal steps if you aren’t familiar with the terms.

You may want to hire an expert to this for you. If you really are sure about doing it on your own without any technical knowledge, here are the steps to remove malware.

1. Backup Your WordPress Database and Files

You need two things: database and files. Back up these using the snapshot feature. Alternatively, use a backup login for WordPress if you can use your log-in details.

Go to Tools in your WordPress and click export your files in XML, if you manage to get into your admin account.

Another alternative is using the file manager of your web host provider. Remember, the most important file is the wp-content folder because it contains all your content uploaded in the host server. This file is large depending on how often you publish content for your website.

Also, don’t forget to back up your htaccess file. This file is only accessible using an FTP app. It is important, so your current host can identify the PHP version and make your clean site work accordingly.

2. Examine the Downloaded Files

After backup, your next in WordPress malware removal is to download the WordPress files and examine them for possible malware infection on your computer. It will be in zip folders. The zip contains the following:

  • Core files. Match these zip core files with the ones you downloaded from WordPress. They should match. These files are important if you want to investigate how the hackers compromised your WordPress site.
  • wp config php file. This file contains your username and password to your database in WordPress. With this information, you can restore your website.
  • .htaccess file. You will need an FTP program or code app to view this invisible file.
  • wp-content folder. This folder has three WordPress files: uploads, plugins, and themes. If each file contains images of all your content, you have back-up your WordPress site successfully.
  • Database. It is an SQL export of your database. This export is important for future references.

3. Delete Infected Files

After examining the backup and ensuring you have all you need, delete hacked WordPress site files in the public_html folder except CGI-bin and server files.

These files are often free of malware and are not prone to hacking. You can delete these files with malware through the File Manager of your web host provider.

Check other sites hosted in the same provider and hosting account. Often, these might also be infected. Repeat this process of removing Malware from your WordPress to ensure all your sites are free of malware.

The important step is to create a back-up, so you can repeat the process in case something goes wrong along the restoration process.

WordPress Malware Removal: 8 Important Steps You Need to Do
WordPress malware removal by removing hacked files (source)

4. Reinstall WordPress

After deleting the files on your public Html, reinstall the WordPress app. Reconfigure the wp-config.php using the credentials on your database from the old and hacked website.

Don’t upload the old wp-config file. A new and clean slate has log-in encryption. This would make the hackers repeat the process of compromising your website.

5. Reset Your Passwords

Reset all your passwords after reinstallation of the WordPress app. Scrutinize your users to see if you recognize them. If one or more users are not familiar, you may want to hire a professional to examine your database for hacking or malicious code.

In WordPress malware removal, database deletion is another alternative. Database deletion needs a lot of work and takes time. But, it will ensure you start on a clean slate. Restore your htaccess file by going to the WordPress Settings and save changes on your Permalinks.

Password change also includes your hosting account, FTP programs, and other apps associated with the creation of your WordPress site.

6. Reinstall Plugins and Themes

Your next step is to reinstall themes and plugins. We recommend reinstallation of new copies of the downloaded app. Don’t use the old downloaded app. Moreover, refrain from reinstalling plug-ins that you can’t maintain.

If you aren’t sure which themes you used, revisit your backup file. Use these files as references in reinstalling your themes. Make changes using a freshly downloaded app, not the old plug-in.

7. Reupload Everything

This is the most challenging and trickiest part. Before you re-upload images, re-examine all back-up files. Make sure that these images don’t have JavaScript or PHP codes, just plain image or file extension associated with images.

It could take time to remove malware and malicious code but it’s worthy, especially if you have many important images that reflect your brand and your content.

8. Run WordPress Security Plugin

Run a WordPress security scan on your computer for any possible viruses, malware, and malicious code. Activate a reliable security plug-in or WordPress malware scanner that can monitor all site activities including brute force attacks.

WP Site Management: 10 Important Tasks for Small Business Owners
WordPress Malware Removal (source)

WordPress Malware Removal: Know the Reasons You’re Hacked

A hacked website isn’t a one-time issue. You get hacked today and it might happen again.

So, after the WordPress malware removal steps, investigate the causes of the hack. Knowing how the hackers compromised your WordPress website is an excellent way of planning preventive measures against cyberattacks.

Take note of all the infected files and open them in a code editor. Often, hacked and compromised files have many weird colored codes that shouldn’t be part of your files.

Perform a Google search on phrases you find on the codes. Then, examine access logs on your hosting panel. These logs contain IP addresses and help you discover the origin of the hacker. With this info, you can block the IP address.

Install WordPress malware removal plugins. These WordPress malware removal plugins will protect your site against future attacks. They may not be your ultimate protection but they will certainly help.

Be Vigilant

Even with security plug-ins in place and a thorough WordPress malware removal plan, remain vigilant. Every now and then, check your site for unusual activities. If you couldn’t spend a few hours every week to monitor your WordPress site, you can pass the burden to your developers or security teams.

There are affordable services out there that can ensure your WordPress site is monitored 24/7. Not only that, these WordPress maintenance support and services can back up your site without you telling them to do so.


Many hacked sites have origins from old plug-ins, themes, and unmonitored WordPress websites. These plug-in services are outdated and aren’t maintained by the developers anymore. So, make sure you’re implementing preventive measures.

WordPress Malware removal plugin isn’t enough to clean a hacked site, especially those compromised by sophisticated hackers. Remove malware from WordPress with sophisticated means, too.

Don’t have time for these tasks? Entrust your WordPress maintenance and site care to expert individuals.

Nathan Baldwin
Nathan Baldwin

Founder of and, providing business solutions to other WordPress site owners.

Articles: 278

One comment

Leave a Reply

Your email address will not be published. Required fields are marked *

30-Day Money-Back Guarantee **

We Know Trying A New Service Can Be Scary and Overwhelming. That’s Why We Offer A 30-Day Money-Back Guarantee. If You’re Not Happy With Our Service We’ll Gladly Refund You Every Penny!

Get Started

Best WordPress Partner We’ve Worked With

We couldn’t keep up with the daily upkeep of our website and SecurItPress was recommended by a fellow small business owner. They took over the maintenance and hosting of our site! Couldn’t be happier and a bonus was the site loaded faster than it ever had.
Sophia Bailey
Mad Mini’s

** Money-Back Guarantee is only available for our Annual Site Care Plans, not Monthly plans or Site Cleanup service.