Steps To Remove Malware From Your WordPress Website

WordPress is one of the most popular tools for creating a website. Approximately 35% of websites are made using WordPress. This widespread use is due to its user-friendly features. In addition, WordPress offers a large number of templates and plugins, which simplify creating websites.

But every coin has two sides. With the widespread use of WordPress, websites are prone to malware attacks. Vulnerabilities in the code enable hackers to damage your WordPress website with malware.

After these attacks, there are no other options left for you except to sit down and work to solve the problem. Security of your website should be a priority. We understand that anyone can get hacked. Therefore, in this article, we give you a step-by-step guide to remove malware from your WordPress website.

Remove Malware from WordPress Website

The easy steps to remove Malware from your WordPress Website are:

  1. Run an Anti-Virus Scan

If your website is infected, then detection should be your first step. You must detect what type of malware has infected your site and which files are infected. Running an anti-virus scan on your computer helps with detection.

Download the entire site with the help of an FTP program. After the download, we can run a scan on each file to identify the malicious code. Usually, when the files are downloading, the anti-virus analyzes them. You can see the potentially dangerous files in the generated report.

  1. Run an Online Website Malware Scan

You can run your WordPress website’s malware scan online. There are many sites available online which will help you.

WP Hacked Help is one such site. It enables you to run an online malware scan on your website for free. After the scan, it generates a detailed report. You can then easily analyze which files are infected. This tool also helps you to remove malware.

To find out what type of threat you are facing, you can activate the Google Webmaster tool. After activating it, go to its ‘Security problems’ section.

  1. List Files by Modification Date

You can detect potentially dangerous files by accessing the site via FTP and sorting the files by modification date. The recently changed files will appear at the top.

If you have not changed anything in those recently modified files, then these files may contain some malicious code. However, this type of detection is very tedious.

  1. Scan Your Downloads Folder

To detect malware, you must scan your downloads folder. Usually, the downloads folder does not have any PHP files. Therefore, delete all the PHP files in a wp-content folder.
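As an added example (not part of the original article), the following Python script applies the two checks above to a local copy of the site downloaded over FTP: it lists files modified in the last few days, newest first, and lists PHP files under the uploads tree. It assumes the "downloads folder" corresponds to wp-content/uploads and only reports files so each hit can be reviewed; the function names and the sample tree are constructed for illustration.

```python
import os
import tempfile
import time

PHP_EXTS = (".php", ".phtml", ".php5", ".phar")  # extensions commonly run by PHP handlers
DAY = 86400

def recently_modified(site_root, days, now=None):
    """Return (mtime, relative_path) for files changed in the last `days` days, newest first."""
    cutoff = (time.time() if now is None else now) - days * DAY
    hits = []
    for dirpath, _dirs, files in os.walk(site_root):
        for name in files:
            path = os.path.join(dirpath, name)
            mtime = os.lstat(path).st_mtime
            if mtime >= cutoff:
                hits.append((mtime, os.path.relpath(path, site_root)))
    return sorted(hits, reverse=True)

def php_in_uploads(site_root, uploads=os.path.join("wp-content", "uploads")):
    """Return relative paths of PHP files under the uploads tree (assumed location)."""
    found = []
    for dirpath, _dirs, files in os.walk(os.path.join(site_root, uploads)):
        for name in files:
            if name.lower().endswith(PHP_EXTS):
                found.append(os.path.relpath(os.path.join(dirpath, name), site_root))
    return sorted(found)

def build_sample_site(root, now):
    """Constructed sample tree; values are days since each file was last modified."""
    layout = {
        "wp-config.php": 90,
        "wp-content/themes/demo/functions.php": 1,
        "wp-content/uploads/2024/01/photo.jpg": 40,
        "wp-content/uploads/2024/01/cache.PHP": 2,
    }
    for rel, age_days in layout.items():
        path = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w") as fh:
            fh.write("sample\n")
        os.utime(path, (now - age_days * DAY,) * 2)

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_site(tmp, time.time())
        for mtime, rel in recently_modified(tmp, days=7):
            print(time.strftime("%Y-%m-%d %H:%M", time.localtime(mtime)), rel)
        print("PHP files under uploads:", php_in_uploads(tmp))
```

Modification times are only meaningful if the FTP transfer preserved the server's timestamps, and they can be reset by whoever changed the file, so treat an empty result as inconclusive.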

  1. Back Up Your WordPress Site Regularly

It is always recommended to back up your site. You should do it regularly and completely. You should save the following items:

• MySQL database
• FTP account

Tip: You can have access to a full backup system with the help of cPanel from your host. You can get a complete ZIP file of your site.

  1. Deactivate Plugins and Clean WP Theme

A vulnerable theme or plugin can lead to your website getting hacked. You can face the same risk from a free theme or plugin.

Follow these simple steps to remove the malicious code:

• Scan and detect malware in WordPress themes. Always download themes from a genuine and original source. Replace the files in the folder named after the template in /wp-content/themes/.
• Always use a child theme. This way, you will not lose any changes made to these files.
• In the next step, repeat this entire process for the folders containing the plugins. Download clean plugins and replace them.
• Copy the new files and delete the old ones in the /wp-content/plugins/ folder.
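One way to see which theme or plugin files differ from a clean download before replacing them, as an added example that is not code from the original article: hash every file in the installed folder and in a clean copy of the same version, then report modified, added and missing files. The function names and the sample file contents are constructed for illustration.

```python
import hashlib
import os
import tempfile

def sha256_tree(root):
    """Map each file's path (relative to root) to the SHA-256 of its contents."""
    digests = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            with open(path, "rb") as fh:
                digest = hashlib.sha256(fh.read()).hexdigest()
            digests[os.path.relpath(path, root).replace(os.sep, "/")] = digest
    return digests

def compare_to_clean(installed_dir, clean_dir):
    """Classify installed files against a clean copy of the same theme or plugin version."""
    installed, clean = sha256_tree(installed_dir), sha256_tree(clean_dir)
    return {
        "modified": sorted(p for p in installed if p in clean and installed[p] != clean[p]),
        "added": sorted(p for p in installed if p not in clean),
        "missing": sorted(p for p in clean if p not in installed),
    }

def write_tree(root, files):
    """Create files from a {relative_path: text} dict (used for the constructed sample)."""
    for rel, text in files.items():
        path = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w") as fh:
            fh.write(text)

# Constructed sample: a clean theme, and an installed copy with one edit and one extra file.
CLEAN = {"style.css": "body{}\n", "functions.php": "<?php // theme setup\n",
         "inc/nav.php": "<?php // menu\n"}
INSTALLED = {"style.css": "body{}\n", "inc/nav.php": "<?php // menu\n",
             "functions.php": "<?php // theme setup\n// unexpected extra line\n",
             "inc/tmp.php": "<?php // not in the clean copy\n"}

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as live, tempfile.TemporaryDirectory() as ref:
        write_tree(live, INSTALLED)
        write_tree(ref, CLEAN)
        for kind, paths in compare_to_clean(live, ref).items():
            print(kind, paths)
```

The comparison is only valid against the same version of the theme or plugin; files that belong to a child theme will show up as added and need to be reviewed by hand.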


  1. Change Passwords

It is always advisable to change all the passwords that are related to your website. You should change the passwords for your hosting panel, FTP, user database, and all users with administrator-level access.

Moreover, always use strong passwords for your WordPress website. Your password must contain at least eight characters and should include numbers and special characters. You should use unique passwords for your different accounts.

  1. Find Malicious Users

Hackers can register on your WordPress website. Then they run and execute malicious scripts, exploiting any vulnerability in your themes and plugins. Stop Spammers is one of the tools that help you to detect malicious users and delete them.

  1. Lock WP Login to Limit Login Attempts in WordPress

When you log in to your WordPress administrator, you can test as many possible login ID pairs as you want. To limit these login attempts, you can use the Login LockDown plugin. This plugin records the IP address and time of every failed login attempt. It disables the login function after a certain number of failed login attempts. This way, your site is protected from brute force password hacking. You can select the Maximum Login Retries yourself.

  1. Install Security Plugins

Installing security plugins is essential for your WordPress website. There are a number of security plugins, such as Wordfence, Bulletproof Security, iThemes Security and many more. They help keep your site safe and secure.

  1. Change Hosting Provider

Sometimes, the malware can infect your site due to poor security of the hosting provider. A good server and hosting provider ensures that your site is secure from any malware from their side. If you feel that your current hosting provider lacks security, then change it. You can go for a hosting provider with good security and customer service.

  1. Restore Your backup

After all the malware has been removed, you have to restore your site from a backup. Use the same plugin for restoring that you used to take the backup. After restoring, re-scan your entire website.

  1. Inform Google that You are Clean

If you have a hacked website, Google detects it and puts an ‘infected poster’ on your site.

Once the cleanup of Malware is complete, you can ask Google to reconsider the website using the Request a Review tool. You have to submit a report. The report will include the measures taken by you to clean up the malware. They will check it and will inform you via an email.

Removing malware from your hacked WordPress website is not a complicated process. Follow the steps above carefully and patiently, and you will be able to fix the issue and get your website clean and operating again. If you are still facing issues, you can turn to professional WordPress support and backup services.


I want to conclude this article by emphasizing that you should always take the right security precautions. Always use plugins and themes from genuine sources, and use a good server and strong passwords.
