How To Complete WordPress Malware Removal After Being Hacked


Dani Nolan


2019 February 20th


Finding out that your WordPress site has been hacked can make your stomach drop.

Not only could a hacker with access to your site steal information or make changes to your content, but they could also leave malware that gives them a backdoor into your website in the future.

That's why learning the skills of WordPress malware removal is so important if you own a WordPress-based website.

Today, I’ll walk you through how to remove malware manually from a hacked WordPress site so that you can be sure your site is clean and safe:

  • Step 1: Backup your WordPress site
  • Step 2: Check your computer for malware
  • Step 3: Change your server password
  • Step 4: Delete old WordPress files
  • Step 5: Clean ‘wp-content’ and ‘wp-config.php’
  • Step 6: Install a clean version of WordPress
  • Step 7: Remove browser warnings
  • Additional step: Scan your WordPress website for malware

Step 1: Backup Your WordPress Site

Hopefully, you already have a clean backup of your WordPress site from before your site was hacked. But in any case, it’s a good idea to make a new backup of your WordPress site once you know a hack has happened. Just be sure not to overwrite any existing backups.

The easiest way to back up your site is to use a WordPress backup plugin, such as Backup Buddy or Duplicator. Additionally, check out our tutorial on how to backup a WordPress database for more information. If you don’t have an existing backup and can’t log in to your site, you can try to download a cached version of your site’s content from Google or the Internet Archive.

Step 2: Check Your Computer for Malware

One of the most common ways that WordPress sites get hacked is through your own computer, after it has picked up a virus or other malware elsewhere on the Internet. As long as your computer has malware on it, your website can be hacked repeatedly, and removing malware from WordPress will be a wasted effort.

There is a huge variety of tools available to scan your computer for viruses and malware. Tools like Malwarebytes, Bitdefender, and others should catch any malware that is leaking login information for your website’s server and allow you to remove it.

Often, it’s a good idea to use multiple scanners to be certain you’ve caught any locations on your computer where malware might be hidden.

Step 3: Change Your Server Password

The next step in WordPress malware removal is to change the password that you use to log in to your site’s server. This can typically be done by visiting your host and accessing your profile information. Make sure that you choose a strong password that cannot be easily guessed by a potential attacker.

Step 4: Delete Old WordPress Files

At this point, removing malware from WordPress requires deleting any WordPress files that are not essential to keeping your content intact.

Log in to your host’s cPanel or connect to your site with an FTP client (using your new password) and navigate to the folder where you installed WordPress.

For most users, this will be the folder named ‘public_html’.

Within this folder, you should see a variety of files related to WordPress. Delete all files and folders that start with ‘wp-’, except for the folder named ‘wp-content’ and the file named ‘wp-config.php’. You should also delete the files named ‘index.php’, ‘license.txt’, ‘readme.html’, and ‘xmlrpc.php’.

Step 5: Clean ‘wp-content’ and ‘wp-config.php’

You now need to inspect the contents of the ‘wp-content’ folder and ‘wp-config.php’ file. Start with ‘wp-config.php’ by downloading it and opening it on your computer or editing it within your host’s cPanel.

Skim through the file to look for any lines of code that should not be there. Malware usually looks like senseless strings of letters and numbers, but it can also resemble real WordPress code. To be doubly sure your ‘wp-config.php’ file is clean, compare it to the ‘wp-config-sample.php’ file template.

When done, navigate to the ‘wp-content’ folder, which should contain ‘plugins’, ‘themes’, and ‘uploads’ folders as well as a file named ‘index.php’. Go into the ‘plugins’ folder and make a note of all plugins you had installed on your WordPress site. When finished, delete the entire ‘plugins’ folder as well as the ‘index.php’ file.

Next, do the same for the ‘themes’ folder. If you do not have a backup of the themes you were using and cannot download them from the developer anymore, you will need to check the theme files manually for malware code.

However, if this is not an issue, you can delete the entire ‘themes’ folder after noting which themes you had installed.

In the ‘uploads’ folder, you’ll need to check through the list of files to make sure that there is nothing that you did not upload. Files ending in ‘.php’ should be especially suspect. If you have a recent pre-hack backup of your site, the safest thing you can do is delete the entire ‘uploads’ folder and restore your uploaded content from the backup after re-installing WordPress.
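The two checks in this step can be scripted against a downloaded copy of the site. The following is an added example, not code from the original article: the function names are hypothetical, the extension list is an assumption that goes beyond the ‘.php’ named above, and the sample file contents are constructed.

```python
import os
import re

# define('NAME', <literal>); lines differ from the template only in their value,
# so they are compared by constant name; anything else must match exactly.
DEFINE = re.compile(r"""^define\(\s*['"](\w+)['"]\s*,\s*(?:'[^']*'|"[^"]*"|\w+)\s*\);$""")
# Assumption of this example: flag other PHP-executable extensions too.
PHP_EXTS = (".php", ".php5", ".phtml", ".phar")

def _key(line):
    line = line.strip()
    m = DEFINE.match(line)
    return "define:" + m.group(1) if m else line

def config_lines_to_review(config_text, sample_text):
    """Return (line_no, text) for wp-config.php lines with no counterpart in the sample."""
    known = {_key(l) for l in sample_text.splitlines()}
    return [(n, l.strip()) for n, l in enumerate(config_text.splitlines(), 1)
            if l.strip() and _key(l) not in known]

def suspicious_uploads(uploads_dir):
    """Return sorted (relative_path, reason) for files that do not belong in uploads."""
    hits = []
    for root, _dirs, files in os.walk(uploads_dir):
        for name in files:
            path = os.path.join(root, name)
            rel = os.path.relpath(path, uploads_dir)
            if name.lower().endswith(PHP_EXTS):
                hits.append((rel, "PHP file extension"))
                continue
            with open(path, "rb") as fh:  # first 1 MiB is enough for a tag check
                if b"<?php" in fh.read(1 << 20).lower():
                    hits.append((rel, "PHP open tag inside non-PHP file"))
    return sorted(hits)

# Constructed sample input (not from a real site).
SAMPLE = """<?php
define( 'DB_NAME', 'database_name_here' );
$table_prefix = 'wp_';
"""
CONFIG = """<?php
define( 'DB_NAME', 'shop_prod' );
@include "/tmp/constructed-example.ico";
$table_prefix = 'wp_';
"""

if __name__ == "__main__":
    print(config_lines_to_review(CONFIG, SAMPLE))
```

Every line the config check returns still needs a human decision: legitimate customizations you added yourself will be listed alongside injected code.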

Step 6: Install a Clean Version of WordPress

Next, you need to re-install WordPress on your website. Visit to download the latest version of WordPress and then upload it to your site’s server in the ‘public_html’ folder using an FTP client. Visit your website in your web browser to complete the WordPress installation.

You should now have a malware-free WordPress website again. The first thing you need to do to prevent your website from future attacks is to immediately change the password you use to access your WordPress dashboard.

To do this, go to your account name in the upper right corner, click ‘Edit my profile’, and find the ‘Account Management’ section at the bottom of the page. Create a strong new password that cannot be easily guessed, then click ‘Update Profile’.

Depending on what files you deleted from your ‘wp-content’ folder, you are likely missing most of your themes, plugins, and content. To remedy this, start by installing any themes and plugins that you deleted by navigating to ‘Appearance > Themes’ and ‘Plugins > Add New’ from your dashboard menu.

If you have any theme files from your WordPress backup, you can upload them directly to your site through your host’s cPanel.

Step 7: Remove Browser Warnings

Chances are that Google and other search engines or browsers detected the malware on your site and have been warning visitors to stay away. To remove these warnings, you’ll need to create an account on or log in to your account at Google Webmaster Tools. Find or add your website, and then navigate to ‘Health > Malware > Request a Review’.

How to Scan WordPress for Malware

It’s a good idea to frequently scan WordPress for malware so you can detect any problems early, as well as decide if a malware attack is localized enough that you don’t need to go through the full WordPress re-installation described above.

There are a number of tools, such as SiteCheck, that allow you to scan your website remotely, as well as WordPress plugins such as VaultPress, MalCare, and others that scan your website for malware.

In addition, if Google or another search engine flagged your site for malware, you can use their tools to scan WordPress for malware.

For Google, visit its Transparency Report website and enter your site’s URL. The site will then display information about what files Google identified as containing malware.

WordPress Malware Removal: Prevention Is Easier

No website owner ever wants to find out that their website has been hacked and planted with malware. Thankfully, WordPress malware removal is relatively straightforward, especially if you have a recent clean backup of your website.

However, prevention is always easier - so make sure to regularly scan your WordPress site for malware.

Did this article help you learn how to remove malware manually from your WordPress site? Let me know in the comments below!
