Finding out that your WordPress site has been hacked can make your stomach drop.
Not only could a hacker with access to your site steal information or make changes to your content, but they could also leave malware that gives them a backdoor into your website in the future.
That's why learning the skills of WordPress malware removal is so important if you own a WordPress-based website.
Today, I’ll walk you through how to remove malware manually from a hacked WordPress site so that you can be sure your site is clean and safe:
- Step 1: Backup your WordPress site
- Step 2: Check your computer for malware
- Step 3: Change your server password
- Step 4: Delete old WordPress files
- Step 5: Clean ‘wp-content’ and ‘wp-config.php’
- Step 6: Install a clean version of WordPress
- Step 7: Remove browser warnings
- Additional step: Scan your WordPress website for malware
Step 1: Backup Your WordPress Site
Hopefully, you already have a clean backup of your WordPress site from before your site was hacked. Either way, make a fresh backup of the files and the database as soon as you know a hack has happened, and label it clearly as the infected copy: it preserves the evidence of how the attacker got in, and you may need to recover content from it later. Just be sure not to overwrite any existing backups, since the older ones may be your only clean copy.
The easiest way to backup your site is to use a WordPress backup plugin, such as BackupBuddy or Duplicator. Additionally, check out our tutorial on how to backup a WordPress database for more information. If you don’t have an existing backup and can’t login to your site, you can try to recover your site’s content from the Internet Archive’s Wayback Machine (Google no longer serves cached copies of pages).
Step 2: Check Your Computer for Malware
One way WordPress sites get hacked is through your own computer: information-stealing malware picked up elsewhere on the Internet harvests the FTP, hosting and WordPress passwords saved in your browser or FTP client and hands them to the attacker. (The other common routes are outdated or vulnerable plugins and themes, and weak or reused passwords, which later steps deal with.) As long as your computer has malware on it, every password you reset will be stolen again and your website can be hacked repeatedly, so removing malware from WordPress first would be a wasted effort.
There are a huge variety of tools available to scan your computer for viruses and malware. Tools like Malwarebytes, Bitdefender, and others should catch the common credential stealers and allow you to remove them.
Often, it’s a good idea to use multiple scanners to be certain you’ve caught any locations on your computer where malware might be hidden, and to scan every computer that has been used to log in to the site, not just your own.
Step 3: Change Your Server Password
The next step in WordPress malware removal is to change every password that grants access to your site’s server: the hosting account or control panel login, the FTP/SFTP account, and the database user named in ‘wp-config.php’ (update the DB_PASSWORD line to match). This can typically be done by visiting your host and accessing your profile information. Make sure that you choose a strong, unique password for each that cannot be easily guessed by a potential attacker, and store them in a password manager rather than in your FTP client.
Step 4: Delete Old WordPress Files
Login to your host’s cPanel or connect to your site with an SFTP client (using your new password; avoid plain FTP, which sends the password across the network unencrypted) and navigate to the folder where you installed WordPress.
For most users, this will be the folder named ‘public_html’. Turn on ‘show hidden files’ in the file manager or client so that files whose names start with a dot, such as ‘.htaccess’, are visible.
Within this folder, you should see a variety of files related to WordPress. Delete all files and folders that start with ‘wp-‘, except for the folder named ‘wp-content’ and the file named ‘wp-config.php’. You should also delete the files named ‘index.php’, ‘license.txt’, ‘readme.html’, and ‘xmlrpc.php’. Then look at whatever is left: a stock WordPress install has nothing else at this level, so any other file or folder (attackers like innocent-looking names such as ‘cache.php’ or a random string) did not come from WordPress.org and should be deleted unless you put it there. Finally, open ‘.htaccess’; attackers often add redirect rules to it, and the default WordPress version contains only the ‘# BEGIN WordPress’ rewrite block, so replace it with that block if you see anything else.
Step 5: Clean ‘wp-content’ and ‘wp-config.php’
You now need to inspect the contents of the ‘wp-content’ folder and the ‘wp-config.php’ file. Start with ‘wp-config.php’ by downloading it and opening it on your computer or editing it within your host’s cPanel.
Skim through the file to look for any lines of code that should not be there. Injected malware usually shows up as long, meaningless strings of letters and numbers handed to functions such as eval(), base64_decode(), gzinflate() or str_rot13(), but it can also be written to resemble real WordPress code, so read every line. A clean ‘wp-config.php’ consists almost entirely of define() calls, the ‘$table_prefix’ line, and the require_once of ‘wp-settings.php’ at the bottom; anything else, especially above the opening comment or after that last line, deserves scrutiny. To be doubly sure your ‘wp-config.php’ file is clean, compare it line by line to the ‘wp-config-sample.php’ template, and while you are there confirm that the DB_PASSWORD matches the database password you set in Step 3.
When done, navigate to the ‘wp-content’ folder, which should contain ‘plugins’, ‘themes’, and ‘uploads’ folders as well as a file named ‘index.php’. Go into the ‘plugins’ folder and make a note of all plugins you had installed on your WordPress site; a plugin folder you do not recognise, or one with no matching listing on WordPress.org or the vendor’s site, is itself a finding. When finished, delete the entire ‘plugins’ folder as well as the ‘index.php’ file.
Next, do the same for the ‘themes’ folder. If you do not have a backup of the themes you were using and cannot download them from the developer anymore, you will need to check the theme files manually for malware code, paying particular attention to ‘functions.php’ and ‘header.php’, which run on every page load.
However, if this is not an issue, you can delete the entire ‘themes’ folder after noting which themes you had installed.
In the ‘uploads’ folder, you’ll need to check through the list of files to make sure that there is nothing that you did not upload. Files ending in ‘.php’ (or variants such as ‘.phtml’ and ‘.php5’, or double extensions like ‘image.jpg.php’) should be especially suspect, since WordPress never writes PHP into ‘uploads’. Also look for a stray ‘.htaccess’ inside ‘uploads’, which attackers use to make the server execute PHP hidden in files with image extensions. If you have a recent pre-hack backup of your site, the safest thing you can do is delete the entire ‘uploads’ folder and restore your uploaded content from the backup after re-installing WordPress.
Step 6: Install a Clean Version of WordPress
Next, you need to re-install WordPress on your website. Visit WordPress.org to download the latest version of WordPress, extract it, and upload the contents to your site’s server in the ‘public_html’ folder using an SFTP client. Do not copy core files from your old backup, since you cannot be sure they are clean. If your host gives you shell access, WP-CLI’s ‘wp core verify-checksums’ command will compare every core file against the hashes published by WordPress.org and confirm nothing was tampered with during the upload. Visit your website in your web browser to complete the WordPress installation.
Your files are now malware-free, but remember that the database was not reinstalled, and malware can live there too. The first thing you need to do to prevent your website from future attacks is to immediately change the password you use to access your WordPress dashboard.
To do this, go to your account name in the upper right corner, click ‘Edit my profile’, and find the ‘Account Management’ section at the bottom of the page. Create a strong new password that cannot be easily guessed, click ‘Update Profile’, and then use the ‘Log Out Everywhere Else’ button in the ‘Sessions’ section of the same page so that any session the attacker still holds is ended. Next, go to ‘Users’ and delete any administrator account you do not recognise, and reset the passwords of the accounts you keep. Attackers also inject script tags into posts, widgets and theme settings, so search your content for ‘<script’ and ‘<iframe’ pointing at domains you don’t know.
Depending on what files you deleted from your ‘wp-content’ folder, you are likely missing most of your themes, plugins, and content. To remedy this, start by installing fresh copies of any themes and plugins that you deleted by navigating to ‘Appearance > Themes’ and ‘Plugins > Add New’ from your dashboard menu, and install only the ones you actually use.
If you have theme files from a WordPress backup taken before the hack, you can upload them directly to your site through your host’s cPanel; theme files from a backup taken after the compromise must first be checked for malware as described in Step 5.
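Changing the dashboard password on its own does not log the attacker out: WordPress authentication cookies are signed with the eight secret keys and salts in ‘wp-config.php’, so a cookie stolen during the hack stays valid until those values change. The script below is an added example, not part of the original article or of WordPress: it rewrites every salt define() in a ‘wp-config.php’ with a fresh random value and appends any salt key that is missing, so no key is left at the placeholder text. The sample configuration text it operates on is constructed for the example; the define() names are WordPress’s own.

```python
import re
import secrets
import string

SALT_KEYS = (
    "AUTH_KEY", "SECURE_AUTH_KEY", "LOGGED_IN_KEY", "NONCE_KEY",
    "AUTH_SALT", "SECURE_AUTH_SALT", "LOGGED_IN_SALT", "NONCE_SALT",
)

# Printable ASCII minus the characters that would need escaping inside a
# single-quoted PHP string, so the value can be dropped in unchanged.
ALPHABET = "".join(
    c for c in string.ascii_letters + string.digits + string.punctuation
    if c not in "'\"\\"
)

# Matches define( 'NAME', 'value' ); with any spacing, allowing escaped quotes.
DEFINE_RE = re.compile(r"define\(\s*'(?P<key>[A-Z_]+)'\s*,\s*'(?P<val>(?:[^'\\]|\\.)*)'\s*\);")


def new_salt(length=64):
    """Cryptographically random salt of the requested length."""
    return "".join(secrets.choice(ALPHABET) for _ in range(length))


def rotate_salts(config_text):
    """Return (new_config_text, rotated_keys). Every salt define() gets a fresh
    value; salt keys absent from the file are inserted above $table_prefix."""
    seen = set()

    def replace(match):
        key = match.group("key")
        if key not in SALT_KEYS:
            return match.group(0)          # leave DB_NAME etc. untouched
        seen.add(key)
        return f"define( '{key}', '{new_salt()}' );"

    text = DEFINE_RE.sub(replace, config_text)
    missing = [k for k in SALT_KEYS if k not in seen]
    if missing:
        block = "\n".join(f"define( '{k}', '{new_salt()}' );" for k in missing)
        if "$table_prefix" in text:
            text = text.replace("$table_prefix", block + "\n$table_prefix", 1)
        else:
            text = text.rstrip("\n") + "\n" + block + "\n"
    return text, sorted(seen | set(missing))


def extract_salts(config_text):
    """Map each salt key to its current value, for checking the result."""
    return {m.group("key"): m.group("val")
            for m in DEFINE_RE.finditer(config_text) if m.group("key") in SALT_KEYS}


# Constructed sample: placeholder salts as shipped in wp-config-sample.php, with
# NONCE_SALT deliberately missing to exercise the insertion path.
SAMPLE_CONFIG = """<?php
define( 'DB_NAME', 'wp' );
define( 'AUTH_KEY',         'put your unique phrase here' );
define( 'SECURE_AUTH_KEY',  'put your unique phrase here' );
define( 'LOGGED_IN_KEY',    'put your unique phrase here' );
define( 'NONCE_KEY',        'put your unique phrase here' );
define( 'AUTH_SALT',        'put your unique phrase here' );
define( 'SECURE_AUTH_SALT', 'put your unique phrase here' );
define( 'LOGGED_IN_SALT',   'put your unique phrase here' );
$table_prefix = 'wp_';
require_once ABSPATH . 'wp-settings.php';
"""

if __name__ == "__main__":
    rotated_text, keys = rotate_salts(SAMPLE_CONFIG)
    print("rotated:", ", ".join(keys))
    print(rotated_text)
```

Run it against a copy of your real ‘wp-config.php’, upload the result, and every user, the attacker included, is logged out and must sign in again with the new passwords. The same effect can be had by pasting fresh values from the WordPress.org secret-key service into the file by hand; the script just makes the step repeatable and guarantees none of the eight keys is forgotten.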
Step 7: Remove Browser Warnings
Chances are that Google and other search engines or browsers detected the malware on your site and have been warning visitors to stay away. To remove these warnings, you’ll need to create an account on or log in to Google Search Console (formerly Google Webmaster Tools). Find or add your website, open ‘Security & Manual Actions > Security issues’, confirm that every URL listed there now serves clean content, and then click ‘Request review’. Reviews can take several days, and a request submitted while any infected page remains will be rejected, so only submit it once the clean-up is finished.
How to Scan WordPress for Malware
It’s a good idea to frequently scan WordPress for malware so you can detect any problems early. A scan can also help you judge whether an incident is small enough that you don’t need the full re-installation described above, but be cautious here: if a backdoor was able to run PHP on your server, the attacker could have touched anything, and a full rebuild from known-good sources is the only way to be sure.
In addition, if Google or another search engine flagged your site for malware, you can use their tools to see what they found.
For Google, visit its Transparency Report website, open the Safe Browsing site status page and enter your site’s URL. It will tell you whether the site is currently flagged and what kind of harm Google detected; the list of specific URLs and the injected code samples is in the ‘Security issues’ report in Google Search Console.
WordPress Malware Removal: Prevention Is Easier
No website owner ever wants to find out that their website has been hacked and planted with malware. Thankfully, WordPress malware removal is relatively straightforward, especially if you have a recent clean backup of your website.
However, prevention is always easier - so make sure to regularly scan your WordPress site for malware, keep core, themes and plugins updated (and remove the ones you don’t use), and give every account a strong, unique password with only the role it needs.
Did this article help you learn how to remove malware manually from your WordPress site? Let me know in the comments below!