AI QA Monkey

WordPress Malware Removal: Step-by-Step Cleanup Guide

A hacked WordPress site can destroy your SEO rankings, infect your visitors, and get your domain blacklisted by Google. The good news: most WordPress malware infections can be cleaned manually if you follow a systematic approach.

This guide walks you through the complete cleanup process — from identifying the infection to hardening your site against future attacks.

Signs Your WordPress Site Is Hacked

  • Unexpected redirects — visitors are sent to spam, pharma, or gambling sites
  • Unknown admin users — new accounts you didn't create in wp-admin
  • Google warnings — "This site may be hacked" or "Deceptive site ahead" in search results
  • Spam content injected — hidden links or text in your pages (pharma hack)
  • Modified files — core files like wp-login.php or index.php have been altered
  • Unknown files — PHP files in wp-content/uploads/ or random directories
  • Slow performance — server resources consumed by crypto miners or spam bots
  • Email blacklisting — your server is sending spam emails

Step 1: Backup Everything

Before making any changes, take a full copy of the files and the database exactly as they are now. This is an evidence snapshot of the infected state, not something you will restore from:

# Backup all WordPress files (tar preserves ownership and timestamps, which matter for the investigation)
tar -czf ~/wp-backup-$(date +%Y%m%d).tar.gz /var/www/html/

# Backup the database (--single-transaction dumps InnoDB tables without locking the live site)
mysqldump -u root -p --single-transaction wordpress_db > ~/db-backup-$(date +%Y%m%d).sql

Important: keep this backup outside the web root and separate from your clean files, and label it as infected so nobody restores it by mistake. You may need it to recover content or to investigate the infection vector. Copy the web server's access and error logs at the same time; they are usually the only record of how the attacker got in and of which file they requested first.

Step 2: Replace Core Files

Download a fresh copy of WordPress and replace all core files. Do not replace wp-content/ or wp-config.php. Note that copying a clean release over the top only fixes core files the attacker modified; extra files dropped into wp-admin/ or wp-includes/ survive the copy, which is why the checksum verification at the end is not optional.

# Download fresh WordPress (compare the archive against https://wordpress.org/latest.tar.gz.sha1 before unpacking)
cd /tmp
wget https://wordpress.org/latest.tar.gz
tar -xzf latest.tar.gz

# Replace core files (NOT wp-content or wp-config.php).
# This also upgrades the site to the latest release; if the version changed,
# run `wp core update-db` afterwards. Files written by rsync keep the ownership
# of the user running it, so restore the web server user's ownership if your stack needs it.
rsync -a --exclude='wp-content' --exclude='wp-config.php' /tmp/wordpress/ /var/www/html/

# Verify file integrity. Modified core files are reported, and files inside
# wp-admin/ or wp-includes/ that are not part of the release are flagged as
# "should not exist": delete those. WP-CLI refuses to run as root unless you
# add --allow-root; better to run it as the site user.
wp core verify-checksums --path=/var/www/html/

Step 3: Scan for Backdoors

Search for common malware patterns in your files. Step 2 just rewrote every core file, so a modification-time search is only meaningful under wp-content/ now (or run it before Step 2). Attackers routinely reset mtime with touch; ctime cannot be reset that way, so check both:

# Find recently modified PHP files (last 7 days) outside core
find /var/www/html/wp-content/ -name "*.php" \( -mtime -7 -o -ctime -7 \) -ls

# Search for common backdoor functions
grep -rn "base64_decode\|eval(\|exec(\|system(\|passthru(\|shell_exec(" \
  /var/www/html/wp-content/ --include="*.php"

# Find PHP files in uploads directory (should not exist; include .php5/.phtml variants)
find /var/www/html/wp-content/uploads/ \( -iname "*.php*" -o -iname "*.phtml" \) -ls

# Search for obfuscated code patterns
grep -rn "\\\\x[0-9a-f]\{2\}\|chr(\|gzinflate(\|str_rot13(" \
  /var/www/html/wp-content/ --include="*.php"

# Find files with suspicious permissions
find /var/www/html/ -type f -perm -o+w -ls

Treat a hit as a lead, not a verdict: well-known plugins legitimately call base64_decode() or eval() and will show up in these greps. Compare a flagged file with the same file in a fresh copy of the plugin or theme from its original source; delete it if it does not exist in the original, and reinstall the plugin in Step 4 if it differs. Also check what the greps above skip: wp-config.php itself, every .htaccess (attackers use them for redirects and to map image extensions to PHP), and non-PHP files such as .ico or .txt under wp-content/ that a small loader include()s.
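The greps above are quick but noisy. As an added example, not code from the original guide or from AI QA Monkey, the following script folds the same indicators (plus a few that matter in practice, such as an .htaccess that maps image extensions to PHP) into a weighted score and prints the worst files first. It assumes GNU find and grep, takes the web root as its first argument (default /var/www/html), and the weights are the editor's judgement rather than a published signature set. It deletes nothing; run it with --demo to watch it score a constructed sample tree.

```shell
#!/bin/sh
# Added example (editor's code, not from the original guide or AI QA Monkey):
# rank PHP files under a WordPress tree by backdoor indicators so the worst
# files get reviewed first. Assumes GNU find/grep. Weights are a judgement
# call: a lone base64_decode() is common in legitimate plugins; eval() fed
# from $_POST, or PHP sitting under uploads/, is not. Nothing is deleted.
set -u

# One indicator per line: "<weight> <extended regex>". No literal spaces in
# the regex part (use [[:space:]]), because each line is split on whitespace.
WP_INDICATORS='8 (eval|assert)[[:space:]]*\(.*\$_(GET|POST|REQUEST|COOKIE|SERVER)
6 eval[[:space:]]*\(
6 (assert|create_function)[[:space:]]*\(
5 \$[A-Za-z_][A-Za-z0-9_]*[[:space:]]*\([[:space:]]*\$_(GET|POST|REQUEST|COOKIE)
5 (AddHandler|AddType)[[:space:]]+application/x-httpd-php
4 (system|passthru|shell_exec|popen|proc_open)[[:space:]]*\(
4 (gzinflate|gzuncompress|str_rot13)[[:space:]]*\([[:space:]]*base64_decode
3 base64_decode[[:space:]]*\(
3 (\\x[0-9a-fA-F]{2}){4,}
2 (chr\([0-9]+\)[[:space:]]*\.[[:space:]]*){3,}'

wp_score_file() {  # usage: wp_score_file FILE -> prints an integer score
  local file="$1" score=0 weight pattern hits
  while read -r weight pattern; do
    [ -n "$pattern" ] || continue
    hits=$(grep -caE -- "$pattern" "$file" 2>/dev/null || true)  # number of matching lines
    score=$(( score + weight * ${hits:-0} ))
  done <<EOF
$WP_INDICATORS
EOF
  # Placement is an indicator in itself: PHP under uploads/ has no business existing.
  case "$file" in
    */wp-content/uploads/*.php*|*/wp-content/uploads/*.phtml) score=$(( score + 10 )) ;;
  esac
  echo "$score"
}

wp_scan() {  # usage: wp_scan [WEBROOT] [MIN_SCORE] -> "score<TAB>path" lines, worst first
  local root="${1:-/var/www/html}" min="${2:-3}" f s
  find "$root" -type f \( -iname '*.php*' -o -iname '*.phtml' -o -name '.htaccess' \) -print |
  while IFS= read -r f; do
    s=$(wp_score_file "$f")
    if [ "$s" -ge "$min" ]; then printf '%s\t%s\n' "$s" "$f"; fi
  done | sort -rn
}

wp_demo() {  # scans a constructed sample tree (all four files below are made up)
  local d
  d=$(mktemp -d)
  mkdir -p "$d/wp-content/uploads/2024/01" "$d/wp-content/plugins/legit"
  # constructed backdoor: attacker-controlled input reaches eval()
  printf '<?php @eval(base64_decode($_POST["c"]));\n' > "$d/wp-content/uploads/2024/01/wp-cache.php"
  # constructed .htaccess that makes .jpg uploads execute as PHP
  printf 'AddHandler application/x-httpd-php .jpg\n' > "$d/wp-content/uploads/.htaccess"
  # constructed legitimate plugin file: one base64_decode() of a bundled icon
  printf '<?php echo base64_decode("iVBORw0KGgo=");\n' > "$d/wp-content/plugins/legit/icons.php"
  # constructed template with no indicators at all
  printf '<?php get_header(); the_content();\n' > "$d/wp-content/plugins/legit/tpl.php"
  wp_scan "$d" 1
  rm -rf "$d"
}

case "${1:-}" in
  --demo) wp_demo ;;
  "")     : ;;                            # sourced: only defines the functions
  *)      wp_scan "$1" "${2:-3}" ;;
esac
```

In the demo the uploaded backdoor scores 27 (eval fed from $_POST, eval itself, base64_decode, and the uploads placement), the .htaccess 5, and the legitimate icon file only 3, which is the point: review from the top of the list and stop arguing with the plugin author about base64_decode().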

Step 4: Clean Plugins & Themes

  1. Delete all unused themes and plugins — even deactivated ones can contain backdoors, and their files are still reachable over HTTP
  2. Reinstall active plugins from wordpress.org or the vendor's site; never copy them back from the infected backup (plugins from wordpress.org can be checked with WP-CLI's plugin verify-checksums command)
  3. Reinstall your active theme from the original source; for a child theme, reinstall the parent and review the child's files by hand
  4. Check for nulled/pirated plugins — these are the #1 malware vector
  5. Look in wp-content/mu-plugins/ as well: anything there loads on every request and cannot be deactivated from the dashboard

# List all plugins and check for unknown ones. Compare with a directory
# listing of wp-content/plugins/: a backdoor dropped as a bare PHP file has
# no plugin header and does not appear in the list.
wp plugin list --path=/var/www/html/
ls -la /var/www/html/wp-content/plugins/ /var/www/html/wp-content/mu-plugins/

# Reinstall a plugin from wordpress.org (--force overwrites the installed copy)
wp plugin install akismet --force --path=/var/www/html/

# Delete an unknown plugin
wp plugin delete suspicious-plugin --path=/var/www/html/

Step 5: Clean the Database

Malware often injects scripts into post content or options, or creates rogue admin accounts. The queries below assume the default wp_ table prefix; check $table_prefix in wp-config.php and adjust both the table names and the capabilities meta_key (it is <prefix>capabilities) if yours differs:

# Find injected scripts and iframes in posts. No post_type filter on purpose:
# revisions are checked too, because restoring an infected revision re-infects a cleaned post.
SELECT ID, post_type, post_title FROM wp_posts
WHERE post_content LIKE '%<script%'
   OR post_content LIKE '%<iframe%'
   OR post_content LIKE '%eval(%'
   OR post_content LIKE '%base64_decode%';

# Check for rogue admin users; compare against the people who should have access
SELECT wp_users.ID, user_login, user_email, user_registered FROM wp_users
JOIN wp_usermeta ON wp_users.ID = wp_usermeta.user_id
WHERE wp_usermeta.meta_key = 'wp_capabilities'
  AND wp_usermeta.meta_value LIKE '%administrator%';

# Check options for injected code and redirects: siteurl/home are a common
# target, active_plugins reveals an unknown plugin, and widgets or plugin
# settings can carry script tags
SELECT option_name, option_value FROM wp_options
WHERE option_name IN ('siteurl', 'home', 'active_plugins')
   OR option_value LIKE '%<script%'
   OR option_value LIKE '%<iframe%';

# Remove spam links from post content. The tag must match exactly, so copy it
# from the SELECT output above rather than retyping it (the domain here is a placeholder).
UPDATE wp_posts SET post_content =
  REPLACE(post_content, '<script src="http://malware-domain.com/evil.js"></script>', '')
WHERE post_content LIKE '%malware-domain.com%';

Do not use REPLACE on serialized option values (those starting with a:, s: or O:): the embedded length prefixes no longer match afterwards and WordPress silently discards the option. Use WP-CLI's search-replace command, which understands serialization, or fix those from the dashboard. Purge any page or object cache when you are done, or visitors keep receiving the cached infected pages.

Step 6: Reset All Credentials

Do this only after the files and database are clean; a password changed while a backdoor is still running is captured again immediately.

  1. Change all WordPress admin passwords, and every other user's password if you cannot rule out that the users table was read
  2. Regenerate security keys in wp-config.php — get new keys from the WordPress Salt Generator
  3. Change the database password and update DB_PASSWORD in wp-config.php
  4. Change FTP/SSH passwords, and replace any SSH keys that lived on the server
  5. Change the hosting panel password
  6. Revoke application passwords and rotate API keys stored in plugin settings (SMTP, payment, backup plugins)
  7. Revoke all active sessions: the new keys and salts below invalidate every existing login cookie, so all users must log in again

# Replace the eight existing define() lines in wp-config.php with fresh values
# from https://api.wordpress.org/secret-key/1.1/salt/ (paste the generator's
# output verbatim; the placeholders below are not usable keys)
define('AUTH_KEY',         'generate-new-key-here');
define('SECURE_AUTH_KEY',  'generate-new-key-here');
define('LOGGED_IN_KEY',    'generate-new-key-here');
define('NONCE_KEY',        'generate-new-key-here');
define('AUTH_SALT',        'generate-new-key-here');
define('SECURE_AUTH_SALT', 'generate-new-key-here');
define('LOGGED_IN_SALT',   'generate-new-key-here');
define('NONCE_SALT',       'generate-new-key-here');
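Pasting eight lines by hand is where this step usually goes wrong (one key left as a placeholder, a quote lost). As an added example, not code from the original guide or from AI QA Monkey, the script below generates the keys locally from /dev/urandom, rewrites the define() lines in place, keeps a copy of the old file outside the web root, and verifies that all eight keys are present, rotated, and at least 64 characters long. It assumes the stock single-quoted layout shown above; the backup directory and the --demo sample wp-config.php are the editor's assumptions.

```shell
#!/bin/sh
# Added example (editor's code, not from the original guide or AI QA Monkey):
# rotate the eight keys and salts in wp-config.php offline, without fetching
# them from api.wordpress.org, and verify the result. Assumes /dev/urandom and
# define() lines in the stock layout:  define('AUTH_KEY', '...');
set -u

WP_SALT_NAMES='AUTH_KEY SECURE_AUTH_KEY LOGGED_IN_KEY NONCE_KEY AUTH_SALT SECURE_AUTH_SALT LOGGED_IN_SALT NONCE_SALT'

wp_new_salt() {  # 64 random printable chars; the set excludes ' \ & | and $ so the value is safe inside a PHP single-quoted string and in the sed replacement below
  LC_ALL=C tr -dc 'A-Za-z0-9!@#%^*()_+=<>?,.:;{}~' < /dev/urandom | head -c 64
}

wp_check_salts() {  # usage: wp_check_salts wp-config.php -> "ok", or the names that are missing, still placeholders, or short
  local cfg="$1" name value bad=''
  for name in $WP_SALT_NAMES; do
    value=$(sed -n "s|^[[:space:]]*define( *'$name', *'\([^']*\)' *);.*|\1|p" "$cfg")
    case "$value" in
      ''|*'put your unique phrase here'*|*generate-new-key-here*) bad="$bad $name" ;;
      *) [ ${#value} -ge 64 ] || bad="$bad $name" ;;
    esac
  done
  if [ -z "$bad" ]; then echo ok; else echo "weak or missing:$bad"; return 1; fi
}

wp_rotate_salts() {  # usage: wp_rotate_salts wp-config.php [BACKUP_DIR]; the old copy must not stay in the web root, where Apache would serve it as plain text
  local cfg="$1" bdir="${2:-${HOME:-/root}}" name value tmp backup
  [ -f "$cfg" ] || { echo "no such file: $cfg" >&2; return 1; }
  [ -d "$bdir" ] || mkdir -p "$bdir"
  backup="$bdir/wp-config.php.bak-$(date +%Y%m%d%H%M%S)"
  cp -p "$cfg" "$backup"
  tmp=$(mktemp)
  cp "$cfg" "$tmp"
  for name in $WP_SALT_NAMES; do
    # Refuse to leave a key silently unrotated if its line is missing or laid out unexpectedly
    grep -q "^[[:space:]]*define( *'$name', *'[^']*' *);" "$tmp" || {
      echo "cannot find define('$name', '...'); in $cfg" >&2; rm -f "$tmp"; return 1; }
    value=$(wp_new_salt)
    sed "s|^\([[:space:]]*\)define( *'$name', *'[^']*' *);|\1define('$name', '$value');|" "$tmp" > "$tmp.new"
    mv "$tmp.new" "$tmp"
  done
  cat "$tmp" > "$cfg"   # write in place so the owner and mode of wp-config.php are kept
  rm -f "$tmp"
  echo "rotated 8 keys in $cfg, previous copy in $backup"
}

wp_demo_rotate() {  # constructed wp-config.php in a temp dir, rotated and checked; prints ok or fail
  local d result=fail
  d=$(mktemp -d)
  mkdir -p "$d/site" "$d/backup"
  cat > "$d/site/wp-config.php" <<'EOF'
<?php
define( 'DB_NAME', 'wordpress_db' );
define('AUTH_KEY',         'generate-new-key-here');
define('SECURE_AUTH_KEY',  'generate-new-key-here');
define('LOGGED_IN_KEY',    'generate-new-key-here');
define('NONCE_KEY',        'generate-new-key-here');
define('AUTH_SALT',        'generate-new-key-here');
define('SECURE_AUTH_SALT', 'generate-new-key-here');
define('LOGGED_IN_SALT',   'generate-new-key-here');
define('NONCE_SALT',       'generate-new-key-here');
$table_prefix = 'wp_';
EOF
  if [ "$(wp_check_salts "$d/site/wp-config.php" || true)" != ok ] \
     && wp_rotate_salts "$d/site/wp-config.php" "$d/backup" >/dev/null \
     && [ "$(wp_check_salts "$d/site/wp-config.php")" = ok ] \
     && grep -q "'DB_NAME'" "$d/site/wp-config.php" \
     && ls "$d/backup"/wp-config.php.bak-* >/dev/null 2>&1; then
    result=ok
  fi
  rm -rf "$d"
  echo "$result"
}

case "${1:-}" in
  --demo) wp_demo_rotate ;;
  "")     : ;;                            # sourced: only defines the functions
  *)      wp_rotate_salts "$1" "${2:-}" && wp_check_salts "$1" ;;
esac
```

Rotating the keys invalidates every login cookie, which covers item 7 above; the session tokens WordPress stores in usermeta can additionally be wiped with wp user session destroy --all, and passwords reset with wp user update &lt;login&gt; --user_pass=... so the new ones never pass through a browser on a machine you do not trust.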

Step 7: Harden Your Site

# Set correct file permissions. 440 on wp-config.php only works if PHP runs as
# the file's owner or group (e.g. php-fpm as www-data and the file owned by
# www-data); otherwise use 640 with the web server user as the group.
find /var/www/html/ -type f -exec chmod 644 {} \;
find /var/www/html/ -type d -exec chmod 755 {} \;
chmod 440 /var/www/html/wp-config.php

# Block PHP execution in uploads. This is Apache 2.4 syntax and needs
# AllowOverride enabled for the directory; nginx ignores .htaccess entirely
# and needs an equivalent location block that returns 403 for PHP under
# /wp-content/uploads/. The pattern also covers .phtml and .php5-style names.
cat > /var/www/html/wp-content/uploads/.htaccess << 'EOF'
<FilesMatch "\.(php|phtml|php[0-9])$">
  Require all denied
</FilesMatch>
EOF

# Add security constants to wp-config.php, above the "That's all, stop editing!" line
define('DISALLOW_FILE_EDIT', true);    // Disable theme/plugin editor
define('DISALLOW_FILE_MODS', true);    // Disable plugin/theme installs and updates from wp-admin (update with WP-CLI instead)
define('WP_DEBUG', false);             // Disable debug output
define('WP_DEBUG_DISPLAY', false);     // Never display errors
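Hardening that is not re-checked quietly erodes: a deployment restores a world-readable wp-config.php, a migration plugin leaves wp-config.php.bak in the web root, the uploads .htaccess is lost. As an added example, not code from the original guide or from AI QA Monkey, the script below audits exactly what Step 7 sets, plus leftover copies of wp-config.php, and returns the number of failed checks so it can run from cron or CI. It assumes the same /var/www/html layout; the --demo trees are constructed by the editor.

```shell
#!/bin/sh
# Added example (editor's code, not from the original guide or AI QA Monkey):
# audit the hardening from Step 7 on a WordPress web root. Prints one line per
# check and returns the number of failures, so a non-zero exit can page someone.
set -u

wp_audit() {  # usage: wp_audit WEBROOT
  local root="$1" cfg="$1/wp-config.php" up="$1/wp-content/uploads" fails=0 item name want
  _check() {  # _check DESCRIPTION COMMAND...: the command's exit status decides
    local desc="$1"; shift
    if "$@"; then echo "ok   $desc"; else echo "FAIL $desc"; fails=$((fails + 1)); fi
  }
  _check "wp-config.php exists" test -f "$cfg"
  # The four constants from Step 7, each with the value it is supposed to have
  for item in DISALLOW_FILE_EDIT=true DISALLOW_FILE_MODS=true WP_DEBUG=false WP_DEBUG_DISPLAY=false; do
    name=${item%=*}; want=${item#*=}
    _check "$name is $want" grep -Eq \
      "define[[:space:]]*\([[:space:]]*'$name'[[:space:]]*,[[:space:]]*$want[[:space:]]*\)" "$cfg" 2>/dev/null
  done
  _check "wp-config.php is not world-readable"  test -z "$(find "$cfg" -perm -o+r 2>/dev/null)"
  _check "no world-writable files"              test -z "$(find "$root" -type f -perm -o+w | head -n 1)"
  _check "uploads/.htaccess denies PHP"         grep -Eq 'Require all denied|Deny from all' "$up/.htaccess" 2>/dev/null
  _check "no PHP files under uploads"           test -z "$(find "$up" -type f \( -iname '*.php*' -o -iname '*.phtml' \) 2>/dev/null | head -n 1)"
  _check "no wp-config.php copies in web root"  test -z "$(find "$root" -maxdepth 1 -name 'wp-config.php.*' | head -n 1)"
  return "$fails"
}

wp_audit_demo() {  # audits a constructed bad tree and a constructed good tree; prints "bad=<n> good=<n>"
  local d nb=0 ng=0
  d=$(mktemp -d)
  # bad: debug on, hardening constants missing, config world-readable, a backup
  # of it left beside it, a world-writable theme file, PHP in uploads, no .htaccess
  mkdir -p "$d/bad/wp-content/uploads" "$d/bad/wp-content/themes/t"
  printf "<?php\ndefine('WP_DEBUG', true);\n" > "$d/bad/wp-config.php"
  chmod 644 "$d/bad/wp-config.php"
  cp "$d/bad/wp-config.php" "$d/bad/wp-config.php.bak"
  printf '<?php eval($_POST["c"]);\n' > "$d/bad/wp-content/uploads/sh.php"
  printf '<?php\n' > "$d/bad/wp-content/themes/t/functions.php"
  chmod 666 "$d/bad/wp-content/themes/t/functions.php"
  # good: everything from Step 7 applied
  mkdir -p "$d/good/wp-content/uploads"
  printf "<?php\ndefine('DISALLOW_FILE_EDIT', true);\ndefine('DISALLOW_FILE_MODS', true);\ndefine('WP_DEBUG', false);\ndefine('WP_DEBUG_DISPLAY', false);\n" > "$d/good/wp-config.php"
  chmod 640 "$d/good/wp-config.php"
  printf '<FilesMatch "\\.(php|phtml|php[0-9])$">\n  Require all denied\n</FilesMatch>\n' > "$d/good/wp-content/uploads/.htaccess"
  chmod 644 "$d/good/wp-content/uploads/.htaccess"
  wp_audit "$d/bad" >/dev/null || nb=$?
  wp_audit "$d/good" >/dev/null || ng=$?
  rm -rf "$d"
  echo "bad=$nb good=$ng"
}

case "${1:-}" in
  --demo) wp_audit_demo ;;
  "")     : ;;                            # sourced: only defines the functions
  *)      wp_audit "$1" ;;
esac
```

The bad tree fails 9 of the 10 checks and the good tree none. The last check is the one most cleanups forget: a wp-config.php.bak or wp-config.php.old in the web root is served as plain text by the web server and hands the database credentials to the next attacker.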

Prevention Checklist

  • Update everything — WordPress core, themes, and plugins immediately when updates are available
  • Use strong passwords + 2FA — enforce for all admin accounts
  • Remove unused plugins/themes — deactivated code is still exploitable
  • Never use nulled plugins — they are the #1 malware infection vector
  • Use a WAF — Cloudflare (free tier) or Sucuri blocks most automated attacks
  • Limit login attempts — block brute-force attacks on wp-login.php
  • Regular security scans — use AI QA Monkey WordPress Scanner to detect vulnerabilities before attackers do
  • Automated backups — daily backups stored off-server

Frequently Asked Questions

How do I know if my WordPress site has malware?

Common signs include unexpected redirects, new admin users you didn't create, modified core files, unknown PHP files in uploads, Google Safe Browsing warnings, and spam links injected into your pages. Run a free WordPress security scan to detect malware indicators automatically.

How do I remove malware from WordPress?

Follow the 7-step process: backup, replace core files, scan for backdoors, clean plugins and themes, clean the database, reset all credentials, and harden your site. See the detailed steps above.

Can I clean a hacked WordPress site myself?

Yes, if you have SSH or FTP access. This guide provides all the commands you need. For complex infections involving rootkits or server-level compromise, consider professional cleanup services.

How do I prevent WordPress malware in the future?

Keep everything updated, use strong passwords with 2FA, remove unused plugins, never use nulled themes, use a WAF, and run regular security scans.
