Learn how to remove malware from a WordPress website using plugins, fix file permissions, and enhance security with simple step-by-step methods.
How to Remove Malware from a WordPress Website
Malware can damage your website's reputation, drive away traffic, and get the site blacklisted by search engines. If you're wondering how to remove malware from a WordPress website, you're not alone: WordPress sites are compromised every day, most often through outdated or vulnerable plugins and themes, weak or reused credentials, and sloppy hosting configuration (file permissions included).
In this detailed guide, we’ll explain step-by-step how to detect, clean, and secure your WordPress site from malware. You’ll also learn how to fix file and folder permissions, scan and remove malware using the Wordfence plugin, and tighten your website’s security with the All in One Security plugin.
Understanding How WordPress Malware Works
Malware (malicious software) is code injected into your website's files or database without your permission. It can redirect visitors, steal data, send spam, display unwanted ads, or leave a backdoor (a hidden PHP script or a rogue admin account) so the attacker can come back later. Common ways malware enters a WordPress site include:
- Weak or reused admin passwords, with no limit on login attempts
- Outdated plugins or themes with publicly known vulnerabilities
- Loose file permissions, or shared hosting setups where one compromised account can write to another site's files
- Nulled (pirated) themes or plugins, which routinely ship with backdoors built in
- No web application firewall in front of the site
Before you start cleaning, identify the root cause and every persistence mechanism the attacker left behind (extra admin users, backdoor files, scheduled tasks); otherwise the malware will simply come back after removal.
Step 1: Back Up Your Website Before Cleaning
Before making any changes, take a complete backup of your website, files and database included.
You can use plugins like:
- UpdraftPlus
- BackupBuddy
- Jetpack Backup
This backup still contains the malware, so label it clearly as "infected" and keep it separate from your clean backups. It lets you roll back if something goes wrong during removal, and it preserves evidence (modified files, timestamps, rogue users) that you may need later to work out how the attacker got in.
Step 2: Identify Malware and Suspicious Files
The first sign of malware is often a sudden drop in traffic, strange redirects, spam pages showing up in search results, or a warning from Google Safe Browsing.
You can detect malware in several ways:
- Check your WordPress files via SFTP or File Manager. Look for unusual names such as wp-content.old or wp-admin1, PHP files inside wp-content/uploads (that folder should only hold media), and unfamiliar entries in wp-content/mu-plugins, which load automatically and cannot be deactivated from the dashboard.
- Use a malware scanner plugin. Wordfence, MalCare, or Sucuri Security compare your files against known-good copies and flag suspicious code and activity.
- Inspect recently modified files. In cPanel's File Manager, sort by "Last Modified". Core files that changed outside a WordPress update are a strong sign of a hack. Be aware that attackers sometimes reset timestamps to blend in, so an old modification date does not prove a file is clean.
- Check for accounts and jobs you did not create: extra administrators under Users, and unknown scheduled tasks (WP-Cron events or cPanel cron jobs) that re-download the malware after you delete it.
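Here is what those file checks look like from a shell on the server (SSH, or cPanel's Terminal). This script is an added example for this article, not code from Wordfence or any other tool mentioned here; it assumes the standard WordPress directory layout, the grep patterns are a small starting set rather than a signature database, and the sample tree it builds is constructed purely to demonstrate the checks.

```bash
#!/bin/sh
# Added example: quick triage of a WordPress tree for common signs of injected code.
# Standard WordPress layout is assumed; the grep patterns are a minimal starting set,
# not an exhaustive signature list. Call each function with the site root as argument.

# PHP files modified within the last N days (default 7). Cheap first pass, but mtime
# can be reset by the attacker, so use it alongside the other checks.
recent_php() {
  root="$1"; days="${2:-7}"
  find "$root" -type f -name '*.php' -mtime "-$days"
}

# Files containing obfuscation idioms that legitimate plugins almost never use
suspicious_code() {
  root="$1"
  find "$root" -type f -name '*.php' -exec grep -lE \
    'eval\(base64_decode|gzinflate\(|str_rot13\(|eval\(\$_(POST|GET|REQUEST)' {} +
}

# PHP under wp-content/uploads is almost always a dropped webshell: that folder
# should contain media only, and web-reachable PHP there runs with WordPress's rights
php_in_uploads() {
  root="$1"
  find "$root/wp-content/uploads" -type f \
    \( -name '*.php' -o -name '*.phtml' -o -name '*.php5' \) 2>/dev/null
}

# Number of distinct files flagged by the code-pattern and uploads checks
triage_count() {
  root="$1"
  { suspicious_code "$root"; php_in_uploads "$root"; } | sort -u | wc -l | tr -d ' '
}

# Constructed sample tree (not a real site): one clean plugin file, one plugin file
# with an injected eval, and a webshell hidden in uploads next to a real image
make_sample_tree() {
  dir="$1"
  mkdir -p "$dir/wp-content/uploads/2024/05" "$dir/wp-content/plugins/akismet"
  printf '<?php // clean plugin code\necho "hi";\n' > "$dir/wp-content/plugins/akismet/akismet.php"
  printf '<?php eval(base64_decode("ZWNobyAxOw=="));\n' > "$dir/wp-content/plugins/akismet/class.helper.php"
  printf '<?php @eval($_POST["c"]);\n' > "$dir/wp-content/uploads/2024/05/image.php"
  printf 'GIF89a' > "$dir/wp-content/uploads/2024/05/photo.gif"
}

# Demo run on the constructed tree; on a real site call the functions with your
# public_html path instead of building a sample
demo() {
  tmp=$(mktemp -d)
  make_sample_tree "$tmp"
  echo "recent PHP files:"; recent_php "$tmp"
  echo "suspicious code:";  suspicious_code "$tmp"
  echo "PHP in uploads:";   php_in_uploads "$tmp"
  echo "flagged files: $(triage_count "$tmp")"
  rm -rf "$tmp"
}
demo
```

Anything the script flags still needs a human look: a file matching `base64_decode` is not automatically malicious (some legitimate plugins use it), but a PHP file in uploads or an `eval` fed from `$_POST` has no honest explanation.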
Step 3: Fix Files and Folders Permissions
Overly permissive file and folder permissions (777, for example) let any process on the server, including a neighbouring compromised account on shared hosting, write to your files. Correcting them is part of basic WordPress hardening. Keep in mind that they do not stop an attacker who is already running code as your own PHP user, so fixing the entry point matters at least as much.
Recommended WordPress File Permissions
| Type | Location | Permission | Description |
|---|---|---|---|
| Folders | /wp-content/, /wp-includes/, etc. | 755 | Owner can read, write, and enter; everyone else can read and enter |
| Files | .php, .html, .css files | 644 | Owner can read and write; everyone else can read |
| wp-config.php | Root directory | 600 | Only the owner can read the file, which holds database credentials and auth salts |
Caveat: 600 on wp-config.php only works when PHP runs as the file owner (suPHP or a per-account PHP-FPM pool, which is how most cPanel hosts are set up). If the web server runs as a separate user such as www-data, it can no longer read the file and the site will show a blank page; in that case use 640 with the web server's group instead. The WordPress hardening guide also mentions 440 or 400 as stricter options when your setup allows them.
How to Fix File Permissions Using cPanel:
- Log in to cPanel.
- Go to File Manager → public_html (or wherever WordPress is installed).
- cPanel's Change Permissions dialog applies one mode to everything you select, so do folders and files in separate passes: select the folders and set 755, then select the files and set 644.
- Finally, select wp-config.php on its own and set 600.
- Some hosts provide a "Fix Permissions" or "Reset Permissions" tool in cPanel that does this recursively in one step; use it if available, since clicking through every subfolder by hand is error-prone.
This stops other accounts on the server from modifying your files. It does not protect against an attacker who already executes code through your own site (a vulnerable plugin runs with the same rights as WordPress itself), which is why removing the entry point matters more than the mode bits.
How to Fix Using FTP (FileZilla):
- Connect to your site with FileZilla (use SFTP or FTPS rather than plain FTP, which sends your password in clear text).
- Right-click the WordPress folder → "File permissions…".
- Enter 755, tick "Recurse into subdirectories", and choose "Apply to directories only".
- Repeat with 644 and "Apply to files only".
- Set wp-config.php to 600 separately.
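If you have SSH access (or cPanel's Terminal), the same reset is two find commands, and you can verify the result instead of trusting a dialog. The script below is an added example for this article, not code from cPanel, FileZilla, or WordPress; it assumes PHP runs as the file owner, the usual cPanel setup, and the small tree it creates in its demo is constructed for illustration.

```bash
#!/bin/sh
# Added example: reset WordPress permissions from the shell and verify the result.
# Assumes PHP runs as the file owner (suPHP or a per-account PHP-FPM pool, the usual
# cPanel setup). If the web server runs as a different user, change the 600 below to
# 640 and give wp-config.php the server's group, or the site will go blank.

# Apply 755 to directories, 644 to files, 600 to wp-config.php under $1
fix_wp_perms() {
  root="$1"
  [ -d "$root" ] || { echo "not a directory: $root" >&2; return 1; }
  find "$root" -type d -exec chmod 755 {} +
  find "$root" -type f -exec chmod 644 {} +
  # the config holds database credentials and auth salts: owner-only
  [ -f "$root/wp-config.php" ] && chmod 600 "$root/wp-config.php"
  return 0
}

# Number of paths that still deviate from the recommended modes; 0 means clean.
# -perm without a leading - or / matches the mode exactly, so 775 or 777 count as bad.
count_bad_perms() {
  root="$1"
  dirs=$(find "$root" -type d ! -perm 755 | wc -l)
  files=$(find "$root" -type f ! -name wp-config.php ! -perm 644 | wc -l)
  cfg=0
  [ -f "$root/wp-config.php" ] && cfg=$(find "$root/wp-config.php" ! -perm 600 | wc -l)
  echo $((dirs + files + cfg))
}

# Demo on a constructed tree with deliberately loose (777) permissions
demo() {
  tmp=$(mktemp -d)
  mkdir -p "$tmp/wp-content/uploads"
  printf 'x' > "$tmp/wp-content/uploads/a.jpg"
  printf '<?php\n' > "$tmp/wp-config.php"
  chmod -R 777 "$tmp"
  echo "bad entries before: $(count_bad_perms "$tmp")"
  fix_wp_perms "$tmp"
  echo "bad entries after:  $(count_bad_perms "$tmp")"
  rm -rf "$tmp"
}
demo
```

On a real site run `fix_wp_perms /home/youruser/public_html` and then `count_bad_perms` on the same path; a non-zero result after the fix usually means a file or folder is owned by another user and could not be changed, which is itself worth investigating.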
Step 4: Scan and Remove Malware Using Wordfence Plugin
The Wordfence Security Plugin is one of the most powerful tools to detect and remove malware from your WordPress website.
How to Install and Scan with Wordfence:
- Go to your WordPress Dashboard → Plugins → Add New.
- Search for "Wordfence Security" and install it.
- Activate the plugin and navigate to Wordfence → Scan.
- Click Start New Scan.
Wordfence compares your core, theme, and plugin files against the originals published on WordPress.org and scans for known malicious code patterns.
When the scan completes, it lists infected or altered files along with other findings (outdated software, weak passwords, unknown files).
Removing Malware with Wordfence:
- For a modified core, theme, or plugin file that has an original on WordPress.org, click Repair File to restore that version. Files with no original to compare against (anything the attacker added) are offered for deletion instead; look at such a file before deleting it if you are unsure, but do not leave it in place.
- If Wordfence cannot repair a file, or the plugin or theme is a commercial one not hosted on WordPress.org, download a fresh copy from the vendor and replace the whole plugin or theme folder rather than individual files.
- Delete any unfamiliar admin users created during the hack (Users → All Users) and any unknown entries under Plugins → Must-Use.
- After cleaning, run the scan again until it comes back clean; attackers often plant several copies of a backdoor.
Bonus Tip:
Enable the Wordfence Firewall to block suspicious IPs and brute-force login attempts automatically. The firewall reduces the attack surface going forward, but it is not a substitute for cleaning the files.
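Repair File works by comparing your copy of a file against the original in the WordPress.org repository. If you want to do that comparison yourself, for a commercial plugin or to double-check a scan, download a clean copy of the same version and diff the two trees. The script below is an added example for this article, not Wordfence code or anything from WordPress; it assumes you have unpacked the clean copy next to the live tree, skips wp-content (your own data), and the two small trees its `make_demo` function builds are constructed for illustration. Point it at a single plugin folder and its fresh download and it works the same way.

```bash
#!/bin/sh
# Added example: compare a live WordPress tree against a clean copy of the same
# version, list what differs, and restore modified or missing files from the clean copy.
# Assumes both trees are unpacked locally; wp-content is skipped because it holds
# your uploads and site-specific plugins rather than core files.

# Core files whose content differs from (or is missing compared to) the clean copy
modified_files() {
  clean="$1"; live="$2"
  ( cd "$clean" && find . -type f ! -path './wp-content/*' ) | sed 's#^\./##' |
  while IFS= read -r f; do
    if [ ! -f "$live/$f" ]; then
      echo "MISSING $f"
    elif ! cmp -s "$clean/$f" "$live/$f"; then
      echo "MODIFIED $f"
    fi
  done
}

# Files present in the live tree but absent from the clean copy: dropped backdoors
# usually show up here, often with innocent-looking names next to real core files
extra_files() {
  clean="$1"; live="$2"
  ( cd "$live" && find . -type f ! -path './wp-content/*' ) | sed 's#^\./##' |
  while IFS= read -r f; do
    [ -f "$clean/$f" ] || echo "EXTRA $f"
  done
}

# Overwrite every MODIFIED/MISSING file with the clean version. EXTRA files are
# left for you to inspect and delete by hand, since no clean original exists.
restore_modified() {
  clean="$1"; live="$2"
  modified_files "$clean" "$live" | while read -r _ f; do
    mkdir -p "$(dirname "$live/$f")"
    cp "$clean/$f" "$live/$f"
  done
}

# Constructed sample trees (not real installs): an unchanged index.php, a tampered
# wp-admin/admin.php, a missing wp-load.php, a dropped cache.php, and a site plugin
make_demo() {
  base="$1"
  mkdir -p "$base/clean/wp-admin" "$base/clean/wp-content/plugins" \
           "$base/live/wp-admin"  "$base/live/wp-content/plugins"
  printf '<?php // index\n' > "$base/clean/index.php"
  printf '<?php // index\n' > "$base/live/index.php"
  printf '<?php // admin\n' > "$base/clean/wp-admin/admin.php"
  printf '<?php // admin\neval(base64_decode("aGk="));\n' > "$base/live/wp-admin/admin.php"
  printf '<?php // wp-load\n' > "$base/clean/wp-load.php"
  printf '<?php @eval($_POST["x"]);\n' > "$base/live/wp-admin/cache.php"
  printf '<?php // site plugin\n' > "$base/live/wp-content/plugins/custom.php"
}

demo() {
  tmp=$(mktemp -d)
  make_demo "$tmp"
  echo "before restore:"; modified_files "$tmp/clean" "$tmp/live"; extra_files "$tmp/clean" "$tmp/live"
  restore_modified "$tmp/clean" "$tmp/live"
  echo "after restore:";  modified_files "$tmp/clean" "$tmp/live"; extra_files "$tmp/clean" "$tmp/live"
  rm -rf "$tmp"
}
demo
```

The EXTRA list is the one to read most carefully: a restore cannot touch those files because nothing clean exists to replace them with, and that is exactly where webshells live.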
Step 5: Tighten Security Using All in One Security Plugin
Once your site is clean, strengthen its defenses so the same attack does not work twice.
The All in One WP Security & Firewall plugin (AIOS) bundles many hardening settings under one dashboard.
Steps to Secure Your Site with All in One Security:
- Install and Activate the Plugin: Go to Plugins → Add New, search for "All in One WP Security & Firewall", install, and activate.
- Check the Security Strength Meter: The dashboard scores your configuration. Aim for 80 or above, but treat the number as a checklist rather than a guarantee; a site with a vulnerable plugin can score well and still be exploitable.
- Basic Security Measures:
  - Change the default admin username if it is still "admin".
  - Enable login lockdown so repeated failed logins from one address are blocked.
  - Enforce strong, unique passwords for all user accounts.
- File System Security:
  - Navigate to WP Security → File System Security.
  - Confirm that key files (wp-config.php, .htaccess) have the permissions described earlier, and disable PHP file editing so a stolen admin session cannot be used to write code through the dashboard's theme and plugin editor.
- Firewall Settings:
  - Enable Basic Firewall Protection and Brute Force Prevention.
  - Block fake crawlers and suspicious bots.
- Database Security:
  - Changing the table prefix from "wp_" to something unique is offered here. It adds little against real attacks (a SQL injection can read the actual prefix from the database) and can break poorly written plugins, so take a backup first and treat it as optional.
  - Schedule automatic database backups.
- Prevent Hotlinking and Framing:
  - Go to Firewall → Prevent Hotlinks to stop other sites from embedding your images directly. Hotlinking wastes your bandwidth; it does not copy your content. The separate option that stops your pages being loaded inside an iframe on another domain protects against clickjacking and is worth enabling too.
By configuring these settings your website becomes significantly harder to attack, but none of them substitute for keeping software up to date.
Step 6: Update Everything Regularly
Keeping WordPress core, plugins, and themes updated is the easiest and most effective way to keep malware out, because most infections exploit a vulnerability that already has a patch available.
- Install updates only from the official repository or the original developer.
- Delete unused plugins and themes; even an inactive plugin's files can be reached directly over the web.
- Avoid "nulled" or cracked versions, which almost always contain malicious code.
Use ManageWP or MainWP if you handle multiple websites, as these tools make bulk updates easier.
Step 7: Change All Passwords and Secure User Accounts
After malware removal, reset every credential the attacker could have captured so they cannot simply log back in.
Change the following immediately:
- WordPress passwords for all administrator and editor accounts
- Hosting/cPanel password
- FTP/SFTP credentials
- Database password (update it in wp-config.php as well)
- The security keys and salts in wp-config.php (AUTH_KEY, SECURE_AUTH_KEY, and the rest); new values invalidate every existing login cookie, including any session the attacker still holds
- Any API keys or tokens stored on the site (payment gateways, mail services, CDN)
Require all users with admin roles to use strong, unique passwords, and enable two-factor authentication where possible.
Step 8: Verify Cleanup and Request Google Review (if blacklisted)
If Google flagged your site, request a review once the cleanup is finished and verified.
- Log in to Google Search Console.
- Go to Security Issues → "Request Review".
- Describe the actions you took to remove the malware and the vulnerability you closed.
Once Google verifies the site is clean, the browser warning ("The site ahead contains malware" or "Deceptive site ahead", depending on what was flagged) is lifted; this can take several days. Requesting a review while the site is still infected only delays the process, so scan again first.
Additional Tips to Prevent Future Malware Infections
- Use a reliable hosting provider with strong security policies (for example SiteGround, Kinsta, or WP Engine).
- Put a web application firewall (WAF) in front of the site; plugins like Wordfence or Sucuri offer one.
- Limit login attempts and enable two-factor authentication (2FA).
- Monitor your site's traffic and file changes regularly for unusual activity.
- Schedule automatic backups at least weekly, and store them somewhere other than the web server itself.
How to Remove Malware from a WordPress Website (Recap)
To summarize, removing malware from your WordPress website involves:
- Backing up your site.
- Identifying infected files.
- Fixing file and folder permissions.
- Scanning and removing malware using Wordfence.
- Strengthening security with the All in One Security plugin.
- Updating everything regularly.
- Changing all passwords.
- Requesting a Google review (if needed).
Following these steps will not only help you clean your site but also safeguard it against future attacks.
Helpful External Resources
Here are some useful references to help you with malware removal and WordPress security:
- Wordfence Official Guide
- All in One WP Security Plugin Docs
- Sucuri WordPress Security Guide
- WordPress.org Hardening Guidelines
- Google Safe Browsing Check
Final Thoughts
Dealing with malware can be stressful, but by learning how to remove malware from a WordPress website and following a structured approach, you can quickly restore your site’s health and reputation.
Regular updates, strong passwords, and security plugins like Wordfence and All in One Security are your best allies. Stay proactive — prevention is always easier than recovery.
