Discovering malware on your WordPress site can be terrifying for any business owner. Malicious code can break site features, damage your reputation and expose customer data, which triggers legal duties such as notifying the UK’s Information Commissioner’s Office (ICO) within 72 hours if personal data is involved.

This guide explains how to identify, remove and prevent malware on WordPress. We’ll cover the key steps for website malware removal, recommend top security plugins, and explain how to reinforce your site for the future.
Recognising a Hacked WordPress Site
First, look for signs of infection. Common indicators include unexpected site behaviour, warnings, or errors. For example:
- Unexpected Redirects or Content Changes: Hackers often insert malicious redirects or spammy content. If pages or menus suddenly link to unfamiliar sites, or you see strange pop-ups/ads you didn’t add, your site is likely compromised.
- Login Problems and Unknown Users: If you can’t log in, or if you notice unfamiliar admin accounts or logins from unknown IP addresses in your dashboard, that’s a red flag.
- Check Users > All Users for any accounts you didn’t create, and delete them.
- Performance Issues: A hacked site may become very slow, show a blank page, or intermittently go down. Malware can consume resources or break functionality, causing “404” or “500” errors. Sudden slowdowns or frequent crashes often accompany infections.
- Security Warnings: Browsers like Chrome may show a big red warning (“This site may be hacked”), and Google Search Console can flag your site as unsafe. Tools like Google’s Transparency Report or Google Search Console can confirm if Google has blacklisted your site.
If you see any of these symptoms, act fast. First, put your site in maintenance mode (using a WP maintenance plugin or .htaccess) to prevent further damage.
Immediately make a complete backup of your site and database before attempting any fixes. Even a backup of a hacked site is better than losing all your data.
Step 1: Scan Your Site for Malware
With a backup in hand, the next step is to find the malware. Use reputable scanning tools and plugins to identify infections:
- Online Scanners: Free tools like Sucuri SiteCheck can remotely scan your public pages for known malware, blacklist status and compromised URLs. Enter your URL and let it check for suspicious code or known bad domains.
- Security Plugins: Install a WP security/malware scanner plugin. For example, Wordfence and Sucuri Security offer malware scanning and firewall protection.
  - Wordfence’s scanner checks core files, themes and plugins for malicious code, bad URLs, backdoors and SEO spam.
  - The Sucuri Security plugin uses the SiteCheck engine for remote malware scanning and also monitors file integrity.
  - We also recommend Jetpack Scan (part of Jetpack Security) or MalCare – these can automatically detect malware in files and databases. (Jetpack explicitly recommends its Scan feature to clean infections.)
- Manual Checks: Review your site files (via FTP or your host’s File Manager). Sort files by “last modified” date and look for recently changed PHP files. Common hackers’ code includes functions like eval(), base64_decode(), gzinflate(), etc. Also check your database (using phpMyAdmin) for any suspicious entries in the wp_options or wp_posts tables.
Scanning helps you pinpoint the infection. As Sucuri explains, “the first step to removing malware… is to identify the type of hack” using tools that scan for malicious payloads.
A thorough scan (remote and server-side) will highlight the files and pages affected, guiding you on what to clean next.
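As an added example (not code from the original guide or from any of the plugins it names), this Python script automates the manual checks described above: it walks a WordPress tree, flags PHP files under wp-content/uploads, flags files that call the functions listed (eval, base64_decode, gzinflate, plus the str_rot13 and exec named in the backdoor search of Step 2), and flags anything modified in the last week. The tree it scans is a constructed sample built in a temporary directory; the seven-day window and the file names are assumptions.

```python
import os
import re
import tempfile
import time
from pathlib import Path

# Function names the guide lists as common in injected code. Legitimate plugins use them
# too, so every hit needs a human look; the scan only narrows the search.
SUSPICIOUS_CALLS = re.compile(
    r"\b(eval|base64_decode|gzinflate|str_rot13|exec)\s*\(", re.IGNORECASE)
UPLOADS_DIR = os.path.join("wp-content", "uploads")

def scan_site(root, recent_days=7):
    """Return sorted (relative_path, reason) findings for the WordPress tree at root."""
    cutoff = time.time() - recent_days * 86400
    findings = []
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root)
            is_php = name.lower().endswith(".php")
            if is_php and rel.startswith(UPLOADS_DIR + os.sep):  # uploads should hold no PHP
                findings.append((rel, "php file inside wp-content/uploads"))
            if is_php:
                with open(full, errors="replace") as fh:
                    for lineno, line in enumerate(fh, 1):
                        m = SUSPICIOUS_CALLS.search(line)
                        if m:  # one hit is enough to flag the file
                            findings.append((rel, f"{m.group(1).lower()}() on line {lineno}"))
                            break
            if os.path.getmtime(full) >= cutoff:  # the "last modified" check
                findings.append((rel, f"modified within the last {recent_days} days"))
    return sorted(findings)

def demo():
    """Constructed sample tree: one clean, backdated file and two planted suspects."""
    files = {
        "index.php": "<?php require __DIR__ . '/wp-blog-header.php';\n",
        "wp-content/uploads/2024/05/image.php": "<?php eval(base64_decode('CONSTRUCTED'));\n",
        "wp-content/plugins/odd/x.php": "<?php\n$p = gzinflate(str_rot13($s)); // CONSTRUCTED\n",
    }
    with tempfile.TemporaryDirectory() as tmp:
        for rel, body in files.items():
            p = Path(tmp, rel)
            p.parent.mkdir(parents=True, exist_ok=True)
            p.write_text(body)
        old = time.time() - 60 * 86400  # backdate the clean file so only suspects look recent
        os.utime(Path(tmp, "index.php"), (old, old))
        return scan_site(tmp)
```

Run `scan_site("/path/to/wordpress")` against a real docroot and review every finding by hand before deleting anything.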
Step 2: How to Perform Effective WordPress Malware Removal
Once you’ve located the infection, proceed with cleaning. There are two main approaches:
- (A) Automatic Cleanup with a Plugin: The easiest way is to use a trusted security plugin’s cleanup feature. For example, MalCare lets you auto-clean your site with one click: you scan the site, then hit “Clean” to remove malware and backdoors. It even provides a firewall to block future attacks.
- (B) Manual Cleanup (advanced): If you prefer to clean by hand, follow these steps carefully:
  - Backup Your Site – again, ensure you have a fresh backup of both files and database.
  - Download Clean WordPress Core and Plugins – obtain fresh copies of the WordPress version, themes and plugins you use (from WordPress.org or developer sites).
  - Reinstall Core Files – using FTP or your host’s file manager, replace the wp-admin and wp-includes folders with the clean versions. These contain no user data, so it’s safe to swap them out.
  - Scan Core Files – manually inspect important files like index.php, wp-config.php, wp-settings.php and .htaccess for unfamiliar code. Delete any malicious snippets (commonly injected via eval(), base64_decode(), etc.). Also look in wp-content/uploads: it should rarely contain PHP files, so delete any you didn’t place there.
  - Clean Themes and Plugins – go through wp-content/themes and wp-content/plugins. Compare each file to a known good copy (from the clean copies you downloaded) and remove any added malware. Pay attention to recently modified files. (If you used pirated “nulled” plugins/themes, they often hide malware – it’s best to delete those entirely.)
  - Clean the Database – malware can hide in your database. In phpMyAdmin, check wp_options, wp_posts and other tables for suspicious content (malicious links or iframes). Manually delete any rogue entries. Jetpack’s guide notes that if tables are infected, you can either clean them manually or use a database optimisation tool (though WP-Optimise mainly cleans spam, not specifically malware).
  - Remove Backdoors – hackers often leave hidden “backdoor” scripts so they can re-enter. Search your files for common malware functions (eval, exec, str_rot13, etc.) in odd locations (e.g. in wp-content/plugins or uploads). Delete any files that match backdoor patterns. (Be careful: these functions are also used legitimately, so if in doubt, consult a pro.)
  - Reupload Clean Files – once you’re sure everything’s clean, upload the fixed files back to the server, replacing the compromised ones. Clear any caches (WordPress cache plugins, CDN or server caches) so that visitors see the clean versions.
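The “compare each file to a known good copy” step above can be done mechanically. This added Python example (not from the guide or from any plugin) hashes every file in a freshly downloaded clean tree and in the live tree, then reports what the live copy has added, modified or lost. The wp-includes file names and contents here are a constructed sample, not real WordPress files.

```python
import hashlib
import os
import tempfile
from pathlib import Path


def hash_tree(root):
    """Map relative path -> SHA-256 of contents for every file under root."""
    hashes = {}
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            full = os.path.join(dirpath, name)
            hashes[os.path.relpath(full, root)] = hashlib.sha256(Path(full).read_bytes()).hexdigest()
    return hashes


def compare_trees(clean_root, live_root):
    """Report files added to, modified in, or missing from the live tree.

    'added' deserves the closest look: wp-admin and wp-includes should contain
    nothing that the clean download does not.
    """
    clean, live = hash_tree(clean_root), hash_tree(live_root)
    return {
        "added": sorted(set(live) - set(clean)),
        "modified": sorted(p for p in clean if p in live and live[p] != clean[p]),
        "missing": sorted(set(clean) - set(live)),
    }


def _write(base, rel, body):
    p = Path(base, rel)
    p.parent.mkdir(parents=True, exist_ok=True)
    p.write_text(body)


def demo():
    """Constructed sample: a clean wp-includes beside a tampered live copy of it."""
    with tempfile.TemporaryDirectory() as clean, tempfile.TemporaryDirectory() as live:
        for base in (clean, live):
            _write(base, "wp-includes/version.php", "<?php $wp_version = 'SAMPLE';\n")
            _write(base, "wp-includes/plugin.php", "<?php // plugin API\n")
            _write(base, "wp-includes/formatting.php", "<?php // untouched\n")
        # Live copy: one core file gained a line, one file was planted, one was deleted.
        _write(live, "wp-includes/plugin.php", "<?php // plugin API\n// CONSTRUCTED extra line\n")
        _write(live, "wp-includes/wp-tmp.php", "<?php // CONSTRUCTED planted file\n")
        os.remove(os.path.join(live, "wp-includes", "version.php"))
        return compare_trees(clean, live)
```

For a real site, point `compare_trees` at the unzipped download of your exact WordPress version and at the live docroot; wp-content is expected to differ (uploads, your themes), so compare that directory plugin by plugin against fresh plugin downloads instead.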
After manual cleanup, your site should load normally again. It’s wise to re-scan with your security plugins or Sucuri SiteCheck to confirm no malware remains.
Then immediately change all passwords: WordPress admin accounts, hosting control panel, FTP/SFTP, database, and any API keys. As Wordfence recommends, treat password changes as a must-do after a breach.
Step 3: Strengthen WordPress Security (Prevention)
Cleaning up is only half the battle – you must harden your site to prevent reinfection. Hackers exploit vulnerabilities or weak credentials, so follow these best practices:
- Keep Everything Updated: Always run the latest WordPress core version, theme versions and plugin updates. Updates often patch security holes. As MalCare advises, “[d]evelopers spot vulnerabilities … and release patches… so it is extremely important to update your website regularly”. Site owners should enable auto-updates or check daily for updates in the dashboard.
- Use Strong Passwords and 2FA: Switch to complex passwords for all accounts (admins, FTP, hosting). Implement two-factor authentication for WordPress logins and hosting control panels whenever possible. Remember to also update your security keys and salts (in wp-config.php) after a breach – this forces all cookies to expire. As MalCare notes, resetting all passwords and salts is essential because “Bad passwords are a big reason why websites get hacked”.
- Limit Admin Users: Only grant administrator rights to users who absolutely need them. Check Users > All Users regularly to remove any inactive or suspicious accounts. Apply the principle of least privilege: editors can manage site content, while full admin accounts are kept to a minimum and tightly controlled.
- Install a Security Plugin/Firewall: Use a reputable security plugin to continuously monitor and block threats. Wordfence and Sucuri Security both include firewalls (WAF) to block malicious traffic. MalCare’s firewall can “keep unwanted requests at bay” automatically. (For UK-based sites, you might also consider a UK-hosted WAF or a service like Cloudflare for an added layer.)
- Scan Regularly: Schedule daily or weekly malware scans. Don’t wait until you suspect an infection. Jetpack’s advice is to scan proactively; if you only scan after a problem appears, the malware may have already done damage. Plugins like Wordfence and Sucuri can auto-scan and email you if anything suspicious is found.
- Take Frequent Backups: Maintain regular, off-site backups (daily, or real-time for e-commerce sites). If things go wrong, a clean backup lets you restore quickly. Tools like BlogVault or UpdraftPlus store backups off your server.
- Harden WordPress: Follow WordPress’s official hardening guide (set correct file permissions, disable file editing in the dashboard, etc.). Many security plugins (including Sucuri and Wordfence) offer “hardening” options. MalCare recommends using their one-click hardening or doing manual fixes to secure areas like .htaccess and wp-config.php. For instance, restrict wp-config.php permissions to 440 or 400.
- Secure Your Computer and Network: Ensure the PC you use to manage the site is malware-free (scan it with an antivirus). Don’t log into your site from insecure public Wi-Fi. If a hacker obtained your credentials from a keylogger on your computer, they can simply reinfect your site.
- Follow UK Security Guidelines: As a business, consider security frameworks like the Government’s Cyber Essentials. It covers basics like firewall setup and secure configurations. Also, keep in mind GDPR: if malware led to a data breach, you must report it to the ICO within 72 hours of discovery. Good security isn’t just about tech—it’s also about policies and awareness.
By combining these practices—regular updates, limited access, strong passwords, scanning and backups—you greatly reduce the chance of a new hack. Sucuri summarises this as post-hack hardening: “patch outdated software, change passwords, [and install] a firewall” to lock down a fixed site.
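To check the wp-config.php points above (440 or 400 permissions, the dashboard file editor disabled, and fresh keys and salts after a breach), here is an added Python audit that is not code from the guide or from any plugin. It assumes the single-quoted define( 'KEY', 'value' ); layout that the WordPress installer writes, and it builds a constructed wp-config.php in a temporary directory rather than touching a real site.

```python
import os
import re
import secrets
import tempfile
from pathlib import Path

SALT_KEYS = ("AUTH_KEY", "SECURE_AUTH_KEY", "LOGGED_IN_KEY", "NONCE_KEY",
             "AUTH_SALT", "SECURE_AUTH_SALT", "LOGGED_IN_SALT", "NONCE_SALT")
# Single-quoted define() form written by the WordPress installer (assumption).
DEFINE_RE = r"define\(\s*'{key}'\s*,\s*'([^']*)'\s*\);"
PLACEHOLDER = "put your unique phrase here"  # the value shipped in wp-config-sample.php

def audit_wp_config(path):
    """Return a list of problems found; an empty list means every check passed."""
    problems = []
    mode = os.stat(path).st_mode & 0o777
    if mode not in (0o400, 0o440):  # the permissions the guide recommends
        problems.append(f"permissions are {oct(mode)}, expected 0o440 or 0o400")
    text = Path(path).read_text()
    if not re.search(r"define\(\s*'DISALLOW_FILE_EDIT'\s*,\s*true\s*\);", text):
        problems.append("DISALLOW_FILE_EDIT is not true (dashboard file editor enabled)")
    for key in SALT_KEYS:
        m = re.search(DEFINE_RE.format(key=key), text)
        if not m or m.group(1) == PLACEHOLDER or len(m.group(1)) < 32:
            problems.append(f"{key} is missing, still the placeholder, or too short")
    return problems

def rotate_salts(path):
    """Give every key/salt a fresh random value, which expires all existing login cookies."""
    text = Path(path).read_text()
    for key in SALT_KEYS:
        line = f"define( '{key}', '{secrets.token_urlsafe(48)}' );"  # 64 chars, no quotes
        text = re.sub(DEFINE_RE.format(key=key), lambda _m: line, text)
    Path(path).write_text(text)

def demo():
    """Constructed wp-config.php with the weak settings, audited before and after hardening."""
    with tempfile.TemporaryDirectory() as tmp:
        path = os.path.join(tmp, "wp-config.php")
        body = ["<?php", "define( 'DB_NAME', 'sample' );"]
        body += [f"define( '{k}', '{PLACEHOLDER}' );" for k in SALT_KEYS]
        Path(path).write_text("\n".join(body) + "\n")
        os.chmod(path, 0o644)  # world-readable, as many installers leave it
        before = audit_wp_config(path)
        rotate_salts(path)  # harden: new salts, no file editor, tight permissions
        Path(path).write_text(Path(path).read_text() + "define( 'DISALLOW_FILE_EDIT', true );\n")
        os.chmod(path, 0o440)
        return before, audit_wp_config(path)
```

On a real site, check that the web server still runs as the file’s owner or group before applying 0o400 or 0o440, or WordPress will be unable to read its own configuration.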
Recommended Tools and Plugins
Here are some reputable tools to consider in your cleanup and security arsenal:
- Wordfence Security (Free & Premium) – Includes a malware scanner, firewall and login security (2FA, CAPTCHA). It scans core/theme/plugin files for malware and live traffic for attacks. Millions of sites use Wordfence.
- Sucuri Security (Free) + Sucuri Firewall (Paid) – The free plugin audits security events and does remote SiteCheck scans. The paid WAF (from a UK-based company) blocks attacks at the DNS level.
- MalCare Security – A cloud-based scanner with one-click malware removal and a firewall. MalCare’s auto-clean feature is known to handle tough infections. It’s great for non-techies (just press “Clean Site”).
- Jetpack Security (Jetpack Scan) – Jetpack’s premium version includes daily auto-scans and automated fixes for known vulnerabilities. It’s tightly integrated with WordPress.com and easy to use. Jetpack explicitly recommends its Scan tool to detect database malware.
- Backup Plugins: BlogVault, UpdraftPlus or BackWPup to automate offsite backups.
Choose a combination, such as one scanning/firewall plugin (Wordfence or Sucuri) plus a strong backup system. After cleaning, review and remove any security plugin conflicts, as two firewalls can clash.
What if It’s Too Much? Get Expert Help
Tackling malware can be technically demanding. If you feel out of depth or time-pressed, professional help is available. We offer dedicated WordPress malware removal services for website owners.
We can quickly clean your site (97% success rate in hours) and advise on tougher cases. We also provide ongoing WordPress support and security monitoring, so you can focus on your business.