Remove malware from WordPress

7 steps to remove malware from your WordPress website

With 75,000,000 websites powered by WordPress, it’s hard to avoid the attention of cybercriminals who spread malware. Here’s why WordPress maintenance is important. It helps prevent, detect, and clean up hacked WP sites.

If you see signs of malware infection, keep calm and contact our WordPress team so we can clean it up. Here are the steps to help you remove malware from your WordPress website.

Signs your WordPress website has malware

Symptoms that show your WP website could be infected with some malicious software are numerous. Here are a few of them to consider:

  • links of unknown origin on the site
  • links are hidden with color
  • unexplainable website traffic spikes
  • unexplainable losses in website performance
  • unknown pop-ups or advertisements
  • changes in the look of the homepage and content
  • visitors are redirected to another website
  • spam messages sent from the site
  • different website details in Google search shows
  • no access the website’s admin dashboard

How to remove malware from WordPress

The following steps will help you remove malware from your WordPress website. Please keep in mind that they will require some technical expertise. Alternatively, instead of going through them all, you could with just one step — contact our WordPress team.

1. Do a complete WordPress site backup

Before you begin to remove malware from WordPress, make a complete backup of your site and databases. As an efficient option, you could use one of the numerous WP backup plugins.

Some useful WordPress backup plugins

BackWPup plugin dashboard

2. Scan your website for malware

Now it’s time to discover the malware that is harming your website. If your WP admin dashboard is available to you, WP malware scanning plugins could very helpful. They will carefully scan your website and list all infected files.

Some useful malware scanning WordPress plugins

Wordfence WordPress plugin to scan for malware

Malware scanners are very handy and efficient but may not always be 100% accurate. To be on the safe side, it is necessary to check all the most important files manually.

3. Install the latest version of the WordPress core

As part of steps to remove malware, go to, get the latest version of the core, and install the wp-includes and wp-admin instead of the old ones on your website.

Get the latest version of WordPress core

4. Reinstall your WordPress plugins and themes

Now you need to install all contributed plugins your website is using from Reinstall the custom plugins from the backups in WP-content once they are carefully checked. We strongly recommend that you contact our WordPress team for checking the custom plugins.

Install the latest default WP theme Twenty Nineteen and see if the website is OK. Then you can get back your usual theme from the backups if no malware was found in it.

5. Change your WP passwords

Change the admin password of your WordPress website to something you have never used before. The safest way is to do it through your database.

The passwords of all users also have to be reset. In addition, change the passwords for cPanel, FTP access, and anything of this kind that you are using.

In this blog post about preventing WordPress brute-force attacks, our colleagues list weak passwords that should be avoided.

6. Check the content again

Your WP-content folder contains all the content. It can stay there if no malware has been found. You can look through it again to make sure there are no strange file extensions. For example, there have been cases of WP malware infection through .ico files.

7. Tell Google your website is clean again

You can use your Google Webmaster Tools to submit your site to Google and let the search engine know it’s time to remove any warnings about your website.

Let our team remove malware from your WordPress site

Please remember that the above-listed steps to remove malware from your WP site are just an introduction and you may have numerous complications.

Contact our web developers who will carefully remove malware from your WordPress website and also take care it does not appear again.

They will recommend and install the most relevant WordPress security plugins, make sure you have the right security settings, and remind you of security practices. A good security audit will do your website a lot of good even if you have no malware.

Your site will appreciate the work of our WordPress support team!


Don't miss out on our future blog posts


Check out our Privacy Policy for more information.

Join our newsletter to get blog updates straight to your inbox.


Don't miss out on our future blog posts


Check out our Privacy Policy for more information.