WordPress Malware Removal: A Complete Guide

Your WordPress site is acting weird. Maybe it's redirecting to sketchy pharmaceutical sites, or Google just slapped you with a malware warning. Your stomach drops. You've been hacked.

Take a breath. Yes, this is serious, but it's fixable. I've cleaned hundreds of infected WordPress sites over the years, and while each infection is slightly different, the cleanup process follows a predictable pattern.

This guide walks you through exactly how to identify, remove, and prevent WordPress malware. We'll cover the forensic work first (finding what's infected), then the cleanup process, and finally how to lock things down so it doesn't happen again.

How to Tell if Your WordPress Site is Infected

Malware isn't always obvious. Sure, sometimes your site redirects to viagra ads, but sophisticated infections hide in the shadows. Here are the red flags to watch for:

  • Google Search Console warnings - Check your GSC dashboard for security issues. Google's pretty good at catching malware.
  • Antivirus alerts - Visitors complaining their antivirus blocks your site? That's a bad sign.
  • Strange admin users - New administrator accounts you didn't create are a dead giveaway.
  • Modified core files - WordPress core files with recent modification dates (when you haven't updated).
  • Weird files in uploads - PHP files in your /wp-content/uploads/ folder. Images don't need PHP.
  • Slow performance - Crypto miners and spam bots eat server resources.
  • Outbound spam - Your host suspended you for sending spam? Your site's probably compromised.

The tricky part? Some malware only activates for certain visitors. It might show clean pages to you (the logged-in admin) while serving malware to everyone else. This is called "conditional malware" and it's specifically designed to avoid detection.

Before You Start: Critical First Steps

Hold up. Before you start deleting files or changing passwords, you need to preserve evidence and protect yourself from making things worse.

1. Take Your Site Offline (Maybe)

This is a judgment call. If you're serving malware to visitors or sending spam, take the site offline immediately. Use a maintenance mode plugin, or add rules to your .htaccess file that show a maintenance page to everyone except you.

If it's a minor infection (like hidden spam links), you might keep the site live while you work. Just depends on the severity and your comfort level.

2. Backup Everything

I know it seems counterintuitive to back up an infected site, but you need a snapshot of the infection. Sometimes you'll accidentally delete something important during cleanup, and you'll need to reference the infected version.

Create a full backup including:

  • All files (WordPress core, themes, plugins, uploads)
  • Complete database export
  • .htaccess file (malware loves hiding here)
  • Any custom configuration files

Label this backup clearly as "INFECTED - DO NOT RESTORE" so you don't accidentally reinfect yourself later.

3. Check Your Hosting Environment

If you're on shared hosting, the infection might have spread to other sites in your account. Check all your domains. Also verify your hosting account hasn't been compromised - hackers sometimes add new domains or databases to your account for their own use.

This is where quality hosting matters. Our cloud hosting includes Imunify360 which catches most malware before it can execute, but no system is perfect.

Finding the Infection: Where Malware Hides

Malware has favorite hiding spots. Here's where to look first:

Theme Files

Check your active theme's functions.php file first. Then look for:

  • New PHP files that don't belong to the original theme
  • Legitimate theme files with recent modification dates
  • Encoded or obfuscated code (base64_decode, eval, gzinflate)

Plugin Directories

Inactive plugins are prime targets because you're less likely to notice changes. Outdated plugins are especially vulnerable.

Look for:

  • Plugins you don't recognize
  • Legitimate plugins with extra files added
  • Recently modified plugin files

WordPress Core Files

Compare your core files against fresh WordPress files from wordpress.org. These files should NEVER be modified:

  • wp-config.php (except for your database credentials and salts)
  • index.php
  • wp-load.php
  • wp-settings.php
  • .htaccess (except for legitimate permalinks and caching rules)

Uploads Directory

The uploads folder should only contain media files. Be suspicious of:

  • PHP files (any .php extension)
  • Executable files (.exe, .sh, .cgi)
  • Hidden files (starting with a dot)
  • Files in weird directories like /uploads/2019/.temp/

Database Infections

Modern malware often hides in your database. Check for:

  • Suspicious admin users
  • Modified siteurl or home options
  • Encoded content in posts/pages (especially base64 strings)
  • Malicious code in theme options or widget areas
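
A first pass over the hiding spots above can be scripted. The following is an added example, not code from the article: it walks a site root and reports PHP or hidden entries under wp-content/uploads, core files with a recent modification time, files writable by other users, and the base64_decode / eval / gzinflate markers. The fixture it builds in a temporary directory is constructed so the script runs offline; the standard layout (wp-admin, wp-includes, wp-content/uploads) is assumed.

```python
"""Filesystem triage for the hiding spots listed in the article.

Added example, not from the article. build_fixture() creates a constructed
fake site in a temporary directory; point triage() at a real document root
(standard layout assumed) to use it on an actual site.
"""
import os
import re
import stat
import tempfile
import time
from pathlib import Path

# Extensions that have no business inside wp-content/uploads.
EXECUTABLE_EXT = {".php", ".phtml", ".php5", ".phar", ".exe", ".sh", ".cgi"}
# Files whose contents are worth searching for obfuscation markers.
SOURCE_EXT = {".php", ".phtml", ".js", ".html"}
OBFUSCATION_RE = re.compile(rb"base64_decode\s*\(|\beval\s*\(|gzinflate\s*\(", re.I)
CORE_DIRS = ("wp-admin", "wp-includes")


def triage(root, recent_days=7, now=None):
    """Return a sorted list of (reason, relative_path) findings for a site root."""
    root = Path(root)
    cutoff = (time.time() if now is None else now) - recent_days * 86400
    findings = set()
    for dirpath, dirnames, filenames in os.walk(root):
        for name in dirnames + filenames:
            path = Path(dirpath) / name
            parts = path.relative_to(root).parts
            rel = "/".join(parts)
            in_uploads = parts[:2] == ("wp-content", "uploads")
            # Hidden entries under uploads (e.g. uploads/2019/.temp/). A .htaccess that
            # blocks PHP execution there is a common legitimate exception.
            if in_uploads and name.startswith(".") and name != ".htaccess":
                findings.add(("hidden-in-uploads", rel))
            if path.is_dir():
                continue
            st = path.stat()
            if in_uploads and path.suffix.lower() in EXECUTABLE_EXT:
                findings.add(("executable-in-uploads", rel))
            # Core files only change during an update; a fresh mtime is suspect.
            if parts[0] in CORE_DIRS and st.st_mtime > cutoff:
                findings.add(("core-recently-modified", rel))
            # Group- or world-writable files break the 644 expectation. Directories are
            # not checked here because their mode depends on the creating umask.
            if stat.S_IMODE(st.st_mode) & 0o022:
                findings.add(("writable-by-others", rel))
            if path.suffix.lower() in SOURCE_EXT or name == ".htaccess":
                with open(path, "rb") as fh:
                    if OBFUSCATION_RE.search(fh.read()):
                        findings.add(("obfuscation-marker", rel))
    return sorted(findings)


def build_fixture(now=None):
    """Construct a fake site root (temporary directory) with clean and suspicious files."""
    now = time.time() if now is None else now
    root = Path(tempfile.mkdtemp(prefix="wp-triage-"))
    old = now - 60 * 86400  # "untouched since the last update"

    def put(rel, data, mtime=old, mode=0o644):
        p = root / rel
        p.parent.mkdir(parents=True, exist_ok=True)
        p.write_bytes(data)
        os.chmod(p, mode)
        os.utime(p, (mtime, mtime))

    put("wp-includes/version.php", b"<?php\n$wp_version = '0.0';\n")
    put("wp-includes/load.php", b"<?php\n// clean core file touched recently\n", mtime=now - 3600)
    put("wp-content/uploads/2024/01/photo.jpg", b"\xff\xd8\xff\xe0")
    put("wp-content/uploads/2024/01/shell.php", b"<?php eval(base64_decode('...'));\n")
    put("wp-content/uploads/2019/.temp/drop.php", b"<?php echo 'x';\n")
    put("wp-content/themes/mytheme/functions.php",
        b"<?php eval(gzinflate(base64_decode('...')));\n", mode=0o666)
    return root


if __name__ == "__main__":
    for reason, rel in triage(build_fixture()):
        print(f"{reason:24} {rel}")
```

Every finding needs a human look: backup plugins legitimately drop PHP into uploads, and a marker hit in a minified JavaScript library is usually noise. The value is in getting a short list to review instead of thousands of files.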

Cleaning Your Infected WordPress Site

Now for the actual cleanup. This isn't a quick process - budget at least 2-4 hours for a thorough cleaning.

Step 1: Replace Core WordPress Files

Download a fresh copy of WordPress (same version you're running) from wordpress.org. Delete these directories on your server and replace with fresh copies:

  • /wp-admin/
  • /wp-includes/

Also replace all files in your root directory EXCEPT wp-config.php. This instantly removes any malware hiding in core files.

Step 2: Reinstall Themes and Plugins

For themes and plugins from wordpress.org or reputable marketplaces:

  1. Note your current versions
  2. Delete the plugin/theme folders entirely
  3. Reinstall fresh copies from the original source

For premium themes/plugins, download fresh copies from where you purchased them. If you can't access the original source, you'll need to manually inspect each file for malware.

Step 3: Clean the Database

Database cleanup requires precision. One wrong move can break your site.

First, remove suspicious admin users. Check your user list and delete any administrators you don't recognize. The malware probably created these for backdoor access.

Next, search for common malware signatures in your database:

  • base64_decode
  • eval(
  • String.fromCharCode
  • document.write(unescape

Export your database and search the SQL file with a text editor. When you find malicious code, carefully remove just the bad parts while preserving your actual content.
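
Searching the export by hand works, but a dump of any size puts a whole table on one line, so a text editor's "line 4" is not much of a location. The following is an added example, not code from the article: it reports line and column for each signature above, lists every user whose wp_capabilities grants administrator (so you can diff against the accounts you created), and pulls out siteurl and home. The dump is a constructed fragment in mysqldump's extended-INSERT style with the default wp_ table prefix assumed.

```python
"""Scan a SQL export for malware signatures, administrator accounts and URL options.

Added example, not from the article. DUMP is a constructed fragment, not data
from a real site; the default wp_ table prefix is assumed.
"""
import re

SIGNATURES = ("base64_decode", "eval(", "String.fromCharCode", "document.write(unescape")

# wp_usermeta rows are (umeta_id, user_id, meta_key, meta_value).
CAPABILITY_RE = re.compile(
    r"\(\s*\d+\s*,\s*(\d+)\s*,\s*'wp_capabilities'\s*,\s*'([^']*)'\s*\)")
# wp_options rows are (option_id, option_name, option_value, autoload).
URL_OPTION_RE = re.compile(r"'(siteurl|home)'\s*,\s*'([^']*)'")


def find_signatures(dump_text):
    """Return (line_no, column, signature) for every occurrence of a marker."""
    hits = []
    for line_no, line in enumerate(dump_text.splitlines(), 1):
        for sig in SIGNATURES:
            start = 0
            while (col := line.find(sig, start)) != -1:
                hits.append((line_no, col + 1, sig))
                start = col + len(sig)
    return hits


def administrator_ids(dump_text):
    """User IDs whose serialized wp_capabilities value grants the administrator role."""
    return sorted({int(uid) for uid, caps in CAPABILITY_RE.findall(dump_text)
                   if "administrator" in caps})


def unexpected_admins(dump_text, known_ids):
    """Administrators that are not on the list of accounts you created yourself."""
    return [uid for uid in administrator_ids(dump_text) if uid not in known_ids]


def url_options(dump_text):
    """siteurl/home values: a changed scheme or host here is a redirect injection."""
    return dict(URL_OPTION_RE.findall(dump_text))


DUMP = r"""-- constructed sample, not a real export
INSERT INTO `wp_options` VALUES (1,'siteurl','https://example.com','yes'),(2,'home','https://example.com','yes');
INSERT INTO `wp_usermeta` VALUES (10,1,'wp_capabilities','a:1:{s:13:\"administrator\";b:1;}'),(11,2,'wp_capabilities','a:1:{s:6:\"editor\";b:1;}'),(12,7,'wp_capabilities','a:1:{s:13:\"administrator\";b:1;}');
INSERT INTO `wp_posts` VALUES (5,1,'<p>Hello world</p><script>document.write(unescape(\'%3Cscript%3E\'))</script>','publish'),(6,1,'<p>A normal post.</p>','publish');
"""

if __name__ == "__main__":
    print("signature hits:", find_signatures(DUMP))
    print("administrators:", administrator_ids(DUMP))
    print("unexpected:", unexpected_admins(DUMP, known_ids={1}))
    print("url options:", url_options(DUMP))
```

In the sample, user 7 is an administrator nobody created, and post 5 carries an encoded script. The column numbers are what you jump to in the editor before removing only the injected part of the row.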

Step 4: Clean Uploaded Files

Manually review your uploads directory. Delete any PHP files unless you're 100% certain they belong (some backup plugins legitimately store PHP files here).

For a large media library, you can use command line tools to find suspicious files, but be careful with automated tools - they sometimes flag legitimate files.

Step 5: Update Everything

Once you've cleaned the infection, immediately update:

  • WordPress to the latest version
  • All themes (delete unused ones)
  • All plugins (delete inactive ones)
  • PHP version if you're running anything older than 8.0

Post-Cleanup Security Hardening

Cleaning malware without fixing the security hole is like bailing water from a boat without patching the leak. The hackers will be back.

Change All Passwords

Every. Single. Password. This includes:

  • WordPress admin accounts
  • FTP/SFTP accounts
  • Hosting control panel
  • Database users
  • Email accounts associated with the site

Use a password manager to generate strong, unique passwords. And while you're at it, enable two-factor authentication on your WordPress admin accounts.

Regenerate WordPress Salts

WordPress salts help encrypt passwords and cookies. If hackers accessed your wp-config.php file, they have your salts. Generate new ones from the official WordPress salt generator and update your wp-config.php file.
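
Rotating the salts can be scripted so none of the old values survive. The following is an added example, not code from the article or from WordPress: it generates the eight values locally with Python's secrets module instead of fetching them from the official generator, and assumes the defines use single quotes as in wp-config-sample.php. The sample config is constructed.

```python
"""Replace the eight WordPress salt constants in wp-config.php with fresh values.

Added example, not from the article or WordPress. Values are generated locally
with the secrets module; single-quoted define() lines are assumed.
"""
import re
import secrets
import string
from pathlib import Path

SALT_KEYS = ("AUTH_KEY", "SECURE_AUTH_KEY", "LOGGED_IN_KEY", "NONCE_KEY",
             "AUTH_SALT", "SECURE_AUTH_SALT", "LOGGED_IN_SALT", "NONCE_SALT")
# Printable characters minus the two PHP treats specially inside single quotes.
ALPHABET = "".join(c for c in string.ascii_letters + string.digits + string.punctuation
                   if c not in "'\\")
DEFINE_RE = re.compile(r"define\(\s*'(" + "|".join(SALT_KEYS) + r")'\s*,\s*'([^']*)'\s*\)\s*;")


def new_salt(length=64):
    """One 64-character random value from a cryptographically secure source."""
    return "".join(secrets.choice(ALPHABET) for _ in range(length))


def salt_values(config_text):
    """Map each salt constant found in the config to its current value."""
    return dict(DEFINE_RE.findall(config_text))


def rotate_salts(config_text):
    """Return (new_text, missing_keys): every recognised define gets a fresh value."""
    seen = set()

    def replace(match):
        seen.add(match.group(1))
        return "define('%s', '%s');" % (match.group(1), new_salt())

    new_text = DEFINE_RE.sub(replace, config_text)
    return new_text, sorted(set(SALT_KEYS) - seen)


def rotate_file(config_path, backup_dir):
    """Rewrite wp-config.php in place. backup_dir must be OUTSIDE the web root: a copy
    such as wp-config.php.bak left inside it is served as plain text, credentials included."""
    config_path, backup_dir = Path(config_path), Path(backup_dir)
    old_text = config_path.read_text(encoding="utf-8")
    new_text, missing = rotate_salts(old_text)
    (backup_dir / (config_path.name + ".before-salt-rotation")).write_text(old_text, encoding="utf-8")
    config_path.write_text(new_text, encoding="utf-8")
    return missing


# Constructed sample with the placeholder values wp-config-sample.php ships with.
SAMPLE_CONFIG = """<?php
define( 'DB_NAME', 'wordpress' );
define( 'AUTH_KEY',         'put your unique phrase here' );
define( 'SECURE_AUTH_KEY',  'put your unique phrase here' );
define( 'LOGGED_IN_KEY',    'put your unique phrase here' );
define( 'NONCE_KEY',        'put your unique phrase here' );
define( 'AUTH_SALT',        'put your unique phrase here' );
define( 'SECURE_AUTH_SALT', 'put your unique phrase here' );
define( 'LOGGED_IN_SALT',   'put your unique phrase here' );
define( 'NONCE_SALT',       'put your unique phrase here' );
$table_prefix = 'wp_';
"""

if __name__ == "__main__":
    rotated, missing = rotate_salts(SAMPLE_CONFIG)
    print(rotated)
    print("not found in config:", missing)
```

A non-empty missing list means a define was written in a form the pattern does not recognise (double quotes, for instance), and that constant still carries the old value. Rotating the salts also logs every user out, which after a compromise is exactly what you want.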

Audit User Permissions

Most users don't need administrator access. Downgrade permissions where possible:

  • Content creators: Editor or Author role
  • Customer support: Shop Manager (for WooCommerce)
  • Clients who "just want to look": Subscriber

Implement Security Headers

Add security headers to prevent common attacks. These go in your .htaccess file or server configuration. Key headers include:

  • X-Content-Type-Options
  • X-Frame-Options
  • X-XSS-Protection
  • Content-Security-Policy
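
Once the headers are configured, verify them from the outside rather than trusting the config file. The following is an added example, not code from the article: it parses a captured response (what `curl -sI https://your-site.example/` prints; the hostname is a placeholder) and reports which of the four headers are absent and which are present but set to a value that does not protect. Both responses below are constructed.

```python
"""Audit a captured HTTP response for the four security headers in the article.

Added example, not from the article. BEFORE and AFTER are constructed responses.
"""


def _csp_ok(value):
    # A policy only does something if it restricts sources or framing.
    lowered = value.lower()
    return any(directive in lowered for directive in ("default-src", "script-src", "frame-ancestors"))


# Header name -> check that its value actually provides protection.
EXPECTED = {
    "x-content-type-options": lambda v: v.strip().lower() == "nosniff",
    "x-frame-options": lambda v: v.strip().upper() in ("DENY", "SAMEORIGIN"),
    # Legacy header: current browsers ignore it, so it must at least not be set to 0.
    "x-xss-protection": lambda v: v.strip().startswith("1"),
    "content-security-policy": _csp_ok,
}


def parse_headers(raw):
    """Parse 'status line + headers' text into a dict keyed by lower-cased name."""
    lines = raw.replace("\r\n", "\n").split("\n")
    headers = {}
    for line in lines[1:]:
        if not line.strip():
            break  # blank line ends the header block
        name, sep, value = line.partition(":")
        if not sep:
            continue
        key, value = name.strip().lower(), value.strip()
        headers[key] = f"{headers[key]}, {value}" if key in headers else value
    return headers


def audit(raw):
    """Return (missing, weak): names absent, and names present with a non-protective value."""
    headers = parse_headers(raw)
    missing = sorted(name for name in EXPECTED if name not in headers)
    weak = sorted(name for name, ok in EXPECTED.items()
                  if name in headers and not ok(headers[name]))
    return missing, weak


BEFORE = """HTTP/1.1 200 OK
Server: Apache
Content-Type: text/html; charset=UTF-8
X-Frame-Options: ALLOW-FROM https://example.invalid
X-XSS-Protection: 0

<!doctype html>"""

AFTER = """HTTP/1.1 200 OK
Server: Apache
Content-Type: text/html; charset=UTF-8
X-Content-Type-Options: nosniff
X-Frame-Options: SAMEORIGIN
X-XSS-Protection: 1; mode=block
Content-Security-Policy: default-src 'self'; frame-ancestors 'self'

<!doctype html>"""

if __name__ == "__main__":
    print("before hardening:", audit(BEFORE))
    print("after hardening:", audit(AFTER))
```

Run it against the site's front page and the login page separately; caching layers and plugins sometimes strip or replace headers on one but not the other. Treat a restrictive Content-Security-Policy as a project of its own: WordPress themes and plugins lean on inline scripts, so start in report-only mode and tighten from there.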

Set Up Monitoring

You need to know immediately if you're hacked again. Set up:

  • Google Search Console for malware warnings
  • Uptime monitoring to alert you if the site goes down
  • File integrity monitoring to detect changed files
  • Security plugin scans (run weekly at minimum)
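
File integrity monitoring is a hash baseline plus a diff, and the same code does the core-file comparison from the "WordPress Core Files" section: for that, the baseline is a fresh copy of the same WordPress version unpacked locally; for monitoring, it is the tree right after cleanup. The following is an added example, not code from the article or from WordPress (WP-CLI's `wp core verify-checksums` does the core part against published checksums). The site tree it uses is a constructed fixture in a temporary directory.

```python
"""Hash baseline and diff for a WordPress tree.

Added example, not from the article or WordPress. demo() builds a constructed
fixture in a temporary directory, snapshots it, then simulates what a later
scan sees after an intrusion.
"""
import hashlib
import json
import os
import tempfile
from pathlib import Path


def hash_tree(root, skip_dirs=()):
    """Map relative path -> SHA-256 for every file under root.

    skip_dirs holds relative directories to leave out, e.g. ("wp-content/uploads",
    "wp-content/cache") when comparing against a fresh core download."""
    root = Path(root)
    manifest = {}
    for dirpath, dirnames, filenames in os.walk(root):
        rel_dir = Path(dirpath).relative_to(root).as_posix()
        if rel_dir in skip_dirs:
            dirnames[:] = []  # do not descend
            continue
        for name in filenames:
            path = Path(dirpath) / name
            digest = hashlib.sha256()
            with open(path, "rb") as fh:
                for chunk in iter(lambda: fh.read(1 << 16), b""):
                    digest.update(chunk)
            manifest[path.relative_to(root).as_posix()] = digest.hexdigest()
    return manifest


def compare(baseline, current):
    """Return (added, removed, modified) relative paths, each sorted."""
    added = sorted(set(current) - set(baseline))
    removed = sorted(set(baseline) - set(current))
    modified = sorted(p for p in baseline if p in current and baseline[p] != current[p])
    return added, removed, modified


def save_manifest(manifest, path):
    """Store the baseline somewhere the web server cannot serve it."""
    Path(path).write_text(json.dumps(manifest, indent=1, sort_keys=True), encoding="utf-8")


def load_manifest(path):
    return json.loads(Path(path).read_text(encoding="utf-8"))


def demo():
    root = Path(tempfile.mkdtemp(prefix="wp-fim-"))
    clean = {
        "index.php": b"<?php require __DIR__ . '/wp-blog-header.php';\n",
        "readme.html": b"<html>readme</html>\n",
        "wp-includes/load.php": b"<?php // core\n",
        "wp-content/uploads/2024/01/photo.jpg": b"\xff\xd8\xff\xe0",
    }
    for rel, data in clean.items():
        (root / rel).parent.mkdir(parents=True, exist_ok=True)
        (root / rel).write_bytes(data)
    baseline = hash_tree(root)  # snapshot taken right after cleanup
    # Simulated intrusion: core file edited, PHP dropped in uploads, a file deleted.
    (root / "wp-includes/load.php").write_bytes(b"<?php // core\n// appended\n")
    (root / "wp-content/uploads/2024/01/x.php").write_bytes(b"<?php\n")
    (root / "readme.html").unlink()
    return compare(baseline, hash_tree(root))


if __name__ == "__main__":
    added, removed, modified = demo()
    print("added:   ", added)
    print("removed: ", removed)
    print("modified:", modified)
```

Schedule the comparison from cron and alert on any non-empty result. After a legitimate update, regenerate the baseline right away, otherwise the next run drowns real changes in expected ones. Keep the manifest outside the document root; an attacker who can edit files can also edit a baseline stored beside them.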

When to Call in the Pros

Sometimes DIY cleanup isn't the best option. Consider professional help if:

  • The infection keeps coming back after cleaning
  • You're dealing with a high-traffic ecommerce site
  • You found malware on multiple sites in your hosting account
  • The site contains sensitive customer data (especially relevant for law firms or sites handling payment information)
  • You're not comfortable working with databases or server files

Professional cleanup typically runs several hundred to a few thousand dollars depending on infection severity. But compared to reputation damage from serving malware, it's often worth it.

Our WordPress maintenance plans include malware cleanup if you ever need it, plus proactive security measures to prevent infections in the first place.

Preventing Future Infections

The best malware removal is preventing infection entirely. Here's your ongoing security checklist:

Weekly Tasks

  • Check for WordPress, theme, and plugin updates
  • Review user accounts for suspicious additions
  • Run a security scan
  • Check Google Search Console for warnings

Monthly Tasks

  • Full site backup (test the restore process quarterly)
  • Review installed plugins - remove any you're not actively using
  • Check file permissions (directories: 755, files: 644)
  • Review security plugin logs for blocked attacks

Quarterly Tasks

  • Security audit of user permissions
  • Update PHP version if needed
  • Review and update security headers
  • Test your backup restoration process

Common Malware Types and Their Signatures

Different malware types leave different fingerprints. Recognizing these helps you clean more effectively:

SEO Spam

Injects hidden links to sketchy sites (pharma, casinos, essays). Look for:

  • display:none CSS in your theme
  • Links with position:absolute pushed off-screen
  • Conditional code that only shows spam to search engines

Backdoors

Gives hackers ongoing access after you've cleaned other malware. Common signatures:

  • Files named like WordPress core but in wrong locations
  • Base64 encoded PHP that decodes to file upload forms
  • Code accepting POST parameters without authentication

Malicious Redirects

Sends visitors to malware or phishing sites. Check for:

  • JavaScript redirects in theme files
  • .htaccess rules redirecting specific user agents
  • Database entries with encoded redirect scripts

Cryptocurrency Miners

Uses visitor browsers to mine cryptocurrency. Signs include:

  • Coinhive or similar mining scripts
  • High CPU usage complaints from visitors
  • JavaScript that runs WebAssembly code
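
The fingerprints above translate into a small classifier you can run over a suspicious file or database row to get a first verdict. The following is an added example, not code from the article: the pattern set is a starting point rather than a complete list, and on top of the plain text matches it decodes any string literal passed to base64_decode and classifies the payload as well, which is how a backdoor "that decodes to a file upload form" gets caught. All samples are constructed; example.invalid is a reserved name that never resolves.

```python
"""Classify a snippet by malware family using the article's fingerprints.

Added example, not from the article. Patterns are a starting set; SAMPLES are
constructed. Base64 literals handed to base64_decode() are decoded and
classified too, up to three layers deep.
"""
import base64
import re

FAMILIES = {
    "seo-spam": [
        r"display\s*:\s*none",
        r"position\s*:\s*absolute[^>\"']*?(left|top)\s*:\s*-\d{3,}",  # pushed off-screen
        r"HTTP_USER_AGENT[^\n]*?(googlebot|bingbot|slurp)",           # cloaking for crawlers
    ],
    "backdoor": [
        r"\b(eval|assert|system|passthru|shell_exec)\s*\([^;]*\$_(POST|GET|REQUEST|COOKIE)\b",
        r"move_uploaded_file\s*\(",
        r"<form[^>]*multipart/form-data|<input[^>]*type\s*=\s*['\"]?file",  # upload form
    ],
    "redirect": [
        r"(window|document|top)\.location(\.href)?\s*=[^=]",
        r"RewriteCond\s+%\{HTTP_USER_AGENT\}",
        r"header\s*\(\s*['\"]Location\s*:",
    ],
    "miner": [
        r"coin-?hive|cryptonight|coinimp|jsecoin",
        r"WebAssembly\.(instantiate|compile)(Streaming)?\s*\(",
    ],
}
COMPILED = {fam: [re.compile(p, re.I) for p in pats] for fam, pats in FAMILIES.items()}
B64_LITERAL = re.compile(r"base64_decode\s*\(\s*['\"]([A-Za-z0-9+/=\s]{16,})['\"]")


def decoded_payloads(text):
    """Decode every string literal handed to base64_decode(); invalid ones are skipped."""
    payloads = []
    for match in B64_LITERAL.finditer(text):
        try:
            raw = base64.b64decode(re.sub(r"\s+", "", match.group(1)), validate=True)
        except ValueError:
            continue
        payloads.append(raw.decode("utf-8", "replace"))
    return payloads


def classify(text, depth=0):
    """Return sorted (family, evidence) pairs for the text and its decoded base64 layers."""
    hits = set()
    for fam, pats in COMPILED.items():
        for pat in pats:
            if pat.search(text):
                hits.add((fam, pat.pattern))
    if depth < 3:
        for payload in decoded_payloads(text):
            for fam, evidence in classify(payload, depth + 1):
                hits.add((fam, "decoded base64 -> " + evidence))
    return sorted(hits)


def families(text):
    """Just the family names, for a quick verdict."""
    return sorted({fam for fam, _ in classify(text)})


UPLOAD_FORM = b'<form method="post" enctype="multipart/form-data"><input type="file" name="f"></form>'
SAMPLES = {
    "seo": '<div style="position:absolute;left:-9999px"><a href="https://example.invalid/">text</a></div>',
    "backdoor": "<?php eval(base64_decode('%s'));" % base64.b64encode(UPLOAD_FORM).decode(),
    "redirect-js": '<script>window.location.href="https://example.invalid/";</script>',
    "redirect-htaccess": "RewriteCond %{HTTP_USER_AGENT} (iphone|android) [NC]\n"
                         "RewriteRule ^ https://example.invalid/ [R=302,L]",
    "miner": '<script src="https://example.invalid/coinhive.min.js"></script>',
    "clean": "<?php add_action('init', 'my_theme_setup');",
}

if __name__ == "__main__":
    for label, snippet in SAMPLES.items():
        print(f"{label:18} {families(snippet)}")
```

A verdict here tells you which section of the article to work through, not that the file is definitely malicious: a theme that legitimately sets window.location on a form submit will trip the redirect rule. The decoded-payload evidence is the useful part, since it is the layer a plain grep never sees.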

Special Considerations for Canadian Sites

Running a Canadian website adds some unique considerations to malware cleanup:

If you're collecting personal information from Canadians, a breach might trigger PIPEDA notification requirements. Document your cleanup process carefully in case you need to prove what data was potentially accessed.

For bilingual sites, malware often targets just one language version. Check both English and French versions of your pages, especially if you're using a multilingual plugin.

This article was written with the help of AI and reviewed by the Ambrite team. Pricing, features, and technical details may change — always verify with official sources before making decisions.


Photo by Pavel Danilyuk on Pexels
