WordPress Malware Removal: Step by Step

Your WordPress site is acting weird. Maybe it's redirecting to sketchy pharmaceutical sites, or Google just slapped you with a malware warning. Don't panic — I've cleaned hundreds of infected WordPress sites, and I'm going to walk you through exactly how to fix yours.

Before we dive in, here's the reality: malware removal can be complex. If your site generates revenue or contains sensitive data, consider hiring a professional. But if you're technical and have time, this guide will show you how to do it yourself.

Before You Start: Critical First Steps

Stop everything and do these three things right now:

  1. Take your site offline or enable maintenance mode. Every minute your infected site stays live, you're potentially infecting visitors or leaking data.
  2. Change all passwords immediately. WordPress admin, hosting account, database, FTP — everything. Use a password manager and generate new, complex passwords.
  3. Back up your infected site. Yes, back up the infected version. You might need it for forensics or to recover clean files later.

One more thing: if you're on cheap shared hosting, you're fighting an uphill battle. Reinfections are common when neighboring sites on the same server are compromised. This is one reason we use isolated cloud hosting with Imunify360 protection.

Step 1: Confirm You're Actually Infected

Not every weird behavior means malware. Before you tear your site apart, confirm the infection. Here are the telltale signs:

  • Google Search Console shows security warnings
  • Your site redirects to unrelated websites (especially on mobile)
  • Strange PHP files in your WordPress directories
  • New admin users you didn't create
  • Modified .htaccess or wp-config.php files
  • Visitors report antivirus warnings

For a deeper dive on identifying infections, check out our guide on how to tell if your WordPress site is hacked.

Step 2: Identify the Infection Type

Different malware requires different removal approaches. Here are the most common types I see in 2026:

Backdoor Scripts

These create hidden access points for hackers to return even after you clean the site. Look for PHP files with encoded content (base64_decode, eval, gzinflate functions) in unexpected places.

SEO Spam Injections

Invisible to you but visible to search engines. Your site might rank for viagra or casino keywords. Check your site's Google results using "site:yourdomain.com" to spot unusual pages.

Malicious Redirects

JavaScript or PHP code that sends visitors (especially mobile users) to scam sites. Often hidden in theme files or the database.

Cryptominers

JavaScript that uses visitor browsers to mine cryptocurrency. Slows down visitor devices and kills your reputation.

Step 3: Scan and Document Everything

Free scanning tools can find obvious infections, but they miss sophisticated malware. Here's a scanning strategy that actually works:

  1. Use multiple scanners. Each tool catches different things. Sucuri SiteCheck, VirusTotal, and Quttera offer free scans.
  2. Scan your local backup too. This helps identify when the infection started.
  3. Document everything. Screenshot infected files, note modification dates, save scan results. You'll need this if you file insurance claims or need to explain the breach to customers.

Pro tip: Scanners often miss database infections. You'll need to check manually (covered in Step 5).

Step 4: Clean Your Files

Now for the actual cleanup. This is where most people mess up by taking shortcuts.

The Nuclear Option (Recommended)

Delete everything except wp-content/uploads and rebuild from clean sources. Because uploads is the one directory that survives, scan it for stray PHP files afterwards, and copy your database settings out of wp-config.php before you delete it:

  1. Download fresh copies of WordPress core files from WordPress.org
  2. Download clean copies of your themes and plugins from original sources
  3. Delete all WordPress files except wp-content/uploads
  4. Upload the fresh files
  5. Reinstall themes and plugins from clean sources

This method guarantees clean files but takes time. It's worth it.

The Surgical Option (Risky)

If you absolutely can't rebuild, you'll need to clean files individually:

  • Compare file modification dates — anything changed recently is suspect
  • Search for common malware patterns (eval, base64_decode, assert)
  • Check all .htaccess files (not just the root)
  • Examine index.php files in every directory

Warning: This method often misses hidden infections. Reinfection rates are high.
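The checks in the surgical list can be scripted so nothing is overlooked. This is an added triage helper, not code from the article; the 30-day window, the pattern list and the fixture tree it builds for a stand-alone run are assumptions, and it only reports, never deletes.

```shell
#!/bin/sh
# Added triage helper for the "surgical" cleanup above; not part of the
# article. It lists recently modified files, files calling the
# obfuscation functions the article names, and every .htaccess and
# index.php for manual review. It changes nothing. The 30-day window,
# the pattern list and the fixture tree are assumptions.

PATTERNS='eval\(|base64_decode\(|gzinflate\(|assert\('

# Files under $1 modified within the last ${2:-30} days.
recent_files() {
    find "$1" -type f -mtime "-${2:-30}" | sort
}

# PHP and .htaccess files under $1 containing one of PATTERNS.
# grep -l prints each matching path once; unreadable files are skipped.
suspicious_files() {
    find "$1" -type f \( -name '*.php' -o -name '.htaccess' \) -print0 \
        | xargs -0 grep -lE "$PATTERNS" 2>/dev/null | sort
}

# Every .htaccess and index.php under $1, not just the web root.
review_list() {
    find "$1" -type f \( -name '.htaccess' -o -name 'index.php' \) | sort
}

# Constructed stand-in for a WordPress tree (inert strings, not malware):
# one old clean file, one fresh clean file, one fresh file with
# eval(base64_decode(...)) and a nested .htaccess.
make_fixture() {
    d=$(mktemp -d)
    mkdir -p "$d/wp-content/uploads/2024"
    printf '<?php\n// placeholder index\n' > "$d/wp-content/index.php"
    touch -t 202001010000 "$d/wp-content/index.php"
    printf '<?php\necho "clean";\n' > "$d/wp-content/clean.php"
    printf '<?php\neval(base64_decode("ZWNobyAxOw=="));\n' \
        > "$d/wp-content/uploads/2024/x.php"
    printf 'RewriteEngine On\n' > "$d/wp-content/uploads/.htaccess"
    printf '%s\n' "$d"
}

target=${1:-$(make_fixture)}
echo "== modified in the last 30 days =="; recent_files "$target"
echo "== obfuscation patterns =="; suspicious_files "$target"
echo "== every .htaccess and index.php =="; review_list "$target"
```

Run it with the site's document root as the only argument; without one it runs against the constructed fixture.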

Step 5: Clean Your Database

Malware loves databases. Here's where to look:

Common Database Infection Points

  • wp_options table: Check option_value fields for encoded scripts
  • wp_posts table: Look for spam posts with weird publish dates (often years in the future)
  • wp_users table: Find and remove unauthorized admin accounts
  • Widget areas: Text widgets often contain malicious JavaScript

Search your database for these red flags:

  • <script tags where they shouldn't be
  • base64 encoded strings
  • iframe tags pointing to external sites
  • eval( functions

Use phpMyAdmin or WP-CLI to search. Replace infected content with clean versions from your backup.
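One offline way to run these searches is against a database export (for example the file written by `wp db export`) rather than the live tables. This is an added example, not code from the article; the pattern list, the "long base64 run" heuristic (noisy on hashes and URLs) and the constructed sample rows are assumptions.

```shell
#!/bin/sh
# Added example, not from the article: greps a database export for the
# red flags listed above and reports which table each hit came from.
# Work on the export, never on the live database. Pattern list, the
# "long base64 run" heuristic and the sample rows are assumptions.

# Print "table<TAB>pattern" once per table/pattern pair found in INSERT rows.
flag_dump() {
    for pat in '<script' '<iframe' 'eval\(' 'base64_decode' '[A-Za-z0-9+/]{60,}={0,2}'; do
        grep -E '^INSERT INTO' "$1" | grep -iE "$pat" | cut -d' ' -f3 | tr -d '`' \
            | while read -r table; do printf '%s\t%s\n' "$table" "$pat"; done
    done | sort -u
}

# Datetime literals in wp_posts rows whose year is later than the current
# one; spam posts are often scheduled years ahead.
future_dates() {
    year=$(date +%Y)
    grep -E '^INSERT INTO `?wp_posts`?' "$1" \
        | grep -oE "'[0-9]{4}-[0-9]{2}-[0-9]{2} [0-9:]{8}'" \
        | awk -v y="$year" '{ if (substr($0, 2, 4) + 0 > y + 0) print }' | sort -u
}

# Constructed sample export with inert strings (not real malware).
make_dump() {
    f=$(mktemp)
    cat > "$f" <<'EOF'
-- constructed sample, mysqldump style
INSERT INTO `wp_options` VALUES (1,'siteurl','https://example.com','yes');
INSERT INTO `wp_options` VALUES (2,'widget_text','<script src="https://cdn.example.invalid/x.js"></script>','yes');
INSERT INTO `wp_options` VALUES (3,'_transient_x','eval(base64_decode("ZWNobyAxOw=="));','no');
INSERT INTO `wp_options` VALUES (4,'_transient_y','AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA','no');
INSERT INTO `wp_posts` VALUES (10,1,'2024-03-01 09:00:00','2024-03-01 09:00:00','Hello world','Hello','publish');
INSERT INTO `wp_posts` VALUES (11,1,'2031-05-01 10:00:00','2031-05-01 10:00:00','<iframe src="https://spam.example.invalid"></iframe>','Buy now','publish');
EOF
    printf '%s\n' "$f"
}

dump=${1:-$(make_dump)}
echo "== red flags by table =="; flag_dump "$dump"
echo "== future-dated wp_posts rows =="; future_dates "$dump"
```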

Step 6: Harden Your Site

Cleaning malware without fixing vulnerabilities is like mopping with a leaky roof. Here's your hardening checklist:

Immediate Hardening Steps

  1. Update everything. WordPress core, themes, plugins, PHP version. Outdated plugins are the #1 infection vector.
  2. Delete unused themes and plugins. Inactive doesn't mean safe — if it's installed, it's a potential vulnerability.
  3. Implement two-factor authentication. See our guide on setting up 2FA for WordPress.
  4. Change security keys. Add fresh keys to wp-config.php (WordPress.org provides a generator).
  5. Restrict file permissions. Directories should be 755, files should be 644.

Advanced Hardening

  • Disable file editing in wp-config.php
  • Move wp-config.php above the web root
  • Implement a Web Application Firewall (WAF)
  • Disable XML-RPC if not needed
  • Limit login attempts
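The permission rule from the immediate checklist and the file-editing and wp-config.php location items above can be audited in one pass. This is an added example, not the article's code; the fixture tree it builds for a stand-alone run is constructed, and the script only reports, never changes modes.

```shell
#!/bin/sh
# Added audit helper for the hardening checklist; not part of the article.
# Reports directories not 755 and files not 644, and checks whether
# wp-config.php (in the web root or one level above, where WordPress also
# looks) disables the built-in file editor. The fixture is constructed.

# Paths under $1 whose mode deviates from the article's 755/644 rule.
# wp-config.php is exempt: it is usually kept tighter (600/640) on purpose.
perm_deviations() {
    {
        find "$1" -type d ! -perm 755 | sed 's/^/dir  /'
        find "$1" -type f ! -name wp-config.php ! -perm 644 | sed 's/^/file /'
    } | sort
}

# Locate wp-config.php for the site rooted at $1: in the root, or one
# directory above it.
config_path() {
    if [ -f "$1/wp-config.php" ]; then printf '%s\n' "$1/wp-config.php"
    elif [ -f "$1/../wp-config.php" ]; then printf '%s\n' "$1/../wp-config.php"
    else return 1
    fi
}

# Succeeds only if an uncommented define sets DISALLOW_FILE_EDIT to true.
file_edit_disabled() {
    cfg=$(config_path "$1") || return 1
    grep -Eq "^[[:space:]]*define[[:space:]]*\([[:space:]]*['\"]DISALLOW_FILE_EDIT['\"][[:space:]]*,[[:space:]]*true[[:space:]]*\)" "$cfg"
}

# Constructed fixture: correct modes everywhere except a world-writable
# uploads directory and a 666 file inside it; wp-config.php is 640.
make_fixture() {
    d=$(mktemp -d)
    mkdir -p "$d/wp-content/uploads" "$d/wp-content/plugins/demo"
    printf '<?php\n' > "$d/wp-content/plugins/demo/demo.php"
    printf 'img\n' > "$d/wp-content/uploads/x.jpg"
    printf "<?php\ndefine( 'DISALLOW_FILE_EDIT', true );\n" > "$d/wp-config.php"
    find "$d" -type d -exec chmod 755 {} +
    find "$d" -type f -exec chmod 644 {} +
    chmod 777 "$d/wp-content/uploads"
    chmod 666 "$d/wp-content/uploads/x.jpg"
    chmod 640 "$d/wp-config.php"
    printf '%s\n' "$d"
}

target=${1:-$(make_fixture)}
echo "== mode deviations from 755/644 =="; perm_deviations "$target"
file_edit_disabled "$target" && echo "DISALLOW_FILE_EDIT: true" || echo "DISALLOW_FILE_EDIT: not set"
```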

Step 7: Monitor for Reinfection

Here's the harsh truth: 68% of cleaned sites get reinfected within 6 months. Why? Because they stop monitoring after cleanup.

Set up these monitoring systems:

  1. File integrity monitoring: Get alerts when core files change unexpectedly
  2. Uptime monitoring: Detect if your site starts redirecting
  3. Security plugin logs: Review weekly for suspicious activity
  4. Google Search Console: Watch for security warnings

This is exactly what our WordPress maintenance plans include — continuous monitoring catches reinfections early.

Special Considerations for Canadian Sites

If you're running a Canadian business site, you have extra cleanup responsibilities:

Privacy Breach Notification

Under PIPEDA, if the malware accessed customer data, you might need to notify affected individuals and report to the Privacy Commissioner. This is especially critical for healthcare and legal sites.

Payment Data

If you process payments through your site, immediately notify your payment processor. They'll guide you through PCI compliance requirements for breach response.

When to Call Professionals

Be honest about your limits. Call professionals if:

  • You store sensitive customer data (health records, legal documents, payment info)
  • The infection returns after cleaning
  • You can't afford downtime for trial and error
  • You find rootkits or server-level infections
  • Multiple sites on your hosting account are infected

Professional cleanup typically runs $500-2000 CAD depending on infection severity. Compare that to lost revenue and reputation damage from a botched DIY cleanup.

Preventing Future Infections

After spending hours cleaning malware, you never want to repeat the experience. Here's how to stay clean:

Technical Prevention

  • Automate updates for minor releases
  • Use a staging site for testing major updates
  • Implement a WAF (Cloudflare, Sucuri, or Wordfence)
  • Regular malware scans (weekly minimum)
  • Daily automated backups stored off-site

Process Prevention

  • Limit admin access to essential personnel
  • Audit user permissions quarterly
  • Train staff on security best practices
  • Document all site changes
  • Review security logs weekly

The Hidden Costs of Malware

Beyond cleanup time, malware carries serious business costs:

  • SEO penalties: Google blacklisting can take months to recover from
  • Legal liability: Especially for law firms and healthcare sites
  • Customer trust: One malware warning can destroy years of reputation building
  • Compliance fines: PIPEDA violations can result in significant penalties

Recovery Timeline

Set realistic expectations for recovery:

  • Day 1-2: Malware removal and hardening
  • Day 3-7: Monitor for reinfection, submit review requests to Google
  • Week 2-4: Google blacklist removal (if applicable)
  • Month 2-3: SEO rankings begin recovering
  • Month 3-6: Full reputation recovery

Final Thoughts

Malware removal is stressful, time-consuming, and often frustrating. But with methodical cleanup and proper hardening, you can recover fully. The key is being thorough — shortcuts during cleanup almost always lead to reinfection.

Remember: prevention is infinitely easier than cleanup. Invest in quality hosting, maintain your site properly, and monitor continuously. Your future self will thank you.

Need help? Our team has cleaned hundreds of infected WordPress sites for Canadian businesses. Contact us for professional malware removal or to discuss prevention through our maintenance plans.

Quick Tip: Bookmark this guide now. If you ever face malware, you won't want to search for help while panicking. Having a plan ready makes all the difference.

This article was written with the help of AI and reviewed by the Ambrite team. Pricing, features, and technical details may change — always verify with official sources before making decisions.
