WordPress Malware Removal: The Complete Step-by-Step Recovery Guide for 2026

WordPress malware removal is one of the most stressful situations a website owner can face. Your site is redirecting visitors to spam pages, Google is showing security warnings, your hosting provider is threatening to shut you down, and every hour the infection persists means more damage to your business reputation and revenue.

At WP Support Lab, our Team to the Rescue handles WordPress malware emergencies every week. This guide walks you through the complete recovery process, from detecting the infection to cleaning every trace of malicious code to hardening your site so it does not happen again.

How to Know If Your WordPress Site Has Malware

Malware infections are not always obvious. Some run silently for weeks, stealing data or using your server resources without any visible symptoms. Here are the most common signs that indicate your site has been compromised.

Browser or Google warnings are the most visible sign. If visitors see a red screen saying “Deceptive site ahead” or “This site may harm your computer,” Google has already detected malware on your site. Check Google Search Console for Security Issues alerts; this confirms the infection and shows which pages are affected.

Unexpected redirects that send your visitors to spam sites, pharmaceutical pages, or gambling sites indicate a redirect injection, one of the most common WordPress malware types. These redirects often only trigger for new visitors or mobile users, making them hard to detect if you visit your own site regularly.

Unknown admin accounts appearing in your WordPress dashboard mean an attacker has created backdoor access. Check Users → All Users immediately for any accounts you did not create.

Modified files that you did not change are another sign, especially in wp-includes, wp-admin, or your theme files. Malware often injects code at the top or bottom of PHP files, particularly functions.php, wp-config.php, and index.php.

Unusual server behavior includes sudden spikes in CPU usage, excessive outbound email (your server sending spam), or your hosting provider contacting you about Terms of Service violations.

SEO spam injected into your pages takes the form of hidden links or content visible only to search engines. Check Google by searching site:yourdomain.com and looking for pages or titles you did not create, especially related to pharmaceuticals, gambling, or counterfeit products.

Step 1: Contain the Infection

Before cleaning anything, prevent the malware from causing further damage.

Take the site offline by enabling maintenance mode or temporarily password-protecting the entire site through your hosting panel. This protects visitors from being exposed to malware and prevents search engines from crawling infected pages.

Change all passwords immediately: WordPress admin, database, FTP/SFTP, hosting control panel, and any connected service accounts. Use a password manager to generate unique 20+ character passwords for each. If the attacker has your credentials, changing them locks them out even if backdoors exist.

Revoke all active sessions in WordPress by going to Users → your profile → Log Out Everywhere Else. This forces any attacker currently logged into your dashboard to re-authenticate with the new password.

Step 2: Identify the Infection

Understanding what type of malware you are dealing with determines the cleanup approach.

Run a comprehensive malware scan using Wordfence, MalCare, or Sucuri SiteCheck. These tools scan every file against known malware signatures and detect suspicious code patterns. Pay attention to the scan results: they tell you which files are infected and what type of malware was found.

Check file modification dates via FTP or your hosting file manager. Sort files by date modified and look for files changed on dates when you did not make any updates. Malware typically modifies multiple files on the same date when the initial infection occurs.

Review the database for injected content. Malware frequently injects malicious JavaScript into the wp_posts table (your page and post content) and the wp_options table (your site settings). Search for suspicious strings like eval(, base64_decode(, iframe src=, and unfamiliar URLs.
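The file-level checks from this step, as an added shell example (not WP Support Lab's own tooling): it lists files modified in the last N days and PHP files containing the eval( and base64_decode( strings, and also lists PHP files under wp-content/uploads, which Step 3 treats as almost certainly malicious. The function names and the sample tree are constructed for illustration.

```shell
#!/bin/sh
# Added example: read-only triage helpers for a WordPress document root.

# PHP-like files under wp-content/uploads, which should hold media only.
php_in_uploads() {
    find "$1/wp-content/uploads" -type f \
        \( -name '*.php' -o -name '*.phtml' -o -name '*.phar' \) | sort
}

# PHP files containing eval( or base64_decode(. Hits are leads for manual
# review: legitimate plugins use these functions too.
suspicious_php() {
    find "$1" -type f -name '*.php' \
        -exec grep -lE 'eval[[:space:]]*\(|base64_decode[[:space:]]*\(' {} + | sort
}

# Files modified within the last N days, to correlate with your own updates.
modified_within() {
    find "$1" -type f -mtime "-$2" | sort
}

# Constructed sample tree (not from a real site) so the helpers run offline.
make_sample_site() {
    d=$(mktemp -d)
    mkdir -p "$d/wp-content/uploads/2026/01" "$d/wp-content/themes/demo"
    printf '<?php eval(base64_decode("ZWNobyAxOw=="));\n' \
        > "$d/wp-content/uploads/2026/01/a8f3k.php"
    printf 'binary image data\n' > "$d/wp-content/uploads/2026/01/photo.jpg"
    printf '<?php // untouched theme file\n' > "$d/wp-content/themes/demo/functions.php"
    # Backdate the legitimate files so only the dropped file looks recent.
    touch -t 202001010000 "$d/wp-content/uploads/2026/01/photo.jpg" \
        "$d/wp-content/themes/demo/functions.php"
    echo "$d"
}

# Usage: sh triage.sh /path/to/docroot [days]
if [ -n "${1:-}" ]; then
    echo "== PHP in uploads ==";          php_in_uploads "$1"
    echo "== eval/base64_decode hits =="; suspicious_php "$1"
    echo "== modified in last ${2:-14} days =="; modified_within "$1" "${2:-14}"
fi
```

Modification times can be reset by an attacker, so an empty "recently modified" list does not clear a site on its own.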

Step 3: Clean the Malware

This is where professional expertise matters most. Incomplete cleanup is the primary reason sites get re-infected within days.

Replace WordPress core files by downloading a fresh copy of your exact WordPress version from wordpress.org and replacing all files in wp-admin and wp-includes directories. Do not replace wp-content (that contains your themes, plugins, and uploads).

Clean or replace plugins by comparing each plugin’s files against the original from the WordPress repository or the developer’s site. Any file that differs from the original contains injected code. For widely-used plugins, it is often faster to delete and reinstall from scratch.

Clean theme files carefully, especially functions.php, header.php, footer.php, and index.php. If you are using a child theme, compare every file against the parent theme original. Look for code blocks that are obfuscated with base64 encoding or contain eval() functions; these are almost always malicious.

Clean the database by searching for and removing injected content in wp_posts and wp_options. This requires careful SQL queries, because removing the wrong content can break your site. If you find malicious JavaScript injected into hundreds of posts, a targeted search-and-replace query is needed rather than manual editing.

Remove backdoors. This is the step most DIY cleanups miss. Attackers almost always install hidden backdoor files that let them regain access even after you clean the visible malware. Common backdoor locations include files with random names in wp-content/uploads, modified .htaccess files, files disguised as legitimate WordPress files but in wrong directories, and code injected into wp-config.php above the database credentials.

Check the uploads directory thoroughly. The wp-content/uploads folder should contain only media files (images, PDFs, videos). Any PHP file in this directory is almost certainly malicious and should be deleted.
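The comparison against original core and plugin files described in this step, as an added shell example (not the authors' tooling): it reports files that differ from a clean copy of the same version and files the clean copy does not ship. The function names and the sample plugin trees are constructed for illustration.

```shell
#!/bin/sh
# Added example: diff an installed tree against a clean copy of the same version.

# Prints "MODIFIED <path>" for files whose bytes differ from the reference and
# "EXTRA <path>" for files the reference does not ship (candidate backdoors).
# Use it on wp-admin, wp-includes or a single plugin directory, not on
# wp-content/uploads, where every file is "extra" by design.
compare_with_clean() {
    installed=$1
    clean=$2
    ( cd "$installed" && find . -type f | sort ) | while IFS= read -r f; do
        if [ ! -f "$clean/$f" ]; then
            echo "EXTRA ${f#./}"
        elif ! cmp -s "$installed/$f" "$clean/$f"; then
            echo "MODIFIED ${f#./}"
        fi
    done
}

# Constructed sample: a clean plugin copy and an installed copy with one
# injected line and one dropped file.
make_sample_pair() {
    base=$(mktemp -d)
    mkdir -p "$base/clean/inc" "$base/installed/inc"
    printf '<?php // plugin main\n' > "$base/clean/plugin.php"
    printf '<?php // helpers\n' > "$base/clean/inc/helpers.php"
    cp "$base/clean/plugin.php" "$base/installed/plugin.php"
    printf '<?php /* injected */ // helpers\n' > "$base/installed/inc/helpers.php"
    printf '<?php // dropped file\n' > "$base/installed/inc/class-cache.php"
    echo "$base"
}

# Usage: sh compare.sh /path/to/installed-dir /path/to/clean-dir
if [ -n "${2:-}" ]; then
    compare_with_clean "$1" "$2"
fi
```

Where WP-CLI is installed, `wp core verify-checksums` and `wp plugin verify-checksums --all` run the same kind of check against the checksums published by WordPress.org.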

Step 4: Verify the Cleanup

After cleaning, verify that all malware has been removed before bringing the site back online.

Run another full scan with your security plugin. The scan should come back clean with zero detections. If it still finds malware, you missed something, so go back to Step 3.

Check the site manually by visiting key pages, testing forms, verifying WooCommerce checkout (if applicable), and checking that no redirects occur. Test from a different device and network than your usual ones, as some malware targets only new visitors.

Verify with external scanners using Sucuri SiteCheck, VirusTotal, and Google Safe Browsing to confirm the site is clean from an external perspective.

Step 5: Harden Your Site Against Re-Infection

Cleaning the malware solves the immediate problem. Hardening prevents it from happening again.

Update everything: WordPress core, every plugin, and every theme to the latest version. The vulnerability that allowed the initial infection is likely in an outdated component.

Install a Web Application Firewall with real-time threat intelligence. The firewall blocks known attack patterns before they reach your WordPress installation.

Enable file integrity monitoring so any future unauthorized file changes trigger an immediate alert. This catches re-infection attempts within minutes rather than weeks.

Implement daily automated backups stored offsite with at least 30 days of history. If malware does get through again, you can restore to a clean backup quickly.

Set correct file permissions: directories at 755, files at 644, and wp-config.php at 440 or 400. Disable PHP execution in the uploads directory.
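The permission targets above, as an added shell example (not the authors' tooling) that applies them and then audits for drift. It assumes Apache 2.4 with .htaccess overrides enabled for the uploads rule; the function names and the sample tree are constructed for illustration.

```shell
#!/bin/sh
# Added example: apply and audit the permissions listed in the guide.

harden_permissions() {
    root=$1
    # Assumption: Apache 2.4 with .htaccess overrides enabled.
    cat > "$root/wp-content/uploads/.htaccess" <<'EOF'
<FilesMatch "\.(php|phtml|phar)$">
    Require all denied
</FilesMatch>
EOF
    find "$root" -type d -exec chmod 755 {} +
    find "$root" -type f -exec chmod 644 {} +
    # 440 needs the PHP process to be the file's owner or in its group.
    chmod 440 "$root/wp-config.php"
}

# Lists anything that deviates from the targets; empty output means compliant.
audit_permissions() {
    root=$1
    find "$root" -type d ! -perm 755
    find "$root" -type f ! -name wp-config.php ! -perm 644
    find "$root/wp-config.php" ! -perm 440 ! -perm 400
    [ -f "$root/wp-content/uploads/.htaccess" ] || echo "missing uploads/.htaccess"
}

# Constructed sample tree with deliberately loose modes.
make_loose_site() {
    d=$(mktemp -d)
    mkdir -p "$d/wp-content/uploads"
    printf '<?php // constructed placeholder config\n' > "$d/wp-config.php"
    printf 'image bytes\n' > "$d/wp-content/uploads/photo.jpg"
    chmod 777 "$d/wp-content/uploads"
    chmod 666 "$d/wp-config.php" "$d/wp-content/uploads/photo.jpg"
    echo "$d"
}

# Usage: sh perms.sh /path/to/docroot   (audit only; call harden_permissions to apply)
if [ -n "${1:-}" ]; then
    audit_permissions "$1"
fi
```

On nginx the .htaccess file has no effect, so the equivalent deny rule belongs in the server configuration instead.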

Step 6: Request Review from Google

If Google flagged your site with a security warning, you need to request a review after cleaning the malware.

Go to Google Search Console → Security Issues → Request Review. Describe what happened, what you cleaned, and what security measures you implemented. Google typically reviews within 1-3 business days. If the review passes, the security warning is removed from search results.

When to Call Professionals

DIY malware removal works for simple infections caught early. But many infections are complex: multiple backdoors, database injections, cross-site contamination on shared hosting, or infections that persist after multiple cleanup attempts.

Our Team to the Rescue handles WordPress malware emergencies with typical resolution within 24-72 hours. We identify every trace of infection, clean all files and database entries, close the vulnerability that allowed entry, install enterprise-grade protection, and monitor for re-infection for 30 days after cleanup.

For ongoing protection that prevents malware in the first place, our maintenance plans include daily malware scanning, Web Application Firewall, automated updates, and verified backups, starting at $59/month.

Frequently Asked Questions

How much does WordPress malware removal cost?
Professional malware removal typically costs $500-$5,000 depending on infection severity and site complexity. Ongoing maintenance plans that include malware protection and removal start at $59/month, significantly more cost-effective than emergency cleanup.

How long does malware removal take?
Simple infections can be cleaned in 2-4 hours. Complex infections with database injection and multiple backdoors may take 24-72 hours. Our Team to the Rescue prioritizes all emergency requests and keeps you updated throughout the process.

Can malware come back after removal?
Yes, if the original vulnerability is not patched and backdoors are not completely removed. Professional removal includes identifying the entry point, patching the vulnerability, removing all backdoors, and implementing ongoing monitoring to catch any re-infection attempts.

Will I lose my Google rankings after a malware infection?
Temporarily, yes. Google may show security warnings and reduce your rankings while the infection is active. After cleanup and a successful Google review, rankings typically recover within 2-4 weeks. The faster you clean the infection, the less impact on your long-term SEO.
