WordPress Malware Cleanup: Step-by-Step Guide

[ins_single_breadcrumb]
[ins_single_header]
[ins_single_thumb]

WordPress Malware Cleanup: Step-by-Step Guide

Cleaning malware from a WordPress site is straightforward when you know what to look for, and disastrous when you don’t. The single biggest mistake is partial cleanup — removing visible infected files while leaving the backdoor that put them there, which produces a reinfection within days. This guide covers the working process, the specific cases where DIY is the right move, and where it isn’t.

Before You Do Anything

1. Take the site offline if possible. A maintenance-mode plugin or a .htaccess redirect to a static “we’re working on it” page prevents the malware from infecting visitors while you clean. Google Safe Browsing and Chrome will flag your site if it’s actively serving malware to users.

2. Change all passwords now. Hosting control panel, FTP, SFTP, MySQL, WordPress admin, and any third-party services with API keys stored in the site. Assume the attacker has these.

3. Document what you find. Screenshots, file paths, timestamps. If the attack is severe enough to involve insurance, customer notification, or law enforcement, the documentation matters later.

4. Make a forensic backup. A full snapshot of the compromised site, stored separately. Don’t restore from this; just keep it as evidence and as a reference when something seems off later.

The Step-by-Step Cleanup

Step 1: Identify the infection.

Run a malware scanner. Free options that work:

  • Wordfence (plugin) — comprehensive, includes file integrity check against WordPress.org versions.
  • Sucuri SiteCheck (online tool) — external scan, catches anything served to visitors.
  • Hosting-provided scanner if available — many hosts run their own scans and may have already flagged things.

The scanner output should list specific files flagged as infected, suspicious files that don’t belong, and any modified core files.

Step 2: Compare against a clean WordPress install.

Download a fresh copy of WordPress matching your installed version from wordpress.org. Compare the /wp-admin/, /wp-includes/, and root / files to your site’s files. Any extra files in the core directories are suspicious. Any modified core files are infected.

For themes and plugins, do the same: download fresh copies from the source and diff against what’s on your site.

Step 3: Remove obvious infection vectors.

In priority order:

  • Replace all WordPress core files with fresh copies from wordpress.org (don’t replace wp-config.php or the /wp-content/ directory).
  • Replace all theme files with fresh downloads from the theme author. If you have customizations, reapply them from your own records.
  • Replace all plugin files with fresh downloads from the WordPress.org repository.
  • Delete any plugins or themes that aren’t from a verifiable source — nulled (pirated) plugins and themes are the #1 source of WordPress malware.

Step 4: Hunt for backdoors.

This is the step most DIY cleanups skip. The attacker installed something that lets them regain access even after you remove the visible malware. Common locations:

  • /wp-content/uploads/ — should contain only media files. Any .php file in uploads is almost certainly malicious.
  • /wp-content/mu-plugins/ — “must-use” plugins that run automatically. Often used as a hiding spot.
  • Modified .htaccess files in unexpected locations.
  • Hidden admin users — check Users → All Users and remove any account you don’t recognize.
  • Modified scheduled tasks — check wp_options for cron and look for unfamiliar hooks.
  • Database-injected malware — search the wp_posts table for
    Scroll to Top