WordPress Malware Cleanup: Step-by-Step Guide
Cleaning malware from a WordPress site is straightforward when you know what to look for, and disastrous when you don’t. The single biggest mistake is partial cleanup — removing visible infected files while leaving the backdoor that put them there, which produces a reinfection within days. This guide covers the working process, the specific cases where DIY is the right move, and where it isn’t.
Before You Do Anything
1. Take the site offline if possible. A maintenance-mode plugin or a .htaccess redirect to a static “we’re working on it” page prevents the malware from infecting visitors while you clean. Google Safe Browsing and Chrome will flag your site if it’s actively serving malware to users.
2. Change all passwords now. Hosting control panel, FTP, SFTP, MySQL, WordPress admin, and any third-party services with API keys stored in the site. Assume the attacker has these.
3. Document what you find. Screenshots, file paths, timestamps. If the attack is severe enough to involve insurance, customer notification, or law enforcement, the documentation matters later.
4. Make a forensic backup. A full snapshot of the compromised site, stored separately. Don’t restore from this; just keep it as evidence and as a reference when something seems off later.
The Step-by-Step Cleanup
Step 1: Identify the infection.
Run a malware scanner. Free options that work:
- Wordfence (plugin) — comprehensive, includes file integrity check against WordPress.org versions.
- Sucuri SiteCheck (online tool) — external scan, catches anything served to visitors.
- Hosting-provided scanner if available — many hosts run their own scans and may have already flagged things.
The scanner output should list specific files flagged as infected, suspicious files that don’t belong, and any modified core files.
Step 2: Compare against a clean WordPress install.
Download a fresh copy of WordPress matching your installed version from wordpress.org. Compare the /wp-admin/, /wp-includes/, and root / files to your site’s files. Any extra files in the core directories are suspicious. Any modified core files are infected.
For themes and plugins, do the same: download fresh copies from the source and diff against what’s on your site.
Step 3: Remove obvious infection vectors.
In priority order:
- Replace all WordPress core files with fresh copies from wordpress.org (don’t replace
wp-config.phpor the/wp-content/directory). - Replace all theme files with fresh downloads from the theme author. If you have customizations, reapply them from your own records.
- Replace all plugin files with fresh downloads from the WordPress.org repository.
- Delete any plugins or themes that aren’t from a verifiable source — nulled (pirated) plugins and themes are the #1 source of WordPress malware.
Step 4: Hunt for backdoors.
This is the step most DIY cleanups skip. The attacker installed something that lets them regain access even after you remove the visible malware. Common locations:
/wp-content/uploads/— should contain only media files. Any.phpfile in uploads is almost certainly malicious./wp-content/mu-plugins/— “must-use” plugins that run automatically. Often used as a hiding spot.- Modified
.htaccessfiles in unexpected locations. - Hidden admin users — check Users → All Users and remove any account you don’t recognize.
- Modified scheduled tasks — check
wp_optionsforcronand look for unfamiliar hooks. - Database-injected malware — search the
wp_poststable fortags with external src URLs in post content.
The Sucuri "Hacked Site Cleanup" documentation and Wordfence's "Malware Cleanup" guide both have more comprehensive checklists. Read at least one of them before declaring the site clean.
Step 5: Force all user passwords to reset.
Even if you cleaned the database, any user could have had their password compromised. Force a reset for all users. For sites with WooCommerce customers, decide whether to communicate (the legal threshold varies by jurisdiction and what data was potentially exposed).
Step 6: Re-scan.
Run the same scanner from Step 1 again. The site should come back clean. If it doesn't, the infection isn't fully removed — repeat the previous steps.
Step 7: Re-secure.
- Install or verify a security plugin (Wordfence, Sucuri).
- Enable two-factor authentication for all admin accounts.
- Implement file integrity monitoring going forward.
- Review user roles and remove unused admin accounts.
- Set up regular backups stored off-server.
Step 8: Resubmit to Google Safe Browsing.
If your site was flagged by Google, after cleanup you need to request a review through Google Search Console → Security Issues. Until you do, browsers will continue showing the warning.
When DIY Cleanup Fails
The patterns where DIY consistently leaves the site reinfected:
- Database-injected JavaScript. Cleaning files isn't enough; the database itself contains malware that re-injects itself into pages on load. Requires identifying the specific injected content and removing it from
wp_posts,wp_options, and sometimes other tables. - Modified core files in non-obvious locations. WordPress core has hundreds of files; checking each one against a clean install by hand is tedious and easy to skip.
- Persistent backdoors via cron jobs. Even after cleanup, the cron-scheduled malicious script re-creates the infection. You have to find and remove the cron entry, not just the file it triggers.
- Server-level infection. If multiple sites on a shared host are infected, the issue may be at the server level, not just one site. Cleanup of one site without addressing the root cause produces immediate reinfection.
If you've cleaned the site twice and it keeps coming back, the cleanup is incomplete. At that point a professional service is the right call.
When to Call a Professional From the Start
- The site processes payment or customer data and the cleanup needs to be defensible.
- The site is on a managed host that suspended you for the infection — you need to get back online quickly.
- You've already tried DIY cleanup and the infection returned.
- The infection includes credit card skimming code (Magecart-style) — these require very careful removal and a security audit afterward.
- You don't have the time and the site is generating revenue right now.
Synergetic's Security & Malware Cleanup service is the productized cleanup option: fixed price, work begins after a paid diagnostic confirms the scope, and includes both removal and hardening to prevent immediate reinfection. The Services page lists current pricing and what's included.
After the Cleanup: Prevent the Next One
Cleanup without prevention guarantees a repeat. The defensive layer:
- Monthly malware scans (Wordfence, Sucuri).
- File integrity monitoring (alerts on unexpected file changes).
- Plugin and theme updates on a weekly cadence — most WordPress hacks exploit known vulnerabilities in outdated plugins.
- Limit admin accounts and require 2FA on all of them.
- Backups stored off-server with verified restorability.
- Avoid nulled plugins and themes entirely.
A WordPress care plan handles the monitoring and update layer continuously. For sites already through one infection, the math on preventive monitoring vs another cleanup cycle is usually obvious.
For more on identifying infection before it gets severe, see Signs Your WordPress Site Has Been Hacked.
