WordPress Malware Removal: Complete Guide
By WP Vanguard Team
Your WordPress site is infected. Maybe your host suspended your account, visitors are getting redirected to scam pages, or your security scanner found malicious code. Whatever tipped you off, you need to act fast.
This guide walks through the full malware removal process, from identifying what you are dealing with to verifying the cleanup is complete.
Before You Start
Back up your site first. Even a hacked backup is better than no backup. If something goes wrong during cleanup, you need a fallback. Use wp db export via WP-CLI or download a full backup from your hosting control panel.
Do not just reinstall WordPress and hope for the best. Malware typically lives in plugin files, theme files, the uploads directory, and the database. A fresh WordPress install only replaces core files and misses most infections.
Step 1: Identify the Type of Infection
Different malware requires different cleanup approaches. Here are the most common types found in WordPress sites:
Backdoors
Hidden PHP files that give attackers remote access. They often look like legitimate WordPress files with names like wp-xmlrpc.php, class-wp-cache.php, or sunrise.php. Inside, you will find obfuscated code using functions like base64_decode, gzinflate, str_rot13, and preg_replace with the /e modifier to execute encoded payloads.
Web Shells
Full-featured admin panels uploaded by attackers. They provide file management, database access, and command execution through a browser interface. Common filenames include c99.php, r57.php, wso.php, or random names like cache_2f8a.php.
SEO Spam Injections
Thousands of spam pages injected into your database targeting pharmaceutical, gambling, or Japanese keywords. These pages are often invisible to logged-in admins but show up in Google search results.
Malicious Redirects
Code that sends your visitors to scam sites, but only under certain conditions: mobile users, visitors from search engines, or first-time visitors. This makes it hard to reproduce when you check your own site.
Cryptominers
JavaScript injected into your pages that uses your visitors' CPU to mine cryptocurrency. Your site slows down, visitors' fans spin up, and you get the blame.
Step 2: Scan Everything
A thorough scan is the difference between a clean site and one that gets reinfected next week.
External scan: Run a free surface scan at WP Vanguard to check for blacklisting, known vulnerabilities, and visible malware.
Server-level scan: The $1 deep scan examines every file on your server via SSH. It checks:
- File integrity against known clean versions of WordPress core, plugins, and themes
- PHP files in uploads directories (these should never exist)
- Obfuscated code patterns across all directories
- Database injections in posts, pages, options, and user tables
- Suspicious user accounts and application passwords
- Modified .htaccess files and cron jobs
Keep the scan results open. You will reference them throughout the cleanup.
Step 3: Clean the Files
Work through these in order:
3a. Reinstall WordPress Core
Download a fresh copy of your WordPress version and replace all core files. Do not touch wp-content or wp-config.php. Run wp core download --force --skip-content via WP-CLI to replace any modified core files with clean originals.
3b. Check wp-config.php
Open wp-config.php and look for anything that should not be there. Legitimate wp-config.php contains database credentials, salts, table prefix, debug settings, and ABSPATH. Anything else is suspicious.
Watch for:
require_onceorincludestatements loading unknown files- Obfuscated function calls (encoded strings being decoded and executed)
- Unfamiliar
define()constants - Code before the opening
<?phptag or after the closing section
3c. Clean wp-content
This is where most malware lives.
Plugins: Delete all plugins and reinstall them from wordpress.org or the vendor. Do not try to clean infected plugin files manually. A fresh copy is always safer. Use wp plugin delete followed by wp plugin install for each plugin.
Themes: Same approach. Delete and reinstall. If you have a custom theme, compare every file against your version control or a known clean backup.
Uploads: Scan wp-content/uploads/ for PHP files. There should never be PHP files in your uploads directory. Delete any PHP files found. Also check for files with double extensions like image.jpg.php or suspicious names like wp-tmp.php.
mu-plugins: Check wp-content/mu-plugins/. Must-use plugins load automatically on every page. Attackers use this directory because the plugins cannot be deactivated from the admin panel.
3d. Check for Hidden Files
Look for recently modified PHP files (last 7 days), hidden .htaccess files in subdirectories, and files with 777 permissions. All of these are common indicators of compromise.
All the shell commands and database queries for this guide are available in well-commented gists:
Step 4: Clean the Database
File cleanup is not enough. Many infections store payloads in the database.
4a. Check wp_options
Look for encoded payloads, injected scripts, and iframes in the options table. Also verify that siteurl and home values are correct. Attackers sometimes change these to redirect your entire site.
4b. Check wp_posts
Search for injected scripts, iframes, and hidden elements in your post content. For SEO spam, look for published posts created by user accounts you did not create.
4c. Check wp_users
Look for user accounts created in the last 30 days that you do not recognize. Delete any admin accounts you did not create.
All the SQL queries for these checks are available with detailed comments in our database inspection gist.
Step 5: Reset Credentials
After cleanup, reset everything:
- All WordPress user passwords - especially admins
- Database password - update in wp-config.php
- FTP/SSH passwords and keys
- Hosting control panel password
- Security salts - generate new ones at api.wordpress.org/secret-key/1.1/salt/
Step 6: Verify the Cleanup
Run another scan to confirm the site is clean. The same scan that found the malware should now come back clean.
Check these manually:
- Visit your site as a logged-out user
- Visit from a mobile device (mobile-only redirects are common)
- Search
site:yourdomain.comin Google and look for spam pages - Check Google Search Console for security warnings
When to Call for Help
DIY cleanup works for simple infections. But if you are dealing with:
- Persistent reinfection (malware keeps coming back)
- Obfuscated code you cannot decipher
- Database injections mixed with legitimate content
- Multiple backdoors across many directories
The WP Vanguard cleanup service handles the full process for $49. First cleanup is free. The team has cleaned thousands of WordPress sites and knows where attackers hide payloads that DIY methods miss.
Preventing Reinfection
Cleanup means nothing if you do not close the door.
- Update everything immediately and keep it updated going forward
- Remove unused plugins and themes - every inactive plugin is still an attack surface
- Use strong, unique passwords with two-factor authentication
- Scan regularly - a monthly free scan catches new vulnerabilities before attackers find them
- Keep backups - daily database backups and weekly full-site backups stored off-server
The majority of reinfections happen because the original entry point was never identified and closed. Know how you were hacked, fix that specific issue, and your risk drops dramatically.
Related reading
Check Your WordPress Site Security
Free scan, no login required. Find vulnerabilities before attackers do.
Scan Your Site FreeGet weekly WordPress security tips
Vulnerability alerts, plugin updates, and security guides. No spam. Unsubscribe any time.