
WordPress is one of the most popular website management systems in use worldwide. According to W3Techs, it powers 34% of all websites on the internet. WordPress’ popularity is partly due to the sheer number of plugins and templates available that can do almost anything on a website.

That wide range of functionalities also brings vulnerabilities. Hackers often access the code and infect WordPress sites with malware, just as they can place malware on a router.

Malware can infect and destroy your site, so it is important to act quickly to remove malware from your WordPress site.

Please contact your web host first

Please check with your hosting company first before trying any of the suggestions below. It is possible that the host server, especially if you are on a shared server, is spreading malicious code from another site to yours.

Ask them to run a scan of their server to make sure it isn’t the culprit before trying to remove the malware from your own site. In addition, they can offer less technical website owners suggestions on how to safely scan and remove malware from their site.

Some hosts also offer a service where they remove the malware for you. Back up your site afterwards, which reduces the risk of the malware being carried over into your backup.

Web hosts have the expertise, tools, and options to deal with malware, so check with them before trying it yourself.

Take preventive measures

It is always better to try to prevent threats before they happen. The most crucial action that users should take is to ensure that they are always running the latest stable version of WordPress, even if they are only installing a test version on their own computers.

Newer versions are usually released to fix common vulnerabilities in earlier versions. The same goes for plugins and themes. Keep them up to date and delete the ones you don’t use.

Some of the many negative issues that malware can cause on a WordPress site include:

  • Increased consumption of web and MySQL server resources.
  • Unwanted advertising.
  • Spam email sent in bulk.
  • Theft of personal data from customers and users.
  • Loss of information from your site.
  • Google penalties.

What can you do if your website is infected or hacked? In this article, we describe the steps you can take to remove malware from a WordPress site.

Use WordPress Malware Removal Plugins

If you can log in and access your WP admin area, you may not need to reload your entire site. Using a suitable WordPress plugin can help remove malware from your WordPress website.

MalCare Security

MalCare is a premium plugin that immediately removes malware from your WP installation. Not only will it clean up a hacked site, but it will also protect against future security breaches.

One of the many benefits of MalCare is that it scans your site on its own servers. Your website will not be taxed and will continue to run smoothly.

There are four pricing tiers from $99/year for one site (Personal) to a Custom Agency Plus plan for more than 20 sites.

MalCare is a comprehensive WP security plugin that includes many additional features such as:

  • Real-time email alerts.
  • Keeping track of minor file changes.
  • Minimizing false alarms.


WordFence

One of the most widely used WP security plugins is WordFence. It includes a malware scanner and an endpoint firewall.

From protection against brute force attacks to firewall blocks, the free version of WordFence is powerful enough for smaller websites.

If you want additional features like two-factor authentication, leaked password protection, and advanced manual blocking, you can purchase a premium license. Pricing is based on the number of licenses you purchase, starting at $99 for one.

All in One WP Security & Firewall

One of the free security plugins with the most features is All in One WP Security & Firewall. It provides a simple visual interface using gauges and graphs.

The plugin is designed for beginners and more advanced developers with its three categories: basic, intermediate and advanced.

All in One WP Security protects websites by:

  • Securing files and databases.
  • Improving user registration security.
  • Blocking brute-force login attempts.

Additional features include the ability to back up the wp-config.php and .htaccess files. Users can also restore these files if something goes wrong on their site.

For a complete list of all WordPress security plugins, visit

If you can’t log in, you may need to reinstall your entire site.

If you are more tech savvy and have a site on your own server, then carefully follow the steps below.

Keep in mind that backing up and deleting your site can be dangerous and should only be attempted by highly technical web owners.

Back up your database and all files

If you are infected and need to remove malware from your WordPress site, it is important to protect your content immediately. Before doing anything, make a full backup of your WordPress site so that you can restore it in case something goes wrong.

Make sure to back up a clean version of your MySQL database and FTP account. There are several ways to back up a site, including through cPanel, phpMyAdmin, and WordPress plugins (such as VaultPress).

It is highly recommended that all WordPress users regularly backup their site. The steps below describe how to manually remove malware from your WordPress site.

Step 1: Examine your files

After you back up your entire WP site, download the backup zip file to your computer. Open it by double clicking on it with the left mouse button. You should see the following files:

  • All core WordPress files.
  • wp-config.php.
  • .htaccess: This is a hidden file and contains the name, username and password for your WordPress database. To make sure you’ve backed up this file, use a code-editing program or an FTP program that allows you to view hidden files. Be sure to check the Show hidden files option.
  • The wp-content folder that contains themes, plugins, and uploads.
  • SQL database.

Step 2: Clear all files and folders from the public_html folder

If you are sure you have a full backup of your website, go to your web hosting file manager.

Find the public_html folder and delete its contents except for the wp-config.php file and the wp-content and cgi-bin directories.

Be sure to check the hidden files as well, including .htaccess, as it can be affected.

If you host multiple sites, you should assume that they are also compromised as cross-contamination is common. Follow the same process for all hosted sites on the same server.

Open the wp-config.php file and compare it with a sample wp-config file. You can find this file in the WP GitHub repository.

Also look through your file for anything suspicious, such as long strings of code. If you’re sure something shouldn’t be there, delete it.
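The comparison described above can be scripted against the copy of wp-config.php in your downloaded backup. This is an added example, not part of the original article; the 100-character threshold, the list of risky calls and both embedded files are assumptions constructed for illustration.

```python
import re

# Runs of base64/hex-like characters this long are rare in a hand-written
# wp-config.php. The threshold is an assumption; WordPress salts are 64 chars
# and contain punctuation, so they stay below it.
OPAQUE_RUN = re.compile(r"[A-Za-z0-9+/=]{100,}")
DEFINE = re.compile(r"""define\(\s*['"]([A-Za-z0-9_]+)['"]""")
# Constructs a stock configuration file has no reason to use (assumed list).
RISKY_CALLS = re.compile(r"\b(eval|base64_decode|gzinflate|str_rot13|assert)\s*\(")


def review_wp_config(config_text, sample_text):
    """Return (line, finding) pairs for wp-config.php compared with the sample."""
    known = set(DEFINE.findall(sample_text))
    findings = []
    for number, line in enumerate(config_text.splitlines(), start=1):
        for name in DEFINE.findall(line):
            if name not in known:
                findings.append((number, "constant not in sample: " + name))
        run = OPAQUE_RUN.search(line)
        if run:
            findings.append((number, "opaque string of %d chars" % len(run.group())))
        call = RISKY_CALLS.search(line)
        if call:
            findings.append((number, "call to " + call.group(1) + "()"))
    return findings


# Constructed inputs: a trimmed sample file and a tampered config.
SAMPLE = """<?php
define( 'DB_NAME', 'database_name_here' );
define( 'DB_USER', 'username_here' );
define( 'DB_PASSWORD', 'password_here' );
define( 'WP_DEBUG', false );
require_once ABSPATH . 'wp-settings.php';
"""
TAMPERED = """<?php
define( 'DB_NAME', 'shop' );
define( 'DB_USER', 'shop_user' );
define( 'DB_PASSWORD', 'example-only' );
define( 'WP_CACHE_KEY', true );
@eval(base64_decode('""" + "QUJD" * 30 + """'));
require_once ABSPATH . 'wp-settings.php';
"""

if __name__ == "__main__":
    for number, message in review_wp_config(TAMPERED, SAMPLE):
        print("line %d: %s" % (number, message))
```

A constant missing from the sample is not proof of infection, since plugins and hosts add their own; treat each finding as a line to read by hand.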

Now go to the wp-content folder and:

  • List all your installed plugins and remove them.
  • Remove all themes, including the ones you are using. You will reinstall them later.
  • Check your upload folder to see if it contains anything you didn’t put there.
  • Remove index.php after you remove all plugins.

Step 3: Install a clean version of WordPress

Navigate to your web host’s control panel and reinstall WordPress in the same folder as its original location.

It will be either in the public_html directory or in a subdirectory if you have WordPress installed on an add-on domain. Use the one-click installer or Quick installation (depending on your hosting company) in your web hosting control panel.

Extract the tar or zip file and upload your files to your server. You need to create a new wp-config.php file and enter the details from your website backup. You just need to enter the database name, password and prefix.

Step 4: Reset Permalinks and Passwords

Log in to your WP site and reset all usernames and passwords. If there are unrecognized users, it means that your database has been compromised.

You can hire a professional to clean your database and remove any malicious code.

To reset permalinks, go to Settings > Permalinks and then click Save Changes. This process repairs the .htaccess file and restores your site URLs so they work. Also reset all hosting account and FTP passwords.

Step 5: Reinstall Theme and Plugins

Do not install old versions of your theme or plugins. Instead, get new downloads from the WordPress repository or the premium plugin developer’s site. Do not use plugins that are no longer supported.

If you have any customizations to your old site theme, look at the backup files you downloaded to your computer and replicate the changes on the new copy.

Step 6: Scan and re-upload your images and documents from your backup

This step can be tedious, but it is necessary. Carefully review your images and uploaded files before copying them back to the new wp-content > uploads folder in the file manager.

Use an up-to-date antivirus program to scan all files to see if they are infected. Upload the clean files back to your server using an FTP client or the file manager. Keep the folder structure the same so you don’t end up with broken links.
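Alongside the antivirus scan, a short script can flag files in the backed-up uploads folder that are not plain media. This is an added example, not part of the original article; the extension list and the constructed sample tree are assumptions, and the script only reports, it does not delete anything.

```python
import os
import tempfile

# Extensions a web server may execute; the list is an assumption and should
# match the handlers configured on your own host.
SCRIPT_EXTENSIONS = {".php", ".phtml", ".phar", ".php5", ".php7", ".cgi", ".pl"}


def review_uploads(uploads_dir):
    """Return {relative_path: reason} for files that should not be restored as-is."""
    flagged = {}
    for folder, _dirs, files in os.walk(uploads_dir):
        for name in files:
            path = os.path.join(folder, name)
            rel = os.path.relpath(path, uploads_dir).replace(os.sep, "/")
            ext = os.path.splitext(name)[1].lower()
            if ext in SCRIPT_EXTENSIONS:
                flagged[rel] = "script extension " + ext
            elif name.startswith(".ht"):
                flagged[rel] = "server config file in uploads"
            else:
                with open(path, "rb") as handle:
                    data = handle.read()
                if b"<?php" in data.lower():
                    flagged[rel] = "PHP code inside " + (ext or "file")
    return flagged


def build_sample_backup(root):
    """Create a constructed uploads tree: two clean files, three suspect ones."""
    files = {
        "2019/08/logo.png": b"\x89PNG\r\n\x1a\n" + b"\x00" * 32,
        "2019/08/price-list.txt": b"Item,Price\nWidget,4.00\n",
        "2019/08/cache.php": b"<?php echo 'constructed'; ?>",
        "2019/09/banner.jpg": b"\xff\xd8\xff\xe0" + b"<?php /* constructed */ ?>",
        "2019/09/.htaccess": b"# constructed\n",
    }
    for rel, data in files.items():
        path = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "wb") as handle:
            handle.write(data)


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_backup(tmp)
        for rel, reason in sorted(review_uploads(tmp).items()):
            print(rel + ": " + reason)
```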

Step 7: Notify Google

If you found out that your site was compromised through a warning from Google, you should let them know that you have removed the malware so they can dismiss the notification on your account.

Go to Google Search Console and sign in if you already have an account. If you don’t, register your website.

Find Security and manual actions in the navigation on the left. Click the drop-down list and select Security issues.

Here you will see a report on the security of your site. Select Request a review and send it to Google.
