WordPress malware removal guide
A step-by-step overview of how to spot WordPress malware, remove infected files, close the entry point, and harden the site afterward.
Malware on a WordPress site can show up as spam links, redirect loops, strange admin users, hacked files, or security warnings from browsers and search engines. Sometimes the site still looks normal to visitors, which makes the infection easy to miss.
A real cleanup needs more than deleting one suspicious file. You have to find what was infected, figure out how the attacker got in, remove the malicious code, and close the hole so it does not come back.
Common signs of infection
- Unexpected redirects to unrelated sites.
- New admin accounts you did not create.
- Spam links or hidden text in posts and pages.
- Warnings from Google Safe Browsing, your browser, or your host.
- Files changing even though nobody on your team edited them.
Immediate first steps
If the site is live and clearly compromised, take a backup first so you have a record of what was there. Then change passwords for WordPress, hosting, FTP/SFTP, database access, and any connected email accounts.
If you can, put the site into maintenance mode while you investigate. That reduces the chance that visitors get redirected or that the infection spreads through forms, comments, or admin accounts.
How the cleanup usually works
Start by comparing the site files against a clean copy or a known-good backup. Suspicious changes often live in plugin folders, theme files, uploads, or custom code snippets.
Look for obfuscated code, base64 strings, extra eval() calls, or unfamiliar files with recent modification dates. Those are not proof by themselves, but they are good places to investigate.
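The comparison described above can be scripted. The following is an added example, not part of the original guide: it diffs a site tree against a known-good copy and, for files that were added or changed, reports the indicators mentioned above (eval() calls, base64 decoding, long encoded strings) and recent modification times. The function names, the 14-day window, and the sample trees are assumptions made for illustration.

```python
import filecmp, re, tempfile, time
from pathlib import Path

# Indicators named in the guide; a hit is a lead to review, not proof of infection.
INDICATORS = {
    "eval_call": re.compile(rb"\beval\s*\("),
    "base64_decode": re.compile(rb"base64_decode\s*\("),
    "long_base64_string": re.compile(rb"[A-Za-z0-9+/=]{200,}"),
}

def audit(site_dir, clean_dir, recent_days=14):
    """Compare site_dir with a known-good clean_dir and list files to review."""
    site, clean = Path(site_dir), Path(clean_dir)
    cutoff = time.time() - recent_days * 86400
    report = {"added": [], "modified": [], "indicators": {}, "recent": []}
    for f in sorted(p for p in site.rglob("*") if p.is_file()):
        rel = f.relative_to(site).as_posix()
        ref = clean / rel
        if not ref.is_file():
            report["added"].append(rel)          # not present in the clean copy
        elif not filecmp.cmp(f, ref, shallow=False):
            report["modified"].append(rel)       # content differs byte for byte
        else:
            continue                             # identical, nothing to review
        data = f.read_bytes()
        hits = [name for name, rx in INDICATORS.items() if rx.search(data)]
        if hits:
            report["indicators"][rel] = hits
        if f.stat().st_mtime >= cutoff:
            report["recent"].append(rel)
    return report

def demo():
    """Build two small constructed trees (not real site data) and audit them."""
    with tempfile.TemporaryDirectory() as tmp:
        clean, site = Path(tmp, "clean"), Path(tmp, "site")
        for root in (clean, site):
            (root / "wp-content/themes/t").mkdir(parents=True)
            (root / "wp-content/uploads").mkdir(parents=True)
            (root / "index.php").write_text("<?php require 'wp-blog-header.php';\n")
            (root / "wp-content/themes/t/functions.php").write_text("<?php // theme setup\n")
        # Constructed changes: an altered theme file and a PHP file placed in uploads.
        (site / "wp-content/themes/t/functions.php").write_text("<?php eval($x); // theme setup\n")
        (site / "wp-content/uploads/cache.php").write_text("<?php echo base64_decode('aGk=');\n")
        return audit(site, clean)

if __name__ == "__main__":
    print(demo())
```

Files in uploads that differ only because they are legitimate new media will also show up under "added", so review that list by file type rather than treating every entry as malicious.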
Do not forget the database
Malware does not always live in PHP files. Attackers also hide code, links, or redirect behavior in the database, especially inside posts, widgets, options, and page builder data.
If you only clean the filesystem and skip the database, the site can still keep serving malicious content after the visible files look normal.
Find the entry point
The most important part of a cleanup is figuring out how the attacker got in. Common entry points include outdated plugins, weak passwords, stolen admin sessions, vulnerable themes, and exposed file upload forms.
If you skip this step, the malware may come back a day or a week later. Removing the symptom is not the same as removing the cause.
After the site is clean
- Update WordPress core, plugins, and themes.
- Remove anything unused or abandoned.
- Rotate passwords and security keys.
- Review admin users and file permissions.
- Set up backups and monitoring so you can spot trouble earlier next time.
When a rescue team helps
If the infection is active, the hosting account is also affected, or the site is an important revenue channel, a careful cleanup is usually faster and safer than trying random fixes.
A good rescue process should tell you what was infected, what was removed, how the attacker likely got in, and what was changed to keep it from happening again.
Quick recap
- Malware can hide in files, the database, or both.
- Cleaning the visible infection is not enough if you do not close the entry point.
- Rotate passwords, update everything, and review access after cleanup.
- If the site is business-critical, get help quickly instead of piecing together guesses.
