That sinking feeling in your stomach when you suspect your WordPress site has been hacked is something no website owner wants to experience. Take a deep breath. It's going to be okay. To properly remove malware from WordPress, the process involves spotting the infection, taking a secure backup, carefully cleaning out your files and database, and then beefing up your site's defences so it doesn’t happen again. We’ll walk you through it.
Recognising the First Signs of a Hacked WordPress Site
Discovering your site has been compromised can feel like a direct hit, but please know it's almost never personal. Most hacks are carried out by automated bots that are constantly scouring the internet for any website—big or small—with an easily exploitable weakness. The trick is to shift from that initial wave of panic to a calm, methodical approach.
Knowing what to look for is half the battle. An infection can show up in all sorts of ways; some are glaringly obvious, while others are frustratingly sneaky. Spotting these signs early on gives you a massive head start in regaining control.
Common Symptoms of a Malware Infection
The signs of a hack really depend on what the attacker is trying to achieve. They might be using your server to blast out spam emails, redirecting your hard-earned traffic to dodgy websites, or just vandalising your homepage for kicks. If your site is acting strangely, it’s time to investigate. For more general troubleshooting advice, our guide on how to tell if your website is broken and what to do is also a great resource.
Here are some of the most frequent red flags we see:
- Sudden Drop in Performance: Your site is suddenly slow as molasses. This often happens when malicious scripts are hogging all your server's resources.
- Strange Pop-ups or Ads: If you're seeing adverts for things you'd never endorse, you've likely got ad-injecting malware.
- Unfamiliar Admin Users: This one is a huge warning. Finding new administrator accounts you didn't create means someone else has the keys to your kingdom.
- Spammy Links or Content: Have links to sketchy pharmacies or gambling sites suddenly appeared in your header or footer? That's a classic sign of SEO spam malware.
- Website Redirects: Your visitors click on your site but end up somewhere completely different. This is a malicious redirect, and it's a sure-fire sign of a hack.
- Hosting Account Suspension: Often, the first time people realise they're hacked is when they get an email from their web host suspending their account to protect the server.
- Security Warnings from Google: The dreaded "This site may be hacked" message in Google search results is a clear signal that Google has found something nasty.
It's a harsh truth, but malware is the number one threat to WordPress. The latest data shows that a massive 72.72% of infected WordPress sites fall victim to malware, which typically gets in through plugin or theme vulnerabilities. Attackers love leaving backdoors, found in almost 70% of compromised sites, to ensure they can get back in later. You can dive into the full analysis on WordPress security statistics to see the full picture.
Pinpointing these symptoms is the crucial first step. Once you're sure there's a problem, you can start working through a clear plan to remove the malware from your WordPress site and lock it down for good.
Your Essential Pre-Cleanup Safety Protocol
Before you touch a single file or line of code, stop. I know the urge is to dive right in and start deleting things, but acting rashly can make a bad situation much, much worse. Trust me on this. Think of this next part as setting up your safety gear before a big job; it’s the professional way to handle a crisis and ensures you stay in control.
The first, absolutely non-negotiable step is to take a complete backup of your website exactly as it is right now—infection and all.
"Why would I back up a hacked site?" It's a fair question, and it feels counterintuitive. But this backup is your single most valuable forensic tool. It creates a contained copy of the infection you can analyse later without any risk to your live server. More importantly, it’s your ultimate safety net. If you accidentally delete a critical file during the cleanup, this backup is what lets you get it back.
Your Immediate Action Plan
With a full backup safely stored offline, it's time to lock the doors. You need to prevent the intruder from causing more damage or, worse, undoing all your hard work while you're trying to clean up. This means a full-scale password reset.
And I don't just mean your WordPress admin password. You have to assume every single credential linked to your site has been compromised.
- WordPress Admin Accounts: Change the password for every user, paying special attention to anyone with administrator privileges.
- FTP/SFTP Accounts: These credentials provide direct access to your website's files. Change them immediately.
- Hosting Control Panel (cPanel, Plesk, etc.): This is the master key to your kingdom. It absolutely must be changed.
- Database Password: This is one people often forget, but it's crucial. You’ll need to update this in both your
wp-config.phpfile and your hosting control panel.
Taking these steps helps contain the threat. It’s a simple but incredibly powerful move that cuts off the attacker’s access, giving you a clear field to work on removing the malware from WordPress.
A quick note from experience: Taking a moment to back up your infected site is one of the most reassuring steps you can take. It shifts the dynamic from panic to preparation, giving you a safe environment to examine the damage and a fallback if the cleaning process hits a snag, like a WordPress fatal error.
Communicating with Your Hosting Provider
Your web host can be a fantastic ally in this fight. They have server-level tools and logs that you simply can't access. Get in touch with their support team and let them know you’ve found malware.
Don't just send a vague message like, "My site is hacked." To get the best help, you need to be specific. When you contact them, ask these pointed questions:
- Could you please provide the server access logs for my account from the last 7-14 days?
- Have your systems detected any suspicious activity or malware from your end?
- Are you able to tell me the exact location of any malicious files you've found?
- Are there other websites on my shared server experiencing similar issues?
Their answers can provide vital clues, helping you pinpoint the source of the infection and when the breach happened. Any decent host will want to help you clean your site, as it protects their own infrastructure too.
Sometimes, the cleanup process itself can trigger unexpected issues. If you do run into trouble, knowing how to diagnose and resolve them is key. If you ever need it, our guide on how to fix a WordPress fatal error can help get things running smoothly again. Following this pre-cleanup protocol sets you up for a much smoother and more successful malware removal journey.
How to Pinpoint Malicious Code on Your Site
Right, you’ve secured the perimeter and have a clean backup on standby. Now it's time to put on your detective hat and find exactly where the malware is hiding. This might sound intimidating, but honestly, it’s a manageable process once you know what to look for.
We can tackle this in two ways: using trusted security plugins to do the heavy lifting, or rolling up our sleeves for a manual inspection. From my experience, a combination of both is usually the most effective strategy.
Using Security Plugins for a Fast Diagnosis
The fastest way to get a clear picture of what’s going on is to let a reputable WordPress security plugin do the work. Tools like Wordfence or Sucuri Security are brilliant at this. They run on massive, constantly updated databases of known malware signatures and can scan your entire website in just a few minutes.
A good scanner will check for several key red flags:
- Modified Core Files: It compares your core WordPress files against the official, clean versions from WordPress.org. Any discrepancies are flagged immediately.
- Known Malware Signatures: It hunts for specific patterns and bits of code that are known to be malicious.
- Hidden Backdoors: The scan searches for common functions and strangely named files that hackers use to create a secret entrance back into your site.
- Database Infections: It can also scan your database for spammy links or malicious scripts injected directly into your posts and pages.
Running a scan is your first-line-of-defence investigation. It will spit out a clear, actionable list of infected files, giving you a fantastic starting point for the cleanup.
Diving in for a Manual Inspection
While plugins are great, sometimes a manual check is the only way to find cleverly hidden malware. This means connecting to your site using an FTP client (like FileZilla) or your hosting provider's File Manager and doing a bit of sleuthing.
Don't worry, you don’t need to be a coding whizz for this. You're mainly looking for things that just seem… out of place.
Check File Modification Dates
This is one of the simplest yet most effective manual checks you can do. Sort all your files and folders by the 'Last Modified' date. Since you have a rough idea of when the hack happened (perhaps when you first noticed odd behaviour), you can zero in on files that were changed around that specific time.
If you see core files like wp-config.php or folders like /wp-includes/ were modified recently when you know you haven't touched them, that's a massive red flag. Attackers love to alter these to inject their code.
Key Insight: The
wp-content/uploadsfolder should only contain media files like images, PDFs, and videos. If you find any PHP files (.php) lurking in there, they are almost certainly malicious and need to be dealt with immediately.
Spotting Suspicious Code Snippets
When you open a file you suspect is compromised, you’re looking for code that seems odd or is deliberately hard to read. Attackers use obfuscation techniques to hide their malware from basic scans, making it look like gibberish.
Here are a few common things to watch for:
base64_decode: This is a function often used to decode long, nonsensical strings of characters into executable code. While not always malicious, its presence in an unexpected place is highly suspicious.eval(): This is a powerful PHP function that executes code passed to it. It’s frequently exploited by hackers. If you seeeval(base64_decode(...));, you have almost certainly found malware.- Strange File Names: Look for files with odd names that try to mimic legitimate ones, like
wp-config.bak.phporhell0.php(with a zero instead of an 'o'). - Large Gaps of Whitespace: Hackers sometimes add hundreds of blank lines to a file to push their malicious code way down the page, hoping you won't scroll far enough to find it.
This process transforms the vague problem of "being hacked" into a concrete list of files you need to address. The threat is very real; a UK Government survey found that 43% of UK businesses suffered a cyber breach in the last year, with malware being a significant vector. For anyone with a WordPress site, this really highlights the need for proactive detection and having a solid plan to remove malware from WordPress when the worst happens. You can read the full details on these UK cyber security trends to better understand the risks.
By combining an automated scan with a targeted manual check, you'll be in a strong position to identify every last trace of the infection. Once you have your list of compromised files, you're ready for the next phase: the cleanup.
The WordPress Malware Removal and Restoration Process
Alright, you’ve found the malicious code. Now the real work begins. This is where we shift from detective work to surgeon-like precision, carefully cleaning up the mess to get your site back to full health. Take a breath; this is a methodical process, not a race.
The golden rule here is simple: replace every compromised file with a brand-new, clean copy. I can't stress this enough – never, ever try to restore from your infected backup. That backup was just for analysis. We're only going to use official, untouched files straight from the source. This is the only way to be certain the infection is completely stamped out.
The infographic below gives you a solid visual of the detection workflow, which you should have completed before starting this removal phase.
Having this clear list of infected files is crucial. It’s our hit list for the cleanup.
Replacing WordPress Core Files
Let's start with the foundation of your website: the WordPress core files. Hackers love tucking nasty surprises in here, so we're going to replace the whole lot. It sounds a bit full-on, but it's the safest and quickest way to eliminate any malware hiding in these critical files.
First things first, head over to the official WordPress.org website and grab a fresh download of the latest version. Unzip that file on your computer.
Now, pay close attention to this next part. Inside the new wordpress folder you just created, you absolutely must delete the wp-content folder. This folder holds all your themes, plugins, and media uploads, and we don't want to wipe those out by mistake.
Next, connect to your site via an FTP client or your hosting provider’s File Manager. On your server, completely delete the wp-admin and wp-includes directories. Then, upload the new, clean wp-admin and wp-includes folders from the download. You'll also need to upload all the individual files (like index.php, wp-login.php, etc.) from the root of that new WordPress folder. This effectively replaces every core file while leaving your unique configuration and content untouched.
Key Takeaway: You're swapping out everything except for your
wp-contentfolder and thewp-config.phpfile. This single action is a massive step and often clears a huge chunk of the infection from the core software.
Cleaning Your Themes and Plugins
With the core sorted, we move on to the most common weak points: your themes and plugins. The game plan is exactly the same—delete the old ones and replace them with fresh copies.
Make a quick list of all the plugins you're using. Then, go into your wp-content directory and delete every single plugin folder. Don't panic! This won't erase your settings, as those are safely stored in your database. Head to your WordPress dashboard, go to Plugins > Add New, and simply reinstall clean versions of each one from the official WordPress repository.
Do the same for your theme. If you got it from the WordPress repository, delete and reinstall it. If it’s a premium theme, you’ll need to download a fresh copy from the developer you bought it from.
Scrutinising the wp-config.php File
Your wp-config.php file is the brain of your WordPress site; it holds the keys to your database. Naturally, it’s a prime target for attackers. You need to open this file and compare it, line by line, against the wp-config-sample.php file that came with your fresh WordPress download.
Be on the lookout for anything that seems out of place—long, garbled strings of text, strange characters, or any code that looks suspicious. Hackers are notorious for embedding malicious code here. If you see anything that isn't your database details or security keys, get rid of it.
Inspecting the wp-content Directory and Database
Even after all that, rogue files can still lurk in the wp-content directory, especially within the /uploads folder. Your mission here is to scan this folder specifically for any PHP files (files ending in .php). The /uploads folder is meant for media like images and videos, so a PHP file here is a massive red flag. In my experience, it’s almost always malware and should be deleted on sight.
The database itself can also be compromised, often with SEO spam or malicious redirects. Using a tool like phpMyAdmin (usually available in your hosting control panel), you can search tables like wp_posts and wp_options for spammy keywords or scripts. This is definitely a more advanced step, so tread carefully if you're not comfortable working directly with databases.
The threat landscape is constantly changing, and unfortunately, the UK has become a hotspot. Ransomware, in particular, is a growing problem. Recent analysis shows the UK is the second most targeted region globally, accounting for a staggering 6.7% of ransomware attacks. Even as some hacker collectives disband, the number of new groups has surged by over 41%, many of whom exploit known WordPress vulnerabilities. This really drives home the need for UK site owners to be vigilant with updates and have a solid plan to remove malware from WordPress the moment it appears. You can read more about these concerning ransomware trends and their impact on the UK.
While you can absolutely do this yourself, I know it can feel like a lot to handle. If you're feeling overwhelmed or just want the peace of mind that comes with a professional touch, getting an expert in is a smart move. Our WordPress malware removal services are designed to take this entire burden off your shoulders, ensuring every last trace of the infection is properly eliminated.
Ultimately, the restoration process is a test of patience and meticulousness. By methodically replacing every potentially compromised part with a clean one, you're not just cleaning your site—you're rebuilding it on a secure, trustworthy foundation.
Post-Cleanup: Fortifying Your WordPress Defences
You’ve done it. You’ve wrestled with malicious code, navigated the technical minefield, and finally booted the malware off your website. That’s a massive win, and you should absolutely take a moment to breathe.
But we’re not quite at the finish line yet.
Think of it this way: you've just kicked a burglar out of your house. The immediate danger is gone, but would you just go back to business as usual? Of course not. You’d change the locks, reinforce the doors, and maybe install an alarm system. That's exactly what we need to do for your website now. This is where we shift from frantic, reactive cleanup to building a smart, proactive defence.
Your Immediate Security Checklist
Before we dive into the long-term strategy, there are a few critical housekeeping tasks you need to tick off right now. These steps slam the door on any lingering access the attackers might still have.
-
Reset All Passwords. Again. I know, you probably just did this. But now that you're certain the site is clean, do it one last time. This means every single WordPress user, your FTP/SFTP accounts, your hosting control panel, and especially your database password. Any credentials scraped during the attack are now officially useless.
-
Generate New WordPress Security Keys. Often overlooked, these keys (or "salts") are what encrypt the login cookies stored in your users' browsers. By generating a fresh set, you instantly invalidate all existing login sessions across the board. This forces everyone to log in again under the new, secure environment, cutting off any hijacked sessions.
-
Run One Last Scan. This one is for your peace of mind as much as anything. Use your security plugin to run one final, deep scan of the entire site. This is your definitive check to confirm the cleanup was 100% successful and that no nasty remnants were left hiding in a forgotten corner.
Building Your Long-Term Defences
With the immediate threats neutralised, it’s time to think about the future. A one-off fix feels good, but it's a solid, ongoing security routine that will actually keep your site safe. The aim here is to make your website a much tougher target than the next one in line.
Implement a Web Application Firewall
A Web Application Firewall (WAF) is one of the single most effective security measures you can add. It’s like having a dedicated security guard standing between your website and the rest of the internet. A good WAF inspects every request coming to your site and intelligently blocks known threats—like SQL injections and cross-site scripting—before they ever get a chance to touch your WordPress files.
This is true proactive defence. It filters out the very attack patterns hackers use to exploit plugin vulnerabilities in the first place. Many premium security plugins include a powerful WAF as part of their service.
Enforce Two-Factor Authentication
If you only do one thing from this list, make it this. Two-Factor Authentication (2FA) adds a brilliantly simple, yet incredibly strong, layer of security to your login page. Even if a hacker steals your password, they're stopped in their tracks because they don't have the second piece of the puzzle—usually a time-sensitive code from an app on your phone.
This isn't just a nice-to-have; it's a game-changer. Data shows that simply enabling 2FA can block an astonishing 99.9% of automated cyberattacks. You’re effectively turning a simple lock into a bank vault door.
Establish a Non-Negotiable Update Routine
I can't stress this enough: outdated plugins and themes are the number one way hackers get in. They run automated bots 24/7 that do nothing but scan the web for sites running specific versions of software with known vulnerabilities. Keeping everything updated is your single best defence against this constant threat.
Set a recurring reminder in your calendar—weekly is best—to check and apply all available updates for:
- WordPress Core: The engine of your website.
- Plugins: The most common source of security holes.
- Themes: Another potential entry point if left neglected.
This simple habit of consistent maintenance is what separates secure sites from vulnerable ones. By shifting from a reactive panic to a proactive posture, you fundamentally change your security game. These steps are just as crucial as the work you did to remove malware from WordPress, ensuring all that hard effort wasn't in vain.
Got Questions About WordPress Malware Removal? We've Got Answers
Dealing with a hacked website is stressful, and it’s completely normal to have a ton of questions floating around, even after you think you've cleaned it up. Let's tackle some of the most common queries we hear from website owners to give you some much-needed clarity.
Can't I Just Restore an Old Backup to Get Rid of the Malware?
This is usually the first thought that pops into someone's head. On the surface, it seems like a quick fix—just roll back time to before the hack happened. The reality, however, is that this is a risky move that can easily backfire.
First off, you'll immediately lose any content or changes made since that backup was created. Think about all the new blog posts, customer orders, comments, or sign-ups that would simply vanish. That alone can be a huge blow.
But the bigger problem is that a backup rarely solves the root cause.
- You could restore the original vulnerability. If the hack happened because of an outdated plugin, that same vulnerable plugin will be right there in your backup, waiting for the next attack.
- The backup might already be infected. Malware often lies hidden for weeks or even months before you notice it. Restoring a backup from "before the hack" might just be restoring an earlier, dormant version of the same infection.
Restoring a backup is like putting a fresh coat of paint over a mouldy wall. It might look clean for a little while, but you haven't fixed the underlying damp that's causing the problem. A thorough, manual cleanup is the only way to be sure you’ve removed the malware and plugged the security hole it used.
Once the Malware Is Gone, Will Google Automatically Remove the Warning?
Unfortunately, no. Google doesn’t automatically know you've cleaned house. Once you are 100% certain your site is clean and secure, you have to proactively tell them.
This involves logging into your Google Search Console account, finding the "Security Issues" report, and officially requesting a review. It’s always a good idea to add a brief note explaining the steps you took to fix the problem. This review can take a few days, so get it submitted as soon as you're done to get that warning removed and start rebuilding trust.
Why Would Anyone Hack My Small Blog? It Gets No Traffic.
This is a question we hear all the time, and it's based on a common misunderstanding. Most hacks aren't personal attacks; they're automated. Hackers aren't sitting there picking your small blog out of a line-up. Instead, they use bots that relentlessly scan the web for any site with a known weakness, like a out-of-date plugin or a simple password.
Your site wasn't targeted for its content or its traffic. It was targeted because it was an easy opportunity.
These compromised sites become part of a larger network that hackers use to:
- Send out millions of spam emails.
- Host phishing pages designed to steal bank details or passwords.
- Carry out coordinated attacks on bigger, more secure websites.
To a hacker, every single unsecured site is a valuable resource. That’s why robust security is non-negotiable for every website owner, no matter how small you think your site is.
This whole process can feel a bit much, and that’s completely understandable. If you’d rather have an expert handle it for total peace of mind, our team is here to help. We live and breathe WordPress security and specialise in fast, effective malware removal. Contact us to learn more and let's get your site secured properly.