WordPress Malware Removal: Manual & Automatic Methods

WordPress is the most widespread website platform, which makes it a common target for malware attacks. Malware can enter your WordPress site through outdated plugins, insecure themes, or weak passwords. Once malware infects your site, it can lead to harmful consequences like data breaches, website defacement, or blacklisting by search engines.

This is why you must remove malware from WordPress to avoid further damage. If left unchecked, malware can spread to other areas of your site, cause downtime, and negatively impact your site’s performance and reputation. Additionally, a site with malware can harm user experience and result in search engines blocking your site, leading to a loss of traffic and revenue.

Here, we show you what WordPress malware is and the types. Then, we explore how to detect malware on your WordPress site. After that, we’ll go through the manual and automatic methods for WordPress malware removal to secure your site and prevent future attacks.

KEY TAKEAWAYS

1. WordPress malware removal is important because it can severely affect your site’s performance, security, and reputation, so timely removal is crucial.
2. Malware can enter your WordPress site through outdated plugins, themes, or weak security measures.
3. Manual WordPress malware removal involves inspecting core files, databases, and user accounts for suspicious activity and code.
4. Automatic WordPress malware removal tools and plugins, such as security plugins, can help detect and clean malicious code with minimal technical effort.
5. Always back up your WordPress site before attempting any WordPress malware removal process to avoid losing important data.
6. Regular site maintenance, including updates and security scans, is essential to prevent future malware attacks.
7. Google may flag your website if malware is detected, so once you’re done with WordPress malware removal, request a review through Google Search Console to restore your site’s SEO performance.
8. Combining manual and automatic WordPress malware removal methods ensures thorough cleaning and strengthens your site’s overall security.
9. Regularly monitor your website for unusual activity or unauthorized access to minimize the chances of reinfection.

What is WordPress Malware?

WordPress malware refers to any malicious software or code injected into a WordPress website to harm, exploit, or gain unauthorized access to the site. It can affect a site’s performance, security, and reputation by compromising data, redirecting visitors, or even gaining control over the site itself.

Malware typically finds its way into WordPress sites through vulnerabilities, including:

• Insecure Hosting: Some malware infections happen when the server or hosting environment is insecure, allowing attackers to target multiple sites on the same server.
• Outdated Plugins & Themes: Many attacks exploit known vulnerabilities in outdated themes and plugins. If these are not updated regularly, hackers can inject malicious code.
• Weak Login Credentials: Using weak passwords or failing to implement two-factor authentication can lead to brute-force attacks, allowing hackers to inject malware.
• File Permissions Misconfiguration: Improper file permissions can allow unauthorized users to access and modify critical files, leading to a malware infection.
• Infected File Uploads: Malicious files use contact forms or other upload functionalities that can be uploaded directly into the website’s file structure.
• Database Injections: Attackers can insert malicious SQL queries that modify your database. This is often seen in cross-site scripting (XSS) (see below) and SQL injection attacks.
• Cross-Site Scripting (XSS): This type of attack inserts malicious JavaScript into the front end of your website, affecting users who visit the site.

Types of WordPress Malware

Here are some common malware types specifically targeting WordPress sites:

Backdoors

Backdoors are malicious scripts or code inserted into a website allowing attackers to bypass normal authentication processes. This means that even if your website’s admin login is secured, hackers can still get unauthorized access to your site through these backdoors.

Once inside, attackers can modify files, steal sensitive information, or plant more harmful malware. Backdoors often target core WordPress files, plugins, or themes and can be difficult to detect without thorough scanning. Regular updates and security monitoring are essential to prevent backdoor exploits.

SEO Spam

SEO spam involves injecting hidden links or keywords into a WordPress site to boost the search engine rankings of unrelated or harmful websites. This kind of malware is often inserted through insecure or incompatible plugins or themes and can go unnoticed for long periods.

These injected links are usually invisible to site owners but visible to search engines, harming your site’s SEO. Not only does SEO spam damage your site’s credibility, but it can also lead to search engines blacklisting your website. Regular scans and updates help detect and remove SEO spam.

Phishing

Phishing attacks in WordPress typically involve creating fake login pages or redirects that trick users into entering sensitive information like usernames, passwords, or even credit card details. These pages closely mimic legitimate sites, making it difficult for users to identify the fraud.

Once attackers collect the information, they can use it for identity theft or unauthorized access. It is essential to use SSL certificates, two-factor authentication, and other security measures to prevent phishing attempts on your WordPress site.

Malicious Redirects

Malicious redirects occur when code is inserted into a website that automatically redirects visitors to potentially harmful or irrelevant websites. This damages your site’s user experience and risks harming visitors’ devices or leading them to phishing websites.

Compromised themes, plugins, or weak security measures result in redirects. Regular security audits and plugin updates can help identify and remove malicious redirect codes.

Trojan Horses

Trojan Horses are malicious codes that disguise themselves as legitimate plugins, themes, or files. When installed, they give attackers unauthorized access to your website without your knowledge. This type of malware is dangerous because it appears to be a useful tool, making it hard to detect.

Once activated, trojan horses can allow hackers to alter your website, steal data, or install more malicious software. Therefore, we recommend downloading plugins and themes only from trusted sources to prevent trojan horse infections.

Denial of Service (DoS) Scripts

Denial of Service (DoS) scripts are designed to overwhelm a server with traffic or requests, causing it to slow down or crash entirely. This malware type disrupts your site’s availability, making it inaccessible to legitimate users.

DoS attacks can also affect the overall performance of your server and potentially harm other sites hosted on the same server. To protect against these attacks, it is important to have strong firewall rules, monitoring tools, and traffic filtering systems in place.

How Malware Impacts WordPress Sites

Malware can significantly impact WordPress sites, disrupting performance, data security, and overall functionality. Website performance is one of the first noticeable effects.

Malware can cause a site to slow down dramatically, leading to a poor user experience and higher bounce rates, as site visitors are likely to leave a slow or unresponsive site. This performance hit also strains server resources, potentially causing the site to crash or experience frequent downtime, which can be destructive to businesses.

Beyond performance issues, malware can result in data breaches. Attackers can access sensitive information such as customer details, personal data, and financial information. This poses a privacy risk and can lead to legal consequences for the website owner.

Moreover, once a data breach is detected, the trust between the website and its users is compromised, which can take years to rebuild.

Another serious consequence is blacklisting by search engines. If search engines such as Google detect malware on your site, they may blacklist it to protect users.

When this happens, your website’s traffic drops significantly because users are warned not to visit the site. Also, your SEO rankings will suffer, making it harder for people to locate your website through search engines.

Finally, the presence of malware can lead to reputation damage. Users who encounter malicious content, such as unwanted redirects or phishing attempts, can have a negative impression of your brand.

All this can hurt your credibility and result in fewer return visitors, affecting long-term business growth. So keeping your WordPress site secure will protect how it works and help maintain a positive brand image.

How to Detect WordPress Malware

There are many ways to detect malware on a WordPress site:

You can use security plugins. Tools like Wordfence, Sucuri, and iThemes Security offer malware-scanning capabilities. These tools check core files, themes, and plugins for suspicious changes.

Some plugins track any changes made to core WordPress files, which can indicate that malware has been injected. You can also manually review the WordPress file structure for unusual files, especially in directories like /wp-content/uploads/ or /wp-includes/.

You should follow the following best practices to minimize the risk of malware infecting your WordPress site:

• Regular updates ensure you’re protected against known vulnerabilities.
• Ensure you limit the number of users with admin privileges and set the correct file permissions to prevent unauthorized changes.
• Strengthen the security of your login page to reduce the risk of brute-force attacks.
• Use reliable security plugins that scan for malware, enforce strong password policies, and monitor site activity.
• A Web Application Firewall (WAF) can block malicious traffic before it reaches your website.

By understanding what malware is and how it targets WordPress sites, you can implement effective security measures to protect your site and minimize risks. However, if malware does infect your site, removing it quickly and securely is critical to restore your site’s functionality and protect your visitors.

In this case, you can either continue with a manual approach to remove malware from a WordPress website or use an automatic process. However, before exploring these, we will look at the pre-removal steps below.

Pre-removal Steps for WordPress Malware

Before you go into the process of WordPress malware removal, it’s important to take a few steps:

Restrict Website Access

The first step for managing a malware infection is to prevent further spread by limiting access to your site. You can temporarily disable access to visitors by placing the site in maintenance mode or restricting access via your hosting control panel or firewall. This ensures that the malware doesn’t affect more users or cause additional damage while you work on resolving the issue.

Furthermore, restricting WordPress access ensures only administrators can track changes and resolve this issue. It also blocks all IP addresses except your computer’s IP address via the .htaccess file. Here’s how you can do this on the Hosted.com hosting plan:

Log into your web hosting account’s control panel, also called cPanel.

Then, navigate to Tools → Files → File Manager.

Now, go to your website’s root directory ( /public_html/) and find the .htaccess file in your root directory. If you don’t see it, ensure hidden files are visible by clicking Settings at the top of the File Manager and selecting Show Hidden Files.

Select the .htaccess file and click Edit to open this file in an editor.

Then add the following lines to the .htaccess file to restrict access to all except specific IP addresses:

Order Deny,Allow
Deny from all
Allow from YOUR_IP_ADDRESS

Replace YOUR_IP_ADDRESS with your IP address and click Save Changes to save the file. This will block access for everyone except you.

Important: Ensure your computer is configured with a static IP address. If you skip this step, you may need to update the .htaccess file regularly, as your IP address may change periodically.

Backup Website

Before going through the WordPress malware removal, create a full backup of your website that includes both the files and the database. This is a good safety measure in case important data is lost during the WordPress malware removal process.

Tools like UpdraftPlus or manually downloading files via FTP can help create secure backups. We’ve already covered how to back up your WordPress site; you can find it at the following link: How to Backup Your WordPress Site: A Comprehensive Guide

Check Recent Changes

Review your site’s activity logs to identify recent changes that may be suspicious. Check your logs (such as WordPress activity logs, WordPress error logs, or server logs) to spot unauthorized file changes or login attempts. This information will be useful in pinpointing the source of the malware and understanding the extent of the breach.

To view WordPress activity logs, you can install a plugin. We installed the WP Activity Log for this tutorial. Here’s how you can do the same:

Go to WordPress Dashboard → Plugins → Add New Plugin. Then, search for the “wp activity log” plugin. Once it appears, click Install Now.

Then, click Activate.

You will now see a new option – WP Activity Log, in the left-hand menu. Click on it, then click on Log viewer to view the WordPress activity log.

To examine in-depth, use a command to list recently modified files. Connect to your WordPress server through SSH using a terminal or an SSH client such as PuTTY. Once connected, execute the following command:

find . -type f -name '*.your_file_extension' -ctime n

Don’t forget to replace your_file_extension with the type of file you want to examine, such as PHP or JS files, which are often targeted in malware attacks. The n represents the number of previous days you wish to check. For instance, to locate PHP files modified within the last three days, you would run:

find . -type f -name '*.php' -ctime -3

This method helps identify files that may have been altered during a potential security breach.

However, if you’re wondering about WordPress error logs, there’s a detailed tutorial at the following link that we’ve already written for you: How to Configure WordPress Error Logs: Identify & Fix Issues

Update Passwords & Salts

Malware often exploits weak or compromised credentials to maintain access to your site. Prevent further breaches by updating all admin, database, FTP, and hosting passwords.

You may also use a password generator tool (like 1Password Strong Password Generator). Additionally, you may store your login credentials in NordPass or 1Password. These applications offer an encrypted vault to protect your login details. You may also refer to our detailed tutorial about password protection: How to Password Protect a WordPress Site – The Ultimate Guide

Moreover, we recommend you update your WordPress salts (found in your wp-config.php file) to invalidate any existing sessions. This adds an extra layer of security and ensures that unauthorized users can no longer access your site.

Here’s how to reset salts and all admin passwords to a random string of characters by running the following command via SSH:

wp config shuffle-salts && wp user reset-password $(wp user list --role=administrator --field=ID)

Remove Symlinks

Symlinks, or symbolic links, are shortcuts that point to files or directories, making it easier to access and manage them from different locations. However, if compromised, they become a security risk, as attackers may use these shortcuts to access critical files or your site’s root folder.

To reduce the risk of exploitation, it’s recommended to remove symlinks by unlocking them through the following SSH command:

find . -type l -exec unlink {} \;

Once the WordPress malware removal process is complete, ensure you recreate the necessary symlinks, as failing to do this could lead to website functionality issues.

These pre-removal steps will help protect your site and make the WordPress malware removal process smoother, reducing the risk of further damage. Now, let’s find out how to remove malware from WordPress website.

Manual WordPress Malware Removal

Users with technical knowledge will be more comfortable with a manual approach to WordPress malware removal. Beginners may find this challenging, but it’s possible if they follow the instructions correctly.

Reinstall WordPress Core Files

Reinstalling WordPress core files can help remove WordPress malware, as it replaces any corrupted or infected core files with fresh, clean versions.

Malware often hides within the WordPress core directories (such as wp-admin or wp-includes), and by reinstalling these files, you overwrite any malicious code that may have been injected.

This process ensures that the core WordPress structure is restored to its original and secure state without affecting your site’s content, themes, or plugins.

There are 3 main ways to reinstall WordPress core files that we’ve already covered. You may find each of them below:

– Reinstall WordPress Using Dashboard

– Reinstall WordPress Using FTP

– Reinstall WordPress Using WP-CLI

Once WordPress has been reinstalled, check that everything functions properly by visiting different areas of your website.

Compare Infected vs Clean Files

When dealing with a hacked or malware-infected WordPress site, comparing infected files to clean versions is important for identifying and removing malicious code. This process helps you pinpoint exactly which files have been compromised so that you can clean them or replace them with their clean versions.

To effectively clean your WordPress installation, you need access to the infected files (your current WordPress site) and clean files (an untouched version of WordPress).

The clean version serves as a reference for what the original, unaltered code should look like. This helps spot the differences and identify the malicious code injected into your site.

To do this, you need to access both WordPress files. Use an FTP client like FileZilla to download infected files from the server: Log in to your site’s root directory (/public_html/) and download the entire WordPress installation to your computer.

Advanced users can use SSH (Secure Shell) to access their servers and download files directly. SSH is useful to handle large files and automate comparisons. Connect to your server using SSH, navigate to the root folder of your website, and retrieve the infected files.

Next, you need to obtain a fresh, clean version of WordPress. You can download it from the official WordPress website. Keep this folder separate from the infected files for comparison purposes.

Once you have these infected and clean files, you can compare them to find differences. This step will help you pinpoint exactly which files were affected by malware.

One of the most effective ways to compare infected and clean files is to use the diff command in SSH. This command highlights the differences between two sets of files.

To use this, log in to your website’s server via SSH. Place the clean WordPress files in a separate folder on the server. Then, use the following command to compare the clean and infected files, excluding the wp-content folder (which contains your themes, plugins, and uploads):

diff -r wordpress-clean/ wordpress-infected/ -x wp-content

This will display differences between the two file sets, making it easier to identify which files have been modified by malicious code.

Another method to verify that your core WordPress files are intact is by using WP-CLI checksums. This command checks the integrity of your WordPress core files by comparing them to the official WordPress versions.

wp core verify-checksums

This command checks the core WordPress files (such as those in wp-admin and wp-includes) and ensures they haven’t been altered. If it detects any discrepancies, these files may have been compromised.

Furthermore, you may also run a checksum on WordPress plugins as follows:

wp plugin verify-checksum

Important: Remember: the WP-CLI checksum command only works for official WordPress files. If your website uses third-party plugins or themes from unofficial sources, checksum won’t check these files. Instead, you’ll need to manually verify these files or compare them with the official versions from the plugin or theme developer.

Remove Suspicious PHP Files from the Uploads Folder

Removing malicious PHP files from your WordPress site is one of the manual steps in the WordPress malware removal process. The uploads folder is particularly vulnerable to these infections, as it’s commonly used for media uploads and isn’t regularly checked for PHP scripts. Here’s how you can identify and remove these malicious files.

Use your hosting control panel’s File Manager feature to connect to your website’s file system. Hosted.com users can find this feature at cPanel → Tools → Files → File Manager.

Then, navigate to your WordPress root directory and open the /wp-content/uploads/ directory.

Remember, PHP files should not be in the uploads folder. To find them, manually check each folder or use a search feature in your FTP client.

Alternatively, if you’re using SSH, you can run the following command to list all PHP files:

find . -name "*.php"

This command will search the current directory (uploads folder) for any files with the .php extension. If you’re not in the uploads folder, you may use the following command with the complete path:

find /public_html/wp-content/uploads/ -type f -name "*.php"

Once you’ve identified the PHP files in the uploads directory, carefully review them. If they look unfamiliar or contain suspicious code, delete them using the following command:

rm *.php

OR

cd /public_html/wp-content/uploads/ && rm *.php

However, if you’re using FileZilla, you can right-click on the file and select Delete, or in File Manager, use the Delete option at the top to remove them.

Important: While it may seem easy to delete all PHP files in bulk, it’s essential to exercise caution. Bulk deletion could remove necessary files that your site relies on, such as PHP scripts added by trusted plugins or themes. To avoid deleting critical files, it’s important to review the files individually and ensure they are indeed malicious before removing them.

Look for Hidden Backdoors

As we already said, a backdoor is a piece of malicious code that hackers insert into a website to gain unauthorized access, often bypassing normal security protocols. Once a backdoor is in place, attackers can re-enter the site even after it’s cleaned up.

Hackers typically often use specific PHP functions (like base64, exec, move_uploaded_file, and str_rot13) to create backdoors and insert these backdoors into important WordPress files like wp-config.php, functions.php and sometimes even plugin or theme files.

To search for these functions, you can use an SSH command that scans all PHP files for these suspicious functions:

find . -type f -name '*.php' | xargs egrep -i "
(mail|fsockopen|pfsockopen|stream\_socket\_client|exec|system|passthru|eval|base64_decode) *("

This command will list all PHP files containing these potentially harmful functions. Once identified, you can open these files and examine whether using these functions is legitimate or part of a malicious backdoor.

Then, you also need to check for hidden code in images and iframes. Hackers may also embed malicious code within images or use iframes to insert harmful content into your website. These hidden backdoors can be challenging to detect since they don’t typically appear in obvious locations.

To locate this malicious code hidden in images, especially in your uploads folder, you can use the following command via SSH to search for PHP code embedded in image files:

find wp-content/uploads -type f -iname '*.jpg' | xargs grep -i php

This will list any image files containing PHP code, a strong indicator of a hidden backdoor.

Similarly, you can check for malicious iframes using this command:

find . -type f -name '*.php'| grep -i '<iframe'

Important: iFrames can embed external, malicious websites within your own, potentially leading to various WordPress security issues like phishing attacks or data breaches. While functions like base64_decode() or eval() can be used maliciously, some legitimate plugins and themes might also use them for valid purposes. So, before you remove any code, it’s essential to understand whether the function serves a legitimate purpose.

After cleaning the files for WordPress malware removal, test the site thoroughly to ensure that removing these functions does not break the necessary functionality. If unsure, you can always set up a staging environment to test your changes before applying them to the live site.

Inspect the SQL Database

Malware doesn’t just infect your WordPress files; it can also hide within your database. This makes inspecting your SQL database an essential step in WordPress malware removal. To remove malware from your WordPress database, check for suspicious scripts that attackers may have inserted.

There are two main approaches to this:

1. Using WP-CLI Commands
2. Manually Reviewing your Database Backup.

To identify potentially harmful scripts in your SQL database, you can connect to your server via SSH and run the following command:

wp db search "<script"

This will display all entries containing the <script> tag, which might indicate malicious code. Be careful not to delete these entries immediately, as they can help you identify compromised posts in subsequent steps.

For more thorough searching, you can check for JavaScript functions that hackers frequently exploit, such as eval(), atob(), and fromCharCode(). To search for these, run the following command:

wp db search '(<script|eval\(|atob|fromCharCode)' --regex

However, if you prefer manual inspection, open the SQL database backup you created earlier and search for suspicious scripts using a text editor like Notepad++, Sublime, or Visual Studio Code, which can highlight the problematic code and make your review process easier.

Review Code for Pages & Posts

Cybercriminals can inject malicious code into your WordPress posts, pages, or comments section, compromising your content’s integrity. They often insert harmful scripts that are executed without your knowledge. This can lead to undesirable behaviors on your site, such as pop-ups, redirects, or spam content.

To identify these malicious changes, you can review your posts and page revisions:

To do this, log into your WordPress dashboard. From the left-hand menu, navigate to Posts or Pages. Open the post or page you want to inspect (in this example we demonstrate the process using a post). Once it’s opened, click on Settings on the top right. Then scroll down to the Revisions section and click on it.

This will show all the saved versions of the content. You can browse the different revisions and compare the changes made to see if any suspicious scripts were added.

Important: If no Revisions option is available, there haven’t been any changes since the post or page was last published.

Keep in mind that malicious scripts often hide in the code of your posts and pages. Hackers might add hidden links, JavaScript, or unwanted elements that only appear in the code view. To thoroughly inspect your content:

In Post or Page Editor click the three-dot icon (top-right corner) to open more options. Select Code Editor. This will show the HTML version of your content.

Now, carefully examine the code for any unfamiliar or suspicious tags, such as <script>, iframe, or encoded text that might contain hidden malware. If you find any unwanted code, remove it manually and save the changes.

If you are unsure about any changes or hidden code, request assistance from a security expert or use trusted security plugins to remove WordPress malware automatically.

Lastly, you may check and remove the unwanted comments by navigating to WordPress Dashboard → Comments and clicking Trash.

This step is important because any modifications to posts, pages, or comments can insert new entries into your database tables. To proceed, open your database backup with a text editor and carefully review the entries, removing any suspicious or malicious scripts you identify.

Review User Roles & Privileges

Once you have removed the WordPress malware from your WordPress site, check for unauthorized user accounts that cybercriminals may have added. Hackers often create new admin accounts to gain access to sensitive data or modify your website without your knowledge.

To check for unauthorized users, follow these steps:

Go to WordPress Dashboard → Users → All Users. Now, carefully review the list of users for any new or unfamiliar accounts, especially those with Administrator privileges.

If you find suspicious accounts, select the checkbox next to their username, choose Delete from the Bulk actions menu, and click Apply to apply the changes.

You can also review other users’ roles to ensure trusted individuals only have administrative access. You can also change a user’s role by selecting their name, choosing a lower role from the Change role to… dropdown menu, and clicking Change to save modifications.

For a more detailed user list, you can also use WP-CLI to check account information. Run the following command to list users sorted by their registration date:

wp user list --field=ID,user_login,user_registered --orderby=user_registered --order=ASC --format=table

This approach helps ensure your WordPress site remains secure from unauthorized access.

Remove Website from Blocklists

When your website gets hacked or infected with malware, Google takes measures to protect visitors by flagging the website. After successful WordPress malware removal, you must remove your site from Google’s blocklist.

You can do this from your Google Search Console. Navigate to the Security & Manual Actions section and select Security Issues. If the issue has been resolved, click I have fixed these issues, followed by Request a review to ask Google to review and re-index your website.

This process may take a few days, so act quickly. The longer your site remains flagged, the more it can negatively impact your search engine rankings and damage your website’s reputation.

Automatic WordPress Malware Removal

One of the easiest ways to go through the WordPress malware removal process is by using security plugins. Plugins like Wordfence or Sucuri are designed to scan your site for malware automatically. They find infected files, remove malicious code, and protect against future threats. You can set these tools to run regular scans and fix issues without manual intervention.

Additionally, many web hosting providers offer host-specific malware scanners. These are built into your hosting account and can quickly detect and remove malware, making this a hassle-free solution.

FAQs

Other Related Tutorials & Blogs:

– How to Install WordPress Themes: A Beginner’s Guide

– WordPress Multisite Setup & Installation Guide

– How to Enhance Website Performance with WordPress CDN Plugins

– How To Configure WordPress Error Logs: Identify & Fix Issues

– How to Fix 502 Bad Gateway Error in WordPress