Tutorials

WordPress Malware Removal: Step-by-Step Guide for 2025

Complete guide to removing malware from your WordPress site. Learn the professional cleanup process used by security experts to restore hacked sites.

D
David Kim
8 min read
1,579 views
Step by step WordPress malware removal process

Discovering malware on your WordPress site is stressful, but with the right approach, you can clean your site and restore it to a secure state. This guide walks you through the professional malware removal process step by step.

Before You Start: Preparation

Don't Panic

Most WordPress malware infections can be cleaned completely. Acting methodically is more important than acting quickly. Rushing can lead to incomplete cleanup and reinfection.

Document Everything

Note when you discovered the infection, any symptoms you've observed, and recent changes to your site. This information helps identify the entry point.

Take a Backup

Even of the infected site. You may need to reference infected files later, and some malware removes evidence when detected.

Step 1: Isolate the Site

Prevent further damage by limiting access:

  • Put the site in maintenance mode if possible
  • Change all admin passwords immediately
  • Revoke all active sessions
  • Change FTP/SFTP and database passwords
  • Temporarily block admin access except your IP

Step 2: Full Malware Scan

Identify all infected files before cleaning:

Using WP Folder Shield

  1. Navigate to WP Folder Shield > Malware Scanner
  2. Run a full site scan
  3. Review all flagged files
  4. Note locations of confirmed malware

Manual Verification

For each flagged file, determine if it's:

  • A legitimate file that was modified (clean or replace)
  • A completely malicious file (delete)
  • A false positive (whitelist)

Step 3: Clean WordPress Core Files

The safest approach is replacing core files entirely:

  1. Download a fresh copy of your WordPress version from WordPress.org
  2. Delete and replace the entire wp-admin folder
  3. Delete and replace the entire wp-includes folder
  4. Replace all root PHP files (except wp-config.php)

Do NOT delete wp-content or wp-config.php—these contain your site data.

Step 4: Review wp-config.php

Compare your wp-config.php against a clean copy:

  • Look for eval(), base64_decode(), or suspicious includes
  • Check for code added at the beginning or end of the file
  • Verify define statements haven't been modified
  • Regenerate salt keys from WordPress.org salt generator

Step 5: Clean Themes and Plugins

Delete Inactive Themes

Inactive themes are a favorite hiding place for malware. Delete any theme you're not actively using.

Reinstall Active Theme

Download a fresh copy of your theme from the official source. Compare custom modifications against your backup before reapplying.

Reinstall Plugins

Delete and reinstall all plugins from official sources. For premium plugins, download fresh copies from the vendor.

Remove Pirated Software

If you're using nulled themes or plugins, remove them permanently. They're a leading source of WordPress malware.

Step 6: Clean the Uploads Folder

Check wp-content/uploads thoroughly:

  • Delete ALL PHP files—there should be none
  • Remove suspicious directories with random names
  • Check for .htaccess files that might enable PHP execution
  • Look for files with double extensions (.jpg.php)

Step 7: Database Cleanup

Malware often injects code into the database:

wp_posts Table

Search for base64 encoded strings, script tags, or iframe injections in post_content and post_excerpt fields.

wp_options Table

Check these options for injected code:

  • active_plugins
  • template, stylesheet
  • sidebars_widgets
  • widget_ options

wp_users Table

Look for unknown admin accounts and delete them.

Step 8: Secure the Site

Prevent reinfection with security hardening:

  • Update WordPress, themes, and plugins to latest versions
  • Enable two-factor authentication for all admins
  • Block PHP execution in uploads folder
  • Enable web application firewall
  • Set up file change monitoring

WP Folder Shield provides all these features plus automatic malware scanning to catch future infections early.

Step 9: Request Review if Blacklisted

If your site was blacklisted:

  • Google: Submit review request in Search Console
  • Bing: Use Bing Webmaster Tools
  • McAfee SiteAdvisor: Submit site for review
  • Norton Safe Web: Request site review

Professional Help

If the infection is severe or keeps returning, consider professional malware removal services. WP Folder Shield customers can contact support for guidance on complex infections.

Get WP Folder Shield to protect your site from future malware infections with comprehensive security features.

Share:
D
Written by David Kim

WP Folder Shield Team

Related Articles

The Ultimate Guide to WordPress Security in 2026
The Ultimate Guide to WordPress Security in 2026

Learn how to protect your WordPress website from hackers, malware, and security threats with this...

January 15, 2026
How to Scan Your WordPress Site for SEO Spam and Hidden Malicious Content
How to Scan Your WordPress Site for SEO Spam and Hidden Malicious Content

Learn effective methods to scan your WordPress site for hidden SEO spam, malicious links, and...

January 13, 2026
How to Protect Your WordPress Uploads Folder from Malware
How to Protect Your WordPress Uploads Folder from Malware

The wp-content/uploads folder is one of the most vulnerable directories in WordPress. Learn how to...

January 13, 2026

Ready to Secure Your WordPress Site?

Get complete protection with WP Folder Shield.

Get Started