How to Remove Malware from a Hacked WordPress Website Print

  • 0

At, we devote every day of the week to helping agencies and entrepreneurs overcome issues with their websites. One of the most frequent support requests we receive is to repair hacked websites. In this article, we’ll review the steps to remove malware from a WordPress installation. Please note that this guide is not meant to be a catch-all solution to repair all types of hacks. But rather an overview and proposed process on how to proceed when a WordPress site is compromised.

Whatever the situation, it’s super important to stay cool!

Cat hacked

Internal links:

  1. Access details
  2. Back up
  3. Maintenance mode
  4. Scan
  5. Update WordPress
  6. Plugins
  7. Themes
  8. Users
  9. Unwanted content
  10. New passwords
  11. WAF and optimization
  12. Google Search Console review
  13. Additional considerations

After reading this article, if you find the task to be out of your comfort zone, please don’t hesitate to review our WordPress malware removal service.

1. Access details

The first step is to get access to your hosting account’s control panel. For most WordPress administrators that’s cPanel or Plesk. If you are in a managed hosting environment, you will need access to your file system and database.

Likewise, you will also need a WordPress administrator account.

2. Back up

Even though your website may be infected, it’s important that you make a backup for your WordPress installation. Why may you ask yourself? Many hosting companies will either suspend your account and in some cases delete your website. It may sound a little extreme, but its common practice to prevent other systems on their network from getting infected.

To make a backup of your site, you can use the popular Updraft Plus plugin. Don’t forget to make a copy of your database and download your backup files to your computer. You’ll feel safer knowing that you have a copy of your site on hand!

3. Maintenance mode

To temporarily protect your website users, you should upload a maintenance page. A hacked site may redirect your visitors to pornographic, gambling and malicious sites. The last thing you want as a business owner is to harm your customers.

There are two easy ways to upload a maintenance page.

The first is to install a plugin like SeedPro’s Coming Soon Page & Maintenance Mode.

Another option is to rename your index.php file and upload a simple index.html in your root directory.

4. Scan

In one of the prior blog posts, we compiled a list of the best malware scanner plugins for WordPress.

When we are assigned the task of removing malware from a WordPress website we use two plugins for our initials scans. The first is WordFence and the second is GOTMLS by Eli Scheetz.

WordFence is packed with features and options, you can read more about their extensive settings on their documentation page here.

After installing the plugin, head over to the Scan page and click on “Scan Options and Scheduling“. You will want to set WordFence to run a “High Sensitivity” scan.

WordFence malware scan settings

Depending on your server’s resources, you may need to adjust the performance settings accordingly.

WordFence performance options

Once the scan is complete, the software will compile a list of infected files on your system, outdated and vulnerable plugins as well as suspicious content and spammy URLs.

In a similar fashion, GOTMLS (a super cool plugin) will scan your WordPress installation for malware and known exploits.

Install the plugin and register for a free account. Then proceed to download the latest security definitions.

GOTMLS - Anti-Malware Security and Brute-Force Firewall

Run a complete scan and go have a cup of coffee! It will take some time. We often find that GOTMLS and WordFence complement each other. Either one or the other catches something that the other might miss.

Once the scan results are in, take your time to slowly go through the list. The results will help you get an understanding of the infection. Be it whether a plugin, theme or core WordPress files have been compromised.

It’s also worth noting that both malware scanners are not 100% accurate. Check your installation’s most important files manually for malicious code that the scanners might have missed (more on that in the next steps).

5. Update WordPress

By updating WordPress to its latest version, we are replacing the:

  • wp-includes directory
  • wp-admin directory
  • root files

with a fresh copy. Effectively, removing any hacked files in those locations.

We have written a short tutorial on how to update WordPress using the popular FileZilla FTP client.


Whatever you do, make sure you don’t delete the wp-content directory and wp-config.php file. The wp-content directory is where all your theme and plugin files are stored as well as your images. While wp-config.php is used to connect your application to the database.

6. Plugins

Running and keeping vulnerable plugins on a website is one of the most common reasons why WordPress sites hacked!

To help you sort through your plugins, WordFence will list the plugins that:

  • Need to be updated
  • That are vulnerable
  • That are abandoned
  • That have been removed from the WordPress repository

Replace, update and delete as necessary.

Then head back over to your scan results from GOTMLS and WordFence and double check which plugins have been flagged with malicious content.

You can either remove the malicious content from the plugin or delete the plugin and re-install a fresh copy from the WordPress repository.

If you are not using a plugin, delete it.

You can also head over to the WPScan Vulnerability Database and check for any listed vulnerabilities.

Naturally, if you installed a premium plugin for free (nulled plugin), don’t be surprised if you find a backdoor or that your site is being used in some way without your authorization!

7. Themes

If your website is infected with malware, you’ll want to pay extra attention to your theme files.

We often find that customers have dozens of themes in their theme directory.

If you are not using a theme, delete it.

In your theme directory, you should have a fresh copy of the default twenty-something theme and your active theme.

For your active theme, replace it with a clean copy or an updated version.

If you have a child theme, update the parent theme and manually review child theme for any unwanted code. Pay extra attention to your child theme’s functions.php, index.php, header.php and footer.php.

8. Users

phpmyadmin users

A common tactic for hackers is to create an account which they can use to access your website.

To address this issue, we need to login to our control panel and open PHPMyAdmin. Then, open our database and select the user’s table.

Review the entries for any accounts that were not created by you.

You can also review your website’s users in the WordPress dashboard (accounts may be hidden).

If you find an unauthorized user, delete the account as well as any content attributed to the user.

9. Unwanted content

Up to now, we have been working on our site’s core files, themes, and plugins. But we have not reviewed our site’s content.

In some cases (e.g. pharma and SEO hack), links may be injected into your pages and blogs posts. Removing content page by page is only feasible if your website consists of a few pages. However, if you have a couple hundred pages, you will need to run a search and replace in your database.

To help with the task, we often use the Better Search Replace plugin by Delicious Brains.

Better search replace

Find a pattern in the hack, and enter it into the “Search for” field and leave the “Replace with” field empty.

Then select the table you would like to run the search and replace query on.

If you select “Run a dry run”, no changes will be made to the database, allowing you to check the results beforehand.

On the same issue, pay extra attention to sensitive pages like the contact, cart and checkout page. If you have custom fields (e.g. footer and header script fields), make sure that no devious scripts have been added to them.

10. Passwords

This part is simple, reset everything!

Start with your wp-config.php file. Reset your database password and create a new set of security keys.


  /** MySQL database password */
  define('DB_PASSWORD', 'password_here');
  * Authentication Unique Keys and Salts.
  * You can generate these using the {@link secret-key service}
  define('AUTH_KEY', 'put your unique phrase here');
  define('SECURE_AUTH_KEY', 'put your unique phrase here');
  define('LOGGED_IN_KEY', 'put your unique phrase here');
  define('NONCE_KEY', 'put your unique phrase here');
  define('AUTH_SALT', 'put your unique phrase here');
  define('SECURE_AUTH_SALT', 'put your unique phrase here');
  define('LOGGED_IN_SALT', 'put your unique phrase here');
  define('NONCE_SALT', 'put your unique phrase here');


Then proceed to reset your user account passwords. Naturally, use strong passwords and not something silly like the name of your blog or “starwars”.

11. WAF and optimization

At this stage in the process, your WordPress installation should be free of malware. To double-check, you can always re-scan your application.

Moving forward, you will want to implement a few security measures to protect your website. One of the options available to you is to install a web application firewall (WAF).

Two popular service providers include Sucuri and WordFence.

Since we scanned our website with WordFence, we may just as well activate their WAF (the basic version is also free). If you want to learn more about the plugin, we have a cool tutorial on how to install and configure Wordfence where we examine the features in more detail.

Head over to the WordFence dashboard, in the firewall tab select “All Firewall Options”.

Brute force protection

One of the first optimization measures you can implement is brute force protection. Brute force protection will limit and block invalid login attempts on your website.

Naturally stricter rules are better, but be careful not to lock yourself and your users out!

Brute force protection

Rate limiting

Another helpful feature built into WordFence is rate-limiting. Rate limiting will monitor your visitors and either throttle or block them depending on their activity on your site. For instance, if a human visits more than 15 pages in a minute, we’ll limit their access to the website for 30 minutes. Likewise, if someone targets a vulnerable URL, we’ll block their IP.

Adjust the settings to your needs, may need a little tweaking and adjusting to get it right for your website.

Rate limiting

File permissions

According to the WordPress’s official documentation, your permissions should be set as follows:

  • Folders – 755
  • Files – 644

Permissions can be updated via FTP and command line. In any case, it doesn’t harm to send an email to your hosting provider as changing your permissions can have adverse effects on the performance and availability of your site.

At all cost, avoid having files or directories set to 777!


Additional hardening can be achieved by limiting access and preventing file execution in certain directories.

To prevent access to the wp-includes directory, add the following mod_rewrite rule to your .htaccess file:


  # Block the include-only files.
  <IfModule mod_rewrite.c>
  RewriteEngine On
  RewriteBase /
  RewriteRule ^wp-admin/includes/ - [F,L]
  RewriteRule !^wp-includes/ - [S=3]
  RewriteRule ^wp-includes/[^/]+\.php$ - [F,L]
  RewriteRule ^wp-includes/js/tinymce/langs/.+\.php - [F,L]
  RewriteRule ^wp-includes/theme-compat/ - [F,L]


The wp-content/uploads directory is where your images and files are uploaded to. In most cases, PHP files have no business there. To stop the execution of PHP files you can add an .htacess file to the directory with the following syntax:


  # Kill PHP Execution
  <Files ~ "\.ph(?:p[345]?|t|tml)$">
  deny from all


wp-config.php is one of the most important files in a WordPress installation. By placing the following syntax in your .htaccess file you can deny all access to it.


  # Deny wp-config.php
  <files wp-config.php>
  order allow,deny
  deny from all



Most business and brochure websites don’t need an API to remotely communicate with their website. If you want to disable the feature, you can do so by:

Adding the following your .htaccess file:


  # Deny xmlrpc.php
  <files xmlrpc.php>
  order allow,deny
  deny from all


And the following to your functions.php:

add_filter( 'xmlrpc_enabled', '__return_false' );

And don’t forget to disable pingbacks and trackbacks in your discussion settings.

Be aware that popular plugins like JetPack use XML-RPC and will not work if you disable it.


Most important of all, make sure WordPress and all plugins and themes are kept up to date!

12. Google Search Console review

If your website is blacklisted, your visitors may get a warning in their browser and from their anti-virus when visiting your website.

Enter the following URL to determine if your website has been blacklisted by Google:

Sign in to your Google Search Console account (ex. Webmaster Tools). On the left-hand side, click “Security Issues” and, once your site is clean, request a review.

If Google determines that your site is safe, the security warning will be removed from Chrome browsers. Other authorities (e.g. McAfee Site Advisor) that maintain blacklists have their own policy for removing and reviewing websites.

13. Additional considerations

Steps 1 through 12 will help you restore your website in good order.

Based on my experience as a website mechanic, I thought I would include a few considerations that you may have to account for when removing malware from a WordPress website.

Hosting company

Every hosting company is a little different. Some providers take security more seriously than others. That being said, it’s possible that your website was compromised due to lax security measures at the hosting level.

Choosing a hosting company is like choosing a place to live. Preferably, you want to live a neighborhood that is affordable and safe. The same logic applies to your website.

Old installations

Most of us, on our server, have a bunch of old websites and WordPress installations floating around!

Perhaps, a few years back when you were getting started with your online business, you created a few test websites to get familiar with the way WordPress works. But did you delete those websites? And are you aware that those sites are accessible on the web?

As a rule of thumb, delete every old installation on your server.

We have worked on several projects where the main site was adversely affected by old sites being riddled with outdated software and malware.

Shared hosting

Here is a common (and unfortunate) scenario where AgencyXYZ manages a shared hosting account.

The main (or root) website is AgencyXYZ manages the websites of dozens of clients.

The client websites are hosted on the same server in the same public_html directory. The sites were created using cPanel’s addon domain feature.

As a result, when one site gets compromised all the other sites on the server soon follow.

In this case, you will need to go through steps 1 to 12 for each individual website. If possible, you could also create a separate hosting account for each client and migrate the sites!


Finally, it’s pretty common for websites that have been hacked to be blacklisted. In short, “Blacklists” are lists of websites, domains, and IP addresses that have been flagged for distributing harmful content.

If you’re blacklisted, have a look at our website blacklist removal guides to get those scary browser warnings sorted!

Final thoughts

Picard Fix Website

Having your website hacked is an awful experience, but don’t take it personally. Most hacks on the net occur totally randomly.

Keep your cool and work systematically through the list.

Sooner than later, your site will be restored in good order.

But most important of all, every now and then, log in to your WordPress dashboard and update those plugins and themes!

Was this answer helpful?

« Back