The most frustrating part for a website owner or developer is getting to know that their WordPress site is infected with malware and it becomes annoying when you have no idea where to start to remove that malware.

As an experienced WordPress website maintenance company,  we know what it means for a site to be hacked and the time needed for restoring the website or cleaning the malware infection if proper backups are not taken. A backup is critical to the security of your website.

WordPress websites are frequently infected with malware and care must be taken to clean up the malware infection before any search engine finds out.

Why is this needed?

Say if Google finds out that your website is infected with malware, you will get a 30 days block from the search engine which will result in nearly zero traffic from search engines and that will be enough to collapse your business’s reputation and hence your revenues.

What is the remedy?

To ensure a complete and fast malware removal, we recommend you to find a WordPress security expert who offers WordPress malware removal services for malware clean up but if there is a case of hacking, it is time to go for our advanced hacked WordPress website repair services.

Can I handle it myself?

Yes, if you want to do it on your own, here are 10 steps on how to clean malware from a WordPress website on your own that too without any outsourcing help for WordPress malware removal.


If you have an offsite or offline backup, simply login to Cpanel, delete all files and restore your latest backup. And if you don’t have a backup, read on to learn how to remove malware from a WordPress website.


Step By Step Guide on How to Remove Malware from your WordPress Site


1. Create a Website Maintenance Page (503.php)

The first step after a malware infection is taking your website down for maintenance. Google recommends creating a 503.php page where all your visitors will land during the malware removal process.

Following is the code you need on the maintenance page.

Create a 503.php file and add the code below to the file.

header(“HTTP/1.1 503 Service Temporarily Unavailable”);
header(“Status: 503 Service Temporarily Unavailable”);
header(“Retry-After: 3600”);
<!DOCTYPE html>
<title>Site is temporarily unavailable due to maintenance</title>
<h1>Site is temporarily unavailable due to maintenance</h1>
<p>We expect to have the site back up within 5 hours.</p>

Save and close the file. Process to edit your ‘.htaccess’ file with the code shown below

Options +FollowSymLinks
RewriteEngine On
RewriteBase /
RewriteCond %{REMOTE_ADDR} !^00\.00\.00\.00
RewriteCond %{REQUEST_URI} !^/503/php [NC]
RewriteRule .* /503.php [L,R]

Insert this code in your ‘.htaccess’ file. Any page visited will redirect to 503.php page.
Remove this code once you have fixed the malware infection.

2. Perform a WordPress Site (Offsite) Backup

Before cleaning the malware infection, you need to follow the core rule of creating a backup of your WordPress backup. Preparing for the worst-case scenario, you need to have a complete copy of your site just in case the clean up goes wrong.

What is the offsite backup? For WordPress backups, you can perform a backup and choose to either leave the backup on your hosting server, download it to your local machine, or upload it to Dropbox, Google Drive, or any other file sharing service.

Uploading the backup online or downloading it to your local machine is what is called creating an offsite backup.

For tracing the malware injection, download the infected files to your machine which has installed antivirus software, just in case you are dealing with some kind of a virus attack. Better to be safe than sorry. The stature of the malware is known after the initial diagnosis.

3. Inspect The Infected Files (One By One)

Does it sound like a lot of work? I bet it is and this what our WordPress malware cleaners go through when inspecting an infected WordPress website.

After downloading the website copy, examine the files to search for the malware code. Following are the core areas to concentrate:

  1. WordPress Core Files: In case you haven’t made any modification to the core files, Download a fresh copy of WordPress installation from as there will be many files and it will become a hectic task to clean each.
  2. WP-Config File: Default location – On the public_html folder on your server, identify the wp-config.php file. And check for suspicious code making notes of Database Name, Password, Table prefix (This data will be needed during site restoration).
  3. WP Contents Folder: This folder contains themes, uploaded images, and plugins. Here (/wp-content), you will find:

    • Themes folder (…/wp-content/themes/): This is a storage place for all your themes. Go through all the theme files and ensure none are infected and if you have original files then you can compare them to find any suspicious code. Generally, free themes are poorly coded and can be a cause of security concerns.
    • Plugins Folder (…/wp-content/plugins/): Examine the plugin files for any malware infection. Unless you have a custom plugin or a plugin related issue on your site, we recommend you to delete these files and install fresh files from the repository. You can do a Google search for finding vulnerable plugins.
    • Uploads Folder (…/wp-content/uploads/): All the files you have uploaded via the wordpress admin gets stored here. Scan the files with your antivirus software.

    .htaccess File: If you are using an apache server, you must locate a ‘.htaccess’ file. This is a hidden file and can only be seen on being activated from the settings on your cpanel or you use Filezilla to download your files.

    What should I look for inspecting? A different web address, an IP address, or any other kind of redirection.

  4. Database Backup File: This comes as an SQL file or compressed SQL file. You will need this after cleaning a malware infection.

4. Delete all files from the server

Once you have identified the malware infection, the next step is to delete everything in the public_html folder (or your document root). Do not delete the CGI-bin folder or any other server files that might not be infected.

Note: If the infection has reached your server files, you might not be able to take care of it and should probably contact your hosting company or hire a WordPress security expert to deal with the issue.

5. Download and Install a Fresh Copy of WordPress

After deleting the WordPress site files, visit and download the latest copy of WordPress. Use your FTP client to upload the files to the server. Once installation process starts, create a new wp-config.php and enter the data from your previous website. Only enter the database details: name, password, and prefix. Next is to restore your database files.

6. Download and Install The WordPress Theme and Plugins

On installing a fresh copy of WordPress, login to your theme developers portal and download a new copy of the existing theme. If you had previously used a free theme or a nulled copy of the WordPress theme, it is advised to buy a new secure theme (A good theme will cost anywhere between $50 to $150).

Note: Do not attempt to reinstall the previous theme (from the backup) as the malware might continue to spread meaning you will have wasted all of your time and efforts.

For plugins, log on to your WordPress admin and install the plugins directly from the WordPress repository. If you are installing a plugin from external sources, make sure that the developer can be trusted.

7. Force Admin Passwords and Change The Salt Keys

Just to seal any loopholes that hackers might have used, change the passwords of all admins. Weak passwords are the number one cause of hacking or malware injection on a WordPress website. Make sure that your new passwords are strong enough and not easy to guess.

Scan suspicious users and delete them from your application.

Generate New Salt Keys: Salt keys help you keep your WordPress secure. You can generate these manually or use a free plugin.

8. Reconfigure Permalinks

login to your WordPress admin -> Settings -> Permalinks and set the permalinks as desired and required. Just do a cross-check, try accessing your WordPress frontend to confirm that your main pages and posts are working fine.

9. Scan and Re-upload The Contents (Uploads Folder)

Scan all the files in the uploads folder with antivirus. Once checked, use an FTP client to upload the files back to your server.

Note: There are other folders within the uploads folder which hosts the actual files. And do not alter the folder structure else it will create so many broken links which will take plenty of time to fix.

10. Secure your New WordPress Website

After successfully clearing the website from malware infection, it is time to secure it for future attacks. Following ways can help with that:

  1. Install a Security Plugin: Most of the plugins are available free of cost from WordPress plugins repository. Our recommendation: iThemes Security, Sucuri Security, and Wordfence Security
  2. Purchase a Security Monitoring Plan: If getting a security plugin doesn’t seem promising then you can pot for our WordPress security monitoring plan. Our experts can take care of your website throughout the year. You can relax and have a sound sleep when your website is under the supervision of our skilled experts. We are available 24/7 for any security concerns.
  3. Outsource Website Maintenance and Management: Outsource your complete website maintenance to our team so that you can have more time for indulging in to other business tasks. Checkout our WordPress care plans