How to remove malware from your WordPress

How to remove malware from your WordPress

Are you looking for a comprehensive guide on how to remove malware from your WordPress site? If so, you’re in the right place.

In this blog post, we’ll cover everything from the basics of malware to useful tricks on how to remove malware from your WordPress. So, let’s get started!

What is malware?

Malware is a type of malicious software that can infiltrate your computer or website and cause damage. This can range from stealing confidential information to disrupting your website or even holding it hostage.

Malware can take many forms: viruses, worms, trojans, and even ransomware. It’s often spread through malicious links, suspicious file downloads, and even through vulnerabilities on your website. That’s why it’s crucial always to take measures to protect against malware and its repercussions.

If you have a WordPress site, you are especially vulnerable to malware attacks. This is because WordPress is one of the world’s most popular content management systems, making it an attractive target for malicious hackers.

Isn’t WordPress safe?

WordPress is continually evolving, adding enhancements, and most importantly, patching vulnerabilities. Due to the large number of WordPress users, it’s an attractive target for hackers who are also constantly innovating to discover flaws in the CMS and its plugins.

It’s not that WordPress is less secure than other CMSs, but security requires ongoing efforts from users that should not be overlooked.

How to remove malware from your WordPress step by step

If you’ve detected malicious code on your website, it’s essential to take measures to remove malware. While the easiest way is through tools like Wordfence, it’s crucial to be cautious when eliminating malware, as it can be challenging to rid of all malicious code traces.

Before you start

It’s also possible to manually remove any suspicious files and code from your site, as we’ll show you next. Be careful when undertaking these actions, and follow this guide only if you understand WordPress’s inner workings and can interpret the error log. Otherwise, you might render your WordPress inaccessible. If that happens, remember you can always restore the latest backup through the Control Panel.

How to restore a backup from your Hosting

Initial steps

The first step is always to check the injection’s source. Although one of the most common access points is through an outdated WordPress, it’s vital to inspect the device you typically access via FTP for viruses and malware.

Before starting to remove malware, it’s crucial to download the latest WordPress files from the official website. Once downloaded and extracted to your computer, connect via FTP to eliminate the infection.

A standard WordPress installation consists of several files, but most of them are generic across all installations. This means they can be deleted and replaced with the newly downloaded files, ensuring a clean installation. To accomplish this, start by deleting all files except .htaccess, wp-config.php (which contains all the data to connect to your database), and the wp-content folder (which has all the files and web content).

Final review

After removing everything, and before restoring the WordPress files you’ve downloaded, review the wp-config.php file to ensure no injected code. To check if the file is clean, compare it with the wp-config-sample.php file from your download. A code injection in this file is usually easy to spot as it appears as a long string, typically at the beginning or end of the file.

Comparison between two wp-config.php
wp-config.php infected

With the file corrected, check the wp-content folder. Delete all unused plugins since they can become significant security vulnerabilities if not updated. It’s also advisable to delete all themes except the current one and a default WordPress theme like Twenty Twenty Three.

Finally, re-upload all the WordPress files you downloaded earlier. Once your WordPress is restored, the last step is to change your installation’s password to a new, secure one.

How to prevent malware on your WordPress

The best way to secure your WordPress from malware is by taking preventative measures. Here are some tips to keep your WordPress site safe from malware:

  • Update or enable automatic updates for WordPress, its plugins, and themes.
  • Use secure passwords for your admin account.
  • Install security plugins like Wordfence.

By following these suggestions, you’ll increase your website’s security.


In this post, we’ve covered everything needed to remove malware from your WordPress site and how to prevent it in the future.

If you don’t have the time nor the expertise to remove malware from your site or update it to the latest version, you can subscribe our WordPress Consultancy services to help secure your website and keep it updated to protect against future attacks. What are you waiting for?