As a wordpress website owner, agency, or developer, there is nothing frustrating than waking up in the middle of the night and realizing that your wordpress site is infected with malware. It even becomes more annoying you really don’t know where to start to remove malware from the WordPress site.

As a WordPress website maintenance company,  we know that is means for a site to be hacked and the time you will take to restore the website or clean the malware infection if you don’t keep backups.

PS: It feels stupid when I see a online business owner running a wordpress website without having a backup system in place. A backup is critical to the security of your website.

WordPress websites get infected with malware all the time and care must be taken to clean up the malware infection before Google or other search engines finds out.

Why? If Google finds out that you are running a website that is infected with malware, you will get a 30 days block from the search engine. This means that your website will receive nearly zero traffic from search engines. This is enough to collapse your business’s reputation and hence your revenues.

Recommendation: To do ensure complete and fast malware removal I recommend you find a WordPress security expert to offer wordpress malware removal services for malware clean up but if you have actually been hacked, it is time to go for our advanced hacked WordPress website repair services.

Alternatively, if you want to do it on your own, here are 10 critical steps on how to clean malware from a wordpress website on your own (without outsourcing wordpress malware removal help).

Note that if you have an offsite or an offline backup all you need to do is to login to your Cpanel, delete all files, and restore your latest backup.

If you don’t have a backup, read on to learn how you can remove malware from a WordPress website.

Steps By Step Guide on How Remove Malware From Your WordPress Site

Now that you have decided to take the bold step (really bold step) to clean your malware infected website yourself, we have outlined the 10 things you need to do to ensure 100% malware removal from your site.

You can use the above table of content to make sure you go through all the steps listed below.

The very first step you must do after your site has been infected with malware is taking it down for maintenance. Google recommends creating a 503.php page where all your visitors will land when you are carrying out malware removal.

Here is the code you need to create a simple website on maintenance page.

Create a 503.php file and add the code below to the file.
header(“HTTP/1.1 503 Service Temporarily Unavailable”);
header(“Status: 503 Service Temporarily Unavailable”);
header(“Retry-After: 3600”);
<!DOCTYPE html>
<title>Site is temporarily unavailable due to maintenance</title>
<h1>Site is temporarily unavailable due to maintenance</h1>
<p>We expect to have the site back up within 4 hours.</p>

Save and close the file. Process to edit your .htaccess file with the code shown below

Options +FollowSymLinks
RewriteEngine On
RewriteBase /
RewriteCond %{REMOTE_ADDR} !^00\.00\.00\.00
RewriteCond %{REQUEST_URI} !^/503/php [NC]
RewriteRule .* /503.php [L,R]

Insert this code in your .htaccess file. Any page visited will redirect to 503.php page.
You should remove this code once you have fixed the malware infection.

1. Perform a WordPress Site (Offsite) Backup

Perfoming a backup of your wordpress backup is a core rule when you are maintaining a WordPress website on your own. Before you get started cleaning the malware infection, you need to keep a complete copy of your site just incase the clean up go wrong, you can always start again using the backup.

What is offsite backup? When it comes to wordpress backups, you can perform a backup and choose to either leave the backup on your hosting server, download it to your local machine, or upload it to dropbox, Google drive, or any othet file sharing service online.

Uploading the backup online or downloading it to your local machine is what is called creating an offsite backup.

Here is an amazing guide on how you can backup your entire WordPress website

Once you have successfully performed the backup, it is time to examine what kind of malware your WordPress site has been infected with. This is important if you are interested in tracing the malware injection.

I would also recommend you download the infected files to your machine. At this point, make sure that you have an antivirus software installed, just incase you are dealing with some kind of a virus attack.

It is always great to be safe than sorry. In the online world you don’t know what you dealing with unless you perfom a diagnosis first.

2. Inspect The Infected Files (One By One)

This might sound like alot of work, (and I bet it is) but it is what our WordPress malware cleaners go through when dealing with an infected WordPress website.

Once you have downloaded a copy of your infected website or blog, it is time to examine the files to look out for malware code.

Here are the five core areas you must be keen on:

1. Wodpress Core Files: Unless you have made modification to the wordpress core files, the best thing is to download a fresh copy of wordpress installation from These fies are many and cleaning each at a time is a hectic task.

2. WP-Config File: On your public_html folder on your server (this is the defaul location unless you have made some changes), you need to identify wp-config.php file. Check for any suspicious code and make note of Database Name, Password, Table prefix. You will need this information while restoring your site.

3. WP Contents Folder: This is the folder that houses you themes, uploaded images and , and plugins. Inside this folder (/wp-content), you will find:

(a.) Themes folder (…/wp-content/themes/): This is where all your themes are stored. You need to go through all the theme files to ensure none has been infected. If you still original files or if you can be able to download the files from the themes developer, you can compare the files to spot any suspicious code.

If you are using a poorly coded or secured theme, this might be the source of your infection. Most free themes are poorly coded and not great for you.

(b.) Plugins Folder (…/wp-content/plugins/): Examine the plugin files to kn ow whether they are infected. Unless you have custom plugin or a plugin related issue on your site, I recommend you to delete these files and install fresh files from the repository.

Before this it would be great if you are able to identify if you have installed a vulnerable plugin. A simple google search will show you most vulnerable plugins.

(c.) Uploads Folder (…/wp-content/uploads/): This folder contains all the files you have uploaded via the wordpress admin. You need to scan the files for infection using your local machine (computer) for viruses.

4. .htaccess File: If you are using an apache server, (most of the shared hosting services use apache), you must locate a .htaccess file.

Note the dot (.htaccess) in the begining of the file name. This means that this is a hidden file and can only be seen if you have activated the settings on your cpanel or you use filezilla to download your files.

What you will be looking for: A different web adress, an IP address, or any other kind of redirection.

5. Database Backup File: This comes as an SQL file or compressed SQL file. You will need this after cleaning a malware infection.

3. Delete all files from the server

Now that you have identified the malware infection, the next step would be to login to your server and delete everything in the public_html folder (or your document root).

Care should be exercised not to delete the cgi-bin folder or any other server files that might not be infected.

Note: If the infection goes beyond your website files to server files, this might be beyond you and you should contact your hosting company or hire a WordPress security expert to deal with the issue.

You can delete the files by manually logging into the cpanel file manager or use an FTP client.

4. Download and Install a Fresh Copy of WordPress

Once you have deleted the wordpress site files, you need to visit, and down the latest copy of wordpress.

Unzip the tar or zipped file and use your FTP client to upload the files to your server. Once you start the installation process, you need to to create a new wp-config.php and enter the data from your previous website. Only enter the database details: name, password, and prefix.

The next thing you need to do is to restore your database files.

5. Download and Install The WordPress Theme and Plugins

Once you have installed a fresh copy of wordpress, you need to login to your theme developers portal and download a new copy of the existing theme. If you had previously used a free theme or a nulled copy of wordpress theme, it is time you buy a new secure theme (this will cost you anywhere between $50 to $120). Themeforest is a good place to start where you can get cheap themes for your wordpress website.

You can also purchase Divi Theme builder and create a unique website on your own. The great thing about DIVI is that they offer support and updates (including security patches) all around the year, not to mention a growing and vibrant Divi community.

PS: Do not attempt to reinstall the previous theme (from the backup) as the malware might continue to spread meaning you will have wasted your time and effort.

Nulled wordpress themes are dangerous: Most of these themes contain backdoors where hackers and other malicious people gain access to your site. If you are a serious website owner, I don’t think the idea of using a nulled theme should cross your mind!

For plugins, log on to your wordpress admin and install the plugins directly from the wordpress repository. If you are installing a plugin from external sources, make sure that the developer can be trusted.

6. Force Admin Passwords and Change The Salt Keys

Now that you are about to bring your website back to life, you need to change the passwords of all admins to seal any loophole that the attacker might have used to get access to your system

Use of weak passwords is the number one cause of hacking or malware injection on wordpress website. Make sure that your new passwords are strong enough and not easy to guess.

Scan your users for suspicous users and delete them.

Generate New Salt Keys: Salt keys will help you keep your wordpress secure. You can generate these manually, but I would recommend a free plugin: Salt Shaker plugin. In many client sites, we use this plugin to automate and schedule the process.

8. Scan and Re-upload The Contents (Uploads Folder)

Remember the uploads folder (from the backup) where all images and uploaded documents are stored? You need to scan all the files using a computer with an up-to-date antivirus to rule out chances of infection.

Once you verify all your files are clean, use the FTP client to upload the files back to your server. Note that inside the uploads folder, there are other folders which hosts the actual files.

PS: Do not alter the folder structure or you will be left with so many broken links which might take alot of your time to fix.

9. Secure Your New WordPress Website

Now that you have managed to successfully clean malware from your wordpress website, you need to secure it to minimize the chances of other attacks. Here are some of the ways you can do this:

1. Install a Security Plugin: If you have the time and effort to make you site secure, this is the best option for you. There are many wordpress security plugins available. Most of these comes with a freemium model while others are available for free from the wordpress plugins repository. Some of the most recommended security plugins include: iThemes Security, Sucuri Security, and Wordfence Security

2. Purchase a Security Monitoring Plan: If the above option is not for you, I would recommend you pick our Wordress security monitoring plan and wordpress experts will take care of your website and fix it if anything goes wrong throughout the year. We keep an eye at your website while you sleep. Sounds great? We are online 24/7 there to resolve all your security concerns. For optimum security, choose the ‘WP Protect, Fix & Monitor’ package.

3. Outsource Website Maintenance and Management: This is for serious website owners, freelancers, and wordpress agencies. You can actually outsource complete website maintenance to our team so that you can attend to other business tasks. Checkout our WordPress care plans here. The ‘Vip Site Support’ package comes with all you need to run a successful website.


Maintenance By