A hacked website can be a nightmare for any WordPress user. It may slow down, show unwanted pop-ups, or even redirect visitors to unsafe websites. If you don’t take quick action, it can damage your reputation and cause loss of traffic and sales.
WordPress malware can come from many sources, such as outdated plugins, weak passwords, nulled themes, or unsafe hosting. But the good news is that it’s possible to remove the malware and bring your site back to normal without losing your content or data.
In this blog post, I will show you two easy methods to remove malware from your WordPress site. I hope this guide is helpful to all kinds of website users. Let’s begin with how to remove malware from WordPress websites.
What Is WordPress Malware?
Malware is harmful code that someone hides on your website without your permission. On WordPress, it usually lives inside your files or your database. It can do many bad things, such as:
- Send your visitors to spam or scam websites
- Show ads, pop-ups, or pills/casino text you never added
- Steal logins, customer data, or credit card details
- Use your server to attack other websites
- Get your site flagged by Google or blocked by browsers
Most hacks happen because of an old plugin, an old theme, a weak password, or an outdated WordPress core. The good news: once you find the bad code, you can remove it.

Signs Your WordPress Site Has Malware
There are several signs that indicate malware. Once you know them, you can quickly tell whether your site has been affected. Here are the signs:
- Google shows a “This site may be hacked” or “Deceptive site ahead” warning.
- Your site redirects visitors to a strange website.
- You see new posts, pages, users, or files you did not create.
- Your site is slow, or your host suspends your account.
- Search results show spam words (like pills or gambling) under your site name. This is often called a “Japanese SEO” or “pharma” hack.
- Your antivirus blocks your own site.
- Customers email you saying the site looks broken or unsafe.
If you see even one of these, scan your site right away.
Before You Start Removing Malware from Your Site: 4 Things to Do First
Do not skip this part. These steps can protect your site if something goes wrong during cleanup. They are:
- Make a full backup. Back up both your files and your database. If a repair removes too much, you can put things back. Use a backup plugin or ask your host for a copy.
- Tell your hosting company. Many hosts can give you a clean backup, server logs, or a scan of their own. Some will even help you clean the site.
- Work on a copy if you can. If you know how to use a staging site, clean the staging copy first, then push it live. If not, that is okay—just keep your backup safe.
- Write down what you changed. Keep a simple note of every file you delete or repair. This helps you undo a mistake.
Note: A backup of an infected site still has the malware in it. Only use that backup to restore content, not to “go back to safe.” Treat every backup as possibly infected until you scan it.

Method One: Remove Malware WITHOUT a Plugin (2 Ways)
You can remove malware and clean your WordPress site without installing any plugin at all. Here are the two most reliable manual ways.
Way 01: Restore a Clean Backup (Fastest Manual Fix)
This is the quickest way to remove malware if you have a backup taken before the attack: simply restore that backup. Keep in mind that any content you added after the backup was made will be lost, so you will have to add it again once the restore is done.
Steps of How to Restore a Backup
Backups of your site may exist in more than one place. Good hosts, such as Hostinger, FlyWP, or Namecheap, usually keep regular backups, and you can restore one directly from the hosting control panel.
For example, my site is hosted on the Hostinger platform. Navigate to Websites → Manage → Backups. You’ll see the backups option as shown in the image attached below.

You can download the backups or restore them right away.

What to Do After the Backup Is Restored
As soon as the site is back, update WordPress core, all themes, and all plugins. The old version is what let the hacker in, so patch it fast.
Change your WordPress admin, hosting, FTP, and database passwords. Then run a scan (a plugin from Method Two is great here) to make sure the restored site is truly clean.
Way 02: Clean the Files and Database by Hand
Use this when you have no clean backup, or you want full control. It takes more time, but it works. You will need access to your files through FTP/SFTP or your host’s File Manager, plus access to your database through phpMyAdmin.
Warning: This method touches core files and the database. Back up first (Safety Step 1). One wrong delete can break the site, so go slowly.
Steps of Cleaning the Files and Database
This process has several steps. If you are not technical, I recommend skipping this method, for the reason given in the warning above.
Step 1: Scan your computer first
Make sure your own computer is virus-free. If your PC is infected, a hacker can re-steal your logins right after you clean the site.
Step 2: Reinstall WordPress core files
The WordPress core files are the same for everyone, so you can safely replace them with fresh copies. Download a fresh copy of WordPress from wordpress.org.

Connect to your site with FTP/SFTP or File Manager. Do not touch the wp-content folder or the wp-config.php file yet. Delete the wp-admin and wp-includes folders, then upload the clean ones from your fresh download.
Replace the loose core files in the main folder (like index.php, wp-login.php, and the other root .php files) with the fresh ones. This single step removes a lot of file-based malware, because it overwrites infected core files with clean ones.
Step 3: Reinstall themes and plugins fresh
Hackers love to hide code inside themes and plugins.
Make a list of every plugin and theme you use. Delete them all from the wp-content/plugins and wp-content/themes folders.
Reinstall each one from a trusted source: the WordPress.org directory, or the official seller for paid (premium) items. Do not reuse the old files — they may be infected.
Delete any theme or plugin you do not actually use.

Step 4: Check the uploads folder and wp-config
Open wp-content/uploads. This folder should hold images and media — not .php files. If you see a .php file here, it is almost certainly malware. Delete it.

Open wp-config.php and read it carefully. Remove any odd code you did not add, especially long lines of scrambled text near the top. Be careful — only remove code you are sure is bad.
Look for stray files with random names (like wp-xyz123.php) in the main folder. These are common backdoors. Remove them if they are not real WordPress files.
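The three file checks in Step 4 (PHP files in uploads, random-named files in the root, and core files that no longer match a clean download) can be run as one script before you delete anything by hand. The code below is an added example, not the article's own code. It assumes a standard WordPress directory layout and a checksum map shaped like the one served by api.wordpress.org/core/checksums/1.0/ (relative path to MD5 hex); the demo site tree and its checksums are constructed inline so the script runs offline. It only reports findings; it never deletes.

```python
"""Offline triage of a WordPress file tree for the Step 4 checks (added example)."""
import hashlib
import tempfile
from pathlib import Path

# Files that belong directly in the WordPress root. The stock names come from a
# clean download; wp-config.php is site-specific but legitimate.
STOCK_ROOT_FILES = {
    "index.php", "wp-activate.php", "wp-blog-header.php", "wp-comments-post.php",
    "wp-config.php", "wp-config-sample.php", "wp-cron.php", "wp-links-opml.php",
    "wp-load.php", "wp-login.php", "wp-mail.php", "wp-settings.php",
    "wp-signup.php", "wp-trackback.php", "xmlrpc.php",
}

# Extensions a web server may hand to the PHP interpreter; none belong in uploads.
PHP_SUFFIXES = {".php", ".phtml", ".phar", ".php5", ".php7"}


def php_in_uploads(root: Path) -> list[str]:
    """Return every PHP-executable file under wp-content/uploads."""
    uploads = root / "wp-content" / "uploads"
    if not uploads.is_dir():
        return []
    return sorted(
        p.relative_to(root).as_posix()
        for p in uploads.rglob("*")
        if p.is_file() and p.suffix.lower() in PHP_SUFFIXES
    )


def unexpected_root_files(root: Path) -> list[str]:
    """Return root-level PHP files that are not part of a stock install (e.g. wp-xyz123.php)."""
    return sorted(
        p.name for p in root.iterdir()
        if p.is_file() and p.suffix.lower() in PHP_SUFFIXES and p.name not in STOCK_ROOT_FILES
    )


def verify_core_checksums(root: Path, checksums: dict[str, str]) -> dict[str, str]:
    """Compare core files with known-good MD5s; returns {path: 'modified' | 'missing'}."""
    problems = {}
    for rel, expected_md5 in checksums.items():
        path = root / rel
        if not path.is_file():
            problems[rel] = "missing"
            continue
        if hashlib.md5(path.read_bytes()).hexdigest() != expected_md5:
            problems[rel] = "modified"
    return problems


def scan(root: Path, checksums: dict[str, str]) -> dict:
    """Run all three checks and return the findings for human review (nothing is deleted)."""
    return {
        "php_in_uploads": php_in_uploads(root),
        "unexpected_root_files": unexpected_root_files(root),
        "core_problems": verify_core_checksums(root, checksums),
    }


# --- Constructed demo site (no real malware: the "injected" content is an inert comment) ---
CLEAN_INDEX = b"<?php\nrequire __DIR__ . '/wp-blog-header.php';\n"
CLEAN_VERSION = b"<?php\n$wp_version = 'demo';\n"
DEMO_CHECKSUMS = {  # constructed; a real run uses the full map for your exact version
    "index.php": hashlib.md5(CLEAN_INDEX).hexdigest(),
    "wp-includes/version.php": hashlib.md5(CLEAN_VERSION).hexdigest(),
}


def build_demo_site() -> Path:
    """Create a throwaway WordPress-like tree containing one problem of each kind."""
    root = Path(tempfile.mkdtemp(prefix="wp-demo-"))
    media = root / "wp-content" / "uploads" / "2024" / "05"
    media.mkdir(parents=True)
    (root / "wp-includes").mkdir()
    (root / "wp-includes" / "version.php").write_bytes(CLEAN_VERSION)       # untouched core file
    (root / "index.php").write_bytes(CLEAN_INDEX + b"/* injected line */\n")  # tampered core file
    (root / "wp-login.php").write_bytes(b"<?php // stock name, not in demo checksum map\n")
    (root / "wp-xyz123.php").write_bytes(b"<?php // random-name file placeholder\n")
    (media / "photo.jpg").write_bytes(b"\xff\xd8")                           # normal upload
    (media / "image.php").write_bytes(b"<?php // should never be in uploads\n")
    return root


if __name__ == "__main__":
    site = build_demo_site()
    for key, value in scan(site, DEMO_CHECKSUMS).items():
        print(f"{key}: {value}")
```

For the checksum part on a real site, WP-CLI's `wp core verify-checksums` performs the same comparison against the official map for your installed version; the script above shows what that check does, and adds the uploads and root-folder sweeps next to it.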

Step 5: Clean the database
Some malware hides in the database, not the files. Open phpMyAdmin from your host. Export (back up) the database before changing anything.
Look in the wp_users table for admin accounts you do not recognize. Remove fake users. Search your wp_posts table for spam links or hidden code, like <script> tags or links to sites you never added.
Check the wp_options table for strange entries in siteurl and home (a redirect hack changes these). They should point to your real site address.
If reading database tables feels too risky, stop here and use a scanner plugin from Method Two to help find database malware — or hire a pro.
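The three database checks in Step 5 (unknown admin users, hidden code in posts, and a changed siteurl/home) map to three queries. The block below is an added example, not the article's own code: it runs those queries against a constructed SQLite copy of the wp_users, wp_usermeta, wp_posts and wp_options tables so it works offline, and the SQL strings are plain enough to paste into phpMyAdmin's SQL tab. It assumes the default wp_ table prefix (WordPress stores the role in wp_usermeta under the key wp_capabilities); the known-admin list, the expected URL and every row are made up for the demo.

```python
"""Step 5 database triage queries, demonstrated on a constructed SQLite copy (added example)."""
import sqlite3

KNOWN_ADMINS = {"editor_jane"}            # assumption: the admin logins you recognize
EXPECTED_SITE_URL = "https://example.com"  # assumption: your real site address

# Admin accounts: the role lives in wp_usermeta as a serialized PHP array.
SQL_ADMIN_USERS = """
SELECT u.ID, u.user_login, u.user_email, u.user_registered
FROM wp_users AS u
JOIN wp_usermeta AS m ON m.user_id = u.ID
WHERE m.meta_key = 'wp_capabilities'
  AND m.meta_value LIKE '%administrator%'
"""

# Patterns that rarely belong in ordinary post content; review hits by hand, do not bulk-delete.
SQL_SUSPICIOUS_POSTS = """
SELECT ID, post_title, post_type, post_status
FROM wp_posts
WHERE post_content LIKE '%<script%'
   OR post_content LIKE '%<iframe%'
   OR post_content LIKE '%eval(%'
   OR post_content LIKE '%base64_decode(%'
   OR post_content LIKE '%display:none%'
"""

SQL_SITE_URLS = """
SELECT option_name, option_value
FROM wp_options
WHERE option_name IN ('siteurl', 'home')
"""


def unknown_admins(conn, known_logins):
    """Admin logins you do not recognize (candidates for removal after checking)."""
    rows = conn.execute(SQL_ADMIN_USERS).fetchall()
    return sorted(login for _id, login, _mail, _reg in rows if login not in known_logins)


def suspicious_post_ids(conn):
    """IDs of posts/pages whose content matches one of the injection patterns."""
    return sorted(row[0] for row in conn.execute(SQL_SUSPICIOUS_POSTS))


def wrong_site_urls(conn, expected):
    """siteurl/home values that do not point at your real address (redirect-hack symptom)."""
    return {name: value for name, value in conn.execute(SQL_SITE_URLS)
            if value.rstrip("/") != expected.rstrip("/")}


def triage(conn, known_logins=KNOWN_ADMINS, expected_url=EXPECTED_SITE_URL):
    """Run all three checks and return the findings for human review."""
    return {
        "unknown_admins": unknown_admins(conn, known_logins),
        "suspicious_post_ids": suspicious_post_ids(conn),
        "wrong_site_urls": wrong_site_urls(conn, expected_url),
    }


def build_demo_db():
    """In-memory stand-in for the WordPress tables, with constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
    CREATE TABLE wp_users (ID INTEGER PRIMARY KEY, user_login TEXT, user_email TEXT, user_registered TEXT);
    CREATE TABLE wp_usermeta (umeta_id INTEGER PRIMARY KEY, user_id INTEGER, meta_key TEXT, meta_value TEXT);
    CREATE TABLE wp_posts (ID INTEGER PRIMARY KEY, post_title TEXT, post_content TEXT, post_type TEXT, post_status TEXT);
    CREATE TABLE wp_options (option_id INTEGER PRIMARY KEY, option_name TEXT, option_value TEXT);
    """)
    admin_caps = 'a:1:{s:13:"administrator";b:1;}'   # how WordPress serializes the role
    conn.executemany("INSERT INTO wp_users VALUES (?,?,?,?)", [
        (1, "editor_jane", "jane@example.com", "2021-03-01 10:00:00"),
        (2, "wp_support_7731", "noreply@example.invalid", "2024-05-19 03:14:07"),  # constructed rogue admin
        (3, "guest_bob", "bob@example.com", "2023-01-01 00:00:00"),
    ])
    conn.executemany("INSERT INTO wp_usermeta VALUES (?,?,?,?)", [
        (1, 1, "wp_capabilities", admin_caps),
        (2, 2, "wp_capabilities", admin_caps),
        (3, 3, "wp_capabilities", 'a:1:{s:10:"subscriber";b:1;}'),
    ])
    conn.executemany("INSERT INTO wp_posts VALUES (?,?,?,?,?)", [
        (10, "Hello world", "<p>Welcome to the site.</p>", "post", "publish"),
        (11, "About", '<p>About us.</p><div style="display:none">cheap pills</div>', "page", "publish"),
        (12, "Contact", '<p>Call us.</p><script src="https://example.invalid/x.js"></script>', "page", "publish"),
    ])
    conn.executemany("INSERT INTO wp_options VALUES (?,?,?)", [
        (1, "siteurl", "https://example.com"),
        (2, "home", "https://example.invalid/redirect"),  # constructed redirect symptom
    ])
    return conn


if __name__ == "__main__":
    for key, value in triage(build_demo_db()).items():
        print(f"{key}: {value}")
```

If your site uses a custom prefix, replace wp_ in the table names and in the wp_capabilities key before pasting the queries into phpMyAdmin. The queries only read; decide on each hit yourself before deleting anything.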

Step 6: Reset secret keys and passwords
Change all passwords (WordPress, hosting, FTP, database).
Reset your WordPress security keys (salts). Your host or a simple tool can refresh these. This logs out anyone using a stolen session.
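Resetting the salts means replacing the eight define() lines in wp-config.php with fresh random values. The script below is an added example, not the article's own code: WordPress's official generator is https://api.wordpress.org/secret-key/1.1/salt/, and this reproduces values of the same shape locally with Python's secrets module, then swaps them into the config text and reports any key it could not find. The sample wp-config.php is constructed.

```python
"""Rotate the eight WordPress security keys/salts in wp-config.php text (added example)."""
import re
import secrets
import string

SALT_NAMES = (
    "AUTH_KEY", "SECURE_AUTH_KEY", "LOGGED_IN_KEY", "NONCE_KEY",
    "AUTH_SALT", "SECURE_AUTH_SALT", "LOGGED_IN_SALT", "NONCE_SALT",
)

# Printable ASCII minus quote characters and backslash, so every value is safe inside
# a single-quoted PHP string without escaping.
ALPHABET = "".join(
    c for c in string.ascii_letters + string.digits + string.punctuation
    if c not in "'\"\\"
)

# Matches define( 'AUTH_KEY', '...' ); with any spacing, for the eight known names only.
DEFINE_RE = re.compile(
    r"define\(\s*'(" + "|".join(SALT_NAMES) + r")'\s*,\s*'[^']*'\s*\);"
)


def new_salts(length: int = 64) -> dict[str, str]:
    """One fresh value per key from a CSPRNG; 64 characters, like the official generator."""
    return {name: "".join(secrets.choice(ALPHABET) for _ in range(length)) for name in SALT_NAMES}


def rotate_salts(config_text: str, salts: dict[str, str]) -> tuple[str, list[str]]:
    """Replace every existing salt define with its new value.

    Returns the updated text plus the names that were not found, so you can add
    those lines by hand and be sure all eight keys were rotated."""
    seen: set[str] = set()

    def replace(match: re.Match) -> str:
        name = match.group(1)
        seen.add(name)
        return f"define( '{name}', '{salts[name]}' );"

    updated = DEFINE_RE.sub(replace, config_text)
    missing = [name for name in SALT_NAMES if name not in seen]
    return updated, missing


# Constructed sample with the placeholder values a fresh wp-config-sample.php ships with.
SAMPLE_CONFIG = """<?php
define( 'DB_NAME', 'wpdemo' );
define( 'AUTH_KEY',         'put your unique phrase here' );
define( 'SECURE_AUTH_KEY',  'put your unique phrase here' );
define( 'LOGGED_IN_KEY',    'put your unique phrase here' );
define( 'NONCE_KEY',        'put your unique phrase here' );
define( 'AUTH_SALT',        'put your unique phrase here' );
define( 'SECURE_AUTH_SALT', 'put your unique phrase here' );
define( 'LOGGED_IN_SALT',   'put your unique phrase here' );
define( 'NONCE_SALT',       'put your unique phrase here' );
$table_prefix = 'wp_';
"""

if __name__ == "__main__":
    updated, missing = rotate_salts(SAMPLE_CONFIG, new_salts())
    print(updated)
    if missing:
        print("not found, add by hand:", ", ".join(missing))
```

On a real site, read wp-config.php, pass its text through rotate_salts, and write the result back over a backup copy; WP-CLI's `wp config shuffle-salts` does the same rotation in place. Everyone, including you, is logged out once the new values are live.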
Step 7: Confirm the site is clean
Reload your site and click around. Then run a scan (see Method Two) to double-check that no malware is left.
Method Two: Remove Malware WITH a Plugin (3 Best Plugins)
A plugin makes cleanup faster and easier, especially if you are not comfortable editing files by hand. Below are the three best WordPress security plugins for finding and removing malware: Wordfence, MalCare, and Sucuri. Each works a little differently.
Note: Use only one main security plugin at a time. Running two scanners together can slow your site and cause conflicts.
Plugin 01: Wordfence (Best Free Option)
Wordfence has a strong free version. The free plan can scan your site, repair infected WordPress core/theme/plugin files, and delete files that do not belong. That is enough to clean many common infections without paying.
How to remove malware with free Wordfence
Install it. In your dashboard, go to Plugins → Add New, search for Wordfence Security, then click Install Now and Activate.

Connect a free account. Wordfence now asks you to link your site to a free Wordfence account so it can get malware signatures and firewall rules. Choose the free option and enter your email.
Run a full scan. Go to Wordfence → Scan and click Start New Scan. Wait for it to finish.

Read each result. Open every result and check the file path and severity. You will see action buttons.
Repair real files. Click Repair to overwrite an infected core, theme, or plugin file with a clean copy. Use Repair All Repairable Files only after you trust the list.
Delete bad files. For strange files that the hacker added, click Delete File.

Scan again. Repeat until the scan comes back clean.
Plugin 02: MalCare (Best for One-Click Cleanup)
MalCare scans your site on its own servers (offsite), so it does not slow your website down. It is known for fast, one-click malware removal. Its scanner is free, but the automatic one-click removal is a paid feature.
How to remove malware with MalCare
Install it. Go to Plugins → Add New, search for MalCare Security, then install and activate it.

Create a MalCare account. Enter your email to connect your site to the MalCare dashboard. The first scan starts automatically.
Run the scan. MalCare scans your files and database on its own cloud servers. This keeps the load off your site.

Review the report. The dashboard shows exactly what was found, including hidden and database malware that file-only scanners often miss.
Clean the site. Click the Auto-Clean (one-click removal) button. MalCare removes the malware for you. (This cleanup step requires a paid plan.)
Confirm and protect. After cleaning, turn on its firewall and login protection to stop new attacks.

In addition to these, there are many other WordPress security plugins. You can explore their free versions and choose the best one for your website.
A Quick Comparison Between Wordfence and MalCare
Below is a quick comparison between Wordfence and MalCare so you can see at a glance how the two plugins differ.
| Feature | Wordfence | MalCare |
|---|---|---|
| Free scan | Yes | Yes |
| Free malware removal | Yes (repair + delete) | Limited (paid for auto-clean) |
| Finds database malware | Partly | Strong |
| Server load during scan | On your server | Offsite (low load) |
| Firewall | Yes (free, app-level) | Yes |
| Best for | Free DIY cleanup | Fast one-click cleanup |
Things to Do After Cleaning Up Malware from Your WordPress Site
Cleaning is only half the job. Unless you close the door the attacker used, your site may be hacked again. So, do the following things carefully:
- Change every password — WordPress, hosting, FTP/SFTP, and database. Use long, unique passwords.
- Update everything — WordPress core, all themes, and all plugins.
- Delete what you don’t use — fewer plugins and themes mean fewer ways in.
- Turn on two-factor authentication (2FA) — use an authenticator app (TOTP), not SMS text codes, which are being phased out. Wordfence free includes app-based 2FA.
- Limit login attempts — lock out users after too many wrong tries.
- Reset your security keys (salts) — this kicks out stolen sessions.
- Ask Google for a review — if Google flagged your site, request a review in Google Search Console once it is clean. The warning will be removed after Google rechecks.
Frequently Asked Questions (FAQ) on How to Remove Malware from WordPress Websites

In this section, I answer some questions that are commonly asked about WordPress malware removal.
Can I remove WordPress malware without a plugin?
Yes. You can restore a clean backup, or manually reinstall WordPress core files, reinstall fresh themes and plugins, and clean the database with phpMyAdmin. No plugin is required.
What is the easiest way to remove malware from WordPress?
For most people, the easiest free way is the Wordfence plugin: scan, then repair infected files and delete bad ones. If you have a clean backup from before the hack, restoring it is even faster.
What are the three best plugins to remove WordPress malware?
Wordfence, MalCare, and Sucuri. Wordfence is the best free option, MalCare is best for fast one-click cleanup, and Sucuri is best for monitoring plus professional cleanup on its paid plan.
Is it safe to delete the wp-admin and wp-includes folders?
Yes, if you replace them right away with fresh copies from a clean WordPress download. These core folders are the same for every site, so swapping them for clean versions is a common cleanup step. Always back up first.
How do I clean malware from the WordPress database?
Open phpMyAdmin, back up the database, then remove fake admin users from wp_users, delete spam code from wp_posts, and check wp_options for a changed site URL. If this feels risky, use a scanner like MalCare or hire a pro.
Will I lose my content when I remove malware?
Repairing core files and reinstalling plugins/themes does not delete your posts and pages, because your content lives in the database. Restoring an old backup can lose newer content, so copy any new posts out first. Always back up before you start.
My site keeps getting reinfected. Why?
There is likely a hidden backdoor file or database malware you missed, or an old plugin/theme is still vulnerable. Reinstall core files, reinstall premium items from the seller, update everything, change all passwords, and scan again. If it keeps coming back, get professional help.
How do I remove the Google “this site may be hacked” warning?
Clean the site fully, then open Google Search Console and request a security review. Google removes the warning once it confirms the site is clean.
Final Words
A WordPress malware infection looks scary, but you now have a clear path. No matter how secure they are, all the well-known websites in the world have faced hacking attempts at least once. So, you are not alone. Once your site starts gaining traction, somebody will surely try to hack it.
So, it is better to know how to clear malware. You should also put preventive security measures in place so that nobody can easily harm your site, and so that you get an instant notification whenever someone tries. I hope this saves you a lot of trouble.
If you find this article helpful, kindly let me know through the comment box below.