Published 2026-06-22 · 586 words · 3 min read

WordPress Site Hacked: How to Clean Malware and Stop Reinfection

If your WordPress site has been compromised, acting quickly is critical to prevent SEO penalties and data theft. Follow this step-by-step technical guide to completely clean the malware and secure your server against future attacks.

Step 1: Isolate the Site and Take Backups

Before modifying any files, isolate your site to prevent the malware from spreading or communicating with malicious command-and-control servers.

  • Go Offline: Put the site into maintenance mode or restrict access via your .htaccess file to only allow your own IP address.
  • Export the Database: Export your WordPress database via phpMyAdmin or your hosting control panel. Malware rarely lives in the database, but keeping a backup is essential.
  • Back Up the Uploads Folder: Download only the wp-content/uploads/ directory. Do not back up core files, themes, or plugins, as these are likely infected.

Step 2: Replace WordPress Core Files

Do not attempt to manually find and delete malicious code in core files. Replacing them entirely is faster and safer.

  • Connect to your server via SFTP or SSH.
  • Delete all files and folders in your root directory except the wp-config.php file and the wp-content/ folder.
  • Download a fresh ZIP file of your exact WordPress version from WordPress.org.
  • Extract the ZIP and upload all files and folders (excluding the wp-content/ folder) to your server.

Step 3: Clean Plugins and Themes

Backdoors are commonly installed inside theme and plugin directories. You must replace these with fresh copies.

  • Navigate to wp-content/.
  • Delete the entire plugins/ directory. Reinstall your plugins one by one from the official WordPress repository or trusted premium vendors.
  • Delete your theme directories inside themes/ and reinstall clean copies. If you use a custom child theme, manually audit its files for unfamiliar code before re-uploading.

Step 4: Clean the Uploads Directory

Attackers often hide PHP backdoors inside media folders disguised as images or nested deep in monthly directories. Run this SSH command in your terminal to find any PHP files hidden in your uploads folder:

find wp-content/uploads/ -type f -iname "*.php"   # -iname is case-insensitive, so shell.PHP is caught too

If this command returns any results, delete those files immediately. The uploads directory should only contain media files (such as JPG, PNG, PDF), never executable PHP scripts.
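As an added example that is not part of the original article, the shell function below extends the single find command in Step 4: it matches the PHP-family extensions case-insensitively and also flags any file whose bytes contain a PHP open tag, whatever its extension, which is how a backdoor saved as image.jpg is found. The function names, the default directory and the constructed sample files are assumptions.

```shell
#!/bin/sh
# Added example, not the article's own code. Audits an uploads directory for
# scripts hidden among media files and prints one suspicious path per line.
#   Test 1 (extension): .php, .phtml, .phar, .php5, .php7 ... case-insensitive,
#                       so the .PHP variant that "*.php" misses is caught.
#   Test 2 (content):   any file containing the "<?php" open tag, regardless of
#                       its extension, so a backdoor named photo.jpg is caught.
# Usage: audit_uploads wp-content/uploads

audit_uploads() {
    dir="${1:-wp-content/uploads}"
    dir="${dir%/}"   # strip a trailing slash so both tests print identical paths
    {
        # Test 1: PHP-family extensions. -iname is the case-insensitive -name.
        find "$dir" -type f \( -iname '*.php' -o -iname '*.phtml' \
            -o -iname '*.phar' -o -iname '*.php[0-9]' \) -print
        # Test 2: PHP open tag inside any file.
        # -r recurse, -l print filenames only, -a treat binaries (images) as
        # text, -F fixed string so "<?php" is not read as a regex.
        grep -rlaF '<?php' "$dir" 2>/dev/null
    } | sort -u   # a file hit by both tests is listed once
}

# Number of suspicious files; a clean uploads directory yields 0.
audit_uploads_count() {
    audit_uploads "$1" | wc -l | tr -d ' '
}
```

Review every listed path by hand before deleting: a legitimate plugin occasionally stores a PHP file under uploads, but anything it did not put there should go.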

Step 5: Audit wp-config.php and Reset Salts

Open your wp-config.php file in a text editor and check for any injected code at the very top of the file (often starting with eval( or base64_decode( ). Delete any suspicious code.

Next, invalidate all active user sessions to kick out any logged-in attackers:

  • Go to the WordPress Salt Generator to generate a new set of unique security keys.
  • Replace the existing salt constants in your wp-config.php file with the new ones.
  • Change your database password in your hosting control panel, and update the DB_PASSWORD constant in wp-config.php to match.

Step 6: Stop Reinfection (Hardening)

Once clean, implement these hardening steps to prevent the vulnerability from being exploited again:

1. Block PHP Execution in Uploads: Create an .htaccess file inside wp-content/uploads/ and add the following code to prevent any uploaded scripts from executing:

# Apache 2.2 syntax. On Apache 2.4 without mod_access_compat use
# "Require all denied" instead. Nginx ignores .htaccess files entirely,
# so the equivalent rule must go into the server block configuration.
<Files *.php>
deny from all
</Files>

2. Correct File Permissions: Ensure your file permissions are restrictive. Run these commands via SSH:

# Run from the WordPress root: directories 755, regular files 644
find . -type d -exec chmod 755 {} \;
find . -type f -exec chmod 644 {} \;

3. Reset All Credentials: Change passwords for all WordPress administrator accounts, database users, SFTP/FTP accounts, and your hosting control panel. Use strong, randomly generated passwords.

Need this done? We handle this hands-on at GuardLabs — get in touch for a quote.
