How to Remove Malware From a Hacked WordPress Site
A hacked WordPress site usually shows one of a few symptoms: spam pages in Google's index, redirects to a sketchy domain, a "deceptive site ahead" warning, your host suspending the account, or unknown admin users. The cleanup below is the same sequence professional incident responders use: contain, scan, replace, clean the database, then close the hole. Skip the last step and you will be reinfected within days.
Two numbers to keep in mind before you start: per Patchstack's 2025 mid-year report, 91% of WordPress vulnerabilities live in plugins, not core, and 57% required no authentication to exploit. So the entry point is almost always an outdated plugin or a weak password — not WordPress itself.
1. Contain first (do not start deleting yet)
- Take a forensic backup. Copy the full file tree and a database dump before you change anything. The malware is your evidence of the entry point, and you will want a fallback if cleanup goes sideways (per Hostinger and Sucuri guides).
- Put the site in maintenance mode or take it offline so it stops serving spam/malware to visitors and to Google while you work.
- Rotate every credential: WordPress admin, database (the credentials stored in wp-config.php), FTP/SFTP, hosting panel, and the email account behind them. 81% of compromised sites had weak or stolen passwords as a contributing factor (Patchstack 2025), so this is not optional.
- Delete unknown admin users. Attackers almost always create a backdoor account. In Users → All Users, remove any admin you do not recognize, and attribute their content to a real user before deleting.
2. Scan to find the infection
Use at least one reputable scanner. The mainstream, actively-maintained options in 2025-2026:
- Wordfence — free server-side scanner and firewall; its signature DB is large, but free signature updates lag the paid tier by 30 days.
- Sucuri — free plugin scanner plus a remote scanner (sitecheck.sucuri.net); paid plans include hands-on removal and a cloud WAF.
- MalCare — scans off-site so it barely touches server resources; known for one-click cleanup.
- WPScan — best for the vulnerability side: it cross-references your plugin/theme versions against one of the most curated WordPress vuln databases, so it tells you how they likely got in.
Run both a file scan and a remote (browser-side) scan. A remote scanner sees what the site actually serves to visitors, so it catches injections that a compromised server can hide from a scanner plugin running on that same server.
3. Hunt for backdoors from the shell
If you have SSH, grep is faster and more thorough than any UI for the classic obfuscation patterns. Run these from the site root:
# classic obfuscated-execution backdoors
grep -rEl --include="*.php" "eval\s*\(|base64_decode\s*\(|gzinflate\s*\(|str_rot13\s*\(" .
# files changed in the last 7 days (malware drops are recent)
find . -type f \( -name "*.php" -o -name "*.js" -o -name ".htaccess" \) -mtime -7 -ls
# PHP files hiding in the uploads dir -- uploads should hold media, never code
find wp-content/uploads -name "*.php" -ls
Treat hits as leads, not verdicts — base64_decode appears in legitimate code too. Compare any suspicious core file against the same file in a fresh WordPress download. Per WPScan and Sucuri, modern attacks increasingly inject into legitimate core, plugin, and theme files rather than dropping a standalone malware.php, so do not stop at the first obvious hit.
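The shell hunt above as four POSIX sh functions, including an offline form of the "compare against a fresh download" check; this is an added example, not code from the original article, WP-CLI or any vendor tool. CLEAN is assumed to be an unpacked WordPress of the same version from WordPress.org and LIVE the forensic copy of the hacked site; the file names in the comments are illustrative.

```shell
#!/bin/sh
# Added example (not from the original article, WP-CLI or any vendor tool):
# an offline form of "compare against a fresh download" plus the grep/find
# leads above, as functions. CLEAN is an unpacked WordPress of the same
# version from WordPress.org; LIVE is the forensic copy of the hacked site.

# Files present in both trees whose bytes differ: candidate injections into
# legitimate core files. Prints one path per line, relative to the tree root.
modified_files() {
    clean="$1"; live="$2"
    (cd "$clean" && find . -type f | sort) | while IFS= read -r f; do
        [ -f "$live/$f" ] || continue   # a missing core file is a separate problem
        cmp -s "$clean/$f" "$live/$f" || echo "${f#./}"
    done
}

# Files the live tree has but a clean install does not: dropped backdoors.
# wp-config.php and wp-content/ legitimately exist only on the live site, so
# they are skipped here; obfuscation_hits still scans them.
extra_files() {
    clean="$1"; live="$2"
    (cd "$live" && find . -type f | sort) | while IFS= read -r f; do
        case "$f" in ./wp-config.php|./wp-content/*) continue ;; esac
        [ -f "$clean/$f" ] || echo "${f#./}"
    done
}

# PHP files anywhere in the live tree matching the classic obfuscated-execution
# idioms. Leads only: base64_decode also appears in legitimate plugin code.
obfuscation_hits() {
    grep -rEl --include='*.php' \
        'eval[[:space:]]*\(|base64_decode[[:space:]]*\(|gzinflate[[:space:]]*\(|str_rot13[[:space:]]*\(' \
        "$1" 2>/dev/null
}

# A PHP file under uploads/ is a verdict, not a lead: uploads should hold media.
php_in_uploads() {
    find "$1/wp-content/uploads" -type f -name '*.php' 2>/dev/null
}

# Usage: report_all CLEAN LIVE
report_all() {
    echo "== core files modified relative to clean copy"; modified_files "$1" "$2"
    echo "== files absent from clean copy (outside wp-content/)"; extra_files "$1" "$2"
    echo "== obfuscation leads"; obfuscation_hits "$2"
    echo "== PHP under uploads"; php_in_uploads "$2"
}
```

Run `report_all /path/to/clean-wordpress /path/to/forensic-copy`; anything under the first two headings is the diffing the text says is slow by hand.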
4. Replace core, plugins, and themes from clean sources
The most reliable file cleanup is wholesale replacement rather than line-by-line editing:
- Download a fresh copy of WordPress from WordPress.org matching your version.
- Delete wp-admin/, wp-includes/, and the root core files (index.php and the wp-*.php files, except wp-config.php), then drop in the clean copies. Keep your original wp-config.php and wp-content/ for now.
- Reinstall every plugin and theme from the official repository or the vendor — do not trust the copies on the server. Permanently remove anything nulled/pirated; that is a common infection source.
# with WP-CLI, verify core files against WordPress.org checksums
wp core verify-checksums
# list installed versions so you can cross-check them against WPScan
wp plugin list --fields=name,version,status
5. Clean the database -- or you will be reinfected
This is the step most rushed cleanups skip. A single backdoor row in wp_options or an injected admin can re-infect a fully cleaned file tree within days (per WPScan and Sucuri). Check for:
- Rogue admin users and unexpected entries in wp_users / wp_usermeta.
- Injected scripts in wp_options (look at siteurl, home, and any autoloaded option with encoded blobs).
- Spam content or hidden scripts in wp_posts.
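The three database checks above as shell functions over a mysqldump-style SQL dump, run before the dump is imported back; this is an added example, not code from the original article or any vendor tool. It assumes one INSERT per row (mysqldump --skip-extended-insert) and the default wp_ table prefix.

```shell
#!/bin/sh
# Added example (not from the original article or any vendor tool): the three
# database checks above, run against a mysqldump-style SQL dump before it is
# imported back. Assumes one INSERT per row (mysqldump --skip-extended-insert)
# and the default wp_ table prefix; adjust the table names if yours differ.

# Autoloaded wp_options rows (last field 'yes') that carry a script tag, a PHP
# execution call or a long base64-looking blob. Autoloaded options are read on
# every page load, which is why payloads are parked there. Prints option_name.
suspicious_options() {
    grep -E '^INSERT INTO `wp_options` ' "$1" |
        grep -E "'yes'\);?$" |
        grep -E '<script|eval\(|base64_decode|[A-Za-z0-9+/]{40,}={0,2}' |
        sed -E "s/^INSERT INTO \`wp_options\` VALUES \([0-9]+,'([^']*)'.*/\1/"
}

# The two options that redirect malware rewrites most often; confirm both
# still point at your own domain. Prints name=value.
site_urls() {
    grep -E "^INSERT INTO \`wp_options\` VALUES \([0-9]+,'(siteurl|home)'," "$1" |
        sed -E "s/^INSERT INTO \`wp_options\` VALUES \([0-9]+,'([^']*)','([^']*)'.*/\1=\2/"
}

# wp_posts rows whose content embeds raw script/iframe tags or a redirect.
# Prints the post ID so the row can be inspected and cleaned in place.
suspicious_posts() {
    grep -E '^INSERT INTO `wp_posts` ' "$1" |
        grep -E '<script|<iframe|window\.location|document\.write' |
        sed -E 's/^INSERT INTO `wp_posts` VALUES \(([0-9]+),.*/\1/'
}

# Every user_login in wp_users, for the rogue-admin review; cross-check the
# role in wp_usermeta (meta_key wp_capabilities) before deleting anyone.
user_logins() {
    grep -E '^INSERT INTO `wp_users` ' "$1" |
        sed -E "s/^INSERT INTO \`wp_users\` VALUES \([0-9]+,'([^']*)'.*/\1/"
}
```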
# search a DB dump for obfuscation before importing it back
grep -aE "eval\(|base64_decode|<script" database-dump.sql
6. Close the hole and clear warnings
- Update everything — core, plugins, themes. The median time from a public disclosure to mass exploitation is about 5 hours (Patchstack 2025), so an unpatched plugin is a live target.
- Remove vulnerable/abandoned plugins. 46% of vulnerabilities disclosed in 2025 had no developer patch available (Patchstack); if a plugin is unmaintained, replace it.
- Add hardening: 2FA on admin accounts, limit login attempts, and a WAF (Wordfence or Sucuri). This directly addresses the credential-stuffing and unauthenticated-plugin vectors above.
- Request a Google review. In Google Search Console → Security & Manual Actions → Security issues, confirm the fixes and request a review to clear the blocklist warning. Submit a reconsideration if your host blacklisted you too.
When to call in help
Clean it yourself if you have a recent clean backup, shell access, and the symptoms are contained. Get a professional if the site reinfects after cleanup, you have no clean backup, the host has suspended the account, or the malware is injected across many legitimate files — those cases need careful diffing against known-good sources, which is slow and error-prone by hand. No honest provider can promise a site is "100% un-hackable"; what a good cleanup delivers is a verified-clean site, a closed entry point, and hardening so the same hole cannot be reused.
Sources
- Patchstack — 2025 Mid-Year WordPress Security Report: patchstack.com
- Sucuri — How to Clean a Hacked WordPress Site: sucuri.net
- Hostinger — WordPress Malware Removal Tutorial: hostinger.com
- WPScan — WordPress vulnerability database and scanner: wpscan.com
- Wordfence — security scanner and firewall: wordfence.com
- Jetpack — WordPress Malware Removal: jetpack.com
Site hacked right now and you need it cleaned properly? We do hands-on WordPress malware removal — verified-clean site, the entry point closed, and hardening so the same hole cannot be reused. Get in touch at GuardLabs.