How to Clean Malware Virus from WordPress Site

How to Clean Malware Virus from WordPress Site

And knowing how to remove malware from a WordPress site is a skill every webmaster should have. Malware, which stands for “malware,” is a general term for malicious programs and files that can compromise a system. It can damage computers, servers, networks and websites. This article will tell you how to remove malware from your WordPress site.

1.How Can Malware Affect Your Site?

Although WordPress is well-maintained and secure, it has several vulnerabilities that can expose your site and its visitors to malware threats. That’s why paying attention to your site’s security is essential.

The following are some risks posed by malware:

  • Unwanted changes to your content or site, whether something is added or removed without your permission.
  • Compromised sensitive data, like users’ private information.
  • Spam, whether in the form of emails or suspicious links being spread from your site.
  • Your URL getting redirected to untrustworthy websites promoting scam, inappropriate content, or malicious ads.
  • A sudden spike in server resource consumption.
  • Google marking your site as unsafe on the browser and search results.
  • Negative impact on SEO (related to the point above).

Thus, it is absolutely essential to know how to maintain the latest protection and remove malware from your WordPress site.

2. Run a Scan on Your Computer

Our recommendation is to download your backup using an FTP client or file manager, then run a local scan of the backup.

To diagnose and fix potential issues in your site’s files, use an anti-virus system and a malware scanner such as Kaspersky or Malwarebytes. Changing your FTP password and re-uploading your site files will help identify and correct any issues that are detected during the scan.

3. Remove the Malware Infection

It’s possible to remove malware from a WordPress site in a few different ways. First, you will need FTP access or a file manager so you can access the site’s files.

Delete every file and folder except up-config.php and wp-content in your site’s directory.

Afterwards, open wp-config.php and compare its content with the same file from a fresh installation or wp-config-sample.php that can be found on the WordPress GitHub repository. Look for strange.

or suspiciously long strings of code and remove them. It’s also a good idea to change the password of your databases once you’re done inspecting the file.
  • Plugins – Erase the sub-folder containing all your installed plugins. They can be downloaded and installed again later.
  • themes – Make a fresh backup of your website and click on the ‘reinstall’ button if you’re not concerned about reinstalling your theme. If not, delete everything except your current theme and check for suspicious code.
  • uploads – check for anything you haven’t uploaded.
  • index.php – after you’ve deleted the plugins, erase this file.

4. Download a Fresh WordPress Copy to Install

Next, navigate to the wp-content directory and perform actions on these folders:

Upload the content to your website again using FTP or the file manager after re-downloading WordPress.

Locate the WordPress zip file in your file manager by clicking Upload Files. As soon as it’s uploaded, right-click the file or click Extract and define the directory where to save it. Besides the zip file, copy everything else to public_html.

Alternatively, you can use hPanel’s one-click installer and edit the credentials in the WP-config.PHP file to point it to your new installation.

5. Reset WordPress Password

It has involved multiple users in running the website when the breach was discovered. Every user’s password should be reset, they must log every account out, and we should delete any suspicious or inactive accounts.
Change the passwords to long, randomized strings that are inaccessible to brute force attacks. Use a password generator, it’s a great idea.

6. Re-Install Themes & Plugins

Now that you have removed malware from your WordPress site, re-install all the removed plugins and themes you had. However, be sure to leave out plugins that are outdated and no longer maintained.

While you’re at it, we advise you to install security plugins that can protect your WordPress site and easily remove malware in the future. Use one with a proven track record such as Malware, Videophones, or Sucuri.

How to Using a from WordPress Plugin Remove Malware?

If you want a faster way to remove malware from your site and can afford a premium service, you can purchase a WordPress security plugin.

We will show how to use Sucuri to remove malware from a WordPress site in this article. Here are some things it offers:

  • The server-side scanner (premium) and remote scanner (free). The former only detects malicious code on-site, while the latter also checks for it on the backend.
  • Replaces infected WordPress files with their original versions after detecting compromised WordPress files on your system..
  • Verifies whether your site is listed in blacklists using antivirus software and search engines.
  • Reinforces your site’s security to prevent malware attacks.
  • Notifies you whenever signs of malware activity are detected.
  • Sets up a firewall on your website (premium).

WordPress has a plugin repository where you can install Sucuri.

In order to fully utilize its features, you will need to go to the plugin’s dashboard and Generate an API Key.

You will need to refresh your malware scan after you have integrated the API service with your site. I will flag any suspicious files in the file log. As part of this tutorial, we added suspicious code to the index.php file of our test site.

Google SERP Removing the Warning Label

We have removed the malware from your WordPress site, but you still need to ask Google to remove the warning label:

  1. Register your website with Google Search Console. If you already have an account, you can skip to the third step.
  2. After that, verify it either using Domain or URL prefix.
  3. To access Security & Manual Actions, scroll down to the left tab. Click on Security Issues to reveal a drop-down menu.
  4. The report on the security of your site will appear, where you can request a review

Be sure to double-check whether you have successfully removed malware from your WordPress site before submitting a request. In any other case, it will be tagged as a repeat offender, and you won’t be able to request another review for 30 days..


Malware is a major issue that undermines the credibility and trust of your WordPress site while compromising the security of you and your users. In our review of how to remove malware from a WordPress site, we discussed two methods:

Manual removal, for which you need to:

  • Back up your site.
  • Scanning the backup locally with anti-virus and malware software is recommended.
  • Delete old or suspicious WordPress files and tweak your WordPress files to eliminate malware.
  • Check for suspicious users and reset all passwords.
  • Reinstall plugins and themes.

You can also use plugins to resolve the issues and improve your site’s security. We also learned how to remove the warning label that Google can place on your website. I hope these suggestions will help you speed up the process of restoring your WordPress site and keep future threats at bay.

Share this post

Leave a Reply

Your email address will not be published. Required fields are marked *