How to remove malware from WordPress and fix a hacked WP site

🖺 Last modified: 7th Dec 2021

💻 Experience: Intermediate - Expert

Hacker attacks on WordPress sites are not unusual; they happen on a daily basis. If you don’t take all available measures to protect your WP website, there’s a high chance that sooner or later it will be hacked and infected with malware. In this article we’ll show you how to manually remove malware from WordPress and quickly fix a hacked WP site.

How WP sites get hacked and infected with malware

There are several ways WP websites get hacked and infected with malicious code. In general, sites get hacked through exploitation of their vulnerabilities. However important it is, the security of a WP website is neglected too often. By learning how sites get infected and applying security measures, you can save yourself a lot of headaches and the time spent removing malware from WordPress.

  • brute force attacks on WP Login forms (weak password exploits)
  • exploits of vulnerabilities in outdated software (WP core, plugins, themes, etc.)
  • unverified plugins and themes, which can have security vulnerabilities or even backdoors
  • free or low-quality hosting providers, which often lack security standards

Since this article explains how to remove malware from WordPress sites, we’re not going too deep into security precautions. Always make sure to apply all possible security measures to repel potential hacker attacks.


How to identify a hacked WordPress website infected by malware

Since you’re reading this article, you probably already figured your WordPress website is hacked and infected with malicious code. Nevertheless, before we start to remove malware from WordPress, let’s quickly review symptoms indicating a site is hacked.

Visual front-end signs of a hacked website

  • slowed-down website or other suspicious behavior
  • website showing content, ads or banners not added by administrators
  • website not loading at all or redirecting to some other site
  • warning email from hosting provider about website fully or partly disabled due to malware detection
  • website blacklisted by Google – showing warning notice when accessed through search results

Hacked WordPress website signs visible through WP Dashboard and cPanel

  • WP Dashboard not working properly, unable to save changes, etc.
  • suspicious plugins not installed by website administrator
  • malware detected when scanning website with various WordPress security plugins
  • various suspicious .php files found on server using cPanel File Manager, not part of a standard WordPress installation
  • WordPress system files (index.php, wp-config.php…) containing unusual code

If you identified any of the symptoms of a hacked website mentioned above, you should start to remove malware from WordPress right away. Here’s how to do it simply and quickly.

Remove malware from WordPress using Wordfence

Scanning an infected WordPress website with the Wordfence security plugin reveals malicious .php files that should be removed right away.


Remove malware from WordPress website through WP Dashboard

This method is suited for cases of less harmful hacker attacks when you still can access your WP Dashboard. Even less experienced WP users should be able to remove malware from WordPress using this method. Here are the steps to perform in order to fix your hacked website.

NOTE: From our experience, this method will remove malware from WordPress and fix a website in most cases, but there’s no guarantee it will work for your specific case.

  1. change your login password into a new strong password (also change your cPanel password if you have access to it)
  2. backup your website using a backup plugin of your choice
  3. update WordPress, themes and plugins to their latest version
  4. uninstall any suspicious plugins that are not a part of your standard website configuration
  5. install the Wordfence security plugin
  6. run a scan of your website using Wordfence in order to detect all suspicious files, themes and plugins
  7. review the scan results, carefully delete malicious files and repair repairable files
  8. if you’re confident that deleting or repairing the files won’t damage your website, you can quickly delete and repair everything by clicking the Delete All Deletable Files and Repair All Repairable Files buttons
  9. check that your website works well and, if needed, reactivate or reinstall any plugins that might have been deactivated during the repair process
  10. change your WP login (and cPanel) password to a new strong password once again
  11. delete the infected website backup you initially made and make a new backup of the cleaned website

Additionally, if you have access to your web hosting cPanel, use its File Manager to review your WordPress installation file structure. Compare it to a clean WP installation structure and delete any suspicious files that might have been left behind by the Wordfence scan. Do this only if you’re familiar with your website file structure, so that you don’t cause any damage to the website itself.


How to remove malware from WordPress website manually through cPanel

In cases of more severe hacker attacks and stronger malware infections, a WordPress website can completely stop working or redirect to other malicious domains. In those cases the WP login screen is usually inaccessible and it’s impossible to get into the WP Dashboard. When that happens, the only way to remove malware from WordPress and fix a hacked website is to perform a manual cleanup using cPanel File Manager.

Remove malware from WordPress using cPanel File Manager

Comparing a clean WordPress installation (above) with a malware-infected one (below) in cPanel File Manager reveals suspicious files and folders.

This method practically consists of performing a complete manual WordPress re-installation, while keeping only the essential parts of the infected WP file structure. That’s because the infected WP installation usually contains many malware .php files, some of them hard to locate and delete. Furthermore, WP system files such as index.php, wp-config.php, wp-settings.php etc. are often injected with malicious PHP code, which can also be hard to find and remove completely.
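The comparison with a clean installation described here, and in the File Manager check of the previous section, can be scripted on a downloaded copy of the site. The Python sketch below is an added example, not part of the original article: the function names and the two tiny sample trees are constructed, and it assumes the clean tree is the same WordPress version as the site (otherwise files changed by an update also show up as modified). Files under wp-content/plugins and wp-content/themes are site-specific and still need a manual review.

```python
import hashlib
import os
import tempfile

EXPECTED_EXTRA = {"wp-config.php", ".htaccess"}  # site-specific, absent from a clean download

def file_hashes(root):
    """Map relative path -> SHA-256 for every file under root (hidden files included)."""
    hashes = {}
    for dirpath, _dirs, names in os.walk(root):
        for name in names:
            full = os.path.join(dirpath, name)
            with open(full, "rb") as f:
                digest = hashlib.sha256(f.read()).hexdigest()
            hashes[os.path.relpath(full, root).replace(os.sep, "/")] = digest
    return hashes

def compare_to_clean(site_root, clean_root):
    """Sort the site's files into findings by comparing with a clean WordPress tree."""
    site, clean = file_hashes(site_root), file_hashes(clean_root)
    report = {"modified": [], "unknown": [], "php_in_uploads": []}
    for rel in sorted(site):
        if rel in clean:
            if site[rel] != clean[rel]:
                report["modified"].append(rel)       # core file whose content changed
        elif rel.startswith("wp-content/uploads/") and rel.lower().endswith(".php"):
            report["php_in_uploads"].append(rel)     # uploads normally holds media only
        elif not rel.startswith("wp-content/") and rel not in EXPECTED_EXTRA:
            report["unknown"].append(rel)            # not shipped with WordPress core
    return report

def demo():
    """Build two tiny constructed trees (not real WordPress files) and compare them."""
    base = tempfile.mkdtemp()
    trees = {
        "clean": {"index.php": "<?php // core", "wp-settings.php": "<?php // core"},
        "site": {"index.php": "<?php // core\n// injected line",
                 "wp-settings.php": "<?php // core",
                 "wp-config.php": "<?php // settings",
                 ".cache.php": "<?php // hidden extra file",
                 "wp-content/uploads/2021/12/img.php": "<?php // not media",
                 "wp-content/uploads/2021/12/photo.jpg": "constructed"},
    }
    for tree, files in trees.items():
        for rel, body in files.items():
            path = os.path.join(base, tree, rel)
            os.makedirs(os.path.dirname(path), exist_ok=True)
            with open(path, "w") as f:
                f.write(body)
    return compare_to_clean(os.path.join(base, "site"), os.path.join(base, "clean"))

if __name__ == "__main__":
    print(demo())
```

On a real site, call `compare_to_clean()` with the extracted site backup and an extracted WordPress download; treat every entry as a file to inspect, not as a verdict.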

Remove malware from WordPress website system files

A hacked WordPress website’s system files such as index.php (left) or wp-config.php (right) are usually infected with malicious code.


Steps to remove malware from WordPress website manually using cPanel File Manager

NOTE: The procedure to remove malware from WordPress described below works in most cases of hacked WP sites, but there’s no guarantee it will work in your specific case. Performing this operation requires good knowledge of the WP system file structure and familiarity with the hosting cPanel system. Make sure you know what you are doing to avoid any damage to your website.

  1. change your cPanel login password into a new strong one
  2. backup your website using the cPanel Backup app
  3. using cPanel File Manager, check if the wp-content folder contains any suspicious .php files and delete them (make sure to turn on the “Show hidden files” option)
  4. the wp-content folder and its subfolders contain index.php files that might be corrupted with malicious code; clean them if needed
  5. also delete all suspicious plugins that are not a part of your WordPress website
  6. once cleaned, compress and download the wp-content folder
  7. download your wp-config.php and .htaccess files
  8. delete the complete WordPress installation from your hosting account public_html folder or the folder containing the website
  9. make sure there are no suspicious files left there, delete them if needed
  10. upload and extract a clean latest version of WordPress in the same place (folder name) where the old WP installation was located
  11. replace the fresh installation wp-content folder with the previously backed up wp-content folder (make sure you cleaned it from any suspicious files, plugins and malicious code)
  12. upload the backed up wp-config.php file into the home folder of the fresh WordPress installation (make sure you previously cleaned it from any malicious code – compare it to the fresh wp-config-sample.php file)
  13. alternatively, you can create a new wp-config.php file from the fresh wp-config-sample.php file and add your MySQL database name, username and password to it manually
  14. if needed clean the downloaded .htaccess file of any malicious code and upload the file in the home folder of your website
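Step 12 asks you to compare the backed-up wp-config.php with the fresh wp-config-sample.php. The Python sketch below is an added example, not part of the original article: it lists every line of the config that has no counterpart in the sample, ignoring differences in setting values. The helper names, the abbreviated `SAMPLE` and `CONFIG` texts and the placeholder file name are constructed for illustration.

```python
import re

LITERAL = r"""(?:'[^']*'|"[^"]*"|true|false|\d+)"""
# A define() or assignment counts as "the same setting" only when it is the whole
# line and its value is a plain literal, so code appended to it stays visible.
DEFINE = re.compile(r"""^define\(\s*['"](\w+)['"]\s*,\s*""" + LITERAL + r"\s*\);$")
ASSIGN = re.compile(r"^(\$\w+)\s*=\s*" + LITERAL + r"\s*;$")

def normalise(line):
    """Reduce a settings line to its key; return any other line unchanged."""
    line = line.strip()
    for kind, pattern in (("define", DEFINE), ("assign", ASSIGN)):
        match = pattern.match(line)
        if match:
            return kind + ":" + match.group(1)
    return line

def lines_to_review(config_text, sample_text):
    """Return (line_number, text) for config lines with no counterpart in the sample."""
    known = {normalise(line) for line in sample_text.splitlines()}
    return [(number, line.strip())
            for number, line in enumerate(config_text.splitlines(), start=1)
            if line.strip() and normalise(line) not in known]

# Constructed, abbreviated stand-in for wp-config-sample.php
SAMPLE = """<?php
define( 'DB_NAME', 'database_name_here' );
define( 'DB_USER', 'username_here' );
$table_prefix = 'wp_';
define( 'WP_DEBUG', false );
require_once ABSPATH . 'wp-settings.php';
"""

# Constructed wp-config.php: lines 2 and 4 carry extra code, line 6 is a legitimate addition
CONFIG = """<?php
include_once 'constructed-placeholder.php';
define('DB_NAME', 'shop_db');
define( 'DB_USER', 'shop_user' ); include_once 'constructed-placeholder.php';
$table_prefix = 'wp_';
define( 'WP_CACHE', true );
require_once ABSPATH . 'wp-settings.php';
"""

if __name__ == "__main__":
    for number, text in lines_to_review(CONFIG, SAMPLE):
        print(number, text)
```

The result is a review list: settings you added yourself, such as the `WP_CACHE` line here, appear alongside injected code, so each reported line still needs a decision.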

If you’ve done everything correctly, your website should be working again (it might be a bit broken due to deactivated plugins or other issues that are easy to fix). But most importantly, you should regain access to the WP Login form and be able to access the WP Dashboard. To wrap things up, perform all the steps described earlier in the Remove malware from WordPress website through WP Dashboard section of this article.


Fixing a hacked WordPress website – Conclusion

The process of fixing a hacked WP website described above was derived from our long experience, and we managed to remove malware from WordPress each time using this procedure. However, due to different types of hacker attacks, this procedure might not work in each specific case. We’re sure that with slight modifications of this procedure you’ll be able to fix any hacked website.

Now that your hacked WordPress website is fixed, you might need to remove it from any blacklists or notify your hosting provider to reactivate the website if they disabled it due to malware. If your website was blacklisted by Google, you can submit a request to whitelist it again using the Search Console.