- November 20, 2025
- k5yp5
It is not uncommon for WordPress website owners to experience malware infections on their webpages. This could be a nightmare situation for most of us. It’s because malicious code can be hidden in your WordPress files, affecting your website and causing it to behave unusually. These malware code injections can harm your website’s reputation, redirect your visitors to spam websites, overload your server, slow down your site, steal data, and even get your website blacklisted on Google.

Although the process of malware removal from a WordPress site is not rocket science, it does require being code-proficient and willing to put in hours, and even days, to complete it. This is the reason most WordPress site owners hire experienced WordPress developers to remove malware from their sites.
Below are some of the steps that you or your WordPress developer can perform for malware removal from your website.
Step #1: Take an Immediate Backup
Before making any changes to the site or the server, take a complete backup of your website (files + database). If something goes wrong during cleanup, you can restore the site from this backup.
Here are a few ways to back up your website:
- Install the UpdraftPlus plugin
- Use JetBackup (via your hosting control panel)
- Create a ZIP backup in cPanel File Manager
Step #2: Scan Your Website for Malware
The next step is to scan the website using a reliable tool to identify infected files, suspicious scripts, and code injections.
Recommended tools/plugins:
- Sucuri SiteCheck
- Wordfence Security
- MalCare Scanner
Step #3: Identify the Infected Files
Malicious code is often injected into critical files, like:
- functions.php
- index.php
- wp-config.php
- header.php or footer.php
- wp-admin & wp-includes folders
- Theme and plugin files
If you aren’t sure what injected malware looks like, look for suspicious patterns such as:
- Base64-encoded strings and base64_decode() calls
- eval() calls
- Hidden iframes
- Encrypted or very long strings
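As an added illustration (not part of the original post), the heuristic search in this step can be scripted. The following Python scanner walks a WordPress install and reports every file containing the indicators listed above; the sample PHP snippet at the bottom is constructed for the demo and not taken from a real site, and any hit is only a reason to inspect the file, not proof of infection.

```python
import re
import sys
from pathlib import Path

# Patterns for the indicators listed in Step 3. Each one is a heuristic:
# legitimate plugins occasionally use eval() or base64 as well.
INDICATORS = [
    ("eval() call", re.compile(r"\beval\s*\(")),
    ("base64_decode() call", re.compile(r"\bbase64_decode\s*\(")),
    ("iframe tag", re.compile(r"<iframe\b", re.IGNORECASE)),
    ("very long encoded string", re.compile(r"['\"][A-Za-z0-9+/=]{120,}['\"]")),
]

# File types injected code is normally written into.
SCAN_SUFFIXES = {".php", ".js", ".html", ".htm"}


def scan_text(text):
    """Return (indicator, line_number, excerpt) for every heuristic hit."""
    hits = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        for name, pattern in INDICATORS:
            if pattern.search(line):
                hits.append((name, line_no, line.strip()[:60]))
    return hits


def scan_tree(root):
    """Walk a WordPress install; map relative path -> hits for flagged files."""
    root = Path(root)
    findings = {}
    for path in root.rglob("*"):
        if path.is_file() and path.suffix.lower() in SCAN_SUFFIXES:
            hits = scan_text(path.read_text(errors="replace"))
            if hits:
                findings[str(path.relative_to(root))] = hits
    return findings


# Constructed sample shaped like a typical injection (hostname is a placeholder).
SAMPLE_INJECTED = (
    "<?php\n"
    "// legitimate theme code above\n"
    "eval(base64_decode('" + "QUJD" * 40 + "'));\n"
    "echo '<iframe src=\"http://malware.invalid/x\" width=\"0\" height=\"0\"></iframe>';\n"
)

if __name__ == "__main__":
    # Usage: python scan.py /path/to/wordpress   (no argument scans the sample)
    results = scan_tree(sys.argv[1]) if len(sys.argv) > 1 else {"sample": scan_text(SAMPLE_INJECTED)}
    for rel, hits in results.items():
        for name, line_no, excerpt in hits:
            print(f"{rel}:{line_no}: {name}: {excerpt}")
```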
Step #4: Replace Core WordPress Files
If your WordPress core files are infected with malware, the easiest way to clean them is to replace them with fresh WordPress files.
Steps:
- Download a clean version of WordPress from wordpress.org
- Replace wp-admin and wp-includes completely
- Do NOT overwrite wp-content (it contains your themes and plugins)
This immediately removes malware hiding in core files.
Step #5: Clean Your Theme and Plugin Files
This part takes time. We generally recommend hiring a WordPress website expert to handle this for you.
Do the following:
- Replace your active theme with a fresh copy
- Delete unused themes
- Reinstall all plugins
- Remove plugins you don’t use
- Check custom-coded theme sections manually
Custom themes are the most common source of infection, so check them twice.
Step #6: Clean the Database (Optional but Important)
Some malware stores scripts in the database, especially in these tables:
- wp_posts
- wp_options
- wp_users
Search them for strange JavaScript, long encoded strings, or spammy external links.
Step #7: Change All Passwords
Once you clean your website, change:
- WordPress admin passwords
- Hosting passwords
- FTP/SFTP passwords
- Database passwords
Also, enable two-factor authentication.
Step #8: Install Security Plugins
To prevent reinfection, install:
- Wordfence
- Sucuri
- iThemes Security
Enable the firewall, brute-force protection, and malware scanning.
Final Thoughts
Removing malicious code from WordPress files can be stressful, but it’s completely manageable with careful steps. If the infection keeps coming back, consider hiring a professional WordPress malware removal service to ensure deep-level cleanup and long-term security.