If your WordPress website has been infected with malware, don’t panic. There are clear steps you can take to remove the malware and secure your site against future threats. This guide is designed specifically for businesses that require a professional WordPress malware clean-up process.
Note: This is a high-level guide. Malware removal can become complex, and if you have any doubts, always consult a WordPress security specialist.
Immediate Actions
1. Take Your Site Offline
Minimise the risk to your visitors by taking your website offline immediately. Display a maintenance page rather than leaving your site vulnerable.
Tip: Most hosting providers offer an option to suspend your site via the hosting control panel.
2. Back Up Your Infected Site
Yes, back up your infected site. If something goes wrong during the clean-up, you can always revert to this backup.
Backup Essentials:
- Entire public_html (or root) folder
- Full database export
Save the backup locally and label it clearly as ‘infected’.
Cleaning Your WordPress Site
3. Extract and Review Website Files
Extract the backup on your local machine. Use up-to-date antivirus software for added security while reviewing the files.
4. Document Active Themes & Plugins
Note the themes and plugins located in /wp-content/themes/ and /wp-content/plugins/. This information will be vital later.
5. Download Fresh Copies
Re-download:
- WordPress core files from wordpress.org
- Themes and plugins from trusted sources (WordPress repository or official vendor sites)
Avoid using outdated or unsupported themes/plugins as they are common malware entry points.
6. Rebuild Your Website Locally
- Create a new folder.
- Extract the fresh WordPress files.
- Rename wp-config-sample.php to wp-config.php (you’ll edit this shortly).
- Add clean copies of your themes and plugins.
- Review the /uploads/ folder: transfer only media files (images, PDFs) — no PHP files should exist here.
Important: Do NOT copy themes/plugins from the old site unless you are 100% certain they are clean.
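An added example for the /uploads/ review in step 6 (this is not code from the original guide): it copies only files that both carry an allowed media extension and contain no PHP open tag, and lists everything it leaves behind. It assumes POSIX sh with find, grep and cp; the media allow-list is our own assumption and should be adjusted to what your site actually stores.

```shell
#!/bin/sh
# Added example, not part of the original guide: review the /uploads/ folder from
# the 'infected' backup and carry over only genuine media files (step 6).
# Assumptions: POSIX sh with find, grep and cp; the media allow-list below is ours.

# Extensions the site legitimately stores (matched case-insensitively). SVG is left
# out on purpose: it is XML and can carry script.
MEDIA_EXT_RE='\.(jpe?g|png|gif|webp|pdf|mp4|mp3)$'

# is_media FILE: succeeds when FILE has an allowed extension AND contains no PHP
# open tag. A "banner.gif" that starts with GIF89a but also holds "<?php" is a
# polyglot, not a picture, and must not be carried over.
is_media() {
    printf '%s\n' "$1" | grep -Eiq "$MEDIA_EXT_RE" || return 1
    ! grep -Eq '<\?(php|=)' "$1"
}

# review_uploads SRC DST: copies every file passing is_media from SRC to DST,
# keeping the year/month sub-folders, and prints one REJECTED line per file
# left behind so the rejects can be inspected by hand.
review_uploads() {
    src=$1; dst=$2
    find "$src" -type f | while IFS= read -r f; do
        rel=${f#"$src"/}
        if is_media "$f"; then
            mkdir -p "$dst/$(dirname "$rel")"
            cp -p "$f" "$dst/$rel"
        else
            printf 'REJECTED %s\n' "$rel"
        fi
    done
}

# make_sample: builds a small constructed uploads tree (not real site data) in a
# temp dir and prints its path, so the script can be dry-run offline.
make_sample() {
    d=$(mktemp -d)
    mkdir -p "$d/2023/05"
    printf 'JFIF photo bytes\n'             > "$d/2023/05/hero.jpg"
    printf '%%PDF-1.4 brochure\n'           > "$d/2023/05/brochure.pdf"
    printf '<?php /* constructed stub */\n' > "$d/2023/05/wp-cache.php"  # PHP in uploads
    printf '<?php /* constructed stub */\n' > "$d/2023/05/logo.png.php"  # double extension
    printf 'GIF89a<?php /* stub */\n'       > "$d/2023/05/banner.gif"    # image-named PHP
    printf '%s\n' "$d"
}

# Dry run on the constructed tree: hero.jpg and brochure.pdf are copied,
# the other three files are reported as REJECTED.
review_uploads "$(make_sample)" "$(mktemp -d)"
```

Run it against the extracted backup's uploads folder and an empty destination, then inspect every REJECTED path before deciding whether anything else is legitimately needed.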
7. Clean Your Database
Database clean-up is critical. Look for suspicious content like:
- Malicious links
- Hidden iframes
- Code calling base64_decode, eval(), shell_exec, etc.
Tip: Use SQL queries to search for anomalies or consider a database scanner tool. If unsure, seek professional help.
8. Secure Hosting & Database
- Change all hosting account passwords.
- Delete the old database and create a new one with strong credentials.
- Import the cleaned database.
9. Update wp-config.php
Edit the new wp-config.php to reflect the updated database credentials.
10. Upload Clean Files
- Delete all files from your web server.
- Upload the cleaned version.
- Ensure correct file permissions:
  - Directories: 755
  - Files: 644
  - wp-config.php: 640
11. Test Thoroughly
- Bring your site back online.
- Check the front-end and back-end for issues.
- Resave permalinks in WordPress to refresh URLs.
Proactive Security Measures
- Avoid Nulled Themes/Plugins: They are high-risk vectors for malware.
- Use Reputable Hosting: Cheap hosting often compromises on security.
- Implement SSL: Free SSL options include Let’s Encrypt and ZeroSSL.
- Strong Passwords & 2FA: Use complex passwords and enable Two-Factor Authentication (2FA).
- Security Plugins: Consider WordFence, iThemes Security, or Defender.
- Disable XML-RPC: Commonly exploited; most security plugins can disable this.
- Robust Backup Strategy: Follow the 3-2-1 rule — 3 copies, 2 different mediums, 1 off-site.
Disclaimer
While this guide provides a robust framework, WordPress configurations vary. If you’re uncertain at any stage, contact a professional WordPress security expert.
For businesses needing urgent WordPress malware clean-up services, contact us for expert support.