How to Detect and Remove Malware from a WordPress Site

There is nothing more painful than losing access to your website. And WordPress being one of the biggest CMS platforms out there, it has become the number one target for hackers to attack.

Research says that, WordPress websites get hacked at least 13,000 per day. That's around 9 per minute, 390,000 per month, and 4.7 million per year.

So, if you have a WordPress website and experience something unusual, maybe it's because your site has been infected by malware. To be sure of whether your site is attacked or not, you should check your site's condition every 30 days.

And if unfortunately, your site is infected by malware, you should take immediate measures to protect your site from hackers.

Today, in this blog post, we are going to discuss how to detect malware on a WordPress site and the 7 steps to remove them permanently. So, stay tuned with us to protect your site from malware.

What is Malware: Types of Malware

Malware is an umbrella term used to describe a piece of software that has malicious intentions. That means once this software gets access to your website, it can turn down or misuse your website. Sometimes the damage can be irrevocable.

There are several types of malware. Some of the common types of malware are:

• Trojans: A Trojan (or Trojan Horse) disguises itself as legitimate software with the purpose of tricking you into executing malicious software on your computer.

• Spyware: Spyware invades your computer and attempts to steal your personal information such as credit card or banking information, web browsing data, and passwords to various accounts.

• Adware: Adware is unwanted software that displays advertisements on your screen. Adware collects personal information from you to serve you with more personalized ads.

• Rootkits: Rootkits enable unauthorized users to gain access to your computer without being detected.

• Ransomware: Ransomware is designed to encrypt your files and block access to them until a ransom is paid.

• Worm: A worm replicates itself by infecting other computers that are on the same network. They’re designed to consume bandwidth and interrupt networks.

• Keyloggers: Keyloggers keep track of your keystrokes on your keyboard and record them on a log. This information is used to gain unauthorized access to your accounts.

How to Detect Malware on Your WordPress Website

If you want to remove malware from your WordPress site, first, you need to know how to detect malware. Once you know your site is affected by malware, then you can take action to remove them. So, now let's find out how to detect malware from WordPress sites.

• Scan Your Site with a Security Plugin: There are several WordPress security plugins available that can scan your site for malware. Examples include Wordfence Security, Sucuri Security, and MalCare. These plugins will scan your site for known malware signatures and suspicious files.

• Check your site for changes: Look for any changes to your WordPress files or database, such as new files or code that you didn't add. You can check your files through your web host or using an FTP client. Also, review the user accounts and make sure there aren't any unfamiliar ones.

• Look for suspicious activity: Check your site's access logs for any unusual activity, such as multiple failed login attempts or unusual requests. You can use a plugin or view logs through your web host or web server.

• Use an online scanner: There are several online scanners available that can scan your site for malware. Examples include VirusTotal and Quttera. These scanners can check your site against a database of known malware and identify any suspicious code.

• Sucuri SiteCheck: Brought to by Sucuri, SiteCheck is another popular malware scanner. Apart from searching websites for malicious code, it also checks your website blacklist status, finds out-of-date software & plugins, and even detects security issues and anomalies. 

After inserting the site URL if you click the Scan Website button, you'll get the result within minutes.

How to Remove Malware from WordPress Site Manually – 7 Easy Steps

Now you know what is malware and how to detect malware from a WordPress site. After scanning your site, if you find your site is affected by malware, you have to remove malware as soon as possible.

Follow these steps to remove malware from your website:

1. Turn on the Maintenance Mode 
2. Take a Full Backup of Your WordPress Website 
3. Reinstall WordPress on Your cPanel 
4. Remove Malicious Code from Your wpconfig.php File 
5. Reinstall a Fresh Theme and Necessary Plugins  
6. Remove Hidden Backdoors 
7. Ask Google to Reindex Your WordPress Website

Without any further delay, let's get started with the first point-

Step 01: Turn on the Maintenance Mode 

When you are sure that your site is attacked by malware, you must take the necessary procedures to remove that malware. To do so, the first thing that you need to make sure of is that you have put your site into maintenance mode.

This process hides your website content from visitors and shows a message telling them that your site will return soon. There are free plugins to turn on your site maintenance mode. You can use a plugin like LightStart or Site Offline to get your job done.  

These free tools let you easily enable maintenance mode on your site in just a few clicks. Let's assume, you have installed and activated the LightStart plugin, now navigate to Settings -> LightStart to access the maintenance mode.

Next, select Activated as the Status. When you’re done, click on the Save settings button at the bottom of the screen. Your site will now go into maintenance mode. 

Step 02: Take a Full Backup of Your WordPress Website 

Before making any changes to your website, it's always a good idea to take a full backup of your website.

There are two aspects you’ll need to back up, your database and your files. The database is where your content, settings, and user information are stored. Your files are everything else, like your themes, plugins, and images.

The easiest way to take site backup is using a WordPress plugin. There are free WordPress plugins like UpdraftPlus, BlogVault, and Jetpack to get your job done.

If you don't know how to take a backup of your WordPress website, you can check this blog-

Read: How to Backup a WordPress Site

Step 03: Reinstall WordPress on Your cPanel

After taking the backup of your WordPress website, now it's time to reinstall WordPress on your control panel.

Go to the WordPress official website to download the latest WordPress version. We have a dedicated blog on installing WordPress on cPanel. If need any help while installing WordPress, you can check out the step-by-step tutorial.

Step 04: Remove Malicious Code from Your wpconfig.php File 

It’s also a smart idea to compare your wp-config.php file to the original one offered by WordPress Codex. This step will make it easier to identify and locate anything that has been added like malicious code.

From the WordPress Codex, download a fresh copy of the wp-config.php file. Open the file as well as your existing wp-config.php file in a text editor to compare them.

There are some legitimate reasons your file may be different from the original, especially when it comes to information about your database. But take the time to look for anything suspicious and remove it if necessary. When you’re done, save the cleaned-up file, then upload it to your server. 

Step 05: Reinstall a Fresh Theme and Necessary Plugins 

Your theme or plugin can contain malicious code. To avoid this risk, you need to reinstall your theme and all the necessary plugins.

To reinstall your theme, go to your WordPress dashboard and then navigate to Appearance -> Themes. Now install and activate your chosen theme.

If you aren't aware of how to change a theme without losing the content, you can check this step-by-step tutorial to get your job done.

After reinstalling the theme, now it's time to reinstall all the plugins that you have been using on your site. Click on the Plugins option from the left sidebar of your WordPress dashboard and then click the Add New option to install and activate plugins on your site.

Step 06: Remove Hidden Backdoors 

Hackers might embed backdoors in files to create security vulnerabilities within your WordPress site, so it’s important to remove any hacked files that carry them. Backdoors often look similar to WordPress core files. wp-config.php and files within plugins, themes, and uploads folders are the most popular targets of backdoor injections.

To identify potential backdoors, check your files for these PHP functions:

• base64
• exec
• move_uploaded_file
• str_rot13
• gzuncompress
• eval
• stripslashes
• system
• assert
• preg_replace (with /e/)

Use the following SSH command to detect any hacked files located within your directories:

find . -type f -name '*.php' | xargs egrep -i "(mail|fsockopen|pfsockopen|stream\_socket\_client|exec|system|passthru|eval|base64_decode) *("

The following command will locate image files with backdoor functions:

find wp-content/uploads -type f -iname '*.jpg' | xargs grep -i php

Lastly, use the command below to locate infected iframes:

find . -type f -name '*.php'| grep -i '<iframe'

Step 07: Ask Google to Reindex Your WordPress Website

This is an additional step of how to remove malware from WordPress website. Because if you follow the above-mentioned 6 steps, at this point, malware should be removed from your website. Now all you have to do is ask Google to reindex your WordPress website.

You can do that using Google Search Console. Navigate to your Google Search Console's admin dashboard and open the Security & Manual Actions -> Security issues tab. Select I have fixed these issues -> Request a review to have Google review and re-index your WordPress site.

Keep in mind that Google can take a couple of days to process the blocklist removal request.

How to Remove Malware from WordPress Site Using a Plugin

If you don't want to remove WordPress malware manually, you can use a plugin to clean your website. Here we are going to use the Wordfence plugin to make this tutorial.

Step 01: Install the Wordfence Plugin

Go to your WordPress dashboard, click on “Plugins,” and then select “Add New.” Search for “Wordfence,” install the plugin, and activate it.

Step 02: Scan Your Website

Once Wordfence is activated, go to “Wordfence” in your WordPress dashboard and click on “Scan.” Choose the “Scan Type” as “Full Scan” and click on the “Start New Scan” button. Wordfence will now scan your website for malware.

Step 03: Review Scan Results

After the scan is complete, Wordfence will display a list of identified issues. Review the results carefully and identify any malware or suspicious files. Then quarantine or remove the identified malware. In the scan results, locate the malware files, and select the action you want to take (quarantine or delete).

That's how you can remove malware from your WordPress website.

Bonus: Best 2 WordPress Plugins to Clean Malware from Your Site

There are two ways to clean WordPress malware. The first one is doing it manually (as we already have discussed) and another one is using a plugin to remove WordPress malware. If you are wondering which plugin to use to remove malware from WordPress websites, we are going to suggest the top 2 WordPress plugins that you can blindly rely on.

Let's check them out:

I) Wordfence Security Plugin

Wordfence is a comprehensive security plugin that includes a web application firewall, malware scanner, and login security features to protect your WordPress website from various threats.

Key Features

• Includes a Web Application Firewall (WAF) that identifies and blocks malicious traffic.
• Scans your WordPress site for malware, viruses, and other threats.
• Provides various login security features, including two-factor authentication, password policies, and login page CAPTCHA.

This is a free plugin with more than 4 million active installations.

II) Sucuri Security Plugin

Sucuri is a website security plugin that provides a cloud-based firewall, malware scanner, and activity auditing to detect and prevent attacks on your website. It offers a range of security services, including incident response, DDoS protection, and website monitoring.

Key Features

• Provides a Cloud-based Firewall to protect against DDoS, XSS, and other attacks.
• Tracks all security-related events, including file changes, login attempts, and more.
• Scans your website for malware and other malicious code.

This is a free plugin with more than 800,000+ active installations.

Also Read: 8 Best WordPress Security Plugins for Your Website (FREE)

FAQs on How to Remove Malware from WordPress Site

1. What are the signs that my WordPress website has been infected with malware?

Some common signs of a malware infection on a WordPress website include unexpected redirects, slow page loading times, unauthorized changes to website content, and the presence of unfamiliar files or code.

2. Can I remove malware from my WordPress website myself?

Yes, it is possible to remove malware from your WordPress website yourself. Just follow these steps to remove malware from your WordPress website permanently:

• Turn on the Maintenance Mode 
• Take a Full Backup of Your WordPress Website 
• Reinstall WordPress on Your cPanel 
• Remove Malicious Code from Your wpconfig.php File 
• Reinstall a Fresh Theme and Necessary Plugins  
• Remove Hidden Backdoors 
• Ask Google to Reindex Your WordPress Website

3. What tools or plugins can I use to remove malware from my WordPress website?

There are several plugins and tools available that can help you remove malware from your WordPress websites, such as Sucuri, Wordfence, and MalCare. These plugins can scan your website for malware and help you remove it.

4. How can I prevent my WordPress website from getting infected with malware in the future?

You can prevent malware infections on your WordPress website by regularly updating your WordPress core, plugins, and themes, using strong passwords, implementing two-factor authentication, and using a reputable web host.

5. Should I hire a professional to remove malware from my WordPress website?

If you do not have the technical expertise or time to remove malware from your WordPress website, it is recommended to hire a professional. However, if you have a little technical knowledge, you can do it by yourself by following a step-by-step tutorial or watching a YouTube video.

How to Remove Malware from WordPress Site- Key Takeaways

Malware attacks on a WordPress website aren't something new. Every day a number of WordPress websites face different kinds of malware attacks. So, it would be a very smart decision if you check your website for malware every 30 days.

You can use online services like SiteCheck, VirusTotal, or Quttera to check if there is any malware attack on your site. And if there is any attack, no need to be afraid of it. Because you already know how to remove malware from WordPress sites. So, stay calm and follow these 7 steps to protect your site:

• Turn on the Maintenance Mode 
• Take a Full Backup of Your WordPress Website 
• Reinstall WordPress on Your cPanel 
• Remove Malicious Code from Your wpconfig.php File 
• Reinstall a Fresh Theme and Necessary Plugins  
• Remove Hidden Backdoors 
• Ask Google to Reindex Your WordPress Website

That's all!

And to protect your site from future attacks, you can take some necessary steps. We have a dedicated blog on that. Check it out here:

Read: The Ultimate Security Guide for Your WordPress Site in 2023