WordPress is a powerful and popular CMS — but its popularity also makes it a frequent target for hackers. If your site has been infected with malware, you may see unwanted redirects, strange content, SEO warnings, or even have the entire site disabled. Removing malware manually takes care and precision, but it gives you full control over what’s cleaned. If you need immediate assistance to clean your site safely, you can get emergency WordPress support to resolve malware issues quickly and restore your website.

In this article, we will walk you through a step-by-step manual malware removal process.

By following these steps, you can regain control of your site, restore its integrity, and harden it against future attacks.

Table of Contents

  1. Signs Your WordPress Site Is Infected

  2. Preparatory Steps Before Cleaning

  3. Manual Malware Removal — File Cleanup

  4. Manual Malware Removal — Database Cleanup

  5. Reinstall & Restore Clean Core, Plugins, Theme

  6. Hardening & Preventive Measures

  7. Submit Site for Review & Monitor

  8. FAQs

1. Signs Your WordPress Site Is Infected

Before you begin cleanup, it’s important to confirm the infection and identify symptoms. Some common signs include:

  • Unexpected site redirects to spammy or unknown domains

  • Strange content (links, adverts, SEO spam) appearing on pages you did not add

  • Warnings in Google Search Console (“This site may be hacked”)

  • Sudden drop in traffic / SEO ranking

  • Unknown admin users or changed user roles

  • Files modified even though you didn’t edit them

  • Security plugin alerts or scan failures

  • Visitors reporting suspicious popups or phishing windows

If you see one or more of these, act quickly — the longer malware persists, the more damage it can cause.

2. Preparatory Steps Before Cleaning

Cleaning malware is risky — you might accidentally break parts of your site. So preparation is key.

2.1 Take Full Backups (Files + Database)

Before doing anything, back up your entire WordPress site (all files) and the MySQL database. You can also learn how to backup WordPress to Google Drive automatically to keep your backups safe and off‑server before malware removal.

  • Use your hosting file manager or FTP/SFTP to download all files.

  • Use phpMyAdmin, Adminer, or mysqldump to export the database. If you need detailed steps on putting your site back exactly the way it was, check out how to restore WordPress site from backup manually for a full walk‑through.

  • Store backups securely off the server (local machine, cloud storage).

If anything goes wrong, you can restore from this backup.

2.2 Put the Site in Maintenance Mode

This prevents visitors or indexing bots from seeing broken or malicious content during cleanup.

You can use a basic plugin (e.g., WP Maintenance Mode) or add a snippet to your site’s root .htaccess:

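# In .htaccess (public_html or root)
# Serve maintenance.html as the body of every 503 response
ErrorDocument 503 /maintenance.html
RewriteEngine On
# Let the maintenance page itself through and answer everything else with 503
RewriteCond %{REQUEST_URI} !^/maintenance\.html$
RewriteRule ^ - [R=503,L]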

Create a simple maintenance.html page telling visitors “Under maintenance, we’ll be back soon.”

2.3 Change All Access Credentials

Immediately change passwords for:

  • WordPress admin accounts

  • FTP/SFTP / SSH

  • Database user

  • Hosting control panel

Also regenerate the WordPress security keys and salts in wp-config.php. This invalidates existing login cookies and sessions:

define('AUTH_KEY', 'new random phrase here');
define('SECURE_AUTH_KEY', '…');
define('LOGGED_IN_KEY', '…');
define('NONCE_KEY', '…');
define('AUTH_SALT', '…');
define('SECURE_AUTH_SALT', '…');
define('LOGGED_IN_SALT', '…');
define('NONCE_SALT', '…');

You can generate new salts with the WordPress.org secret-key service.

3. Manual Malware Removal — File Cleanup

Manual file cleanup is tedious, but gives you fine control. You’ll compare files to clean versions, remove suspicious ones, and patch backdoors.

3.1 Compare with Clean WordPress Core

  1. Download a clean version of the same WordPress version you’re using.

  2. Extract it locally.

  3. With an FTP client or over SSH, overwrite the wp-admin/ and wp-includes/ directories with the clean copies (do not touch wp-content/).

  4. For root files like index.php, wp-login.php, etc., replace them as well (except wp-config.php and .htaccess).

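This replaces every core file that was modified. Files an attacker added alongside them are not touched by an overwrite and have to be found separately.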
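Added example (not from the original article): a POSIX shell function that compares the live site with the extracted clean copy and lists core files that differ, plus files that exist only on the site. The name core_diff and its two path arguments are assumptions for illustration.

```shell
#!/bin/sh
# Added example: list core files that differ from a clean WordPress copy
# (MODIFIED) and files that exist only on the live site (EXTRA).
# core_diff is a hypothetical helper name; both arguments are directory paths.
core_diff() {
    site=$1
    clean=$2
    {
        # Root-level PHP files. wp-config.php is site-specific, so skip it.
        for f in "$site"/*.php; do
            [ -f "$f" ] || continue
            [ "${f##*/}" = wp-config.php ] || printf '%s\n' "${f##*/}"
        done
        # Every file under the two core directories, as site-relative paths.
        for dir in wp-admin wp-includes; do
            if [ -d "$site/$dir" ]; then
                (cd "$site" && find "$dir" -type f)
            fi
        done
    } | LC_ALL=C sort | while IFS= read -r rel; do
        if [ ! -f "$clean/$rel" ]; then
            printf 'EXTRA %s\n' "$rel"
        elif ! cmp -s "$site/$rel" "$clean/$rel"; then
            printf 'MODIFIED %s\n' "$rel"
        fi
    done
}

# Run as: sh core_diff.sh /path/to/site /path/to/clean-wordpress
if [ "$#" -eq 2 ]; then
    core_diff "$1" "$2"
fi
```

Review each EXTRA entry before deleting it, and make sure the clean copy is the same WordPress version as the site so that unchanged files compare equal.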

3.2 Inspect wp-content (Themes, Plugins, Uploads)

These are common infection points.

  • Plugins / Themes: Delete any unused or suspicious plugins/themes. Re-upload clean versions from official sources. If you’re unsure whether the latest version of a plugin or theme is safe, you can also learn how to roll back WordPress plugin or theme version to a previous stable release before cleaning or reinstalling.

  • Uploads folder: Malicious PHP files are sometimes hidden in wp-content/uploads/. Search for .php files there (only media is expected).

    find wp-content/uploads -type f -name "*.php"

    Delete anything that looks suspicious or shouldn’t be a .php.

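  • Hidden backdoor files: Attackers often place files like wp-cache.php, zzz.php, class*.php, or files with random names.
    Search for stealthy code patterns such as base64_decode, eval, gzinflate, str_rot13, etc. These functions also appear in legitimate plugins, so treat a match as a reason to review the file, not as proof of infection.
    Example PHP snippet for scanning a single file:

$code = file_get_contents('somefile.php');

// Flag files that call functions commonly used to hide payloads
if (strpos($code, 'base64_decode') !== false || strpos($code, 'gzinflate') !== false) {
    // flag as suspicious
    echo "Suspicious: somefile.php\n";
}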
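Added example, not from the original article, that widens the find command and the pattern check above: it also reports other extensions that PHP handlers commonly execute and media-named files that contain a PHP opening tag. The name scan_uploads, the extension list and the output labels are assumptions, and the script goes beyond the .php-only search in the text.

```shell
#!/bin/sh
# Added example: triage wp-content/uploads, where only media is expected.
#   EXT      file name ends in an extension PHP handlers commonly execute
#   TAG      any other file containing a PHP opening tag (e.g. a fake .png)
#   +OBFUSC  the file also calls a function from the article's pattern list
# scan_uploads is a hypothetical helper name; its argument is a directory.
scan_uploads() {
    find "$1" -type f | LC_ALL=C sort | while IFS= read -r f; do
        kind=
        # Compare the lower-cased base name so evil.PHP is not missed.
        case $(printf '%s' "${f##*/}" | tr '[:upper:]' '[:lower:]') in
            *.php|*.php[0-9]|*.phtml|*.phar)
                kind=EXT ;;
            *)
                if LC_ALL=C grep -qF '<?php' "$f"; then kind=TAG; fi ;;
        esac
        [ -n "$kind" ] || continue
        # Function name followed by "(" so plain words in text do not match.
        if LC_ALL=C grep -qE '(base64_decode|eval|gzinflate|str_rot13)[[:space:]]*\(' "$f"; then
            kind="$kind+OBFUSC"
        fi
        printf '%s %s\n' "$kind" "$f"
    done
}

# Run as: sh scan_uploads.sh wp-content/uploads
if [ "$#" -eq 1 ]; then
    scan_uploads "$1"
fi
```

Every line of output is a lead for manual review; a file that is not reported is not thereby proven clean.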

3.3 Clean or Remove Suspicious Files

Once you spot suspicious code:

  • If it’s a legitimate plugin or theme file, restore from a clean backup.

  • If it’s custom code (you or devs added), manually remove only malicious parts — keep unaffected logic.

  • Remove files that shouldn’t exist (e.g. wp-config.old.php, random .php files in root, etc.).

4. Manual Malware Removal — Database Cleanup

Malware often injects code or spam links via the database. You must inspect and clean it.

4.1 Search Suspicious Patterns in Tables

Using phpMyAdmin or a database client:

SELECT * FROM wp_posts WHERE post_content LIKE '%<script%';
SELECT * FROM wp_options WHERE option_value LIKE '%base64_decode%';
SELECT * FROM wp_users WHERE user_login LIKE 'hacker%';

Look for:

  • JavaScript injections

  • Changed wp_options.siteurl or home values

  • Unknown admin users

  • Code snippets in post_content, widget_text, etc. For deeper insights into WordPress database issues — including causes, prevention, and fixes for corruption that often accompanies malware infections — check out WordPress database corruption causes, prevention & fixes.

4.2 Remove / Repair Infected Entries

Be cautious when editing the database. For instance:

  • Remove <script>...</script> blocks

  • Reset option_value fields that were modified

  • Delete unknown user accounts

  • Use regex replace if needed (in MySQL 8+):

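-- Review the matching rows with SELECT first: this removes every <script> block, legitimate ones included
UPDATE wp_posts
SET post_content = REGEXP_REPLACE(post_content, '<script[^>]*>.*?</script>', '', 1, 0, 'n')  -- 'n' lets . match newlines
WHERE post_content REGEXP '<script';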

4.3 Clean Autoload / Transients

Malware sometimes hides in autoloaded options:

DELETE FROM wp_options
WHERE option_name LIKE '%_transient_%'
AND option_value LIKE '%base64_decode%';

5. Reinstall & Restore Clean Core, Plugins, Theme

Once files and database are cleaned:

  • Reinstall your active theme from a clean source (backup or original).

  • Reinstall all plugins from safe repositories.

  • Restore only the content you verified from backups (posts, images).

  • Reset .htaccess to default WordPress rules:

# BEGIN WordPress
<IfModule mod_rewrite.c>
RewriteEngine On
RewriteBase /
RewriteRule ^index\.php$ - [L]
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteRule . /index.php [L]
</IfModule>
# END WordPress

  • Set correct file permissions: directories = 755, files = 644.

6. Hardening & Preventive Measures

Cleaning is only half the battle. You must protect your site against future attacks.

6.1 Keep Everything Updated

Always update WordPress core, plugins, and themes promptly. Many hacks exploit known vulnerabilities.

6.2 Use Strong Passwords & 2FA

Require strong, unique passwords and enable two-factor authentication for all admin users. For a step‑by‑step walkthrough on setting up two‑factor authentication and locking down your login security, check out how to set up WordPress two‑factor authentication (2FA).

6.3 Install Security Plugin / Firewall

Use reputable tools like Wordfence, Sucuri, iThemes Security, or All In One WP Security. Configure features like:

  • Malware scanning

  • Web Application Firewall

  • Login protection (limit login attempts, block IPs)

  • File integrity checking. For a complete comparison of top security tools you can install to protect your site, check out the best WordPress security plugins and choose the one that fits your needs.

6.4 Disable Plugin / Theme Editors

Prevent code injection via the WP dashboard:

// Add to wp-config.php
define('DISALLOW_FILE_EDIT', true);

6.5 Disable PHP Execution in Uploads

Add .htaccess inside wp-content/uploads/:

# Apache 2.4+; on Apache 2.2 use "deny from all" instead
<Files *.php>
Require all denied
</Files>

6.6 Configure wp-config Hardening

Add lines to wp-config.php:

// Protect file
if (!defined('ABSPATH')) exit;

// Disable file modifications (this also blocks plugin and theme installs and updates from the dashboard)
define('DISALLOW_FILE_MODS', true);

// Limit post revisions, etc.

6.7 Regular Backups & Monitoring

  • Use automated backups (daily/weekly) stored offsite.

  • Use uptime monitoring and malware scan schedules.

  • Review logs and scan reports regularly.

7. Submit Site for Review & Monitor

If Google flagged your site:

  1. In Google Search Console → Security & Manual Actions → Security Issues

  2. Mark “I have fixed these issues” and request a review

Keep monitoring for suspicious behavior post-cleanup. Use logs and security plugin alerts to catch any reinfections early.

8. FAQs

Q1: Can I clean malware automatically instead of manually?
Yes — security plugins like Wordfence, Sucuri, or MalCare can scan and remove many threats automatically. But manual cleaning gives you control and ensures deep removal when infections are complex.

Q2: Will cleaning malware affect my content or SEO?
If done carefully, no — your content (posts, images) can be preserved. But some SEO may suffer if Google flags your site. That’s why you should request re-indexing after cleanup.

Q3: How long does manual removal take?
It depends on the infection’s severity and your technical comfort — from a few hours to a full day or more for complex hacks.

Q4: What if I miss a hidden backdoor?
That’s a risk. Always keep logs, schedule scans, and monitor for unusual file changes. If you see reinfection, repeat cleanup or hire an expert.

Q5: How can I prevent reinfection?
Follow hardening practices: updates, security plugins, backups, strong credentials, disable file editing, restrict PHP in uploads, etc.

Q6: Should I hire a professional?
If the infection is deeply hidden, affecting critical files, or you’ve lost access to admin, a security expert or specialized service may be safer.

Copyright @ 2025 WPThrill.com. All Rights Reserved.