Warning: Undefined array key "options" in /home/customer/www/malwarecare.com/public_html/wp-content/plugins/elementor-pro/modules/theme-builder/widgets/site-logo.php on line 124
How to Detect and Remove Malware from a WordPress Website - MalwareCare

How to Detect and Remove Malware from a WordPress Website

How to Detect and Remove Malware from a WordPress Website

It is estimated that 70% of the 40,000 WordPress sites in the Alexa Top One Million are vulnerable to cyberattacks. There are several signs a hacked website exhibits, such as defacing or linking to malicious websites. The popularity of WordPress has made it a common target for cyber attackers. In this article, we will discuss How to Detect and Remove Malware from a WordPress Website.

What is Malware and what does malware do?

Threat actors use malware to infiltrate systems and networks to gain access to sensitive information, such as viruses, Trojans, and other harmful computer programs.

It is a file or code that infects, explores, steals, or does virtually any behavior an attacker desires, typically delivered over a network and websites. Infection of website systems can occur in many ways because malware comes in so many different variants.

A malware infection can infect a network, hosting all files, website core files and more.

There are different ways in which malware may harm users or endpoints, depending on its type and its purpose. It is possible for malware to have relatively mild and benign effects, but it is also possible to have catastrophic effects in some cases.

Malware can be designed to take advantage of files at the expense of the user and for the benefit of the hacker — the person who designed and/or deployed it.

What are the different types of malware?

There are different types of malware, each with its own characteristics and traits. Malware can be classified into the following types:


Viruses are malicious programs that are attached to documents or files that execute their code through macros. When a file is downloaded and opened, the virus will lay dormant. Data loss and operational issues can be caused by viruses.


A worm is a malicious piece of software that replicates rapidly and spreads to any device on the network. By downloading a file or connecting to a network, a worm infects a device before multiplying and spreading. Worms are similar to viruses in that they can seriously disrupt the operation of a device and lead to data loss.

Trojan virus:

Trojan viruses can modify, block, or delete sensitive data once they gain access to it. There is no self-replication capability in Trojan viruses, unlike in normal viruses and worms. Computers and mobile phones can suffer greatly from this.


Computers that are infected with spyware report back to a remote user in order to gather information. Financial or personal information is often stolen by spyware. An example of spyware that tracks your keystrokes is a keylogger, which reveals passwords and personal information through the tracking of your keystrokes.


Advertisements are displayed based on information collected on your computer usage by adware. There are many effects of adware, including redirecting your browser to unsafe sites and containing Trojan horses and spyware. If your system is overrun with adware, noticeably slower performance can result. Continuous and intelligent scanning is crucial for protection.


Data is encrypted by ransomware, which is malicious software. The data must be paid for before it can be released. The ransomware is downloaded when the user clicks on a disguised link. A mathematical key that the attacker knows is required to open specific information encrypted by the attacker.

Fileless malware:

In file-less malware, files are not used by the malware, yet it operates from the memory of the victim. It is more difficult to detect than traditional malware because there are no files to scan. A reboot also causes the malware to disappear, making forensics more difficult.

If your website has malware, how would you know?

The work of non-professional hackers is often responsible for hacking websites so that they do not work. It is difficult to find the work of professional hackers.

Is it possible to identify the first symptoms of infection when a website is hacked?

Indirect signs of infection of the website:

Indirect signs that your website is infected include:

  •   An excessive amount of traffic is consumed.
  •   Attendance statistics are not accurate.
  •   Unknown Web site redirection.
  •   Web browsers are blocking the site.
  •   Server load is increasing.
  •   Your hosting company has sent you an alert
  •   Google has blacklisted your site.


All of these signs indicate infection as well as malicious links.

Direct symptoms of the virus on the website:

When a Google or search engine Yandex displays a “virus” mark about your Web site that is the simplest situation. An infected site will display a warning window in Opera, Chrome, or Firefox when opened. Infected sites are identified by this browser using its own database.

The local antivirus can determine that the Web site is infected, and you will see a corresponding message when navigating between internal pages. Perhaps the website was hacked and spam was sent from it. It will be obvious to you if you receive a notification that your host is being spammed.

How to remove malware from your website: What are the steps involved in removing malware?

Step 1: Make a backup of your site's files and database

If you can log in, you can back up the entire site with a WordPress backup plugin. A full XML file of all the content you’ve created can be downloaded via Tools > Export if you have trouble logging in. All your uploads are stored in the wp-content folder on your server.

Step 2: Review and download the backup files

As soon as your site is backed up, download the backup file to your computer. Once the zip file is on your computer, double-click it to open it. You should see:

  • All the WordPress Core files. The WordPress.org website allows you to download the WordPress file and compare it to your own. The files you have will not be needed right now, but you may want them later on in your investigation into the hack.
  • The wp-config.php file. As we will use it in the restore process, this contains the username, password, and name of your WordPress database.
  • .htaccess file. You won’t see this.   If you use an FTP program (like FileZilla) or a code editing application (like Brackets), you can only see invisible files if you have backed this up.
  •  The wp-content folder. A maximum of three folders should be found in the wp-content folder: themes, uploads, and plugins. Take a look in these folders. Have you seen your theme, plugins, and uploaded images? Having a good backup of your site is a good sign. Your site can usually be restored from this folder alone (along with the database).
  • The database. An export of your database should be in an SQL file. A backup of the database is a good idea since we won’t delete it in this process.

Step 3: Remove all files from public_html

Use the web host’s File Manager to back up your public_html folder (except the cgi-bin folder) after securing your site. It is much faster to delete files through the File Manager than via FTP. SSH will also be fast if you are familiar with it. Ensure that all compromised .htaccess files are deleted as well by viewing invisible files.

It is imperative that you backup all the sites, download the backups, and perform the steps for each of them. In the time it takes you to clean the first website, you may re-infect the one you’ve just cleaned with the other that is still infected. It should be treated as if it were the bubonic plague.

Step 4: Reinstall WordPress

If your WordPress installation was originally located in public_html, reinstall it using the one-click installer in your web hosting control panel. If you upload the new wp-config.php file, it will have new login encryption salts, and will definitely be free of any hacked code.

It is imperative that you backup all the sites, download the backups, and perform the steps for each of them. In the time it takes you to clean the first website, you may re-infect the one you’ve just cleaned with the other that is still infected. It should be treated as if it were the bubonic plague.

Step 5: Reset Passwords and Permalinks

You can reset all user names and passwords by logging in to your site. Your database has been compromised if you see any new users that you do not recognize. You need to contact a professional to make sure no unwanted code remains.

To make changes to your permalinks, go to Settings > Permalinks and click Save Changes. The URLs of your site will now work again after restoring the .htaccess file. Don’t leave behind any files when you delete them on your server. Be sure to show invisible files when you do so.

Step 6: Reinstall Plugins

The WordPress repository or the premium plugin developer’s repository should be used to reinstall all the plugins. Old plugins should not be installed. Installing no longer supported plugins is not recommended.

Step 7: Reinstall Themes

Freshly download your theme and reinstall it. Theme files customized by you can be reproduced on a fresh copy of the theme by referring to your backup files. The theme you used before may have been hacked, and you may not be aware of this.

Step 8: Take a backup and upload your images

Make sure you copy your old images over to the new wp-content > uploads folder on the server. It is important, however, to avoid copying any hacked files. FTP can be used to upload the blessed year/month folders once they have been blessed. Ensure that each year/month folder in your backup has only image files and does not contain any PHP files, JavaScript files, or anything else you did not upload to your Media Library. Examine each folder carefully.

Step 9: Scan Your Computer

Make sure your computer is free of viruses, Trojan horses, and malware by scanning it yourself.

Step 10: Configure and install security plugins

Make sure the site is thoroughly scanned with the Anti-Malware Security Program and Brute-Force Firewall. In the future, Shield will notify you if there are any changes to the core files. Make sure you didn’t miss anything by scanning the site with Malwarecare free consultation.  After ensuring the site is safe, deactivate two firewall plugins.

Frequently Asked Questions (FAQ)

Q. Why are WordPress sites hacked?

In search of vulnerable WordPress sites, malicious users search the internet. WordPress websites can be attacked if they are not protected by a WordPress firewall and are not following WordPress security best practices.

Q. What is the right way to scan WordPress plugins for malware?

Your WordPress site can be scanned for malware for free using Site Check. WordPress plugins should be updated regularly and all unused plugins removed. You can also monitor, protect, and respond to your website using our security and maintenance options.

Q. How do I find malicious code in WordPress?

Your WordPress site can be scanned for malicious code for free using Site Check. When you suspect your WordPress website is infected with malware, we recommend reinstalling the core files. Sign up for Malwarecare and submit a malware removal request if you want to make sure your website is clean.

Q. What is the best way to protect my WordPress site from malware?

A good way to secure your WordPress site is to update the software, enforce strong passwords, and implement 2FA (two-factor authentication) for login and access to third-party services such as Adobe Acrobat and Microsoft Mail Chimp.


It is highly recommended that you hire a professional to clean your WordPress admin if you are unable to log in due to the hack.

We malwarecare, understand the impact of website security, vulnerabilities, and traffic drops. That’s why we’re ready to handle all your security demands at an affordable price.

Sharif Hossain Syeed

See How We Can Secure Your Assets

Enter your email and our team will reach out to you.

Copyright © 2022. All rights reserved;