How to Remove Malware from a WordPress Site in 2020

and Knowing how to remove malware from a WordPress site is a skill every webmaster should have. Malware stands for malicious software, which is a general term for harmful programs and files that can compromise a system. It can damage computers, servers, networks, and websites. In this article, you’ll learn how to remove malware from a WordPress site.

What Can a Malware Do to Your Site?

Although WordPress is well maintained and secure, it does have several vulnerabilities that can expose your site and its visitors to malware threats. Hence paying attention to your site’s security is absolutely essential.

Here are some of the risks posed by malware:

  • Unwanted changes to your content or site, whether something is added or removed without your permission.
  • Compromised sensitive data, like users’ private information.
  • Spam, whether in the form of emails or suspicious links being spread from your site.
  • Your URL getting redirected to untrustworthy websites promoting scam, inappropriate content, or malicious ads.
  • A sudden spike in server resource consumption.
  • Google marking your site as unsafe on the browser and search results.
  • Negative impact on SEO (related to the point above).

As you can see, keeping your security up to date and knowing how to remove malware from a WordPress site is an absolute must!

How to Remove Malware from a WordPress Site Manually?

The manual method may take a while and requires more technical knowledge, but it can give you insights on where the breach happened. If you would rather use a simpler alternative to remove malware from a WordPress site, try a security plugin instead.

1. Backup Your Site

Always backup your site before tweaking its core files. There are two ways to do this, depending on whether or not you’re locked out of your site.

If you’re unable to login, you can save a copy of your site’s public_html folder via your hosting file manager or FTP. Here’s how:

  • File manager – right-click on the public_html directory and select compress. Once done, save it to your computer by right-clicking on the archive and downloading it.
  • FTP – go to Site Manager -> Connect and then download the folder using the same method as used above. The only difference is that you’ll need to use an FTP client like FileZilla.

Meanwhile, if you still have access to your site, you can use plugins such as UpdraftPlus, Backup Buddy, or VaultPress to save time.

Last but not least, keep a backup of your database stored locally as well.

2. Run a Scan on Your Computer

We suggest downloading your backup using an FTP client or with the file manager then locally running a scan on the backup.

Use an anti-virus system and a malware scanner such as Kaspersky or MalwareBytes to diagnose and fix possible issues in your site’s files. If the scan is successful and helps locate and remove any issues, change your FTP password and re-upload site to remove malware form wordpress site

3. Remove the Malware Infection

There are a few actions you can take to remove malware from your WordPress site. First, you will need to access the site’s files through FTP or a file manager.

Erase every file and folder in your site’s directory except for wp-config.php and wp-content.

Afterward, open wp-config.php and compare its content with the same file from a fresh installation or wp-config-sample.php that can be found on the WordPress GitHub repository. Look for strange or suspiciously long strings of code and remove them. It’s also a good idea to change the password of your databases once you’re done inspecting the file.

Next, navigate to the wp-content directory and perform actions on these folders:

  • plugins – list all your installed plugins, and erase the subfolder. Later you can re-download and re-install them.
  • themes –  delete everything except your current theme and check for suspicious code, or just remove it altogether if you’ve saved a clean backup or don’t mind reinstallation.
  • uploads – check for anything you haven’t uploaded.
  • index.php – after you’ve deleted the plugins, erase this file.

4. Download a Fresh WordPress Copy to Install

Re-download WordPress and re-upload the content to your website via FTP or the file manager.

Go to your file manager, click Upload Files and locate the WordPress zip file. After it’s finished uploading, right-click or press the Extract button and enter a directory name to define the save location. Copy everything else besides the zip file to public_html.

Alternatively, you can use hPanel’s one-click installer and edit the database credentials in the wp-config.php file to point it to your new installation.

5. Reset WordPress Password

If multiple users are running a website, the breach might have occurred through one of their accounts. It’s recommended to reset every user’s password, log out every account, and to check for any inactive or suspicious user accounts that should be deleted.

Change the passwords into long, randomized strings that can’t be breached by brute force attacks. It’s a great idea to use a password generator.

6. Re-Install Plugins and Themes

Now that you have removed malware from your WordPress site, re-install all the removed plugins and themes you had. However, be sure to leave out plugins that are outdated and no longer maintained.

While you’re at it, we advise you to install security plugins that can protect your WordPress site and easily remove malware in the future. Use one with a proven track record such as MalCare, WordFence, or Sucuri.

How to Remove Malware from WordPress Using a Plugin?

If you prefer a quicker way to remove malware from your site and can afford a premium service, you can purchase a WordPress security plugin.

For this article, we’re going to demonstrate how to remove malware from a WordPress site using Sucuri. But first, let’s take a look at what it offers:

  • Server-side scanning (premium) and remote scanning (free). The latter only detects on-site malicious code and while the former also checks for it on the back-end.
  • Detects compromised WordPress files in your system and replaces infected ones with their original copies.
  • Runs a check on antivirus software and search engine databases to see whether your site is blacklisted.
  • Reinforces your site’s security to prevent malware attacks.
  • Notifies you whenever signs of malware activity are spotted.
  • Sets up a firewall on your website (premium).

You can get Sucuri from the WordPress plugin repository.

Once it is installed, you’ll need to go to the plugin’s dashboard and Generate an API Key to activate its features fully.
This image shows the process of generating Sucuri's API keyAfter your site is integrated with Sucuri’s API service, go to Dashboard -> Refresh Malware Scan. It will display a file log with any suspicious ones flagged. For this tutorial, we added suspicious code to our test site’s index.php file.
This displays the file log of Sucuri, showing a suspicious file as flaggedAfter running the scan, the file was flagged. You can select it and perform whichever action you prefer.

Removing the Warning Label on Google SERP

Although the malware has been removed from your WordPress site, you still need to ask Google to remove the site’s warning label:

  1. Access the Google Search Console and register your website. Skip to the third step if you have an account.
  2. After that, verify it either using Domain or URL prefix.
  3. Scroll down to find Security & Manual Actions on the left tab. Click to reveal a dropdown and select Security Issues.
  4. You will see the report on your site’s security, in which you can choose Request a review.

You must double-check whether you successfully remove malware from your WordPress site before submitting a request. Otherwise, it will get pinned as a repeat offender, and you won’t be able to request another review for 30 days.


Malware can be a major issue that removes all credibility and trust from your WordPress site while compromising you and your users. While reviewing how to remove malware from a WordPress site, we showed you two methods:

Manual removal, for which you need to:

  • Back up your site.
  • Use anti-virus and malware scanning software on the backup locally.
  • Eliminate malware by tweaking your WordPress files and deleting old or suspicious ones.
  • Reset all user passwords and check for suspicious users.
  • Reinstall plugins and themes.

Or you can use plugins to fix the issues and improve your site’s security. Additionally, we also learned how to remove the warning label that can get placed on your website by Google.

With these actions in mind, hopefully, you can restore your WordPress site ASAP and keep future threats at bay.