Finding malware on your WordPress site is not the hardest part. The hardest part is making sure you actually removed all of it. Most sites that go through a DIY cleanup end up re-infected within weeks — not because the attacker is sophisticated, but because the cleanup process itself was incomplete.
This guide walks through what professional WordPress malware removal actually involves, why the sequence matters, and what to harden afterward so the same attacker cannot walk straight back in.
Step 1: Do not start by deleting files
The instinct when you discover malware is to delete infected files immediately. That instinct is wrong. Delete before you document and you lose the forensic trail — the entry point, the attacker's IP, the timing of the breach, what data was accessed. For sites processing payments or personal data, that information is often legally required for breach notification.
Before anything else: take a full backup of the infected site, including the database. Yes, even though it is compromised. You need a snapshot of the attack state. Store it somewhere isolated and do not use it as a restore point.
Step 2: Isolate the site
Put the site into maintenance mode or block public access if possible. This limits damage: attackers cannot use an isolated site to redirect your visitors to phishing pages, and you prevent further data exfiltration while you are working.
If you are on shared hosting, contact your host immediately. Malware on shared servers can spread laterally across other accounts. Reputable hosts will quarantine the account; some will alert you proactively. If they do not, escalate until they do.
Step 3: Identify the infection — all of it
This is where most DIY cleanups fail. Attackers rarely plant malware in just one place. Common infection points include:
- Plugin and theme files — injected PHP in legitimate-looking files
- The uploads directory — PHP files disguised as images or documents
- wp-config.php and wp-settings.php — modified to load malicious includes
- The database — injected JavaScript in post content, options table, widget settings
- Cron jobs — malicious scheduled tasks set to re-download malware after cleanup
- Hidden admin users — accounts created during the breach for persistent access
Run a file integrity check against official WordPress core, plugin, and theme checksums. Any file that differs from the official version is a candidate for review. Tools like Wordfence's malware scanner, MalCare, or a manual diff against the plugin repository are the standard approaches. We typically run multiple scanners because no single tool catches everything.
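As an added example (not tooling from this guide), the Python below performs the integrity check this step describes: it walks an install tree, compares each file against a manifest of expected MD5 digests in the same {relative path: digest} shape the WordPress core checksums API returns, and reports what is modified, what is missing, and what executable file exists that no manifest accounts for, such as a PHP file under uploads. The install and manifest are constructed in a temporary directory so it runs offline; the digests are computed from the sample files, not real WordPress checksums.

```python
import hashlib
import os
import tempfile

SCRIPT_EXTS = (".php", ".phtml", ".php5", ".phar")

def md5_of(path):
    with open(path, "rb") as f:
        return hashlib.md5(f.read()).hexdigest()

def integrity_check(root, checksums):
    """Compare an install tree against a manifest {relative_path: md5hex}.
    Returns modified (digest differs), missing (in manifest, not on disk) and
    unexpected (script files the manifest does not list, e.g. PHP under uploads)."""
    report = {"modified": [], "missing": [], "unexpected": []}
    seen = set()
    for dirpath, _, files in os.walk(root):
        for name in files:
            rel = os.path.relpath(os.path.join(dirpath, name), root).replace(os.sep, "/")
            seen.add(rel)
            if rel in checksums:
                if md5_of(os.path.join(root, rel)) != checksums[rel]:
                    report["modified"].append(rel)
            elif rel.lower().endswith(SCRIPT_EXTS):
                report["unexpected"].append(rel)
    report["missing"] = sorted(set(checksums) - seen)
    report["modified"].sort()
    report["unexpected"].sort()
    return report

def write_file(root, rel, body, mode="w"):
    full = os.path.join(root, rel)
    os.makedirs(os.path.dirname(full), exist_ok=True)
    with open(full, mode) as f:
        f.write(body)

def build_sample_install():
    """Constructed mini-install plus the manifest recorded while it was clean."""
    root = tempfile.mkdtemp()
    write_file(root, "index.php", "<?php require 'wp-blog-header.php';\n")
    write_file(root, "wp-settings.php", "<?php // pristine settings\n")
    checksums = {rel: md5_of(os.path.join(root, rel))
                 for rel in ("index.php", "wp-settings.php")}
    checksums["wp-load.php"] = "0" * 32  # listed in manifest, deliberately absent on disk
    # Simulated tampering after the manifest was recorded: a line appended to
    # wp-settings.php and a PHP file dropped into the uploads directory.
    write_file(root, "wp-settings.php", "// appended after manifest\n", mode="a")
    write_file(root, "wp-content/uploads/2024/image.php", "<?php // should not be here\n")
    return root, checksums
```

Every path in "modified" is a candidate for review, not proof of infection; plugins that legitimately write into their own directories will show up here too.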
Step 4: Find the entry point before you clean anything
The entry point is the vulnerability that let the attacker in. Clean the malware without closing the entry point and the site will be re-infected — sometimes within hours. Common entry points include:
- An outdated plugin or theme with a known, unpatched vulnerability
- Compromised admin credentials (reused passwords, no 2FA)
- A nulled or pirated plugin with malware pre-installed
- A compromised hosting account (FTP credentials exposed in a third-party breach)
- A file upload vulnerability in a form or media handler
Check your server access logs for the date of the earliest suspicious activity. Attackers typically probe before they strike — that probing is visible in logs as bursts of 404s, unusual POST requests to admin paths, or login attempts from unfamiliar IPs.
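The log review just described, as an added example that is not part of the original guide: it parses combined-format access log lines, counts 404s and POSTs to admin endpoints per source IP, and returns flagged IPs in order of first appearance so the earliest entry gives you the start of the forensic timeline. The log lines are constructed, the burst threshold and admin path list are assumptions, and the known-IP allowlist is whatever you pass in.

```python
import re
from datetime import datetime

# Apache/nginx combined log format: IP - - [ts] "METHOD PATH PROTO" STATUS BYTES "REF" "UA"
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3}) ')
ADMIN_PATHS = ("/wp-login.php", "/xmlrpc.php", "/wp-admin/")

def parse_line(line):
    m = LOG_RE.match(line)
    if not m:
        return None  # unparseable line: skip rather than abort the whole triage
    ip, ts, method, path, status = m.groups()
    return {"ip": ip, "time": datetime.strptime(ts, "%d/%b/%Y:%H:%M:%S %z"),
            "method": method, "path": path, "status": int(status)}

def triage(lines, known_ips=(), burst_404=5):
    """Count 404s and POSTs to admin endpoints per source IP; flagged IPs come back
    ordered by first appearance, so findings[0]["first_seen"] starts the timeline."""
    per_ip = {}
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        s = per_ip.setdefault(rec["ip"], {"first_seen": rec["time"], "404s": 0, "admin_posts": 0})
        if rec["status"] == 404:
            s["404s"] += 1
        if rec["method"] == "POST" and rec["path"].startswith(ADMIN_PATHS):
            s["admin_posts"] += 1
    findings = []
    for ip, s in per_ip.items():
        reasons = []
        if s["404s"] >= burst_404:
            reasons.append("burst of %d 404s" % s["404s"])
        if s["admin_posts"] and ip not in known_ips:
            reasons.append("%d POST(s) to admin paths from unfamiliar IP" % s["admin_posts"])
        if reasons:
            findings.append({"ip": ip, "first_seen": s["first_seen"], "reasons": reasons})
    return sorted(findings, key=lambda f: f["first_seen"])

# Constructed sample: a scanner probing plugin paths, a known admin logging in,
# and an unfamiliar host posting to xmlrpc.php and wp-login.php.
SAMPLE_LOG = """\
192.0.2.1 - - [10/Mar/2024:01:05:00 +0000] "GET / HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Mar/2024:02:14:01 +0000] "GET /wp-content/plugins/example-a/readme.txt HTTP/1.1" 404 196 "-" "curl/8.0"
203.0.113.7 - - [10/Mar/2024:02:14:02 +0000] "GET /wp-content/plugins/example-b/readme.txt HTTP/1.1" 404 196 "-" "curl/8.0"
203.0.113.7 - - [10/Mar/2024:02:14:03 +0000] "GET /backup.zip HTTP/1.1" 404 196 "-" "curl/8.0"
192.0.2.1 - - [10/Mar/2024:08:30:00 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
198.51.100.9 - - [10/Mar/2024:09:01:10 +0000] "POST /xmlrpc.php HTTP/1.1" 200 370 "-" "python-requests/2.31"
198.51.100.9 - - [10/Mar/2024:09:01:12 +0000] "POST /wp-login.php HTTP/1.1" 200 1200 "-" "python-requests/2.31"
""".splitlines()
```

Run it over the whole retention window, not just the day you noticed the infection; the first flagged timestamp is frequently days before the visible symptoms.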
Step 5: Clean systematically, not just the obvious files
The professional approach to cleaning a WordPress site:
- Reinstall WordPress core from official source (do not copy from the infected install)
- Replace all plugins and themes with clean downloads from the official repository
- Review and clean the database — especially the wp_options table (autoloaded data), post content, and widget settings
- Remove all unknown admin users
- Delete all files in the uploads directory that are PHP or executable scripts
- Check for and remove malicious cron jobs via wp cron event list
- Regenerate all security keys in wp-config.php
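The database review in this step and the "database" and "hidden admin users" items from Step 3, as an added example that is not part of this guide: it runs the audit against a constructed in-memory SQLite copy of the four relevant tables, searching post content and autoloaded wp_options values for injection markers and listing every account that holds the administrator capability but is not on your allowlist. The table layout, the serialized wp_capabilities value and the marker list are simplified assumptions based on WordPress's schema; the same SQL shape runs against the live MySQL database, for example via wp db query.

```python
import sqlite3

# Substrings that are rarely legitimate in post content or autoloaded options.
INJECTION_MARKERS = ("<script", "<iframe", "eval(", "base64_decode(", "document.write(")

# Simplified subset of the WordPress schema (constructed for this example).
SCHEMA = """
CREATE TABLE wp_posts (ID INTEGER, post_title TEXT, post_content TEXT);
CREATE TABLE wp_options (option_id INTEGER, option_name TEXT, option_value TEXT, autoload TEXT);
CREATE TABLE wp_users (ID INTEGER, user_login TEXT, user_registered TEXT);
CREATE TABLE wp_usermeta (user_id INTEGER, meta_key TEXT, meta_value TEXT);
"""

def _matches(conn, table, id_col, col, extra=""):
    # table/column names are constants in this file; marker values are bound parameters
    where = " OR ".join("%s LIKE ?" % col for _ in INJECTION_MARKERS)
    sql = "SELECT %s FROM %s WHERE %s(%s)" % (id_col, table, extra, where)
    return [row[0] for row in conn.execute(sql, ["%" + m + "%" for m in INJECTION_MARKERS])]

def audit(conn, expected_admins):
    """Return injected post IDs, injected autoloaded option names, and admin
    accounts not on the allowlist."""
    admins = [row[0] for row in conn.execute(
        "SELECT u.user_login FROM wp_users u JOIN wp_usermeta m ON m.user_id = u.ID "
        "WHERE m.meta_key = 'wp_capabilities' AND m.meta_value LIKE '%administrator%'")]
    return {
        "posts": _matches(conn, "wp_posts", "ID", "post_content"),
        "options": _matches(conn, "wp_options", "option_name", "option_value",
                            extra="autoload = 'yes' AND "),
        "unknown_admins": sorted(set(admins) - set(expected_admins)),
    }

def build_sample_db():
    """Constructed data: one clean post, one with an injected script, one
    injected widget option, and an admin account created during the breach."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    conn.executemany("INSERT INTO wp_posts VALUES (?,?,?)", [
        (1, "Hello", "<p>Welcome to the site.</p>"),
        (2, "Pricing", "<p>Plans</p><script src='//203.0.113.9/x.js'></script>")])
    conn.executemany("INSERT INTO wp_options VALUES (?,?,?,?)", [
        (1, "siteurl", "https://example.com", "yes"),
        (2, "widget_text", 'a:1:{i:2;a:1:{s:4:"text";s:36:"<iframe src=//203.0.113.9/></iframe>";}}', "yes")])
    conn.executemany("INSERT INTO wp_users VALUES (?,?,?)", [
        (1, "owner", "2021-05-01 10:00:00"), (2, "wp_support", "2024-03-10 02:20:11")])
    conn.executemany("INSERT INTO wp_usermeta VALUES (?,?,?)", [
        (1, "wp_capabilities", 'a:1:{s:13:"administrator";b:1;}'),
        (2, "wp_capabilities", 'a:1:{s:13:"administrator";b:1;}')])
    return conn
```

On a real site the table prefix may not be wp_, and legitimate page builders do store script tags in some options, so treat each hit as something to read, not something to delete blindly.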
Step 6: Harden before going live
A freshly cleaned site with the same configuration that allowed the breach is just a site waiting to be re-infected. Before restoring public access:
- Force-reset all user passwords, especially admins and editors
- Enable two-factor authentication on all admin accounts
- Close the specific entry point identified in Step 4
- Disable XML-RPC if unused
- Set proper file permissions (644 for files, 755 for directories, 600 for wp-config.php)
- Install and configure a web application firewall
Then submit a Google Search Console review request if the site was flagged as dangerous. Google typically reviews and clears flagged sites within 72 hours of a successful resubmission.
When DIY cleanup is not enough
Professional cleanup is the right call when:
- The site handles payments or customer personal data
- You cannot identify the entry point with confidence
- The site was infected more than once
- Google has flagged the site or the domain is on a blacklist
- The infection is widespread across the database and filesystem
- The site runs WooCommerce or has active customer sessions
In these situations, incomplete cleanup creates ongoing liability. A professional incident response engagement covers full forensic documentation, systematic removal, entry point closure, hardening, and Google blacklist removal — with accountability.
Already dealing with a hacked WordPress site?
Our incident response team handles full malware removal, entry point forensics, blacklist removal, and post-incident hardening. We work with businesses where the site generates revenue and downtime is not an option.
Frequently Asked Questions
How long does WordPress malware removal take?
A straightforward single-site cleanup with a known entry point typically takes 4–8 hours of professional work. More complex infections — spread across database, filesystem, and with unknown entry points — can take 1–3 days depending on site size and available logs.
Can I use a plugin to remove WordPress malware?
Plugins like Wordfence, MalCare, and Sucuri can identify and remove many common malware variants. However, they miss obfuscated injections, database-based malware, and backdoors in non-standard file locations. Plugin-based cleanup should always be followed by a manual file integrity review.
What if my hosting company cleaned the site — is that enough?
Hosting companies typically remove obvious malware from the filesystem. They rarely review the database, check for hidden admin users, close the entry point, or harden the site afterward. A hosting-level clean is a starting point, not a complete remediation.
How do I know if malware has been completely removed?
Run multiple independent scanners (not just one plugin), compare all core and plugin files against official checksums, audit the database for injected content and unknown admin users, review server access logs for post-cleanup suspicious activity, and check Google Safe Browsing and blacklist databases for your domain.