WordPress Malware Removal: How to Clean a Hacked Site and Prevent Reinfection
Finding out your WordPress site has been compromised is the kind of discovery that ruins your afternoon. Maybe you noticed your homepage redirecting to a pharmaceutical spam page. Maybe Google slapped a “This site may be harmful” warning across your search listing. Or maybe your hosting provider sent an email saying they’ve suspended your account because of suspicious activity. However you found out, the important thing is that the situation is fixable. Thousands of WordPress sites are cleaned up successfully every week and yours can be too. At Priority Pixels, our WordPress support services for business websites include malware removal and security hardening, so we’ve dealt with just about every type of infection you can think of. This guide walks through the entire process, from recognising the symptoms to locking things down so it doesn’t happen twice.
Attackers love WordPress because it runs so much of the internet. The core platform gets solid security updates though, so that’s rarely where things go wrong. Outdated plugins are usually the culprit, along with terrible passwords and servers that haven’t been set up properly.
Signs Your WordPress Site Has Been Hacked
Sometimes hackers wave a massive flag. Your site suddenly sells fake designer goods or sends everyone to some gambling site. But the clever ones stay hidden and that’s when you’re really in trouble. They’ll slip spam links into your code that only Google can see or plant backdoor scripts that wait months before striking.
Watch out for pages that suddenly redirect somewhere strange, Google Search Console throwing malware warnings at you or random spam content appearing on your site. Unknown admin accounts are a dead giveaway, especially ones with full access rights. And if your site crawls along for no good reason, that’s worth checking too. Your hosting company might also spot unusual server activity, which often means someone’s mining cryptocurrency on your dime.
Your emails might bounce back because spammers have got your domain blacklisted. Files get modified on dates when nobody was working. Search results show your business name next to adverts for pills and poker games. See multiple warning signs and you need to act fast instead of crossing your fingers.
How Malware Gets Into WordPress Sites
Most WordPress vulnerabilities don’t come from the core software itself but from the plugins and themes surrounding it. WordPress core has a dedicated security team keeping things tight, but Patchstack research shows the real problems live in that massive ecosystem of third-party add-ons. Understanding your attack vector before you start cleaning tells you exactly what needs fixing to stop it happening again.
Outdated plugins and themes create the biggest security holes. Plugin developers release patches when vulnerabilities surface, but here’s the catch: that patch announcement becomes a roadmap for attackers. Automated tools immediately start scanning for sites still running vulnerable versions. You might have just two weeks before your unpatched plugin becomes a target.
Weak or reused passwords hand attackers the keys. Brute force bots hammer WordPress login pages around the clock and if you’re using “password123” or recycling credentials from a breached service, you’re not facing an “if” scenario but a “when” one.
Nulled themes and plugins are pirated premium products that come with malicious code already installed. These unofficial downloads from sketchy sites always contain backdoors and there’s absolutely no legitimate reason to risk using them.
Shared hosting creates problems when server accounts aren’t isolated properly. One compromised site can spread malware to others on the same server and outdated PHP versions make things worse. File permissions get misconfigured and suddenly attackers have an easy way in.
What to Do Immediately After Discovering a Hack
Every hour counts once you’ve been hit. Visitors see malicious content, search engines start penalising you and the attacker gets more time to burrow deeper into your system. Here’s what to do first.
Password changes come first. WordPress admin, hosting control panel, SFTP, database access and any API keys in wp-config.php all need new credentials before you touch anything else. Generate long, unique passwords with a password manager and don’t reuse a single one.
Administrator accounts need attention. Delete any users you don’t recognise and consider dropping everyone except your cleanup account down to subscriber level temporarily. You can restore proper permissions once the site’s clean.
Put the site into maintenance mode. Visitors shouldn’t see malicious content while you’re sorting things out. Use a maintenance mode plugin if you can still get into the dashboard, but if that’s not possible then upload a static HTML page through SFTP. Contact your hosting provider. They might already know about the breach and could share access logs that show exactly how attackers got in.
Step-by-Step Malware Cleaning Process
Cleaning a hacked WordPress site takes patience and proper method. Skip steps or rush the process and you’ll be dealing with reinfection within days. Work through each stage systematically.
Back up the infected site first. Sounds backwards but you need that snapshot of the compromised state before changing anything. Things can go sideways during cleanup and you might accidentally delete legitimate content or break something that was working. Download everything, all files plus the database. Keep it separate from your clean backups and mark it clearly so nobody restores the infected version by mistake.
Run a server-side malware scan. Wordfence and similar tools check your WordPress files against the official versions from the repository. Any file that doesn’t match gets flagged, which catches those sneaky modifications that signature scanners often miss. Document everything the scan finds before you touch anything.
Reinstall WordPress core. Download fresh copies from wordpress.org and completely replace wp-admin and wp-includes. Don’t touch wp-config.php or wp-content yet.
Inspect wp-config.php line by line. Malware loves hiding at the top or bottom of this file where you won’t notice it straight away. Check for eval() functions, base64_decode() calls and any require statements that look suspicious. Compare yours against the default wp-config-sample.php file and flag anything that doesn’t belong there.
Replace all plugins and themes. Delete everything in wp-content/plugins and wp-content/themes, then reinstall clean versions from the official repository or developer sites. Got nulled plugins running? Time to buy proper licences or switch to alternatives because those files are often stuffed with malware.
Sweep the uploads directory. Check your wp-content/uploads folder and you should only see images, PDFs and videos. PHP files don’t belong there but attackers love dumping backdoor scripts in that directory. Hunt down any .php files and delete them immediately. Watch out for sneaky double extensions too like image.jpg.php because that’s a classic disguise trick.
Clean the database. Your wp_posts table needs checking for hidden iframes, JavaScript and spam links that shouldn’t be there. Go through wp_options for anything you don’t recognise, especially the siteurl and home values which are prime targets. Don’t forget wp_users where rogue accounts might be lurking. Base64-encoded strings in post content fields are basically guaranteed to be injected malware.
Hunt for backdoors. This step matters more than anything else you’ll do. Backdoors let attackers waltz back in after you’ve cleaned everything, so they hide these scripts everywhere. Check functions.php, look for fake plugin files with innocent names, scan PHP files in uploads directories and examine modified .htaccess files. Search for eval(base64_decode()), exec(), system(), passthru() and shell_exec() functions. Any file containing these that isn’t part of a recognised plugin needs serious scrutiny.
Regenerate your WordPress security salts. Grab fresh cryptographic keys from the WordPress secret key API (api.wordpress.org/secret-key/1.1/salt/) and replace the old values in wp-config.php. This kills all existing login sessions, which you need if the attacker had authenticated access to your site.
Scan again. You need to run another complete scan just to make sure nothing’s been missed. Then test everything on the front end including forms, navigation and database functionality.
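The uploads sweep and backdoor hunt above, as an added shell example that is not part of the original article or of Priority Pixels' own tooling. It assumes a standard layout under the WordPress root passed as $1 (a constructed fixture stands in when WP_ROOT is unset) and only lists files; deleting anything stays a manual decision once you've documented the hits.

```shell
#!/bin/sh
# Added example, not code from the original article or from Priority Pixels.
# A read-only triage sweep for two checks described above: PHP files hiding
# in wp-content/uploads and the backdoor function signatures named in the text.
# $1 is a WordPress root; make_fixture builds a constructed one for a dry run.

# Uploads sweep: the folder should hold media only. Catches bare .php, the
# .phtml/.php5 variants and double extensions such as image.jpg.php.
find_php_in_uploads() {
  find "$1/wp-content/uploads" -type f \
    \( -iname '*.php' -o -iname '*.phtml' -o -iname '*.php[0-9]' \) 2>/dev/null | sort
}

# Backdoor hunt: PHP files under wp-content calling the functions the article flags.
# This is a shortlist for manual review, not a verdict: some legitimate plugins use
# exec() or system() (backup and image tools, for example), so read each hit.
grep_backdoor_sigs() {
  grep -rlE --include='*.php' \
    'eval\(base64_decode\(|(^|[^A-Za-z0-9_])(exec|system|passthru|shell_exec)\(' \
    "$1/wp-content" 2>/dev/null | sort
}

# Constructed fixture: one benign image, one double-extension file in uploads,
# one benign plugin and one theme functions.php carrying a flagged call.
make_fixture() {
  root=$(mktemp -d)
  mkdir -p "$root/wp-content/uploads/2024/05" "$root/wp-content/plugins/hello" \
           "$root/wp-content/themes/site"
  printf 'not really a jpeg' > "$root/wp-content/uploads/2024/05/photo.jpg"
  printf '<?php /* constructed */ eval(base64_decode($x));' \
    > "$root/wp-content/uploads/2024/05/photo.jpg.php"
  printf '<?php echo "hello";' > "$root/wp-content/plugins/hello/hello.php"
  printf '<?php /* constructed */ system($cmd);' > "$root/wp-content/themes/site/functions.php"
  echo "$root"
}

# Print both lists for a site; record the output before touching anything.
report() {
  echo "== PHP files in uploads =="
  find_php_in_uploads "$1"
  echo "== files with backdoor signatures =="
  grep_backdoor_sigs "$1"
}

# Dry run against the fixture; WP_ROOT=/var/www/site sh scan.sh sweeps a real install.
report "${WP_ROOT:-$(make_fixture)}"
```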
Scanning Tools and Security Plugins Compared
Detection, cleanup and monitoring tools each serve different purposes. Understanding what works best for each job matters because none of them catch everything.
| Tool | Free Scanner | Firewall | Strengths |
|---|---|---|---|
| Wordfence | Yes (server-side) | Plugin-level WAF | File integrity comparison against repository versions, thorough scanning |
| Patchstack | Yes | Virtual patching | Identifies vulnerable plugins before patches are available |
| Sucuri SiteCheck | Yes (external only) | Cloud-based WAF | Quick external check for blacklisting and visible malware |
| MalCare | Limited | Yes | Scans on its own servers, reducing performance impact on your hosting |
Wordfence handles file-level scanning brilliantly whilst Patchstack focuses on vulnerability monitoring. We typically recommend both because Wordfence spots changes to known files and Patchstack identifies vulnerable plugins then applies virtual patches to block attacks before developers even release updates. Better coverage that way.
Getting Off Google’s Blocklist
Google’s “This site may be harmful” or “Deceptive site ahead” warnings kill your organic traffic instantly. The warning shows up in search results and throws a full-screen block when people try to visit through Chrome, so you’ll need to submit a review request through Google Search Console to get it removed.
Google re-crawls your site during the review process and any remaining malware means instant rejection. Clean everything first, then head to the Security Issues section and fix every single item they’ve flagged. Your submission needs specifics about the attack vector, which files got compromised and what you’ve done to prevent it happening again. Don’t bother with vague descriptions like “we cleaned the site” because Google will reject them without a second thought. Expect to wait anywhere from a few days to several weeks for your review results and if Google spots lingering issues they’ll tell you exactly what needs sorting before you can try again.
Preventing Reinfection: A Practical Hardening Checklist
Fix the vulnerabilities that let hackers in or you’ll be back here doing this whole dance again within weeks. Cleaning malware without addressing the root cause is pointless. So what keeps your site secure going forward?
Updates need to happen regularly and without fail. WordPress core, plugins and themes all require constant attention. Auto-updates work well for minor WordPress releases and security patches, but plugin updates deserve testing first on a staging environment. Custom functionality can break unexpectedly with updates. A proper WordPress maintenance and security service runs on a schedule so nothing gets missed.
Delete what you’re not using. Deactivated plugins and themes that are just sitting there? They’re still hackable. Doesn’t matter if they’re switched off because vulnerabilities in dormant plugins work just the same as active ones. Remove them completely instead of leaving them cluttering up your server.
Enforce proper authentication. Two-factor authentication goes on every single admin and editor account. Strong passwords from a password manager, rate limiting for login attempts and individual accounts for each team member rather than everyone sharing the same login details.
Lock down file permissions. Your wp-config.php needs to be set at 440 or 400, directories at 755 and files at 644. Block PHP execution in wp-content/uploads through your server settings and make sure .htaccess is read-only at 444.
Implement a web application firewall. Plugin firewalls like Wordfence work at the application layer whilst cloud options like Cloudflare’s WAF operate at the network edge. Running both gives you proper defence in depth, which matters even more if you’re on managed WordPress hosting where someone else handles your server configuration.
Use SFTP, never FTP. Your credentials travel in plain text with standard FTP, which means anyone can intercept them. SFTP encrypts the whole connection. And if your hosting provider only offers FTP? That should tell you everything you need to know about how seriously they take security.
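The file permission and PHP-blocking items from the checklist above, as an added shell example that is not from the original article. It assumes an Apache 2.4 host that honours .htaccess (on nginx the equivalent deny rule goes in the server block instead) and a WordPress root in $1, with a constructed stand-in used when WP_ROOT is unset.

```shell
#!/bin/sh
# Added example, not code from the original article or from Priority Pixels.
# Applies the permission scheme from the checklist and drops an .htaccess into
# wp-content/uploads so Apache refuses to execute PHP there. Assumes Apache 2.4
# with AllowOverride enabled; $1 is the WordPress root.

# 755 on directories, 644 on files, then tighten the two sensitive files.
# 440 on wp-config.php only works when PHP runs as the file's owner or group;
# where it runs as a different user the site breaks, so test on staging first.
harden_permissions() {
  site=$1
  find "$site" -type d -exec chmod 755 {} +
  find "$site" -type f -exec chmod 644 {} +
  chmod 440 "$site/wp-config.php"
  if [ -f "$site/.htaccess" ]; then chmod 444 "$site/.htaccess"; fi
}

# Deny any PHP-like extension inside uploads (image.jpg.php included) so a
# dropped script is answered with an error instead of being run. Call this
# after harden_permissions, which would otherwise reset the file to 644.
block_php_in_uploads() {
  cat > "$1/wp-content/uploads/.htaccess" <<'EOF'
# Media only: refuse to execute PHP dropped into uploads (Apache 2.4 syntax)
<FilesMatch "\.(php|phtml|php[0-9])$">
    Require all denied
</FilesMatch>
EOF
  chmod 444 "$1/wp-content/uploads/.htaccess"
}

# Octal mode of a path, working with both GNU stat (-c) and BSD stat (-f).
perm_of() {
  stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1"
}

# Constructed stand-in for a WordPress root, used for a dry run.
make_demo_root() {
  root=$(mktemp -d)
  mkdir -p "$root/wp-content/uploads"
  printf '<?php // constructed' > "$root/wp-config.php"
  printf '# constructed' > "$root/.htaccess"
  printf 'jpeg bytes' > "$root/wp-content/uploads/photo.jpg"
  echo "$root"
}

# Dry run; WP_ROOT=/var/www/site sh harden.sh applies it to a real install.
site=${WP_ROOT:-$(make_demo_root)}
harden_permissions "$site" && block_php_in_uploads "$site"
echo "wp-config.php is now mode $(perm_of "$site/wp-config.php")"
```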
The vast majority of WordPress infections we investigate trace back to three things: a plugin that wasn’t updated, a password that was too weak or a nulled theme that should never have been installed. Fix those three and you’ve dealt with the most common attack vectors.
Set it up once and you’re sorted, right? Wrong. Sites that stay secure have someone checking them regularly, running updates and watching for problems on a proper schedule.
UK Data Breach Obligations Under GDPR
Nearly every WordPress site collects personal data somehow, whether through contact forms, user accounts, newsletter signups or online sales. Get hacked and you’re not just dealing with a broken website anymore. Under UK GDPR, that hack becomes a personal data breach with real legal obligations attached.
UK data protection law requires you to notify the Information Commissioner’s Office (ICO) within 72 hours if a breach might put people’s rights at risk. That’s 72 actual hours, not working days. Email addresses got exposed? Form data compromised? Payment information at risk? Better to report it than have the ICO find out later that you kept quiet when you shouldn’t have.
Document everything about the breach. What happened, when you found it, which data got affected and every action you took. UK GDPR’s accountability principle doesn’t give you a choice here.
When Professional Help Is the Right Call
Confident site administrators can tackle straightforward infections using the steps we’ve covered. But others run much deeper with multiple backdoors, database injections and server compromises that need experienced hands.
Professional help becomes necessary when infections keep coming back because you’ve missed a backdoor somewhere. Same goes when your site processes sensitive data and you need documented cleanup for compliance or when your hosting provider suspends your account until you prove the mess is sorted. And sometimes you just don’t have time for a thorough job. An experienced WordPress development team has seen hundreds of these infections and knows exactly where automated scanners fail to look. They’ll also set up monitoring and hardening to stop it happening again, which is what makes their fees worthwhile.
Professional removal costs less than letting a compromised site run wild. Lost rankings pile up alongside eroded trust, potential ICO fines and countless hours dealing with recurring infections. Working with a team that lives and breathes WordPress daily just makes sense when your site’s been compromised and needs proper fixing. The WordPress security team publishes brilliant hardening documentation that’s worth keeping handy too.
FAQs
How do I clean malware from a hacked WordPress site?
Start by backing up the infected site, then change every password connected to it. Reinstall WordPress core by replacing wp-admin and wp-includes with fresh copies from wordpress.org. Delete all plugins and themes entirely and reinstall them from official sources. Sweep the uploads directory for any PHP files that should not be there and clean the database of injected scripts or spam content. Finally, search for backdoors and regenerate your WordPress security salts to invalidate all existing sessions.
How does malware typically get into a WordPress site?
Outdated plugins and themes are the most common entry point by a wide margin. When developers release security patches, the vulnerability details become publicly available, giving automated tools a blueprint to scan for unpatched sites. Weak or reused passwords, nulled (pirated) plugins containing hidden backdoors and poorly configured shared hosting environments where one compromised site can affect others on the same server are the other major causes.
How can I prevent my WordPress site from getting hacked again after cleanup?
Keep all plugins, themes and WordPress core updated promptly, since the window between a patch being released and bots scanning for the vulnerability is often just hours. Use strong unique passwords with two-factor authentication on all admin accounts. Install a reputable security plugin for ongoing monitoring and file integrity checking. Choose quality hosting with proper account isolation and consider a web application firewall to block malicious traffic before it reaches your site.