WPLift is supported by its audience. When you purchase through links on our site, we may earn an affiliate commission.

How to Remove Malware from Your WordPress Site (2021)

Last Updated on November 19th, 2021

Tags: ,

As a business owner, having a WordPress site is one of the most crucial steps for growing your business. And the reason is simple. WordPress and its related features make it easy for you to inform, entertain, and educate your readers or followers. 

But despite its many benefits, WordPress has several security vulnerabilities. This is why it is critical to understand what malware is and how to remove malware from a WordPress site. 

Knowing how to remove malware from a WordPress site is a skill every webmaster should have. Malware stands for malicious software, a general term for harmful programs and files that can compromise a system. It can damage computers, servers, networks, and websites.

Today, you’ll learn how to identify and how to remove malware from a WordPress site.

In a hurry? Looking for a solid solution? Check out Malcare.

Go to MalCare

Identifying the Malware on your WordPress Site

It’s safe to say you don’t want your dream WordPress site to be hacked or have to deal with any unwelcome scenarios that compromise your WordPress site’s security. But, unfortunately, every WordPress site owner faces security vulnerabilities, whether you run a large or small online business. 

As a result, now is the best time to run a malware and malicious code scan on your WordPress site. Because many beginners don’t immediately install a WordPress security scanner, malware or malicious code can go undetected for a long time. Even if your WordPress site is not hacked or affected, you should still learn how to scan your WordPress site for malicious code. It will help you protect your website against future attacks.

Before we go any further, let’s look at how you can tell if your website has been hacked. These steps will help you identify malware and prepare you for resolving possible critical issues in the future.

Make use of a URL Scanner

A URL scanner is a useful tool to use if you suspect your website is infected with malware. VirusTotal, which uses over 60 antivirus scanners and URL/domain blacklisting services to see if your URL has been flagged for malware, is one of several websites that will scan any URL for free. If your website has been flagged for malware and you want to figure out where the infection came from, start by looking at the code.

Make a backup of your WordPress site 

It’s quite important to have a backup file of your website before doing anything. You could lose all of your important files and data if you don’t, so ensure you have a solid backup of your WordPress site. 

Article Continues Below

You can do this in two ways, depending on whether you have access to your site or not. If you don’t have access to your site, follow these steps: 

  • Go to File Manager and right-click the public_html directory, then choose Compress. Then, by right-clicking on the archive and downloading it, save it to your computer.
  • After that, go to Site Manager > Connect Navigate to the document root of your website in the left box. Right-click the public_html directory in the right box and select Archive. Once the archive has been created, right-click it and choose Download.

Alternatively, if you do have access to your site, then you have to use any WordPress backup plugin, in this case. And then follow the instructions.

Keep an eye out for any changes

Keeping frequent backups of your website is a best practice for all website owners. This has several benefits, including the ability to restore your site in the event of a cyberattack. Additionally, knowing how your website’s clean, normal code looks can assist you in spotting the signs of potential malware. 

But what if something goes wrong and you don’t have a clean backup? You can check your database, files, and source code for signs of malware if you are familiar enough with your website or content management system (CMS) code to review it for suspicious content.

Check for database malware

To check for malware in your databases, you will need access to a database administration tool offered by your web host. Once you have access to the tool, check for signs of malware using this list of the common syntax used by cybercriminals.

Examine your source code for malware 

If you’re looking for malware in your source code, you’ll want to look at two types of attributes: script attributes and iframe attributes. Check for lines that begin with “script src=>” and any unfamiliar URLs or file names that follow. In the same way, look for unusual URLs in iframe src=”URL”>. If anything doesn’t look right, or the URL doesn’t look right, it’s probably a sign of cybercrime.

Check for malware in your files

We suggest downloading your backup using an FTP client or with the file manager, then locally running a scan on the backup. 

To diagnose and fix possible issues in your site’s files, use an anti-virus system and a malware scanner like Kaspersky or Malwarebytes. Change your FTP password and re-upload site files if the scan successfully identifies and removes any issues.

Removing the Malware from Your WordPress Site

How to remove malware from your WordPress site manually

You have a few options for removing malware from your WordPress site. To begin, you’ll need to connect to the site’s files via FTP or a file manager. 

  • Delete every file and folder in your site’s directory, except for wp-config.php and wp-content. 
  • After that, open wp-config.php and compare its contents to wp-config-sample.php from the WordPress GitHub repository or the same file from a fresh installation.
  • Remove any suspiciously long strings of code. 
  • Once you’ve finished inspecting the file, it’s also a good idea to change the password for your databases.

Navigate to the wp-content directory and perform the above actions on these folders: 

Article Continues Below

  • Plugins – list all your installed plugins, and erase the subfolder. You can re-download and re-install them at a later time. 
  • Themes – if you have a clean backup or don’t mind reinstalling, delete everything except your current theme and check for suspicious code, or just remove it entirely if you haven’t saved a clean backup. 
  • Check your uploads for anything you haven’t done yet. 
  • After you’ve deleted the plugins, delete the index.php file.

How to remove malware from your WordPress site using a plugin

Installing a WordPress malware removal plugin is one of the simplest ways to remove malware. The best plugins can scan your WordPress site for malware and other malicious code, then identify and remove it. 

They also look for other security flaws on your site and assist you in resolving them. You do not, however, want to use just any plugin for this. You’ll want to use effective plugins if you’re trying to get rid of malware on your site or set up ongoing protection. 

To help you, we decided to compile a list of the best WordPress malware removal plugins and came up with a top-six list. Learn how to use these plugins to remove malware from your WordPress site.

MalCare Security Plugin

MalCare provides the quickest malware removal service available. Ticket-based cleaning is available with most WordPress security services. If your website is hacked, you must first submit a ticket, pay the malware removal fee, and then wait for security personnel to clean your site and respond. This is a time-consuming process that entails granting third-party access to your website. 

MalCare’s Cleaner works uniquely. Time is of the essence after a hack. The longer it takes, the more likely your website will be blacklisted by Google or suspended by your web host. To clean a hacked website, MalCare offers an instant WordPress malware removal service. All you have to do is press a button, relax, and wait for the plugin to clean your site in a matter of minutes.

How to Use MalCare?

  • You must first download and install the MalCare plugin on your website before using it. 
  • Then go to the MalCare dashboard and add your site. The plugin will begin scanning your website immediately. It will notify you if it discovers any malicious files on your website. 
  • Using MalCare’s Auto-Clean button, you can clean your site right away.

Go to MalCare Security Plugin

Wordfence Security Plugin

Wordfence, unlike many other plugins, is updated on a regular basis. This means it guards you against the most recent threats. 

Wordfence comes with a full-featured firewall. This means it protects your website from attacks, malware, and backdoor vulnerabilities. Defense Against Threats Wordfence will be armed with the most up-to-date firewall rules, malware signatures, and malicious IP addresses it requires to keep your website safe. Wordfence is the most comprehensive WordPress security solution available, with 2FA and a suite of additional features.

How to use Wordfence Security Plugin?

Article Continues Below

  • Simply press the Start New Scan button to have the plugin.
  • Begin performing the series of checks on your site (3). 
  • When it’s finished, the Results Found (4) tab will show you a long list of potential issues with the site. These are coded green/yellow/red and range in priority from low to high.
  • For serious threats, such as hidden malware or unknown files, press the Delete all Deletable Files (5) button, and those will be taken care of for you.

Go to Wordfence Security Plugin

Sucuri Security

This plugin provides website monitoring, malware removal, and all other website security services you might require. In a nutshell, these are the web’s superheroes who will save the day for any website owner.

The Sucuri site check scanner scans your website automatically to ensure it is free of malware, suspicious redirects, iframes, and link injections, among other things. You can manually control how often the scanner checks for malware and blacklisting, as well as content changes in core files, WHOIS changes, and DNS changes. Furthermore, the security scanner ensures that your website is not blacklisted by Google, Norton, PhishTank, Opera, SiteAdvisor, Yandex, and, of course, Sucuri.

How to use Succuri Security?

  • Use the Sucuri plugin to scan your system’s core files and replace or delete any that have been modified or are no longer needed. 
  • Replace all free plugins, reset user passwords, and reset encryption salts using the Sucuri plugin’s Post Hack tab and Site Audit tab. 
  • Premium plugins should be re-uploaded. 
  • With a fine-tooth comb, go over the contents of each folder in the wp-content folder (except the individual plugin folders which you would have replaced in step 2 above). 
  • Evaluate each and every theme file carefully. 
  • Delete unused themes and plugins. 
  • Comb through your uploads folder carefully. 
  • Examine your .htaccess file and any other files in the public HTML folder that you didn’t replace manually.

Go to Sucuri Security

Protecting Your WordPress Site From Malware in the Future

Keep WordPress up-to-date 

WordPress is an open-source program that is updated and maintained regularly. WordPress installs minor updates automatically by default. You must manually start the update for major releases. 

WordPress also comes with a library of thousands of plugins and themes that you can use to customize your site. Third-party developers maintain these plugins and themes, and they release updates regularly. 

These WordPress updates are critical for your WordPress site’s security and stability. Check to see if your WordPress core, plugins, and themes are all up to date.

Reset user passwords 

It’s critical that you change the passwords for all of your WordPress site’s access points. This includes your database, FTP/SFTP, SSH, cPanel, and WordPress user accounts. 

For all of your systems, you should keep the number of admin accounts to a bare minimum. Apply the principle of least privilege. Give people only the access they need to complete the task at hand for as long as they need it.

Set regular backups

Website backups, like computer backups, should be done on a regular basis. It’s pointless to restore your site from a backup that’s several years old. 

Backups should be done on a daily or weekly basis in the best-case scenario. The frequency with which you update your website will determine whether you use daily or weekly updates. If you only publish a single blog post per week, and that’s the only update you make to your site, then weekly backups will suffice.

It’s difficult to imagine how it feels to lose all of your website data until you’ve experienced it firsthand. Whatever the case may be, it isn’t a pleasurable experience. More importantly, it’s something that can be completely avoided if you use the right online backup software.

Use official platforms only

Keep in mind that WordPress is an open-source platform, so you shouldn’t be surprised if you encounter unsecured plugins and themes. Because they’re free, these are appealing to new website owners. 

The ones in public collections, on the other hand, should not be used. Instead, use plugins from the WP plugin directory, which includes both free and paid plugins. You can also purchase a license from a reputable developer who will keep you up to date with security patches and updates.

Invest in a reliable WordPress hosting service

Server-level firewalls and intrusion detection systems should be installed prior to installing WordPress on the server to ensure that it is well-protected even during the WordPress installation and website development phases. To maintain optimal performance, all software installed on the machine to protect WordPress content should be compatible with the latest database management systems.

Scan your website

You should check your site for malware if you notice a sudden drop in traffic, strange performance issues, or suspicious behavior. 

Even if everything appears to be in order, it’s a good idea to run a malware scan on a regular basis. 

Some hacks operate invisibly behind the scenes, so webmasters may be unaware that something is wrong. That is until the damage is done, such as Google removing your site from search results due to security issues or being blacklisted, resulting in a significant loss of revenue and reputation. 

That’s why it’s critical to scan your website for malware on a regular basis.

Enable WordPress firewall

Setting up a web application firewall is another important WordPress security measure (WAF). Your WAF is the first line of defense against malicious attacks, stopping them before they reach your website. 

WordPress firewall plugins defend your site from hacking, brute-force attacks, and DDoS attacks.

Make Sure You Have an SSL Certificate Installed

This is a basic but essential security measure for most websites. It safeguards data by encrypting the data you and your users use and transfer via a website. For example, when someone submits a contact form or uses login in web pages, the transferred data remains encrypted. With SSL installed on a website, secure login can be ensured even while traveling. While some hosts and hosting plans provide this for free, others require you to use a separate SSL plugin for that purpose.

Wrapping Up!

Being proactive about your website’s security is your best defense as cybercrime and malware evolve. Whether you use manual methods to check for malware or use an automatic website scanner, learning the various ways to look for malware will help your website become more secure.

Incorporating all the information above will make an extreme, positive impact on your business/website. Learn more about caring for your website by following us.

Let us know if you have any questions or suggestions!

Would you like to learn more about WordPress?

Sign up for our Weekly WordPress Newsletter.

Every Friday you’ll receive news, tutorials, reviews, and great deals from the WordPress space.

Invalid email address
A team of WordPress experts that love to test out new WordPress related software, WordPress plugins and WordPress themes.