WPLift is supported by its audience. When you purchase through links on our site, we may earn an affiliate commission.

WordPress Malware Removal: Your Options To Clean Your WordPress Site

Last Updated on April 13th, 2020

Published on July 11th, 2018


Share This Article

So your WordPress site has malware…what do you do? Well, obviously you need some WordPress malware removal help!

This isn’t a “do it yourself manually” post. I will link to some great resources later on if that’s what you are into. But I’m more concerned with how a regular WordPress user can go about removing malware. So expect to find:

  • WordPress malware removal services
  • Plugins that can clean malware for you
  • Other non-technical solutions

Let’s dig in so that you can get your site working smoothly again!

See If Your Host Handles WordPress Malware Removal

Ok, it’s not necessarily your host’s responsibility to clean your site of malware. But some hosts, most specifically managed WordPress hosts, do actually offer something like a “hack fix” guarantee.

That’s because part of what you’re paying a premium for with managed WordPress hosting is security, so most managed WordPress hosts already implement lots of checks to keep your site safe. As a result of taking on that responsibility, they’ll also fix any issues that do slip through.

For example, Kinsta offers a Hack fix guarantee:

kinsta wordpress malware removal guarantee

Similarly, Flywheel will also clean up your site if it gets hacked. Your managed WordPress host might, too. You’ll need to check their policies, though, because not all managed WordPress hosts do.

So before you go off to pay a service or handle things yourself, see if your host can help. Just don’t expect budget shared hosting to do everything for you – that’s the downside of budget hosting.

Pay For A WordPress Malware Removal Service

If you’re willing to crack open your wallet, there are tons of quality WordPress malware removal services that you can choose from to clean your site. The prices range from about ~$100 at the low end to $200+ on the higher end.

Article Continues Below

In my opinion, the best places to look are:

  • Security plugins – some security plugins offer paid malware removal services. Usually, the plugins offer free malware scans and then fix it for a price.
  • Maintenance/support services – many WordPress maintenance or support services can also help to clean your hacked WordPress site.

On the security plugin front, Wordfence offers a site cleaning service for $179. This price also includes a one-year subscription to Wordfence Premium:

wordfence malware removal service

Similarly, if you pay for Sucuri, you’ll get advanced monitoring as well as a malware removal service and hack repair. The cheapest tier is $199.99 per year and guarantees you a response within 12 hours. If you’re running a mission-critical site, higher tiers offer quicker response times.

And on the WordPress support/maintenance services front, some good options are:

  • Fix My Site – malware removal starts at $99.
  • FixMyWP – can restore your site to working functionality in a day. You’ll need to get a custom quote for pricing.
  • WP Fix It – prices start at $97 for same day removal service.
  • WP Security Lock – starting at $497, this one is significantly more expensive. But they have a good reputation.

Use A Security Plugin For WordPress Malware Removal

You can find a lot of free security plugins that scan your WordPress site for malware. But it’s a lot harder to find one that can actually clean your WordPress site of malware.

I already mentioned the WordPress malware removal services from Sucuri and Wordfence, but if you want a plugin that can actually remove malware for you, here are two good options. You will need to pay for both options, though. I’m not aware of any free plugin with quality malware removal.


Developed by Automattic and part of the Jetpack plan, VaultPress helps you back up, scan, and clean your site.

For suspicious files, VaultPress gives you an option to fix the issue with a single click. And for especially dangerous threats, VaultPress will automatically fix things and then shoot you an email with the details:


Article Continues Below

If you’re ok with manual issue resolution, you can stick with the $99/year Jetpack Premium plan. But if you want automatic fixes, you’ll need the $299/year Jetpack Professional plan.

Get VaultPress


MalCare is a malware monitoring and removal plugin from the same team behind BlogVault. There’s a free version listed at WordPress.org that can help you scan WordPress for malware:


But if you want one-click WordPress malware removal, you’ll need to pay for the premium version of MalCare, which starts at $99 per year for a single site.

For urgent needs, MalCare also offers an Emergency Malware Cleanup service for $249.

Get MalCare

Try To Remove WordPress Malware Yourself

If you’re not a developer or tech-savvy user, I don’t think you should try to manually clean a hacked WordPress site yourself. I consider myself pretty handy for a non-developer and even I wouldn’t feel confident cleaning things up without expert help.

So, as you probably guessed, I’m not going to give you step-by-step tutorial here.

What I will do, though, is link you to some great resources that can help out if you do feel comfortable handling things yourself.

Article Continues Below

Sucuri’s How to Clean a WordPress Hack is a great starting point. It takes you step-by-step through what you need to do. Similarly, Wordfence also has a very detailed guide on the subject.

And we also have an older guide on how to manually remove malware from WordPress.

Those three guides should be all you need to clean a hacked WordPress site yourself.

Restore Your Site From Backup (Then Secure It)

Sometimes “cleaning” your site means blowing it up and restoring from a clean backup. If you know that you have a clean backup, this is obviously a pretty easy way to fix a hacked WordPress site (remember, your backup might be infected depending on how long the issue has been around).

There’s one problem with this method, though:

It doesn’t do anything about the root issue. That is, your site is probably still vulnerable to the same issue that caused the malware in the first place.

So if you’re going to go with this approach, I don’t recommend just restoring your backup and calling it a day. You should also try to figure out how the malicious code entered your site in the first place to prevent it from happening in the future.

If you’re not a developer, I know that’s a tall order. So if you:

  • Can’t afford to pay an expert to diagnose the root issue
  • Still want to restore your site from back up

I recommend at least boosting your security after restoring your backup, maybe by using a free security plugin like Wordfence.

Wrap Up & Other Tips For WordPress Malware Removal

Beyond removing malware from your WordPress site itself, you should also make sure to run a thorough scan on your own system.

It’s possible that hackers got ahold of your WordPress site by getting your WordPress or FTP login credentials from your own computer, so make sure you don’t have any nasty malware on your computer that’s giving hackers the keys.

Combine your own computer scan with the WordPress malware removal options above and I hope you’re back to a working website in no time!

Stay informed on WordPress

Every Friday you’ll receive news, tutorials, reviews, and great deals from the WordPress space.

Invalid email address
Colin Newcomer is a freelance writer and long-time Internet marketer. He specializes in digital marketing, WordPress and B2B writing. He lives a life of danger, riding a scooter through the chaos of Hanoi. You can also follow his travel blog.