Here are the steps to remove Malware that keeps infecting your WordPress website once and for all!
Backup your website
If you make a mistake, your website is gone forever. So back it up somewhere safe! If your hosting does not offer an automated backup setting, download your website locally to your computer. Don’t worry; the Malware will not harm your computer. Compress the folder after downloading just to be safe.
Download WordPress
Download a fresh copy of WordPress from the official site, WordPress.org. This new copy will be used to overwrite the infected code on your website.
Eliminating the Malware
Log in to your website via FTP or cPanel’s File Manager. Delete everything EXCEPT for the wp-content folder and the wp-config.php file. I repeat: DO NOT, under any circumstances, delete wp-content or wp-config.php!
The wp-content folder is where your website stores all of its digital assets: media (photos), plugins, and themes. The wp-config.php file holds the credentials to your website’s database.
This step will break your website installation, but that is ok because the site is currently redirecting or showing a hacked version you don’t want clients and customers to see. It’s better they see a 404 page than abusive content.
Identify out-of-place Files and Folders
Check the files and folders for random/odd-looking files or code.
Odd-looking code is a string of generated letters and numbers used for a file’s name or injected into the file’s head.
It is normal for WordPress salts and passwords to be a string of letters and numbers. When in doubt, check the clean copy of the WordPress installation files you downloaded.
Remove back doors
Check wp-config.php for random code injected into the file.
Remove infected Plugins
Delete your plugins and upload fresh copies of them.
Remove infected Themes
Remove any themes you aren’t currently using. Be careful that you don’t permanently remove any parent themes used by child themes.
If you have a clean copy of your theme, please upload it, overwriting the infected copy.
Upload a clean version of WordPress
Upload everything in the fresh WordPress download (the copy you downloaded in step 2) except for wp-content. I repeat: DO NOT replace/overwrite the wp-content folder. I usually delete the wp-content folder from the fresh download on my computer, so I don’t accidentally upload it to the server.
Remove the .htaccess file
Unless it looks clean, delete the .htaccess file and resave your permalinks. If you don’t see the file in your directory, ensure you have “view invisible files” turned on in your FTP client.
Change Passwords + Remove Unrecognized Users
Change the passwords for your users. Remove any users you do not recognize.
Check file permissions
The most critical step. Folders need to be set to 755, Files 644, wp-config.php 600, .htaccess 600.
If your files are set to 777, hackers can easily access your website.
If you understand SSH, you can use the settings below to automate the process of updating your folder permissions. Update the commands based on your server file structure.
Install a Security Plugin
Add a security plugin to your WordPress website and select the option to harden the WordPress settings.
Re-Check in a day or two
After 24-48 hours have passed, check your WordPress file structure for odd-ducks. Anything other than the files and folders listed below could be Malware getting back into your website through an unfixed vulnerability.
wp-admin
wp-content
wp-includes
index.php
license.txt
readme.html
wp-activate.php
wp-blog-header.php
wp-comments-post.php
wp-config.php
wp-config-sample.php
wp-cron.php
wp-links-opml.php
wp-load.php
wp-login.php
wp-mail.php
wp-settings.php
wp-signup.php
wp-trackback.php
xmlrpc.php
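The file-permission step and the re-check above can both be scripted over SSH. The script below is an added example, not part of the original article: it reports top-level entries that are not on the list above and paths whose mode differs from 755/644/600, and only changes permissions when asked to. The script name, the `fix` argument and the treatment of .htaccess as an expected entry are assumptions.

```shell
#!/bin/sh
# Added example: audit a WordPress root against this page's checklist.
# Usage: sh wp_audit.sh /path/to/wordpress [fix]   (script name and path are assumptions)

# Top-level entries listed on this page, plus .htaccess, which WordPress
# recreates when permalinks are resaved.
EXPECTED="wp-admin wp-content wp-includes index.php license.txt readme.html
wp-activate.php wp-blog-header.php wp-comments-post.php wp-config.php
wp-config-sample.php wp-cron.php wp-links-opml.php wp-load.php wp-login.php
wp-mail.php wp-settings.php wp-signup.php wp-trackback.php xmlrpc.php .htaccess"

is_expected() {
    for e in $EXPECTED; do
        [ "$e" = "$1" ] && return 0
    done
    return 1
}

# Print each top-level entry, hidden ones included, that is not on the list.
unexpected_entries() {
    for path in "$1"/* "$1"/.[!.]* "$1"/..?*; do
        [ -e "$path" ] || [ -L "$path" ] || continue   # skip unmatched globs
        is_expected "${path##*/}" || echo "${path##*/}"
    done
}

# Print paths whose mode differs from the page's targets:
# directories 755, files 644, wp-config.php and .htaccess 600.
wrong_permissions() {
    find "$1" -type d ! -perm 755 -print
    find "$1" -type f ! -name wp-config.php ! -name .htaccess ! -perm 644 -print
    find "$1" -type f \( -name wp-config.php -o -name .htaccess \) ! -perm 600 -print
}

# Apply those modes. This changes the server, so read the audit output first.
fix_permissions() {
    find "$1" -type d -exec chmod 755 {} +
    find "$1" -type f -exec chmod 644 {} +
    find "$1" -type f \( -name wp-config.php -o -name .htaccess \) -exec chmod 600 {} +
}

if [ "$#" -ge 1 ]; then
    echo "== Unexpected top-level entries =="; unexpected_entries "$1"
    echo "== Wrong permissions ==";           wrong_permissions "$1"
    if [ "${2:-}" = "fix" ]; then fix_permissions "$1"; fi
fi
```

An unexpected entry is a prompt to compare against the clean WordPress download, not proof of infection; some hosts add their own files to the web root.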
If you are still unable to stop hackers, please message us to find out how we can assist with Risk management services.
Published on: 2021-03-12
Updated on: 2022-05-31