How to Remove Malware from WordPress

Here are the steps to remove Malware that keeps infecting your WordPress website once and for all!

  1. Backup your website

    backup points

    If you make a mistake, your website is gone forever. So back it up somewhere safe! If your hosting does not offer an automated backup setting, download your website locally to your computer. Don’t worry; the Malware will not harm your computer. Compress the folder after downloading just to be safe.

  2. Download WordPress

    download wordpress

    Download a fresh copy of WordPress.ORG: official site. This new copy will be used to overwrite the infected code on your website.

  3. Eliminating the Malware

    eliminate malware

    Login to your website via FTP or cPanel’s File Manager. Delete everything EXCEPT for the wp-content folder and the wp-config.php file. I repeat: DO NOT, by any circumstances, delete wp-content or wp-config!

    Wp-content is where your website stores all of its digital assets: media (photos), plugins, and themes. Wp-config.php is the credentials to the database of your website.

    This step will break your website installation, but that is ok because it is redirecting for showing a hacked version you don’t want clients and customers to see. It’s better they see a 404 page than abusive content.

  4. Identify out-of-place Files and Folders

    Malware Example

    Check the files and folders for random/odd-looking files or code.

    Odd-looking code is a string of generated letters and numbers used for a file’s name or injected into the file’s head.

    WordPress salts/passwords are ok to have a string of letters and numbers for a password. When in doubt, check the clean copy of the WordPress installation files you downloaded.

    Remove back doors

    Check wp-config.php for random code injected into the file.

  5. Remove infected Plugins

    plugins

    Delete and upload a fresh copy of your plugins.

  6. Remove infected Themes

    themes

    Remove any themes you aren’t currently using. Be careful that you don’t permanently remove any parent themes used by children themes.

    If you have a clean copy of your theme, please upload it, overwriting the infected copy.

  7. Upload a clean version of WordPress

    wordpress files

    Upload everything in the fresh WordPress download except for wp-content (this is the file you downloaded in step 2). I repeat: DO NOT replace/overwrite the wp-content folder. I usually delete the wp-content folder from my computer, so I don’t accidentally upload it to the server.

  8. Remove the .htaccess file

    htaccess

    Delete the htaccess file and resave your permalinks (unless it looks clean). If you don’t see the file in your directory, ensure you have “view invisible files” turned on in your FTP client.

  9. Change Passwords + Remove Unrecognized Users.

    wp users

    Change the passwords for your users. Removing any users, you do not recognize.

  10. Check file permissions

    file permissions

    The most critical step. Folders need to be set to 755, Files 644, wp-config.php 600, .htaccess 600.

    If your files are set to 777, hackers can easily access your website.

    If you understand SSH, you can use the settings below to automate the process of updating your folder permissions. Update the commands based on your server file structure.

  11. Install a Security Plugin

    WP Security Plugin

    Add a security plugin to your WordPress website, select the option to harden the WordPress settings.

  12. Re-Check in a day or two

    How-to: Remove Malware from WordPress

    After 24-48 hours have passed, check your WordPress file structure for odd-ducks. Anything other than these files and those files could be Malware getting back into your website from an unfixed vulnerability.

    wp-admin
    wp-content
    wp-includes
    index.php
    license.txt
    readme.html
    wp-activate.php
    wp-blog-header.php
    wp-comments-post.php
    wp-config.php
    wp-config-sample.php
    wp-cron.php
    wp-links-opml.php
    wp-load.php
    wp-login.php
    wp-mail.php
    wp-settings.php
    wp-signup.php
    wp-trackback.php
    xmlrpc.php

If you are still unable to stop hackers, please message us for assistance on how we can assist with Risk management services.


Published on: 2021-03-12
Updated on: 2021-09-03

Avatar for Isaac Adams-Hands

Isaac Adams-Hands

Isaac Adams-Hands is SEO Director with SEO North, where he helps the team plan marketing goals that are keyword-optimized and measurable for over 30 clients simultaneously. He has worked at Microsoft, The institute of chartered accountants in Australia, Auto Trader, Le Cordon Bleu, and Algonquin College in various Digital Marketing Roles. Isaac is qualified as a Full-stack developer, Server Administrator, and Cyber Security expert, adding additional experience to his Search Engine Optimization knowledge. His Inuit heritage brought him to the Arctic to hunt and fish for most summers, which grew his passion for 4-wheelers and dirtbikes.