WordPress is the most common content management system (CMS) used for building websites in the world.
It’s also the most hacked one — according to Sucuri Security, 95% of malware attacks and infections take place on WordPress-based sites.
That’s why if you have a website based on this robust CMS, it’s time you pay attention to the security of your site and learn more about this topic.
And don’t worry, it’s not too difficult.
By the end of this tutorial, you’ll know everything about WordPress malware removal.
Let’s begin!
Frequently Asked Questions
Can WordPress Have Viruses?
Of course.
Like any computer software web applications like WordPress can also be infected with viruses.
In fact, they can also act as virus carriers, infecting the systems of their visitors.
There’s a reason why people are advised against clicking on spammy links.
How Do I Scan for Malware on WordPress?
Scanning for malware on WordPress can be done by installing a good malware scanning and security plugin.
Many of those plugins can also remove the file affected by malware.
What You’ll Need To Remove WordPress Malware
If you’re going to do it from your WordPress dashboard, all you need is a good malware removal plugin.
But if you’re going to do it manually, you need the following:
- An FTP account and its credentials
- FileZilla or any other FTP Client
- A code editor like Sublime, Atom, Notepad ++, etc.
- Login credentials for your hosting dashboard.
WordPress Malware Removal: Step-by-Step Instructions
Is Your WordPress Website Really Infected by Malware?
The answer to this question is pretty simple — you need to scan your site for malware using a Malware scanner to find out.
A number of options are available in the market for that, and all of them work in different ways.
There are site-level scanners that are installed on your server and scan every single file of your WordPress installation, and there are online scanners too which can crack major security threats being faced by your computer.
The difference between online and on-site scanners is that an on-site scanner can gauge the situation more accurately as it can access all the files of your WordPress installation.
Online scanners, on the other hand, can detect malware only if it’s interfering with the front-end user experience of your site.
Keeping this difference in mind, you can choose the right type of malware scanner for your website.
And once you choose it, perform a scan on your site to figure out if it’s infected with malware.
Malware Removal Plugins: When To Use Them
This depends on many factors:
- First, if your website has already been attacked by malware, then obviously you need a malware removal plugin to get rid of it.
- Second, the type of malware attack and the part of the website affected. Some malware programs attack your WordPress dashboard and make it inaccessible, so you can not remove the malware easily. If that’s the case, you won’t be able to install the malware removal plugin and would have to rely on other methods to remove the malware and access your dashboard first.
- Third, if you want other security features along with malware protection. Many of the malware removal plugins are among the best security plugins that offer firewall protection, login protection, and anti-spam solution for WordPress along with many other features.
In short, if condition #1 or #3 is true for your website, you need to use a malware removal plugin.
But if condition #2 is true, then you need to look for other methods explained below.
Best WordPress Malware Removal Plugins
There are many malware removal plugins available in the market that can detect and remove malware from your WordPress site.
The three most popular ones among them include:
- WordFence Security
- Sucuri Security
- All-In-One WP Security and Firewall
All three of them are not only malware removal plugins but total security solutions for your WordPress website.
Once you install them on your site, they scan your site for potential security threats (including malware) and if any of them are found, they either fix them on the spot or alert you against them.
Removing WordPress Malware Manually
Implementing these steps requires at least an intermediate level of technical expertise and skill in handling WordPress files.
This method is more complex than using a plugin to remove the malware, but in some cases, only this method can remove the malware from your site.
If you’re not comfortable playing with server files and code, we’d recommend you hire malware removal experts to perform these actions.
Or else, you can also hire a WordPress maintenance service.
But if you’re confident you can do it on your own, let’s see how it works:
Step 1. Prepare Your Site
Before removing malware from your WordPress site, restrict access to your site so it doesn’t keep redirecting your visitors to malicious links.
You can do this by editing the .htaccess file of your WordPress installation either through your hosting dashboard’s File Manager or an FTP client like FileZilla, WinSCP, etc.
For this tutorial, we’re going to do it using the FileZilla FTP client.
Connect to your site through FileZilla by following the procedure outlined in this guide.
Once you’re connected, navigate to the“public_html” directory and scroll down until you find your .htaccess file.
Now download the file to your computer, open it using Notepad and add this code snippet to the .htaccess file to block all incoming traffic except yours:
order allow, deny
deny from all
allow from [your_IP_address]
Now save the file and upload it back to your WordPress folder.
Your website will now become inaccessible to all other people.
Also, you too should try using a secure browser to access your hacked website.
You never know how it can affect your browser and computer.
Step 2. Reinstall WordPress
Since malware infects the core files of your WordPress installation, you need to replace the WordPress core files to make it go away.
So navigate to the “wp-content” folder within your root directory and download it by dragging and dropping it inside a folder or drive on the left side (i.e. local site).
Now log in to your hosting dashboard (i.e. cPanel) and search for “Auto Installer”.
Once you’ve found the installer, launch it and choose WordPress.
Provide additional details to set up your site (i.e. site name, tagline, email address, username, password, etc.) and hit the “Install” button.
Let the installer do its job, and wait while you get a fresh WordPress installation on your site.
Once the process is complete, go back to your FTP client and refresh the directory list.
Now upload the “wp-content” folder that you downloaded before installing this fresh version of WordPress.
This will allow you to launch your new website without losing any content.
Step 3. Check if your website got rid of malware or not
In most cases, a fresh WordPress install can rid a website of malware.
The website should be working fine now, and even if not then at least the WordPress dashboard should be accessible so you can install a Malware removal plugin to do the rest of the job.
But if your issue still persists without any improvement, follow the steps given below.
Step 4. Remove any PHP/JavaScript Files from Uploads
If your website is giving you issues even after a fresh WordPress installation, then it means that the malware exists in your “wp-content” folder too.
Open the folder using FileZilla and see if there are any PHP or JS files in your Uploads folder, because there’s no use of a PHP or JS file in that folder.
If you find any such files, remove them.
Step 5. Check Your SQL Database
Like WordPress files and content, your database can also be infected by malware.
So after doing a clean WordPress install and scanning your content for possible malicious code, now it’s time to look into your database.
Log in to your hosting cPanel and navigate to phpMyAdmin.
From there, download a backup of your database (.SQL file) to your computer.
Open the .SQL file you just downloaded using a text editor made for coders (i.e. Sublime, Atom, etc.) and search for malicious code.
If it flags any of the entries, don’t delete them from the database.
Instead, just note them down.
Step 7. Remove malicious code from posts and pages
Now login to your WordPress dashboard and start searching your pages and posts for malicious content using the WordPress editor.
You have to look into those locations that were flagged in the previous step.
Once you find any malicious code in those locations, remove it.
Also, reformat the content whenever and wherever needed also.
Step 8. Test your site
Finally, it’s time to test your site now.
By now it will definitely be free from malware and accessible to everyone.
Pro Tip: Choose a managed WordPress host if you want to avoid doing this tedious procedure again in your life.
Similar Tutorials To Check Out
- How to Check If Your Website Is Safe: There are many threats that may affect the security of a WordPress website. This tutorial explains how to analyze all of them and make sure that your site is safe.
- How to Secure a WordPress Site: Analyzing the threats is one thing, and fixing them is another. This tutorial talks about all the steps you can take to secure your WordPress site secure from all sorts of threats.
- How to Optimize WordPress Performance: Finally, this tutorial can help you optimize the performance of your WordPress website and make it load faster. Websites that load fast are loved by both users and search engines, so this is an important thing to learn.
Wrapping Up
Security threats like Malware can destroy not just your WordPress website but also the reputation of your business overnight.
That’s why it’s important to learn how to remove them.
We hope we did a fair job in explaining the whole process of doing the same.
What do you think about this subject (and also about the methods that we explained to deal with it)?
Share your feedback in the comments.
And if this tutorial helped you share it on your social media profiles because that’s one of the best things you can do for us. 🙂