
WordPress malware removal: a real guide for 2026

By Ali Yasin Jatoi | 9 min read | Updated June 25, 2026

Quick answer

To remove malware from WordPress, take the site offline or to maintenance mode, take a full backup of files and database, scan with a reputable tool (Wordfence, Sucuri, or MalCare), compare every core, plugin, and theme file against a known good copy, remove or replace anything modified, change every password including database and FTP, rotate salts in wp-config.php, then harden the site so it does not get reinfected. Most sites are clean within a few hours when an experienced engineer runs the process. DIY removal works for simple infections but often misses backdoors.

How to tell if your WordPress site has malware

Google or your browser warns visitors about the site.

Search results show pharma, gambling, or Japanese spam pages for your site that you did not publish.

Visitors get redirected to spammy sites, usually only on mobile or from search.

Your host suspends the site or sends an abuse notice.

wp-admin shows new admin users you did not create.

Files you did not edit have recent modification dates.

The removal process, step by step

1. Take a full backup of files and database before touching anything. You will need it if removal goes wrong.

2. Put the site in maintenance mode or take it offline so visitors do not keep getting infected.

3. Run two scanners (Wordfence and Sucuri or MalCare). Different scanners catch different infections.

4. Replace WordPress core, every plugin, and the active theme with clean copies from wordpress.org or the original developer. Do not trust the files on the server.

5. Inspect wp-content/uploads for PHP files that should not be there. Uploads should be media, never code.

6. Inspect the database for injected admin users, suspicious options entries, and base64-encoded strings.

7. Change every password: WordPress admin, hosting, SFTP, database, and any plugin licenses.

8. Rotate the salts in wp-config.php to invalidate every session.

9. Re-scan after cleanup. A clean second scan means the visible infection is gone.
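The file-side checks behind steps 4, 5, 6 and 8, as an added shell example that is not code from the article. It compares a live docroot against a clean reference copy (clean core from wordpress.org plus the same plugin and theme versions, so anything left over is suspect), lists PHP files sitting in wp-content/uploads, flags PHP that calls eval() on a decoded or inflated string, and rewrites the eight salt lines in wp-config.php. The database side of step 6 (users and options) is done with SQL and is not covered here. Every path and file content in the demo fixture is constructed; point the functions at real directories to use them for real. A few legitimate plugins match the obfuscation pattern, so treat hits as items to review, not to delete blindly, and check ownership of wp-config.php afterwards, since the rewrite replaces the file.

```shell
#!/bin/sh
# Added example (not code from the article): the file-side checks behind
# steps 4, 5, 6 and 8. It compares a live docroot against a clean reference
# copy, lists PHP dropped into wp-content/uploads, flags PHP that eval()s
# decoded strings, and rotates the salts in wp-config.php. All paths and file
# contents are constructed for the demo at the bottom.

# Emit "relative-path<TAB>sha256" for every regular file under $1, sorted for comm.
# wp-config.php and wp-content/uploads are skipped here: neither exists in a
# clean wordpress.org copy, and both get their own check below.
manifest() {
  (cd "$1" && find . -path ./wp-content/uploads -prune -o -type f ! -name wp-config.php -print |
    while IFS= read -r f; do
      printf '%s\t%s\n' "${f#./}" "$(sha256sum "$f" | cut -d' ' -f1)"
    done) | LC_ALL=C sort
}

# Step 4: files in the live site ($2) whose content differs from, or which do
# not exist in, the clean reference ($1). The reference should hold clean core
# plus the same plugin and theme versions, so anything left over is suspect.
changed_or_extra() {
  tmp=$(mktemp -d)
  manifest "$1" > "$tmp/clean"
  manifest "$2" > "$tmp/site"
  LC_ALL=C comm -13 "$tmp/clean" "$tmp/site" | cut -f1
  rm -rf "$tmp"
}

# Step 5: code files in a directory that should only ever hold media.
php_in_uploads() {
  find "$1/wp-content/uploads" -type f \( -iname '*.php' -o -iname '*.phtml' -o -iname '*.php[0-9]' \) -print 2>/dev/null
}

# Step 6, file side: PHP that executes a decoded or inflated string, the usual
# shape of an injected payload. A few legitimate plugins match too; review hits.
obfuscation_hits() {
  find "$1" -type f -name '*.php' -exec grep -lE \
    'eval[[:space:]]*\([[:space:]]*(base64_decode|gzinflate|gzuncompress|str_rot13)' {} + 2>/dev/null
}

# Step 8: rewrite the eight define( 'KEY', '...' ) lines in $1 with fresh
# 64-character random values. The character set avoids quote, backslash,
# slash and ampersand so the value is safe both in PHP and in sed's replacement.
rotate_salts() {
  cfg=$1
  for key in AUTH_KEY SECURE_AUTH_KEY LOGGED_IN_KEY NONCE_KEY AUTH_SALT SECURE_AUTH_SALT LOGGED_IN_SALT NONCE_SALT; do
    new=$(LC_ALL=C tr -dc 'A-Za-z0-9_@#%*+=' < /dev/urandom | head -c 64)
    sed "s/^define( *'$key', *'[^']*' *);/define( '$key', '$new' );/" "$cfg" > "$cfg.tmp" && mv "$cfg.tmp" "$cfg"
  done
}

# Constructed fixture: a one-file "clean" core, and a "site" with that file
# modified, an extra file beside it, a PHP file among the uploads and a stock wp-config.php.
build_demo() {
  base=$1
  mkdir -p "$base/clean/wp-includes" "$base/site/wp-includes" "$base/site/wp-content/uploads/2026/06"
  printf '<?php\n// constructed stand-in for a core file\nfunction wp_demo() { return 1; }\n' > "$base/clean/wp-includes/functions.php"
  cp "$base/clean/wp-includes/functions.php" "$base/site/wp-includes/functions.php"
  # injected line appended to the core file; the encoded string is just the word "placeholder"
  printf "eval(base64_decode('cGxhY2Vob2xkZXI='));\n" >> "$base/site/wp-includes/functions.php"
  printf '<?php // constructed: not present in the clean copy\n' > "$base/site/wp-includes/unexpected-file.php"
  printf '<?php // constructed: code where only media belongs\n' > "$base/site/wp-content/uploads/2026/06/image.php"
  printf 'not code\n' > "$base/site/wp-content/uploads/2026/06/photo.jpg"
  {
    printf "<?php\ndefine( 'DB_NAME', 'demo_db' );\n"
    for key in AUTH_KEY SECURE_AUTH_KEY LOGGED_IN_KEY NONCE_KEY AUTH_SALT SECURE_AUTH_SALT LOGGED_IN_SALT NONCE_SALT; do
      printf "define( '%s', 'put your unique phrase here' );\n" "$key"
    done
  } > "$base/site/wp-config.php"
}

demo=$(mktemp -d)
build_demo "$demo"
echo "== step 4: modified or added vs clean copy =="; changed_or_extra "$demo/clean" "$demo/site"
echo "== step 5: PHP in uploads ==";                  php_in_uploads "$demo/site"
echo "== step 6: eval() of decoded strings ==";       obfuscation_hits "$demo/site"
rotate_salts "$demo/site/wp-config.php"
echo "== step 8: wp-config.php defines after rotation =="; grep "^define( '[A-Z_]*'" "$demo/site/wp-config.php"
rm -rf "$demo"
```

On the demo fixture the step 4 check reports wp-includes/functions.php (modified) and wp-includes/unexpected-file.php (not in the clean copy), step 5 reports the image.php under uploads, step 6 reports functions.php, and after step 8 none of the eight salt lines still carries the stock placeholder value. Run the triage before rotating salts and replacing files, so the modified-file list is captured as evidence for the incident record.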

Harden the site so it does not come back

Update to the latest WordPress, PHP, and database versions.

Remove every plugin and theme you are not actively using.

Install a security plugin with a web application firewall and brute-force protection.

Lock down wp-admin behind two-factor authentication for every user.

Move from shared hosting to a managed WordPress host with isolation between sites.

Set up monitoring that alerts you the moment a new file appears on the server.
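The last item, monitoring for new files, as an added shell example that is not the article's code and not a substitute for a security plugin's scanner. It takes a baseline manifest of content hashes on a known-clean site and, on each later run, reports every file that is new, changed or removed since then. Hashes are used rather than modification times because a timestamp is trivially reset while a hash is not, which is also why the "recent modification dates" symptom above is only a hint. The baseline should live outside the docroot and preferably off the server, since anyone who can write to the site could otherwise rewrite the baseline too. The paths /var/www/example and /var/lib/wpmon in the comments are placeholders, and the demo docroot is constructed.

```shell
#!/bin/sh
# Added example (not the article's code): the "alert when a new file appears"
# item from the hardening list, as a baseline-and-compare pair you can run
# from cron. Content hashes are used rather than modification times, because a
# timestamp is trivially reset while a hash is not. Keep the baseline outside
# the docroot (ideally off the server): anyone who can write to the site could
# otherwise rewrite the baseline too. Paths below are placeholders.

# Record "relative-path<TAB>sha256" for every regular file under $1.
snapshot() {
  (cd "$1" && find . -type f -exec sha256sum {} +) |
    awk '{ h = $1; sub(/^[^ ]+  \.\//, ""); print $0 "\t" h }' | LC_ALL=C sort
}

# Compare baseline manifest $1 with current manifest $2. One line per
# difference, tagged NEW, CHANGED or REMOVED; empty output means no change.
# The guard on FILENAME keeps an empty baseline from being mistaken for the
# current manifest (a classic awk two-file pitfall).
compare() {
  awk -F'\t' '
    NR == FNR && FILENAME == ARGV[1] { base[$1] = $2; next }
    { seen[$1] = 1 }
    !($1 in base)   { print "NEW\t" $1; next }
    base[$1] != $2  { print "CHANGED\t" $1 }
    END { for (p in base) if (!(p in seen)) print "REMOVED\t" p }
  ' "$1" "$2" | LC_ALL=C sort
}

# Intended use (placeholder paths):
#   snapshot /var/www/example > /var/lib/wpmon/baseline        # once, on a known-clean site
#   snapshot /var/www/example > /tmp/current
#   compare /var/lib/wpmon/baseline /tmp/current                # non-empty output = alert

# Constructed demo: baseline a tiny docroot, then simulate a dropped file,
# a modified core file and a removed plugin file.
build_demo() {
  mkdir -p "$1/wp-includes" "$1/wp-content/uploads"
  printf '<?php // constructed core file\n'   > "$1/wp-includes/functions.php"
  printf '<?php // constructed plugin file\n' > "$1/wp-content/old-plugin.php"
  printf 'image bytes\n'                      > "$1/wp-content/uploads/photo.jpg"
}
mutate_demo() {
  printf 'extra line\n' >> "$1/wp-includes/functions.php"                           # CHANGED
  printf '<?php // constructed dropped file\n' > "$1/wp-content/uploads/dropped.php"  # NEW
  rm "$1/wp-content/old-plugin.php"                                                 # REMOVED
}

demo=$(mktemp -d)
build_demo "$demo/site"
snapshot "$demo/site" > "$demo/baseline"
mutate_demo "$demo/site"
snapshot "$demo/site" > "$demo/current"
compare "$demo/baseline" "$demo/current"
rm -rf "$demo"
```

On the demo the compare step prints exactly three lines: NEW for the PHP file dropped into uploads, CHANGED for the core file that gained a line, and REMOVED for the deleted plugin file. Refresh the baseline deliberately after each legitimate update, so that a plugin or core update is the only thing that ever produces a long list.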

When to call a professional

If the infection is deep enough that you cannot identify clean core files.

If the host has suspended the site and demands a clean scan to lift the suspension.

If you cannot find the backdoor and the infection keeps returning after cleanup.

If the site is a store and downtime is costing real money by the hour.

Common questions

Can I remove WordPress malware myself for free?

Sometimes. Simple infections caught early can be cleaned by replacing core, plugins, theme, and rotating credentials. The risk with DIY is missing a backdoor and getting reinfected within days.

How much does WordPress malware removal cost?

Professional one-off cleanup is usually 150 to 500 dollars depending on size and depth. A maintenance plan with monitoring and unlimited cleanup is often cheaper over a year.

Will malware removal cause me to lose posts or orders?

Done correctly, no. The database stays intact. The cleanup touches files and credentials, not content. A full backup before cleanup means even a mistake is recoverable.

How long does it take to clean an infected WordPress site?

Most sites are clean within 2 to 6 hours of focused work. Complex or deeply nested infections take longer. A second pass within a week confirms nothing came back.


Want this handled for you?

Book a call and we will review your site before recommending anything.
