Author: pneqo

  • How to Remove Malware from WordPress: The Ultimate Recovery Guide (2026)


    Seeing your WordPress site redirect to a spammy domain or finding a “Deceptive Site Ahead” warning from Google is a website owner’s worst nightmare. If you are reading this, you are likely in panic mode.

    Don’t panic.

    WordPress sites get hacked every day, and they can be cleaned. This guide will walk you through the exact steps to identify the infection, remove the malware, and secure your site so it doesn’t happen again. Whether you want to use a quick plugin or manually deep-clean your server, we have you covered.


    Step 0: Confirm the Infection (Are You Actually Hacked?)

    Before you start deleting files, confirm the hack. Malware often hides, but the symptoms are usually visible if you know where to look.

    Common Signs of Infection:

    • The “Red Screen of Death”: Google displays a warning that your site is deceptive or contains malware.
    • Strange Redirects: Visitors are sent to gambling, pharma, or adult websites.
    • New Admin Users: You see users you didn’t create (often named things like wp_update or admin_user).
    • Sluggish Performance: Your server resources are maxed out because the malware is mining crypto or sending spam emails.

    Tools to Check:

    1. Sucuri SiteCheck: Enter your URL to see if your site is blacklisted.
    2. Google Search Console: Check the “Security Issues” tab for official flags from Google.

    Step 1: Prepare Your Site (Do Not Skip This)

    Never try to clean a live site without a safety net.

    1. Put Your Site in Maintenance Mode: Use a plugin or a .maintenance file to prevent visitors from getting infected while you work.
    2. Back Up Everything: It sounds counter-intuitive to back up an infected site, but if you accidentally delete a critical core file during cleanup, you will need a restore point. Label this backup “INFECTED_BACKUP” so you don’t use it by mistake later.

    Method 1: The Automatic Way (Best for Beginners)

    If you aren’t comfortable editing PHP files or using FTP, this is your best route. Several security plugins can scan and auto-clean infections.

    Top Plugins for Removal:

    • Wordfence Security: The free version is excellent for finding backdoors. The scanner compares your core files against the official WordPress repository.
    • MalCare: Known for its “one-click” removal feature. It runs on its own servers, so it won’t slow down your already struggling site.
    • Jetpack Scan: Great for automated daily scanning and one-click fixes, especially if you already use Jetpack.

    The Process:

    1. Install the security plugin.
    2. Run a “High Sensitivity” or “Deep” scan.
    3. Review the list of infected files.
    4. Click “Repair” or “Delete” (Delete only if it’s a file you don’t recognize; Repair if it’s a core file).

    Method 2: The Manual “Deep Clean” (Best for Complete Removal)

    Plugins sometimes miss “Ghost” files or deep database injections. If you want to be 100% sure the malware is gone, follow this manual procedure. You will need FTP or cPanel File Manager access.

    1. Reinstall WordPress Core

    Malware often hides in wp-includes and wp-admin.

    • Download a fresh copy of WordPress from WordPress.org.
    • Connect to your server via FTP.
    • Delete the wp-admin and wp-includes folders entirely.
    • Upload the fresh copies of wp-admin and wp-includes from your download.
    • Note: Do NOT delete the wp-content folder or wp-config.php file yet.

    2. Clean wp-config.php and .htaccess

    Hackers love these files.

    • Open wp-config.php. Look for strange strings of code that look like random characters (e.g., eval(base64_decode...)).
    • Compare it to the default wp-config-sample.php file.
    • Check your .htaccess file. If you see redirect rules sending traffic to unknown domains, delete them and regenerate the file by saving your Permalinks settings in the dashboard.

    3. Audit the wp-content Folder

    You cannot delete this folder, but you must inspect it.

    • Themes: Open wp-content/themes. If you have inactive themes, delete them. For your active theme, compare the files against a fresh download from the theme developer.
    • Plugins: The safest method is to document your active plugins, delete the wp-content/plugins folder, and reinstall fresh copies of every plugin.
    • Uploads: Look inside wp-content/uploads. This folder should only contain images/media. If you see PHP files (e.g., image.php, test.php) inside your uploads folder, delete them immediately.
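The file checks from sections 2 and 3 above can be run in one pass over a downloaded copy of the site. The script below is an added example, not code from the original guide: it flags PHP files under wp-content/uploads, PHP files containing the eval(base64_decode pattern, and .htaccess rules that point at a host you do not own. The function names, the `own_hosts` parameter, and the sample tree are assumptions made for illustration.

```python
import re
import tempfile
from pathlib import Path

# Indicators named in the guide: eval(base64_decode(...)) in PHP source, PHP files
# under uploads, and .htaccess rules that send traffic to an absolute URL.
OBFUSCATED = re.compile(rb"eval\s*\(\s*base64_decode\s*\(", re.I)
EXT_REDIRECT = re.compile(r"^\s*(?:RewriteRule|Redirect(?:Match)?)\b.*\bhttps?://([^/\s]+)", re.I)
PHP_EXT = {".php", ".phtml", ".php5", ".phar"}

def audit(root, own_hosts=()):
    """Return sorted (finding, relative_path, detail) tuples for a WordPress tree."""
    root = Path(root)
    findings = []
    for path in root.rglob("*"):
        if not path.is_file():
            continue
        rel = path.relative_to(root).as_posix()
        is_php = path.suffix.lower() in PHP_EXT
        if is_php and rel.startswith("wp-content/uploads/"):
            findings.append(("php-in-uploads", rel, ""))
        if is_php and OBFUSCATED.search(path.read_bytes()):
            findings.append(("eval-base64", rel, ""))
        if path.name == ".htaccess":
            for n, line in enumerate(path.read_text(errors="replace").splitlines(), 1):
                m = EXT_REDIRECT.match(line)
                if m and m.group(1).lower() not in own_hosts:
                    findings.append(("external-redirect", rel, f"line {n}: {m.group(1)}"))
    return sorted(findings)

def build_sample_tree(root):
    """Constructed sample data: a tiny site copy with three planted problems."""
    files = {
        "wp-config.php": "<?php\ndefine('DB_NAME', 'wp');\n@eval(base64_decode('ZWNobyAxOw=='));\n",
        "wp-content/uploads/2026/01/image.php": "<?php echo 1;\n",
        "wp-content/uploads/2026/01/photo.jpg": "not really a jpeg",
        "wp-content/themes/mytheme/functions.php": "<?php // clean\n",
        ".htaccess": "RewriteEngine On\nRewriteRule ^index\\.php$ - [L]\n"
                     "RewriteRule ^(.*)$ http://spam.example/$1 [R=302,L]\n",
    }
    for rel, body in files.items():
        p = Path(root) / rel
        p.parent.mkdir(parents=True, exist_ok=True)
        p.write_text(body)

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_tree(tmp)
        for finding in audit(tmp, own_hosts={"example.com"}):
            print(*finding, sep="\t")
```

A clean result does not prove the site is clean: the script only looks for the specific patterns this guide names, so treat each hit as a file to open and review.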

    4. Clean the Database

    Access phpMyAdmin from your hosting dashboard.

    • Look for the wp_users table. Delete any admin accounts you don’t recognize.
    • Search the wp_options table for “spammy” keywords (pharmaceutical terms, payday loans, etc.) to see if they have injected links into your site header/footer.
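The two database checks above, written as queries (an added example, not part of the original guide). It goes one step beyond the text: wp_users has no role column, so the query reads the role from the `wp_capabilities` row in wp_usermeta. The default `wp_` table prefix, the helper names, and the sample rows are assumptions; an in-memory SQLite database stands in for the site's MySQL database so the example runs offline.

```python
import sqlite3

# The SQL is plain enough to paste into phpMyAdmin; sqlite3 only hosts it here.
ADMINS_SQL = """
SELECT u.ID, u.user_login, u.user_registered
FROM wp_users u JOIN wp_usermeta m ON m.user_id = u.ID
WHERE m.meta_key = 'wp_capabilities' AND m.meta_value LIKE '%"administrator"%'
ORDER BY u.ID
"""
OPTIONS_SQL = "SELECT option_name FROM wp_options WHERE LOWER(option_value) LIKE ? ORDER BY option_name"

def unknown_admins(db, known_logins):
    """Administrator accounts whose login is not on the owner's known list."""
    return [row for row in db.execute(ADMINS_SQL) if row[1] not in known_logins]

def options_mentioning(db, keywords):
    """Map each keyword to the wp_options rows whose value contains it."""
    hits = {}
    for kw in keywords:
        names = [r[0] for r in db.execute(OPTIONS_SQL, (f"%{kw.lower()}%",))]
        if names:
            hits[kw] = names
    return hits

def build_sample_db():
    """Constructed sample data using the default wp_ table prefix."""
    db = sqlite3.connect(":memory:")
    db.executescript("""
    CREATE TABLE wp_users (ID INTEGER PRIMARY KEY, user_login TEXT, user_registered TEXT);
    CREATE TABLE wp_usermeta (user_id INTEGER, meta_key TEXT, meta_value TEXT);
    CREATE TABLE wp_options (option_name TEXT, option_value TEXT);
    INSERT INTO wp_users VALUES (1, 'siteowner', '2023-04-02 10:00:00'),
                                (2, 'editor_jane', '2024-01-15 09:30:00'),
                                (7, 'wp_update', '2026-01-20 03:14:00');
    INSERT INTO wp_usermeta VALUES (1, 'wp_capabilities', 'a:1:{s:13:"administrator";b:1;}'),
                                   (2, 'wp_capabilities', 'a:1:{s:6:"editor";b:1;}'),
                                   (7, 'wp_capabilities', 'a:1:{s:13:"administrator";b:1;}');
    INSERT INTO wp_options VALUES ('blogname', 'My Site'),
        ('widget_text', '<a href="http://spam.example/">Cheap Payday Loans</a>');
    """)
    return db

if __name__ == "__main__":
    db = build_sample_db()
    print(unknown_admins(db, {"siteowner"}))
    print(options_mentioning(db, ["payday", "viagra"]))
```

If the site uses a custom table prefix, both the table names and the `wp_capabilities` meta key change with it.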

    Step 3: Post-Cleanup Security (Locking the Door)

    Once the malware is gone, you must close the hole they used to get in.

    1. Reset All Passwords: Change the password for every user, FTP account, and your hosting control panel.
    2. Update Salts: Go to the WordPress Salt Generator, copy the new keys, and paste them into your wp-config.php file. This forces a logout for all logged-in users (including the hacker).
    3. Update Everything: Ensure WordPress core, themes, and plugins are on the latest versions.
    4. Request a Review: If Google blacklisted you, go to Search Console, navigate to Security & Manual Actions, and request a review. Tell them you have cleaned the site.

    FAQ: WordPress Malware Removal

    Q: How much does professional malware removal cost?
    A: Services like Sucuri or Wordfence charge between $100-$200/year for cleanup and protection. Freelancers on Fiverr may charge $50-$100, but quality varies.

    Q: Can I just restore a backup?
    A: Only if you know exactly when the hack happened. If you restore a backup from 3 days ago, but the hacker planted a “time-bomb” backdoor 2 weeks ago, the site will just get hacked again.

    Q: Why does my site keep getting hacked?
    A: You likely have a “backdoor” left behind (a hidden file allowing re-entry) or you are using a “Nulled” (pirated) premium plugin which often comes pre-loaded with malware.


    Disclaimer: If you are uncomfortable editing server files, we highly recommend hiring a professional or using a dedicated security plugin to avoid breaking your site.