How to Clean up a WordPress Site from Malware

by Corey Philip
February 6, 2020

Do you see spam appearing on your WordPress page? Have your users reported being redirected to a different website whenever they try to open your site? Did you notice something different in your page content, or see something you don't remember adding? Did your hosting provider report noticing something malicious on your website? Then your WordPress site has been hacked.

Having malware can ruin your website. It can get your website blacklisted from search engines and other online services, which means all the effort you put into perfecting your website will be wasted.

Before anything else, you should first know what kind of malware you have on your site. Backdoors, drive-by downloads, pharma hacks, and malicious redirects are the 4 most common types of malware that can be found on WordPress sites. By knowing what kind of malware has infected your website, you will know how to fix it or to prevent the problem from happening again.

Eliminating malware from a hacked WordPress site is not the easiest task. If you can't do this by yourself, it is highly recommended to call a professional to clean your website. But if you want to go DIY, here are steps you can follow to clean up your site from a malware attack:

How to Clean Your Site from a Malware Attack


Identify the infection

As mentioned above, identifying what kind of infection has hit your WordPress site is necessary to figure out what approach to take. You can use a site scanner to get the information you need. Because cyber crime is becoming more common, a lot of websites offer free site scans for WordPress. Just make sure to carefully check that the scanner comes from a reliable website to prevent additional issues.

Here are some of the common threats you may encounter in WordPress: 

  • Pharma hacks insert spam into your folders or database.
  • Drive-by download malware is a malicious file that downloads secretly, without the user being aware of it.
  • Redirects send visitors from your website to another page that the hacker owns, which tricks people into downloading malicious files.
  • A backdoor is a program that gives hackers access to your WordPress admin dashboard.
  • Phishing is when hackers trick people into releasing sensitive information like usernames, passwords, etc. They use the provided information to access your accounts, such as your bank or PayPal, and make use of them.

Back up files and your database, then delete hacked files

So you finally figured out what kind of malware attacked your website. What's next?

It is time to back up all your WordPress files before cleaning everything (because you don't want all you have written in it to vanish forever, right?). This step needs to be done thoroughly, and if your website is quite large, it will take some time to download everything. You can use your hosting provider's backup system, or you can try installing a backup plugin to download a duplicate of your entire site.

Your hosting provider might delete your WordPress site after reporting that it has been hacked. They usually do this to prevent other users from becoming infected, so make sure to back your site up as soon as possible.

Once the backup is completed, delete all the files inside your public_html folder (except the CGI folder and other folders that do not contain hacked files). If you are handling other sites that are hosted on the same account that has been hacked, you should also clean them using the same process.
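The backup-then-delete order described above, as an added example that is not part of the original article: the function archives the web root, checks that every file made it into the archive, and only then empties the folder. The kept folder name `cgi-bin`, the archive name and the sample tree are assumptions; the archive still contains the infected files, so it is written outside the web root.

```python
import hashlib
import shutil
import tarfile
import tempfile
from pathlib import Path


def backup_then_clear(docroot, backup_dir, keep=("cgi-bin",)):
    """Archive docroot, verify the archive, then empty docroot except `keep`."""
    docroot, backup_dir = Path(docroot).resolve(), Path(backup_dir).resolve()
    # The archive contains the infected files: never store it inside the web root.
    if backup_dir == docroot or docroot in backup_dir.parents:
        raise ValueError("backup_dir must be outside docroot")
    backup_dir.mkdir(parents=True, exist_ok=True)
    archive = backup_dir / "site-backup.tar.gz"  # assumed archive name
    with tarfile.open(archive, "w:gz") as tar:
        tar.add(docroot, arcname=docroot.name)
    # Verify before deleting: every regular file on disk must be in the archive.
    on_disk = {p.relative_to(docroot.parent).as_posix()
               for p in docroot.rglob("*") if p.is_file() and not p.is_symlink()}
    with tarfile.open(archive, "r:gz") as tar:
        archived = {m.name for m in tar.getmembers() if m.isfile()}
    missing = on_disk - archived
    if missing:
        raise RuntimeError(f"backup incomplete, nothing deleted: {sorted(missing)}")
    digest = hashlib.sha256(archive.read_bytes()).hexdigest()

    removed = []
    for entry in sorted(docroot.iterdir()):
        if entry.name in keep:
            continue  # folders left in place, as the step above allows
        if entry.is_dir() and not entry.is_symlink():
            shutil.rmtree(entry)
        else:
            entry.unlink()
        removed.append(entry.name)
    return archive, digest, removed


def demo():
    """Run against a constructed site tree in a temporary directory."""
    tmp = Path(tempfile.mkdtemp())
    site = tmp / "public_html"
    (site / "cgi-bin").mkdir(parents=True)
    (site / "wp-content").mkdir()
    (site / "index.php").write_text("<?php // constructed sample\n")
    (site / "wp-content" / "old.php").write_text("<?php // constructed sample\n")
    archive, digest, removed = backup_then_clear(site, tmp / "backups")
    return archive.exists(), removed, sorted(p.name for p in site.iterdir())
```

Record the returned SHA-256 digest alongside the archive so you can later confirm the backup was not altered.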


Reinstall and reset everything

Reinstall WordPress, then change your passwords and permalinks. Use a strong password, and make sure you don't reuse your old ones. Check your database thoroughly and make sure that there is no unwanted code left in it. Reinstall freshly downloaded plugins and themes. Remember, do not upload your old plugins and themes. Old plugins have security holes that hackers can easily use. Delete the old folders and reinstall only those the site needs.


Clean the database

Review your database for infected entries. You can do this by using an installed scanner like Wordfence, or you can check your database manually. Delete the entries in your database related to the plugins and themes you also deleted. Make sure that everything is clean and normal. If you delete the wrong entry, you might lose it forever, so be careful.

If you are not sure about using your old database, creating a new one is the safest thing you can do. Although it requires a lot more work, at least you are sure that your website is clean.
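A manual database check of the kind described in this step and in the reinstall step, as an added example that is not part of the original article: it scans a SQL dump line by line and reports which tables hold content that resembles the malware types listed earlier. The signature list and the sample dump are constructed for illustration, and a match is a candidate for manual review rather than proof of infection.

```python
import re

# Illustrative signatures only, grouped by the malware types listed earlier in
# this article. Matches are candidates for manual review, not proof of infection.
SIGNATURES = {
    "pharma spam": re.compile(r"\b(viagra|cialis|levitra)\b", re.I),
    "redirect": re.compile(r"http-equiv=\W*refresh|(window|document)\.location", re.I),
    "hidden frame/script": re.compile(r"<iframe\b|<script\b[^>]*\bsrc=", re.I),
    "backdoor code": re.compile(r"\b(eval|base64_decode|gzinflate)\s*\(", re.I),
}
TABLE_RE = re.compile(r"INSERT INTO `([^`]+)`")

# Constructed sample in mysqldump style; none of it comes from a real site.
SAMPLE_DUMP = r"""INSERT INTO `wp_posts` VALUES (1,'Hello world','Welcome to the site.');
INSERT INTO `wp_posts` VALUES (2,'News','Update <div style=\"display:none\">cheap viagra</div>');
INSERT INTO `wp_options` VALUES (90,'widget_text','<script src=\"https://cdn.example.invalid/x.js\"></script>');
INSERT INTO `wp_options` VALUES (91,'cron_hook','eval(base64_decode(\"PLACEHOLDER\"));');
INSERT INTO `wp_users` VALUES (1,'admin','admin@example.com');
"""


def scan_dump(dump_text):
    """Return (line_no, table, category, snippet) for each suspicious INSERT line."""
    findings = []
    for line_no, line in enumerate(dump_text.splitlines(), 1):
        table = TABLE_RE.match(line)
        if not table:
            continue  # skip schema statements, comments and blank lines
        for category, pattern in SIGNATURES.items():
            hit = pattern.search(line)
            if hit:
                snippet = line[max(hit.start() - 20, 0):hit.end() + 20]
                findings.append((line_no, table.group(1), category, snippet))
    return findings


def tables_to_review(findings):
    """Group finding categories by table so cleanup can go table by table."""
    summary = {}
    for _, table, category, _ in findings:
        summary.setdefault(table, set()).add(category)
    return {table: sorted(cats) for table, cats in summary.items()}


if __name__ == "__main__":
    for finding in scan_dump(SAMPLE_DUMP):
        print(finding)
```

Legitimate content such as embedded third-party scripts will also match, so review each snippet before deleting anything.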


Install security plugins

Although WordPress already has security, you can't just sit still and do nothing after you get hacked. Install trusted security plugins for your WordPress website that can provide real-time detection.

You can use iThemes Security, as it has a lot of features you can freely configure, like:

  • Adding your IP address
  • Banning users that are trying to look for your website's vulnerability
  • Changing the admin username from time to time
  • And more

Change your hosting provider

If your hosting provider's security is not tight enough for your needs, maybe it is time to move on to a better one. After suffering from the stress of a malware attack on your website, you don't want to put yourself through any more problems, right? Although it is not entirely their fault, having a great server with well-established security is completely necessary so your website can stay up and running.

If you are handling a website, you should always make sure to check that your hosting provider is implementing all security methods, that your plugins are working well, and that your website is up-to-date. As we all know, prevention is better than cure, so be aware of everything that is happening on your website before you even run into any issues.

Always remember, prevention is better than cure.

About the author

Corey Philip

Corey Philip is a small business owner / investor with a focus on home service businesses.
