Discovering that your WordPress site has been infected with malware is unsettling, but it is rarely the end of the world. Most infections follow predictable patterns, and with a methodical approach you can find the malicious code, remove it, and lock the door behind it. This guide walks you through detecting, cleaning, and recovering a compromised WordPress site without losing your data or your sanity.
Signs Your Site Has Been Hacked
Malware does not always announce itself. Sometimes the only clue is a slow decline in traffic. Watch for these common warning signs:
- Browser or search warnings such as “This site may be hacked” or a red interstitial from Google Safe Browsing.
- Unexpected redirects that send visitors to spammy or adult websites, especially from mobile devices or search engines.
- New admin accounts you did not create, or users with elevated privileges.
- Strange files or folders in your installation, often with random names or odd timestamps.
- Spam content injected into posts, pages, or the footer, frequently hidden with CSS.
- Server resource spikes or emails from your host warning about phishing pages or outbound spam.
Back Up Before You Touch Anything
Before you change a single file, make a complete backup of the current state, infected files included. This protects you if a cleanup step goes wrong, and it preserves evidence you may need to compare against. Download a full copy of your files and export your database. Label the backup clearly as compromised so you never restore it by accident.
Never overwrite your only good backup with an infected one. Keep at least one clean copy from before the incident if you have it.
Choose Your Scanning Approach
You have three complementary options, and using more than one improves your odds of catching everything.
Security Plugins
Dedicated WordPress security plugins such as Wordfence, Sucuri, or MalCare can scan your file system and database for known malware signatures, modified core files, and suspicious code. They are the fastest first pass and often flag the exact files that need attention.
Host-Level Scanners
Many hosting providers run their own malware scanners and will quarantine or report infected files. Check your hosting dashboard or open a support ticket; your host may already have a list of affected files waiting for you.
Manual Inspection
Automated tools miss cleverly obfuscated code, so a manual review is essential for a thorough cleanup. The sections below show you exactly where to look.
Step-by-Step Removal
- Update everything. Update WordPress core, every theme, and every plugin to the latest version. Outdated software is the most common entry point, and updates often replace tampered files.
- Replace core files. Download a fresh copy of WordPress matching your version and replace the wp-admin and wp-includes folders along with the root PHP files. Never overwrite wp-content or wp-config.php in this step.
- Inspect uploads, themes, and plugins. The wp-content/uploads directory should contain media only. Any PHP file there is a red flag. Search your installation for common malicious patterns:
grep -rEl "eval\(|base64_decode|gzinflate|str_rot13|shell_exec" wp-content/
find wp-content/uploads -name "*.php" -type f
Open each flagged file and review it carefully. Obfuscated one-liners, long base64 strings, and code that writes other files are typical signs of a backdoor.
- Check wp-config.php. Confirm your database credentials are intact and look for injected code near the top or bottom of the file.
- Audit the database. Look in wp_options for suspicious entries and scan post content for hidden links or scripts. A targeted search helps:
SELECT * FROM wp_posts WHERE post_content LIKE '%<script%';
- Review admin users. Delete any account you do not recognize and reset passwords for every legitimate user.
- Inspect .htaccess. Malware often hides redirect rules here. Compare it against a default WordPress .htaccess and remove anything unfamiliar.
Re-Scan and Harden
After cleaning, run your scanner again from a fresh session to confirm the site is clear. Change all passwords, including your hosting, FTP, and database accounts, and rotate your WordPress security keys. Then ask Google to review and clear any blocklist status through Search Console.
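Rotating the WordPress security keys is the one part of this step that is worth scripting, because all eight keys and salts must change together and each existing login cookie becomes invalid only once they do. The script below is an added example, not the guide's or WordPress's own code. It assumes wp-config.php uses the stock define( 'AUTH_KEY', '...' ); layout, and it builds a constructed wp-config.php with the shipped placeholders so it runs offline.

```shell
#!/bin/sh
# Added example (not from the original guide): rotate the eight WordPress
# secret keys and salts in wp-config.php. New values invalidate every
# existing login cookie, which is what you want after a cleanup.
# Assumption: the file uses the stock define( 'AUTH_KEY', '...' ); layout.
export LC_ALL=C
KEYS="AUTH_KEY SECURE_AUTH_KEY LOGGED_IN_KEY NONCE_KEY
      AUTH_SALT SECURE_AUTH_SALT LOGGED_IN_SALT NONCE_SALT"
PLACEHOLDER='put your unique phrase here'

# 64 random characters from a set that is safe inside a single-quoted PHP
# string and inside the sed replacement below (no quote, backslash, & or |).
new_secret() {
    tr -dc 'A-Za-z0-9!@#%^*_+=-' < /dev/urandom | head -c 64
}

# Current value of one define() in the file (empty if absent).
get_key() {
    sed -n "s|.*define( *'$2', *'\([^']*\)'.*|\1|p" "$1"
}

# Rewrite one define() in place. sed -i.bak works on GNU and BSD sed.
set_key() {
    sed -i.bak "s|define( *'$2', *'[^']*' *)|define('$2', '$3')|" "$1" && rm -f "$1.bak"
}

# Fail before touching anything if a key is missing, then rotate all eight.
rotate_keys() {
    for k in $KEYS; do
        [ -n "$(get_key "$1" "$k")" ] || { echo "no $k in $1" >&2; return 1; }
    done
    for k in $KEYS; do set_key "$1" "$k" "$(new_secret)"; done
}

# Post-check: every key is 64 chars, not the placeholder, and all differ.
keys_look_fresh() {
    seen=
    for k in $KEYS; do
        v=$(get_key "$1" "$k")
        [ ${#v} -eq 64 ] && [ "$v" != "$PLACEHOLDER" ] || return 1
        case "$seen" in *"|$v|"*) return 1 ;; esac
        seen="$seen|$v|"
    done
}

# Constructed wp-config.php with the stock placeholders (demo input only).
make_config() {
    f=$(mktemp)
    {
        echo "<?php"
        echo "define( 'DB_NAME', 'wp_demo' );"
        for k in $KEYS; do echo "define( '$k', '$PLACEHOLDER' );"; done
        echo "\$table_prefix = 'wp_';"
    } > "$f"
    echo "$f"
}

cfg=$(make_config)
rotate_keys "$cfg" && keys_look_fresh "$cfg" && echo "rotated: $cfg"
```

Point rotate_keys at a backed-up copy of your real wp-config.php and check the result with keys_look_fresh before uploading it. If you have WP-CLI on the server, wp config shuffle-salts does the same job; the WordPress.org secret-key service is another source of values if you prefer to paste them in by hand. Either way, rotate the keys after the password changes, not before, so that the new passwords are the only credentials that still work.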
When to Call a Professional
If the infection keeps returning, spans multiple sites on the same server, or you are not confident reading PHP, bring in a specialist. A reputable malware removal service or your host’s security team can perform a deep clean and root-cause analysis far faster than trial and error.
Prevention Tips
- Keep core, themes, and plugins updated automatically where possible.
- Use strong, unique passwords and enable two-factor authentication.
- Install only reputable plugins and remove anything unused.
- Run scheduled backups stored off-server.
- Add a firewall or security plugin for continuous monitoring.
The best cure is prevention. Once your site is clean, take the time to secure your WordPress website so the same attackers cannot walk back through the same door.