WordPress Malware Removal: How to Clean an Infected Site Safely

WordPress malware removal can feel overwhelming when you are not a developer. Your site may redirect visitors, show strange pop-ups, display a browser warning, or suddenly lose traffic because Google marked it as unsafe.

The important point is this: do not delete random files first. A safe cleanup starts with a backup, evidence collection, and a clear check of the files most commonly abused by malware.

RyoheiYokoyama

I am Ryohei Yokoyama, an IT engineer with over 20 years of experience in WordPress, PHP, security cleanup, and website recovery. This guide explains malware removal in a beginner-friendly order without hiding the technical details you need to check.

This article is written for beginners, but it includes concrete file names and examples because malware removal cannot be done with vague advice alone. Even if you ask a professional for help later, these checks will help you understand what is happening.

WordPress Malware Removal: Start With a Safe Backup

The first step in WordPress malware removal is to preserve the current condition of the site. Even infected files can contain clues that show when the attack started, which files were changed, and whether the database was affected.

If you delete files too early, you may remove evidence while leaving the real backdoor behind. A backup gives you a safe point to return to if a cleanup attempt breaks the site.

Back up files and database separately

A complete WordPress backup has two parts: the website files and the database. The files include WordPress core, themes, plugins, uploads, and configuration files. The database includes posts, settings, users, and many plugin settings.

public_html/ or your WordPress document root
wp-config.php
wp-content/plugins/
wp-content/themes/
wp-content/uploads/
Database export from phpMyAdmin, Adminer, or hosting control panel

Record the visible symptoms

Write down exactly what you see before making changes. Useful notes include redirect URLs, warning messages, suspicious admin users, unknown plugin names, and the date when the problem first appeared.

WordPress Malware Signs Beginners Should Check

WordPress malware often appears as visible symptoms, but the infected code may be hidden in a completely different place. For example, a homepage redirect can be caused by a plugin file, a theme file, .htaccess, or injected database content.

Beginners should focus on symptoms first, then check the most common locations one by one. This prevents random editing and reduces the risk of breaking the site.

Common malware symptoms

Files and folders to inspect first

The following locations are common starting points. You do not need to understand every line of PHP, but you should know where suspicious changes often hide.

.htaccess
wp-config.php
wp-content/plugins/
wp-content/themes/active-theme/functions.php
wp-content/uploads/
wp-includes/
Recently modified PHP files

WordPress Malware Removal: Check .htaccess and wp-config.php

.htaccess and wp-config.php are small files, but they can affect the entire site. Attackers may use them to redirect visitors, load malicious code, or hide errors.

For beginners, the goal is not to rewrite everything. The goal is to compare the file against a normal example and look for lines that do not belong.

Normal WordPress .htaccess example

On many Apache servers, a basic WordPress .htaccess file looks similar to this. If you see long encoded strings, strange redirect domains, or rules that point to unknown files, investigate carefully before deleting.

# BEGIN WordPress
RewriteEngine On
RewriteRule .* - [E=HTTP_AUTHORIZATION:%{HTTP:Authorization}]
RewriteBase /
RewriteRule ^index\.php$ - [L]
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteRule . /index.php [L]
# END WordPress

Safe wp-config.php debug example

wp-config.php should contain database settings and WordPress configuration. If you need to investigate errors during cleanup, debug logging can help, but it should not display errors publicly to visitors.

define('WP_DEBUG', true);
define('WP_DEBUG_LOG', true);
define('WP_DEBUG_DISPLAY', false);
@ini_set('display_errors', 0);

WordPress Malware Cleanup Steps for Beginners

A safe cleanup follows a controlled order. You isolate the infection, remove malicious code, close the entry point, then test the site again. Cleaning only the visible symptom can lead to reinfection.

Disable plugins safely without deleting them

If the dashboard is unavailable or you suspect a plugin, rename the plugins folder through FTP/SFTP or the hosting file manager. This disables plugins without deleting their files.

wp-content/plugins
wp-content/plugins-disabled

If the site loads after renaming the folder, create a new plugins folder and move plugins back one by one. This helps identify the plugin involved in the issue.

Replace WordPress core files carefully

If WordPress core files are modified, download a fresh copy from WordPress.org and replace core directories such as wp-admin and wp-includes. Do not overwrite wp-content or wp-config.php without checking them first.

Replace if infected or modified:
wp-admin/
wp-includes/
Root WordPress core files such as wp-load.php and wp-settings.php

Do not blindly overwrite:
wp-content/
wp-config.php
.htaccess

Check uploads for PHP files

The uploads folder should usually contain images, PDFs, and media files. PHP files in uploads are suspicious on most WordPress sites and should be investigated.

wp-content/uploads/2026/05/logo.php
wp-content/uploads/cache/index.php
wp-content/uploads/.hidden.php

After WordPress Malware Removal: Prevent Reinfection

Malware removal is not finished when the visible redirect disappears. You also need to close the entry point. Otherwise, the same attacker may return through an old plugin, weak password, hidden backdoor, or compromised hosting account.

After cleanup, update WordPress core, plugins, and themes. Remove unused plugins, delete unknown users, rotate passwords, and confirm that backups are working.

WordPress Malware Removal FAQ

Can beginners remove WordPress malware themselves?

Beginners can perform safe checks such as backups, password changes, plugin folder testing, and .htaccess review. If malicious PHP code, database injections, or repeated reinfection appears, professional help is safer.

Is restoring a backup enough to remove malware?

Not always. If the backup was created after the infection began, restoring it can bring the same malware back. You also need to identify the entry point and check for hidden backdoors.

Which files are most often infected?

Common locations include .htaccess, wp-config.php, theme functions.php, plugin files, wp-includes, and unexpected PHP files inside wp-content/uploads.

What should I do if Google marks my site as dangerous?

Clean the infection first, confirm the site is safe, then request a review in Google Search Console. Requesting a review before cleanup usually fails.

WordPress Malware Removal Summary

WordPress malware removal should be done in a safe order: back up the site, record symptoms, inspect common file locations, remove malicious code carefully, close the entry point, and verify the result.

For beginners, the biggest mistake is deleting files randomly because the site looks urgent. A careful process protects your data and reduces the chance of reinfection.

If You Cannot Fix WordPress Malware Removal Yourself

If your WordPress site is infected, hacked, redirecting visitors, or showing security warnings, SiteFixNow can help you investigate the cause and restore the site safely.