WordPress Hack Cleanup: Remove Malware, Backdoors, and Redirects

Illustration of WordPress hack cleanup with malware, backdoor, redirect blocking, security shield, and cleanup brush.

A hacked WordPress site is rarely fixed by deleting one suspicious file. Modern attacks often leave several layers behind: visible malware, hidden backdoors, malicious redirects, fake admin users, poisoned database records, and reinfection triggers that wait for the next page load.

If your site redirects visitors, shows browser warnings, sends spam, or keeps getting reinfected after a “cleanup,” you need a full WordPress hack cleanup process. The goal is not only to remove what you can see, but to close every path the attacker used to come back.

RyoheiYokoyama

I’m Ryohei Yokoyama, founder of SiteFixNow. I’ve worked as an IT engineer for over 20 years and have handled many WordPress malware removal, hacked site repair, redirect hack cleanup, and security recovery cases. In this guide, I’ll explain the practical cleanup order I use to reduce data loss and reinfection risk.

What you’ll learn
  • How to start a WordPress hack cleanup without destroying evidence or backups.
  • Where malware, backdoors, and redirect scripts usually hide.
  • Which files, folders, database tables, and users to check first.
  • How to reduce the chance of the same hack coming back after cleanup.

Important: if the site is still serving malware to visitors, put it into maintenance mode or restrict public access before continuing.

On This Page

WordPress Hack Cleanup Starts With Containment

The first step is containment. Before deleting files, installing plugins, or restoring random backups, stop the damage from spreading and preserve enough evidence to understand what happened.

This matters because many site owners accidentally make the situation worse. They delete a plugin folder, clear cache, and then lose the only clue that showed where the attacker entered. Others restore an old backup, but the backup already contains the backdoor.

Do this before cleanup
  • Make a full backup of files and database, even if the site is infected.
  • Download server access logs and error logs if your host provides them.
  • Disable public access temporarily if visitors are being redirected or warned.
  • Record the first date you noticed the problem and any recent updates or uploads.
  • Do not overwrite the live site with an unknown backup yet.

A practical cleanup starts with a separate copy of the site whenever possible. Work on a staging copy or local copy first, then apply the verified fix to production. If you must work directly on the live site, keep a dated backup before every major change.

For a broader recovery overview, you can also compare this process with the SiteFixNow guide on cleaning an infected WordPress site safely.

WordPress Hack Cleanup Must Check Files, Users, and the Database

A serious WordPress hack cleanup should cover three areas: files, administrator access, and the database. If you only scan files, you may miss malicious JavaScript stored inside posts or options. If you only reset passwords, you may leave executable PHP in uploads.

Start with the most commonly abused locations. In WordPress, attackers often hide code in places that look normal at a glance: plugin folders, theme files, mu-plugins, uploads, cache folders, and configuration files.

High-risk WordPress locations
  • wp-content/uploads/ – should not normally contain executable PHP.
  • wp-content/plugins/ – check unknown plugin folders and modified plugin files.
  • wp-content/themes/ – check functions.php, header/footer files, and old unused themes.
  • wp-content/mu-plugins/ – loads automatically and is easy to overlook.
  • .htaccess and wp-config.php – common places for redirect rules and hidden includes.
  • Database tables such as wp_options, wp_posts, and wp_users.

If you have SSH access, compare file modification dates against the estimated infection date. A cluster of changed files in unrelated folders is often more useful than one obvious suspicious file.

find public_html -type f -mtime -14 -print
find public_html/wp-content/uploads -type f -name "*.php" -print
find public_html/wp-content -type f \( -name "*.php" -o -name "*.js" \) -mtime -14 -print

These commands do not clean the site by themselves. They help you identify where to inspect. If the output is large, sort the files by date and prioritize files that should not have changed recently.

WordPress Backdoor Cleanup Requires More Than Deleting Malware

A backdoor is a hidden way for the attacker to regain access after the visible malware is removed. This is why a site can look clean for one day and then become infected again.

Backdoors often use small PHP snippets that look meaningless to non-developers. They may call functions such as eval, base64_decode, gzinflate, str_rot13, assert, preg_replace with executable patterns, or remote include functions.

grep -R "base64_decode" public_html/wp-content --include="*.php"
grep -R "gzinflate" public_html/wp-content --include="*.php"
grep -R "eval(" public_html/wp-content --include="*.php"
grep -R "shell_exec" public_html/wp-content --include="*.php"

Be careful with these results. Some legitimate plugins may use encoding or system functions. The point is not to delete every match automatically. The point is to inspect the file path, modification date, surrounding code, and whether the file belongs to a real plugin or theme.

One common backdoor pattern is a fake file placed inside uploads or cache folders. Another is a tiny include added to a legitimate file so that the real malicious code loads from somewhere else.

// Suspicious examples to investigate
@include_once('/tmp/.cache/file.php');
require_once ABSPATH . 'wp-content/uploads/2026/07/system.php';
if (isset($_REQUEST['key'])) { eval($_REQUEST['key']); }

If you find code like this, do not only remove the line. Check the referenced file, the user accounts, the login history, and the plugin or theme vulnerability that allowed the change. A backdoor is usually a symptom of a deeper access problem.

For a focused guide on hidden backdoors, see how to scan WordPress for malware and hidden backdoors.

WordPress Redirect Hack Cleanup Needs .htaccess and Database Checks

Redirect hacks are especially frustrating because the site may look normal to you while visitors from Google, mobile devices, or specific countries are sent to spam pages. That behavior often means the redirect is conditional.

Check the obvious redirect locations first: .htaccess, theme header files, plugin JavaScript files, injected scripts in posts, and the siteurl or home values in the database.

# Normal WordPress rules usually look like this
# BEGIN WordPress
<IfModule mod_rewrite.c>
RewriteEngine On
RewriteRule .* - [E=HTTP_AUTHORIZATION:%{HTTP:Authorization}]
RewriteBase /
RewriteRule ^index\.php$ - [L]
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteRule . /index.php [L]
</IfModule>
# END WordPress

If you see unfamiliar domains, long encoded strings, mobile user-agent conditions, or rules that redirect only search-engine visitors, investigate them carefully. A malicious .htaccess file may be placed not only in the document root, but also in subdirectories.

wp option get siteurl
wp option get home
wp db query "SELECT ID, post_title FROM wp_posts WHERE post_content LIKE '%<script%' LIMIT 20;"
wp db query "SELECT option_name FROM wp_options WHERE option_value LIKE '%base64%' LIMIT 20;"

These WP-CLI examples assume the table prefix is wp_. If your site uses a custom prefix, replace wp_posts and wp_options with the correct table names.

If your main problem is visitor redirection, also review the SiteFixNow article on WordPress redirect virus cleanup.

WordPress Malware Removal Should Use Clean Sources for Core, Plugins, and Themes

The safest way to clean WordPress core is to replace it with a fresh copy from wordpress.org, while preserving wp-content and wp-config.php. For plugins and themes, reinstall clean copies from trusted sources instead of trying to edit every suspicious line manually.

This approach reduces the risk of missing small changes inside large files. It also helps you separate “known clean” code from site-specific uploads, custom themes, and database content that still need inspection.

Clean replacement order
  1. Back up the current infected site and database.
  2. Replace WordPress core files from a clean official package.
  3. Reinstall plugins from the official repository or vendor account.
  4. Reinstall the active theme from a clean source, then reapply verified custom changes.
  5. Inspect uploads, mu-plugins, custom code, and the database manually.

Do not reinstall nulled themes, abandoned plugins, or ZIP files from unknown sources. If the original infection came from a vulnerable or pirated extension, restoring the same extension puts the site back in danger.

When replacing plugins, first rename the current plugin folder instead of deleting it immediately. This gives you a rollback path and preserves evidence for later review.

cd public_html/wp-content
mv plugins plugins-infected-backup
mkdir plugins

# Then reinstall only necessary plugins from trusted sources.

After reinstalling clean plugins, test the site carefully. If the site breaks, re-enable only the essential plugin you need for diagnosis. Avoid activating everything at once because that makes it harder to identify the risky component.

WordPress Hack Cleanup Is Not Complete Until Access Is Secured

A cleanup is incomplete if the attacker can still log in, upload files, or run code. After removing malware and backdoors, secure every access path that could bring the infection back.

Start with administrator users. Remove unknown accounts, reset all admin passwords, check email addresses, and confirm that no attacker-controlled email is used for password resets.

Access hardening checklist
  • Reset WordPress administrator passwords.
  • Reset hosting control panel, FTP/SFTP, database, and email passwords.
  • Remove unknown WordPress admin users and unused FTP accounts.
  • Update WordPress core, plugins, and themes after cleanup.
  • Disable PHP execution in uploads where your hosting environment allows it.
  • Set up reliable off-site backups before reopening the site fully.

If the hosting environment supports Apache .htaccess, you can restrict PHP execution inside uploads. Test this carefully because server behavior differs by host.

<FilesMatch "\.php$">
  Require all denied
</FilesMatch>

Security hardening should happen after the site is clean, not instead of cleanup. A security plugin can help reduce future risk, but it does not automatically prove that every backdoor has already been removed.

For post-cleanup hardening, read how to secure WordPress after malware removal.

WordPress Hack Cleanup Verification Before Reopening the Site

Before you consider the cleanup finished, verify the site from several angles. Check the home page, important landing pages, search-result entry points, mobile access, and direct URLs that were previously redirecting.

Also clear every cache layer after cleanup: WordPress cache plugins, server cache, CDN cache, and browser cache. A site may appear infected simply because an old cached page is still being served.

Final verification points
  • No unexpected redirects from desktop, mobile, and search-result entry points.
  • No new suspicious files appear after several page loads.
  • WordPress admin users are known and necessary.
  • Core, plugins, and themes are updated from trusted sources.
  • Google Search Console and browser warnings are reviewed after cleanup.
  • Fresh backups are running and stored outside the infected hosting account.

If malware warnings were shown in Google or browsers, cleanup alone may not remove the warning immediately. You may need to request a review through the relevant platform after confirming that the site is clean.

WordPress Hack Cleanup FAQ

Can I clean a hacked WordPress site by restoring a backup?

Sometimes, but only if the backup is from before the infection and the original vulnerability is fixed. If you restore an infected backup or keep the same vulnerable plugin, the site can be hacked again.

Why does malware come back after I delete suspicious files?

Usually because a backdoor, fake admin user, stolen FTP password, vulnerable plugin, or database injection remains. A complete cleanup must remove both visible malware and the reinfection path.

Should I install a security plugin during cleanup?

A security plugin can help with scanning, login protection, and hardening, but it should not replace manual inspection. Use tools as support, then verify files, users, database records, and server settings.

What is the most important file to check during redirect cleanup?

Start with .htaccess, theme header files, active plugins, and injected scripts in the database. Redirect hacks often use several layers, so checking only one file is not enough.

WordPress Hack Cleanup Summary

WordPress hack cleanup is not just malware deletion. A reliable cleanup contains the site, backs up evidence, checks files and database records, removes backdoors, cleans redirects, replaces compromised code from trusted sources, secures access, and verifies the result before reopening the site fully.

If the site keeps getting reinfected, assume that something is still open: a backdoor, weak credential, vulnerable extension, malicious database entry, or server-level problem. In that situation, slow down and investigate the full chain instead of repeating the same partial cleanup.

If You Can’t Secure or Recover Your WordPress Site Yourself

Ryohei Yokoyama, founder of Site Fix Now - WordPress site recovery, repair, defacement, malware removal and site hijacking specialist. Recovery in as little as 30 minutes.

If your website shows malware warnings, redirects to strange pages, or you are not sure whether it is secure,
SiteFixNow can help clean, repair, and recover your WordPress site.

Common problems we can help with
  • Your WordPress site may be infected with malware.
  • Security warnings appear in Google or browser results.
  • You found unknown admin users or suspicious files.
  • The site redirects to spam or unknown websites.
  • You need urgent WordPress hacked site repair.

We help with WordPress malware removal, hacked site repair, security cleanup, and recovery support.

Why ask for help early?
  • Reduce visitor risk and SEO damage.
  • Find hidden malware and backdoors, not only visible symptoms.
  • Recover the site safely without unnecessary data loss.

About the Author

Hello, I’m Ryohei Yokoyama, an IT engineer with over 20 years of experience.

I have received more than 776 reviews for WordPress recovery,
website repair, and online courses.

Many clients have shared comments such as:

“They restored my site so quickly!”
“They handled it the same day, which was a huge help!”

I am proud to have received a very high rating of 4.9 out of 5.0.

I have also published more than 30 books on WordPress, SEO, Microsoft Office, and related topics,
with multiple titles reaching No. 1 in sales rankings.

In addition, I have created more than 3,000 services, systems, and websites.

Through this experience, I have helped many people overcome technical problems, frustrations, and challenges.
Based on that practical perspective,
I explain complex topics in a clear and easy-to-understand way.

On This Page