If you have confirmed or strongly suspect malware on your WordPress site, the safest next step is not random deletion. It is a cleanup checklist that helps you preserve evidence, avoid breaking the site, and remove the real infection path instead of only the visible symptom.
Many site owners panic after seeing spam redirects, browser warnings, unfamiliar files, or strange admin users. In that moment, they often delete plugins, replace files blindly, or restore an old backup without checking whether the malware is still present. This guide gives you a practical WordPress malware cleanup checklist for site owners so you can work in a safer order and reduce the chance of reinfection.
I’m Ryohei Yokoyama, founder of SiteFixNow. I’ve worked as an IT engineer for over 20 years and have handled many WordPress malware removal, hacked site repair, reinfection cleanup, and security recovery cases. In this article, I’ll show you the practical cleanup checkpoints that matter most before, during, and after malware removal.
- What to do before touching infected files or plugins
- Which WordPress files, users, and settings to check first
- How to clean malware more safely without making the site worse
- What to reset and harden after cleanup to prevent reinfection
Why a WordPress malware cleanup checklist matters before you delete anything
The main point is simple: order matters. Malware cleanup is not only about removing bad code. It is also about preserving enough information to understand how the infection entered the site, what it changed, and what might bring it back after you think the site is clean.
When site owners skip a checklist, they often delete one suspicious file, remove a plugin, or restore a partial backup while a hidden backdoor remains in wp-content/uploads, mu-plugins, or wp-config.php. That can lead to a second infection, more downtime, and lost SEO trust. A checklist keeps the work controlled and repeatable.
- Reduce the chance of deleting legitimate files by mistake
- Help you find hidden malware, not only visible symptoms
- Keep a record of suspicious files, users, and redirects
- Support a safer post-cleanup hardening process
If you are still confirming whether the infection is real, read WordPress Malware Removal: How to Clean an Infected Site Safely and WordPress Redirect Hack Fix as companion guides. They help you separate active malware symptoms from normal plugin or caching issues.
Immediate actions to take before starting WordPress malware cleanup
The first recommendation is to slow down and stabilize the situation. Before editing files, collect the minimum information you need: a backup copy, a note of suspicious behavior, and a short list of recent changes such as plugin installs, theme edits, or new administrator users.
This matters because many infections are easier to remove when you can compare the current state with what changed recently. If the site started redirecting after a plugin update or after an unfamiliar admin appeared, that clue may save hours of blind searching later.
- Create a fresh backup copy of files and database before changing anything
- Write down the visible symptoms such as redirects, warnings, or fake pages
- Check whether unknown admins, plugins, or code edits appeared recently
- Temporarily pause ad campaigns or other traffic sources if visitors are at risk
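One way to take the file-side copy from the first checklist item, as an added example that is not part of the original guide. It archives the locations this guide lists for preservation and records a SHA-256 manifest. The function names and output layout are assumptions, it expects `sha256sum` and `tar` on the host, and the database dump is out of scope here.

```shell
#!/bin/sh
# Added example (not from the original guide): archive the locations the guide
# lists for preservation and record a SHA-256 manifest before any cleanup edit.
# Function names and the output layout are assumptions of this example.
EVIDENCE_PATHS="wp-config.php .htaccess wp-content/plugins wp-content/themes
wp-content/mu-plugins wp-content/uploads wp-content/debug.log"

# preserve_evidence WP_ROOT OUT_DIR  (keep OUT_DIR outside the web root)
# Prints the number of files captured; non-zero status on failure.
preserve_evidence() {
    wp_root=$1
    mkdir -p "$2" || return 1
    out_dir=$(cd "$2" && pwd) || return 1
    (
        cd "$wp_root" || exit 1
        present=""
        for p in $EVIDENCE_PATHS; do
            if [ -e "$p" ]; then present="$present $p"; fi
        done
        if [ -z "$present" ]; then exit 1; fi
        # Hash first, then archive; tar records modification times and modes.
        find $present -type f -exec sha256sum {} + | sort -k 2 \
            > "$out_dir/manifest.sha256"
        tar -czf "$out_dir/files.tar.gz" $present
    ) || return 1
    chmod a-w "$out_dir/files.tar.gz" "$out_dir/manifest.sha256"
    wc -l < "$out_dir/manifest.sha256" | tr -d ' '
}

# verify_evidence OUT_DIR: extract to a scratch directory and re-check every
# hash, which also catches files that changed while the snapshot was running.
verify_evidence() {
    out_dir=$(cd "$1" && pwd) || return 1
    scratch=$(mktemp -d) || return 1
    rc=1
    if tar -xzf "$out_dir/files.tar.gz" -C "$scratch" &&
       (cd "$scratch" && sha256sum -c "$out_dir/manifest.sha256" >/dev/null 2>&1)
    then rc=0; fi
    rm -rf "$scratch"
    return $rc
}
```

Server access and error logs usually live outside the WordPress root, so copy them into the same evidence directory separately.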
Files and locations to preserve before editing
Keep copies of the files attackers commonly modify. Even if you later replace them with clean originals, preserving the infected versions first can help you trace how the attack works and whether the same code exists elsewhere.
wp-config.php
.htaccess
wp-content/plugins/
wp-content/themes/
wp-content/mu-plugins/
wp-content/uploads/
wp-content/debug.log
server access logs
server error logs
The WordPress malware cleanup checks site owners should do first
The safest cleanup process starts with the most common infection points. In practice, that means checking files, administrator access, and redirection behavior before attempting deeper hardening. These first checks usually reveal whether the malware is isolated or widespread.
The reason to begin here is that a single visible symptom often hides a second persistence method. A spam redirect may come from .htaccess, but the rewrite could be recreated by a hidden PHP loader in uploads or a rogue admin account with full editing access.
- Administrator users: confirm every admin account is expected
- Uploads folder: look for executable PHP or unfamiliar scripts
- wp-config.php: inspect for injected includes, odd constants, or remote calls
- .htaccess: review redirects and rewrite rules for spam destinations
- Must-use plugins: check wp-content/mu-plugins for hidden loaders
A practical suspicious file check
One of the fastest checks is to find executable files in places that normally should not contain them. This is especially important in wp-content/uploads, cache folders, old backup folders, and mu-plugins.
find wp-content/uploads -type f \( -name "*.php" -o -name "*.phtml" -o -name "*.php5" \)
find wp-content -type f \( -name "*.php" -o -name "*.phtml" \) | grep -E "/cache/|/backup/|/old/|/tmp/"
find wp-content/mu-plugins -type f
grep -R "base64_decode" wp-content
grep -R "gzinflate" wp-content
These results do not prove malware by themselves, but they help you narrow the review. If a strange PHP file appears in uploads or a hidden loader appears in mu-plugins, that is a strong signal to inspect that path before doing bulk replacements.
How to verify admin access during cleanup
Unknown administrators are one of the easiest ways for attackers to regain control. Even if you clean the file system, a rogue admin can reinstall malware or edit theme files again. That is why account review belongs near the start of your checklist, not at the end.
SELECT ID, user_login, user_email, user_registered
FROM wp_users
ORDER BY ID DESC;
After that, compare the list against real team members in the WordPress admin area. If you see unknown users, changed email addresses, or recent privilege escalation, document those findings before removal. If broader damage already exists, also review WordPress Hacked Site Repair: What to Do Before It Gets Worse.
How to remove malware from WordPress more safely without causing extra damage
The key point here is controlled replacement, not random editing. Once you confirm suspicious files or modified rules, remove or quarantine only what you understand, then replace compromised core, theme, or plugin files with clean originals from trusted sources.
For example, if .htaccess contains redirect injections, clean the malicious directives but keep necessary WordPress rewrite rules. If a plugin folder is infected, it is often safer to replace the entire plugin from a clean download than to edit one obfuscated PHP file inside it and hope nothing else remains.
- Back up files and database
- Document suspicious files, redirects, and accounts
- Quarantine confirmed malicious files or folders
- Replace compromised files with clean originals
- Recheck the site for redirects, warnings, and hidden loaders
Example of a clean basic WordPress rewrite block
If your .htaccess was altered, compare it against a known-good version. The exact contents depend on your setup, but a basic WordPress rewrite block should look similar to this and should not include unknown external redirects.
# BEGIN WordPress
<IfModule mod_rewrite.c>
RewriteEngine On
RewriteBase /
RewriteRule ^index\.php$ - [L]
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteRule . /index.php [L]
</IfModule>
# END WordPress
If you find unfamiliar conditions, remote destinations, or encoded strings mixed into the file, inspect them carefully before deleting. Redirect-specific clues are also covered in WordPress Redirect Hack Fix.
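The comparison described above can be scripted. This is an added example, not part of the original guide: it lists every active .htaccess line that deviates from the basic block shown here, with a reason for each. The function names and the sample file are constructed for illustration, and because plugins and some WordPress versions write additional legitimate directives, each finding is a line to review, not proof of infection.

```shell
#!/bin/sh
# Added example: list .htaccess lines that deviate from the basic WordPress
# rewrite block shown in this guide. Findings are review candidates, not proof.

# audit_htaccess FILE -> one "LINE<TAB>REASON<TAB>TEXT" row per finding
audit_htaccess() {
    awk '
    BEGIN {
        # Baseline directives, copied from the block in this guide.
        ok["<IfModule mod_rewrite.c>"]; ok["RewriteEngine On"]
        ok["RewriteBase /"]; ok["RewriteRule ^index\\.php$ - [L]"]
        ok["RewriteCond %{REQUEST_FILENAME} !-f"]
        ok["RewriteCond %{REQUEST_FILENAME} !-d"]
        ok["RewriteRule . /index.php [L]"]; ok["</IfModule>"]
    }
    {
        line = $0
        sub(/\r$/, "", line)                      # tolerate CRLF files
        gsub(/^[ \t]+|[ \t]+$/, "", line)
        if (line == "# BEGIN WordPress") { inwp = 1; next }
        if (line == "# END WordPress")   { inwp = 0; next }
        if (line == "" || line ~ /^#/) next       # blank lines and comments
        gsub(/[ \t]+/, " ", line)
        reason = ""
        if (line ~ /https?:\/\//)        reason = "external destination"
        else if (!inwp)                  reason = "outside WordPress block"
        else if (!(line in ok))          reason = "not in baseline block"
        if (reason != "") printf "%d\t%s\t%s\n", NR, reason, line
    }' "$1"
}

# Constructed sample: the clean block plus two injected lines (hypothetical).
write_sample() {
    cat > "$1" <<'EOF'
RewriteRule ^(.*)$ http://spam.example.invalid/ [R=302,L]
# BEGIN WordPress
<IfModule mod_rewrite.c>
RewriteEngine On
RewriteBase /
RewriteRule ^index\.php$ - [L]
RewriteRule ^img/(.*)$ /wp-content/uploads/cache.php [L]
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteRule . /index.php [L]
</IfModule>
# END WordPress
EOF
}
```

Run it against the preserved copy of the infected file first, so the line numbers in the report match the evidence you kept.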
What to reset and harden after WordPress malware cleanup
A successful cleanup is not finished when the visible malware disappears. You also need to assume credentials, weak settings, or abandoned software helped the infection happen in the first place. Post-cleanup hardening closes those gaps and lowers the chance of the same attacker returning.
The practical version of this step includes resetting passwords, rotating salts, updating all software, removing unused plugins and themes, and blocking risky behavior such as PHP execution inside uploads if your setup does not require it.
- Reset WordPress admin, hosting, database, and FTP or SSH passwords
- Rotate WordPress salts in wp-config.php
- Update WordPress core, themes, and plugins to supported versions
- Remove inactive or abandoned plugins and themes
- Install or reconfigure security monitoring after confirming the site is stable
Useful defensive settings to review
These settings do not clean malware directly, but they make debugging and hardening safer after you remove the infection. Adjust them carefully for your environment, especially on production sites.
// WP_DEBUG_LOG and WP_DEBUG_DISPLAY only take effect while WP_DEBUG is true.
define( 'WP_DEBUG', false );
define( 'WP_DEBUG_LOG', true );
define( 'WP_DEBUG_DISPLAY', false );
// Disable the built-in theme and plugin file editor in wp-admin.
define( 'DISALLOW_FILE_EDIT', true );
For prevention-focused follow-up steps, see WordPress Security Checklist for Beginners. It is useful after malware cleanup because prevention matters more once the site is stable again.
When site owners should stop DIY cleanup and ask for WordPress malware help
The final point is that not every infection is safe to handle alone. If the site keeps getting reinfected, if browser warnings return, if core files and database entries are both compromised, or if the site is business-critical, professional cleanup can be the safer decision.
That is especially true when you are unsure which files are legitimate, cannot confirm whether customer data is affected, or cannot afford another round of downtime. In those situations, the goal is not only to delete malware. It is to verify the root cause, secure the environment, and restore trust quickly. If that is your situation, a dedicated WordPress Recovery Service may save time and risk.
Frequently asked questions about WordPress malware cleanup
Summary
A strong WordPress malware cleanup checklist starts with backup and evidence preservation, moves through high-priority file and account checks, uses controlled replacement instead of panic deletion, and finishes with password resets and hardening. That order helps site owners remove malware more safely and reduces the chance of reinfection.
