Clean and Remove Malware from your Hacked WordPress

Cleaning a Hacked WordPress Site

and Removing Malware

Warnings on your WordPress site, notifications of site suspension by your hosting provider or core integrity issues. These are just some of the symptoms that your WordPress has been hacked, let’s fix it.

Step 1


You need information to know how to clean your site: warnings on your WordPress, notifications of site suspension or other symptoms

Step 2


How to clean your site and remove all infections, malware or backdoors that hackers have done on your website, blog or e-commerce

Step 3 


Site cleaned. Now it’s time to secure and protect your WordPress site from future hacker attacks with security continuous maintenance


WordPress is one of the most used CMS. Because of that there are lots of hackers attacking websites using WordPress sites and their vulnerabilities. You must secure your website, blog or e-commerce and do a continuous maintenance to prevent from infections. If you have been hacked, the first you should do is scan your site to evaluate the damage.

Scan your WordPress Site

If you are a WeSecur’s Detect Plan user, you have been warned about the hack and have the scan result if you have the automated mode. If you execute the scan manually, scan your site to read the report.

Check Core and Theme Files

Analyze core files, wp includes and wp admin. As we mentioned before, if you doubt if they are infected, you can download WordPress again and compare the files to know if you should delete something that should not be there.

The next would be the theme files. It is one of the most used points to inject malware as hackers or attackers seek to infect as many users as possible.

We recommend to check the recently modified files as probably they give you information about which ones are the hacked ones.

Again, as a WeSecur user you have all this info and the analysis of the files in your dashboard.

Check your Plugins

The main target in which attackers or hackers hide malware or backdoors. Also check for fake Plugins: everything looks normal, it has the appearance of a plugin, but is actually the focus of all your problems.

WeSecur analysis also check plugins.

Check your Logs

Look for suspicious or unknown users or IPs into your logs to have more info about when and from where has been the attack.

WordPress Hacked Symptons

  • Blacklist warnings by Google, or other authorities
  • Weird or abnormal browser behaviors
  • Spam in search engine content
  • Notification of site suspension by your website host
  • File modifications or core integrity issues
  • Warnings in Google search results (SEO poisoning)


Clean hacked WordPress

Before executing any action remember to backup your site.

As we explained before, an effective way of finding hacked files is to compare the current state of the site with an old and clean backup. If you have a clean backup, you can use that to compare the two versions and identify what has been modified.

How to Remove a Malware Infection from your Website files

If the infection is in your core files or plugins, you can easily fix this manually, just don’t overwrite your wp-config.php file or wp-content folder. Remember this is included in WeSecur’s Clean Plan.

  1. Log into your server via SFTP or SSH.
  2. Create a backup of the site.
  3. Search your files for any reference to malicious domains or payloads.
  4. Identify suspicious or recently changed files.
  5. Restore infected files with copies from the official repository or a clean backup.
  6. Replicate any customizations made to your files.
  7. Test to verify the site is still operational after changes.

How to Clean Hacked Database Tables

To clean and remove malware from your database, use your database admin panel to connect to the database. You can also use tools like Adminer.

  1. Log into your database admin panel.
  2. Make a backup of the database.
  3. Search for suspicious content as spammy links.
  4. Open the table that contains suspicious content and remove it.
  5. Test to verify the site is still operational after changes.

You can also manually look for malicious PHP functions, such as eval, base64_decode, preg_replace, str_replace, etc. These functions are also used by plugins legitimately, so be sure you test changes to not accidentally break your website, blog or e-commerce.

Remove Hidden Backdoors

This can be one of the main reasons for reinfection. If you don’t close all backdoors your site will be reinfected. So:

  1. Look for files named similar to CMS core files but located in the wrong directory. Usually backdoors include this PHP functions: base64, str_rot13, gzuncompress, eval, exec, create_function, system, assert, stripslashes, preg_replace (with /e/), move_uploaded_file. These functions can also be used by plugins, so be sure to test any changes to not break your site by removing benign functions.
  2. Often backdoors are injected into files like wp-config.php and directories like /themes or /plugins in files named similar to WordPress core files but located in the wrong directories.

Remove Malware Warnings

For removing blacklisting or malware warnings on your site, you probably should contact with your hosting provider and ask them to remove the suspension.

  1. Fill in a review request form for each blacklisting authority as Google Search Console, Norton,McAfee SiteAdvisor or others.
  2. Wait during the review process, it can take several days.


Hackers attack WordPress with not updated software and vulnerabilities of WordPress itself, theme or plugins. But we should secure the whole website, let’s see how.

Set Backups

Backups are one of the most important things to secure your web. Here are some tips to help you with the strategy:

  • Better redundant and automatic: make sure you are doing at least one backup. The better two or three different locations and in a automatic process.
  • Test it periodically: restore your backups as part of the process just to be sure that they will work when needed.

Secure User Accounts

We always recommend to have only one admin WordPress user and use roles for the rest of users, with less privileges. But, anyway, if you have checked your logs and you have found out any unfamiliar WordPress users, remove them.

To manually remove suspicious users from WordPress:

  1. Backup your site and database.
  2. Log into WordPress as an admin and click Users.
  3. Find the suspicious new user accounts.
  4. Hover over the suspicious user and click Delete.
  5. Change all the passwords of users accounts. All.

Secure your computer

We always recommend you to manage your site from a secure terminal. So be sure to have an antivirus program installed. All the people that access to your website, blog or e-commerce must be secure. There are several free antivirus solutions as Avira or Avast, or paid as Kaspersky or Sophos.

Update WordPress Software

To manually apply updates in WordPress:

  1. Log into your server via SFTP or SSH.
  2. Backup your website and database.
  3. Manually remove the wp-admin and wp-includes directories.
  4. Replace wp-admin and wp-includes using copies from the official WordPress repository.
  5. Manually remove and replace plugins and themes with copies from official sources.
  6. Log into WordPress as an admin and click Dashboard > Updates.
  7. Apply any missing updates.
  8. Check your website is operational.


We recommend to not touch wp-config or wp-content as this will break your site

All plans

If you want us to scan, DETECT and CLEAN your site continuously

If you want us to CLEAN malware and PROTECT your site from attacks continuously

If you want that we FIX and SECURE your site after a infection or hack attack