Malware detected on website showing on screen concept image for how to remove malware from my WordPress site.

WordPress powers over 40% of all websites on the internet. With so many sites utilizing the content management system, malware is common.

Though regular maintenance can prevent malicious software from infiltrating your website, there may come a time when you find yourself the victim of an attack. But before you purchase a WordPress malware removal service, you may try searching for “how to remove malware from my WordPress site.”

Luckily, there are ways to protect your data in the event of a compromised site. Here’s how to remove malware from your WordPress website in 10 easy steps. 

10 Steps that Answers Your Query: How to Remove Malware from My WordPress Site.

1. Back Up Your WordPress Core Files and Database

Not only is a hacked site a significant security issue, but it can also put essential files at risk. For this reason, you’ll want to back up your entire site to ensure you don’t eliminate any critical data when troubleshooting the malware.

Depending on the size of your site, it may take time to complete your website backup. However, doing this step will keep your files safe from malicious code. 

Running a WordPress backup plugin is an easy way to back up your site as long as you still have access to it. If not, your best action is to reach out to a professional WordPress support team that can help you get around the malware’s effects.

2. Download and Examine All Backup Files

Once you’ve entirely downloaded all backup files for your hacked WordPress site, it’s time to examine them. During your examination, there are a few things you should look for:

  • Core website files. These files come straight from the WordPress site. While you generally won’t need to use them, they can be helpful when investigating security issues on hacked WordPress sites.
  • The wp-config.php file. This file includes the username and password to your WordPress site and will be needed to gain access to the password reset in later steps.
  • The .htaccess file. This is an invisible file and can only be detected if you’re an FTP client with access to a hidden file view.
  • The wp-content folder. This folder should contain themes, plugins and uploaded files.
  • Your database. A SQL file containing your WordPress database should be included in this file. This and the wp-content folder are essential for restoring your entire website.

WordPress website backup concept image.

3. Delete All Files in the public_html Folder

Once you’ve backed up your core WordPress files, it’s time to remove malware, beginning with deleting all files in the public_html folder. Using File Manager offered by your hosting provider is generally the fastest way to do this.

Malicious code can contaminate data across sites, so it’s important to follow these steps for all WordPress websites you host to prevent the malware infection from spreading.

4. Reinstall WordPress

Reinstalling your WordPress site manually is the next step. As a WordPress site owner, you’ll have access to an admin panel with a one-click installer option.

When downloading the site, edit the wp-config.php file to use the database from your former website. This will connect the new file to your existing website, minus any infected files.

5. Reset Passwords and Permalinks

Once WordPress installation is complete, you’ll need to reset your username, passwords and permalinks. If you notice any unknown WordPress user accounts at this time, you’ll need to find a professional WordPress security partner who can detect hidden malware and remove unwanted admin accounts.

If you’ve reset your username and password successfully, go into your settings, click the button for permalinks and select “Save changes.” This restores your .htaccess file and keeps your URLs running correctly.

6. Reinstall Plugins

Next, you’ll want to reinstall all WordPress plugins.

All your installed plugins should be downloaded fresh from the WordPress repository or plugin developer. This ensures you don’t accidentally reinstall hacked files.

Typing the password concept image for password security for your WordPress site.

7. Reinstall Themes

Reinstalling your themes is the next step in malware removal. Again, be sure to use a fresh download, as your old theme may contain security vulnerabilities or undetected malware.

If you previously used custom theme files, you’ll need to reference your backup database to manually recreate them in your new site to avoid infecting it with WordPress malware.

8. Upload Images From Backup Files

After reinstalling plugins and themes, you’ll need to re-upload all image files to your new site. Unfortunately, this can be tricky, as you can’t copy any files previously uploaded to your hacked website.

At this point, you’ll need to examine every year and month folder in your backup database one by one. As you do so, make sure each folder contains only image files — no JavaScript or PHP files that could contain malware infections.

Once you’ve examined and approved every folder, you can re-upload images to your new web server.

9. Scan Your Computer

You’ll need to scan your computer to detect malware or viruses you may have missed in your search. You can use a malware scanner to identify malware manually and ensure you didn’t miss any malicious code in the previous steps.

If your security scanner detects any vulnerabilities, you’ll want to go back through the previous steps to identify previously missed malware.

10. Install and Run Security Plugins

After taking these steps to remove malware from WordPress, you’ll want to install and run a security plugin. A free plugin can alert you to malware attacks and security breaches to ensure your WordPress website doesn’t become a victim again.

Additionally, many WordPress users benefit from a WordPress malware removal plugin. Malware removal plugins incorporate file integrity monitoring and a web application firewall to prevent malware from infiltrating your website.

Scanning for malware concept image.

Keep Your WordPress Website Running Smoothly With WP SitePlan

The best way to keep your website safe is to opt for professional WordPress security services. By purchasing specialized services, you can rest easy knowing your WordPress website is safe from malicious code.

WP SitePlan is just the perfect WordPress maintenance and support partner you need to create your dream WordPress site, from choosing the proper WordPress malware removal plugins to providing fail-proof WordPress website backups.

Don’t risk compromising your website data with time-consuming malware troubleshooting. Contact us today via email or by phone at 866-956-2330 and keep your site protected for good.