WordPress Malware Removal & Hacked-Site Recovery

To remove malware from WordPress, put the site in maintenance mode, back up the infected copy, then scan with a security plugin or your host to find the bad code. Reset every password, update everything, delete the malware and any backdoors, and re-secure the site so it cannot get reinfected.

Key takeaways

  • A hacked site usually shows clear signs: strange redirects, spam pages, browser warnings, or your host suspending the account.
  • Confirm it is really malware (harmful code) before you start, and check Google Search Console for security issues.
  • Always back up the infected site first, so you can investigate and never lose evidence.
  • The biggest mistakes are missing hidden backdoors and not changing every password — both cause the hack to return.
  • After cleaning, moving to a secure host with scanning, a firewall, and backups makes reinfection far less likely.
Disclosure: Some links on this page are affiliate links. If you buy through them, we may earn a commission at no extra cost to you. We only recommend products we believe genuinely help with the problem this page covers. Our guidance stays the same whether or not a link earns anything.

Is my site really hacked? The signs to look for

Finding out your website may be hacked is stressful. The good news: most WordPress infections can be cleaned, and your content can usually be recovered. Malware means harmful code that an attacker has slipped into your site to redirect visitors, show spam, steal data, or send junk email. Before you panic, it helps to know what a real hack looks like.

Here are the most common signs that your WordPress site has been compromised:

  • Unexpected redirects — visitors land on your site but get sent to a random or shady website.
  • Spam or pharma pages — new pages appear selling pills, fake goods, or gambling that you never created.
  • Defacement — your homepage is replaced with a hacker's message or image.
  • Google warnings — a red "this site may be hacked" or "deceptive site ahead" message appears in search results or the browser.
  • Host suspension — your hosting company disables the site because it detected malware or spam being sent.
  • Unknown admin users — accounts you do not recognise show up in your WordPress user list.
  • Injected pop-ups or ads — adverts appear on your pages that you did not add.
  • Sudden slowdowns — the site crawls because malicious scripts are eating server resources.
  • Blacklisting — email you send bounces, or security tools flag your domain as dangerous.

Who this guide is for: anyone running a WordPress site — a blog, a shop, a business site — who suspects a break-in and wants a clear, safe way to fix it. You do not need to be a developer. You do need to be careful and work in order, because the difference between a clean recovery and a repeat hack is method, not magic.

Most WordPress hacks happen the same way: an attacker finds an outdated plugin, theme, or a weak password, then uses it to slip in malicious code. That code often plants a backdoor (hidden re-entry code) so the attacker can return even after you clean up. Knowing this shapes the whole recovery — you are not just deleting bad files, you are closing the door and changing the locks.

If you are seeing one or more of these signs, treat it seriously but stay calm. This page walks you through WordPress malware removal from start to finish. If you want the wider picture first, our website security guide explains how sites get attacked and how to keep them safe.

Confirm the hack and size up the damage

Not every problem is malware. A white screen or a "500" message is often just a broken plugin or a code error, not an attack. So before you start cleaning, confirm that you are really dealing with an infection. This saves hours of wasted work.

Run these quick checks:

  • Look at your own site in a private browser window. If it redirects strangers but looks fine to you when logged in, that is a classic malware pattern.
  • Check Google Search Console. Open the Security Issues report — it tells you if Google has detected harmful content and often points to sample infected URLs.
  • Run a scan. Use a security plugin such as Wordfence, Sucuri, or MalCare, or a free online scanner, to flag suspicious files and code.
  • Search your site on Google with site:yourdomain.com. If you see spam titles or pages you never made, they have been injected.

While you check, note how bad the problem is. Is it one injected page or hundreds? Are visitors being redirected, or is data being stolen? Is email still working? This quick assessment tells you whether you can clean the site yourself in an hour or whether you will want your host or a paid service involved. Write down what you find — it makes the clean-up faster and helps anyone who assists you.

If a scan finds nothing but your site still behaves oddly, the trouble might be an ordinary fault rather than a hack. In that case, see our guides on the WordPress white screen of death and common server errors instead.

Is it your site or your host? If only your site is affected and a scanner points to changed files inside your account, the problem lives in your WordPress install — you can clean it with the steps below. If several sites on the same server are hit, or your host emails you about a server-wide infection, the issue may be at the hosting level. When in doubt, open a support ticket: your host can see server logs you cannot and will tell you which side the infection is on.

How to remove malware from WordPress, step by step

Work through these steps in order. Do not skip the backup or the password reset — they are the two steps people regret missing most.

  1. Stay calm and put the site in maintenance mode. Take a breath — this is fixable. Switching on maintenance mode (a temporary "we'll be right back" page) stops visitors seeing the hacked pages and stops the malware spreading harm while you work.
  2. Back up the current, infected site before changing anything. Yes, back up the hacked version. It keeps your content safe and lets you investigate what happened. Save the full files and database somewhere off the server. Our website backups guide shows exactly how.
  3. Scan to identify the malware. Run a security plugin such as Wordfence, Sucuri, or MalCare, or your host's built-in scanner, to list the infected files and the injected code. Write down every file it flags.
  4. Ask your host. Many hosts will scan for you, confirm whether the infection reached the server, and sometimes help clean it. They can also check logs to see how the attacker got in.
  5. Reset every password and log everyone out. Change passwords for all WordPress admins, your hosting account, FTP/SFTP, and the database. Then force every user to log out (most security plugins have a one-click option) so any stolen session is useless.
  6. Update WordPress core, themes, and plugins. Attackers usually get in through outdated software. Bring everything up to date — our guide on how to update WordPress walks through it safely.
  7. Remove the malware. Delete unknown or suspicious files, then reinstall WordPress core and any affected plugins and themes from clean, official sources. Carefully inspect wp-config.php, .htaccess, and the /wp-content/uploads/ folder for injected code, and check the database for hidden spam or scripts.
  8. Remove unknown admin users and hunt for backdoors. Delete any admin account you did not create. A backdoor is hidden code that lets the attacker back in later — look for odd files in your uploads folder, strange lines in functions.php, or scheduled tasks you never set up.
  9. If you cannot fully clean it, use a professional cleanup service. Some infections bury themselves deep. A paid service (for example, Sucuri) can clean the site for you and confirm it is clear.
  10. If Google blacklisted your site, request a review. Once the site is genuinely clean, open Google Search Console, go to Security Issues, and request a review to lift the warning. It usually takes a day or two.
  11. Re-secure everything. Harden the site so this does not happen again — strong logins, limited access, a firewall, and regular scans. Our guide on how to secure WordPress covers each step.
Faster alternative: If you have a clean backup taken before the infection, you can restore that instead of hand-cleaning each file. Restore the known-good copy, then immediately update everything and close the security hole the attacker used — otherwise they will simply walk back in. See the backups guide for how to restore safely.

Before you call it done, verify the site is clean. Run the scanner one more time, browse your own pages in a private window to confirm the redirects and spam are gone, and re-check the Security Issues report in Google Search Console. Keep a close eye on the site for the next week — if anything odd returns, a backdoor was missed and you will need to hunt again. A clean scan today plus a quiet week is the real sign the recovery worked.

Common mistakes that let the hack return

Warning: Never edit wp-config.php or delete files without a backup first. One wrong change can take the whole site offline, and without a backup there is no easy way back.

Most sites that get reinfected fall into one of these traps:

  • Cleaning without a backup. If a step goes wrong, you have nothing to fall back on — and you lose the evidence of how the attack worked.
  • Missing the backdoor. Removing the visible malware but leaving hidden re-entry code is the number-one reason a hack comes straight back within days.
  • Not changing all passwords. If the attacker still has one login — admin, database, or FTP — cleaning the files achieves nothing.
  • Reinstalling from an infected backup. Restoring a backup that was taken after the hack just puts the malware right back. Always confirm your restore point is from before the infection.
  • Rushing the review request. Asking Google to re-check the site before it is truly clean wastes time and can flag your site as slow to fix. Verify the clean-up first, then request the review once.

Avoid these four traps and you have avoided the reasons most sites get hacked twice. Slow, careful, and complete beats fast and half-done every time.

How to keep it from happening again

Once your site is clean, a little prevention saves a lot of pain. Build these habits:

  • Harden your logins. Use strong, unique passwords and turn on two-factor authentication (a second code at login). Follow the full checklist in our how to secure WordPress guide.
  • Update promptly. Keep core, themes, and plugins current — outdated software is the most common way in. See how to update WordPress.
  • Keep regular, off-site backups. Automatic backups mean that even a bad hack costs you an hour, not a website. Our backups guide explains how.
  • Use a firewall and scanner. A web application firewall (a filter that blocks bad traffic before it reaches your site) plus regular scans catch attacks early.
  • Choose a secure host. Good hosting isolates your account, scans for malware, and patches the server for you. Our guide on how to choose web hosting covers what to look for.
  • Remove what you do not use. Every extra plugin or theme is another door an attacker can try. Delete anything you are not actively using, especially old software that no longer gets updates.

None of these steps is complicated on its own. Together they turn your site from an easy target into a hard one — and most attackers simply move on to easier prey.

Frequently asked questions

How do I know if my WordPress site is hacked?

Look for tell-tale signs: unexpected redirects to other sites, spam or pharma pages you never made, a defaced homepage, a Google "this site may be hacked" warning, your host suspending the account, unknown admin users, or injected pop-ups. Confirm it by scanning with a security plugin and checking the Security Issues report in Google Search Console.

How do I remove malware from WordPress?

Put the site in maintenance mode, back up the infected copy, then scan to find the malware. Reset every password, update WordPress core, themes, and plugins, delete the malicious files, reinstall clean versions, and remove any unknown admin users and backdoors. Finish by re-securing the site so it cannot be reinfected.

Can my host clean the malware for me?

Often, yes. Many hosts offer a scan and will help remove infections, and some include this in their plans. Even if they do not clean it for you, they can confirm whether the infection reached the server and check logs to see how the attacker got in. Always open a support ticket early — it is one of the fastest ways to get answers.

Will the malware come back?

It can, if you miss a backdoor or fail to change every password. The most reliable way to stop reinfection is to remove all hidden re-entry code, reset all logins, close the security hole the attacker used, and then keep the site updated and protected by a firewall and regular scans on a secure host.

Should I just restore a backup instead?

Restoring a clean backup taken before the infection is often the fastest and safest fix. The catch: you must be sure the backup pre-dates the hack, and you must patch the entry point straight after restoring. If your only backups were made after the infection, they contain the malware too, so hand-cleaning is the safer route.

Do I need to tell Google after cleaning the site?

If Google blacklisted your site or showed a "deceptive site" warning, yes. Once the site is genuinely clean, open Google Search Console, go to the Security Issues report, and request a review. Google will re-check the site and usually lifts the warning within a day or two if no malware remains.

How long does WordPress malware removal take?

A simple infection with a clean backup can be sorted in under an hour. A deeper hack with multiple backdoors can take several hours of careful work, or a day if you use a professional cleanup service. The clean-up itself is usually quick — finding every hidden piece of malware is the part that takes patience.

Summary

A hacked WordPress site feels alarming, but the path back is clear. Confirm it is really malware, back up the infected copy, scan to find the bad code, reset every password, update everything, and remove both the visible malware and any hidden backdoors. Then re-secure the site so the attacker cannot return. Miss a backdoor or a password and the hack comes back — so be thorough, and lean on your host when you need a second pair of eyes.

Next step: once the site is clean, lock it down properly with our step-by-step guide to securing WordPress.

Thinking about a fresh start after a hack? Cleaning the malware is only half the battle — where you host the recovered site matters just as much. If your current host offered no malware scanning, no firewall, weak account isolation, and no automatic backups, the same weaknesses that let the attacker in are still there. Restoring your clean site onto a host built with malware scanning, a firewall, account isolation (so one hacked site cannot spread to others), and automatic backups makes reinfection far less likely, and it is often the safest fresh start. If that fits your situation, you can compare plans to see whether Hostinger suits you: compare Hostinger plans. If valid at the time of purchase, new users may also be able to apply a coupon such as SPECIAL15 or SPECIAL10, subject to Hostinger's terms.

See Hostinger WordPress hosting →

Affiliate disclosure: if you sign up through this link we may earn a commission, at no extra cost to you. How this works.

Clean first, then decide. Migrating an infected site simply moves the infection to a new server, and if the way in was a weak password, an outdated plugin, or a nulled theme, it will happen again wherever you host. Clean the site and close the entry point before you think about moving. For the cleanup itself, dedicated incident-response services such as Sucuri or Wordfence are more thorough than any host's built-in scanner. Consider hosting only afterwards, and only if the environment you were on genuinely offered no isolation, no scanning and no restorable backups.

References

  • WordPress.org — FAQ: My site was hacked and the Hardening WordPress documentation.
  • Google Search Central — Help, I think I've been hacked and the Search Console Security Issues report.
  • Sucuri and Wordfence public guidance on WordPress malware clean-up and site hardening.
Bitrich777 Hosting Team
About the author

The editorial team behind the Bitrich777 Hosting Help Center — practical, tested guides on web hosting, WordPress, servers, DNS, SSL, email, security and migration. Every walkthrough is reproduced on a live host before it is published.

Spotted an error? Tell us