To remove malware from WordPress, put the site in maintenance mode, back up the infected copy, then scan with a security plugin or your host to find the bad code. Reset every password, update everything, delete the malware and any backdoors, and re-secure the site so it cannot get reinfected.
Finding out your website may be hacked is stressful. The good news: most WordPress infections can be cleaned, and your content can usually be recovered. Malware means harmful code that an attacker has slipped into your site to redirect visitors, show spam, steal data, or send junk email. Before you panic, it helps to know what a real hack looks like.
Here are the most common signs that your WordPress site has been compromised:
Who this guide is for: anyone running a WordPress site — a blog, a shop, a business site — who suspects a break-in and wants a clear, safe way to fix it. You do not need to be a developer. You do need to be careful and work in order, because the difference between a clean recovery and a repeat hack is method, not magic.
Most WordPress hacks happen the same way: an attacker finds an outdated plugin, theme, or a weak password, then uses it to slip in malicious code. That code often plants a backdoor (hidden re-entry code) so the attacker can return even after you clean up. Knowing this shapes the whole recovery — you are not just deleting bad files, you are closing the door and changing the locks.
If you are seeing one or more of these signs, treat it seriously but stay calm. This page walks you through WordPress malware removal from start to finish. If you want the wider picture first, our website security guide explains how sites get attacked and how to keep them safe.
Not every problem is malware. A white screen or a "500" message is often just a broken plugin or a code error, not an attack. So before you start cleaning, confirm that you are really dealing with an infection. This saves hours of wasted work.
Run these quick checks:
site:yourdomain.com. If you see spam titles or pages you never made, they have been injected.While you check, note how bad the problem is. Is it one injected page or hundreds? Are visitors being redirected, or is data being stolen? Is email still working? This quick assessment tells you whether you can clean the site yourself in an hour or whether you will want your host or a paid service involved. Write down what you find — it makes the clean-up faster and helps anyone who assists you.
If a scan finds nothing but your site still behaves oddly, the trouble might be an ordinary fault rather than a hack. In that case, see our guides on the WordPress white screen of death and common server errors instead.
Work through these steps in order. Do not skip the backup or the password reset — they are the two steps people regret missing most.
FTP/SFTP, and the database. Then force every user to log out (most security plugins have a one-click option) so any stolen session is useless.wp-config.php, .htaccess, and the /wp-content/uploads/ folder for injected code, and check the database for hidden spam or scripts.functions.php, or scheduled tasks you never set up.Before you call it done, verify the site is clean. Run the scanner one more time, browse your own pages in a private window to confirm the redirects and spam are gone, and re-check the Security Issues report in Google Search Console. Keep a close eye on the site for the next week — if anything odd returns, a backdoor was missed and you will need to hunt again. A clean scan today plus a quiet week is the real sign the recovery worked.
wp-config.php or delete files without a backup first. One wrong change can take the whole site offline, and without a backup there is no easy way back.Most sites that get reinfected fall into one of these traps:
Avoid these four traps and you have avoided the reasons most sites get hacked twice. Slow, careful, and complete beats fast and half-done every time.
Once your site is clean, a little prevention saves a lot of pain. Build these habits:
None of these steps is complicated on its own. Together they turn your site from an easy target into a hard one — and most attackers simply move on to easier prey.
Look for tell-tale signs: unexpected redirects to other sites, spam or pharma pages you never made, a defaced homepage, a Google "this site may be hacked" warning, your host suspending the account, unknown admin users, or injected pop-ups. Confirm it by scanning with a security plugin and checking the Security Issues report in Google Search Console.
Put the site in maintenance mode, back up the infected copy, then scan to find the malware. Reset every password, update WordPress core, themes, and plugins, delete the malicious files, reinstall clean versions, and remove any unknown admin users and backdoors. Finish by re-securing the site so it cannot be reinfected.
Often, yes. Many hosts offer a scan and will help remove infections, and some include this in their plans. Even if they do not clean it for you, they can confirm whether the infection reached the server and check logs to see how the attacker got in. Always open a support ticket early — it is one of the fastest ways to get answers.
It can, if you miss a backdoor or fail to change every password. The most reliable way to stop reinfection is to remove all hidden re-entry code, reset all logins, close the security hole the attacker used, and then keep the site updated and protected by a firewall and regular scans on a secure host.
Restoring a clean backup taken before the infection is often the fastest and safest fix. The catch: you must be sure the backup pre-dates the hack, and you must patch the entry point straight after restoring. If your only backups were made after the infection, they contain the malware too, so hand-cleaning is the safer route.
If Google blacklisted your site or showed a "deceptive site" warning, yes. Once the site is genuinely clean, open Google Search Console, go to the Security Issues report, and request a review. Google will re-check the site and usually lifts the warning within a day or two if no malware remains.
A simple infection with a clean backup can be sorted in under an hour. A deeper hack with multiple backdoors can take several hours of careful work, or a day if you use a professional cleanup service. The clean-up itself is usually quick — finding every hidden piece of malware is the part that takes patience.
A hacked WordPress site feels alarming, but the path back is clear. Confirm it is really malware, back up the infected copy, scan to find the bad code, reset every password, update everything, and remove both the visible malware and any hidden backdoors. Then re-secure the site so the attacker cannot return. Miss a backdoor or a password and the hack comes back — so be thorough, and lean on your host when you need a second pair of eyes.
Next step: once the site is clean, lock it down properly with our step-by-step guide to securing WordPress.
Thinking about a fresh start after a hack? Cleaning the malware is only half the battle — where you host the recovered site matters just as much. If your current host offered no malware scanning, no firewall, weak account isolation, and no automatic backups, the same weaknesses that let the attacker in are still there. Restoring your clean site onto a host built with malware scanning, a firewall, account isolation (so one hacked site cannot spread to others), and automatic backups makes reinfection far less likely, and it is often the safest fresh start. If that fits your situation, you can compare plans to see whether Hostinger suits you: compare Hostinger plans. If valid at the time of purchase, new users may also be able to apply a coupon such as SPECIAL15 or SPECIAL10, subject to Hostinger's terms.
Affiliate disclosure: if you sign up through this link we may earn a commission, at no extra cost to you. How this works.
Clean first, then decide. Migrating an infected site simply moves the infection to a new server, and if the way in was a weak password, an outdated plugin, or a nulled theme, it will happen again wherever you host. Clean the site and close the entry point before you think about moving. For the cleanup itself, dedicated incident-response services such as Sucuri or Wordfence are more thorough than any host's built-in scanner. Consider hosting only afterwards, and only if the environment you were on genuinely offered no isolation, no scanning and no restorable backups.
The editorial team behind the Bitrich777 Hosting Help Center — practical, tested guides on web hosting, WordPress, servers, DNS, SSL, email, security and migration. Every walkthrough is reproduced on a live host before it is published.
View all guides by the Hosting Team Spotted an error? Tell us