If you own a WordPress website, it’s essential to make sure that it’s well-secured. A vulnerable site will become an easy target for cybercriminals. They can harm your website in many ways, such as infecting it with malware.

Malware can’t be taken lightly as it continues to develop and increase each year. You can take preventive measures from this problem, like updating your site regularly, for instance.

Other than that, you should also equip yourself with WordPress and web-related insights to help you know what’s right for your site. There are plenty of articles and knowledge bases to learn from on the internet, such as HostingWiki.

However, if your website is already infected, don’t panic just yet. This article will explain what malware is, how you can remove it from your site, and prevent future attacks.


What is Malware and Why is It Dangerous?

Malware stands for Malicious Software. As the name implies, it’s a piece of software that is intended to cause harmful effects, such as stealing information or damaging a website.

It takes on many forms, and each can cause a specific problem. Here are several common types of malware that you should look out for:

  • Adware – automatically shows unwanted advertising materials on your site.
  • Spyware – steals sensitive information by gathering data discreetly.
  • Trojans – disguises as real software to trick people into executing a dangerous program. In some cases, it might change your site’s appearance and content spontaneously.
  • Virus – contains malicious code to corrupt files and replicates itself across a site. It usually comes with a sudden rise in server consumption.
  • Ransomware – locks a site until someone paid a specified amount of money.

If your site has one of the symptoms mentioned above, it might be a sign that you are experiencing a malware attack.

Furthermore, it can harm your website’s SEO (Search Engine Optimization) ranking. Google will show a warning message on sites that are considered harmful – including the ones that are infected by malware.

That’s why protecting your WordPress website from malware infection should be nothing less than a priority. It’s also important to know how to remove it, which will be covered next!


How to Remove Malware From Your Site?

Now that you’re familiar with malware let’s get on to the steps of removing it!

Put Your Site in Maintenance Mode

This is to make sure that you’re the only one who has access to the site during the fix-up process. The easiest way to do it is by using a plugin.

One of the most popular plugins for this task is SeedProd. It allows you to create a coming soon page in minutes. You can also customize the page’s fonts, colors, and layout to fit your site’s style. To cap it all off, it provides over 500.000 background images and over 50 themes for you to choose from.

With a visually appealing maintenance page, your site will look more professional. If you’re interested in using the plugin, it’s free to download. For more additional features, you can purchase the basic plan for $29.60/per year.

Perform a Site Backup

It’s essential to back up your files before making any changes so you won’t lose any data if the process doesn’t go as planned. There are several ways to do it.

You can start with your hosting provider. Some providers offer an automatic backup feature, which can be scheduled to daily or monthly based on your hosting plan. Or, you can export the site through a backup plugin.

However, if you lose access to your dashboard, you can try the manual backup through phpMyAdmin. You just need to log in to your hosting panel, then enter your phpMyAdmin dashboard.

Afterward, you can proceed by choosing your database, and click on the Export tab.

Now you can choose the quick option or the custom option. If you want to get a better view of all the data that will be exported, you can pick the custom one. Then, phpMyAdmin will send you the exported database in a .zip file.

Do Some Scanning

When you’re done backing up your data, you can start scanning your site. As a starter, use an anti-malware program – such as Malwarebytes to prevent the malware from spreading to your computer. Scan the exported database as well to make sure that it’s free from the infection.

Aside from scanning your computer, you should scan your website using a site security checker like Virus Total or Quttera. These tools will show you which security issues that your website is facing. It’ll also tell you whether search engines have blacklist your site due to malware.

The tools will also give you some suggestions to increase your site’s security. For example, installing a cloud-based WAF (Web Application Firewall) if your site is vulnerable to website hacks and DDoS attacks.

Change The Passwords of Your Hosting Panel and FTP

It’s essential to change the passwords of your hosting panel and FTP account to prevent malware from taking over your database.

If you’re using cPanel, you can change the account’s password on the Preferences section. Then go to the Files section to find your FTP account and reset the password there as well.

To make things more secure, you can also change the MySQL password by entering the Database section in your panel. Don’t forget to update the password in the wp-config.php file – by using an FTP client like FileZilla. Otherwise, you won’t be able to connect the database.

Make sure that the updated passwords contain more than eight words, numbers and special characters – such as exclamation mark (!) or ampersand (&). Then, save it somewhere safe just in case you forget it.

Eliminate Malware Infected Files

This is the most crucial part since you have to remove all the infected files thoroughly. To do that, you should enter the File Manager in your control panel. Then, click on the public_html folder, which contains WordPress installation files.

You will see plenty of files and folders. To check which files that are potentially harmful, you can sort them based on the modification date. If the files show unwanted changes, it might indicate that they have been infected.

To clean the core files, you need to delete everything within the public_html folder. However, you must leave the wp-config.php file and wp-content folder untouched since we’ll deal with them later.

It’s because the wp-config.php file contains essential information, such as the username and password of your WordPress database. The wp-content folder, however, consists of three essential folders: themes, plugins, and uploads.

Now, let’s clean up the wp-config.php file. Open both the file and wp-config-sample.php at the same time. Compare them, and remove any differences by making sure that the wp-config.php file is free from unwanted codes.

How to Remove WordPress Malware

Next, you can fix the wp-content folder. First, check the plugins folder, list all the plugins that you’ve installed, then delete the folder. Then, do the same with the theme folder. Don’t forget to remove the index.php file as well.

Last but not least, you should open the uploads folder and delete all the .php files in it. If there are any unusual files in the folder, you can remove them too.

Download and Install the Latest Version of WordPress

After cleaning your website, you can restore the infected files by installing a brand new WordPress. If your hosting provider has a one-click installer feature, you can install it right from the control panel.

On the other hand, you can do it manually. You just need to download the latest version of WordPress and install it through an FTP client.

When you’re required to create an admin password, it should be different from your previous one. Do make it harder to guess as well, such as adding numbers and special characters.

Re-Install Themes and Plugins

Remember that you’ve deleted the themes and plugins folder? Now is the time to get them back. You can install them one by one by referring to the list you’ve made.

Never upload your old themes and plugins from the exported database – unless you’re totally sure that it’s free from malware. You can use them as a reference to build your customized theme from scratch.

Restore Public Access

Now that your website is finally clean, you can make it open to the public. If you’re using a plugin for showing the maintenance mode page, simply go to the admin dashboard and disable it.

However, it might not be available to the public right away. You can check whether your hosting provider is blocking access to your site. If they are, you can request them to re-scan your website and restore its access afterward.

Show Google that You’re Not Infected

Last but not least, it’s important to remove the warning label from your site so Google can index your website in the search results page.

There are some steps you need to do to recover your site in Google:

  1. Open Google Search Console
  2. Add your website
  3. Open the Security Issues Report, and select Request a Review
  4. When submitting the review, don’t forget to mention what you did to remove policy violation on your site
  5. Once the review is done, you’ll get a notification about the result in your email

How to Protect Your Site From Future Malware Attacks?

Once your website is running normally, you have to make sure that there won’t be any malware attacks harming your website again. Here are some methods that you can do to strengthen your site’s security:

Use a Security Plugin

This is one of the easiest ways to secure your site. Simply go to the WordPress plugin directory, and install a security plugin for extra protection!

Here is a decent security plugin that can protect your site from malware attacks:

  • Wordfence Security – has a scanner that checks core files, themes, and plugins for malware, bad URLs, and code injection. You can also get a real-time firewall rule and updates for malware signature if you purchase the premium plan, which starts from $99 per year.

Don’t Forget to Update

It’s also crucial to keep your WordPress site up-to-date to get the latest security patches. Usually, you will be given a notification if your website needs an update

How to Remove WordPress Malware

Aside from the WordPress update, you should also look out for your themes and plugins. Outdated themes and plugins are potentially vulnerable. You should keep them up-to-date as well by checking the Update tab in the left sidebar of your admin dashboard.

The update page consists of three sections: WordPress, Plugin, and Theme updates. If some of your plugins or themes need an upgrade, tick the boxes next to the plugins or themes, then click the Update buttons.

You can even install an automatic update plugin such as Easy Updates Manager. It will automatically update your WordPress site, themes, and plugins with a single click.

It’ll also automatically backup your site before an update – which is essential if you want to do a major upgrade. You can get the automatic backup feature if you purchase the premium plan, which starts from $29 per year.

Keep in mind that you should check the compatibility of your plugins or themes with WordPress before an update, mainly if your site depends on third-party themes or plugins.

Backup Your Site Regularly

Backing up your site is essential to make sure that you won’t lose all your data if anything terrible happens. Now that you can access your dashboard let’s try to do a backup using a plugin!

There are three kinds of backup that are usually offered, make sure your plugin has three of them:

  • Database backup – lets you only backup the database.
  • Scheduled backup – allows you to schedule a backup so that it can run automatically at a specific time.
  • Complete backup – lets you backup the whole site.

So, which plugin has all three features? Here are some of the best backup plugins on the market:

  • UpdraftPlus – provides complete and scheduled backups on their free plan. You can upgrade it to one of the paid plans which starts from $70 per year. You’ll be given additional features such as advanced reporting and database encryption.
  • BackWPUp – offers database backup, which comes with database optimization. If you want to get additional features such as backup encryption and premium support, you can upgrade to the pro plan, which starts from $69 per year.
  • Duplicator – allows you to manually backup your whole site or parts of the website. However, if you want to do scheduled backups, you’ll need to upgrade it to one of the paid plans which starts at $59 per year.

Ready to Secure Your Site?

Now that you understand how to remove malware infections from your site and how to prevent its attacks in the future. Let’s quickly recap on the steps of malware removal:

  1. Put your site in maintenance mode – you can use a plugin like SeedProd to do the job.
  2. Perform a site backup – if you can’t access your admin dashboard, back up the database via phpMyAdmin.
  3. Do some scanning – use a site security checker like Sucuri Site Check to detect malware infection within your site.
  4. Change hosting panel and FTP passwords – enter your hosting panel and change the passwords for better protection.
  5. Eliminate malware-infected files – clean your public_html folder.
  6. Download and install the latest version of WordPress – restore your site by installing a brand new WordPress.
  7. Re-install themes and plugins – get your themes and plugins back.
  8. Restore public access – disable maintenance mode and ask your hosting provider to open your site for public access.
  9. Show Google that you’re not infected – request a review to Google to remove the warning label on your site.

So, what are you waiting for? Good luck with cleaning up your site!