
Is Your WordPress Site Under Attack? How to Spot & Delete Malware Fast!


Malware infections on WordPress websites have become an increasingly common concern for site owners. These malicious threats can compromise your site’s security, disrupt functionality, and even harm your reputation.

Hackers exploit vulnerabilities to inject harmful code, steal user data, or redirect traffic to unsafe sites.

With malware evolving in complexity, it’s crucial to understand how these infections can infiltrate your website and the potential damage they can cause.

But what should you do when your website is under attack?

1 Key Takeaways

  • Identify Signs of Malware: Watch for slow performance, unauthorized changes, redirects, and unexpected pop-ups.
  • Scan Your Website: Use security plugins like Wordfence, Sucuri, or Anti-Malware Security to detect malware.
  • Backup First: Protect your data by creating backups of your website files and database before making changes.
  • Use Security Plugins: Install and use trusted plugins for automated malware removal through scanning and cleanup features.
  • Manually Remove Malware: Locate suspicious files in themes or plugin directories and clean your database using tools like phpMyAdmin.
  • Replace Compromised Files: Reinstall infected themes and plugins from official sources, and replace core WordPress files with clean versions.
  • Prevent Future Attacks: Regularly update WordPress, plugins, and themes. Use strong passwords, enable two-factor authentication, and install a firewall.
  • Schedule Backups and Scans: Create a routine for scanning for malware and backing up your website to ensure ongoing protection.

Below are step-by-step instructions for spotting and deleting malware in WordPress.

2 How to Spot Malware in WordPress

Detecting malware on a WordPress site involves both automated tools and manual inspection. Here’s how you can identify if your site has been compromised:

2.1 Common Signs of Malware Infection

  • Unexpected redirects or pop-ups: Your site unexpectedly redirects to unfamiliar websites or displays pop-ups and ads.
  • Slower performance: Noticeable drops in site performance or unusually slow loading times.
  • Unexplained content changes: Text, images, or links have been altered without your knowledge, often pointing to suspicious destinations.
  • Missing or unknown plugins/files: Legitimate plugins may be disabled or missing, while unfamiliar plugins or files appear in your directories.
  • Browser warnings: Google or other browsers may flag your site as unsafe, displaying messages like “This site may be hacked.”
  • Traffic spikes from unknown locations: A sudden increase in visitors, especially from regions where you typically have no audience.
  • Unfamiliar user accounts: New or unknown WordPress accounts, particularly with administrator privileges.
  • Suspicious login activity: Repeated failed login attempts or logins from unrecognizable IP addresses.
  • Unusual files in directories: Suspicious files, such as PHP files in wp-content/uploads or wp-includes, where they don’t belong.
  • Database anomalies: Unexpected entries, scripts, or malicious tags like <script> or iFrames in posts, pages, or comments.

2.2 Use Kwebby’s Google Malware Checker tool

You can use our Google Malware Checker tool to check your website for potential malware.

Copy the affected URL or website address and paste it into the input box.

Click Submit, and a new pop-up will open from the Google Transparency Report, which checks your website for potential malware.

2.3 Automated Detection: Using Security Plugins

  • Install a trusted security plugin: Use plugins like Wordfence, Sucuri, MalCare, Jetpack Scan, or SiteLock to enhance malware detection.
  • Perform a full scan: These tools will identify unauthorized changes, malicious code, vulnerabilities, and suspicious files.
  • Act on scan results: Review flagged items, categorized by severity, and use the plugin’s one-click removal options if available.

2.4 Manual Inspection Steps

  • Check core files: Compare WordPress core files like wp-config.php, index.php, and .htaccess with clean versions from the official WordPress repository to detect changes.
  • Inspect critical directories: Review wp-content/themes, wp-content/plugins, and wp-content/uploads for unauthorized files, particularly PHP files in inappropriate locations.
  • Use comparison tools: Tools like Diffchecker or WinMerge can help compare files to backups or clean versions.
  • Review your database: Examine your site database through phpMyAdmin for unusual scripts, links, or code injected into posts, comments, or other entries.
  • Audit user accounts: Check WordPress user roles for unfamiliar accounts or recent changes to permissions.
  • Analyze server logs: Look for irregular patterns, such as repetitive login attempts, strange IP addresses, or unauthorized file uploads.
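
The directory checks in this list can be scripted. The following is an added example, not code from the original article: it lists script files under wp-content/uploads and flags theme or plugin files that pass decoded data to eval(), the encoded-script markers (eval, base64) the article mentions. Function names and the sample tree are constructed for illustration.

```shell
#!/bin/sh
# Added example: file-level triage of a WordPress tree.
# Function names and the sample tree are constructed for illustration.

# Script files under uploads, a directory that should hold only media.
find_upload_scripts() {   # $1 = WordPress root
    find "$1/wp-content/uploads" -type f \
        \( -iname '*.php' -o -iname '*.php[0-9]' -o -iname '*.phtml' -o -iname '*.phar' \) \
        2>/dev/null | sort
}

# Theme and plugin PHP files that pass decoded or inflated data to eval().
find_obfuscated_php() {   # $1 = WordPress root
    find "$1/wp-content/themes" "$1/wp-content/plugins" -type f -iname '*.php' \
        -exec grep -lE \
        'eval[[:space:]]*\([[:space:]]*(base64_decode|gzinflate|gzuncompress|str_rot13)' \
        {} + 2>/dev/null | sort
}

# Build a small constructed site tree in a temp dir and print its path.
make_sample_site() {
    root=$(mktemp -d)
    mkdir -p "$root/wp-content/uploads/2024/05" \
             "$root/wp-content/themes/demo" "$root/wp-content/plugins/demo"
    : > "$root/wp-content/uploads/2024/05/photo.jpg"
    echo '<?php echo "dropped"; ?>' > "$root/wp-content/uploads/2024/05/cache.php"
    echo '<?php get_header(); ?>' > "$root/wp-content/themes/demo/index.php"
    # Payload decodes to the harmless statement: echo 1;
    echo '<?php eval(base64_decode("ZWNobyAxOw==")); ?>' \
        > "$root/wp-content/themes/demo/footer.php"
    echo "$root"
}

site=$(make_sample_site)
echo "Script files under uploads:"
find_upload_scripts "$site"
echo "Files feeding decoded data to eval():"
find_obfuscated_php "$site"
rm -rf "$site"
```

Treat hits as leads to review rather than proof of infection, since some legitimate plugins also call these functions.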

2.5 Summary Table: Signs and Tools for Malware Detection

| Sign or Tool | What to Look For |
|---|---|
| Redirects/Pop-ups | Unwanted redirects, pop-ups, or phishing ads |
| Content Changes | Altered text/images or links to spammy destinations |
| Plugins/Files | Unfamiliar, missing, or disabled plugins or files |
| User Accounts | New/unknown admins or suspicious role changes |
| Traffic Patterns | Spikes from uncommon locations or unusual IPs |
| Security Plugins | Tools like Wordfence, Sucuri, Jetpack Scan, MalCare |
| Manual File Inspection | Strange PHP files, encoded scripts (e.g., eval, base64) |
| Database Inspection | Injected scripts or abnormal tags in posts/comments |
| Server Logs | Irregular logins, uploads, or error messages |

2.6 Best Practices

  • Regularly scan your site with reputable security plugins.
  • Keep WordPress core, themes, and plugins up to date.
  • Monitor user roles, server logs, and directories for irregularities.

Spotting malware early is critical to reducing damage and simplifying recovery. Use a combination of automated tools and manual reviews for thorough detection and peace of mind.

Now that you have detected malware, it’s time to remove it.

3 How to Remove Malware in WordPress

Below is a straightforward guide to removing malware, broken into easy-to-follow steps using both plugin-based and manual methods.

3.1 Step 1: Put Your Site in Maintenance Mode

Prevent visitors from accessing or interacting with a compromised site by enabling maintenance mode. Plugins like WP Maintenance Mode or LightStart make this process simple and effective.

3.2 Step 2: Backup Your Website

Before initiating any malware removal steps, create a complete backup of your site. This includes all files and your database. Plugins like UpdraftPlus or manual tools provided by your hosting provider can help ensure you have a safe restoration point if something goes wrong.

3.3 Step 3: Change All Passwords

Replace all existing passwords for your WordPress admin account, FTP, database, and hosting accounts. Use strong, unique passwords for maximum security or consider utilizing a password manager for added convenience.

3.4 Step 4: Remove Malware Using a Security Plugin

3.4.1 Recommended Plugins:

3.4.2 Steps to Follow:

  1. Install and activate your preferred security plugin.
  2. Run a full malware scan. The plugin will identify and flag problematic files or code.
  3. Follow the provided instructions to quarantine or remove infected files. Many plugins even offer one-click removal for simplicity.
  4. Rescan your site to confirm the malware has been eliminated.

3.5 Step 5: Manual Malware Removal

For advanced users or if plugins don’t fully remove the problem, manual cleanup may be necessary.

3.5.1 Steps to Follow:

  • Backup Again: Ensure you have an updated backup before proceeding.
  • Remove Suspicious Plugins and Themes: Navigate to your wp-content/plugins/ and wp-content/themes/ directories. Delete any unfamiliar or suspicious entries, and reinstall clean copies from official sources.
  • Clean/Replace Files: Compare your WordPress file structure to that of a fresh installation. Replace or remove files that are modified or do not belong to the official distribution.
  • Scan and Clean the Database: Use phpMyAdmin or equivalent tools to inspect database tables like wp_posts or wp_options for suspicious code (e.g., <script> tags). Delete infected entries or clean them where necessary.
  • Find and Remove Backdoors: Check for hidden files or PHP scripts within directories like wp-content/uploads. These often act as backdoors for hackers. Remove any unfamiliar or harmful code.
  • Update Everything: Once your site is cleaned, update WordPress core, all themes, and plugins to their latest versions to patch vulnerabilities.
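
The core-file comparison described under Manual Inspection Steps and in the Clean/Replace Files item above can be done with standard tools. This added example (not from the original article) compares a live tree with a clean extract of the same WordPress version; function names and sample files are constructed. wp-config.php and .htaccess are skipped because they are created per site and do not ship in the WordPress download, so they need a manual read instead.

```shell
#!/bin/sh
# Added example: list core files that differ from a clean WordPress extract.
# Function names and sample files are constructed for illustration.

# $1 = live site root, $2 = clean extract of the SAME WordPress version.
# wp-content (themes, plugins, media) and the per-site wp-config.php/.htaccess
# have no counterpart in the release, so they are left for manual review.
compare_core() {
    ( cd "$1" && find . -type f ! -path './wp-content/*' \
          ! -name 'wp-config.php' ! -name '.htaccess' | sort ) |
    while IFS= read -r f; do
        if [ ! -f "$2/$f" ]; then
            echo "EXTRA    $f"          # not part of the release: investigate
        elif ! cmp -s "$1/$f" "$2/$f"; then
            echo "MODIFIED $f"          # replace with the clean copy
        fi
    done
}

# Build a clean/ and live/ pair in a temp dir (constructed sample data).
make_sample_trees() {
    base=$(mktemp -d)
    for t in clean live; do
        mkdir -p "$base/$t/wp-includes"
        echo '<?php require "wp-blog-header.php";' > "$base/$t/index.php"
        echo '<?php $wp_version = "0.0-demo";' > "$base/$t/wp-includes/version.php"
    done
    echo '<?php /* line appended after install */' >> "$base/live/index.php"
    echo '<?php /* file absent from release */' > "$base/live/wp-includes/class-wp-tmp.php"
    echo '<?php /* site settings */' > "$base/live/wp-config.php"
    mkdir -p "$base/live/wp-content/uploads"
    : > "$base/live/wp-content/uploads/logo.png"
    echo "$base"
}

trees=$(make_sample_trees)
compare_core "$trees/live" "$trees/clean"
rm -rf "$trees"
```

Where WP-CLI is available, `wp core verify-checksums` performs the same check against the official checksums.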

3.6 Step 6: Remove Malware Warnings and Request Google Review

If your site was flagged by Google, resolve this by navigating to Google Search Console > Security Issues. After cleanup, select "I have fixed these issues" to submit a review request. This will help remove warnings and restore your site’s credibility.

3.7 Step 7: Strengthen Your Website’s Security

To prevent future infections, implement the following measures:

  • Install a reliable security plugin with firewall features (e.g., Wordfence, Sucuri).
  • Enable two-factor authentication and use strong, unique passwords.
  • Regularly update WordPress core, plugins, and themes.
  • Install themes and plugins only from trusted sources.
  • Add .htaccess rules to block script execution in directories like wp-content/uploads.
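
One way to write the .htaccess rule from the last item, as an added example that is not from the original article. It assumes Apache 2.4 with .htaccess overrides enabled for the uploads directory; the function names and marker comments are made up for this example.

```shell
#!/bin/sh
# Added example: deny direct requests for script files in wp-content/uploads.
# Assumes Apache 2.4 honouring .htaccess there; names below are illustrative.

# Extensions commonly handed to the PHP interpreter (matched case-insensitively).
SCRIPT_EXT_RE='\.(php[0-9]?|phtml|phar)$'

# Append the deny rule once; a marker comment keeps reruns from duplicating it.
harden_uploads() {   # $1 = path to wp-content/uploads
    ht="$1/.htaccess"
    grep -qF '# BEGIN block-upload-scripts' "$ht" 2>/dev/null && return 0
    cat >> "$ht" <<EOF
# BEGIN block-upload-scripts
<FilesMatch "(?i)${SCRIPT_EXT_RE}">
    Require all denied
</FilesMatch>
# END block-upload-scripts
EOF
}

# Would the rule cover this file name? Mirrors the FilesMatch pattern with grep.
rule_covers() {   # $1 = file name
    printf '%s\n' "$1" | grep -qiE "$SCRIPT_EXT_RE"
}

# Demo on a constructed uploads directory.
demo=$(mktemp -d)
harden_uploads "$demo"; harden_uploads "$demo"   # second call is a no-op
cat "$demo/.htaccess"
for name in photo.jpg cache.php IMG_01.PHP old.php5 view.phtml; do
    if rule_covers "$name"; then echo "denied   $name"; else echo "served   $name"; fi
done
rm -rf "$demo"
```

On nginx, or where AllowOverride is disabled, the file is ignored, so the equivalent rule has to go in the server configuration.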

By following these steps, you’ll not only remove existing malware but also safeguard your WordPress website from future attacks.

4 Frequently Asked Questions (FAQs)

4.1 How can I tell if my WordPress site is infected with malware?

Signs of an infection include slow website performance, unauthorized content changes, redirects to unknown sites, or unexpected pop-ups.

4.2 Are there WordPress plugins specifically designed to remove malware?

Yes, plugins like Wordfence, Sucuri, and Anti-Malware Security provide automated malware detection and removal features.

4.3 What files should I check for malware on my site?

Check theme files, plugin directories, the wp-config.php file, and the uploads folder.

4.4 How do I clean malware from my WordPress database?

Use tools like phpMyAdmin to search for and remove malicious code entries from your database.

4.5 How can I prevent malware attacks on my WordPress site?

Keep WordPress, plugins, and themes updated, use strong passwords, enable two-factor authentication, and install a firewall.

4.6 Is regular site scanning necessary to prevent malware?

Yes, periodic scans help detect vulnerabilities early and prevent major issues.

4.7 What is a website firewall, and how does it protect against malware?

A firewall blocks malicious traffic and provides an added layer of security for your website.

4.8 Is professional help necessary to remove malware?

If you are unfamiliar with website maintenance, hiring a professional can ensure thorough malware cleanup.

4.9 How often should I update my WordPress site to stay secure?

Update WordPress core, plugins, and themes as soon as updates are available to ensure security patches are applied.


Written by Raman Singh
