WordPress Malware Cleanup: Step-by-Step Recovery (and How to Prevent Reinfection)

WordPress Malware Cleanup: Step-by-Step Recovery (and How to Prevent Reinfection)

February 03,2026
0
72

If your WordPress site is hacked—redirecting visitors, showing spam pages, or sending unusual traffic—treat it like an incident. The goal is containment, cleanup, and prevention of reinfection.

Signs your WordPress site may be compromised

  • Unexpected redirects (especially on mobile)
  • New admin users you didn’t create
  • Spam pages indexed in Google
  • Unknown plugins/themes, or files changed recently
  • Hosting provider warnings or sudden traffic spikes

Step 1: Contain the incident

  1. Change passwords: WordPress admins, hosting panel, database, SFTP/SSH, email accounts.
  2. Force logout all sessions and remove unknown users.
  3. Disable suspicious plugins and recent changes.
  4. Put the site in maintenance mode if attackers are actively abusing it.

Step 2: Backup (for forensics and rollback)

Make a copy of the current state before deleting anything. Even if it’s infected, you may need it to find the entry point.

Step 3: Remove malware and backdoors

  • Reinstall WordPress core from a clean source.
  • Replace plugins/themes with clean versions (do not keep unknown copies).
  • Search for backdoor patterns: eval(), base64_decode(), strange files in wp-content/uploads, unexpected PHP files.
  • Check .htaccess and server config for redirect rules.

Step 4: Patch the root cause (otherwise it will come back)

  • Update WordPress, themes, plugins.
  • Remove unused plugins/themes.
  • Lock down file permissions and disable file editing in wp-config.
  • Enable MFA for admins if possible.
  • Add rate limiting / WAF rules (e.g., Cloudflare) for brute-force abuse.

Step 5: Verify the site is clean

  • Check server logs for suspicious activity.
  • Review admin users and installed plugins.
  • Run a scan to validate public-facing exposure and confirm high-risk paths are closed.

Run a scan here: https://scanner.skilledscan.com

FAQ

Why do WordPress hacks come back? Reinfection happens when the original entry point (outdated plugin, weak password, backdoor file) isn’t removed.

Should I restore from backup? Only from a known-clean backup. Otherwise you may restore the same compromise.