Last Updated on Apr 24, 2026 by Nurul Afsar
A hacked WordPress site can lose search rankings, get blacklisted by Google, and drive away customers in minutes. The good news is that with the right process, you can remove malware, restore your site, and lock things down so it does not happen again. This guide walks you through every step clearly, whether you are handling it yourself or deciding when to call in professional help.
Common signs that a WordPress site has been compromised:
- Google shows a “This site may be hacked” warning in search results
- Your hosting provider has suspended your account
- Visitors are redirected to unknown or spam websites
- You notice unfamiliar admin users or files you did not create
- Your site loads slowly or crashes without explanation
- Browsers flag your site as dangerous
Step 1: Put Your Site Into Maintenance Mode
Before you do anything else, take your site offline or enable maintenance mode so visitors stop landing on infected pages and being served redirects or injected scripts. Most security plugins and managed hosting dashboards include a one-click maintenance mode option. Note that a maintenance mode plugin still executes WordPress, so any injected PHP keeps running on the server; it hides the site from visitors but does not contain the infection. If your site is too compromised to access the dashboard, or you want the site genuinely unreachable while you work, contact your hosting provider and ask them to restrict public access temporarily (for example to your own IP address).
Step 2: Back Up Your Site (Even the Infected Version)
This might seem counterintuitive, but backing up your site before cleaning it gives you a restore point if something goes wrong during the cleanup, and it preserves evidence (file timestamps, dropped files, log entries) that shows how the attacker got in. Download a full backup of your files and database through your hosting control panel or a backup plugin, and keep it somewhere outside the web root so the infected copy itself is never served. Label it clearly as infected so you do not accidentally restore it over a clean version later.
Step 3: Scan Your Site for Malware
Use a dedicated WordPress security scanner to identify infected files and database entries. Several reliable tools are available:
| Tool | Type | Best For |
|---|---|---|
| Wordfence | Plugin (on-server) | Deep file scanning and firewall |
| Sucuri SiteCheck | Remote scanner | Quick surface-level check |
| MalCare | Plugin (cloud-based scan) | Auto-clean with one click |
| Google Search Console | Free dashboard | Checking blacklist and security issues |
Install a scanner, run a full site scan, and export the results so you have a list of every flagged file and database entry to work through. We have a detailed breakdown of how Wordfence works in our complete Wordfence guide, which is a good starting point if you are not familiar with the tool.
Step 4: Remove Infected Files and Database Entries
Once you have the scan results, it is time to clean. Work through each flagged item systematically:
WordPress Core Files
Download a fresh copy of the same WordPress version from wordpress.org and replace all core files, except the wp-content folder and wp-config.php. Do not edit core files individually, as malware is often injected across dozens of them at once; a full replacement is faster and more reliable. Before you overwrite anything, compare the install against the pristine copy (WP-CLI's wp core verify-checksums does this against the official checksums), because files that exist in your install but not in the fresh copy are the dropped backdoors you most need to find, and a blind overwrite leaves them in place.
Themes and Plugins
Delete every inactive theme and plugin immediately (keep one default WordPress theme as a fallback, since WordPress switches to it if the active theme breaks). For active ones, reinstall them fresh from the official WordPress repository or from your licensed provider, never from a nulled or unofficial copy, which is a common source of infection in the first place. Do not attempt to manually edit infected plugin or theme files, as hidden backdoors are often layered throughout.
The wp-content/uploads Folder
This folder should only contain images and media files. If your scanner finds PHP files or other executable scripts here, or files with image extensions whose contents are actually PHP, delete them. Attackers commonly plant backdoors inside the uploads folder because they know site owners rarely check it.
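The two file checks above (core files against a pristine copy, and executable content under uploads) as one shell script. This is an added example, not code from the article or from any of the scanners in the table; it assumes shell access to the server (or a copy of the site pulled down over SFTP), a pristine WordPress of the same version unpacked in one directory and the suspect install in another. The fixture it builds is constructed so the script runs offline.

```shell
#!/bin/sh
# Added example, not from the original article. Assumptions: shell access to the
# server (or a copy of the site pulled down over SFTP), a pristine WordPress of
# the same version unpacked in one directory, the suspect install in another.
# The fixture built at the bottom is constructed so the script runs offline.
set -eu

# Core files: report anything that differs from the pristine copy, plus files
# that exist only in the suspect install (dropped backdoors show up as "Only in").
# wp-content and wp-config.php are legitimately site-specific, so skip them.
compare_core() {
    # $1 = pristine WordPress tree, $2 = suspect install; diff exits 1 when it
    # finds differences, which is the result we want, not an error
    diff -rq -x wp-content -x wp-config.php "$1" "$2" || true
}

# Uploads: should hold media only. Flag PHP by extension (including the phtml,
# phar and php5-style variants), then "images" whose bytes carry a PHP open tag,
# which is how a web shell named logo.jpg slips past an extension-only check.
find_scripts_in_uploads() {
    # $1 = path to wp-content/uploads
    find "$1" -type f \( -iname '*.php' -o -iname '*.php[0-9]' -o -iname '*.phtml' \
        -o -iname '*.phar' -o -iname '*.phps' \) -print
    find "$1" -type f \( -iname '*.jpg' -o -iname '*.jpeg' -o -iname '*.png' \
        -o -iname '*.gif' -o -iname '*.svg' -o -iname '*.ico' \) \
        -exec grep -l -e '<?php' -e '<?=' {} \;
}

# Constructed fixture: a tiny "pristine" tree and a "suspect" copy of it with one
# modified core file, one dropped file, and two bad files under uploads.
build_fixture() {
    root=$(mktemp -d)
    mkdir -p "$root/fresh/wp-includes" "$root/site/wp-includes" \
             "$root/site/wp-content/uploads/2024/05"
    printf '<?php /* core */\n' > "$root/fresh/index.php"
    printf '<?php /* core */\n' > "$root/fresh/wp-includes/load.php"
    cp "$root/fresh/index.php" "$root/site/index.php"
    printf '<?php /* core */ /* appended by attacker */\n' > "$root/site/wp-includes/load.php"
    printf '<?php /* not in the pristine copy */\n' > "$root/site/wp-includes/extra.php"
    printf '<?php /* site-specific, must not be reported */\n' > "$root/site/wp-config.php"
    printf 'GIF89a real image bytes\n' > "$root/site/wp-content/uploads/2024/05/photo.gif"
    printf '<?php /* dropped script */\n' > "$root/site/wp-content/uploads/2024/05/cache.php"
    printf '<?php /* PHP disguised as an image */\n' > "$root/site/wp-content/uploads/2024/05/logo.jpg"
    echo "$root"
}

root=$(build_fixture)
echo "== core files that differ from the pristine copy =="
compare_core "$root/fresh" "$root/site"
echo "== executable content under uploads =="
find_scripts_in_uploads "$root/site/wp-content/uploads"
rm -rf "$root"
```

On a real site, point compare_core at the unpacked wordpress.org archive and the live document root, and find_scripts_in_uploads at the live wp-content/uploads; treat every "Only in" line under wp-includes or wp-admin as a file to open before you delete it, since it may be the loader that the rest of the infection depends on.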
The Database
Log into phpMyAdmin and review your database for suspicious content. Common targets include the wp_options table (unfamiliar URLs in the siteurl or home fields, which is how redirect malware sends visitors elsewhere, and unknown entries in active_plugins), the wp_posts table (spam links, script tags or hidden iframe code in post content), and the user tables. Note that wp_users on its own does not show roles: an account's role is stored in wp_usermeta under the wp_capabilities key, so look there to find every administrator and check each one against the accounts you actually created. Remove any entries that should not be there, and keep the Step 2 backup so a mistaken deletion can be reversed.
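The same three database checks run offline against the backup taken in Step 2, as an added example that is not code from the article. It assumes the dump was made with mysqldump --skip-extended-insert (one INSERT per row) and the default wp_ table prefix; the sample dump is constructed, with the wp_posts columns abbreviated.

```shell
#!/bin/sh
# Added example, not from the original article. Audits the database backup from
# Step 2 offline. Assumptions: the dump was made with
#   mysqldump --skip-extended-insert <db> > site.sql
# so every row is its own INSERT line, and the table prefix is the default wp_.
# The sample dump at the bottom is constructed (wp_posts columns abbreviated).
set -eu

# The two options that define the site address. Redirect malware rewrites them;
# if either value is not your own domain, that is where visitors are being sent.
site_urls() {
    grep -E '^INSERT INTO `wp_options` VALUES \([0-9]+,.(siteurl|home).,' "$1" || true
}

# Post rows carrying markup nobody types into the editor: injected script tags,
# iframes, and obfuscated PHP that some injectors park in the database for a
# dropped loader to eval. Review each hit; display:none also has legitimate uses.
suspicious_posts() {
    grep -E '^INSERT INTO `wp_posts` ' "$1" \
      | grep -E -i '<script|<iframe|eval\(|base64_decode|display: *none|document\.write' \
      || true
}

# Administrators are not marked in wp_users: the role is serialized in
# wp_usermeta under meta_key wp_capabilities. Resolve each administrator's
# user_id to its login so an account you did not create stands out.
admin_users() {
    grep -E '^INSERT INTO `wp_usermeta` ' "$1" \
      | grep 'wp_capabilities' | grep 'administrator' \
      | sed -E 's/^INSERT INTO `wp_usermeta` VALUES \([0-9]+,([0-9]+),.*/\1/' \
      | while read -r uid; do
            grep -E "^INSERT INTO \`wp_users\` VALUES \($uid," "$1" \
              | sed -E "s/^INSERT INTO \`wp_users\` VALUES \($uid,'([^']*)',.*/$uid \1/"
        done
}

# Constructed sample dump: a rewritten home URL, one post with an injected
# script tag, and a second administrator created during the intrusion.
sample_dump() {
    cat <<'EOF'
INSERT INTO `wp_options` VALUES (1,'siteurl','https://shop.example','yes');
INSERT INTO `wp_options` VALUES (2,'home','https://cdn.spam.invalid/go?to=shop.example','yes');
INSERT INTO `wp_options` VALUES (3,'blogname','Example Shop','yes');
INSERT INTO `wp_posts` VALUES (10,1,'2024-05-01 10:00:00','<p>Welcome to the shop.</p>','Home','publish');
INSERT INTO `wp_posts` VALUES (11,1,'2024-05-02 10:00:00','<p>About us</p><script src=\"https://cdn.spam.invalid/x.js\"></script>','About','publish');
INSERT INTO `wp_users` VALUES (1,'owner','$P$Bhash','owner','owner@shop.example','','2024-01-01 00:00:00','',0,'owner');
INSERT INTO `wp_users` VALUES (7,'wp-support','$P$Bhash','wp-support','nobody@mailer.invalid','','2024-05-03 03:12:00','',0,'wp-support');
INSERT INTO `wp_usermeta` VALUES (1,1,'wp_capabilities','a:1:{s:13:\"administrator\";b:1;}');
INSERT INTO `wp_usermeta` VALUES (2,7,'wp_capabilities','a:1:{s:13:\"administrator\";b:1;}');
INSERT INTO `wp_usermeta` VALUES (3,8,'wp_capabilities','a:1:{s:10:\"subscriber\";b:1;}');
EOF
}

dump=$(mktemp)
sample_dump > "$dump"
echo "== site address (both should be your own domain) =="; site_urls "$dump"
echo "== posts with injected markup =="; suspicious_posts "$dump"
echo "== administrator accounts (user_id login) =="; admin_users "$dump"
rm -f "$dump"
```

If you would rather query the live database, the equivalent checks are a SELECT on wp_options for option_name IN ('siteurl','home'), a LIKE search on wp_posts.post_content, and WP-CLI's wp user list --role=administrator; whichever route you take, the administrator check has to go through wp_usermeta.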
Step 5: Reset All Passwords and Review User Accounts
After cleaning the files and database, change every password connected to your site: your WordPress admin password, the database password (update wp-config.php to match), FTP and SFTP credentials, the hosting control panel password, and any connected email addresses. Also regenerate the authentication keys and salts in wp-config.php (WP-CLI: wp config shuffle-salts, or paste a fresh set from the WordPress secret-key service), which invalidates every existing login cookie, including any the attacker is still holding. Delete any admin user accounts you do not recognise, and revoke application passwords on the ones you keep. Attackers often create hidden admin users so they can regain access even after a cleanup.
Step 6: Reinstall WordPress, Themes, and Plugins from Clean Sources
Once everything suspicious has been removed, reinstall WordPress core through the dashboard (Dashboard → Updates → Reinstall). Then reinstall every active plugin and theme from their original sources. Avoid restoring from your backup at this stage as it may still contain infected files.
Step 7: Request a Google Review
If Google blacklisted your site, you will need to request a manual review to have the warning removed. Log into Google Search Console, go to Security Issues, confirm you have fixed the problems, and submit a review request. Google typically processes these within a few days to a week. Until the warning is lifted, your organic traffic and click-through rates will remain affected, so do not skip this step.
If the infection is complex, recurring, or affecting your WooCommerce store, professional cleanup is the faster and safer option. The Numinix team provides WooCommerce malware removal that includes complete code cleanup, backdoor removal, and post-cleanup hardening so the same attack cannot happen again.
Step 8: Harden Your WordPress Site Against Future Attacks
Cleaning up is only half the job. Once your site is running cleanly, take these steps to reduce the risk of reinfection:
- Install a security plugin with a firewall. A properly configured firewall blocks malicious traffic before it reaches your site. Tools like Wordfence provide real-time protection, login security, and ongoing malware scanning.
- Keep everything updated. Outdated plugins, themes, and WordPress core are the most common entry points for attackers. Enable automatic updates for minor releases and check for updates weekly.
- Use strong, unique passwords with two-factor authentication. Brute force attacks target weak login credentials. Enable two-factor authentication for all admin accounts.
- Limit login attempts. Restricting the number of failed login attempts before an IP is blocked stops automated password-guessing attacks.
- Remove unused plugins and themes. Every inactive plugin is a potential entry point. Delete anything you are not actively using.
- Set up regular automated backups. Store backups off-site so you always have a clean restore point available.
- Consider Cloudflare. Adding Cloudflare in front of your site provides DDoS protection, bot filtering, and an additional layer of traffic security.
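A hardening pass covering the file-level items above that a plugin does not do for you, as an added example that is not code from the article or from the Numinix package. It assumes Apache 2.4 with .htaccess overrides enabled (on nginx the uploads rule goes in the server block instead) and PHP running as the user that owns the files, which is what makes 600 on wp-config.php safe; the fixture it builds is constructed.

```shell
#!/bin/sh
# Added example, not from the original article. Post-cleanup hardening for a
# WordPress install. Assumptions: Apache 2.4 with .htaccess overrides enabled,
# and PHP running as the owner of the files (so 600 on wp-config.php is safe).
# The fixture tree built at the bottom is constructed.
set -eu

# Stop the web server from executing PHP placed under uploads, so that even if a
# plugin flaw lets an attacker drop a file there again, it cannot run.
protect_uploads() {
    # $1 = path to wp-content/uploads
    cat > "$1/.htaccess" <<'EOF'
# Uploads hold media only; never execute scripts from here.
<FilesMatch "\.(php|php[0-9]|phtml|phar|phps)$">
    Require all denied
</FilesMatch>
EOF
}

# Remove the built-in theme/plugin file editor so a stolen admin login cannot be
# turned into a PHP shell from the dashboard. Idempotent: inserts once, before
# wp-settings.php is loaded, because constants must be defined before that line.
disable_file_editor() {
    # $1 = path to wp-config.php
    if grep -q "DISALLOW_FILE_EDIT" "$1"; then return 0; fi
    awk -v line="define('DISALLOW_FILE_EDIT', true);" '
        /wp-settings\.php/ && !done { print line; done = 1 }
        { print }
        END { if (!done) print line }' "$1" > "$1.tmp" && mv "$1.tmp" "$1"
}

# Reset permissions: directories 755, files 644, wp-config.php 600. Malware and
# careless FTP clients both leave 777 behind, which lets any process on a
# shared host write into the site.
reset_permissions() {
    # $1 = site root
    find "$1" -type d -exec chmod 755 {} +
    find "$1" -type f -exec chmod 644 {} +
    chmod 600 "$1/wp-config.php"
}

harden_site() {
    # $1 = site root
    protect_uploads "$1/wp-content/uploads"
    disable_file_editor "$1/wp-config.php"
    reset_permissions "$1"
}

# Portable mode string such as "-rw-------" (stat flags differ between GNU/BSD).
mode_of() { ls -ld "$1" | cut -c1-10; }

# Constructed fixture: a minimal wp-config.php and an uploads tree with the
# world-writable permissions a compromised site often has.
build_fixture() {
    root=$(mktemp -d)
    mkdir -p "$root/wp-content/uploads/2024/05"
    cat > "$root/wp-config.php" <<'EOF'
<?php
define('DB_NAME', 'example');
/* That's all, stop editing! Happy publishing. */
require_once ABSPATH . 'wp-settings.php';
EOF
    printf 'GIF89a\n' > "$root/wp-content/uploads/2024/05/photo.gif"
    chmod 777 "$root/wp-config.php" "$root/wp-content/uploads/2024/05/photo.gif"
    echo "$root"
}

site=$(build_fixture)
harden_site "$site"
echo "uploads rule:"; cat "$site/wp-content/uploads/.htaccess"
echo "wp-config.php mode: $(mode_of "$site/wp-config.php")"
grep -n DISALLOW_FILE_EDIT "$site/wp-config.php"
rm -rf "$site"
```

Run it as the site owner against the document root, then rotate the keys and salts (wp config shuffle-salts) so that every session issued before the cleanup is invalid; the permission reset is safe to repeat after each update, and the uploads rule is the one that would have stopped the disguised logo.jpg from Step 4 from ever executing.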
If you want a comprehensive security setup handled for you, the Numinix WordPress Security Package covers firewall configuration, login hardening, file permissions, and ongoing monitoring so your site stays protected without the manual overhead.
Recurring malware infections are almost always caused by an overlooked backdoor, a compromised user account, or vulnerable hosting environment. If you have cleaned your site more than once and the infection keeps returning, a professional audit is the right next step. Contact the Numinix security team for a full investigation and permanent cleanup.
Final Thoughts
Removing malware from WordPress is a methodical process. Take your site offline, scan thoroughly, remove infected files and database entries, reset all credentials, and then harden your setup before bringing it back online. The steps above cover the majority of common infection types, but every site is different and complex infections may require expert hands.
Whether you need a second opinion, a professional cleanup, or a full security overhaul, Numinix has the WordPress expertise to get your site clean and keep it that way. Explore our WordPress Security Package or get in touch to discuss your situation directly.
Need Professional Help?
Get Your WordPress Site Cleaned by Experts
The Numinix team specialises in WordPress malware removal, security hardening, and ongoing protection for business websites and WooCommerce stores.
View Malware Removal Service
