WordPress is one of the most popular website management systems in the world. According to W3Techs, it powers 34% of all websites on the internet. The popularity of WordPress is partly due to the large number of plugins and templates available that allow you to do almost anything on a website.
This wide range of features also comes with vulnerabilities. Hackers can often access code and infect WordPress sites with malware the same way they might plant malware on a router.
Malware can infect and destroy your site, so it’s important to act quickly to remove malware from your WordPress site.
How to remove malware from wordpress website?
Contact your host first
Before trying any of the suggestions below, contact your web host first. It is possible for the host server, especially if it is on a shared server, to spread malicious code from another site to yours.
Ask them to scan your server to make sure it’s not the culprit before trying to remove malware from your own site. Additionally, they can give less technical website owners suggestions on how to scan and safely remove malware from their site.
Some hosts may also offer services where they will remove it for you. And then back up your site, reducing the risk of introducing malware into your backup.
Web hosts have the experience, tools, and options to fight malware, so check with them before trying to do it yourself.
Take preventive measures
It’s always best to try to prevent threats before they happen. The most important action users should take is to ensure that they are always running the latest and most stable version of WordPress, even if they only install a test version on their computer.
New versions are usually released to fix common vulnerabilities found in older versions. The same goes for plugins and themes. Keep them up to date and delete any you don’t use.
Some of the many negative issues that malware can cause on a WordPress site include:
- Web and MySQL have increased server resource consumption.
- Unwanted advertising.
- Bulk spam.
- Theft of personal data of customers and users.
- Loss of information from your site.
- Google sanctions.
What can you do if your website is infected or Tipsed? In this article, we will outline the steps you can take to remove malware from a WordPress site.
Use WordPress Malware Removal Plugins
If you can log in and get to your WP admin area, you might not have to reload your entire site. Using a proper WordPress plugin can help remove malware from your WordPress website.
MalCare is a premium plugin that will instantly remove malware from your WP installation. Not only will it clean up a Tipsed site, but it will also protect it from future security breaches.
One of the many benefits of MalCare is that it scans your site on its own servers. Your website will not suffer any load on your resources and will continue to function properly.
There are four pricing tiers ranging from $99/year for one site (personal) to a Custom Agency Plus plan for 20+ sites.
Malcare is a comprehensive WP security plugin that includes many additional features such as:
- Real-time email alerts.
- Track changes to small files.
- Minimize false alarms.
One of the most used plugins for WP security is WordFence. It includes a malware scanner and an endpoint firewall.
From brute force attack protection to firewall blocking, the free version of WordFence is powerful enough for small websites.
If you want additional features such as two-factor authentication, filtered password protection and advanced manual lock, you can purchase a premium license. Pricing is based on the number of licenses you purchase, starting at $99 for one.
All in one WP Security & Firewall
One of the most feature-rich free security plugins is All in One WP Security & Firewall. Provides a simple visual interface using gauges and charts.
The plugin is designed for beginners and more advanced developers with its three categories: Basic, Intermediate and Advanced.
All in One WP Security will protect websites by:
- Ensure the security of files and databases.
- Improved user registry security.
- Blocking forced login attempts.
Additional features include the ability to save .wp-config and .htaccess recordings. Users can also restore these files if something goes wrong on their site.
For a complete list of all WordPress security plugins, visit WordPress.org. If you are unable to log in, you may need to reinstall your entire site.
If you’re more tech-savvy and running a site on your own server, follow the steps below carefully.
Keep in mind that backing up your site and deleting it can be dangerous and should only be attempted by highly technical website owners.
Backing up your database and all files
If you are infected and need to remove malware from your WordPress site, it is important to protect your content immediately. Before you do anything, make a full backup of your WordPress site so you can restore it if something goes wrong.
Be sure to back up a clean version of your MySQL database and FTP account. There are several ways to back up a site, including through cPanel, phpMyAdmin, and WordPress plugins (such as Vaultpress).
It is highly recommended that all WordPress users back up their site regularly. The steps below outline how to manually remove malware from your WordPress site.
Step 1: Browse your files
Once you have backed up your entire WP site, download the backup zip file to your computer. Open it by double-clicking on it. You should see the following files:
- All core WordPress files.
- .htaccess: This is a hidden file that includes your WordPress database name, username, and password. To ensure that you have backed up this file, use a code editing application or an FTP program that allows you to view hidden files. Be sure to check the show hidden files option.
- The wp-content folder which includes themes, plugins and downloads.
- SQL database.
Step 2 – Delete all files and folders in the Public_html folder
When you are sure you have a full backup of your website, go to your web hosting file manager.
Find it public_html folder and delete its contents except wp-config.php, wp content, and cgi-bin folders.
Make sure you also view invisible files, incl.htaccess since it can be compromised.
If you host multiple sites, you should assume that they too have been compromised as cross infections are common. Follow the same process for all sites hosted on the same server.
Open the wp-config.php archive and compare with a sample wp config archive. You can find this file in the WP GitHub repository.
Also check your file to see if anything looks suspicious, like long strings of code. If you’re sure something shouldn’t be there, delete it.
Go now to wp content directory and:
- Make a list of all your installed plugins, then delete them.
- Delete all themes, including the one you are using. You will reinstall it later.
- Look in your downloads folder to see if there’s anything you didn’t put there.
- To get rid of index.php after removing all plugins.
Step 3 – Install a clean version of WordPress
Go to your hosting provider’s control panel and reinstall WordPress in the same directory as the original location.
will be the public_html directory or in a subdirectory if you installed WordPress on an addon domain. Use the one-click installer or Quick setup (depending on your host) in your web hosting control panel.
Unzip the tar or zip file and upload your files to your server. You will need to create a new wp-config.php and enter your website backup details. You just need to enter the database name, password and prefix.
Step 4: Reset permalinks and passwords
Login to your WP site and reset all usernames and passwords. If there are unrecognized users, it means your database has been compromised.
You can hire a professional to clean your database and remove any malicious code.
Restart permalinksgo Settings > permalinks and so Save Changes. This process will restore the .htaccess file and fix your site URLs to work. Also reset all hosting accounts and FTP passwords.
Step 5 – Reinstall theme and plugins
Do not install old versions of your theme or plugins. Instead, get fresh uploads from the WordPress repository or premium plugin development site. Do not use plugins that are no longer supported.
If you have theme customizations from your old site, check out the backup files you downloaded to your computer and replicate the changes to the new copy.
Step 6 – Scan and reload your images and documents from your backup
This step can be tedious, but it is necessary. Carefully review your downloaded images and files before copying them back to the new wp-content > downloads folder in file manager.
Use an updated anti-virus program to scan all files and see if any of them are infected. Upload the clean files to your server using an FTP client or the file manager. Keep the same folder structure so you don’t end up with broken links.
Step 7: Inform Google
If you find that your site has been compromised by a warning from Google, you should let them know that you removed the malware so they can ignore the warning in your account.
Go to Google Search Console and sign in if you already have an account. If you don’t, register your website.
To find Security and manual actions in the left navigation. Click on the drop-down menu and select security issues.
Here you will see a report about your site’s security. To choose Request an opinion and submit it to Google.
I am Bhumi Shah, a highly skilled digital marketer with over 11 years of experience in digital marketing and content writing in the tech industry.