Close Menu
    Security & Maintenance

    How to Remove Malware from WordPress: 2026 Guide

    By Updated:No Comments6 Mins Read
    wordpress malware removal — WPMytics

    A WordPress site hit by malware shows visible warning signs to visitors and browsers. Chrome flags the site with a red “Deceptive Site Ahead” warning. Some pages redirect to spam offers. Others show pharma keywords injected into content. The site might also send spam from the contact form or run a hidden cryptominer in visitor browsers.

    This tutorial covers WordPress malware removal end to end. You put the site in maintenance mode first. A security plugin scan finds infected files. Flagged files get deleted manually. Secret keys regenerate to invalidate stolen sessions. A review request to Google Safe Browsing clears the warning. The full flow takes 90 minutes for an average compromise.

    What You’ll Need

    • WordPress version: 6.5 or newer (older versions miss security patches that closed common attack vectors).
    • Permissions needed: Administrator on the WordPress dashboard, plus FTP or SSH access on the hosting server.
    • Time to complete: 90 minutes for a typical compromise. Allow up to 4 hours for sites with deep file injections.
    • Difficulty level: Intermediate. You delete files via FTP and edit wp-config.php directly.
    • Prerequisites: Recent backup file from before the infection, plus FTP credentials from the hosting panel.

    Step 1: Put the Site in Maintenance Mode

    Open the WordPress dashboard. Navigate to Plugins → Add New. Search for “WP Maintenance Mode & Coming Soon” by Designmodo. Install and activate the plugin. Go to Settings → WP Maintenance Mode. Set Status to Activated. Pick a short maintenance message in the General tab.

    [SCREENSHOT: wp-maintenance-mode-activate]

    Click Save Settings. Visit the live site in an incognito browser to confirm the maintenance page renders for logged-out visitors. This stops new visitors from triggering more infection symptoms during cleanup. Logged-in admins still see the normal site so cleanup work continues. Set the Design tab to a simple white background to avoid loading any compromised theme files. Skip the email signup field if it sources from a vulnerable form plugin. Save the settings panel before continuing to Step 2.

    Step 2: Run a Security Plugin Scan with Wordfence

    Stay in the WordPress dashboard. Navigate to Plugins → Add New. Install and activate Wordfence Security. Click the Wordfence menu in the left sidebar. Pick the free license option for now. Click Get a License, then Install on This Site.

    [SCREENSHOT: wordfence-license-install]

    Go to Wordfence → Scan. Click Start New Scan. The scan checks core files, themes, plugins, and the database against known malware signatures. Initial scans take 10 to 30 minutes. The result page lists every infected file with Wordfence severity ratings ranging from Critical down to Low.

    Step 3: Review and Delete Flagged Files

    Click each finding row to expand details. Look at the file path: theme, plugin, or core directory. Click View File Contents to inspect the suspicious code. Common patterns include base64-encoded strings, eval() calls, and references to external domains inside PHP files.

    [SCREENSHOT: wordfence-flagged-file-detail]

    Pick Delete File for confirmed malware inside /wp-content/. Pick Restore Original for modified core files inside /wp-admin/ or /wp-includes/. Repeat for every flagged row. After each batch, run another scan to confirm the file count drops. Stop when the scan returns zero infected files.

    Step 4: Change All Passwords and Regenerate Secret Keys

    Navigate to Users → All Users in the WordPress dashboard. Click Edit on every user. Click Set New Password and let WordPress generate a strong one. Save changes for each user. Email each team member a forced password reset link.

    [SCREENSHOT: wordpress-users-set-new-password]

    Open the WordPress secret key generator at api.wordpress.org/secret-key/1.1/salt/. Copy all eight lines into your clipboard. Open wp-config.php via the hosting file manager.

    What this does: Replaces the eight secret keys WordPress uses to sign login cookies. Replacing them invalidates every active session, including any cookie an attacker stole.

    define('AUTH_KEY',         'paste new key here');
define('SECURE_AUTH_KEY',  'paste new key here');
define('LOGGED_IN_KEY',    'paste new key here');
define('NONCE_KEY',        'paste new key here');
define('AUTH_SALT',        'paste new key here');
define('SECURE_AUTH_SALT', 'paste new key here');
define('LOGGED_IN_SALT',   'paste new key here');
define('NONCE_SALT',       'paste new key here');

    Save the file. All users get logged out automatically and must log in again with the new passwords from this step.

    Step 5: Submit a Review Request to Google Safe Browsing

    Open Google Search Console for your site. Navigate to Security & Manual Actions → Security Issues. The screen lists every detected malware type. Click Request Review.

    [SCREENSHOT: search-console-request-review]

    Fill in the response form. Describe the cleanup steps from this tutorial in plain language. Include the dates of the scan, file deletion, and password reset. Click Submit. Google reviews most requests within 72 hours and removes the warning when no infection signs remain. Visit the live site in an incognito browser after the review clears to confirm the red warning is gone.

    Troubleshooting

    Error: The Wordfence scan keeps finding the same files after deletion.
    Fix: The infection is regenerating files via a backdoor. Run a Premium scan or restore from a clean backup taken before the infection date.

    Error: FTP or SFTP connection refused by the hosting server.
    Fix: The host has blocked FTP after detecting suspicious activity. Open a hosting support ticket to request a temporary unblock with the reason “malware cleanup in progress”.

    Error: Google still shows the red warning 5 days after submitting the review request.
    Fix: Reopen the security issue and run a fresh scan. Re-infection often delays clearance. Submit a second review with new scan timestamps.

    Error: Some flagged files sit inside a paid plugin and cannot be deleted directly.
    Fix: Delete the entire plugin folder via FTP. Reinstall the paid plugin from the original vendor’s download portal to replace with clean copies.

    Quick Recap

    • Activated WP Maintenance Mode to block new visitor exposure during cleanup.
    • Installed Wordfence Free and ran a full scan that flagged every infected file.
    • Deleted malicious files in /wp-content/ and restored original core files.
    • Changed every user password and regenerated the eight wp-config.php secret keys.
    • Submitted a security review to Google Search Console to clear the browser warning.

    Pair this with the WordPress hardening guide to close the door. Official Wordfence cleanup documentation lives at wordfence.com/help.

    Share.

    Lena Kovac writes data-driven analysis and security coverage for WPMytics. She's the person behind the quarterly market reports and monthly trend pieces, using public data from WordPress.org, W3Techs, BuiltWith, and her own testing to map what's happening in the WordPress ecosystem.

    Related Posts

    Comments are closed.