How to Check for Malware on your WordPress Site & Get it Fixed?

Post by WPressBlog
Updated on

If you’re here because you fear that your site has been infected by malware, you’re not alone. In fact, over 90,000 hacking attacks are attempted each day on sites like yours. This is because, for hackers, every website is a potential target – irrespective of its size.

But, the good news is that thanks to the immense popularity of WordPress, website security is no longer a task to dread – with the right knowledge and tools on your side. In this article, we show you how.

Before we dive in, let’s take a quick look at how a malware attack can impact a website:

  1. A sudden drop in the incoming traffic and SEO ranking – because of the redirection of your users to other unsolicited websites or search engines like Google suspending or blocking your website from organic traffic. To learn more about it check out this guide shared by Malcare.
  2. Loss of customer conversions and revenue for your online business, resulting from loss of SEO traffic or website malfunctioning.
  3. Loss of customer records and data from your WP database, because of a successful data breach.
  4. Reducing of brand trust and customer loyalty, because of a negative experience with your business.

These are only a few of the many ways in which your online business could be impacted. Often, the overall business impact of a malware attack on your site could take weeks or even months to recover from. So, it makes simple businesses sense to always keep your website free from malware infections.

How Do You Detect and Extract Malware from Websites?

Before we begin, we recommend taking a complete backup of both your WP installation and database tables. Further, download or store your backups at an easily accessible location, from where you can easily retrieve and restore your backup to your website installation. You can use an automated backup plugin to do this.

Primarily, for malware detection and removal, you must perform the below steps:

  1. Perform a complete scan of your website for any malware.
  2. Remove the malware infection from both your WP database and installation.
  3. Perform follow-up steps to ensure that your website is not infected with malware again.

Now let us discuss each of these steps in further detail.

Step 1 – Scan or detect any malware on your WordPress site

Scan or detect any malware on your WordPress site

To perform this step, you can either go for the longer manual method or, the faster automatic way of detecting malware on your site. Let us look at each of them.

Malware scanning using automatic tools:

For WP sites, you can select various malware tools or plugins like Sucuri or MalCare. For instance, Sucuri has the free-to-download Sucuri Site check tool, using which you can scan for any malware on your site.

If you are looking to perform an extensive or more in-depth malware scan on your site, you can use the paid MalCare plugin for fast detection. Another advantage of using this plugin is that it can also remove any malware if found on your site at no extra cost.

In case your website has been suspended or blacklisted, you can use the Google Transparency Report to find out the reason for the blacklist and then take the proper corrective measures.

Manual malware scanning:

For manual malware scanning of your WP installation and database, you need to open and check each of your backend files or folders that are usually targeted by hackers. These generally include critical files like the Core WP files, along with configuration files and database tables.

Here are a few of the targeted WordPress backend files and folders:

  • wp-content folder
  • wp-config.php file
  • .htaccess file

We recommend you individually check if any of these files or folders have been recently modified using their date and time stamp.

Through either of these methods, if you detect any malware on your website or database, then move on to the next step.

Step 2 – Remove malware from your WP installation

Manual removal of malware from your WordPress is a two-step process, comprising of:

  1. Cleaning the infected files.
  2. Cleaning the hacked database tables.

Before carrying out these steps, make sure you have the latest backup of the site – or have a fresh copy of WP (downloaded from the WP repository) with the same version as your current installation.

Simultaneously, ensure that you do not overwrite your wp-config.php file or the wp-content folder’s contents during the manual process.

Here is how you can clean your infected files:

  1. Launch any FTP tool like FileZilla and connect to your WordPress installation using your FTP credentials.
  2. Identify the backend files or folders infected and replace them with the cleaner and corresponding file or folder – from your backup or downloaded copy.
  3. If you have customized any of the installation files, you need to open each of the custom files and check for any suspicious code. If found, then remove them manually from each file.

Next, here is how you can clean your database tables:

  1. Sign in to your Database admin panel and search for any spam keywords or links in each of your database tables.
  2. Delete manually any such records containing suspicious entries or delete the entire table.

This manual scanning and cleanup process is effective for standard or common malware attacks. However, hackers are constantly innovating and coming up with smart ways of infecting WP files, in which case, this manual method may not be sufficient and effective in removing the malware.

As compared to this manual process, automatic malware removal is much less technical and complicated, and far more comprehensive.

This effectively removes all malware from both your installation files and database tables.

Once you have implemented Step 2, you can request your web hosting company to restore your website operations to normal.

Step 3 – Ensure that your website is not hacked again in the future

Scanning and removing malware from your website does not mean the job’s done. You also need to ensure that it is not hacked again in the future.

Ensure that your website is not hacked again in the future

To secure your website from future attacks, here are three follow-up measures that you can implement for this step:

  • If you have used the manual process to remove malware, it is a good idea to download and reinstall a fresh WP version – along with each of your installed plugins/themes. In case you are using an old or outdated version, update it to the latest available version that contains all the latest security fixes and patches.
  • Reset all your user passwords to prevent attacks like brute force attacks, which target your login page. As a security practice, mandate the use of strong passwords with a minimum of 10 characters. Ensure that all your users are using unique usernames. Additionally, restrict the number of users with “administrator” (or admin) rights.
  • Run another malware scan on your cleaned website and database to check for any hidden malware (also known as backdoors). Backdoors contain malicious code that can infect your website in the future. As it is not easy to detect backdoors, you need a powerful backdoor scanning tool that can search every installation file and database record and then remove the backdoors for good.
  • Finally, the most effective measure that you take to prevent future malware attacks is by installing a security tool on your site. Amongst all, we recommend opting for MalCare as its advanced algorithm detects even the newest malware and is also effective against hidden backdoors. It also has an in-built web application firewall that can also block unauthorized IP requests from suspicious IP addresses, effectively fortifying your website and blocking future attacks.
(Source: MalCare)


Experiencing a hacked website time and again is unfortunate, but not the end of the world. We hope that by following the steps mentioned above, you’ll be able to clean and restore your hacked website in no time. The first shift to make is to recognize website security as an important part of your WordPress maintenance tasks.

While we’ve discussed both manual and automatic methods of scanning and removing malware from any website, we suggest choosing automatic methods. This is because manual scans and cleanups require a considerable investment of time and effort and can stop short of finding more advanced and unknown malware. Security plugins are designed exclusively for WordPress and combine several best security practices in their offerings at competitive prices.

Are there any other security concerns you have? We would love to hear from you. Good Luck!

Read Also:

Affiliate Disclosure: This page contains affiliate links. That means, when you buy a service or a product through these affiliate links, we sometimes earn a small commission without any extra cost to you. Learn More

4 thoughts on “How to Check for Malware on your WordPress Site & Get it Fixed?”

Leave a Comment