How to scan WordPress website malware and remove website malware

How to Scan WordPress Malware and Remove Website Malware (2022)

Knowing how to scan WordPress malware and remove them from your website is a skill every webmaster should have. Especially, the WordPress platform has a high chance of being infected with malicious code because it is a large platform, and users are often newbies with little knowledge about virus prevention. If you are about to create a WordPress website, read through this article to have a certain knowledge about malware in WordPress.

If your website has been infected with malicious code, don’t worry, after reading this article you can rest assured and confidently continue to operate your WordPress website or safely create a new WordPress website without having to worry about problems. its risks too. This article will show you the simplest and most effective way to scan WordPress for malware. We will then proceed to remove that malicious code from your site. But first, let’s understand malware – malicious code, what is it?

What is Malware?

Malware is the English word for malicious software or malicious code. It is a general term for malicious programs and files that can compromise the system. Malicious code can damage computers, servers, networks, and websites. There are quite a few types of malware such as viruses, worms, trojans and spyware. In particular, they can compromise sensitive data, such as users’ personal information. Therefore, please take care of website security.

Signs that a website is infected with malicious code?

While WordPress hosting has good maintainability and security, it also has a number of vulnerabilities that can expose your website and visitors to internet threats in general and malware in particular.

You need to check your website for malware when:

  • The site has unwanted changes to the content: adding facts or removing information without your permission.
  • Spam, whether in the form of emails or suspicious links, is spread from your website.
  • Your URL will redirect to untrusted websites, deceptive ads, inappropriate, malicious content.
  • The server resource consumption spiked.
  • Google will mark your site as unsafe in browser and search results.
  • Negative impact on SEO (Your SEO Score won’t be high).

If you encounter the above situations, you need to quickly scan your WordPress website for malicious code and remove them from your site right away!

How to manually scan WordPress malware

The manual method can take a long time and requires more technical knowledge, but it can give you insight into where the attack happened. If you want to use a simpler alternative to remove malware from your WordPress site, go for a security plugin.

Steps to remove and scan WordPress malware:

1. Download your website backup about computers

Always website backup before modifying important website files.

There are two ways to do this. If you are unable to login to the WordPress admin page, you can save a copy of the folder public_html of the site through file manager or FTP client. Here’s how to do it:

  • File manager – right click on the folder public_html and choose compress. Once done, save it to your computer by right clicking and download it.
  • FTP – go Site Manager -> Connect and then download the folder using same method as used above. The only difference is that you will need to use an FTP client like FileZilla.

If you still have access to your site, you can use plugins like UpdraftPlus, Backup Buddy, or VaultPress to save time.

Last but not least, keep a backup database Yours is stored locally.

2. Scan WordPress website malicious code on computer

We recommend that you download the backup using an FTP client or file manager and then check your website for malware with anti-virus software.

Use anti-virus and anti-malware systems such as Windows Defender, Kaspersky or MalwareBytes to identify malicious code. If the scan is successful, it will help you find malicious code and remove them from your website. Then upload this new website version to your hosting.

how to scan WordPress malware

3. Remove Malware Infection

You can take several actions to remove Malware from your WordPress site. First, you need to access the website’s files via FTP or file manager.

Delete all files and folders in your website directory except wp-config.php and wp-content.

Then open wp-config.php and compare its contents with the same file from a fresh install or wp-config-sample.php can be found on WordPress GitHub Repository. Look for long, strange or suspicious code and remove them. You should also change the password of the database after checking the file.

Next, go to the folder wp-content and perform actions on these directories:

  • plugins – list all your installed plugins and delete subfolders. You can then download and install them again. Be careful not to download pirated or unknown plugins on the Internet.
  • themes – delete everything but your current themes and check for suspicious code snippets, or just delete this folder completely if you are sure you have a clean backup or don’t mind reinstalling.
  • uploads – check if there are any files that are not yours uploaded
  • index.php – after you have deleted the plugin, delete this file.

4. Use the latest WordPress source code to re-upload to the web

Download the source code WordPress root and upload to your website via FTP or file manager.

Go file manager, Press Upload Files and find the WordPress zip file. After upload is done, right click or button Extract and enter a folder name to specify the save location. Copy everything other than the file into the zip to public_html.

Alternatively, you can use the one-click installer and edit the database credentials in the file wp-config.php to properly configure the database.

5. Reset WordPress Password

If your website is managed by multiple people, the attack may have happened through one of their accounts. You should reset password, sign out of any accounts, and check for any inactive or suspicious user accounts that need to be deleted.

Change passwords to long, random strings that cannot be penetrated by attacks. You can use the tool Create a password.

6. Reinstall Plugins and Themes

Now that you have removed the Malware from your WordPress site, reinstall all the removed plugins and themes you have. However, be sure to remove old and deprecated plugins.

We recommend installing security plugins that can protect your WordPress site and easily remove malware in the future. Use one of the proven plugins like MalCare, WordFence, or Juices.

How to remove and scan WordPress malware with a plugin

If you want a faster way to scan your WordPress site for malware, you can use a WordPress security plugin

With this article, we will demonstrate how to remove malware from a WordPress website using Sucuri. But first let’s see the feature of Sucuri malwarey removal plugin:

  • Server-side WordPress malware scanning (premium version) and remote scanning (free version). The free version only detects Malware on-site while the premium version can check the back-end of your website.
  • Detects compromised WordPress files in your system and replaces infected files with their original copies.
  • Run an anti-virus software check and your website databases are blacklisted or not.
  • Enhance your website’s security to prevent Malware attacks.
  • Notifies you whenever Malware activity is detected.
  • Set up a firewall on your site (premium version).

You can download Sucuri from Kho plugin WordPress.

Once the installation is done, you need to go to the plugin’s page and Generate API key to enable full plugin features.

Generate Sucuri's API key

Once your website has been integrated with Sucuri’s API service, go to the page Dashboard -> Refresh Malware Scan. It will display the file log with any suspicious files flagged. For this tutorial, we have added suspicious code to the folder index.php to the test site.

This displays the file log of Sucuri, showing a suspicious file as flagged

After running the scan, the file was flagged. You can select it and perform any action you want.

Remove malicious warning on Google search results

Even though the Malware has been removed from your WordPress site, you still need to ask Google to remove the site’s warning label:

  1. Access to Google Search Console and register your website. Go to the third step if you already have an account.
  2. Then verify it using the prefix Domain or URL prefix.
  3. Scroll down to find Security & Manual Actions on the left tab. Click to display the drop-down list and select Security Issues.
  4. You will see a report about your website security, from which you can choose Request a review(request review).

You must double-check that your brother has successfully removed the Malware from your WordPress site before submitting your request. Otherwise, it will be marked as repeat offender (Recidivism), and you will not be able to request a reconsideration for 30 days.


Malware can be a huge problem that takes away all of your WordPress site’s credibility and trust, and affects you and your users. While looking at how to remove malware from a WordPress website, we showed you two methods:

How to remove and scan malware from WordPress, you need to do:

  1. Backup your website to your computer.
  2. Use anti-virus software and scan that WordPress backup.
  3. Remove Malware by tweaking your WordPress files and deleting old, suspicious, and detected files.
  4. Reset all user passwords and check for suspicious accounts.
  5. Reinstall plugins and themes.

Or you can use WordPress malware scanning plugins to improve the security of your site. In addition, we also showed you how to remove the warning labels that Google may place on your website. With these actions, hopefully you can restore your WordPress site as soon as possible and prevent future threats.


Huy Do. is an expert in managing and operating Website services. He has many years of experience in Hosting, Domain, Technical, CMS. His hobbies are technology, reading, traveling and mentoring young people to start a business.

By Nguyen Manh Cuong

Nguyen Manh Cuong is the author and founder of the nguyendiep blog. With over 14 years of experience in Online Marketing, he now runs a number of successful websites, and occasionally shares his experience & knowledge on this blog.

Leave a comment

Your email address will not be published. Required fields are marked *