WordPress malware removal

Free WordPress Malware Removal Guidebook (3 steps discussed)

In this guidebook, we discuss the best WordPress malware removal processes.

I know the feeling of owning a website that is full of malware. It is painful and disgusting. 53% of website owners do not even know that their website is malware-infected. In most cases, if one page of a website is affected, it takes no time for the malware to spread across the whole website. Sometimes, when multiple websites are hosted in a single hosting account, all of the websites get affected by the malware. This is called cross-site contamination. So, it is always recommended that all websites take some precautions beforehand.

WordPress Malware removal Process


There are 3 ways to remove malware from your website. Some of them are free and some of them are paid. I’ll discuss both. But first, let me start with the free one.

If you still can access WP-Admin

If you can still access the admin area of your website, i.e. you can open the link yourwebsite.com/wp-admin in the browser, you can still add plugins to your WordPress website.

These are the best WordPress malware removal plugins.

  1. Wordfence Security – Firewall & Malware Scan
  2. Sucuri Security – Auditing, Malware Scanner and Security Hardening
  3. Anti-Malware Security and Brute-Force Firewall

Wordfence Security – Firewall & Malware Scan

This is by far the best plugin to remove existing malware on a WordPress website. It gives you a free firewall and security scanner. In this guidebook, we mostly explain the WordPress malware removal process using this plugin. Follow these steps with me.

  • Install the plugin and go to Scan (Admin Area -> Wordfence -> Scan).
  • Ignore the Premium warning and Go to Scan Options and Scheduling.
  • Change the Basic Scan Type options to High Sensitivity.
  • Click on the ‘Save Changes’ button.
  • Now click the ‘Start New Scan’ button.
  • The scan will take some time to complete.
  • Once the scan is complete, it will show you options to ‘Delete All Deleteable Files’ and ‘Repair All Repairable Files’.
  • Click on these two buttons one at a time.
  • Warning: Make sure you are not deleting any WordPress core files until you are sure that it will not kill your website completely.
  • If your website’s feature.php file is affected, open the file from your hosting’s File Manager with a PHP editor. Look for the comment section of the code. Most good and reputable WordPress theme makers use comments as part of their coding standard. See the example below.
[Image: example of a theme file showing the comment where the theme code starts]
  • You will get to know where the theme code has started.
  • Delete any code above the comment of your theme. (In the picture above, //Start_wp_theme_tmp is where the theme code starts.)
  • If you are not comfortable doing these, seek professional help.

If you can’t access WP-Admin

If you are no longer able to access WP-Admin, a plugin cannot help you. Please follow the steps below:

Delete Malware from Files

  • Verify if it shows any warning or not. Make a note of the warning.
  • Check if there is any blacklisting warning.
  • Connect to your website with FTP or open the hosting file manager.
  • Sort by ‘Recently Modified date’ and see if there is any suspicious modification in your WordPress core files. (Please check the same in the wp-includes and wp-content folders as well.)
  • Replace any affected WordPress core files with WordPress repository files. (Download the WordPress repository files from wordpress.org.)
  • Do not make any changes in the wp-config.php file and wp-content folder.
  • Any custom files (plugin files) can be replaced with the latest back-up files or fresh plugin files. (download the plugin zip file from wordpress.org and replace that particular affected file with the plugin file that you have just downloaded)
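
The file check described in the steps above can be scripted. The following is an added example, not part of the original guide: it compares the core files of a downloaded copy of the site against a clean copy of the same WordPress version unpacked from wordpress.org, and also lists files changed recently. The function names, the 14-day window and the directory layout are assumptions made for illustration.

```python
import hashlib
import os
import time

# Only WordPress core locations are audited; wp-content and wp-config.php are
# site-specific and are left alone, as the steps above advise.
CORE_DIRS = ("wp-admin", "wp-includes")


def sha256_of(path):
    """Hash a file in chunks so large files are not read into memory at once."""
    digest = hashlib.sha256()
    with open(path, "rb") as handle:
        for chunk in iter(lambda: handle.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def core_files(root):
    """Map relative path -> absolute path for root-level files and CORE_DIRS."""
    found = {}
    for name in os.listdir(root):
        full = os.path.join(root, name)
        if os.path.isfile(full) and name != "wp-config.php":
            found[name] = full
    for core_dir in CORE_DIRS:
        for folder, _, names in os.walk(os.path.join(root, core_dir)):
            for name in names:
                full = os.path.join(folder, name)
                found[os.path.relpath(full, root).replace(os.sep, "/")] = full
    return found


def audit_core(site_root, clean_root, recent_days=14):
    """Compare the site's core files with a clean copy of the same version."""
    site, clean = core_files(site_root), core_files(clean_root)
    cutoff = time.time() - recent_days * 86400
    report = {"modified": [], "unexpected": [], "missing": [], "recent": []}
    for rel, path in sorted(site.items()):
        if rel not in clean:
            report["unexpected"].append(rel)  # not shipped with WordPress: review it
        elif sha256_of(path) != sha256_of(clean[rel]):
            report["modified"].append(rel)    # replace with the clean file
        if os.path.getmtime(path) >= cutoff:
            report["recent"].append(rel)      # changed within the review window
    report["missing"] = sorted(set(clean) - set(site))
    return report
```

Call `audit_core("path/to/site-copy", "path/to/clean-wordpress")` and review each list. Legitimate root-level files such as .htaccess or robots.txt will appear under "unexpected" and should be inspected rather than deleted blindly.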

Delete Malware from Database

  • Look for any table name that looks suspicious.
  • Browse the table.
  • Verify what type of data the table holds.
  • If the data and the table name both look suspicious, delete the table. (Back up everything before you make any changes.)

If you perform the above operations, chances are high that you will get back your website. But, if you are not sure, I would always suggest you seek professional help.

Best Paid Option

There are multiple services that offer this malware removal service. But, the best will always be the service of your hosting provider. Every major hosting provider provides a service to remove malware from your website and that is undoubtedly the best option.

Another service that stands out and provides the best service is Sucuri.



We are not affiliated with Sucuri and we don’t get paid any amount for any signup.

They provide the best service when it comes to website security. With their annual plan, you get a professional WordPress malware removal process and one-year website security including a firewall service.

Sucuri is the industry’s best website security platform, and some of the biggest companies’ websites rely upon them. So, if you are not comfortable enough with the above steps, you can always get help from WordPress malware removal service companies.