How to Scan WordPress Malware and Remove Website Malware (2022)

Knowing how to scan a WordPress site for malware and remove it is a skill every webmaster should have. WordPress in particular carries a high likelihood of malware infection: it is a very large platform, and many of its users are newcomers with little knowledge of malware prevention.

If you are about to create a WordPress website, read through this article to get a grounding in WordPress malware.

If your website has been infected with malicious code, don't worry: after reading this article you can confidently continue operating your WordPress website. This article shows you the simplest and most effective way to scan WordPress for malware, and then how to remove that malicious code from your site. But first, let's learn what malware, or malicious code, actually is.

What is Malware?

Malware is short for malicious software, also called malicious code. It is a general term for malicious programs and files that can compromise a system. Malicious code can damage computers, servers, networks and websites. There are many types of malware, such as viruses, worms, trojans and spyware. In particular, they can compromise sensitive data, such as users' personal information. Therefore, take website security seriously.

Signs that a website is infected with malicious code

While WordPress hosting is generally well maintained and secured, WordPress itself has a number of vulnerabilities that can expose your website and its visitors to internet threats in general and to malware in particular.

You need to check for website malware when:

  • The site has unwanted changes to its content: data is added or information is removed without your permission.
  • Spam, whether in the form of emails or suspicious links, is being spread from your website.
  • Your URL redirects to untrusted websites, deceptive ads, or inappropriate or malicious content.
  • Server resource consumption has spiked.
  • Google marks your site as unsafe in the browser and in search results.
  • Negative impact on SEO (your SEO score won't be high).

If you encounter any of the above situations, you need to scan your WordPress website for malicious code quickly and remove it from your site right away!

How to scan WordPress malware manually

The manual method can take a long time and requires more technical knowledge, but it can give you insight into where the attack happened. If you want to use a simpler alternative to remove malware from your WordPress site, go for a security plugin.

Steps to scan for and remove WordPress malware:

1. Download a backup of your website to your computer

Always back up your website before modifying important website files.

There are two ways to do this. If you are unable to log in to the WordPress admin page, you can save a copy of the site's public_html folder through a file manager or an FTP client. Here's how:

  • File manager – right click on the public_html folder and choose Compress. Once done, save the archive to your computer by right clicking it and choosing Download.
  • FTP – go to Site Manager -> Connect and then download the folder using the same method as above. The only difference is that you will need an FTP client such as FileZilla.

If you still have access to your site, you can use plugins like UpdraftPlus, BackupBuddy or VaultPress to save time.

Last but not least, keep a backup of your database stored locally as well.

2. Scan the WordPress website backup for malicious code on your computer

We recommend that you download the backup using an FTP client or file manager and then check your website for malware with antivirus software.

Use anti-virus and anti-malware software such as Windows Defender, Kaspersky or Malwarebytes to identify malicious code. If the scan finds malicious code, remove it from the backup copy. Then upload this cleaned version of the website to your hosting.


3. Remove the malware infection

You can take several actions to remove malware from your WordPress site. First, access the website's files via FTP or a file manager.

Delete all files and folders in your website directory except wp-config.php and wp-content.

Then open wp-config.php and compare its contents with the same file from a fresh install, or with wp-config-sample.php, which can be found in the WordPress GitHub repository. Look for long, strange or suspicious code and remove it. You should also change the database password after checking the file.

Next, go to the wp-content folder and take the following actions on these directories:

  • plugins – make a list of all your installed plugins and delete their subfolders. You can then download and install them again. Be careful not to download pirated or dubious plugins from the Internet.
  • themes – delete everything except your current theme and check it for suspicious code, or just delete this folder completely if you are sure you have a clean backup or don't mind reinstalling.
  • uploads – check for any files that you did not upload yourself.
  • index.php – after you have deleted the plugins, delete this file.

4. Re-upload the latest WordPress source code to the site

Download a fresh copy of the WordPress source code and upload it to your website's files via FTP or a file manager.

In the file manager, press Upload Files and select the WordPress zip file. After the upload is done, right click it or press the Extract button and enter a folder name to specify where it should be extracted. Then copy everything, except the zip file itself, into public_html.

Alternatively, you can use a one-click installer and edit the database credentials in the wp-config.php file so that the new installation is correctly configured to use your database.

5. Reset WordPress passwords

If your website is managed by multiple people, the attack may have happened through one of their accounts. You should reset the passwords, log out all accounts, and check for any inactive or suspicious user accounts that need to be deleted.

Change the passwords to long, random strings that cannot be guessed or cracked by attackers. You can use a password generator tool for this.

6. Reinstall Plugins and Themes

Now that you have removed the malware from your WordPress site, reinstall the plugins and themes you removed. However, be sure to leave out old and deprecated plugins.

We recommend installing a security plugin that can protect your WordPress site and make malware easier to remove in the future. Use one of the proven plugins such as MalCare, Wordfence or Sucuri.
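Steps 2 and 3 above have you check the downloaded backup for suspicious code and for files in uploads that are not yours. The following script is an added example (not part of the original article or of any plugin named here) that automates that check offline against a backup directory: it flags any PHP file under wp-content/uploads, which should only hold media, and any line matching a small constructed list of obfuscation constructs; the pattern list, the file-extension list and the miniature sample site it builds are assumptions for illustration.

```python
import os
import re
import tempfile

# Constructed list of constructs typical of injected PHP (an assumption, not exhaustive).
SUSPICIOUS_PATTERNS = {
    "eval_of_decoded_string": re.compile(rb"eval\s*\(\s*(?:base64_decode|gzinflate|gzuncompress|str_rot13)\s*\("),
    "request_var_executed": re.compile(rb"(?:eval|assert|system|passthru|shell_exec)\s*\(\s*\$_(?:GET|POST|REQUEST|COOKIE)"),
    "long_base64_blob": re.compile(rb"[A-Za-z0-9+/]{200,}={0,2}"),
}
PHP_EXTENSIONS = (".php", ".phtml", ".php5", ".php7", ".phar")

def scan_file(path):
    """Return [(finding_name, line_number)] for one file; empty when nothing matched."""
    findings = []
    with open(path, "rb") as fh:
        for lineno, line in enumerate(fh, 1):
            for name, pattern in SUSPICIOUS_PATTERNS.items():
                if pattern.search(line):
                    findings.append((name, lineno))
    return findings

def scan_site(root):
    """Walk a WordPress tree and return {relative_path: findings} for flagged files."""
    report = {}
    uploads = os.path.join(root, "wp-content", "uploads") + os.sep
    for dirpath, _dirs, files in os.walk(root):
        for fname in (f for f in files if f.lower().endswith(PHP_EXTENSIONS)):
            full = os.path.join(dirpath, fname)
            # uploads should hold media only, so any PHP there is flagged outright.
            findings = [("php_in_uploads", 0)] if full.startswith(uploads) else []
            findings.extend(scan_file(full))
            if findings:
                report[os.path.relpath(full, root).replace(os.sep, "/")] = findings
    return report

def make_sample_site():
    """Create a constructed miniature site in a temp dir (sample data for this example)."""
    root = tempfile.mkdtemp(prefix="wp-sample-")
    files = {
        "wp-content/themes/mytheme/functions.php": b"<?php\nadd_action('init', 'x');\n",
        "wp-content/uploads/2022/03/cache.php": b"<?php eval($_POST['p']);\n",
        "index.php": b"<?php eval(gzinflate(base64_decode('" + b"QUJD" * 60 + b"')));\n",
    }
    for rel, content in files.items():
        full = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(full), exist_ok=True)
        with open(full, "wb") as fh:
            fh.write(content)
    return root
```

Run scan_site against the extracted backup folder and review every flagged file by hand before deleting it; a match is a lead, not proof, since some legitimate plugins also encode data.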

How to scan for and remove WordPress malware with a plugin

If you want a faster way to scan your WordPress site for malware, you can use a WordPress security plugin.

In this article, we will demonstrate how to remove malware from a WordPress website using Sucuri. But first, let's look at the features of the Sucuri malware removal plugin:

  • Server-side WordPress malware scanning (premium version) and remote scanning (free version). The free version only detects malware visible from outside the site, while the premium version can also check your website's back end.
  • Detects compromised WordPress core files in your installation and replaces infected files with their original copies.
  • Checks anti-virus and blacklist databases to confirm that your website is not blacklisted.
  • Hardens your website's security to prevent malware attacks.
  • Notifies you whenever malware activity is detected.
  • Sets up a firewall for your site (premium version).

You can download Sucuri from the WordPress plugin repository.

Once the installation is done, go to the plugin's page and generate an API key to enable the full set of plugin features.

(Screenshot: generating Sucuri's API key)

Once your website has been integrated with Sucuri's API service, go to Dashboard -> Refresh Malware Scan. It will display the file log with any suspicious files flagged. For this tutorial, we added suspicious code to the index.php file of the test site.

(Screenshot: Sucuri's file log showing a suspicious file flagged)

After running the scan, the file is flagged. You can select it and perform whatever action you want on it.

Remove the malware warning from Google search results

Even after the malware has been removed from your WordPress site, you still need to ask Google to remove the site's warning label:

  1. Go to Google Search Console and register your website. Skip to the third step if you already have an account.
  2. Then verify it using either the Domain or the URL prefix method.
  3. Scroll down to find Security & Manual Actions in the left tab. Click it to open the drop-down list and select Security Issues.
  4. You will see a report about your website's security, from which you can choose Request a review.

You must double check that you have successfully removed the malware from your WordPress site before submitting the request. Otherwise, the site will be marked as a repeat offender, and you will not be able to request a reconsideration for 30 days.


Malware can be a serious problem that destroys all of your WordPress site's credibility and trust, and affects both you and your users. Looking at how to remove malware from a WordPress website, we showed you two methods.

To scan for and remove malware from WordPress manually, you need to:

  1. Back up your website to your computer.
  2. Use anti-virus software to scan that WordPress backup.
  3. Remove the malware by cleaning your WordPress files and deleting old, suspicious and detected files.
  4. Reset all user passwords and check for suspicious accounts.
  5. Reinstall plugins and themes.

Or you can use WordPress malware scanning plugins to improve the security of your site. In addition, we also showed you how to remove the warning labels that Google may place on your website. With these actions, hopefully you can restore your WordPress site as soon as possible and prevent future threats.


Huy Do is an expert in managing and operating website services. He has many years of experience in hosting, domains, technical work and CMS. His hobbies are technology, reading, traveling and mentoring young people to start a business.