How to Remove Malware from your WordPress Site?

How to Remove Malware from your WordPress website

If your WordPress website has been hacked with a Malware injection, you have come to the right place. Because I have been through the exact same ordeal a few days ago. If you are feeling worried and stressed out as I did, fret not. This article will show you how I remove ALL the malware from my WordPress Site within the same day.

I have never imagined my site would be hacked. All the security plugins have been installed and there have been no issues so far. I did every possible security enhancement measures like hiding the login page, setting a strong password, setting up 2FA, banning users who use the word “admin” and etc.

Then BAM, this happened out of nowhere after breakfast.

How to Remove Malware from your WordPress Site?

My entire site turned blood red and I got blacklisted by Google immediately.

Here is a step-by-step guide on what I did to remove the malware from my WordPress Site.

1. Put Your Site to Maintenance Mode

The first thing you need to do is to disable your website and put it under maintenance. You can download some free WordPress plugins to activate that. This is equivalent to cancelling your credit card after it has been stolen. You want to minimize damage and suspend all activities immediately.

The reason for doing this is to prevent your readers from getting infected with the malware from your site. It is also to protect your reputation and branding as it doesn’t look good if people noticed your website has been hacked.

2. Contact Your Hosting Provider

The second thing I did was to contact my hosting provider. They provided some suggestions which were rather technical for a layman. Or maybe I was not thinking straight. But I was told to download all my site content into my local desktop using FTP and scan it with an anti-virus software program. Then update all the patches and re-upload them again. Heck, I don’t even know what an FTP is.

Alternatively, you could consider ordering the Sucuri service for malware detection, malware cleanup, and malware prevention or contact your own external developer.

I didn’t want to pay for some premium security service. Neither did I have a developer. So I try to fix it by myself by googling for solutions everywhere.

Of course that didn’t work.

That’s when I know this problem is really big and serious. Because usually it can be resolved with a little bit of digging and research. In this case, I don’t even know where the malicious code resides in the database. It is hidden somewhere deep in between the codes and I am absolutely clueless on how to access them.

Feeling anxious, I re-read the suggestions again in detail and reattempt to fix it. This is what you can do and this is what I did.

3. How to Use FTP in WordPress?

Firstly, download CyberDuck. You need some sort of FTP software to transfer files from your host to your local desktop. CyberDuck is like a bridge that does that. Apparently you can’t just download your whole WordPress website into your computer. You need FTP.

Secondly, go to your hosting account and find out what is your FTP credentials. Usually, it is all stated there clearly. You need the domain name, your username, password and port number.

Thirdly, open up CyberDuck and enter your FTP credentials. This should set up a connection link to transfer your website files to your local Desktop.

Now that you have your site files on your desktop, the last step is to use your anti-virus software and scan for malware in your site files.

Unfortunately, my anti-virus software (McAfee) didn’t even detect any malware. I scanned it multiple times and it said that the files on my site are clean. Not only did McAfee said it was clean, but even the Wordfence security plugin also detected no malware on my site.

But if yours work, then great. After the anti-virus software has removed the malware, you can re-upload your files to your hosting provider through CyberDuck. Then replace it with the hacked version and it should be resolved.

4. Restoring Backup Files

If you are as unlucky as me, then try this second method.

Usually your hosting provider would have saved backup copies of your site files at different dates.

One possible way would be to use an older backup version and restore that version. This would bring your website back to the state where it was depending on which backup date you restored.

I tried this method but the malicious files were still in my database.

5. Alternative Solutions

The other solutions I looked up involve diving deep into the codebase and manually examining which lines of codes have been modified. The instructions were clearly written NOT for a layman, but a technical developer. So I know this won’t work well for me.

Furthermore, meddling the codebase can have SERIOUS implications if you messed it up. It can cause your whole site to break. This is something that I don’t want to risk happening. You should only do it if you know what you are doing.

At this point in time, I realized this is clearly a technical complex problem that requires an expert or developer to fix it. The site is still down and all the methods have been exhausted. But the malware is still alive and breathing. And I am desperate to get rid of it.

I searched online for a couple of sites that offer a one-time malware removal service for a fee. On average, it was between $150-$300. But it gets the job done. So I emailed different vendors to ask for the best quotation. I was ready to just throw in this one-time fee and get it fixed once and for all.

6. Downloading MalCare Plugin

*Affiliate Link Disclosure: At no additional cost to you, I will make a commission if you click through and make a purchase.

Just when I was about to surrender, I came across MalCare, a plugin that is designed specifically to clean malware on WordPress sites. Their premium plan is very affordable starting at $99/year for the personal one. This is much cheaper compared to Sucuri which starts at $199/year.

Wordfence is also $99/year but it can’t even detect that there is a malware lingering in my site when I did a scan. And there is no 24/7 live chat where I can talk to. That is where I think MalCare differentiates itself. Here is a quick overview of the differences between WordFence and MalCare.

6.1 Review of MalCare WordPress Plugin

WordPress Hacked: What To Do If Your WordPress Website Is Hacked?

Firstly, they have this 1-Click WordPress Malware Removal. You just have to click the auto-clean button and that would remove every bit of malware on your website.

Secondly, MalCare is designed to detect even the most unknown, hidden and complex malware. It runs a deep scan against 100+ signals that are derived from analyzing over 240,000 websites. The algorithm is highly specialised and trained to do this. Remove malware.

There have been many instances and reviews where other security plugins failed to detect or scanned the malware but MalCare did.

Thirdly, they have extremely responsive customer support which Wordfence doesn’t. In times like this, a live chat service ALWAYS wins a support ticket service.

Fourth, the scanning and cleaning of malware are performed on their server rather than on your website. This ensures that your server is not overload and your website speed is not compromised.

Fifth, it has a strong firewall that will automatically block off IP addresses with malicious intent. This is known as Geoblocking. You could do it on your own manually but it is super troublesome.

And lastly, they will refund you 3x if they failed to remove the malware from your website.

6.2 Is MalCare Plugin Worth It?

Overall, I think this is a good investment for the long-term. They have the most affordable rates out there and it is really value for money. So I went ahead to get the MalCare personal plan at $99.

Their customer service and live chat support is excellent. I immediately felt a sense of assurance and relief after knowing there is some expert I can talk to. Before that, it was just me trying to figure out how to remove malware from my WordPress site.

I would describe this feeling as to how when your body feels sick, you want to save money by not visiting the doctor. So you try all sorts of methods on the internet to recover but it didn’t work. But when you paid some money to see a doctor and they put you under proper care, you immediately feel relieved and assured. It is the exact same analogy.

At that point in time, I didn’t think much. I just want to get the malware fixed fast. So it is not a hard decision for me to make.

Furthermore, the cost is obviously more worth it than the one-time fee of $160. If I got the MalCare personal plan at $99, I am guaranteed constant protection every day for one whole year. What happens if my site got hacked again after paying for the one-time service? It is totally not worth it.

Over the years, I have learnt to be more generous in spending on cybersecurity costs. That’s why I also bought my Ledger Nano recently to ensure maximum protection on my crypto portfolio. You really don’t want to be skimping on these costs. It could potentially bring down EVERYTHING you have painstakingly built over the years. So I take it as buying insurance against your assets.

7. How to Remove Google Blacklist Warnings?

Anyways, they took 30 minutes to 1 hour to fix up everything. A script was inserted manually to inspect the database for the presence of malicious scripts in the database. These are things you clearly don’t know how to do it on your own. You need a technical person to do it.

After you have cleaned up your site, the next step is to remove yourself from Google Blacklist. To do that, simply go to your Google Search Console > Security & Manual Actions > Security Issues.

Then click on request for a review and give a detailed answer on what actions you took to resolve the security issues. After you submitted your review, request indexing from Google Search Console on your site again.

The response was pretty fast. Faster than I expected. The next morning when I woke up, I received an email from Google saying the review was successful. My site no longer contains links to harmful sites or downloads.

If you don’t have Google Search Console, then you need to download it and verify your domain. This is a must have if you are running your own website. It helps you to monitor, maintain, and troubleshoot your site’s presence in Google Search results.

8. Final Actions to Enhance Security

The last step is to enhance your site’s security. Change ALL your password on your hosting account and WordPress account. Set an extremely strong password with caps, symbols, numbers and make your password long.

How to Remove Malware from your WordPress Site?

I found a good diagram that shows you how long it will take for hackers to crack your password.

Next, update all your plugins, themes and WordPress version. Make sure they are at the latest version. Also, delete those that you are not using or those that are outdated. Plugins are vulnerable spots for hackers to hack into your site.

Additionally, you can use a safer browser such as Brave rather than Chrome. It is free to download. Brave has this “Shield” mode which you can enable to block off all 3rd party scripts, cookies and ads.

How to Remove Malware from your WordPress Site?

Finally, apply WordPress website hardening through MalCare. This is a process where you build bricks around your house to strengthen the website security. Some of the features of hardening include blocking PHP execution, disabling file editor, and disallowing plugin installations.

You can think of this as putting a lock around all your site’s files. This will prevent hackers from inserting or editing any malicious scripts on your website.

To end it off, do a final full scan on your local desktop to see if your computer is clean and clear. Then scan your website one last time on MalCare to check if your site is clean. Lastly, go to other site checkers like Sucuri and virustotal and Google Transparency Report to verify that your site is completely clean.

And that’s it! You are done! Just outsource your stress, effort and time to MalCare. Their dashboard is user-friendly and everything is automated into simple clicks. They will take care of the security of your site. You also feel assured to know that MalCare is protecting your asset (website) real-time. And there is always someone you can talk to if future incidents like this happen again.

Hope this helps for you!


  1. Hi Babylonian,

    Glad you had it fix. Did you manage to find the source of the infection?

    I also recently signed up for Malcare and I bundled it together BlogVault. My web host is doing a good job with the backup but for more granular restoration, there’s where BlogVault comes in. Also my web host only retains up to 2 weeks of backup whereas BlogVault can retain up to 90 days. I can also configured my web host to retain 90 days but it will be costly as they charge by size. The only downside is it will take a longer time to restoring from BlogVault to my webhost – this is especially true since my site is huge.

    Perhaps you might want to consider this bundle since you are also using Malcare.

    So far Malcare has pick up a incident of a malicious file and it happened repeatedly after I clean it. I am glad that they were able to advice me which is the infected file and pointed to a plugin that I am using.

    • Hey Derek, wow didn’t know you use MalCare also haha. Good to know you are also on it. Mine was located deep down in the database files. It was not from a plugin. Which web host are you using? And thanks for the info on BlogVault! Would definitely keep that in mind.

      • I am using I have tried may web hosts over the years with the last being a managed wordpress web host by Siteground. I am glad that the performance of my website is much better now. The strange part is I am actually on a lower plan now (less CPU and RAM) and yet performance is better.

Leave a Reply

Your email address will not be published.