How to Remove WordPress Malware – DIY Security Tutorial

Last Updated: August 20, 2022

The majority of bloggers regardless of their background/expertise use WordPress day in, day out and so WordPress security is of paramount importance to all of us.

They say experience is a great teacher and it is so true especially when you go through something as horrific as malware attacks and there is nobody out there to help you.

You contact your host and he sends you a cookie-cutter list to fix the malware yourself.

You contact Google and again you are given a cookie-cutter list to fix malware yourself.

You follow these cookie-cutter guidelines and sometimes actually fix the malware issues on your own. But most of the time these lists don’t work.

There are two main reasons for this:

First, to follow the instructions given in such a list, you must have a good understanding of your CMS (Content Management System).

You must know what you are playing with and how it will affect the website’s performance. One wrong move and you may end up deleting your website files or the entire database.

Second, you must know exactly where to look and what needs to be done to fix the malware issue.

With recent attacks of malware from Russian websites despite using security services, I was pretty much convinced that I can’t rely on such services anymore.

These services claim to protect your website from malware which I have found to be a marketing scam. They do scan your website and alert you of malware but they don’t do anything to prevent your site from being infected in the first place. Most of them scan your website only once a day and one day is good enough for a hacker to inject malware into your website.

One day is also good enough for Google to issue malware warnings for your website.

In fact, none of these services can alert you of malware issues faster than Google according to my experience.

I have hired several of these so-called malware protection companies and they all failed miserably in finding and alerting me of malware issues on time.

In fact, the best malware scanner out there at the moment is Google Chrome.

Google Chrome sniffs malware faster than any paid malware scanner out there.

I did a lot of work and research to make sure that my website is safe and secure for our visitors. What I am going to present to you next is what I actually do to find and fix malware issues.

Take down your website

As soon as you detect malware on your website, take it down to prevent hackers from further abusing it.

There is no point working on a live website while hackers are busy injecting malicious code at the same time from the other end.

Follow the steps below to put your website under maintenance in an SEO friendly manner:

Step-1: Create a ‘website under maintenance’ web page and name it 503.php.

Put the following PHP code at the very top of the page (before the <html> tag):

<?php
header("HTTP/1.1 503 Service Temporarily Unavailable");
header("Status: 503 Service Temporarily Unavailable");
header("Retry-After: 3600");
?>

This code returns a 503 response, which tells search engines that your website is temporarily unavailable.

The ‘Retry-After’ header tells search engines to try crawling the website again after 3600 seconds (1 hour).

Note: Google also recommends returning 503 status code when your website is under maintenance.

Also, insert Google Analytics tracking code in the head section of the 503.php page to keep track of the website visitors during the downtime.

Step-2: Add the following lines at the top of your .htaccess file:

RewriteEngine on
RewriteCond %{REMOTE_ADDR} !^111\.111\.111\.111
RewriteCond %{REQUEST_URI} !/503.php$ [NC]
RewriteRule .* /503.php [R=302,L]

The code in the .htaccess file redirects every page on your website to the 503.php page, except for requests from the IP address in the first RewriteCond (replace 111.111.111.111 with your own IP address so that you can still reach the site while you work on it).

So no matter which page a visitor lands on, they are automatically redirected to the 503.php page.
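A small Python helper, added here as an editorial example rather than code from the original post, generates the Step-2 block for one or more admin IP addresses and mimics how mod_rewrite evaluates the two conditions. The one thing it adds to the snippet above is anchoring: a RewriteCond pattern is an unanchored search, so a bare prefix like ^111\.111\.111\.11 also lets 111.111.111.111 through. The address 111.111.111.111, the /503.php path and the visitor addresses below are constructed values.

```python
import re

# Constructed example values (not from the page): the IP address you administer
# the site from, and the maintenance page from Step-1.
ADMIN_IPS = ["111.111.111.111"]
MAINTENANCE_PAGE = "/503.php"


def build_maintenance_htaccess(admin_ips, page=MAINTENANCE_PAGE):
    """Return the .htaccess block that sends every visitor except the admin
    IPs to the maintenance page.  Each IP is regex-escaped (dots are
    metacharacters) and anchored with ^ and $, because mod_rewrite
    conditions are unanchored searches."""
    lines = ["RewriteEngine on"]
    for ip in admin_ips:
        lines.append("RewriteCond %{REMOTE_ADDR} !^" + re.escape(ip) + "$")
    lines.append("RewriteCond %{REQUEST_URI} !" + re.escape(page) + "$ [NC]")
    lines.append("RewriteRule .* " + page + " [R=302,L]")
    return "\n".join(lines) + "\n"


def is_redirected(htaccess, remote_addr, request_uri):
    """Mimic how mod_rewrite evaluates the block above: every RewriteCond
    must hold (each is a negated regex search, case-insensitive with [NC])
    before the RewriteRule fires.  True means the visitor lands on the
    maintenance page."""
    subjects = {"REMOTE_ADDR": remote_addr, "REQUEST_URI": request_uri}
    for line in htaccess.splitlines():
        m = re.match(r"RewriteCond %\{(\w+)\} !(\S+)", line)
        if not m:
            continue
        var, pattern = m.groups()
        flags = re.IGNORECASE if line.rstrip().endswith("[NC]") else 0
        if re.search(pattern, subjects[var], flags):
            return False  # a negated condition matched, so the rule is skipped
    return True


# The unanchored form of the first condition (only the last octet shortened),
# kept for comparison: it matches more than the one address it names.
UNANCHORED_BLOCK = (
    "RewriteEngine on\n"
    "RewriteCond %{REMOTE_ADDR} !^111\\.111\\.111\\.11\n"
    "RewriteCond %{REQUEST_URI} !/503\\.php$ [NC]\n"
    "RewriteRule .* /503.php [R=302,L]\n"
)

if __name__ == "__main__":
    block = build_maintenance_htaccess(ADMIN_IPS)
    print(block)
    print("admin sees the site:", not is_redirected(block, ADMIN_IPS[0], "/"))
    print("visitor is redirected:", is_redirected(block, "203.0.113.5", "/"))
```

Run it once before you upload the block: the admin address should come back as not redirected, any other address should be redirected, and a request for /503.php itself (in any letter case, because of [NC]) must not be redirected again or the browser loops.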

Change all the passwords

In order to prevent hackers from further abusing your website, change the passwords associated with your WordPress admin panel, hosting control panel, FTP account and especially your database.

You can change your database password by going to the database section in your hosting control panel.

When you change your database password, you should immediately edit your wp-config.php file and update the database password there too.

Failing to do so will result in the error message “error establishing a database connection” when you try to access your website via a web browser.

Open your ‘wp-config.php’ file via ‘File Manager’ and locate the section that looks like this example:

/* The name of the database for WordPress */
define('DB_NAME', 'putyourdbnamehere');

/* MySQL database username */
define('DB_USER', 'usernamehere');

/* MySQL database password */
define('DB_PASSWORD', 'yourpasswordhere'); // <= Update your password here

/* MySQL hostname */
define('DB_HOST', 'localhost');

Change WordPress security keys and salts

WordPress uses four different security keys to encrypt information stored in users’ cookies and to make your website harder to crack.

These secret keys are randomly generated character strings and are used along with four different types of salts (which are also randomly generated character strings).

You can see the security keys and salts by opening your wp-config.php file:


You should change all these security keys and salts in order to invalidate all the cookies set up for your website and make your website harder to hack again.

One caveat here is that all the users who can log in to your website will then have to login again.

You don’t need to remember or store these keys like your regular passwords. But make sure that you don’t share them either.

You can change the value of these keys either manually (by using a long, complex, randomly generated character string, as shown in the image above) or by using the official WordPress security key generator:

Note: I used the official WordPress security key generator to randomly generate security keys for this blog post (used in the image above). These are not the security keys I use for Don’t use these keys for your website. 
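If you would rather not paste values from a web page into wp-config.php, the following Python script (an added example, not from the original post or from WordPress itself) generates the eight keys and salts locally with the secrets module, using the same character set WordPress's own generator draws from, and rewrites the define() lines in place. The wp-config.php fragment in SAMPLE_CONFIG is constructed from the placeholders WordPress ships; rotate_keys_in_file is a hypothetical helper name.

```python
import re
import secrets
import string

# WordPress's key names and the character set its own generator draws from
# (no quotes or backslashes, so a value can sit inside a PHP single-quoted string).
KEY_NAMES = ["AUTH_KEY", "SECURE_AUTH_KEY", "LOGGED_IN_KEY", "NONCE_KEY",
             "AUTH_SALT", "SECURE_AUTH_SALT", "LOGGED_IN_SALT", "NONCE_SALT"]
SALT_CHARS = string.ascii_letters + string.digits + "!@#$%^&*()-_ []{}<>~`+=,.;:/?|"
KEY_RE = re.compile(
    r"""define\(\s*(['"])(%s)\1\s*,\s*(['"])[^'"]*\3\s*\);""" % "|".join(KEY_NAMES))
READ_RE = re.compile(
    r"""define\(\s*['"](%s)['"]\s*,\s*['"]([^'"]*)['"]""" % "|".join(KEY_NAMES))


def generate_salt(length=64):
    """A cryptographically random 64-character value (the length WordPress uses)."""
    return "".join(secrets.choice(SALT_CHARS) for _ in range(length))


def read_keys(config_text):
    """Map each key name to its current value, for before/after checks."""
    return {m.group(1): m.group(2) for m in READ_RE.finditer(config_text)}


def rotate_keys(config_text):
    """Replace every key/salt define() in wp-config.php text with a fresh
    random value; returns (new_text, names_replaced).  Other defines
    (DB_NAME, DB_PASSWORD, ...) are left untouched."""
    replaced = []

    def repl(m):
        replaced.append(m.group(2))
        return "define( '%s', '%s' );" % (m.group(2), generate_salt())

    return KEY_RE.sub(repl, config_text), replaced


def rotate_keys_in_file(path):
    """Hypothetical helper: rewrite wp-config.php in place, keeping a copy
    as wp-config.php.bak.  Run it while the site is in maintenance mode."""
    with open(path, encoding="utf-8") as fh:
        original = fh.read()
    with open(path + ".bak", "w", encoding="utf-8") as fh:
        fh.write(original)
    new_text, replaced = rotate_keys(original)
    with open(path, "w", encoding="utf-8") as fh:
        fh.write(new_text)
    return replaced


# Constructed wp-config.php fragment with the placeholders WordPress ships.
SAMPLE_CONFIG = """define( 'DB_NAME', 'putyourdbnamehere' );
define( 'AUTH_KEY',         'put your unique phrase here' );
define( 'SECURE_AUTH_KEY',  'put your unique phrase here' );
define( 'LOGGED_IN_KEY',    'put your unique phrase here' );
define( 'NONCE_KEY',        'put your unique phrase here' );
define( 'AUTH_SALT',        'put your unique phrase here' );
define( 'SECURE_AUTH_SALT', 'put your unique phrase here' );
define( 'LOGGED_IN_SALT',   'put your unique phrase here' );
define( 'NONCE_SALT',       'put your unique phrase here' );
$table_prefix = 'wp_';
"""

if __name__ == "__main__":
    rotated, names = rotate_keys(SAMPLE_CONFIG)
    print("replaced:", ", ".join(names))
    print(rotated)
```

Every run produces eight new, distinct 64-character values, so running it again later (for example at the end of the clean-up, when the text recommends changing the keys once more) simply invalidates all existing login cookies again.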

Take a backup of your WordPress theme files and other important files

Although your website has been infected it still contains valuable data. You don’t want to lose this data if something goes wrong during the clean-up process and you end up deleting/corrupting all your files.

If you want to take a backup of your WordPress site then first take a backup of the folder /wp-content/ via your FTP. This folder contains all your plug-ins, themes, images and videos.

Then take a backup of the following files, which are unique to your particular WordPress installation:

  1. /wp-config.php – This file stores your database information like database name, database username, database password etc. It is a very important file. You can find this file in the root folder via your FTP.
  2. /.htaccess – Another important file for server access control. You can find this file in the root folder via your FTP.
  3. /favicon.ico – This is your website favicon file. You can find this file in the root folder via your FTP.
  4. /robots.txt – This file is used to give instructions about your site to web crawlers/bots. You can find this file in the root folder via your FTP.

Take a backup of the WordPress database

Your WordPress database contains all your pages, blog posts, and comments. If your database gets corrupted or deleted, you will lose all your pages, blog posts and comments for good.

To take a backup of your database, go to the database section in your hosting control panel and then click on the icon for the type of database (MySQL or MSSQL) you want to back up:


From the Actions Menu select ‘Backup’:


Note down the backup file name and the file location. The file location is generally /_db_backups.

Once the backup is finished go to the folder where your database file is located (in our case /_db_backups) via your FTP and download this file.

Make sure you have the most recently updated database file in your folder before you download it via FTP.

For manual backup, check out this post:

Take a backup of your website, database, and other important files at least once every month and/or before upgrading to the latest version of WordPress.

Make at least two copies of the backup files/folders and store them on different hard disks in case one backup gets deleted/corrupted.

Use Google Chrome and Google Webmaster Tools to quickly identify malware issues

Google Chrome detects malware faster than any expensive malware scanner out there.

Always use Google Chrome to browse your website and other websites just for this reason.

It can sniff malware very fast, sometimes much earlier than the malware warning turns on in Google Webmaster Tools.

Sometimes you can prevent Google from labeling your website as infected if you act promptly and immediately remove the malicious code/files from your server.

Visit the Google Safe Browsing diagnostics page for your site:

Replace with your domain name.

Through this page, you can get some clues about the malware issues.

For example:

Remove WordPress Malware

Here the malicious software is hosted on the websites enclosed in the rectangle above and the links to these websites have been secretly inserted into your website somewhere by the hackers.

You need to find these links and remove them from your files. Hackers generally put these links somewhere in your WordPress theme files.

Sometimes they upload their own files onto your server.

You can either remove the malicious code/files manually or you can use some software that can do this for you.

Here I found one interesting thing about Google.

If you visit the Safe Browsing diagnostic page for, you can see that Google itself is infected with malware and so ideally it should block itself. But Google has chosen not to label itself as an infected website.


Anyway, now log into Google Webmaster Tools to get more details about your malware issues.

Go to Health > Malware and see the sample of URLs with malware.

Sometimes through these URL samples, you can quickly find and remove the malicious files on your server.

Use the Fetch as Google tool (under the Health menu in Google Search Console) to see a page exactly as it was served to Googlebot. This catches malware that is served only to search engine crawlers and therefore does not show up when you view the page in a browser.

Note: You can also use the free website malware scanner to get some information about the type of malware and the type of infection.

Check folders for malicious files on your web server

1. Download a fresh copy of the latest WordPress and store it on your hard disk.

2. Now browse the WordPress files in the various folders on your hard disk to get a feel and awareness of the files which are generally included in a typical WordPress installation.

3. Once you have browsed the folders, access your web server via FTP and look for suspicious files (files which should not be there but are there) in /wp-content/, /wp-admin/ and /wp-includes/ folders.

For example, the file css.php is generally not present in the /wp-includes/css/ folder of a typical WordPress installation. If you find one there, it is most probably malware.

Take a backup of this file and then remove it from the server, so that if your website’s functionality breaks you can restore the file.

Comparing the name and number of files on your server with the name and number of files in the fresh WordPress installation is a very good way to find malicious files.

The ‘uploads’ folder under /wp-content/ is one of the favorite places for hackers to store malicious files.

So always check this folder.

Check files for malicious code on your web server

Sometimes hackers don’t upload malicious files, instead, they insert malicious code into your existing WordPress files.

Hackers especially target those files for inserting malicious code which can survive WordPress updates/re-installation like your theme files.

Malicious code is generally inserted via IFRAME and NOSCRIPT tags, so look especially for these elements in your files.

The malicious code can be a link to an executable file (.exe, .cmd, etc.) or a script which downloads malware or redirects users to sites which host malware.

Look for invisible IFRAMES

Look for IFRAME tags with width=0 and height=0 in the HTML code of your web pages. These are invisible IFRAMES and are generally placed at the very top or very bottom of the HTML code of a web page.

Look for strange-looking Code

Look for unintelligible blocks of numbers, letters and symbols in your files’ code and remove them.

For e.g.


This is obfuscated (‘encrypted’) code, commonly used by hackers to hide malware.

Use the ‘custom filters’ feature of Screaming Frog SEO Spider to find malicious code.

Scan user-generated areas of your website

User-generated areas like comments are commonly used to inject malware.

Use the ‘custom filters’ feature of Screaming Frog SEO Spider to search for spam words (like viagra, buy, porn, casino, insurance, work at home, etc.) on your website.

You can also use the site: search operator to find spam on your website. For example, searching for viagra together with the site: operator for your domain will return all the pages (if any) that contain the word ‘viagra’ on your website.

Also, keep an eye on the search queries report in Google Webmaster Tools.

If your website is getting a lot of impressions for search terms like ‘casino’, then your website may be affected by malware/spam.

Scan your internal and external links

Scan all of your internal and external links and look for links to unfamiliar sites.

Generally, the website hosting the malware has an unintelligible name like bacxwq and ends in .ru (sorry, Russia).

You can scan your links with Screaming Frog SEO Spider, Google Webmaster Tools or tools like ‘Open Site Explorer’.
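The three checks described above (invisible IFRAMEs, strange-looking blocks of characters, and links to unfamiliar hosts) can be run over a downloaded copy of your theme and page files with a script. The one below is an added example, not part of the original post or of any tool it mentions: it flags iframes with zero width/height or a hidden style, calls to eval()/base64_decode()/gzinflate()/str_rot13(), long runs of base64-looking text with high Shannon entropy, and href/src URLs whose host is not one of your own domains. SAMPLE_PAGE, the host bacxwq.ru and example.com are constructed inputs; the 120-character and 4.5-bit thresholds are assumptions that you can tune.

```python
import base64
import math
import re
from urllib.parse import urlparse

IFRAME_RE = re.compile(r"<iframe\b[^>]*>", re.I)
ZERO_SIZE_RE = re.compile(r"""\b(width|height)\s*=\s*["']?0(px)?["']?(?![\d.%])""", re.I)
HIDDEN_STYLE_RE = re.compile(r"(display\s*:\s*none|visibility\s*:\s*hidden)", re.I)
OBFUSCATION_RE = re.compile(r"\b(eval|base64_decode|gzinflate|gzuncompress|str_rot13)\s*\(", re.I)
BLOB_RE = re.compile(r"[A-Za-z0-9+/=]{120,}")          # long base64-looking run
LINK_RE = re.compile(r"""(?:href|src)\s*=\s*["']?(https?://[^"'\s>]+)""", re.I)
ENTROPY_THRESHOLD = 4.5  # assumption: random base64 scores near 6, prose well below


def shannon_entropy(s):
    """Bits per character of the string s."""
    counts = {}
    for ch in s:
        counts[ch] = counts.get(ch, 0) + 1
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def line_of(text, pos):
    return text.count("\n", 0, pos) + 1


def scan_text(text, own_hosts):
    """Return (kind, line, detail) findings for the contents of one file."""
    findings = []
    for m in IFRAME_RE.finditer(text):
        tag = m.group(0)
        if ZERO_SIZE_RE.search(tag) or HIDDEN_STYLE_RE.search(tag):
            findings.append(("hidden_iframe", line_of(text, m.start()), tag[:100]))
    for m in OBFUSCATION_RE.finditer(text):
        findings.append(("obfuscation_call", line_of(text, m.start()), m.group(1)))
    for m in BLOB_RE.finditer(text):
        if shannon_entropy(m.group(0)) > ENTROPY_THRESHOLD:
            findings.append(("high_entropy_blob", line_of(text, m.start()),
                             "%d chars" % len(m.group(0))))
    for m in LINK_RE.finditer(text):
        host = (urlparse(m.group(1)).hostname or "").lower()
        if host and not any(host == h or host.endswith("." + h) for h in own_hosts):
            findings.append(("external_link", line_of(text, m.start()), host))
    return findings


def scan_file(path, own_hosts):
    with open(path, encoding="utf-8", errors="replace") as fh:
        return scan_text(fh.read(), own_hosts)


# Constructed sample page: one legitimate link, one hidden iframe pointing at
# an unfamiliar .ru host, an eval(base64_decode(...)) stub and a long
# high-entropy blob (base64 of the bytes 0..255, so the value is deterministic).
BLOB = base64.b64encode(bytes(range(256))).decode()
SAMPLE_PAGE = """<html><head><title>My blog</title></head><body>
<a href="https://example.com/about/">About</a>
<iframe src="http://bacxwq.ru/load.php" width=0 height=0></iframe>
<?php eval(base64_decode('aGVsbG8=')); ?>
<script>var p='%s';</script>
</body></html>
""" % BLOB

if __name__ == "__main__":
    for kind, line, detail in scan_text(SAMPLE_PAGE, ["example.com"]):
        print("line %d: %s (%s)" % (line, kind, detail))
```

Point scan_file at each file under your theme folder and read the findings with the text's advice in mind: a hidden iframe at the very top or bottom of a template, or an eval() of a base64 string, almost never has a legitimate reason to be there, whereas an external link is only a lead to check against the list of hosts you know you link to.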

Check for open redirects

Open redirects are redirects whose destination is left open to an arbitrary URL. They are commonly abused by hackers to redirect your website visitors to websites which host malware.

Look out for URLs like

I have not found any easy way to fix the open redirect issues. You need to get the help of your web developer or system administrator.

Check where your website is sending traffic

If you do Exit tracking (or outbound links tracking) on a site level you can easily find out where your website is sending traffic.

Check your .htaccess file

This file is one of the favorites of hackers and is commonly used to add malicious code.

The code is generally added to redirect your website visitors to the website which hosts malware.

While checking this file for malicious code, make sure that you check the entire file from top to bottom. Sometimes the malicious code starts after hundreds of empty lines in your .htaccess file. This is done to keep the code from being noticed.

Check your wp-config.php file

This file generally contains 92 lines of code and ends with the following code:


Hackers generally insert malicious code after that line of code.

Again while checking this file for malicious code, make sure that you check the entire file from top to bottom. Sometimes the malicious code starts after hundreds of empty lines in your wp-config.php file.
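Both of the checks just described (code hidden after hundreds of empty lines, and code appended to the end of wp-config.php) are easy to miss in a text editor and easy to catch with a script. The following Python is an added example, not from the original post: it reports every run of 50 or more blank lines that has content after it, flags .htaccess directives of the kind used to send visitors elsewhere (rewrites to external URLs, redirects conditional on the referer or user agent, PHP handler changes), and lists anything that comes after the require_once of wp-settings.php, which is the last statement of a stock wp-config.php. The sample files, the bacxwq.ru host and the 50-line threshold are constructed for illustration.

```python
import re

BLANK_RUN = 50   # assumption: runs of 50+ empty lines are not normal in either file
WP_SETTINGS_RE = re.compile(r"""require_once\s*\(?\s*ABSPATH\s*\.\s*['"]wp-settings\.php['"]""")
HTACCESS_SUSPECT = [
    (re.compile(r"RewriteCond\s+%\{HTTP_(REFERER|USER_AGENT)\}", re.I),
     "redirect conditional on referer or user agent (hides itself from the site owner)"),
    (re.compile(r"RewriteRule\s+\S+\s+https?://", re.I), "rewrite to an external URL"),
    (re.compile(r"ErrorDocument\s+\d+\s+https?://", re.I), "error page served from another site"),
    (re.compile(r"(auto_prepend_file|auto_append_file|AddHandler|AddType\s+application/x-httpd-php)", re.I),
     "PHP handler or auto_prepend/append directive"),
]


def blank_line_gaps(text, threshold=BLANK_RUN):
    """(first_blank_line, run_length) for every run of >= threshold empty
    lines that is followed by more content."""
    gaps, run_start = [], None
    for number, line in enumerate(text.split("\n"), 1):
        if line.strip() == "":
            run_start = run_start or number
        elif run_start is not None:
            if number - run_start >= threshold:
                gaps.append((run_start, number - run_start))
            run_start = None
    return gaps


def gap_findings(text):
    return [(line, "%d empty lines before more content" % run) for line, run in blank_line_gaps(text)]


def check_htaccess(text):
    """(line, reason) findings for an .htaccess file."""
    findings = gap_findings(text)
    for number, line in enumerate(text.split("\n"), 1):
        for pattern, reason in HTACCESS_SUSPECT:
            if pattern.search(line):
                findings.append((number, reason))
    return findings


def check_wp_config(text):
    """(line, reason) findings for wp-config.php: blank-line gaps and any
    statement after the wp-settings.php include."""
    findings = gap_findings(text)
    lines = text.split("\n")
    end = next((i for i, l in enumerate(lines, 1) if WP_SETTINGS_RE.search(l)), None)
    if end is None:
        findings.append((0, "wp-settings.php include not found; file may have been rewritten"))
        return findings
    for number in range(end + 1, len(lines) + 1):
        stripped = lines[number - 1].strip()
        if stripped and not stripped.startswith(("//", "#", "/*", "*", "?>")):
            findings.append((number, "code after the wp-settings.php include: " + stripped[:60]))
    return findings


# Constructed samples: a stock WordPress .htaccess and a minimal wp-config.php,
# each with a tampered twin that hides its payload behind a run of blank lines.
CLEAN_HTACCESS = """# BEGIN WordPress
<IfModule mod_rewrite.c>
RewriteEngine On
RewriteBase /
RewriteRule ^index\\.php$ - [L]
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteRule . /index.php [L]
</IfModule>
# END WordPress
"""
TAMPERED_HTACCESS = CLEAN_HTACCESS + "\n" * 300 + """RewriteCond %{HTTP_REFERER} (google|bing|yahoo) [NC]
RewriteRule ^(.*)$ http://bacxwq.ru/in.php [R=301,L]
"""
CLEAN_WP_CONFIG = """<?php
define( 'DB_NAME', 'putyourdbnamehere' );
define( 'DB_USER', 'usernamehere' );
define( 'DB_PASSWORD', 'yourpasswordhere' );
define( 'DB_HOST', 'localhost' );
$table_prefix = 'wp_';
if ( ! defined( 'ABSPATH' ) ) {
\tdefine( 'ABSPATH', __DIR__ . '/' );
}
require_once ABSPATH . 'wp-settings.php';
"""
TAMPERED_WP_CONFIG = CLEAN_WP_CONFIG + "\n" * 200 + "@include_once 'wp-content/uploads/2022/08/.cache.php';\n"

if __name__ == "__main__":
    for name, result in [(".htaccess", check_htaccess(TAMPERED_HTACCESS)),
                         ("wp-config.php", check_wp_config(TAMPERED_WP_CONFIG))]:
        for line, reason in result:
            print("%s line %d: %s" % (name, line, reason))
```

The referer/user-agent condition is worth singling out: a redirect that fires only for visitors arriving from a search engine is exactly why the text says you may never see the problem yourself while Google does.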

Check index.php file

In this file the malicious code is generally added between:



So delete everything between these two lines of code.

Check all downloadable files

Check all the files which can be downloaded from your website. Sometimes hackers alter these files to add malicious code.

Also, look for and remove the following files from your web server. They are all malicious files of one sort or another, used to deliver malware:

  1. wp-includes/xmlrpc.php
  2. wp-includes/css/css.php
  3. wp-includes/css/style.php
  4. /wp-includes/js/jquery/jquery.js
  5. /wp-content/upd.php
  6. /wp-content/themes/[theme’s name]/temp/e9815adced6d3.php (or similar)
  7. wp-admin/upd.php
  8. Remove all the image files, zip files and other files that are no longer required. They could have been compromised.
  9. Remove all the plugins which are no longer used. These plugins could have been compromised.
  10. Remove all those WordPress themes (from the /wp-content/ folder) which are not used anymore.

Note: Use the Robotto tool to monitor any changes in your robots.txt file.
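The comparison recommended in ‘Check folders for malicious files on your web server’ and the file list above both come down to the same two questions: which files on the server are not in the fresh WordPress download, and which core files differ from it? The Python script below is an added example (not from the original post) that answers both by hashing the two trees with SHA-256, and separately lists PHP files under wp-content/uploads, where nothing executable belongs. A file that matches the download byte for byte, such as an unmodified wp-includes/js/jquery/jquery.js, is reported as neither extra nor modified, which is the check to make before deleting anything from the list. The trees and file contents produced by build_demo() are constructed for illustration.

```python
import hashlib
import os
import tempfile

# Core directories are compared against the pristine download; wp-content
# holds your own themes, plugins and uploads and is checked separately.
CORE_SKIP = {"wp-content"}
# Files that are legitimately on the server but not in the download.
EXPECTED_EXTRA = {"wp-config.php", ".htaccess", "favicon.ico", "robots.txt"}


def sha256_of(path):
    h = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def index_tree(root, skip=CORE_SKIP):
    """Map 'relative/path' -> sha256 for every file under root."""
    index = {}
    for dirpath, dirnames, filenames in os.walk(root):
        rel_dir = os.path.relpath(dirpath, root)
        if rel_dir == ".":
            dirnames[:] = [d for d in dirnames if d not in skip]
            rel_dir = ""
        for name in filenames:
            rel = os.path.join(rel_dir, name).replace(os.sep, "/")
            index[rel] = sha256_of(os.path.join(dirpath, name))
    return index


def compare_with_pristine(pristine_root, server_root):
    """Extra files (server only), modified files (same path, different hash)
    and missing files (download only), ignoring EXPECTED_EXTRA."""
    pristine, server = index_tree(pristine_root), index_tree(server_root)
    return {
        "extra": sorted(set(server) - set(pristine) - EXPECTED_EXTRA),
        "modified": sorted(f for f in set(server) & set(pristine) if server[f] != pristine[f]),
        "missing": sorted(set(pristine) - set(server)),
    }


def php_under_uploads(server_root):
    """PHP files below wp-content/uploads; nothing executable belongs there."""
    hits = []
    base = os.path.join(server_root, "wp-content", "uploads")
    for dirpath, _, filenames in os.walk(base):
        for name in filenames:
            if name.lower().endswith((".php", ".phtml", ".php5")):
                rel = os.path.relpath(os.path.join(dirpath, name), server_root)
                hits.append(rel.replace(os.sep, "/"))
    return sorted(hits)


def build_demo():
    """Constructed trees: a 'download' and a 'server copy' with one altered
    core file, one planted file and one PHP file in uploads."""
    root = tempfile.mkdtemp()
    files = {
        "pristine/wp-includes/version.php": "<?php $wp_version = '6.0';",
        "pristine/wp-includes/js/jquery/jquery.js": "/* jQuery */",
        "pristine/wp-config-sample.php": "<?php define('DB_NAME', 'x');",
        "server/wp-includes/version.php": "<?php $wp_version = '6.0'; // tampered",
        "server/wp-includes/js/jquery/jquery.js": "/* jQuery */",
        "server/wp-includes/css/css.php": "<?php // planted",
        "server/wp-config-sample.php": "<?php define('DB_NAME', 'x');",
        "server/wp-config.php": "<?php define('DB_NAME', 'blog');",
        "server/wp-content/uploads/2022/08/photo.jpg": "jpegdata",
        "server/wp-content/uploads/2022/08/.cache.php": "<?php // planted",
    }
    for rel, content in files.items():
        path = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w") as fh:
            fh.write(content)
    return os.path.join(root, "pristine"), os.path.join(root, "server")

if __name__ == "__main__":
    pristine, server = build_demo()
    print(compare_with_pristine(pristine, server))
    print("PHP in uploads:", php_under_uploads(server))
```

In practice pristine_root is the unpacked download of the same WordPress version the site runs (check wp-includes/version.php on the server first, since a different version makes almost every core file show up as modified), and server_root is the copy you pulled down over FTP.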

Check your plugins for using Timthumb

TimThumb is a PHP script used to resize images in blogs. The script is not malicious on its own but is commonly used by hackers as a delivery mechanism for malware.

Some WordPress plugins use Timthumb and are therefore vulnerable to being compromised by hackers.

Use the ‘TimThumb Vulnerability Scanner’ WordPress plugin to identify those WordPress plugins which use Timthumb.

You should either remove such plugins or update them to the latest version.


The TimThumb scanner plugin scans your /wp-content/ folder to find any instances of outdated or insecure versions of the TimThumb script, which can be abused by hackers to deliver malware.

Once you have installed this plugin, make sure that you use it by going to ‘Tools menu > Tim Thumb Scanner’ and then click on the ‘scan’ button.

This plugin doesn’t automatically start working once you have installed it.

Check for hidden administrators on your website

Check for users who have admin privileges but whom you don’t recognize. Sometimes hackers gain admin rights in order to insert malicious code/files onto your server.

If you find such administrators, delete them.
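The Users screen only shows what the database says, and a planted account can be named to blend in, so it is worth pulling the list of administrators straight from the tables. WordPress keeps a user's roles in the usermeta row whose meta_key is <table prefix>capabilities, as a PHP-serialized array such as a:1:{s:13:"administrator";b:1;}. The Python below is an added example, not from the original post: it runs the query against the users and usermeta tables, parses the serialized roles (so that an old entry with b:0 is not counted), and lists every administrator not on your known list. It uses an in-memory SQLite database with constructed rows as a stand-in for MySQL; against the real site, connect to MySQL with the credentials from wp-config.php and reuse the same query.

```python
import re
import sqlite3

# Role names whose flag is true in WordPress's serialized capabilities array.
ROLE_RE = re.compile(r's:\d+:"([^"]+)";b:(0|1);')

ADMIN_QUERY = """
SELECT u.ID, u.user_login, u.user_email, u.user_registered, m.meta_value
FROM {p}users AS u
JOIN {p}usermeta AS m ON m.user_id = u.ID
WHERE m.meta_key = '{p}capabilities' AND m.meta_value LIKE '%administrator%'
ORDER BY u.ID
"""


def roles_from_capabilities(serialized):
    """Set of role names whose flag is b:1 in the serialized array."""
    return {role for role, flag in ROLE_RE.findall(serialized) if flag == "1"}


def find_unexpected_admins(conn, known_admins, prefix="wp_"):
    """Accounts holding the administrator role that are not in known_admins."""
    rows = conn.execute(ADMIN_QUERY.format(p=prefix)).fetchall()
    unexpected = []
    for uid, login, email, registered, caps in rows:
        if "administrator" in roles_from_capabilities(caps) and login not in known_admins:
            unexpected.append({"ID": uid, "login": login, "email": email, "registered": registered})
    return unexpected


def build_demo_db():
    """In-memory SQLite stand-in for the MySQL tables, with constructed users:
    the real admin, an editor, an old admin whose role flag is off, and two
    accounts nobody remembers creating (note the registration timestamps)."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE wp_users (ID INTEGER PRIMARY KEY, user_login TEXT,
                               user_email TEXT, user_registered TEXT);
        CREATE TABLE wp_usermeta (umeta_id INTEGER PRIMARY KEY, user_id INTEGER,
                                  meta_key TEXT, meta_value TEXT);
        INSERT INTO wp_users VALUES
          (1, 'admin', 'owner@example.com', '2015-03-01 10:00:00'),
          (2, 'jane', 'jane@example.com', '2018-06-12 09:30:00'),
          (3, 'old_admin', 'old@example.com', '2016-01-20 08:00:00'),
          (4, 'wp-support', 'support@bacxwq.ru', '2022-08-19 03:12:44'),
          (5, 'backup_sys', 'b@example.net', '2022-08-19 03:13:01');
        INSERT INTO wp_usermeta (user_id, meta_key, meta_value) VALUES
          (1, 'wp_capabilities', 'a:1:{s:13:"administrator";b:1;}'),
          (2, 'wp_capabilities', 'a:1:{s:6:"editor";b:1;}'),
          (3, 'wp_capabilities', 'a:2:{s:13:"administrator";b:0;s:10:"subscriber";b:1;}'),
          (4, 'wp_capabilities', 'a:1:{s:13:"administrator";b:1;}'),
          (5, 'wp_capabilities', 'a:2:{s:6:"editor";b:1;s:13:"administrator";b:1;}');
    """)
    return conn

if __name__ == "__main__":
    for user in find_unexpected_admins(build_demo_db(), known_admins={"admin"}):
        print("unexpected administrator:", user)
```

Two things to read off the result besides the login name: the registration time (accounts created minutes apart in the middle of the night are a strong hint) and the e-mail address, which is also the address that would receive a password reset for that account.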

Find backdoors and remove them

Once your website gets hacked, the very first thing that happens is the installation of malicious code called a ‘backdoor’. Backdoors are built so that a hacker can use them to regain access to your site.

Sometimes several backdoors are installed, in case one is lost in a manual removal or upgrade.

If your website has ever been hacked, there is always a possibility that a backdoor is still installed on it which can be used to regain access.

You need to check each and every WordPress template file, plugin and the database to find such backdoors. But this is very time consuming and not very effective.

If you miss something, you leave the backdoor open for hackers.

What I suggest is that you take a backup of your theme files, database and other important files (like .htaccess, robots.txt, wp-config.php) and then delete all the files, plugins and folders in your WordPress directory.

Completely delete the entire directory structure your blog is in and then install the fresh and latest version of WordPress.

Don’t rely on reinstalling or upgrading WordPress. While reinstalling/upgrading may replace files containing malicious code with fresh copies, it does not always remove the malicious files which have already been placed on your web server.

Scan your theme files, database file, and other important files through anti-virus/ anti-malware software installed on your system before you upload them back on your web server.

I recommend ‘Spybot Search and Destroy’.

Change your web hosting service provider

This is what I did after GoDaddy made me learn every trick in the book to get rid of malware.

When you ask GoDaddy to help you with removing malware, you get the following pathetic copy-paste response from them:

We cannot assist you with removing malware from your server.

Consider taking your site down immediately to prevent infecting visitors, and take action quickly to identify/remove it. – LOL GoDaddy

To annoy you even further, they never forget to add the following line at the end of each email:

Please let us know if we can assist you in any other way



Online Support Technician

Sometimes vulnerabilities lie with the web hosting service provider. These vulnerabilities can be in the form of server misconfiguration or security loopholes in the hosting platform which make your website vulnerable to being abused by the hackers again and again.

Choose a web host that is local (so that you can easily call them in case of emergency) and is a medium-sized business.

Avoid web hosts that boast of having tens of thousands of clients. Their turnaround time is painfully slow and to be honest, the majority of them don’t care about you.

If you run a WordPress website, choose a host that specializes in WordPress hosting. This can help you a lot in sorting out specific WordPress issues. You will deal with staff that are well versed in WordPress.

Avoid using shared hosting if possible.

Shared hosting accounts are nowhere as safe as dedicated hosting accounts.

The ultimate solution – penetration testing

Even if you follow all the steps explained so far to remove malicious code/files from your website there is still no guarantee that your website cannot be hacked again.

Hackers can create new backdoors to regain access by exploiting security loopholes in your WordPress theme, hosting platform or network.

To prevent your website from getting hacked again, you need to hire a person/company that is an expert in penetration testing. These guys will evaluate the security of your WordPress theme, hosting platform and network by deliberately exploiting the security vulnerabilities.

Such type of testing is also known as ethical hacking because the testers act as hackers to find security loopholes in your website.

Penetration testing is a one-time fee and it can help you greatly in preventing further malware attacks.

Once you feel confident that your website is free from malware, change all your passwords, WordPress security keys and salts once again. Remove the ‘website maintenance page’ and make your website live.

Submit a request in Google webmaster tools to review your website by going to Health > Malware > Request a Review.

Within a day or so, Google will remove the malware warning from your website, provided it can’t detect any malware.

Otherwise, the malware warning will remain and you will be notified via the Google Webmaster Tools ‘Review Status’.

Secure your email accounts from getting hacked

If your domain name/hosting is registered via Google/Yahoo e-mail account then you must make sure that you can recover them in case they are hacked.

Add security questions, alternative email address and phone numbers to your email account so that you can recover them in case the password is changed.

Someone hacked my old yahoo email account (which was registered with a domain name) and I wasn’t able to recover it because I didn’t remember the answer to my security question, I didn’t add any phone number and the hacker also hacked my alternate email address.

Had I added a phone number to my email account, I would have recovered that email account.

Scan your computer regularly

Scan your computer regularly to find and remove malicious files, Trojans, and viruses. Sometimes your website files get infected /re-infected due to malware present on your computer hard disk.

Note: There is a common misconception among webmasters that they can stop malware bots via robots.txt. Malware/spam bots ignore robots.txt.

Last but not least – use ‘CodeGuard’

I am not an affiliate of CodeGuard but I am a fan. CodeGuard is the only service I have found useful so far to diagnose malware issues on time.

Whenever it detects any change in your website code, it automatically takes a new backup and alerts you via email.

You will get email alerts when you add a new blog post because there is the addition of a file(s) on your web server. You will get email alerts when you add/remove plugins because again there is addition/removal of a file(s) on your web server. And of course, you will get email alerts if someone secretly adds a malicious file on your web server.

You should pay special attention to these emails and never overlook them. I did it and paid the price.

Look for any changes which look malicious or unfamiliar. For example, if a file like css.php is added somewhere on your web server, you should immediately find and remove it, because it is not a standard WordPress file and is most probably malware.



About the Author

Himanshu Sharma

  • Founder,
  • Over 15 years of experience in digital analytics and marketing
  • Author of four best-selling books on digital analytics and conversion optimization
  • Nominated for Digital Analytics Association Awards for Excellence
  • Runs one of the most popular blogs in the world on digital analytics
  • Consultant to countless small and big businesses over the decade

