How I Removed Malware From my WordPress Site

So, a strange thing happened yesterday. Like every other day, I went to my office and open TechWiser, first thing in the morning. But, when the site finished loading, I was shocked to see dozens of spam links all over the web page. These URLs were linking to shady torrent sites and making the entire blog unreadable to visitors.


At first, this was a bit confusing. I was unable to figure out how this could have happened. I have taken all the basic precautions, like enabling 2-factor authentication for WordPress login and using popular security plugin, which makes it difficult for anyone to hack website from outside. So, the culprit has to be someone from inside, like a plugin, theme or SQL injection of some sought.

This usually happens, if you are using free plugins or themes and the owner has pushed a malicious update to make quick money. Or sometimes, a hacker is simply doing it for fun. And they usually do this by modifying the PHP or javascript file, by pushing an update.

Malware attack is a serious problem. It can happen to any website and if it happens, you need to respond quickly. So, it’s always good to have the information handy.

Now, I am no malware removal expert but after having a first-hand experience and spend the entire day researching it, I do know a thing or two about it. And here I’ll share what I have learned so far. Like things you should do, precautions you should take and most importantly how you should respond step by step. So let’s get started.

If your site has a malware:
– you’ll see shady links,
– the users will be redirected to different URL,
– the web browser will give a warning,
– search engines will blacklist your website.

Usually, if your website has malware, you’ll see it right away. And you can confirm it with Google Safe Browsing. But sometimes, the impact of malware is not visible in plain sight. For instance, the spam links will be hidden inside other links. In such cases, you need a crawler to check every outbound links on your site. I use screaming frog SEO spider for that.


Once you are sure, there is malware, here is how you can remove it.

Remove Malware for WordPress

1. The first thing you need to do is, change all your passwords (WordPress, FTP, and web hosting, etc) to something more complex. In my case, I use 2FA authentication with my password, so there is no way, someone has got access from the front gate but I update my password anyway.

2. Next, you can restore the backup, to temporary solve the problem. And, if you don’t have any current backup, take one immediately. Because some malware can delete the entire website or corrupt your database. Even your hosting provider can shut down a website if they detect malware, especially on shared hosting.

However, restoring the backup is just a temporary solution. Even if you rollback to the previous day, chances are, your files may still contain that malicious code in it. So, you need to make sure, everything is clean.

3. Now, to find where the malware is coming from, start by checking the source code of your website. Press CTRL+F and look for any piece of javascript of a PHP file, that you can’t identify. If you find something shady, look for the plugin or theme it’s linking to and delete it.

Though, this easier said than done. If you don’t have a programming background, it’ll be hard to read the source code and most hackers do not leave any footprints.

4. Next, you can try, disabling all the plugins one by one, and see if the malware is gone. Use incognito or do a hard refresh (CTR + Shift + R) to see the changes. If nothing happens, repeat this with your theme. That’s uploading a fresh copy of your theme downloaded from the original source and use live preview to see changes. If the malware is gone, then the problem is with your current theme. Change that.

5. Disabling plugins are not enough. Because they often leave leftover files. So, you need to completely delete all unused plugins, themes, or anything on your web server that don’t recognize, like a zip file. Though, make sure you have the backup before you do that and then use an FTP client.

Delete plugins with filezilla

Deleting plugins or inactivated themes, won’t have any major impact on your site functionality. For instance, if you delete the YARRP plugin, there will be no related post at the end of the article, but everything else will function properly.

6. You can also contact your hosting provider and ask them for help. However, in my case, this didn’t work. I have a fully managed VPS from HostGator, but they quote me $37, just to find the root cause. That’s definitely too high, so I didn’t go take this route.

7. Another popular way to scan malware is by using malware detection plugins. There are many free ones in the WordPress repository. I tried Anti-malware for goals one, which gave me a lot of fake warnings. And when I deleted those files nothing happens.


8. Finally, after 3 hours of trying every free workaround, I eventually brought the sucuri business plan. It cost me $225 (after discount) for one year.

So this is how it works, you buy a plan from them. The minimum subscription is for one year, and there is no free trial. Now, once you pay for the subscription, you need to log in to your account and open a new ticket. A person will be assigned to you, who will ask for your web server and FTP details and then they will solve your issue in the time frame according to your plan.

And fortunately, this works out for me. Securi team removed all the malware from my site within 12 hours (though my plan was for 6 hours). All the torrents links were gone and other than that, there were no changes in the site functionality.

securi wordpress security

Next, you need to enable cloud proxy firewall to prevent future attacks. It’s included in every plan. To do this, you need to replace your nameserver with theirs, so that all the traffic goes through them. If you are not sure how to do that, they can do it for you.

What next?

Once all the malware are gone, you need to —

Update your WordPress version, plugins, and themes

Never installed free themes or plugins, in the future. If you really need it, only use the one from the popular developer, who has set the monetization model.

Check if your site is safe by using Google safe browsing. If there is malware error on your site, request a review from google webmaster tool.

Take a fresh backup. I have switched from free BackWPup to paid Vaultpress plugin. For $5/month, they provide the best backup service in the industries. Totally worth it.

Vaultpress backup for wordpress

Closing words

Malware is bad and you need to remove them fast. Or you’ll lose your daily revenue and Google will also blacklist your website. This is both short and long-term loss. So, if there is a malware attack on your site, solving it should be your first priority.

Now, If you are lucky enough, the free tools will be able to remove malware. But if that doesn’t work, then don’t waste your time and get professional help ASAP.

Sucuri is one of the best services for removing malware. Although their service is pretty expensive, it’s worth it in the long run. You get a piece of mind, knowing your website is secure from any attacks and concentrate on what you are good at.

About Mrinal Saha

Mrinal is a tech geek who spends half of his day reading and writing about tech. While the nights are spent on shooting or editing YouTube videos. Feel free to geek out with him on-