Did you know over 70% of WordPress websites are vulnerable to security breaches because of the wide variety of third-party themes, plugins, and custom code they run?
Only about 1% of all sites may be actively infected with malware at any moment, but even a single breach can disrupt traffic, jeopardize data, or mine cryptocurrency in your visitors’ browsers.
In this step-by-step tutorial, you’ll learn how to remove malware from your WordPress site safely. We’ll walk through backups, scanning, file cleanup, database sanitization, and steps to lock down your setup.

1. Back Up Your Site

Before you dive into removal, back up your entire site. This safety net lets you restore everything if something breaks.

Back Up Files

  • Connect via SFTP or SSH and download the wp-content folder plus any custom directories
  • Or install a backup plugin like UpdraftPlus to automate file backups

Back Up the Database

  • Use phpMyAdmin to export your full database as an SQL file
  • Or run WP-CLI from your terminal:
      wp db export backup.sql

Always verify your backups before proceeding.

2. Scan for Malware


Next, run a WordPress malware scan to pinpoint infected files.
If you need a scanner that won’t slow down your site, pick one of the options below.

Install a Scanner

  • MalCare (signal-based detection, zero performance impact)
  • Wordfence (free scanner with premium firewall)
  • Sucuri Security (premium malware removal service)
  • Astra Security Suite (scheduled scans, manual cleanups)
  • CleanTalk Security (basic scanner)

Run a Malware Scan

  1. Activate your chosen plugin
  2. Start a full site scan
  3. Review the report and note any infected file paths

3. Remove Infected Files

Now you’ll remove the malicious code that’s hiding on your server. This is the core of WordPress malware removal.

Delete Unauthorized Code

  • Connect via SFTP and navigate to each infected file path
  • Open files in a code editor and delete suspicious snippets (usually inserted between <?php and ?> tags)
  • If you’re unsure, overwrite the file with a fresh copy from WordPress.org

Replace Compromised Plugins and Themes

  • Delete any nulled or pirated plugins and themes from wp-content/plugins/ and wp-content/themes/
  • Download clean versions from official sources
  • Reinstall via your WordPress dashboard

4. Clean the Database

Malware often hides in your database, setting up redirects or injecting spam links. Cleaning it fixes those issues.

Identify Malicious Entries

  • In wp_users, look for unexpected admin accounts
  • In wp_options, search for spammy URLs or base64-encoded code
  • In wp_posts, check for unauthorized <iframe> or <script> tags

Run SQL Cleanup Queries

Test these queries against a copy restored from your backup before running them on live data:

-- Removes every option whose name contains "spam"; review the matches first, since the pattern is broad
DELETE FROM wp_options WHERE option_name LIKE '%spam%';
-- Replace the injected tag with an empty string; substitute the exact snippet found in your scan report
UPDATE wp_posts
SET post_content = REPLACE(post_content, '<iframe malicious code>', '');
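The checks listed under "Identify Malicious Entries" and the cleanup queries above can be previewed with read-only queries first. The following is an added example, not part of the original guide; it assumes the default wp_ table prefix (adjust the table names and the wp_capabilities meta key if your wp-config.php uses another prefix).

```sql
-- Added example: read-only queries that surface the indicators from section 4
-- before any DELETE or UPDATE touches live data. Assumes the default wp_ prefix.

-- 1. Accounts holding the administrator role. The role is stored in wp_usermeta
--    (meta_key = '<prefix>capabilities'), not in wp_users, so join the two.
SELECT u.ID, u.user_login, u.user_email, u.user_registered
FROM wp_users AS u
JOIN wp_usermeta AS m
  ON m.user_id = u.ID
 AND m.meta_key = 'wp_capabilities'
WHERE m.meta_value LIKE '%administrator%'
ORDER BY u.user_registered DESC;

-- 2. Options whose value carries base64 decoding, eval(), or injected tags.
--    LEFT() keeps the preview short; inspect the full value for any hit.
SELECT option_id, option_name, LEFT(option_value, 120) AS preview
FROM wp_options
WHERE option_value LIKE '%base64_decode%'
   OR option_value LIKE '%eval(%'
   OR option_value LIKE '%<script%'
   OR option_value LIKE '%<iframe%';

-- 3. Published posts and pages containing <iframe> or <script> tags,
--    most recently modified first, so a mass injection stands out.
SELECT ID, post_title, post_type, post_modified
FROM wp_posts
WHERE (post_content LIKE '%<iframe%' OR post_content LIKE '%<script%')
  AND post_type IN ('post', 'page')
  AND post_status = 'publish'
ORDER BY post_modified DESC;

-- 4. Exactly what the DELETE in the guide would remove: run this first and
--    confirm no legitimate plugin option (anti-spam settings, for example) matches.
SELECT option_name, LEFT(option_value, 80) AS preview
FROM wp_options
WHERE option_name LIKE '%spam%';
```

Run each SELECT through phpMyAdmin or `wp db query` and record the IDs it returns; then restrict the DELETE and UPDATE statements to those specific rows instead of the broad patterns.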

5. Update and Secure

With a clean site, it’s time to lock down vulnerabilities so this doesn’t happen again.

Update WordPress Core, Plugins, Themes

  • Go to Dashboard > Updates
  • Apply all available updates
  • Remove any plugins or themes you no longer use

Strengthen Security Measures

  • Change all passwords to strong, unique ones
  • Install a firewall plugin like Wordfence or Sucuri
  • Enable two-factor authentication for admin users
  • Review the WordPress security checklist for more hardening tips

Congratulations, you’ve successfully removed malware from your WordPress site. Got questions or a tip of your own? Share it in the comments below and be sure to bookmark this guide.