UnderHost
Knowledgebase Docs

WordPress malware cleanup: hacked site recovery

Identify, remove, and recover from a WordPress malware infection. Step-by-step cleanup process, how to prevent re-infection,


A hacked WordPress site needs immediate attention. The longer malware is active, the more damage it can do: sending spam, infecting visitors, or getting your domain blacklisted by Google. Here's how to identify, clean, and recover.

Signs your WordPress site is hacked

  • Site redirects visitors to spam or phishing pages
  • Google Chrome shows "This site may harm your computer"
  • Google Search Console flags your site for malware
  • Your hosting account is sending large amounts of email
  • New admin users appeared that you didn't create
  • New .php files in unexpected locations (especially uploads folder)
  • Site is slow or serving strange content intermittently
  • Your IP or domain appears on spam blacklists

Before you start

  • Change all passwords immediately: WordPress admin, cPanel, FTP, database users, email accounts
  • Take a backup of the current (infected) state before cleaning; it is useful for forensic analysis
  • Put the site in maintenance mode to protect visitors while you clean

Identifying the infection

Run a scan:

  • Install Wordfence and run a full malware scan
  • Check cPanel → the malware scanner included with your plan (Imunify 360 on shared hosting; ImunifyAV+ or Imunify360 on supported VPS/dedicated plans)
  • Run a ClamAV scan via SSH: clamscan -r --bell -i /home/username/public_html

Check for suspicious files:

$ find /home/username/public_html -name "*.php" -newer /home/username/public_html/wp-config.php

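This shows PHP files modified more recently than wp-config.php. Review unexpected files, especially anything in wp-content/uploads/ (PHP shouldn't be there). Modification times can be changed after the fact, so treat the result as a starting point rather than a complete list.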

Cleaning the infection

The most reliable method is a clean reinstall:

  1. Export your database

    Export your database via phpMyAdmin. Scan it for malicious JavaScript (look for <script tags or base64-encoded strings in post content).

  2. Download and keep only clean files

    Keep a copy of your wp-content/uploads and your theme files (after scanning them). Delete everything else from public_html.

  3. Install a fresh WordPress

    Upload a fresh WordPress download and install from scratch. Use Softaculous in cPanel or install manually.

  4. Install a clean theme

    Install your theme fresh from WordPress.org or the developer's site, not from your backup. If you use a custom theme, scan every file manually before restoring it.

  5. Reinstall plugins from official sources

    Install each plugin fresh from WordPress.org. Never reinstall plugins from your infected backup.

  6. Import your content

    Import your cleaned database. Scan post content for any injected code first.
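
The scans called for in steps 1, 2 and 6, as an added example (not UnderHost's own tooling): the script lists PHP-executable files in the uploads copy you kept and flags database-dump lines containing <script tags, base64 decode calls, or long base64 runs. The function names, the extensions checked beyond .php, the 120-character threshold, and the sample data are assumptions made for this example.

```bash
#!/usr/bin/env bash
# Added example: pre-restore checks for the clean-reinstall steps.
# Function names, the 120-character threshold and the sample data are assumptions.

# List files in the kept uploads copy that a web server may execute as PHP.
find_upload_php() {
  find "$1" -type f \( -iname '*.php' -o -iname '*.php[0-9]' \
    -o -iname '*.phtml' -o -iname '*.phar' \) -print | sort
}

# Print "line:reason" for dump lines holding a <script tag, a base64 decode
# call, or an unbroken run of 120+ base64-alphabet characters. Hits are
# candidates for manual review: legitimate embeds and inline images match too.
scan_sql_dump() {
  {
    grep -niE '<script' "$1" | cut -d: -f1 | sed 's/$/:script-tag/'
    grep -niE 'base64_decode|atob[[:space:]]*\(' "$1" | cut -d: -f1 |
      sed 's/$/:base64-decode-call/'
    grep -nE '[A-Za-z0-9+/]{120,}' "$1" | cut -d: -f1 |
      sed 's/$/:long-base64-run/'
  } | sort -t: -k1,1n -k2,2
}

# Write a constructed sample (harmless placeholders, not real malware) into $1.
make_sample() {
  mkdir -p "$1/uploads/2024/05"
  : > "$1/uploads/2024/05/photo.jpg"
  : > "$1/uploads/2024/05/cache.php"
  : > "$1/uploads/2024/05/thumb.PhTml"
  blob=$(printf '%0160d' 0 | tr 0 A)   # 160-character stand-in for a payload
  cat > "$1/dump.sql" <<EOF
INSERT INTO wp_posts VALUES (1,'Hello','<p>Welcome to the site.</p>');
INSERT INTO wp_posts VALUES (2,'About','<p>Us</p><SCRIPT src="//example.invalid/x.js"></SCRIPT>');
INSERT INTO wp_options VALUES (9,'widget_text','atob("$blob")');
EOF
}

# Usage: script.sh <uploads_dir> <dump.sql>   or   script.sh --demo
if [ "$1" = "--demo" ]; then
  tmp=$(mktemp -d) && make_sample "$tmp"
  set -- "$tmp/uploads" "$tmp/dump.sql"
fi
if [ "$#" -eq 2 ]; then
  echo "== PHP-executable files in uploads =="; find_upload_php "$1"
  echo "== Suspicious dump lines ==";           scan_sql_dump "$2"
fi
```

SQL exports often place many rows on a single INSERT line, so a reported line number narrows the search to a statement rather than to one post.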

Preventing re-infection

  • Keep WordPress, plugins, and themes updated
  • Use a security plugin (Wordfence)
  • Set correct file permissions (see Securing WordPress)
  • Use strong, unique passwords for all accounts
  • Enable 2FA on the admin account
  • Remove unused themes and plugins
  • Set up daily automated backups

When to contact support

Open a Technical Support ticket if:

  • You're unable to remove the malware manually
  • Your account has been suspended due to malware sending spam
  • Your cPanel password has been changed by the attacker
  • You need help identifying the infection vector from server logs