How to Remove Malware from WordPress

To clean up a WordPress site has never been an easy task for anyone. Above that, with Google enforcing a 30-day ban on site reviews in order to prevent repeat offenders from spreading malware have made cleaning up a hacked site thoroughly important. It is highly recommended that you clean your WordPress site professionally to make sure that your website remains safe and secured. In fact, there’s a comprehensive step-by-step guide for that.

What is it? 

Read on

Step #1

Deep scanning of your computer

If there’s any malware in your computer then it can infect your WordPress is a very serious way. With a virus in your system, it can definitely cause leakage of your FTP password. This is actually a pretty common problem. Hence, the first thing is first and that is nothing but scanning your computer intensely with any premium quality antivirus software. It is the foremost step without which it is not possible to remove malware from WordPress. 

Step #2

Change your C Panel/FTP Password

After the first step, now your computer is completely virus free. Your next step should be changing your cPanel and FTP password. Here, you must ensure that your password is a random one which is a perfect amalgamation of one special character, multiple lower and uppercase letters as well as numbers.

How to Remove Malware from WordPress Step By Step Guide

Step #3

Download WordPress

You are now supposed to download the latest and fresh version of WordPress from its official site. Make sure that you are not using any other website to download the WordPress version.

Step #4

Extract required files

Now, it’s time to extract files which are important to you from the zip or tar.gz which is downloaded in your computer. Leave these files as such for a while. You’ve to come back to them later on.

Step #5

Get the malware infection removed

You need to now login to your FTP or cPanel > File Manager. The WordPress installation files existing on your web host will be somehow visible to you like this:

wp-admin

wp-content

wp-includes

index.php

license.txt

readme.html

wp-activate.php

wp-blog-header.php

wp-comments-post.php

wp-config.php

wp-config-sample.php

wp-cron.php

wp-links-opml.php

wp-load.php

wp-login.php

wp-mail.php

wp-settings.php

wp-signup.php

wp-trackback.php

xmlrpc.php

Just delete everything that you will find there except the wp-content folder and wp-config.php file. After doing so, your installation will be like:

Wp-content

Wp-config.php

Next, you need to click on and do required edits in the wp-config.php file. Here, it is essential to keep in mind that there are no strange codes or anything unusual present. In case, if there is a malware present, it will seem to be a long string of random text. Keep in mind to compare it to the wp-config-sample.php file for being doubly ensured.

After that, your wp-content folder should be like :

plugins

themes

uploads

index.php

Make a listicle of all the WordPress security plugins that you are using now. All that you need to do is just remove the plugin folder and index.php file. It is required for you to re-install your plugins again after the cleaning process is done.

Further, you need to go into the themes folder and remove any such theme which you aren’t using anymore. Now, it’s time for you to check each file individually in your current theme and ensure that there remains not a bit of malware or strange codes in them.

If there’s a clean backup of your theme kept somewhere then you should delete the entire folder to be on the safer side. Don’t forget to check each and every directory which is present inside your uploads folder to ensure that you’re not missing any php file or something which you’ve not uploaded.

Step #6

Upload WordPress again

So, you’ve extracted some fresh WordPress files in the 4th step and now it’s the time to get them uploaded via FTP. In case, you’ve removed your theme then this is the step when you must upload all your clean backup theme files.

Step #7

Change the password for WordPress Admin

Finally, you are now able to access your dashboard. So, you have got a chance to change your admin password. Make sure that you are always using a random hard to guess the password. Be cautious that you are not using something very basic. Otherwise, it will again increase the chance of getting hacked.

How to create a strong and unique password?

Just pick up an uncommon phrase with at least 3 or more words. A strong password always comprises of uncommon words, 1 number (minimum), 1 special character, and a perfect mix of lower and upper case characters.

Step #8

Get rid of Google Warning

Now, your site is a safe one which is free from any malware. It’s time to submit the website to Google for removing the warning which says, “This site may harm your computer.” In the end, simply make a login or register at Google Webmaster Tools. Add your website, click ‘Health’ and then click ‘Malware’. Finish off the process while requesting for a review. That’s it!

Over to You

To keep your WordPress site safe from any harmful malware is not rocket science! Just keep the major intricacies in your mind and be technically sound enough to take the aforementioned strides. You will end up with the safest WordPress site for your business that you could ever think of.

Leave a Reply