Ad goes here

Wednesday, 21 April 2021

How to remove malware from WordPress site?

Important steps to remove malware, spam, injected script.

Remove malware from WordPress

If you notice any strange text injected in your website pages or showing malware attack when you are visiting your own site, you should immediately perform a scan on your site to check for an infection.

The scan will generate reports which help to remove malware scripts. Here are the steps which you need to follow to remove malware. I have also included top WordPress security tips which I generally use to protect website against hackers and malware.

Steps for removing malware:
  • Scan your site using and
  • Review the warning message from the search result
  • Login into your server using FTP or Control Panel
  • Find the files based on warning message and edit/ remove as per needs.
  • Note the files name that have been recently modified and replace them from recent backup.
  • Core WordPress files should never be modified, so you need to check wp-admin, wp-includes and root files for recent changes. If you found any recent modification then please replace them from the fresh core files or compare them before replace.
  • Login into your database and open table that contain suspicious content and manually remove suspicious content. You may find unwanted JS code in the content which redirect pages most of the time.
  • Login into admin and check users and if you found suspicious users please delete them.
  • Please fill review request form in Google Search Console after remove all malware and make site accessible.

Note: Before making any changes please take a backup of your site and database.

Screenshot from scan portal for your reference:

Scan for Malware from Sucuri
Scan for malware from Google safe browsing
Some of the tips which will help to avoid malware attack in the future.
  • Change all credential details for Admin, FTP and Database.
  • Update WordPress, Theme and Plugins version
  • Don’t use ‘admin’ for user name and use strong password only.
  • Enable WordPress firewall using sucuri plugin or Wordfence plugin or you can use other as there are plenty of firewall plugins available.
  • Limit login attempts using firewall plugin

Note: All product names, logos, and brands are property of their respective owners.


  1. Its an important information.

  2. This was a very meaningful post, so informative and encouraging information, Thank you for this post.
    food ordering mobile app development


Contact Form


Email *

Message *