The following steps will help you remove malware from your WordPress website. Please keep in mind that they will require some technical expertise. Alternatively, instead of going through them all, you could with just one step — contact our WordPress team.
1. Do a complete WordPress site backup
Before you begin to remove malware from WordPress, make a complete backup of your site and databases. As an efficient option, you could use one of the numerous WP backup plugins.
2. Scan your website for malware
Now it’s time to discover the malware that is harming your website. If your WP admin dashboard is available to you, WP malware scanning plugins could very helpful. They will carefully scan your website and list all infected files.
Malware scanners are very handy and efficient but may not always be 100% accurate. To be on the safe side, it is necessary to check all the most important files manually.
3. Install the latest version of the WordPress core
As part of steps to remove malware, go to wordpress.org, get the latest version of the core, and install the wp-includes and wp-admin instead of the old ones on your website.
4. Reinstall your WordPress plugins and themes
Now you need to install all contributed plugins your website is using from wordpress.org. Reinstall the custom plugins from the backups in WP-content once they are carefully checked. We strongly recommend that you contact our WordPress team for checking the custom plugins.
Install the latest default WP theme Twenty Nineteen and see if the website is OK. Then you can get back your usual theme from the backups if no malware was found in it.
5. Change your WP passwords
Change the admin password of your WordPress website to something you have never used before. The safest way is to do it through your database.
The passwords of all users also have to be reset. In addition, change the passwords for cPanel, FTP access, and anything of this kind that you are using.
In this blog post about preventing WordPress brute-force attacks, our colleagues list weak passwords that should be avoided.
6. Check the content again
Your WP-content folder contains all the content. It can stay there if no malware has been found. You can look through it again to make sure there are no strange file extensions. For example, there have been cases of WP malware infection through .ico files.
7. Tell Google your website is clean again
You can use your Google Webmaster Tools to submit your site to Google and let the search engine know it’s time to remove any warnings about your website.