Security
25 June 2025 7 min read

WordPress Malware Removal: A Step-by-Step Guide for Irish Business Owners

Discovered malware on your WordPress site? Don't panic. Here's exactly what to do, step by step, to clean your site and prevent reinfection.


SparkHost Team

SparkHost.ie

Finding out your WordPress site has been hacked is one of the worst feelings a business owner can experience. Your website — your digital shopfront, your credibility, your marketing engine — has been compromised.

Take a breath. This guide will walk you through exactly what to do, whether you’re handling it yourself or bringing in professionals.

How to Know If Your Site Is Infected

Sometimes malware is obvious. Other times, it’s deliberately hidden. Here are the common signs:

Visible Signs

  • Defaced homepage — Content replaced with hacker messages
  • Spam content — Pharmaceutical ads, casino links, or adult content appearing on your pages
  • Redirects — Visitors sent to suspicious websites
  • Pop-ups — Aggressive advertising that you didn’t add
  • Slow loading — Site becomes unusually slow

Hidden Signs

  • Google warnings — “This site may be hacked” in search results
  • Browser warnings — Chrome or Firefox blocking access with red warning pages
  • Hosting suspension — Your host disables your site for security reasons
  • Unknown admin users — User accounts you didn’t create
  • Modified files — Core WordPress files with recent change dates
  • Strange server activity — Unusual bandwidth usage or processing load

Technical Indicators

  • Unknown files in your WordPress installation
  • Obfuscated code (long strings of random characters)
  • Base64-encoded content in theme or plugin files
  • Modified .htaccess file with strange redirects
  • New scheduled tasks (cron jobs) you didn’t create

Step 1: Don’t Panic, But Act Fast

Malware can spread and cause more damage the longer it remains. But rushing into cleanup without a plan often makes things worse.

Immediately:

  • Don’t delete anything yet
  • Document what you’re seeing (screenshots)
  • Note when you first noticed the problem
  • Check if you have recent clean backups

Step 2: Put Your Site in Maintenance Mode

You don’t want visitors seeing malware or Google continuing to crawl infected pages.

Create a simple maintenance page or use a maintenance mode plugin. If your site is actively redirecting visitors to malicious sites, consider taking it offline entirely by renaming the index.php file temporarily.

Step 3: Reset All Passwords

Before you even start cleaning, assume all credentials are compromised:

  • WordPress admin passwords — All user accounts, not just yours
  • Database password — In your wp-config.php file
  • FTP/SFTP passwords — File access credentials
  • Hosting control panel — cPanel, Plesk, or similar
  • Associated email accounts — Especially if used for password resets

Use strong, unique passwords for each. A password manager like 1Password or Bitwarden is essential.

Step 4: Identify the Infection

Before you can clean malware, you need to find it. There are several approaches:

Use a Security Scanner

Wordfence (free version):

  1. Install and activate Wordfence
  2. Go to Wordfence > Scan
  3. Run a full scan
  4. Review flagged files

Sucuri SiteCheck (free):

  1. Visit sitecheck.sucuri.net
  2. Enter your website URL
  3. Review the report for malware indicators

Manual File Inspection

For those comfortable with file access:

  1. Connect via SFTP (not regular FTP)
  2. Look for recently modified files (last 30 days)
  3. Check common infection points:
    • wp-config.php
    • .htaccess
    • index.php in root and wp-includes
    • Files in wp-content/uploads (PHP files shouldn’t be here)
    • Unknown files in theme folders
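The manual checks above can be run in one pass over a downloaded copy of the site. The script below is an added example, not SparkHost's tooling: the names `triage` and `demo`, the regex heuristics, and the sample files are assumptions constructed for illustration.

```python
import os, pathlib, re, tempfile, time

RECENT_DAYS = 30  # "last 30 days" from the checklist; the regexes are assumed heuristics
OBFUSCATED = re.compile(  # long base64-looking run, or a decode-then-execute chain
    rb"[A-Za-z0-9+/]{200,}|(eval|assert)\s*\(\s*(base64_decode|gzinflate)\s*\(", re.I)
EXT_REDIRECT = re.compile(rb"^\s*(RewriteRule|Redirect\w*)\s.*https?://", re.I | re.M)

def triage(wp_root, now=None):
    """Return sorted (relative_path, reason) pairs that deserve manual review."""
    cutoff = (time.time() if now is None else now) - RECENT_DAYS * 86400
    findings = set()
    for dirpath, _dirs, files in os.walk(wp_root):
        for name in files:
            path = os.path.join(dirpath, name)
            rel = os.path.relpath(path, wp_root).replace(os.sep, "/")
            is_php = name.lower().endswith((".php", ".phtml", ".phar"))
            if not (is_php or name == ".htaccess"):
                continue
            if is_php and rel.startswith("wp-content/uploads/"):
                findings.add((rel, "php-in-uploads"))
            if os.path.getmtime(path) >= cutoff:
                findings.add((rel, "modified-recently"))
            with open(path, "rb") as fh:
                data = fh.read(2_000_000)  # cap the per-file read
            if is_php and OBFUSCATED.search(data):
                findings.add((rel, "obfuscated-code"))
            if name == ".htaccess" and EXT_REDIRECT.search(data):
                findings.add((rel, "external-redirect"))  # may be legitimate; review it
    return sorted(findings)

def demo():
    """Run triage over a constructed sample site (harmless placeholder files)."""
    now = time.time()
    old = now - 400 * 86400
    samples = {
        "index.php": (b"<?php require 'wp-blog-header.php';", old),
        "wp-content/uploads/2025/06/cache.php": (b"<?php echo 'placeholder';", now),
        "wp-content/themes/demo/functions.php": (b"<?php $x='" + b"QUJD" * 60 + b"';", old),
        ".htaccess": (b"RewriteRule ^(.*)$ https://redirect.example/$1 [R=302,L]\n", now),
    }
    with tempfile.TemporaryDirectory() as root:
        for rel, (body, mtime) in samples.items():
            target = pathlib.Path(root, rel)
            target.parent.mkdir(parents=True, exist_ok=True)
            target.write_bytes(body)
            os.utime(target, (mtime, mtime))
        return triage(root, now)

if __name__ == "__main__":
    print(*demo(), sep="\n")
```

Every finding is a prompt to open the file, not a verdict: a legitimate HTTPS redirect or a recently updated plugin will also be listed.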

Compare Against Clean WordPress

Download a fresh copy of your WordPress version from wordpress.org and compare the core files. Any differences in the wp-includes or wp-admin folders indicate tampering.
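The comparison can be done by hashing both trees rather than opening files one at a time. This is an added example, not SparkHost's code: `hash_tree`, `compare_core` and `demo` are hypothetical names, the sample files are constructed, and it assumes the fresh download is the same WordPress version as the live site.

```python
import hashlib
import pathlib
import tempfile

CORE_DIRS = ("wp-admin", "wp-includes")  # the folders the guide says to compare

def hash_tree(root, subdir):
    """Map relative path -> SHA-256 digest for every file under root/subdir."""
    root = pathlib.Path(root)
    return {p.relative_to(root).as_posix(): hashlib.sha256(p.read_bytes()).hexdigest()
            for p in (root / subdir).rglob("*") if p.is_file()}

def compare_core(site_root, fresh_root):
    """Diff a live site's core folders against a fresh download of the same version."""
    report = {"modified": [], "unexpected": [], "missing": []}
    for subdir in CORE_DIRS:
        site, fresh = hash_tree(site_root, subdir), hash_tree(fresh_root, subdir)
        for rel in sorted(site.keys() | fresh.keys()):
            if rel not in fresh:
                report["unexpected"].append(rel)  # a file WordPress does not ship
            elif rel not in site:
                report["missing"].append(rel)
            elif site[rel] != fresh[rel]:
                report["modified"].append(rel)
    return report

def demo():
    """Build constructed stand-ins for a fresh download and a tampered site."""
    fresh = {"wp-includes/version.php": b"<?php $wp_version = 'X.Y';",
             "wp-includes/load.php": b"<?php // loader",
             "wp-admin/index.php": b"<?php // dashboard",
             "wp-admin/about.php": b"<?php // about"}
    site = dict(fresh)
    site["wp-includes/load.php"] += b"\n// appended line"          # modified core file
    site["wp-includes/class-wp-tmp.php"] = b"<?php // placeholder"  # not in the release
    del site["wp-admin/about.php"]                                   # deleted core file
    with tempfile.TemporaryDirectory() as tmp:
        for top, files in (("fresh", fresh), ("site", site)):
            for rel, body in files.items():
                target = pathlib.Path(tmp, top, rel)
                target.parent.mkdir(parents=True, exist_ok=True)
                target.write_bytes(body)
        return compare_core(pathlib.Path(tmp, "site"), pathlib.Path(tmp, "fresh"))

if __name__ == "__main__":
    print(demo())
```

Where WP-CLI is available on the server, `wp core verify-checksums` performs the same kind of check against the official checksums for the installed version.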

Step 5: Clean the Infection

Option A: Restore from Clean Backup

If you have a backup from before the infection:

  1. Confirm the backup is clean by scanning it
  2. Restore files and database
  3. Update all passwords (malware might have captured them)
  4. Update WordPress, themes, and plugins immediately

Warning: If you don’t know when the infection started, your backup might also be compromised.

Option B: Manual Cleanup

If you don’t have clean backups, you’ll need to clean manually:

Replace WordPress Core:

  1. Download fresh WordPress from wordpress.org
  2. Delete wp-includes and wp-admin folders entirely
  3. Upload the fresh versions
  4. Compare and replace individual files in the root directory

Clean wp-content:

  1. Replace plugins with fresh downloads from wordpress.org
  2. Replace themes with fresh downloads
  3. Check uploads folder for PHP files (delete any you find)
  4. Review wp-content for unknown folders

Clean the Database:

  1. Check for unknown admin users (delete them)
  2. Look for spam content in posts and comments
  3. Review wp_options for suspicious entries
  4. Check for unknown scheduled events

Review wp-config.php:

  1. Compare against a fresh wp-config-sample.php
  2. Remove any code that doesn’t belong
  3. Generate new security salts at api.wordpress.org/secret-key

Step 6: Identify and Close the Entry Point

Cleaning malware without fixing how it got in means you’ll be reinfected. Common entry points:

Outdated Software

Check if any themes or plugins were outdated when the hack occurred. Update everything now.

Weak Passwords

If any admin account had a weak password, that’s likely how attackers got in.

Vulnerable Plugins

Some plugins have known vulnerabilities. Check if any of your plugins appear on vulnerability databases like WPScan.

Compromised Computer

If your local computer has malware, it can capture your FTP or WordPress credentials. Run a full antivirus scan.

Insecure Hosting

Shared hosting with poor isolation can allow one compromised site to affect others. Consider managed WordPress hosting with proper security isolation.

Step 7: Implement Protection

Once clean, prevent future infections:

Essential Security Measures

  1. Keep everything updated — WordPress core, themes, and plugins
  2. Use strong passwords — For everyone with access
  3. Enable two-factor authentication — For all admin accounts
  4. Install a security plugin/firewall — Wordfence, Sucuri, or Patchstack
  5. Regular backups — Daily at minimum, stored off-site

Advanced Protection

  1. Web Application Firewall (WAF) — Blocks malicious requests
  2. File integrity monitoring — Alerts you to unexpected changes
  3. Login attempt limiting — Stops brute force attacks
  4. Security headers — Prevent clickjacking and XSS attacks

Step 8: Request Review from Google

If Google flagged your site as hacked:

  1. Log into Google Search Console
  2. Go to Security & Manual Actions > Security Issues
  3. Review the detected issues
  4. Once clean, click “Request Review”
  5. Wait for Google to re-crawl (can take days to weeks)

When to Call Professionals

Consider professional malware removal if:

  • The infection is complex or keeps returning
  • You’re not comfortable with file-level access
  • Your site handles sensitive customer data
  • You can’t afford extended downtime
  • You’re not sure the infection is fully removed

Professional services typically cost €200-500 for thorough cleanup and security hardening.

What SparkHost Does Differently

Our WordPress security services don’t wait for infections to happen. On our Managed plans:

  • Proactive monitoring — We detect suspicious changes before they become problems
  • Automatic updates — Core, themes, and plugins kept current
  • Patchstack protection — Virtual patching for known vulnerabilities
  • Daily backups — Clean restore points always available
  • Hack recovery — If something does get through, cleanup is included

Prevention is always cheaper than cure.

Lessons Learned

Most WordPress infections are preventable. They happen because of:

  1. Outdated software left unpatched
  2. Weak or reused passwords
  3. Pirated (“nulled”) themes or plugins
  4. Poor hosting security
  5. No monitoring or early detection

Don’t let this happen again. Invest in proper WordPress maintenance now, or budget for cleanup later.

Take Action Today

If your site is currently infected:

  1. Follow this guide step by step
  2. Consider professional help if needed
  3. Document everything for future reference

If your site is currently clean:

  1. Run a security scan anyway
  2. Verify your backup system is working
  3. Enable two-factor authentication
  4. Review your security measures

The best time to fix your security was before the hack. The second best time is right now. For a comprehensive overview of all security measures, see our WordPress security audit checklist.
