WordPress has become the most popular website management platform in the world. It currently powers more than 80 million websites worldwide. The reason for this popularity is the ease with which it can be managed and maintained. WordPress has been freely available since 2004 and has consistently remained the best blogging and website platform.

Since 2004, there has been a series of version updates to the WordPress software, and each new version is meant to resolve one or two issues, especially related to security. Over the last few years, the term “malware” has found its way into the WordPress world, where it denotes a website that has been compromised through one of the security holes. More specifically, the term is often used in relation to websites affected by SEO spam or malicious scripts.

Malware can be a pretty big deal if you have it on your website. Google can blacklist you, and if this happens, a warning will be displayed when people try to search for your website in Google. Depending on the type and severity of the malware, your visitors can be shown an entirely different page or redirected to another website.

WordPress Malware Removal

So, how can you remove malware from a WordPress site? This article will address two audiences – those affected with WordPress malware and others that want to learn more about the technique of WordPress malware removal. We shall critically examine 3 sets of things to do and not to do below.

Things not to do when faced with WordPress malware


One of the worst things you can do when faced with a WordPress infection is panic. Of course, having an infected website is very scary, especially when the website contains vital details. However, you should not allow yourself to be overcome by it. Rather, you should take confidence from the fact that WordPress malware has a solution.

Relax and stay calm. Your problem has a solution. Most of the malware infections can be cleaned up within a few hours, leaving you with a more functional and effective website.


There are many ways by which a WordPress site can become infected with malware. The WordPress platform itself is built with a collection of secure scripts and codes that are not vulnerable or prone to malicious activities on the web.

However, the many user-installed plugins, scripts, and themes pose the major risk. Of course, these add-ons are a great way to add more functionality and design to your website. Unfortunately, most of these add-ons are not well maintained and are easily penetrated by hackers.

There are several themes and plug-ins out there, especially the free ones, that were created long ago and that their developers have taken no real steps to update. This makes your site vulnerable to attackers, who can easily penetrate the aged scripts and code.

Luckily, there are advanced security plug-ins like Wordfence that allow you to scan your website and detect the plug-ins and themes that are out of date or no longer supported. Such a plug-in informs you of the latest security threats and makes the necessary recommendations.

What’s more, frequently scan your website, especially your list of users, and remove anyone that is not recognized. Also, make sure you use a strong password and follow our WordPress security tips that are listed here.


Whenever people face a problem with their WordPress site, they are often in too much of a hurry to resolve it. Some even go to the extent of deleting their entire website, or a part of it, and starting all over. In many cases, this is not the right solution to a WordPress malware infection.

However, if need be, you can delete the features that are not unique to your website and replace them with fresh and clean contents. These items include:

WordPress Core File

This covers the default WordPress files, whose contents are not unique to your website. You can remove these files and folders and replace them with the default copy from the WordPress directory.

Free Plugins

If you have one or more free plug-ins on your site that are available in the WordPress Plug-in directory, you can remove them completely and replace them with fresh copies. You can also consider removing inactive plug-ins permanently from your site.

Premium Plugins

If you have any premium plug-in that is not available in the WordPress directory, you should first track down the developer and obtain a fresh copy before you remove it from your WordPress site.


Theme removal is typically more complicated than plug-in removal. If you have customized and personalized your theme, you may lose these changes if you remove the theme. However, if you made little or no personalized settings to your theme, you can remove and replace it.
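Before replacing core files, it helps to see which ones actually differ from a clean copy. The following is an added example, not part of the original article: it compares a site's `wp-admin`, `wp-includes` and top-level PHP files against a freshly unpacked copy of the same WordPress version and reports modified, missing and unexpected files. Both directory paths are assumptions you supply, and `wp-content` is skipped because it holds site-specific themes, plug-ins and uploads.

```python
import hashlib
import sys
from pathlib import Path

# Directories that are identical on every site running the same release.
CORE_DIRS = ("wp-admin", "wp-includes")


def sha256_of(path):
    """Hash a file in chunks so large files do not load into memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def core_files(root):
    """Map relative path -> file for core dirs plus top-level PHP files."""
    root = Path(root)
    found = {}
    for name in CORE_DIRS:
        base = root / name
        if base.is_dir():
            for p in base.rglob("*"):
                if p.is_file():
                    found[p.relative_to(root).as_posix()] = p
    for p in root.glob("*.php"):
        if p.name != "wp-config.php":  # site-specific, absent from a clean copy
            found[p.name] = p
    return found


def compare_core(site_root, clean_root):
    """Return core files that are modified, missing or unexpected."""
    site, clean = core_files(site_root), core_files(clean_root)
    report = {"modified": [], "missing": [], "unexpected": []}
    for rel, ref in clean.items():
        if rel not in site:
            report["missing"].append(rel)
        elif sha256_of(site[rel]) != sha256_of(ref):
            report["modified"].append(rel)
    report["unexpected"] = [rel for rel in site if rel not in clean]
    return {kind: sorted(paths) for kind, paths in report.items()}


if __name__ == "__main__" and len(sys.argv) == 3:
    # Usage: python check_core.py /path/to/site /path/to/clean-wordpress
    for kind, paths in compare_core(sys.argv[1], sys.argv[2]).items():
        for rel in paths:
            print(f"{kind}: {rel}")
```

Files listed as unexpected inside `wp-admin` or `wp-includes` deserve a look before you delete anything, since a clean release never puts them there.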

Things to do when faced with WordPress malware


The first and most important rule for all WordPress users is to have a backup and restore strategy in place. This is a very simple yet vital step that is often overlooked. You will be very happy to have a recent backup copy of your website if it becomes infected. The best practice is to run a weekly or bi-weekly backup of your site. So, in case of any issue, you can easily restore the most recent backup and continue to enjoy your site.

There are plenty of tools available that allow you to create and store a backup copy of your site. In fact, some hosting providers offer this option in their cPanel for free. So, you have no reason not to keep a backup copy of your website.


The majority of WordPress websites out there are hosted on public shared hosting platforms. What this means is that your site is hosted on a public server with many other sites. There is a greater possibility of downtime involved here.

If you use your WordPress website for nothing spectacular, you may continue with the shared hosting. However, if you use your WordPress website for your business or professional purposes, you should consider purchasing your own dedicated server.

Meanwhile, most hosting providers out there also understand the problems associated with shared hosting and do everything to prevent them. If you are having security issues with your current hosting provider, you may consider shopping for another, more reliable one. Luckily, there are lots of reviews online that can guide you in choosing the best one for your needs.


If you are running a WordPress site, you should, as a matter of necessity, be updated and educated on WordPress security. If you want a safe and secure WordPress experience, you need to stay informed. Security-related topics are something people are not normally interested in because they feel it is not important.

However, the fact remains that WordPress security is like health insurance – no one feels they need it until the need arises. If you really want to keep your WordPress site safe and secure, then you must be ready and willing to read some security information and take some simple security steps.

Bottom line

WordPress security is as important as the physical security of your life and property. A WordPress site can be one of your most important assets, especially if you use it for business purposes. This is why you need to treat the security of your website as paramount. This article has discussed the things to do and not to do in case of a WordPress malware infection.