WordPress Malware Cleanup: What Site Owners Should Know

By Syed Saud Ahsan · February 18, 2026

What to do when your WordPress site is infected with malware. Practical steps for cleanup, recovery, and hardening to prevent repeat attacks.

A hacked WordPress site is stressful. You might notice strange redirects, spam links appearing in your content, a Google warning in search results, or your hosting company suspending the account. Whatever the trigger, the cleanup process is much the same, and it starts with staying calm and working through the steps in order.

How WordPress sites get infected

The most common entry points are:

  • Outdated plugins or themes with known vulnerabilities
  • Weak admin passwords that get brute-forced
  • Nulled themes or plugins that contain hidden malware
  • Compromised hosting accounts where one infected site spreads to others
  • Old WordPress installations that were not updated for a long time

Most infections are automated. Bots scan millions of sites looking for known vulnerabilities and exploit them when they find one.

Signs your WordPress site has malware

  • Your site redirects visitors to spam or ad sites
  • Google Search Console shows a security warning
  • Your hosting company sent a malware alert
  • You see unfamiliar admin users in the WordPress dashboard
  • Strange files appear in your file manager
  • Google search results show spam content under your domain

Steps to clean a WordPress site

Step 1: Back up everything before touching anything

Before you delete a single file, create a full backup of the site files and database. Even a compromised backup is useful for comparison later.

Step 2: Scan for infected files

Use a security plugin like Wordfence or MalCare to scan the site. These tools compare your core WordPress files against the official versions and flag anything that has been changed or added unexpectedly.

Also check the file manager in cPanel for recently modified files, especially in the uploads folder, wp-content, and the root directory.

Step 3: Remove infected files and code

Delete files that should not be there. For core WordPress files that have been modified, replace them with fresh copies from wordpress.org.

Check the database for injected spam links or hidden redirects in the wp_options table, especially the siteurl, home, and any widget or theme options fields.
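
The checks in Steps 2 and 3 can be scripted so they are repeatable across every site on a shared account. The following is an added example, not code from the article or from Wordfence or MalCare: a set of POSIX shell helpers that list PHP files under wp-content/uploads, recently modified files, PHP files using common obfuscation calls, and the siteurl/home values and any injected markup in a mysqldump of the database (the Step 1 backup). The WordPress root and the dump path are arguments; the sample site and dump built by make_sample are constructed here purely so the helpers can be exercised offline.

```shell
#!/bin/sh
# Added example, not from the article: triage helpers for Steps 2 and 3.
# Assumes a standard WordPress layout under the root passed as $1 and a
# mysqldump of the database (the Step 1 backup) for the wp_options checks.

# PHP files inside wp-content/uploads have no legitimate reason to exist.
php_in_uploads() {
  find "$1/wp-content/uploads" -type f \
    \( -name '*.php' -o -name '*.phtml' -o -name '*.php[0-9]' \) 2>/dev/null
}

# Every file modified in the last N days (default 7), for manual review.
recent_files() {
  find "$1" -type f -mtime "-${2:-7}" 2>/dev/null
}

# PHP files whose contents use decoder calls typical of injected code.
# Some legitimate plugins use these too, so treat hits as leads, not proof.
suspicious_php() {
  grep -rlE --include='*.php' \
    'eval\(base64_decode\(|gzinflate\(|str_rot13\(' "$1" 2>/dev/null
}

# siteurl/home values from the dump: redirect hacks often rewrite these.
site_urls() {
  grep -oE "'(siteurl|home)','[^']*'" "$1" | sed "s/','/=/; s/'//g"
}

# Dump lines carrying markup or decoders that do not belong in wp_options.
injected_options() {
  grep -nE '<script|<iframe|eval\(|base64_decode\(' "$1"
}

# Constructed sample site and dump so the helpers can be exercised offline.
make_sample() {
  root=$(mktemp -d)
  mkdir -p "$root/wp-content/uploads/2026/02" "$root/wp-includes"
  printf '<?php // legitimate core file\n' > "$root/wp-includes/functions.php"
  printf 'GIF89a\n' > "$root/wp-content/uploads/2026/02/photo.gif"
  # Stand-in for a dropped file under uploads: PHP calling a decoder on a
  # placeholder string. Nothing here executes; it only exists to be found.
  printf '<?php eval(base64_decode("PLACEHOLDER"));\n' \
    > "$root/wp-content/uploads/2026/02/cache.php"
  cat > "$root/db.sql" <<'EOF'
INSERT INTO `wp_options` VALUES (1,'siteurl','https://example.com','yes'),(2,'home','https://example.com','yes');
INSERT INTO `wp_options` VALUES (99,'widget_text','<script src="http://placeholder.invalid/x.js"></script>','yes');
EOF
  echo "$root"
}

# Print all findings for a site root that also holds db.sql.
report() {
  echo "== PHP in uploads ==";       php_in_uploads "$1"
  echo "== modified last 7 days =="; recent_files "$1" 7
  echo "== decoder calls in PHP =="; suspicious_php "$1"
  echo "== siteurl/home ==";         site_urls "$1/db.sql"
  echo "== injected options ==";     injected_options "$1/db.sql"
}

# Usage: sh triage.sh /path/to/wordpress   (with db.sql placed in that root)
if [ $# -gt 0 ]; then report "$1"; fi
```

Run it against the backup copy from Step 1 rather than the live site where possible, and compare the recent_files output with the last date you know the site was clean; a file under wp-includes or wp-admin modified outside a WordPress update window is worth a close look even when no decoder pattern matches.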

Step 4: Find and close the entry point

Cleaning the infection without fixing the entry point means it will come back. Check for an outdated WordPress core, plugins, and themes. Look for PHP file upload vulnerabilities and unauthorized admin accounts.

Delete any admin users you did not create. Change all passwords, including WordPress admin, FTP, cPanel, and the database password.

Step 5: Harden the site after cleanup

After cleanup, take steps to reduce future risk:

  • Update WordPress, all themes, and all plugins
  • Delete deactivated plugins and themes
  • Change the database table prefix if it is the default wp_
  • Add two-factor authentication to the admin login
  • Set file permissions correctly: 644 for files, 755 for folders
  • Block PHP execution in the uploads directory using an .htaccess rule
  • Set up a basic web application firewall through Cloudflare or a security plugin
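
Two items in the list above, the 644/755 permission baseline and the rule that stops PHP from running in the uploads directory, are easy to get slightly wrong by hand. The following is an added example, not code from the article or any plugin: a POSIX shell script that applies both to a WordPress root passed as its argument. It assumes Apache with .htaccess files honoured (AllowOverride) and writes a rule that covers both the Apache 2.4 `Require` syntax and the older `Order`/`Deny` syntax; the sample tree in the usage below is constructed.

```shell
#!/bin/sh
# Added example, not from the article: applies the Step 5 permission baseline
# and the uploads PHP block. Assumes Apache reads .htaccess (AllowOverride)
# and a standard WordPress layout under the root passed as $1.

# 755 for directories, 644 for files, as the article recommends. Many hosts
# tighten wp-config.php further (for example 600); do that after this pass.
set_permissions() {
  find "$1" -type d -exec chmod 755 {} +
  find "$1" -type f -exec chmod 644 {} +
}

# Deny direct requests for PHP-style files under wp-content/uploads.
# The two IfModule branches cover Apache 2.4 and 2.2 respectively.
block_php_in_uploads() {
  dir="$1/wp-content/uploads"
  mkdir -p "$dir"
  cat > "$dir/.htaccess" <<'EOF'
# Block PHP execution inside the uploads directory
<IfModule mod_authz_core.c>
  <FilesMatch "\.(php|phtml|php[0-9])$">
    Require all denied
  </FilesMatch>
</IfModule>
<IfModule !mod_authz_core.c>
  <FilesMatch "\.(php|phtml|php[0-9])$">
    Order Deny,Allow
    Deny from all
  </FilesMatch>
</IfModule>
EOF
  chmod 644 "$dir/.htaccess"
}

harden() {
  set_permissions "$1"
  block_php_in_uploads "$1"
}

# Usage: sh harden.sh /path/to/wordpress
if [ $# -gt 0 ]; then harden "$1"; fi
```

After running it, request a PHP file that you know sits under uploads (a harmless test file you placed there) and confirm the server answers 403 rather than executing it. On nginx the .htaccess file is ignored, so the equivalent has to be a location rule in the server configuration, and on hosts where PHP-FPM is matched by extension before .htaccess is consulted the rule should be verified the same way rather than assumed.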

Step 6: Request a Google review if flagged

If Google flagged your site with a Safe Browsing warning, fix the malware first, then request a review through Google Search Console under the Security Issues section. Google typically reviews within a few days.

Key takeaway

WordPress malware cleanup is a process, not a one-click fix. The goal is to remove all infected code, close the entry point, harden the site, and set up monitoring so you catch any repeat issues quickly.

FAQ