Hidden WordPress Malware: How to Find and Remove It
Hidden WordPress malware rarely announces itself with a flashing warning — it hides in plain sight, silently redirecting visitors, injecting spam links, or harvesting credentials until Google blacklists you or your host pulls the plug. The good news: most infections follow a small set of patterns, and if you know what to look for and where to look, you can find and remove the infection yourself. This guide walks you through every step — from confirming the infection to cleaning the files and locking the door behind you.
How to Know You've Actually Been Infected
Before you start deleting files, confirm the problem is malware and not a misconfigured plugin. Common signs of a real infection include:
- Google Search Console showing "Site may be hacked" or a manual action notice in the Security Issues report.
- Visitors (but not you) being redirected to spam, pharma, or gambling sites. Attackers often serve clean pages to logged-in admins to stay hidden longer.
- Google results showing Japanese, Russian, or pharmaceutical keywords under your site's name — a classic "SEO spam" injection.
- Your host suspending or quarantining your account with a notice about malicious files or outbound spam.
- New admin accounts you didn't create, or unfamiliar entries in Users → All Users.
- Pages or posts containing hidden links — often invisible to you because the CSS sets them to display:none or colors them white on white.
- A Google Safe Browsing warning — check your domain at transparencyreport.google.com/safe-browsing/search.
If you're seeing two or more of these, treat it as a confirmed infection and move fast. Every hour the malware runs, it can create new backdoors, send more spam, and deepen the SEO damage.
Step 1 — Back Up Before You Touch Anything
This sounds counterintuitive — why back up a compromised site? Because you need a baseline snapshot to diff against, and because an overly aggressive cleanup can take down a live site just as effectively as the malware itself. Use your host's snapshot tool or a plugin like UpdraftPlus to create a full-files-and-database backup, store it off-server, and label it clearly as "infected — do not restore without review."
Step 2 — Scan With a Dedicated Security Scanner
Run at least two scans from different tools — they catch different things.
Remote scanners (no server access needed)
- Sucuri SiteCheck (sitecheck.sucuri.net) — scans your public-facing pages for known malware signatures, blacklist status, and injected scripts.
- VirusTotal — paste your URL to check it against dozens of engines simultaneously.
Remote scanners only see what visitors see. An attacker who serves clean pages to crawlers will evade them. That's why you also need a server-side scan.
Server-side scanners
- Wordfence Security — install it, run a full scan, and review the results carefully. It compares your core files, plugins, and themes against the official WordPress.org repository checksums and flags deviations.
- MalCare — good at finding obfuscated PHP that Wordfence can miss, because it scans from its own servers rather than running entirely on yours.
Document every flagged file before you change anything. Screenshots or a plain-text list work fine.
Step 3 — Find the Injection Points
Scanners give you a hit list, but understanding where the malware lives helps you clean more thoroughly. The most common hiding spots:
WordPress core files
Attackers frequently modify wp-login.php, wp-settings.php, or files inside /wp-includes/ and /wp-admin/. Any file in core that doesn't match the official release checksum is suspect. You can verify core integrity by downloading a fresh copy of the same WordPress version from wordpress.org and diffing the files.
functions.php and theme files
The active theme's functions.php is a favourite target because it runs on every page load. Look for unfamiliar blocks of base64-encoded code — strings that start with eval(base64_decode( or eval(gzinflate( are almost always malicious.
Uploaded files directory
/wp-content/uploads/ should contain only media. PHP files in this directory are a red flag — WordPress has no legitimate reason to execute PHP from uploads. Search for them:
find /path/to/wp-content/uploads -name "*.php"
If your host provides SSH or a file manager, run this command and delete anything returned.
The database
SEO spam injections and hidden links often live in the database rather than the filesystem — usually in post content, widget data, or the wp_options table. In phpMyAdmin, use Search across all tables for strings like <a href="http in post content, or suspicious-looking encoded strings in wp_options rows like siteurl or home. Also check wp_users for admin accounts you don't recognise — delete any you didn't create.
Step 4 — Clean the Infection
Work through this in order. Skipping steps is the main reason reinfection happens within days.
- Reinstall WordPress core. In the dashboard go to Dashboard → Updates and click Re-install Now. This overwrites core files without touching your content or settings. Alternatively, delete everything except wp-content and wp-config.php via FTP and upload a fresh extract.
- Reinstall every plugin from scratch. Delete each plugin folder via FTP or your host's file manager, then reinstall from wordpress.org or the original vendor. Do not restore from your infected backup. Nulled or pirated plugins are the single most common infection vector — replace them with legitimate licensed copies or free alternatives.
- Reinstall your active theme. Same principle: delete the folder, reinstall from the theme developer. If you have child-theme customisations, review them line by line before restoring.
- Clean the database. Remove any spam links or injected content you found in Step 3. Update any admin passwords stored there via Users → Your Profile. Check wp_options for rows with autoload = yes that contain encoded or unfamiliar data — see our post on WordPress database bloat for a safe approach to auditing that table.
- Remove rogue admin accounts. Delete any users in the Administrator role you didn't create.
- Delete PHP files from uploads. Any .php file in /wp-content/uploads/ should be removed.
Step 5 — Find and Close the Backdoor
This is the step most DIY cleanups skip — and it's why many sites get reinfected within a week. A backdoor is a hidden file or database entry that lets the attacker re-enter even after you've cleaned everything visible. Common forms:
- A standalone PHP file with a name that looks innocent — wp-xmlrpc-backup.php, hello.php, class-db.php — sitting in the root or inside wp-content.
- A fake plugin folder in /wp-content/plugins/ containing only one or two PHP files with no readme or proper plugin header.
- A malicious cron job registered in wp_options under cron that re-downloads the malware on a schedule.
After cleaning, search your entire wp-content directory for eval(, base64_decode(, gzinflate(, str_rot13(, and preg_replace with the /e modifier. Legitimate plugins use these functions occasionally, but any unexpected occurrence warrants closer inspection.
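As an added example that is not part of this article, here is a small POSIX shell triage script covering the Step 3 uploads check and the Step 5 backdoor searches: PHP files under uploads, eval()/decoder loaders and the /e modifier, and plugin folders with no plugin header. The function names, the regular expression and the constructed fixture site are my own assumptions, not anything from the guide or from WordPress; treat every hit as something to inspect, not to delete blindly.

```shell
#!/bin/sh
# Added triage helper (not code from the article). It checks the hiding spots the
# guide lists: PHP under uploads, eval()/decoder loaders, and plugin folders with
# no plugin header. Assumes POSIX sh with find and grep; WordPress root is $1.
# 1. PHP under wp-content/uploads. WordPress never needs to execute PHP here. The
#    .phtml and .php5-style variants are included because some hosts still run them.
php_in_uploads() {
    find "$1/wp-content/uploads" -type f \
        \( -iname '*.php' -o -iname '*.php[0-9]' -o -iname '*.phtml' \) 2>/dev/null
}

# 2. Obfuscated loaders: eval() wrapped around a decoder, or preg_replace with the
#    /e modifier. Legitimate code occasionally matches, so review every hit by hand.
LOADER_RE="eval[[:space:]]*\((base64_decode|gzinflate|str_rot13)[[:space:]]*\(|preg_replace[[:space:]]*\([[:space:]]*['\"][^'\"]*e['\"]"
suspicious_loaders() {
    grep -rlE "$LOADER_RE" "$1/wp-content" "$1/wp-config.php" 2>/dev/null || true
}

# 3. Plugin folders with no "Plugin Name:" header in any file. A real plugin needs
#    that header to appear in the dashboard; a dropped backdoor usually lacks it.
headerless_plugins() {
    for d in "$1"/wp-content/plugins/*/; do
        [ -d "$d" ] || continue
        grep -rq 'Plugin Name:' "$d" 2>/dev/null || echo "$d"
    done
}

wp_triage() {
    echo "== PHP files under uploads =="; php_in_uploads "$1"
    echo "== Files containing obfuscated loaders =="; suspicious_loaders "$1"
    echo "== Plugin folders without a plugin header =="; headerless_plugins "$1"
}

# Constructed fixture (not a real site) so the script can run stand-alone: a clean
# upload, a PHP file in uploads, a plugin with a header, and a headerless folder.
make_fixture() {
    root=$(mktemp -d)
    mkdir -p "$root/wp-content/uploads/2024/05" "$root/wp-content/plugins/demo-plugin" \
             "$root/wp-content/plugins/db-helper"
    printf '<?php // clean config\n' > "$root/wp-config.php"
    printf 'not really a jpg\n' > "$root/wp-content/uploads/2024/05/photo.jpg"
    printf '<?php eval(base64_decode("constructed-marker"));\n' > "$root/wp-content/uploads/2024/05/shell.php"
    printf '<?php /* Plugin Name: Demo Plugin */\n' > "$root/wp-content/plugins/demo-plugin/demo-plugin.php"
    printf '<?php preg_replace("/x/e", "", "");\n' > "$root/wp-content/plugins/db-helper/loader.php"
    echo "$root"
}
# With no argument, demo against the fixture and remove it; otherwise triage $1.
if [ "$#" -eq 0 ]; then demo_root=$(make_fixture); wp_triage "$demo_root"; rm -rf "$demo_root"
else wp_triage "$1"; fi
```

Run it as `sh triage.sh /path/to/wordpress` on a real install; with no argument it builds the constructed fixture, reports on it and deletes it again.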
Step 6 — Harden Before You Go Live Again
Cleaning without hardening is cleaning half the job.
- Change every password — WordPress admin accounts, database user, FTP/SFTP, hosting control panel, and any API keys stored in wp-config.php.
- Regenerate your WordPress secret keys at api.wordpress.org/secret-key/1.1/salt/ and paste them into wp-config.php. This invalidates all active sessions.
- Block PHP execution in uploads. Add an .htaccess file to /wp-content/uploads/ containing:
<Files *.php>
deny from all
</Files>
- Disable XML-RPC if you don't use it — it's a common amplification target.
- Install a firewall. Wordfence's free tier or Cloudflare's free WAF both block a large share of automated attacks before they reach WordPress.
- Enable two-factor authentication on all admin accounts.
Step 7 — Request a Review From Google and Your Host
Once you're confident the site is clean, submit a reconsideration request in Google Search Console under Security Issues → Request Review. If your host suspended the account, email their abuse team with a summary of what you found and removed — most hosts will reinstate accounts quickly once satisfied the infection is gone. Safe Browsing warnings typically clear within a few days of a successful review.
When the Infection Is Deeper Than a DIY Fix
Some infections — particularly those involving multiple backdoors, compromised server-level files outside the WordPress directory, or a database riddled with injected content — are genuinely difficult to clean completely without server-level access and forensic tooling. If you've run through these steps and the scanners are still flagging files, or if your host keeps finding malware after you've cleaned it, that's the point where professional help pays for itself.
Our full WordPress hack recovery guide covers the deeper forensic steps. Or if you'd rather hand this off entirely, Mend's Emergency Rescue is a flat-rate service where a senior engineer handles the full clean, hardens the site, and delivers a plain-English report of exactly what was found and what changed — backed by a fixed-or-your-money-back guarantee. Most jobs are done the same day.
Preventing the Next Infection
The sites that get reinfected fastest are the ones that cleaned without changing their habits. The short list of what actually reduces risk:
- Keep WordPress core, plugins, and themes updated — the majority of infections exploit known, patched vulnerabilities in outdated software.
- Use only plugins and themes from trusted sources. Nulled software almost always contains malware by design.
- Run automated daily or weekly backups stored off-server, so you always have a clean restore point.
- Use a server-side scanner (Wordfence or similar) with scheduled scans and email alerts.
- Limit admin accounts to people who genuinely need them, and use strong unique passwords with 2FA.
If you want all of that handled for you on autopilot, Mend's Care Plan covers managed updates, daily backups, security monitoring, and uptime alerting for $99/month — so a new infection gets caught in hours rather than weeks.
Frequently asked questions
My site looks fine to me but Google says it's hacked. Why?
Attackers frequently serve clean pages to logged-in admins and known crawlers while redirecting ordinary visitors to spam sites. Sign out of WordPress and visit your site in a private browser window, or use Google's "Fetch as Google" tool in Search Console to see what the crawler actually sees.
Is it safe to restore from a backup after a hack?
Only if you know the backup predates the infection — and even then, restoring without understanding how the attacker got in means they can likely get back in the same way. Always identify and close the vulnerability before restoring, or combine the restore with a full hardening pass.
Do I need to take my site offline while I clean it?
It's good practice to put the site in maintenance mode or password-protect it at the server level during cleanup, so visitors aren't exposed to malicious redirects and the attacker can't trigger the malware while you're working. Most cleanups take a few hours, so the downtime is brief.
Will reinstalling WordPress delete my content?
No. Using the built-in "Re-install Now" button in Dashboard → Updates only overwrites core PHP files. Your database, uploads, plugins, and themes are untouched. Reinstalling plugins and themes, however, will wipe any direct file edits — which is exactly the point, since those edits may contain the malware.