WordPress Malware Removal — Infected CMS Analysis and Manual Cleanup Guide
> cd .. / HUB_EDITORIALE
Sistemi Operativi & Sicurezza

WordPress Malware Removal — Infected CMS Analysis and Manual Cleanup Guide

[2026-07-17] Author: Ing. Calogero Bono
> share
Zenithby Meteora Web The operating system for your business. Social, clients, bookings and invoices in one platform. Gyms, barbers, professionals. Discover Zenith Free demo · no card

Your WordPress site loads slowly, shows strange banners, or Google labels it as "dangerous". You've tried security plugins, but nothing changed. The issue is that without understanding how the malware entered, surface cleaning is useless. We at Meteora Web have cleaned dozens of compromised installations since 2017. This guide takes you into the core of the operation: infection analysis, manual removal, backdoor hunting. Zero academic theory. Only concrete actions to regain control of your CMS.

What happens when malware infects WordPress?

Malware isn't magic. It's PHP, JavaScript, or SQL code that modifies files, creates new admin users, sends spam, steals data, or launches attacks on other servers. Most infections start from vulnerable plugins/themes, weak passwords, or shared hosting without isolation. Once inside, malware hides in places a superficial scan never sees.

Classic signs something is wrong

Don't wait for Google to tell you "This site may be hacked". If you notice:

  • Unusual traffic spikes (especially at night)
  • Files with modification dates out of context (e.g., footer.php modified at 3 AM)
  • HTTP requests to unknown IPs (check Wordfence report or server logs)
  • New admin users you didn't create

then it's time to act. Do not uninstall plugins without making a forensic backup. Every trace may be useful.

Sponsored Protocol

Action now: Put the site in maintenance mode (via plugin or .htaccess). Disconnect all users except yourself. Download a complete copy of files and database via FTP and phpMyAdmin. Then read the next section.

How to analyze the infection with free tools?

Before cleaning, we need to understand what we're dealing with. We start with three steps.

1. Scan with security plugins

Wordfence Security (free) and Sucuri Scanner (free) are the first to run. But beware: don't trust them 100%. Advanced malware can disguise itself as legitimate plugins. The scan is a starting point, not the absolute truth.

2. Manual search for suspicious files

Connect via SSH or use cPanel to browse the wp-content/ directory. Look for:

  • PHP files with recent dates you didn't upload (e.g., seo.php, sitemap.php, xmlrpc-fake.php)
  • Images with .php extension (e.g., banner.jpg.php)
  • Inactive plugins or themes containing obfuscated code
# SSH command to find PHP files modified in the last 7 days
find /var/www/html -type f -name "*.php" -mtime -7 -ls

3. Database analysis for unexpected users and posts

Many infections add admin users or insert spam content in posts. Run these queries in phpMyAdmin:

-- Find admin users you don't recognize
SELECT * FROM wp_users WHERE user_login NOT IN ('admin', 'your_user');

-- Find posts with suspicious content (e.g., links to online pharmacies)
SELECT ID, post_title, post_content FROM wp_posts WHERE post_content LIKE '%viagra%' OR post_content LIKE '%casino%';

Action now: Save the list of suspicious files and rows in a report file. Don't delete anything yet. You need to verify if those files are backdoors or false positives.

Sponsored Protocol

How to manually remove malware from WordPress?

Manual removal is the only way to be sure you've cleaned thoroughly. Automatic plugins miss backdoors nested in core files. Here's the proven procedure.

1. Replace the WordPress core

Download the latest WordPress from wordpress.org, extract, and replace ALL files in the root except wp-content and wp-config.php. Don't skip this step: many malware hide in system files (wp-includes, wp-admin).

# Example SSH command to replace core
cd /var/www/html
mv wp-content /tmp/wp-content-backup
mv wp-config.php /tmp/
wget https://wordpress.org/latest.tar.gz
tar -xzf latest.tar.gz
mv wordpress/* .
rm -rf wordpress latest.tar.gz
mv /tmp/wp-content-backup wp-content
mv /tmp/wp-config.php .

2. Clean wp-content

Inside wp-content, malware hides especially in uploads/ (PHP files disguised as images), themes/ and plugins/. Delete themes and plugins you don't use. For active ones, compare files with original versions from official repositories. Also check for a hidden .htaccess in uploads: it often contains redirects to malicious sites.

Sponsored Protocol

# Find PHP files inside uploads (generally forbidden)
find wp-content/uploads -type f -name "*.php" -exec rm -fv {} \;

3. Clean the database

Remove suspicious users, change their role if needed. Clean options and posts containing PHP code or malicious links. Beware: some backdoors hide in wp_options (e.g., 'active_plugins' or 'theme_mods'). Search for base64_decode, eval, system, exec, base64.

-- Find options with malicious code
SELECT option_name, option_value FROM wp_options WHERE option_value LIKE '%base64_decode%' OR option_value LIKE '%eval(%';

Action now: After cleaning, reinstall all plugins and themes from official versions. Change ALL passwords (admin, FTP, database). Generate new salts in wp-config.php. Enable extended logging for monitoring.

What backdoors to look for after the main cleanup?

The worst mistake is thinking you're done when a secondary backdoor is still active. The sneakiest malware creates files that look like legitimate plugins (e.g., woocommerce-helper.php). Here are the most common techniques.

Backdoor via WP-Cron and uploads

Malware schedules periodic script execution via wp-cron. Check the wp_options table for 'cron' and look for URLs or PHP commands. Alternatively, a .php file in uploads/2023/ is called by an injected JS.

Sponsored Protocol

Backdoor in database via user meta

Malicious code can be stored in wp_usermeta under a harmless meta_key like 'session_tokens'. When the admin logs in, it executes.

-- Search for unusually long meta values
SELECT * FROM wp_usermeta WHERE LENGTH(meta_value) > 1000;

Backdoor via themes/functions.php

In the active theme's functions.php, you might find a line like:

add_action('wp_head', function() { eval(base64_decode('...')); });

Don't trust nulled themes or those from unofficial sources. Only use official repositories or a child theme developed from scratch.

Action now: After cleanup, run a new scan with Wordfence and a cross-check manual review. If you still find anomalies, repeat the analysis from scratch.

How to prevent reinfection after malware removal?

Cleaning is exhausting. Doing it twice is unacceptable. Here are the measures we apply to all our clients.

  • Automatic updates for core, plugins, and themes. Configure auto-update in functions.php or use a plugin like Easy Updates Manager.
  • Disable file editing from admin. Add to wp-config.php: define('DISALLOW_FILE_EDIT', true);
  • Use an application-level firewall. Wordfence or Sucuri (paid) block malicious traffic before it reaches WordPress.
  • HTTPS + HSTS + Content Security Policy. Security headers reduce the attack surface.
  • Frequent backups stored off-site. We use UpdraftPlus to Amazon S3 or a separate server. A clean backup is your last resort.

Immediate actions: Block login attempts from unknown IPs with a limit login plugin (e.g., Limit Login Attempts Reloaded). Change file permissions: directories 755, files 644. Ensure wp-config.php is outside the web root if possible.

Sponsored Protocol

In summary

Removing malware from WordPress isn't impossible, but requires method. Recap of key steps:

  1. Isolate the site — enter maintenance, disconnect users, take forensic backup.
  2. Analyze — plugins, manual file search, database queries. Document everything.
  3. Clean — replace core, delete suspicious PHP files from uploads/themes/plugins, clean database.
  4. Hunt backdoors — wp-cron, user_meta, functions.php, base64 options.
  5. Harden security — passwords, updates, firewall, backups, permissions.

If after all this the site still shows signs of infection, deeper intervention may be needed (system log analysis, server-side scan from hosting provider). In that case, talk to your hosting provider or contact us at Meteora Web. We deal with these cases daily.

For a broader approach to WordPress security, read our Pillar Guide on WordPress Security.

> share
Ing. Calogero Bono

> AUTHOR_EXTRACTED

Ing. Calogero Bono

Ingegnere informatico, fondatore di Meteora Web e Zenith OS. System administrator e progettista di piattaforme, app e CMS proprietari, con esperienza in sviluppo full-stack, marketing digitale ed ecosistema Google.
[ Read Full Dossier ]

> METEORA_WEB // DIGITAL AGENCY

We build the digital presence your business deserves.

Websites, social media, online advertising, e-commerce and high-performance hosting, engineered with method by computer engineers in Sciacca, for all of Italy.

> MW_JOURNAL

> READ_ALL()