Question: How do I remove malware from my WordPress site?


Answer:

This article explains how to identify and remove malware from a WordPress site hosted on GHFS Hosting. Malware infections can cause redirects, spam, slow performance, unauthorized logins, or a completely broken site. Follow the steps below to clean your website safely.


1. Signs Your WordPress Site May Be Infected

Common symptoms include:

  • Unexpected redirects to other websites

  • Unknown admin accounts appearing

  • Suspicious files in wp-content or uploads

  • Website extremely slow or crashing

  • Visitors report security warnings

  • Search engines show "This site may be hacked"

If you notice any of these, act immediately.


2. Step 1: Enable Maintenance Mode (If Possible)

If you can access WordPress:

  1. Install a maintenance mode plugin

  2. Enable it to prevent visitors from seeing harmful content

If WordPress admin is inaccessible, skip this step.


3. Step 2: Scan Your Website With WordPress Toolkit (Plesk)

Plesk WordPress Toolkit includes a built-in security scanner.

Steps:

  1. Log in to Plesk

  2. Open WordPress Toolkit

  3. Select your site

  4. Run a Security Scan

  5. Apply all recommended fixes

This can automatically remove known malware and correct insecure settings.


4. Step 3: Update Everything

Outdated software is the #1 cause of malware infections.

Update:

  • WordPress core

  • Themes

  • Plugins

  • PHP version (if needed)

Never continue using outdated plugins or themes.


5. Step 4: Remove Suspicious Plugins and Themes

Check your WordPress installation for:

  • Plugins you did not install

  • Themes you do not recognize

  • Items marked as "inactive" but suspicious

Delete anything you do not trust; do not just deactivate it.


6. Step 5: Manually Clean Files Using Plesk File Manager

Look for suspicious files in:

  • /wp-content/uploads/

  • /wp-content/plugins/

  • /wp-content/themes/

  • Root directory (/httpdocs/)

Signs of infected files:

  • Random filenames (like xj38sh.php)

  • Files with encoded or unreadable code

  • Recently modified files you didn’t touch

Delete or replace these files with clean versions.
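
An added example (not part of the original article) that checks a docroot for the signs above: it flags PHP files that sit under uploads, contain common obfuscation wrappers, or changed within the last few days. The regex markers and the 7-day window are assumptions, and "PHP under uploads" stands in for the random-filename sign, which cannot be matched reliably by name.

```python
import os
import re
import sys
import time

# Heuristic markers (assumption): obfuscation wrappers and long base64-like runs.
# Legitimate plugins can match too, so every hit is a lead for manual review.
OBFUSCATED = re.compile(
    rb"(?:eval|assert)\s*\(\s*(?:base64_decode|gzinflate|gzuncompress|str_rot13)\s*\("
    rb"|[A-Za-z0-9+/]{400,}"
)
PHP_EXT = (".php", ".phtml", ".php5", ".phar")


def scan(docroot, recent_days=7, now=None):
    """Return {relative_path: [reasons]} for PHP files showing the listed signs."""
    cutoff = (time.time() if now is None else now) - recent_days * 86400
    findings = {}
    for dirpath, _dirs, files in os.walk(docroot):
        for name in files:
            if not name.lower().endswith(PHP_EXT):
                continue
            path = os.path.join(dirpath, name)
            rel = os.path.relpath(path, docroot).replace(os.sep, "/")
            reasons = []
            # Uploads should hold media; executable PHP there is rarely legitimate.
            if rel.startswith("wp-content/uploads/"):
                reasons.append("PHP file under uploads")
            with open(path, "rb") as fh:
                if OBFUSCATED.search(fh.read(2_000_000)):
                    reasons.append("obfuscated code")
            if os.path.getmtime(path) >= cutoff:
                reasons.append("recently modified")
            if reasons:
                findings[rel] = reasons
    return findings


if __name__ == "__main__":
    # Pass the site's document root (the httpdocs folder) as the first argument.
    for rel, reasons in sorted(scan(sys.argv[1]).items()):
        print(f"{rel}: {', '.join(reasons)}")
```

Run it before Step 3 if possible, since updating rewrites many files and makes the "recently modified" signal noisy.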


7. Step 6: Reinstall WordPress Core Files

In many cases, reinstalling WordPress core removes infected core files.

Steps:

  1. Download a fresh copy from wordpress.org

  2. Upload it using Plesk File Manager

  3. Replace all WordPress core files except:

    • wp-content folder

    • wp-config.php file

This ensures a clean core installation.
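
Uploading a fresh copy over the old one overwrites modified core files but leaves behind any extra files dropped into wp-admin or wp-includes. The following added example (not from the original article; function names are illustrative) hashes the live site against an unpacked fresh copy of the same WordPress version, skipping wp-content and wp-config.php, and lists modified, extra and missing files.

```python
import hashlib
import os


def _kept(rel):
    """Paths Step 6 says to keep; they are never compared or reported."""
    return rel == "wp-config.php" or rel.startswith("wp-content/")


def _hashes(root):
    """Map relative path -> SHA-256 for every file under root, skipping kept paths."""
    out = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            rel = os.path.relpath(path, root).replace(os.sep, "/")
            if _kept(rel):
                continue
            with open(path, "rb") as fh:
                out[rel] = hashlib.sha256(fh.read()).hexdigest()
    return out


def compare_core(site_root, fresh_root):
    """Compare a live site with an unpacked fresh WordPress of the same version."""
    site, fresh = _hashes(site_root), _hashes(fresh_root)
    return {
        # Core files whose content differs from the official copy.
        "modified": sorted(p for p in site if p in fresh and site[p] != fresh[p]),
        # Files that do not ship with WordPress; an overwrite never removes these.
        "extra": sorted(p for p in site if p not in fresh),
        # Core files deleted from the live site.
        "missing": sorted(p for p in fresh if p not in site),
    }
```

Files you created yourself, such as .htaccess, also appear under "extra", so review that list rather than deleting it wholesale.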


8. Step 7: Scan and Clean the Database

Malware can inject code into your database.

Check for:

  • Spam posts or comments

  • Unknown admin users

  • Code injections in wp_options or wp_posts

Plugins like Wordfence or Sucuri can help scan for database injections.
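
The unknown-admin and code-injection checks as queries, in an added example that is not part of the original article. It assumes the default wp_ table prefix; the marker strings, the known-admin allowlist and the constructed sample rows are illustrative, and sqlite3 stands in for MySQL only so the code runs offline.

```python
import sqlite3

# The SQL is plain enough for MySQL/MariaDB; sqlite3 only makes it runnable offline.
ADMINS_SQL = """
SELECT u.ID, u.user_login, u.user_email, u.user_registered
FROM wp_users u JOIN wp_usermeta m ON m.user_id = u.ID
WHERE m.meta_key = 'wp_capabilities' AND m.meta_value LIKE '%"administrator"%'
ORDER BY u.user_registered
"""
# Heuristic markers (assumption); some plugins store <script> legitimately.
MARKERS = ("<script", "<iframe", "eval(", "base64_decode", "document.write")


def unknown_admins(db, known_logins):
    """Administrator accounts whose login is not on the owner's allowlist."""
    return [row for row in db.execute(ADMINS_SQL) if row[1] not in known_logins]


def injected_rows(db):
    """(table, key) pairs whose content contains any marker."""
    hits = []
    for table, key, col in (("wp_options", "option_name", "option_value"),
                            ("wp_posts", "ID", "post_content")):
        where = " OR ".join(f"{col} LIKE ?" for _ in MARKERS)
        rows = db.execute(f"SELECT {key} FROM {table} WHERE {where} ORDER BY {key}",
                          [f"%{m}%" for m in MARKERS])
        hits += [(table, r[0]) for r in rows]
    return hits


def sample_db():
    """Constructed sample rows; user 7 and the two injected values are made up."""
    db = sqlite3.connect(":memory:")
    db.executescript("""
    CREATE TABLE wp_users(ID INTEGER, user_login TEXT, user_email TEXT, user_registered TEXT);
    CREATE TABLE wp_usermeta(user_id INTEGER, meta_key TEXT, meta_value TEXT);
    CREATE TABLE wp_options(option_name TEXT, option_value TEXT);
    CREATE TABLE wp_posts(ID INTEGER, post_content TEXT);
    INSERT INTO wp_users VALUES (1,'siteowner','owner@example.com','2021-03-01'),
                                (7,'wp_support1','x@example.net','2024-05-09');
    INSERT INTO wp_usermeta VALUES (1,'wp_capabilities','a:1:{s:13:"administrator";b:1;}'),
                                   (7,'wp_capabilities','a:1:{s:13:"administrator";b:1;}');
    INSERT INTO wp_options VALUES ('blogname','My Site'),
        ('widget_text','<script src="//cdn.example.invalid/x.js"></script>');
    INSERT INTO wp_posts VALUES (10,'Hello world'),
        (11,'Sale! <iframe src="//example.invalid/"></iframe>');
    """)
    return db
```

Take a database backup before deleting any row these queries return, and confirm each hit by hand.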


9. Step 8: Change All Passwords

After cleaning, change:

  • WordPress admin passwords

  • FTP/SSH passwords

  • Plesk passwords

  • Database user passwords

  • Email passwords (if compromised)

Use strong, unique credentials.


10. Step 9: Disable XML-RPC (If Not Needed)

XML-RPC is often exploited.

Disable it by adding these lines to .htaccess:

    <Files xmlrpc.php>
        Order deny,allow
        Deny from all
    </Files>

Or disable via a security plugin.


11. Step 10: Set Proper File Permissions

Correct permissions help prevent future attacks:

  • Folders: 755

  • Files: 644

You can fix permissions in Plesk File Manager.


12. After Cleaning: Strengthen Security

Recommended actions:

  • Install a firewall plugin (Wordfence, Sucuri, etc.)

  • Enable 2FA for admin users

  • Limit login attempts

  • Delete unused admin accounts

  • Enable automatic updates in WordPress Toolkit


13. When to Contact GHFS Hosting Support

You should contact GHFS Hosting support if:

  • Malware keeps returning

  • WordPress admin access is blocked

  • You cannot identify infected files

  • Your site shows a warning in Google search

  • You suspect server-level compromise

Support can:

  • Scan logs

  • Identify infected files

  • Restore backups

  • Secure your hosting environment

