Common red flags include unexpected pop-ups, strange redirects (especially on mobile), spammy pages you didn’t create, server resource spikes, admin accounts you don’t recognize, or warnings in Google Search Console such as “Hacked content” or “Deceptive site ahead.” Hosting providers may also email you about malicious files found on your account.
First Things First: Contain the Incident
Before you start cleaning, limit damage and protect visitors.
- Enable maintenance mode to prevent new infections and protect visitors.
- Take a full backup (files + database) so you can roll back if needed, and keep that backup offline.
- Temporarily disable user registrations and comments if abuse is ongoing.
- Rotate all passwords (hosting, FTP/SSH, database, CMS admins).
- If you’re on shared hosting, open a ticket so the provider can isolate the account if required.
Step-by-Step: Remove Website Malware
1. Scan and Inventory the Infection
Use a reputable malware scanner to identify infected files, injected code, and backdoors. For WordPress, services like Wordfence or Sucuri SiteCheck can help. For servers, run antivirus tools (e.g., ClamAV) to detect known signatures. Make a list of compromised paths, modified core files, and suspicious users or cron jobs.
2. Compare Core Files with Known-Good Versions
For CMS platforms (WordPress, Joomla, Drupal), the cleanest approach is to replace core files with fresh copies from the official source. Only keep the original configuration file (e.g., wp-config.php) after verifying it has no injected code.
3. Clean Themes, Plugins, and Uploads
Delete unused or nulled themes/plugins. Reinstall legitimate ones from trusted repositories. Manually inspect recently modified files in /wp-content/themes/, /wp-content/plugins/, and /wp-content/uploads/ for obfuscated PHP, strange .ico/.php combos, or base64-encoded blobs.
4. Scrub the Database
Check posts, options/settings, and user tables for injected scripts or spam links (look for <script>, iframes, or base64). Remove malicious admin accounts. Reset all user passwords. If available, restore a clean database backup taken before the compromise.
5. Check .htaccess, web.config, and Cron Jobs
Attackers often hide redirects and reinfection code in web server configs and scheduled tasks. Review .htaccess (Apache) or web.config (IIS) for unexpected rewrite rules. Check cron jobs (or WordPress wp-cron) for unknown tasks and remove them.
6. Replace Infected Files Instead of Editing in Place
When a file is compromised, the safest fix is to replace it with a known-good copy rather than trying to edit out malicious lines. This reduces the risk of leaving backdoor fragments behind.
7. Patch Everything and Lock Down Access
Update CMS core, themes, plugins, and server packages. Disable file editing in the dashboard, enforce strong passwords and MFA, limit login attempts, and restrict SFTP/SSH/IP access where possible.
8. Re-scan, Remove Blacklist Warnings, and Request Review
Run another full scan. When clean, submit a review request: in Google Search Console, use “Security issues” → Request Review; for browser warnings (Google Safe Browsing), follow the remediation workflow. Your host may also need to re-scan and mark your account clean.
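The following triage script is an added example, not code from the original article or any scanner it names. It implements three of the steps above on constructed sample trees (a "fresh download" copy and a "live site" copy, both built in a temp directory so the script runs offline): it lists core files that differ from the known-good copy, wp-content files carrying common obfuscation markers or a PHP tag hidden in an image-type file, and .htaccess rewrite rules that redirect visitors to another host. All paths and file contents are hypothetical.

```shell
#!/usr/bin/env bash
# Added triage helper (not from the article): implements three of the steps above
# on constructed sample trees so it runs offline. All paths are hypothetical.

# Constructed "fresh download" (clean) and "live site" trees.
make_sample_trees() {
  root=$(mktemp -d); clean="$root/clean"; site="$root/site"
  mkdir -p "$clean" "$site/wp-content/uploads" "$site/wp-content/themes/demo"
  printf '<?php /* core */\n' > "$clean/index.php"
  printf '<?php /* core */\n' > "$clean/wp-load.php"
  cp "$clean/index.php" "$site/index.php"
  printf '<?php /* core */ @include "x";\n' > "$site/wp-load.php"      # tampered core file
  printf '<?php echo "hello";\n' > "$site/wp-content/themes/demo/clean.php"
  printf '<?php eval(base64_decode("ZWNobyAxOw=="));\n' > "$site/wp-content/themes/demo/functions.php"
  printf '<?php echo 1;\n' > "$site/wp-content/uploads/favicon.ico"   # PHP hidden in an "image"
  printf 'RewriteEngine On\nRewriteRule . /index.php [L]\n' > "$site/.htaccess"
  printf 'RewriteRule ^(.*)$ http://redirect.invalid/ [R=301,L]\n' >> "$site/.htaccess"
  echo "$root"
}

# Step 2: core files in live tree $2 that differ from known-good tree $1.
# wp-content and .htaccess are excluded because they legitimately differ from a fresh core.
changed_core_files() {
  diff -rq -x wp-content -x .htaccess "$1" "$2" 2>/dev/null \
    | sed -n 's/^Files .* and \(.*\) differ$/\1/p' | sort || :
}

# Step 3: wp-content files with common obfuscation markers, or a PHP tag inside an image-type file.
suspicious_content_files() {
  { grep -rlE 'eval\(|base64_decode\(|gzinflate\(|str_rot13\(' "$1/wp-content" || :
    grep -rl --include='*.ico' --include='*.png' --include='*.jpg' '<?php' "$1/wp-content" || :
  } | sort -u
}

# Step 5: RewriteRule lines that send visitors to another host (where redirect malware hides).
external_redirect_rules() {
  [ -f "$1/.htaccess" ] && grep -nE '^[[:space:]]*RewriteRule[[:space:]].*https?://' "$1/.htaccess" || :
}

# Demo run: each function prints its findings, one path per line.
root=$(make_sample_trees)
echo "== modified core files";   changed_core_files "$root/clean" "$root/site"
echo "== suspicious wp-content"; suspicious_content_files "$root/site"
echo "== external redirects";    external_redirect_rules "$root/site"
rm -rf "$root"
```

On a real site, point the first argument at an unpacked official release of the same CMS version and the second at the web root; every path printed is a candidate for replacement with a known-good copy, not for in-place editing.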
WordPress-Specific Tips (Optional but Recommended)
- Disable all plugins, then re-enable one by one after reinstalling from trusted sources.
- Regenerate WordPress SALT keys to invalidate all cookies/sessions.
- Install a reputable security plugin (e.g., Wordfence) for firewall + malware scanning.
- Harden wp-config.php and move it one level above the web root if your host allows.
- Change the default login URL and enable 2FA for all admins.
Hardening Checklist: Prevent Reinfection
- Keep automatic updates enabled for core and security releases.
- Use a Web Application Firewall (WAF) to block exploits and bots.
- Disable XML-RPC if not needed; restrict REST API exposure.
- Use least-privilege permissions (e.g., 640/750) and disable PHP execution in uploads.
- Implement daily offsite backups with versioning and immutable storage.
- Monitor file integrity and admin logins; set up real-time alerts.
- Segment your hosting (separate staging/production) and avoid shared credentials.
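As an added example (not from the original article), the script below applies two of the checklist items to an uploads directory and verifies the result: it writes an Apache 2.4 .htaccess that refuses to serve PHP files from uploads, then sets 750 on directories and 640 on files. The uploads tree is a constructed sample in a temp directory; on a real site the web server user must belong to the group that owns the files for these modes to work.

```shell
#!/usr/bin/env bash
# Added hardening helper (not from the article). Assumes Apache 2.4 with
# AllowOverride enabled for the uploads directory; paths are constructed.

# Refuse to serve any PHP-like file from $1 (Apache 2.4 syntax).
deny_php_in_uploads() {
  printf '<FilesMatch "\\.(php|phtml|php[0-9])$">\n    Require all denied\n</FilesMatch>\n' > "$1/.htaccess"
}

# Least-privilege modes from the checklist: directories 750, files 640.
apply_least_privilege() {
  find "$1" -type d -exec chmod 750 {} +
  find "$1" -type f -exec chmod 640 {} +
}

# Succeeds only when every item under $1 has the expected mode and the deny rule is present.
uploads_hardened() {
  [ -z "$(find "$1" -type d ! -perm 750)" ] &&
  [ -z "$(find "$1" -type f ! -perm 640)" ] &&
  grep -q 'Require all denied' "$1/.htaccess" 2>/dev/null
}

# Demo on a constructed uploads tree with one world-writable file.
uploads=$(mktemp -d)
mkdir -p "$uploads/2024/05"
printf 'not really an image\n' > "$uploads/2024/05/photo.jpg"
chmod 777 "$uploads/2024/05/photo.jpg"      # the kind of loose mode a scanner flags
uploads_hardened "$uploads" && echo "already hardened" || echo "needs hardening"
deny_php_in_uploads "$uploads"
apply_least_privilege "$uploads"
uploads_hardened "$uploads" && echo "hardened: $uploads"
rm -rf "$uploads"
```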
SEO & Reputation Recovery After Malware
Clean the sitemap and remove hacked URLs, then resubmit it in Google Search Console. Check for injected backlinks and disavow them if necessary. Update your robots.txt only if attackers modified it. Publish a brief transparency note if your brand requires it, and monitor impressions and clicks weekly to confirm recovery.
When to Call an Expert
If the infection keeps returning, affects multiple sites on the same server, or involves data theft (PII, payment info), contact a professional incident response team. You may also have legal or regulatory obligations to notify users or authorities.
FAQ: Website Malware Removal
Common causes include outdated plugins, weak passwords, insecure themes, stolen FTP credentials, or vulnerable third-party integrations.
Once malware is removed and a review is approved in Search Console, rankings typically recover. Timelines vary based on the severity and duration of the compromise.
Only if the backup is clean and the vulnerability is fixed. Otherwise, attackers will reinfect the site. Always combine restore with hardening.
Simple infections can be cleared within hours; complex or multi-site compromises may take longer, especially when database and server-level changes are required.
