If your WordPress website is acting strange — like loading slowly, showing popups, or redirecting to unknown pages — it might be infected with malware. Don’t panic! Here’s a step-by-step guide to clean your website in a simple way.
Step-by-Step Cleanup Guide
Step 1: Take a Full Backup
Before doing anything, make a backup of your site. This way, if something goes wrong, you won’t lose everything.
Recommended Plugin:
Use All-in-One WP Migration – it’s easy to use and backs up everything (files + database).
Step 2: Replace WordPress Core Folders
Download a fresh copy of WordPress from wordpress.org.
Then, using FTP or File Manager, replace:
- wp-includes
- wp-admin
This ensures core files are clean and safe.
Step 3: Clean the Root Files
Go to your website’s main folder (public_html).
Delete everything except:
wp-config.php (open and check it — remove any strange code)
After deleting, copy fresh files from the clean WordPress folder to your site’s root.
Step 4: Remove Extra or Suspicious Folders
Inside public_html, if you see folders that don’t belong to WordPress (and you’re not using them), delete or move them.
This keeps your site clean from hidden malware files.
Step 5: Check Uploads Folder
Go to wp-content/uploads.
This folder should only have images or media.
If you see any PHP files there – delete them immediately.
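As an added example that is not part of this guide, here is a small POSIX shell script that does the Step 5 check from a terminal instead of by eye, and goes one step beyond the text: besides files named .php, it also flags files with a media extension that contain a PHP open tag, which is how a script can hide among images. The sample uploads tree it builds is constructed for the demo, and the script only lists, never deletes, so you decide what to remove.

```shell
#!/bin/sh
# Lists files under a WordPress uploads directory that are PHP by extension,
# or that carry a PHP open tag despite a media-looking extension.
# It only prints paths and deletes nothing, so the list can be reviewed first.

find_php_in_uploads() {
    uploads="$1"
    # 1) files whose name says they are PHP scripts
    find "$uploads" -type f \( -iname '*.php' -o -iname '*.php[0-9]' \
        -o -iname '*.phtml' -o -iname '*.phar' \) -print
    # 2) everything else: flag it if a PHP open tag appears anywhere inside
    #    (-a makes grep treat image bytes as text instead of skipping them)
    find "$uploads" -type f ! \( -iname '*.php' -o -iname '*.php[0-9]' \
        -o -iname '*.phtml' -o -iname '*.phar' \) -print |
    while IFS= read -r f; do
        if grep -q -a -e '<?php' -e '<?=' "$f" 2>/dev/null; then
            printf '%s\n' "$f"
        fi
    done
}

# Number of flagged files, handy for a quick "is uploads clean?" check
count_php_in_uploads() {
    find_php_in_uploads "$1" | wc -l | tr -d ' '
}

# Constructed sample tree (not a real site): two ordinary images, one
# plain PHP file, and one PHP file hiding behind a .jpg name.
build_sample_uploads() {
    dir=$(mktemp -d)
    mkdir -p "$dir/2025/06"
    printf '\377\330\377\340 fake jpeg bytes' > "$dir/2025/06/photo.jpg"
    printf '\211PNG fake png bytes' > "$dir/2025/06/logo.png"
    printf '<?php echo "plain php"; ?>' > "$dir/2025/06/dropped.php"
    printf '\377\330\377\340<?php echo "not an image"; ?>' > "$dir/2025/06/cat.jpg"
    printf '%s\n' "$dir"
}

main() {
    sample=$(build_sample_uploads)
    echo "Flagged files under $sample (expect dropped.php and cat.jpg):"
    find_php_in_uploads "$sample" | sed 's/^/  /'
    rm -rf "$sample"
}

main
```

Run it against your real site with `find_php_in_uploads /path/to/public_html/wp-content/uploads` after sourcing the script; anything it lists deserves a look before you delete it.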
Step 6: Reinstall/Update Plugins
Delete your current plugins and reinstall the latest versions from the official WordPress plugin directory.
This removes any corrupted or infected plugin files.
Step 7: Check Admin Users
Go to your WordPress Dashboard > Users.
Remove any admin accounts you didn’t create.
Keep only your main admin account.
Step 8: Delete Unused Themes and Plugins
If you’re not using a theme or plugin — delete it.
Inactive items can still be exploited by hackers.
Step 9: Check or Replace Theme
If you don’t have a clean copy of your theme:
- Open each file (especially functions.php) and look for strange or unusually long code.
If you do have a clean copy:
- Delete the current theme and upload your clean version.
Step 10: Change Admin Password
Choose a strong, unique password for your admin login.
Example: Dmain!Secure2025#
Step 11: Refresh Permalinks
Go to WordPress Dashboard → Settings → Permalinks
Click “Save Changes” (no need to change anything).
This refreshes your URL structure.
Step 12: Scan with Wordfence
Install the Wordfence Security plugin.
Run a full scan — it will show you any infected files still left.
Step 13: Clear Cache
If you’re using a caching plugin (like W3 Total Cache, WP Super Cache, etc.), clear the cache.
This makes sure your site shows the latest clean version.
Step 14: Change Hosting & cPanel Passwords
Log in to your hosting account and change:
- cPanel password
- FTP password
- Hosting account login
This protects you from another attack.
Step 15: Backup Your Clean Website
Now that your site is fully cleaned, take a new backup using All-in-One WP Migration or your preferred tool.
Step 16: Test Your Website
Visit your pages, check your forms, links, and speed.
Make sure everything is working properly.
Final Words
Cleaning your website from malware might take some time, but if you follow these simple steps, you can get your site back on track safely.
- Always keep your site updated
- Use strong passwords
- Install a security plugin like Wordfence
If you’re ever stuck or want expert help — feel free to reach out.
Stay safe and keep building amazing websites!
– Khalid Shah