Malware Detected: What To Do
Royal Security Pro's malware scanner found infected files on your site. Don't panic - this guide will walk you through confirming the infection, cleaning your site, and preventing future attacks.
1. Confirm It's Real Malware
Before deleting anything, verify the detection is legitimate. Some plugin code can trigger false positives.
Signs of a True Positive
- Unknown files - Files you didn't create, especially with random names like wp-tmp.php or class.api.php
- Modified core files - WordPress core files (wp-includes/, wp-admin/) that differ from official versions
- Obfuscated code - Long strings of encoded characters, base64, or eval() statements
- Hidden in uploads - PHP files in /wp-content/uploads/ (should only contain media)
- Strange timestamps - Files modified at unusual times when no one was working on the site
Signs of a False Positive
- File is part of a known, legitimate plugin or theme
- Code is standard security/licensing protection from commercial plugins
- File hasn't been modified (check timestamps, but treat this as weak evidence: attackers can reset modification times, so compare the file's content with a fresh copy rather than trusting the mtime alone)
- Other scanners (see below) don't flag it
How to Verify
Compare with original source
Download a fresh copy of the plugin/theme from WordPress.org or the vendor. Compare the flagged file with the original.
Check the code manually
Look for suspicious patterns: eval(), base64_decode(), gzinflate() or str_rot13() wrapping an encoded blob, values from $_POST/$_GET/$_REQUEST passed straight into eval(), include, or shell functions, or connections to external URLs you don't recognize.
Use additional scanners
Cross-reference the finding: run Sucuri SiteCheck against the site URL (a remote scan, so it only sees what the site serves to visitors and can miss a dormant backdoor) and upload the individual flagged file to VirusTotal. Don't upload files that contain secrets, such as wp-config.php, because uploaded samples are shared with other researchers.
Commercial plugins like Elementor Pro, WPBakery, Slider Revolution, and some security plugins use code obfuscation or licensing protection that can trigger scanners. If the file came with a legitimate plugin and is byte-for-byte identical to the vendor's fresh copy, it's a false positive. A legitimate plugin folder is also a favorite hiding place for backdoors, so the folder name alone proves nothing.
2. Immediate Actions
If you've confirmed real malware, take these steps immediately:
Emergency Checklist
- Don't delete files yet - You need them for forensics and may delete the wrong things
- Change all passwords - WordPress admin, database, FTP/SFTP, hosting panel, email. Do this from a computer you trust: if the credentials were stolen by malware on your own machine (see section 4), changing them from that same machine hands the attacker the new ones.
- Revoke all sessions - In WordPress: Users → Your Profile → Log Out Everywhere Else. This button only ends your own account's sessions; to force every user out, rotate the security keys in wp-config.php (see section 8).
- Enable maintenance mode - Prevent visitors from being affected while you clean
- Check for unknown admin users - Hackers often create backdoor accounts
- Contact your host - They may have additional logs or can help isolate the site
Go to Users → All Users and look for any accounts you don't recognize, especially with Administrator or Editor roles. Before deleting one, record its username, email, registration date and any logins for it in the activity log, since that is evidence for section 4; then delete it, attributing its content to a trusted user when WordPress asks.
3. Create a Backup Before Cleaning
This sounds counterintuitive, but backup your infected site before cleaning:
- Forensics - You may need to analyze how the attack happened
- Recovery - If cleaning goes wrong, you can restore and try again
- Evidence - If you need to report the breach or involve authorities
Use Royal Security's backup feature or your hosting's backup tool. Label it clearly as "INFECTED - DO NOT RESTORE".
4. Identify How You Were Hacked
Understanding the entry point helps ensure you don't get reinfected after cleaning.
Common Entry Points
- Outdated plugins/themes (Critical) - The #1 cause of WordPress hacks
- Weak passwords (High) - Brute force attacks on wp-admin
- Nulled/pirated plugins (Critical) - Often contain intentional backdoors
- Compromised hosting (High) - Shared hosting with infected neighbors
- Stolen FTP credentials (High) - From malware on your local computer
- Vulnerable PHP version (Medium) - Old PHP with known exploits
Check Your Logs
- Royal Security's Activity Log - Look for suspicious logins or file changes
- Server access logs - Look for POST requests to PHP files that should never receive input (anything under /wp-content/uploads/, oddly named files inside plugin folders) and for bursts of POSTs to wp-login.php or xmlrpc.php from a single IP. Work backwards from the flagged files' timestamps to the first request that touched them.
- Error logs - May show exploit attempts
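The access-log checks described above, as an added example that is not Royal Security Pro's activity log or any tool it ships: the log lines are constructed in the "combined" format Apache and Nginx write by default, the plugin path old-gallery is hypothetical, and the allow-list of paths that legitimately receive POSTs is an assumption you should extend with any form or REST endpoint your own site uses.

```python
"""Access-log triage for the entry-point hunt in section 4.

Added example, not Royal Security Pro code.  Sample log lines are constructed;
EXPECTED_POST_TARGETS is an assumption about a stock WordPress site.
"""
import re
from collections import Counter

LINE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"'
)
# Paths that normally receive POST requests on a WordPress site (assumption).
EXPECTED_POST_TARGETS = {
    "/wp-login.php", "/wp-admin/admin-ajax.php", "/wp-admin/admin-post.php",
    "/xmlrpc.php", "/wp-cron.php", "/wp-comments-post.php",
}
PHP_PATH = re.compile(r"\.(php\d?|phtml|phar)(/|$)", re.I)


def parse(line: str):
    m = LINE.match(line)
    return m.groupdict() if m else None


def triage(lines, brute_force_threshold: int = 10) -> dict:
    """Three things worth pulling out of raw access logs after a compromise:
    POSTs to PHP files that should never take input, any execution of PHP
    under uploads, and login floods from a single address."""
    odd_posts, uploads_php, login_posts = [], [], Counter()
    for line in lines:
        r = parse(line)
        if not r:
            continue
        path = r["path"].split("?", 1)[0]
        if path.startswith("/wp-content/uploads/") and PHP_PATH.search(path):
            uploads_php.append((r["ip"], path, r["status"]))
        if r["method"] != "POST":
            continue
        if path == "/wp-login.php":
            login_posts[r["ip"]] += 1
        elif PHP_PATH.search(path) and path not in EXPECTED_POST_TARGETS:
            odd_posts.append((r["ip"], path, r["status"]))
    return {
        "odd_posts": odd_posts,
        "uploads_php": uploads_php,
        "brute_force": {ip: n for ip, n in login_posts.items() if n >= brute_force_threshold},
    }


# Constructed sample: normal traffic, a login flood, then a webshell being used.
SAMPLE_LOG = [
    '192.0.2.10 - - [10/Mar/2024:01:02:03 +0000] "GET /about/ HTTP/1.1" 200 8123 "-" "Mozilla/5.0"',
    '192.0.2.10 - - [10/Mar/2024:01:02:05 +0000] "POST /wp-admin/admin-ajax.php HTTP/1.1" 200 44 "https://shop.example/about/" "Mozilla/5.0"',
] + [
    f'198.51.100.9 - - [10/Mar/2024:02:{i:02d}:00 +0000] "POST /wp-login.php HTTP/1.1" 200 2100 "-" "curl/8.4.0"'
    for i in range(12)
] + [
    # "old-gallery" is a hypothetical plugin folder used only for this sample.
    '203.0.113.7 - - [10/Mar/2024:03:14:07 +0000] "POST /wp-content/plugins/old-gallery/inc/class.api.php HTTP/1.1" 200 33 "-" "python-requests/2.31.0"',
    '203.0.113.7 - - [10/Mar/2024:03:14:09 +0000] "POST /wp-content/uploads/2024/03/wp-tmp.php?cmd=id HTTP/1.1" 200 512 "-" "python-requests/2.31.0"',
]

if __name__ == "__main__":
    for key, value in triage(SAMPLE_LOG).items():
        print(key, value)
```

Feed it the real log with `triage(open("/var/log/apache2/access.log").readlines())` (path varies by host). The first successful POST to an unexpected PHP file is usually the moment the webshell was dropped; the requests from that IP in the minutes before it are the exploit.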
5. Clean the Infection
Option A: Restore from Clean Backup (Recommended)
If you have a backup from before the infection:
- Restore the entire site from the clean backup
- Update ALL plugins, themes, and WordPress core immediately
- Change all passwords
- Run a fresh malware scan to confirm it's clean
Restoring from backup is faster and more reliable than manual cleanup, but only if the backup predates the compromise, not just the detection: malware is often present for weeks before a scanner notices it. Scan the backup before restoring it, and remember that the vulnerability that let the attacker in still exists in the restored copy until you update.
Option B: Manual Cleanup
If no clean backup exists, clean manually:
Replace WordPress core files
Download fresh WordPress from wordpress.org. Replace /wp-admin/ and /wp-includes/ completely, along with the PHP files in the site root except wp-config.php. Don't touch wp-content. If you have wp-cli, wp core verify-checksums compares the core files against the official checksums before and after.
Delete and reinstall plugins
Write down the installed plugins and their versions first, then delete all plugin folders from /wp-content/plugins/ and reinstall fresh copies from WordPress.org or, for premium plugins, the vendor's own download. Never reuse infected files, and never reinstall a nulled plugin (see section 4).
Delete and reinstall themes
Keep only the theme you're using (plus one default theme as a fallback if you like). Delete all others. Reinstall your active theme from a fresh source. If you use a child theme with your own customizations, there is no pristine copy to compare against, so inspect every file in it by hand.
Clean the uploads folder
Search for PHP files in /wp-content/uploads/, including variants such as .phtml, .php5 and .phar. There should be NONE. Delete any found.
Check wp-config.php
Look for any code that shouldn't be there, especially at the very beginning or end of the file. Malware often injects code before the opening <?php tag or after the final require_once ABSPATH . 'wp-settings.php'; line, and commonly adds an include of a file disguised as an image (.ico, .jpg) elsewhere on the server. Also confirm that DB_HOST and the table prefix still point where you expect.
Check .htaccess files
Look in the root, wp-admin, and wp-content. Remove any suspicious redirects or code you didn't add, such as AddHandler/AddType lines that make the server execute .jpg or .txt files as PHP, php_value auto_prepend_file directives, or RewriteRules that send visitors to another domain. Redirects are often conditional on the referrer or user agent (search-engine visitors only), so you may never see them yourself.
Delete unknown files in root
The root should only contain the files shipped with WordPress plus wp-config.php and .htaccess; compare the listing against a fresh download. Delete anything suspicious like db.php, wp-info.php, etc. (a db.php inside /wp-content/, by contrast, is a legitimate drop-in location used by caching plugins, so check its contents rather than assuming).
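The file-system steps of the manual cleanup, as an added example that is not Royal Security Pro code: it builds a small constructed WordPress-like tree in a temporary directory so it runs offline, and audit_site() can be pointed at a real document root instead. The lists of expected root files and directories describe a stock install and are an assumption; hosts add files such as php.ini or .user.ini, so "unexpected" means review, not delete.

```python
"""File-system checks for the manual cleanup in section 5.

Added example, not Royal Security Pro code.  The sample tree is constructed;
EXPECTED_ROOT_* are assumptions based on a stock install.
"""
import re
import tempfile
from pathlib import Path

EXPECTED_ROOT_FILES = {
    ".htaccess", "index.php", "license.txt", "readme.html", "wp-activate.php",
    "wp-blog-header.php", "wp-comments-post.php", "wp-config.php",
    "wp-config-sample.php", "wp-cron.php", "wp-links-opml.php", "wp-load.php",
    "wp-login.php", "wp-mail.php", "wp-settings.php", "wp-signup.php",
    "wp-trackback.php", "xmlrpc.php",
}
EXPECTED_ROOT_DIRS = {"wp-admin", "wp-content", "wp-includes"}
# Extensions PHP-enabled hosts commonly execute; plain ".php" is not enough.
PHP_EXT = re.compile(r"\.(php\d?|phtml|phar)$", re.I)
# .htaccess directives used to execute PHP from uploads, prepend a file to
# every script, or redirect visitors off-site.
HTACCESS_RED_FLAGS = re.compile(
    r"AddHandler|AddType\s+application/x-httpd-php|"
    r"php_value\s+auto_(prepend|append)_file|RewriteRule\s.*https?://",
    re.I,
)


def php_in_uploads(root: Path) -> list[Path]:
    """Every PHP-executable file under wp-content/uploads (there should be none)."""
    uploads = root / "wp-content" / "uploads"
    return sorted(p for p in uploads.rglob("*") if p.is_file() and PHP_EXT.search(p.name))


def unexpected_in_root(root: Path) -> list[str]:
    """Names in the document root that a stock WordPress install does not have."""
    out = []
    for p in root.iterdir():
        expected = EXPECTED_ROOT_DIRS if p.is_dir() else EXPECTED_ROOT_FILES
        if p.name not in expected:
            out.append(p.name)
    return sorted(out)


def wp_config_findings(text: str) -> list[str]:
    """Injection patterns in wp-config.php: bytes before the opening tag, code
    after the stock final require, decoder calls, or includes of literal paths."""
    findings = []
    if not text.lstrip().startswith("<?php"):
        findings.append("content before <?php")
    stock_end = "wp-settings.php';"
    if stock_end in text and text.split(stock_end, 1)[1].strip():
        findings.append("code after the wp-settings.php require")
    if re.search(r"\b(eval|base64_decode|gzinflate|str_rot13)\s*\(", text):
        findings.append("decoder or eval call")
    # The stock file only has: require_once ABSPATH . 'wp-settings.php';
    if re.search(r"\b(include|require)(_once)?\s*\(?\s*['\"]", text):
        findings.append("include of a literal path")
    return findings


def htaccess_red_flags(root: Path) -> dict[str, list[str]]:
    """Suspicious directive lines in the root, wp-admin and wp-content .htaccess."""
    out = {}
    for rel in (".htaccess", "wp-admin/.htaccess", "wp-content/.htaccess"):
        f = root / rel
        if f.is_file():
            bad = [ln.strip() for ln in f.read_text(errors="replace").splitlines()
                   if HTACCESS_RED_FLAGS.search(ln)]
            if bad:
                out[rel] = bad
    return out


def audit_site(root: Path) -> dict:
    return {
        "php_in_uploads": [str(p.relative_to(root)) for p in php_in_uploads(root)],
        "unexpected_in_root": unexpected_in_root(root),
        "wp_config": wp_config_findings((root / "wp-config.php").read_text(errors="replace")),
        "htaccess": htaccess_red_flags(root),
    }


def build_constructed_site() -> Path:
    """A constructed tree: a few stock files plus three planted artifacts."""
    root = Path(tempfile.mkdtemp(prefix="wp-audit-"))
    for d in EXPECTED_ROOT_DIRS:
        (root / d).mkdir()
    for name in ("index.php", "wp-login.php", "wp-settings.php"):
        (root / name).write_text("<?php\n")
    (root / "wp-config.php").write_text(
        "<?php\ndefine('DB_NAME', 'shop');\nrequire_once ABSPATH . 'wp-settings.php';\n")
    (root / ".htaccess").write_text("RewriteEngine On\nRewriteRule . /index.php [L]\n")
    (root / "wp-info.php").write_text("<?php eval($_POST['x']);\n")  # planted
    up = root / "wp-content" / "uploads" / "2024" / "03"
    up.mkdir(parents=True)
    (up / "photo.jpg").write_bytes(b"\xff\xd8\xff")
    (up / "wp-tmp.php").write_text("<?php echo 1;\n")  # planted
    (root / "wp-content" / ".htaccess").write_text("AddHandler application/x-httpd-php .jpg\n")  # planted
    return root


if __name__ == "__main__":
    print(audit_site(build_constructed_site()))
```

Run the audit before deleting anything and keep its output with the infected backup from section 3; it is the list of what you removed and why.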
6. Check the Database
Malware can also live in the database. Check these areas:
wp_options Table
Look for suspicious entries: option values containing <script> or <iframe> tags, eval() or base64-encoded blobs, and unfamiliar autoloaded options (those run on every page load). Also check siteurl and home, which redirect malware likes to change.
wp_posts Table
Check for injected content in posts: script tags, hidden iframes, spam links (often wrapped in display:none), and drafts or revisions you did not write.
wp_users Table
Look for rogue admin accounts: join wp_users with wp_usermeta on the wp_capabilities key (the prefix matches your table prefix) and review every administrator, paying attention to recent registration dates and unfamiliar email addresses.
If you find malware in the database, be very careful with deletions. Consider hiring a professional or using a specialized tool. Deleting the wrong data can break your site.
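The three database checks above, as an added example that is not Royal Security Pro code: it runs against an in-memory SQLite copy of the four tables involved so it works offline, the schema is trimmed to the columns the queries use, every row is constructed, and the queries stick to LIKE so they run unchanged on MySQL/MariaDB (for instance through wp db query). The default wp_ table prefix is assumed. The queries only read; deletions are left to you, for the reason the paragraph above gives.

```python
"""Database checks for section 6 against a constructed in-memory SQLite copy.

Added example, not Royal Security Pro code.  Schema and rows are constructed;
the wp_ table prefix is an assumption.
"""
import sqlite3

SCHEMA = """
CREATE TABLE wp_options  (option_id INTEGER PRIMARY KEY, option_name TEXT, option_value TEXT, autoload TEXT);
CREATE TABLE wp_posts    (ID INTEGER PRIMARY KEY, post_title TEXT, post_content TEXT, post_status TEXT, post_type TEXT);
CREATE TABLE wp_users    (ID INTEGER PRIMARY KEY, user_login TEXT, user_email TEXT, user_registered TEXT);
CREATE TABLE wp_usermeta (umeta_id INTEGER PRIMARY KEY, user_id INTEGER, meta_key TEXT, meta_value TEXT);
"""

# wp_options: injected markup or encoded code; autoloaded options run on
# every page load, so they are listed first.
OPTIONS_QUERY = """
SELECT option_name, autoload, substr(option_value, 1, 80) AS preview
FROM wp_options
WHERE option_value LIKE '%<script%' OR option_value LIKE '%<iframe%'
   OR option_value LIKE '%eval(%'  OR option_value LIKE '%base64_decode%'
ORDER BY autoload DESC, option_name
"""
# wp_posts: script/iframe injection and hidden spam blocks in content.
POSTS_QUERY = """
SELECT ID, post_type, post_status, post_title
FROM wp_posts
WHERE post_content LIKE '%<script%' OR post_content LIKE '%<iframe%'
   OR post_content LIKE '%display:none%'
"""
# wp_users: every account holding the administrator capability, oldest
# first, so a recently registered admin stands out at the bottom.
ADMINS_QUERY = """
SELECT u.ID, u.user_login, u.user_email, u.user_registered
FROM wp_users u JOIN wp_usermeta m ON m.user_id = u.ID
WHERE m.meta_key = 'wp_capabilities' AND m.meta_value LIKE '%administrator%'
ORDER BY u.user_registered
"""


def suspicious_options(conn):
    return conn.execute(OPTIONS_QUERY).fetchall()


def suspicious_posts(conn):
    return conn.execute(POSTS_QUERY).fetchall()


def administrators(conn):
    return conn.execute(ADMINS_QUERY).fetchall()


def unknown_admins(conn, known_logins) -> list[str]:
    """Administrator logins that are not on the list the site owner recognizes."""
    return [login for _, login, _, _ in administrators(conn) if login not in known_logins]


def open_constructed_db() -> sqlite3.Connection:
    """Constructed data: two clean rows per table plus one planted row each."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    conn.executemany("INSERT INTO wp_options(option_name, option_value, autoload) VALUES (?,?,?)", [
        ("siteurl", "https://shop.example", "yes"),
        ("blogname", "Example Shop", "yes"),
        ("theme_footer_snippet", '<script src="https://cdn.example.invalid/t.js"></script>', "yes"),
    ])
    conn.executemany("INSERT INTO wp_posts(post_title, post_content, post_status, post_type) VALUES (?,?,?,?)", [
        ("Welcome", "<p>Hello world</p>", "publish", "post"),
        ("About", '<p>About us</p><iframe src="https://ads.example.invalid/" style="display:none"></iframe>', "publish", "page"),
    ])
    conn.executemany("INSERT INTO wp_users(ID, user_login, user_email, user_registered) VALUES (?,?,?,?)", [
        (1, "admin", "owner@shop.example", "2021-05-01 10:00:00"),
        (2, "editor-jane", "jane@shop.example", "2022-02-11 09:30:00"),
        (3, "wp-support", "support@mail.example.invalid", "2024-03-10 03:15:22"),
    ])
    conn.executemany("INSERT INTO wp_usermeta(user_id, meta_key, meta_value) VALUES (?,?,?)", [
        (1, "wp_capabilities", 'a:1:{s:13:"administrator";b:1;}'),
        (2, "wp_capabilities", 'a:1:{s:6:"editor";b:1;}'),
        (3, "wp_capabilities", 'a:1:{s:13:"administrator";b:1;}'),
    ])
    return conn


if __name__ == "__main__":
    db = open_constructed_db()
    print("options:", suspicious_options(db))
    print("posts:", suspicious_posts(db))
    print("admins:", administrators(db))
    print("unknown admins:", unknown_admins(db, {"admin"}))
```

Against a live site, run the three query strings with wp db query or your host's phpMyAdmin after taking the database dump from section 3; expect some false positives in wp_posts on sites that embed legitimate videos or widgets, and read each match before deciding.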
7. Verify the Cleanup
After cleaning, confirm your site is malware-free:
Run Royal Security scan again
Do a full scan and confirm no detections.
Check external scanners
Use Sucuri SiteCheck and Google Safe Browsing to verify.
Check Google Search Console
If you were flagged, request a review after cleanup.
Monitor for 48-72 hours
Watch the activity log closely for any signs of reinfection.
8. Harden Your Site
Prevent reinfection with these measures:
Post-Cleanup Security Checklist
- Update WordPress, all plugins, and all themes to latest versions
- Delete any plugins/themes you're not actively using
- Enable Royal Security's firewall and all hardening options
- Set up two-factor authentication for all admin accounts
- Use strong, unique passwords (20+ characters)
- Change your WordPress security keys (wp-config.php)
- Ensure file permissions are correct (644 files, 755 directories, and 600 or 640 for wp-config.php)
- Enable automatic updates for plugins and themes
- Set up regular automated backups
- Consider a Web Application Firewall (WAF) like Cloudflare
Generate New Security Keys
Get new keys from the WordPress Secret Key Generator (api.wordpress.org/secret-key/1.1/salt/) and replace the eight AUTH_KEY/SALT defines in wp-config.php; with wp-cli, wp config shuffle-salts does the same. This logs out all users and invalidates any stolen session cookies. Do it after the passwords have been changed, otherwise an attacker who knows a password simply logs back in.
9. When to Hire a Professional
Consider professional malware removal if:
- You're not comfortable with FTP, databases, or code
- The site keeps getting reinfected
- You're running an e-commerce site with customer data
- The infection involves the database heavily
- You need guaranteed cleanup with a warranty
- Time is critical (business site losing money)
Recommended Professional Services
Sucuri Malware Removal
Industry leader in WordPress malware removal. Includes cleanup, blacklist removal, and ongoing protection.
Wordfence Site Cleaning
Expert cleanup service from the Wordfence security team with detailed post-cleanup report.
MalCare Cleanup
Automated + human cleanup with money-back guarantee. Good for complex infections.
10. Additional Resources
In-depth guides from trusted security experts:
Comprehensive Guides
How to Clean a Hacked WordPress Site
Extremely detailed guide covering every aspect of WordPress malware removal. The industry standard reference.
Cleaning a Hacked WordPress Site
Step-by-step walkthrough with screenshots. Covers manual cleanup and using security tools.
Beginner's Guide to Fixing a Hacked Site
Accessible guide for non-technical users. Good starting point if you're new to this.
WordPress Malware Removal Guide
Modern, up-to-date guide with focus on identifying attack vectors and preventing reinfection.
Understanding Malware Types
Sucuri Malware Research Blog
Latest malware discoveries and analysis. Helps identify what type of infection you have.
Wordfence Threat Intelligence
Real-time data on WordPress vulnerabilities and active exploit campaigns.
Free Scanning Tools
Sucuri SiteCheck
Free remote scanner. Checks for malware, blacklisting, spam, and defacements.
If you're a Royal Security Pro customer and need assistance with malware removal, contact our support team. We can help guide you through the cleanup process.