How to Delete Malware from Your WordPress Site

Step 1: Save All Site Files and Database Backup

• You need to download a backup of the full site. It's even better when you're using the web host's site snapshot feature. That feature can keep a thorough backup of your whole server. Just be ready with a coffee or good music as it may take a while to download.
• It'll all be fine when you can login to your own account. If you can't login anymore and you think cyber criminals has taken over your website, it's better to consult a professional malware removal expert on how to delete the malware and deal with the problem.
• Create another backup using these steps: if you can login and access your website, also use Tools > Export to export an XML file of all your content.

Some backups could be over 1GB. The wp-content folder is the most important folder on your server as it has all your uploads. If you can't use a backup plugin and your web host doesn't have a “snapshots” feature, then utilize the web host’s File Manager to create a zip archive of your wp-content folder and then download that zip file.

You’ll want to back up each one of your Wordpress on the server if they're many.

A friendly reminder about .htaccess file: Tag along your .htaccess file and download it. You might forget this one since it's an invisible file, then you so you can only see it in the web host’s File Manager if you choose to show invisibles when you launch the File Manager. Change the name of this file to take away the period at the beginning to make it visible, or else it'll be hidden on your computer. You may need a back up of the .htaccess file in case it contained content you’ll need to copy back over to your clean site. Some hosts use the .htaccess for identifying the PHP version you are using, so the site will be inoperable without that. Some people put 301 SEO redirects in their .htaccess file. Also the .htaccess file could have been compromised, so you’ll want to analyze it later.

Step 2: You Need to Examine the Backup Files

When you're done with the site backup tasks, you need to download the backup to your computer. You'll be able to see a zip file which you'll open to see these:

• The entire WordPress Core Files. You will be able to download WordPress from WordPress.org and scrutinize the files in the download and match them to your own. You don't really need these files, but it's better to have them later when you're doing an investigation.
• htaccess file. You won't see this right away as it's an invisible file. The only way to know if you backed this up is to view your backup folder using an FTP program or code editing application that allows you see invisible files (check the Show Hidden Files option) within the application’s interface.
• The wp-config.php file. This is essential during the recovering process. It has the name, username, and password to your WordPress database.
• The database. An SQL file is a must-have as it's an export of your database. You won't delete the database, yet it's always good to have a backup as a guarantee.
• The wp-content folder. When you open the wp-content folder, you'll see 3 folders namely a.) themes, b.) uploads, and c.) plugins. Check these folders out. If you can see your theme, plugins, and uploaded images, then that's a positive sign that you have a proper backup of your site. This is commonly the only vital folder you need to restore your site (in addition to the database).

Step 3: Delete All the Files in the public_html folder

After the tedious job of downloading a completely good backup of your site, you need to delete all the files that you can see in the public_html folder (except the cgi-bin folder and any server related folders that are clearly free of hacked files). You should be using the web host’s File Manager for that one. It's a lot faster to delete the files using the File Manager instead of FTP. Remember to check out the invisible files as well. You need to delete any compromised .htaccess files too.

Step 4: Reinstall WordPress

Now, you can reinstall your WordPress. Using the installer in your web hosting panel, reinstall WordPress in the public_html directory if this was the initial location of the WordPress install or in the subdirectory if WordPress was installed in an add-on domain.

Back to your site backup, edit the wp-config.php file on the new install of WordPress to use the database credentials from your old site. This will associate the new WordPress installation to the old database. It's not recommended re-uploading your old wp-config.php file as the new one will have new login encryption salts and will definitely be clean from any hacked code.

Step 5: Reset Passwords

It's the perfect time for you to login to your site and to change all the usernames and passwords. This will make sure that no cyber criminal can hack their way to your website again. Just remember to work with an impractical password from now on. But what's an impractical password? Choose a password that has a combination of letters, numbers, and symbols. You can even use your favorite movie or song lines to make it even harder. It's all up to you.

Step 6: Reinstall Plugins

When we say to reinstall plugins, we don't mean you to reinstall the old ones. It's better to use newer downloads from the premium plugin developer. Again, don't use old plugins because they might be contaminated. That's how to delete malware.

Step 7: Reinstall Themes

Just like the plugins, it's better to use freshly downloaded themes. If you personalize your theme files, go back to your back up files and replicate the changes on the fresh copy of the theme. It's not advisable to reuse your old themes because they may contain malware. That's how to delete malware.

Step 8: Upload Your Images Back to Your Website

This can be a bit confusing but with focus, you'll be able to re-upload your website images. You need to get your old image files copied back up to the new wp-content > uploads folder on the server. Although, you need to avoid any compromised files in this process. You will need to carefully analyze each and every year/month folder in your backup and check inside each folder. Also, you need to make sure there are ONLY image files and no PHP files or JavaScript files or whatever you did not upload to your Media Library. This is a long process. Once you have blessed each year/month folder, you can upload these to the server using FTP.

Step 9: Use Your Computer Antivirus

It's also beneficial to scan your entire computer. Your computer can also transfer malware to your website, so watch out for viruses, trojans, and malware.

Step 10: Install and Run Security Plugins

We're pretty sure you got some security plugins on your old website. It's time to reinstall them back to your newly restored website. Keep track of these plugins all the time because they can become a vulnerability in the future when not updated on time.