Removing malware from a website is a critical task because infected websites can lose traffic, get blacklisted by Google, and even be suspended by hosting providers. The faster you detect and remove malware, the less damage it causes.
This guide explains step-by-step how to clean a hacked or infected website safely and restore it to normal working condition.
What Happens When a Website is Infected
When malware enters your website, it can:
- Inject malicious code into files
- Create fake pages or spam content
- Redirect visitors to harmful websites
- Steal login or customer data
- Slow down or crash your website
- Trigger Google security warnings
If you notice any of these issues, immediate action is required.
Step 1: Identify the Infection
Before removing malware, you must confirm where the issue is.
Signs of infection:
- Website redirects to unknown pages
- Strange admin users appear
- Unknown files in hosting
- Google warning: “This site may be hacked”
- Sudden traffic drop
- Suspicious scripts in source code
Check your website using:
- Google Safe Browsing report
- Hosting file manager
- Security plugins scan
Step 2: Put Your Website in Maintenance Mode
To protect visitors and stop further damage:
- Enable maintenance mode
- Or temporarily take website offline
This prevents users from interacting with infected pages.
Step 3: Scan Your Website for Malware
Use security tools to detect infected files.
Popular tools:
- Wordfence Security (WordPress)
- Sucuri SiteCheck
- MalCare
- Host-based malware scanner
These tools help you locate:
- Infected files
- Suspicious scripts
- Backdoors
- Malware injections
Step 4: Backup Your Website (Important Step)
Before making any changes:
- Take a full backup of your infected website
- Store it safely in cloud storage
Even if it’s infected, backup is important for recovery or analysis.
Step 5: Remove Infected Files
Now you need to manually or automatically clean the website.
Manual removal:
- Open file manager or FTP
- Check wp-content folder (WordPress)
- Remove suspicious files (unknown names or recent changes)
- Delete malicious scripts from theme and plugin files
Important areas to check:
- index.php
- .htaccess file
- wp-config.php
- theme header/footer files
Step 6: Clean Database
Malware can also hide inside the database.
Check:
- Posts with spam links
- Unknown admin users
- Suspicious scripts in content
Use phpMyAdmin:
- Open database
- Search for unusual code
- Remove infected entries carefully
Step 7: Remove Backdoors
Hackers often leave backdoors so they can re-enter your website.
Look for:
- PHP files with random names
- Hidden admin scripts
- Recently modified files
Delete anything suspicious immediately.
Step 8: Update Everything
After cleaning:
- Update WordPress core
- Update all plugins
- Update themes
Outdated software is the main reason for reinfection.
Step 9: Change All Passwords
Reset all credentials:
- WordPress admin password
- Hosting panel password
- FTP credentials
- Database password
Use strong passwords with letters, numbers, and symbols.
Step 10: Recheck Website Security
After cleaning:
- Run malware scan again
- Check Google Safe Browsing status
- Test website functionality
- Ensure no redirects or errors
Step 11: Request Google Review (If Blacklisted)
If Google marked your website as dangerous:
- Go to Google Search Console
- Request security review
- Submit your cleaned website
Google will re-evaluate your site.
Best Practices After Malware Removal
To avoid reinfection:
- Install security plugin permanently
- Enable firewall protection
- Schedule regular scans
- Use secure hosting
- Keep backups updated
- Avoid pirated themes/plugins
Common Mistakes During Malware Removal
- Deleting files without backup
- Ignoring database infection
- Not removing backdoors
- Only relying on plugins
- Not changing passwords after cleanup
These mistakes often lead to reinfection.
Professional Tip
If malware is complex or deeply injected, use professional tools or services like:
- Sucuri Cleanup Service
- Wordfence Premium Support
- Hosting provider malware removal service
Conclusion
Removing malware from a website requires careful steps and attention. It is not just about deleting infected files but also securing the entire system to prevent future attacks. A properly cleaned website should always be followed by strong security practices to avoid reinfection.
