How to Remove Malware from your Site

Originally published at: How to Remove Malware from your Site - MainWP WordPress Management

Taking over an existing site for a client which is infected with malware can be a complex mess to deal with and to get the site clean and free of malware. Luckily there are a number of security and malware scanning plugins that will help with being able to clean up the site. The iThemes…


You’ve missed (one of) the best and most used security plugins: Wordfence Security
They also have a great series of YouTube videos that explain much more how to remove malware.

1 Like

The Wordfence plugin can cause quite a bit of database bloat and performance issues which is why it was not included in the post. The basics were covered in the post to scan WordPress core, plugins and themes and then how to remove files that should not exist or how to fix files which have been modified. Cleanup of an infected wp-config.php file is going to be more complex than just basics.

Shield Security is another solid plugin option and it has an extension for MainWP.

Do you have proof of that? I’m running Wordfence on all (250) sites I manage and don’t experience database bloat or performance issues. I see this argument a lot, but nobody can give me proof. Years ago there was a performance issue, because Live Traffic was set to log “All Traffic” and yes in that case you a right. But if you would set it to “Security Only” there’s no issue. And that’s the default setting for years now.

Giving a “how-to” about removing malware should always come with a big warning:

if you remove 99% of the malware, your site is still 100% infected.

So if you don’t know how to clean a hacked site, you should hire a professional.

Customers and client sites with wp-admin performance issue those issues show up fastest when the Wordfence plugin is being used as the security plugin along with the more bloated backup plugins which have a legacy codebase, no names mentioned.

Ideally, you would want to use the checksum WP-CLI commands for both WordPress core and all plugins that are hosted on the repo. Again this would not cover any premium paid plugins since those can not be verified using a WP-CLI command.

I did not say that removing malware was an easy process just the most basic version was using security plugins that can scan WordPress core, plugins, and themes on the site. If the Wordfence plugin works well on your client sites then great.

If you experience performance issues, you should contact support to investigate it. Maybe it’s related to bad hosting, configuration or a conflict with a plugin or so.

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.