How to Remove Malware From Website
Malware—short for malicious software—is one of the most dangerous threats facing websites today. Whether you run a small business site, an e-commerce store, or a personal blog, any website connected to the internet is vulnerable to infection. Malware can steal sensitive data, redirect visitors to harmful pages, damage your search engine rankings, and even get your site blacklisted by major browsers like Google Chrome or Mozilla Firefox. Removing malware from a website is not just a technical task; it’s a critical step in preserving your online reputation, protecting your users, and maintaining trust with search engines.
Many website owners are unaware their site has been compromised until they receive a warning from Google Search Console, notice unusual traffic patterns, or receive complaints from visitors. By then, the damage may already be done. This guide provides a comprehensive, step-by-step approach to identifying, removing, and preventing malware from infecting your website. Whether you’re a developer, site administrator, or business owner managing your own site, this tutorial will equip you with the knowledge and tools to clean your website thoroughly and securely.
Step-by-Step Guide
Step 1: Confirm the Infection
Before taking drastic measures like deleting files or restoring backups, you must confirm that your website is actually infected. Malware infections are not always obvious. Some symptoms include:
- Unexpected redirects to spam or phishing sites
- Pop-ups or fake antivirus alerts on your site
- Unfamiliar admin users or new files in your file system
- Google showing a “This site may be hacked” warning in search results
- Search Console alerts about malware or unsafe content
- Slower site performance or unexplained server load spikes
To verify the infection, use trusted third-party scanners. Start with Google’s Security Issues report in Google Search Console. If your site appears there, it’s been flagged. Next, scan your site using Sucuri SiteCheck, Quttera, or Unmask Parasites. These tools analyze your site from an external perspective and can detect hidden malware, obfuscated code, or malicious redirects that you might miss locally.
Do not rely solely on antivirus software installed on your computer. Malware often hides in server-side files and won’t trigger alerts on your local machine. Always use online scanners that evaluate your live website as a visitor would see it.
Step 2: Isolate the Infected Site
Once you confirm the infection, immediately isolate your website to prevent further damage. This step is crucial if your site shares a server with other websites or if it’s connected to a database used by multiple applications.
For shared hosting environments, contact your hosting provider and request that your site be temporarily suspended or placed in quarantine mode. Many providers offer this service to prevent malware from spreading across their network. If you’re on a VPS or dedicated server, disable public access by modifying your .htaccess file (Apache) or nginx configuration to return a 503 Service Unavailable status for all traffic except your IP address.
Also, disable any automated email notifications or forms that could be exploited to send spam. Malware often turns contact forms into spam relays. Temporarily shutting down these functions reduces your risk of being blacklisted by email providers.
Step 3: Backup Everything (Carefully)
Before you begin cleaning, create a full backup of your website’s files and database. However, do not assume your existing backup is clean. Malware can hide in backups, especially if they were created after the infection occurred.
Use your hosting control panel (e.g., cPanel, Plesk) or an FTP client to download a complete copy of your website’s public directory (usually public_html, www, or htdocs). Export your database using phpMyAdmin or a similar tool. Store these files in a secure, offline location—preferably on an encrypted external drive or a cloud storage account with two-factor authentication enabled.
Label the backup clearly with the date and time, and note whether it was taken before or after the infection was detected. This will help you determine whether to restore from it later or discard it entirely.
Step 4: Identify the Source of Infection
Malware doesn’t appear out of nowhere. It enters through vulnerabilities. Common entry points include:
- Outdated content management systems (WordPress, Joomla, Drupal)
- Compromised themes or plugins with known exploits
- Weak or reused passwords
- Unsecured FTP or SSH access
- SQL injection vulnerabilities in custom code
- Third-party scripts (ads, analytics, chat widgets)
Begin by checking your CMS version. For WordPress sites, log into your admin dashboard and check for available updates. If your site is running an outdated version, that’s likely the root cause. Even if you’ve updated recently, malware may have been injected before the update.
Next, inspect your theme and plugin directories. Look for unfamiliar files—especially those with names like wp-tmp.php, base64_encoded.php, or shell.php. These are common names used by attackers to disguise malicious scripts. Use your file manager or command line to search for suspicious code patterns:
- Base64-encoded strings (e.g., eval(base64_decode(...)))
- Obfuscated JavaScript with long, unreadable strings
- PHP functions like system(), exec(), passthru(), or shell_exec() used outside of legitimate contexts
- Hidden iframes or script tags pointing to suspicious domains
Use a code comparison tool like WinMerge or Diffchecker to compare your current files with clean versions from the official CMS repository. This helps identify modified core files that may have been altered by attackers.
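The search for the patterns listed in this step can be scripted rather than done by hand. The following is an added example, not code from the original article: a small Python scanner that walks a web root, flags the file names the step names as common disguises, and reports each line matching one of the indicators (eval(base64_decode(...)), shell-capable PHP functions, hidden iframes, script tags loading an external host, very long string literals). The regular expressions and the file extension list are constructed for this example and should be tuned to your own site; a hit is a lead for the diff against clean CMS files described above, not a verdict, since a legitimate analytics snippet will also trip the external-script rule.

```python
import re
from pathlib import Path

# Indicators taken from Step 4 of the article. The regular expressions are
# constructed for this example; tune them to your own code base.
SUSPICIOUS_PATTERNS = [
    ("eval(base64_decode(...))", re.compile(r"eval\s*\(\s*base64_decode\s*\(", re.I)),
    ("shell-capable PHP function", re.compile(r"\b(system|exec|passthru|shell_exec)\s*\(", re.I)),
    ("hidden iframe", re.compile(r"<iframe[^>]*(display\s*:\s*none|width=[\"']?0\b|height=[\"']?0\b)", re.I)),
    ("script tag loading an external host", re.compile(r"<script[^>]+src=[\"']https?://", re.I)),
    ("long obfuscated string literal", re.compile(r"[\"'][A-Za-z0-9+/=]{200,}[\"']")),
]

# File names the article lists as common disguises for attacker scripts.
SUSPICIOUS_NAMES = {"wp-tmp.php", "base64_encoded.php", "shell.php"}

# Only text-bearing web files are scanned; .htaccess has no suffix, so it is
# matched by name in scan_tree().
SCAN_SUFFIXES = {".php", ".phtml", ".js", ".html", ".htm"}


def scan_text(text):
    """Return [(indicator, line_number)] for every indicator found in text."""
    hits = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for label, rx in SUSPICIOUS_PATTERNS:
            if rx.search(line):
                hits.append((label, lineno))
    return hits


def scan_tree(root):
    """Walk a web root and return {relative_path: [(indicator, line)]}.

    A suspicious file name is reported with line 0. Results are leads for
    manual review, not verdicts.
    """
    root = Path(root)
    findings = {}
    for path in sorted(root.rglob("*")):
        if not path.is_file():
            continue
        if path.suffix.lower() not in SCAN_SUFFIXES and path.name != ".htaccess":
            continue
        hits = []
        if path.name in SUSPICIOUS_NAMES:
            hits.append(("suspicious file name", 0))
        try:
            hits.extend(scan_text(path.read_text(errors="replace")))
        except OSError:
            continue  # unreadable file: skip it but keep scanning
        if hits:
            findings[str(path.relative_to(root))] = hits
    return findings


if __name__ == "__main__":
    import sys
    for rel, hits in scan_tree(sys.argv[1] if len(sys.argv) > 1 else ".").items():
        for label, line in hits:
            print(f"{rel}:{line}: {label}")
```

Run it against the downloaded copy of public_html from Step 3 rather than against the live server, and review every reported file against the clean copy from the official repository before editing anything.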
Step 5: Clean the Infected Files
Once you’ve identified malicious code, you have two options: remove it manually or replace the files entirely.
For minor infections—such as a single injected script tag—you can edit the file directly. Open the infected file in a plain text editor (never use Word or Google Docs). Locate the malicious code and delete it. Be extremely careful not to delete legitimate code. If you’re unsure, comment out the suspicious section first and test your site before permanently removing it.
For heavily infected files—especially core CMS files, themes, or plugins—it’s safer to replace them entirely. Download clean copies from the official source:
- WordPress: wordpress.org/download
- Joomla: downloads.joomla.org
- Drupal: drupal.org/download
Upload the clean files via FTP or your hosting control panel, overwriting the infected versions. Do not upload your old database yet—wait until after cleaning.
Pay special attention to the following directories:
- /wp-content/uploads/ – Often used to store malicious PHP files disguised as images
- /tmp/ and /cache/ – Used by malware to store payloads
- /cgi-bin/ – Can contain executable scripts
- .htaccess – Frequently modified to add redirects or rewrite rules
Open your .htaccess file and look for lines like:
Redirect 301 / http://malicious-site.com
RewriteEngine On
RewriteCond %{HTTP_REFERER} .*google.* [NC,OR]
RewriteCond %{HTTP_REFERER} .*bing.* [NC,OR]
RewriteCond %{HTTP_REFERER} .*yahoo.* [NC]
RewriteRule (.*) http://phishing-site.com/$1 [R=301,L]
These are classic signs of a malicious redirect. Remove or comment out any suspicious lines. If you’re unsure whether the .htaccess file is legitimate, rename it to .htaccess.bak and let your CMS regenerate a fresh version.
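A .htaccess file can be long, and the cloaking pattern above (a redirect that only fires for visitors arriving from a search engine) is easy to miss when reading by eye, because the site looks normal when you open it yourself. The following is an added example, not part of the original article: a Python checker that reports every Redirect or RewriteRule whose target is an absolute URL on a host outside a trusted list, and notes when such a rule is preceded by RewriteCond lines on HTTP_REFERER matching google, bing or yahoo. The trusted host set is a constructed placeholder to replace with your own domain(s).

```python
import re
from urllib.parse import urlparse

# Redirect/RewriteRule targets on these hosts are treated as legitimate.
# Constructed for this example; put your own domain(s) here.
TRUSTED_HOSTS = {"example.com", "www.example.com"}

REDIRECT_RX = re.compile(
    r"^Redirect(?:Match|Permanent|Temp)?\s+"
    r"(?:(?:\d{3}|permanent|temp|seeother|gone)\s+)?\S+\s+(\S+)", re.I)
REWRITE_RULE_RX = re.compile(r"^RewriteRule\s+\S+\s+(\S+)", re.I)
REFERER_COND_RX = re.compile(r"^RewriteCond\s+%\{HTTP_REFERER\}\s+(\S+)", re.I)
SEARCH_ENGINE_RX = re.compile(r"google|bing|yahoo", re.I)


def _external_host(target, trusted):
    """Hostname of target if it is an absolute URL to a host outside trusted, else None."""
    host = urlparse(target).hostname
    if host and host.lower() not in trusted:
        return host.lower()
    return None


def analyze_htaccess(text, trusted_hosts=TRUSTED_HOSTS):
    """Return [(line_number, description)] for directives that send visitors
    off-site, noting when a RewriteRule is gated on a search-engine referer."""
    findings = []
    referer_conds = []  # RewriteCond patterns that apply to the next RewriteRule
    for lineno, raw in enumerate(text.splitlines(), start=1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = REDIRECT_RX.match(line)
        if m:
            host = _external_host(m.group(1), trusted_hosts)
            if host:
                findings.append((lineno, f"Redirect to external host {host}"))
            continue
        m = REFERER_COND_RX.match(line)
        if m:
            referer_conds.append(m.group(1))
            continue
        m = REWRITE_RULE_RX.match(line)
        if m:
            host = _external_host(m.group(1), trusted_hosts)
            if host:
                note = f"RewriteRule to external host {host}"
                if any(SEARCH_ENGINE_RX.search(c) for c in referer_conds):
                    note += ", applied only to visitors arriving from a search engine"
                findings.append((lineno, note))
            referer_conds = []  # conditions are consumed by the rule they precede
    return findings


if __name__ == "__main__":
    import sys
    with open(sys.argv[1] if len(sys.argv) > 1 else ".htaccess") as fh:
        for lineno, note in analyze_htaccess(fh.read()):
            print(f"line {lineno}: {note}")
```

The standard WordPress block (RewriteRule ^index\.php$ - [L], RewriteRule . /index.php [L]) produces no findings because its targets are relative paths, so the output is short enough to act on directly.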
Step 6: Clean the Database
Many malware infections persist in the database. Attackers often inject malicious code into posts, pages, comments, or options tables. This is especially common in WordPress sites.
Access your database via phpMyAdmin or a similar tool. Look for the following tables:
- wp_posts – Contains page and post content
- wp_postmeta – Stores metadata for posts
- wp_options – Holds site settings, including homepage URL and plugin configurations
- wp_comments – Often used to hide malicious scripts in comment text
Run SQL queries to search for malicious code. For example, in WordPress:
SELECT * FROM wp_posts WHERE post_content LIKE '%base64%';
SELECT * FROM wp_options WHERE option_value LIKE '%script%';
SELECT * FROM wp_comments WHERE comment_content LIKE '%iframe%';
Review the results. If you find base64-encoded strings, eval() functions, or links to known malicious domains, delete or clean those entries. Use a text editor to decode base64 strings if needed—this helps you understand what the malware is doing.
Always back up your database before making changes. You can export the entire database as a .sql file, then open it in a text editor to search globally for malicious patterns. This method is more thorough than using phpMyAdmin’s interface.
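Searching the exported .sql file for the literal string base64 only finds rows that mention the word; the encoded payload itself is a long run of letters and digits that LIKE '%base64%' never matches. The following is an added example, not code from the original article: a Python scanner that reads a dump line by line, restricts itself to INSERT rows for the four tables named above, decodes every base64-looking run long enough to carry code, and reports it only when the decoded text contains an indicator such as a script or iframe tag, eval( or an absolute URL. The sample dump is constructed inline so the block runs offline; wp_options legitimately holds base64 for some plugin settings, so treat output as leads to review, not as rows to delete blindly.

```python
import base64
import re

# A base64 run long enough to carry code rather than a short token.
BASE64_RX = re.compile(r"[A-Za-z0-9+/]{40,}={0,2}")
# What a decoded blob must contain before it is reported.
DECODED_INDICATORS = re.compile(r"<script|<iframe|eval\s*\(|document\.write|https?://", re.I)
# INSERT statements for the tables Step 6 names as common hiding places.
CONTENT_ROWS = re.compile(r"INSERT INTO `?(wp_posts|wp_postmeta|wp_options|wp_comments)`?", re.I)


def decode_candidates(text):
    """Return [(encoded, decoded)] for base64-looking runs that decode to readable text."""
    out = []
    for m in BASE64_RX.finditer(text):
        blob = m.group(0)
        try:
            raw = base64.b64decode(blob + "=" * (-len(blob) % 4), validate=True)
            decoded = raw.decode("utf-8")
        except (ValueError, UnicodeDecodeError):
            continue  # not base64, or binary (e.g. a hex hash that happened to match)
        if all(c.isprintable() or c in "\r\n\t" for c in decoded):
            out.append((blob, decoded))
    return out


def scan_sql_dump(dump_text):
    """Scan a .sql export line by line; one finding per encoded payload whose
    decoded form contains an indicator."""
    findings = []
    for lineno, line in enumerate(dump_text.splitlines(), start=1):
        table = CONTENT_ROWS.search(line)
        if not table:
            continue
        for encoded, decoded in decode_candidates(line):
            hit = DECODED_INDICATORS.search(decoded)
            if hit:
                findings.append({
                    "line": lineno,
                    "table": table.group(1),
                    "indicator": hit.group(0),
                    "decoded_preview": decoded[:120],
                })
    return findings


# Constructed sample dump: one clean option row, one post carrying an encoded
# script tag inside a hidden div, one clean comment.
_PAYLOAD = base64.b64encode(b'<script src="http://malicious.invalid/a.js"></script>').decode()
SAMPLE_DUMP = (
    "INSERT INTO `wp_options` VALUES (1,'siteurl','http://example.com','yes');\n"
    "INSERT INTO `wp_posts` VALUES (7,'Hello world',"
    "'<p>Welcome.</p><div style=\"display:none\">" + _PAYLOAD + "</div>');\n"
    "INSERT INTO `wp_comments` VALUES (3,'Nice post, thanks for sharing.');\n"
)

if __name__ == "__main__":
    for finding in scan_sql_dump(SAMPLE_DUMP):
        print(finding)
```

Feed it the .sql file you exported before cleaning (read the file and pass its contents to scan_sql_dump); the line number in each finding locates the INSERT statement to inspect in your text editor.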
Step 7: Change All Passwords and Credentials
After cleaning your files and database, change every password associated with your website:
- Hosting account password
- FTP/SFTP credentials
- Admin panel login (WordPress, Joomla, etc.)
- Database username and password
- Email accounts linked to the site
- API keys for third-party services (Google Analytics, Cloudflare, etc.)
Use a password manager to generate strong, unique passwords for each account. Avoid reusing passwords across platforms. Enable two-factor authentication (2FA) wherever possible, especially for your hosting account and CMS admin panel.
Also, review user accounts in your CMS. Delete any unfamiliar or unused accounts. Attackers often create backdoor users with administrator privileges to regain access after you clean the site.
Step 8: Scan and Reinstall Third-Party Scripts
Malware can be introduced through compromised third-party scripts. If your site uses Google Analytics, Facebook Pixel, live chat widgets, or advertising networks, verify that their code snippets are legitimate.
Compare the script tags on your site with the official code provided by the vendor. For example, Google Analytics should only include code from https://www.googletagmanager.com or https://www.google-analytics.com. Any script pointing to an unfamiliar domain (e.g., http://malicious-domain[.]xyz/script.js) should be removed immediately.
Remove any outdated or unused scripts. The fewer external dependencies your site has, the lower your risk of compromise.
Step 9: Re-upload Clean Files and Restore Database
Once you’ve cleaned all files and the database, upload the clean files to your server. Then, import the cleaned database. Do not restore the original database unless you’re certain it’s free of malware.
After uploading, test your website thoroughly:
- Check all pages for broken layouts or missing content
- Verify that forms and contact scripts work
- Test login functionality
- Check for any lingering redirects
Use a browser in incognito mode to avoid cached results. Also, test from different devices and networks to ensure the malware isn’t serving different content based on user agent or IP.
Step 10: Request a Security Review from Google
If your site was flagged by Google, you must request a review to have the warning removed. Log into Google Search Console, navigate to the Security & Manual Actions report, and click “Request a Review.”
Google will re-scan your site. If no malware is detected, the warning will be removed within 24–72 hours. Do not request a review until you’re certain your site is clean—repeated failed requests can delay the process.
Also, submit your site to other security services:
- Sucuri – Request a malware removal confirmation
- McAfee SiteAdvisor – Submit for re-evaluation
- PhishTank – If flagged as phishing
Best Practices
Regular Updates Are Non-Negotiable
Outdated software is the #1 cause of website compromises. Always keep your CMS, plugins, themes, and server software (PHP, MySQL, Apache/Nginx) updated. Enable automatic updates where possible, but test them on a staging environment first.
Use Strong Authentication
Never use “admin” as a username. Use complex passwords with at least 12 characters, including uppercase, lowercase, numbers, and symbols. Enable two-factor authentication on your CMS and hosting account. Consider using SSH keys instead of passwords for server access.
Limit File Permissions
Set appropriate file and directory permissions:
- Files: 644
- Folders: 755
- wp-config.php (WordPress): 600
Never set files to 777. This gives full read, write, and execute permissions to everyone and is a major security risk.
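Checking these modes across a whole site by hand is tedious, and a single 777 directory under uploads is easy to miss. The following is an added example, not code from the original article: a Python audit that walks the web root, compares every file and directory against the modes listed above (644 for files, 755 for directories, 600 for wp-config.php), lists the deviations with world-writable entries first, and can apply the expected modes. The directory layout in the test is constructed; on a real site run the audit first, review the list, and only then apply fixes, since some hosts run PHP under a different user and need a 750 or 640 variant instead.

```python
import os
import stat
from pathlib import Path

# Recommended modes from the "Limit File Permissions" section.
EXPECTED_FILE_MODE = 0o644
EXPECTED_DIR_MODE = 0o755
SENSITIVE_FILES = {"wp-config.php": 0o600}


def audit_permissions(root):
    """Return [(relative_path, actual_mode, expected_mode)] for every entry
    whose mode differs from the recommendation. World-writable entries
    (the 777 case) are sorted to the top."""
    root = Path(root)
    issues = []
    for path in [root, *sorted(root.rglob("*"))]:
        st = path.lstat()
        if stat.S_ISLNK(st.st_mode):
            continue  # symlinks carry no meaningful mode of their own
        actual = stat.S_IMODE(st.st_mode)
        if stat.S_ISDIR(st.st_mode):
            expected = EXPECTED_DIR_MODE
        else:
            expected = SENSITIVE_FILES.get(path.name, EXPECTED_FILE_MODE)
        if actual != expected:
            issues.append((str(path.relative_to(root)), actual, expected))
    issues.sort(key=lambda issue: (not (issue[1] & stat.S_IWOTH), issue[0]))
    return issues


def fix_permissions(root, issues):
    """Apply the expected mode for each reported issue; returns the count changed."""
    root = Path(root)
    for rel, _actual, expected in issues:
        os.chmod(root / rel, expected)
    return len(issues)


if __name__ == "__main__":
    import sys
    for rel, actual, expected in audit_permissions(sys.argv[1] if len(sys.argv) > 1 else "."):
        print(f"{rel}: {actual:o} (expected {expected:o})")
```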
Install a Web Application Firewall (WAF)
A WAF acts as a barrier between your website and potential attackers. Services like Cloudflare, Sucuri, and Wordfence (for WordPress) filter malicious traffic before it reaches your server. They can block SQL injection attempts, brute force attacks, and known malware distribution networks.
Monitor File Changes
Use tools like OSSEC, Rootkit Hunter, or Wordfence’s File Integrity Monitoring to track changes to your files. These tools alert you when new files are added, existing ones are modified, or permissions are changed—often before the malware becomes active.
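The core of every file integrity monitor is the same: record a hash and mode for each file once, then re-hash later and diff. The following is an added example, not code from the original article or from any of the tools named above: a minimal Python baseline-and-compare that classifies changes as added, removed, modified or mode-changed, so a new wp-tmp.php, an edited functions.php or a directory flipped to 777 all surface. Keep the manifest outside the web root (and ideally off the server); an attacker with write access to the site can otherwise regenerate it to match their changes.

```python
import hashlib
import json
import stat
from pathlib import Path


def hash_file(path, chunk_size=65536):
    """SHA-256 of a file, read in chunks so large uploads are not loaded whole."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_baseline(root):
    """Map each regular file under root (relative path) to its hash and mode."""
    root = Path(root)
    baseline = {}
    for path in sorted(root.rglob("*")):
        if path.is_symlink() or not path.is_file():
            continue
        baseline[str(path.relative_to(root))] = {
            "sha256": hash_file(path),
            "mode": stat.S_IMODE(path.stat().st_mode),
        }
    return baseline


def save_baseline(baseline, manifest_path):
    """Write the manifest; store it outside the web root."""
    Path(manifest_path).write_text(json.dumps(baseline, indent=2, sort_keys=True))


def load_baseline(manifest_path):
    return json.loads(Path(manifest_path).read_text())


def compare_baseline(old, new):
    """Classify differences between two baselines."""
    common = set(old) & set(new)
    return {
        "added": sorted(set(new) - set(old)),
        "removed": sorted(set(old) - set(new)),
        "modified": sorted(p for p in common if old[p]["sha256"] != new[p]["sha256"]),
        "mode_changed": sorted(p for p in common if old[p]["mode"] != new[p]["mode"]),
    }


def check_tree(root, manifest_path):
    """Compare the current tree with a saved manifest; returns (diff, unchanged)."""
    diff = compare_baseline(load_baseline(manifest_path), build_baseline(root))
    return diff, not any(diff.values())


if __name__ == "__main__":
    import sys
    root, manifest = sys.argv[1], sys.argv[2]
    if len(sys.argv) > 3 and sys.argv[3] == "init":
        save_baseline(build_baseline(root), manifest)
    else:
        diff, unchanged = check_tree(root, manifest)
        print("unchanged" if unchanged else json.dumps(diff, indent=2))
```

Take the baseline immediately after a verified-clean deployment, run the check from cron, and re-baseline only after you have deliberately updated the site, so that every reported change is one you must explain.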
Disable File Editing in CMS
In WordPress, add this line to your wp-config.php file:
define('DISALLOW_FILE_EDIT', true);
This prevents attackers from using the built-in theme and plugin editor to inject code if they gain admin access.
Backup Frequently and Securely
Automate weekly backups and store them offsite. Use encrypted storage and test your restore process regularly. A clean backup is your best defense if malware returns.
Use HTTPS Everywhere
SSL/TLS encryption doesn’t prevent malware, but it prevents attackers from intercepting data during transmission. It also improves SEO and user trust. Use Let’s Encrypt for free certificates and enforce HTTPS via server configuration.
Remove Unused Plugins and Themes
Every plugin and theme is a potential vulnerability. Delete anything you’re not actively using. Even inactive plugins can be exploited if they contain known security flaws.
Limit Login Attempts
Use plugins or server-level rules to block IPs after 3–5 failed login attempts. This prevents brute force attacks that try thousands of password combinations.
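Plugins and server-level tools implement this rule in different places, but the logic is the same: count failures per client address inside a sliding window and refuse logins for a fixed period once the limit is hit. The following is an added example, not code from the original article or from any plugin it names: a Python throttle with an injectable clock, so the window and lockout behaviour can be verified without waiting. The limits (3 failures in 60 seconds, 5 minute lockout in the test) are constructed values; the article's 3 to 5 attempts is the range to configure.

```python
import time
from collections import deque


class LoginThrottle:
    """Per-IP failed-login counter with lockout.

    After max_failures failures within window_seconds, the IP is refused for
    lockout_seconds. A successful login clears the counter. The clock is
    injectable so the behaviour can be tested without real waiting.
    """

    def __init__(self, max_failures=5, window_seconds=600,
                 lockout_seconds=900, clock=time.monotonic):
        self.max_failures = max_failures
        self.window = window_seconds
        self.lockout = lockout_seconds
        self.clock = clock
        self._failures = {}      # ip -> deque of failure timestamps
        self._locked_until = {}  # ip -> time at which the lockout expires

    def is_blocked(self, ip):
        """True while the IP is locked out; expired lockouts are cleared."""
        until = self._locked_until.get(ip)
        if until is None:
            return False
        if self.clock() >= until:
            del self._locked_until[ip]
            self._failures.pop(ip, None)
            return False
        return True

    def record_failure(self, ip):
        """Register a failed attempt. Returns True if it triggered a lockout."""
        now = self.clock()
        attempts = self._failures.setdefault(ip, deque())
        attempts.append(now)
        while attempts and now - attempts[0] > self.window:
            attempts.popleft()  # forget failures that fell outside the window
        if len(attempts) >= self.max_failures:
            self._locked_until[ip] = now + self.lockout
            return True
        return False

    def record_success(self, ip):
        """A correct password resets the counter for that IP."""
        self._failures.pop(ip, None)

    def attempts_remaining(self, ip):
        if self.is_blocked(ip):
            return 0
        return max(0, self.max_failures - len(self._failures.get(ip, ())))


def handle_login(throttle, ip, password_ok):
    """Decision helper for a login handler: 'locked', 'ok' or 'denied'.
    The lockout check runs before the password check, so a locked-out
    client learns nothing about whether its guess was right."""
    if throttle.is_blocked(ip):
        return "locked"
    if password_ok:
        throttle.record_success(ip)
        return "ok"
    throttle.record_failure(ip)
    return "denied"
```

In production the counters belong in shared storage (the database or a cache) rather than in one process's memory, and the client address should be taken from the connection or a trusted proxy header only, since a header the client controls would let it reset its own counter.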
Conduct Regular Security Audits
Quarterly audits should include:
- Reviewing user accounts
- Checking for suspicious files
- Verifying backup integrity
- Testing for open ports and services
- Scanning for malware
Tools and Resources
Malware Scanners
- Sucuri SiteCheck – Free online scanner that detects malware, blacklisting, and out-of-date software
- Quttera Web Malware Scanner – Deep scanning with detailed reports and malware classification
- Unmask Parasites – Excellent for detecting hidden iframes and malicious redirects
- Wordfence (WordPress) – Real-time firewall and malware scanner with file integrity monitoring
- ImunifyAV+ (Hosting Integrated) – Server-level antivirus for cPanel and Plesk
File Comparison Tools
- WinMerge – Free Windows tool to compare folder structures and files
- Diffchecker – Online tool to compare text differences
- Meld – Cross-platform file comparison tool for Linux and macOS
Code Analysis Tools
- PHPStan – Static analysis for PHP code quality and security
- ESLint – For JavaScript security and best practices
- Security Headers – Analyzes HTTP security headers
Database Cleanup Tools
- phpMyAdmin – For manual SQL queries and database exports
- WP-CLI – Command-line tool for WordPress; can search and replace content in databases
- Search & Replace DB – PHP script to safely replace strings in WordPress databases
Security Hardening Guides
- OWASP Top 10 – https://owasp.org/www-project-top-ten/ – The definitive list of web application security risks
- WordPress Hardening Guide – https://wordpress.org/support/article/hardening-wordpress/
- CIS Benchmarks – https://www.cisecurity.org/cis-benchmarks/ – Industry-standard security configurations for servers
Hosting Recommendations
Choose a hosting provider that prioritizes security:
- SiteGround – Includes free SSL, daily backups, and malware scanning
- Cloudways – Managed cloud hosting with built-in WAF and server hardening
- Kinsta – WordPress-optimized with automatic updates and 24/7 monitoring
- Wordfence Secure Hosting – Hosted with integrated Wordfence firewall
Real Examples
Example 1: WordPress Site with Base64-Encoded Malware
A small business website running WordPress 5.2 was flagged by Google for malware. Upon inspection, attackers had injected a base64-encoded PHP script into the theme’s functions.php file. The script decoded and executed a remote shell that allowed the attacker to upload additional files, including a backdoor and spam bot.
Steps taken:
- Site was isolated and placed in maintenance mode
- File comparison revealed unauthorized changes to functions.php
- Malicious code was decoded: it called a remote server to download payloads
- functions.php was replaced with a clean version from WordPress.org
- Database was scanned and 17 malicious posts containing hidden redirects were deleted
- All passwords were changed, and two-factor authentication was enabled
- Site was resubmitted to Google Search Console and cleared within 48 hours
Example 2: E-commerce Site Compromised via Outdated Plugin
An online store using PrestaShop 1.7.4 was infected with a credit card skimmer. The malware was hidden in a third-party payment module that hadn’t been updated in two years. When customers entered payment details, the script captured and sent the data to a Russian server.
Response:
- Site was taken offline immediately to prevent further data theft
- Server logs revealed repeated access to the vulnerable module’s directory
- The entire plugin folder was removed and replaced with the official version
- Customer payment data was audited; no evidence of compromise beyond the skimmer
- Site was rebuilt from a clean backup and migrated to a more secure hosting environment
- PCI compliance was re-established with quarterly vulnerability scans
Example 3: Static HTML Site Injected with Iframe Redirect
A portfolio website built with static HTML files was compromised. Attackers inserted hidden iframes into every .html file, redirecting visitors to a fake Adobe Flash update page.
Resolution:
- File permissions were reviewed and locked down to 644
- FTP credentials were found to be weak and reused from a breached email account
- All HTML files were compared with a clean archive from GitHub
- Malicious iframes were removed using a bulk search-and-replace script
- Site was re-deployed with SSH key authentication and no FTP access
FAQs
How do I know if my website has malware?
Signs include browser warnings, unexpected redirects, strange pop-ups, slow performance, or alerts from Google Search Console. Use online scanners like Sucuri SiteCheck or Quttera to confirm.
Can malware spread to my computer?
Malware on your website does not directly infect your computer. However, visiting an infected site can trigger drive-by downloads. Always scan your own system with antivirus software if you suspect exposure.
How long does it take to remove malware?
Simple infections can be cleaned in a few hours. Complex or widespread infections may take 1–3 days, especially if you need to restore from backups or rebuild files.
Will my SEO rankings recover after cleaning?
Yes, if you successfully remove all malware and request a review from Google. Rankings may take 1–4 weeks to fully recover, depending on the severity and duration of the infection.
Can I clean malware without technical skills?
It’s possible, but risky. If you’re not comfortable editing code or databases, hire a professional security service. Many agencies offer malware removal as a standalone service.
Is free antivirus software enough for my website?
No. Desktop antivirus tools cannot scan server-side code or detect web-based malware. Use dedicated website security scanners instead.
What’s the most common way websites get infected?
Outdated CMS platforms and plugins are the #1 cause. Weak passwords and unsecured FTP access are also major contributors.
Should I delete my entire website and start over?
Only if the infection is severe and you lack clean backups. In most cases, targeted cleaning is faster, cheaper, and preserves your content and SEO value.
How often should I scan for malware?
At minimum, scan monthly. For high-traffic or e-commerce sites, scan weekly. Enable real-time monitoring tools for continuous protection.
Can malware return after I clean it?
Yes, if the original vulnerability isn’t fixed. Always patch software, change passwords, and implement security best practices to prevent recurrence.
Conclusion
Removing malware from a website is a methodical process that requires patience, attention to detail, and a commitment to security. It’s not enough to delete a few suspicious files—you must identify how the infection occurred, eliminate every trace of malicious code, and close the vulnerability that allowed it in. Skipping any step increases the risk of reinfection.
The good news is that most malware infections are preventable. By keeping your software updated, using strong authentication, installing a web application firewall, and performing regular audits, you can significantly reduce your risk. Think of website security not as a one-time fix, but as an ongoing practice—like locking your doors every night.
When you take ownership of your site’s security, you protect not only your business but also your visitors. In an era where trust is earned through transparency and safety, a clean, secure website is one of your most valuable assets. Use this guide as your roadmap, implement the best practices, and never underestimate the power of vigilance.