WordPress is becoming the most popular content management system (CMS) in the web development field, and the number of WordPress users and developers is increasing day by day. That makes WordPress websites an attractive target for hackers and spammers who want to compromise them and inject malware. As a business owner, website owner or website developer, you must know how to remove malware from WordPress websites and keep your website secure.
There are many reasons to take website security seriously. Hackers can take over your website using malware, and spammers can use malware to show their ads or similar content on it. To maintain your website's security and quality, you should remove malware from your WordPress websites.
You can remove malware from WordPress websites in many ways. Today I am describing the best and easiest way to remove malware from WordPress websites.
If you are unable to log in to your WordPress dashboard, read the article "How to remove malware without log in WordPress dashboard".
WordPress Safety
Before looking at WordPress malware removal, we should know how to stay safe from malware in WordPress.
- Please use the updated version of WordPress.
- Update all of your themes and plugins.
- Try to use as few plugins as possible.
- Before installing any plugin, check its number of active installations and that its reviews are more than 4 stars.
- Always use plugins from wordpress.org.
- Avoid nulled or GPL versions of themes and plugins, because most malware attacks come through nulled themes and plugins. Hackers bundle extra files and backdoor code into nulled themes and plugins to gain access to the admin panel. This is the most important part of staying safe from malware attacks in WordPress.
01. Scan Your Website
The very first step in removing malware from a WordPress website is to scan the website for vulnerabilities. You can do this using different websites and plugins. Let's check from a website first. This is the link to a website security check tool.
If the scan reports any issues or warnings, go on to the next step.

02. Install an Anti Malware Plugin
There are many malware scanning and removal plugins in the WordPress directory. Here are a few of the best plugins.
- Wordfence Security
- Sucuri WordPress Security Plugin
- Astra Security Plugin
- Hide My WP
- Anti-Malware Security
- WebARX Security
- MalCare Security
- All In One WP Security & Firewall
- WP Antivirus Site Protection
- Quttera Web Malware Scanner
You can use any of them. Today we are going to talk about the Wordfence Security plugin, because it is very easy to use and it gives instructions on how to solve the issues it finds on your website. Install and activate it, and let's work with it.

03. Custom Scan Settings to remove malware from WordPress
Before you start scanning, configure the scan settings the way we do. It will help you scan your website thoroughly. Let's change the scan settings.
- After activating the Wordfence Security plugin you will get a new option in the WordPress dashboard named Wordfence.
- Firstly, go to Wordfence -> Scan -> Manage Scan.
- Secondly, there you will find an option named Basic Scan Type Options; select High Sensitivity from it.
- Thirdly, go to the General Options section and make sure all the available options are selected.
- Fourthly, go to the Performance Options and mark the Use low resource scanning option.
- Finally, with these settings you will see that the scan type is custom. That means you are ready to scan. Click on the Start New Scan button.



04. Find Out the Malware & Issues
You are on the final step to remove malware from the WordPress website. After the scanning process completes, you will see a clear result showing where the malware and affected files are located. You may see two types of warning: medium and critical.
Critical issues should be fixed as soon as possible, and fixing medium issues is recommended. The results include instructions on how to fix the problems and remove the malware from WordPress. Most of the time there are two types of issue: malware files and backdoor code. You have to fix both of them.
05. Remove Malware from WordPress Website
Firstly, delete the files that do not belong to WordPress, such as wp-tmp.php and wp-vcd.php. These files can be found in the wp-includes folder of your public_html folder or your home directory folder. If you are unsure which files should be removed and which should not, copy the file name and search for it on Google to find the answer. Once you have deleted all the malware files, go on to the next and more important step.
06. Remove Backdoor Codes From WordPress Website
Hackers add code that gives them access to the website admin panel. Most of the time they add it to the functions.php file. You do not need to work out where they added it, because the plugin already shows this to us. Let's learn how to remove it.
- Firstly, expand the issue and click on the View Differences button.
- Secondly, you will see the changed part in a new tab.
- Thirdly, download the file from cPanel and open it in any code editor such as VS Code, Sublime Text or Notepad++.
- Fourthly, remove the changed part from the code and save the file.
- Finally, upload the file and replace the existing one.

Do this for every changed file. By following these steps you can remove the backdoor codes from WordPress.
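The checks behind steps 05 and 06 can also be done by hand, shown here as an added example that is not part of the original article or of Wordfence. It assumes you have unpacked a clean copy of the same WordPress, theme and plugin versions from the original packages; the function names, the demo theme and the sample files are constructed for illustration.

```python
import difflib
import tempfile
from pathlib import Path


def compare_trees(live_root, clean_root):
    """Return (extra, changed): PHP files that exist only on the live site,
    and files that differ from the clean copy mapped to their added lines."""
    live_root, clean_root = Path(live_root), Path(clean_root)
    extra, changed = [], {}
    for live in sorted(live_root.rglob("*.php")):
        rel = live.relative_to(live_root)
        clean = clean_root / rel
        if not clean.is_file():
            extra.append(rel.as_posix())  # step 05: not part of the package
            continue
        if live.read_bytes() == clean.read_bytes():
            continue
        old = clean.read_text(errors="replace").splitlines()
        new = live.read_text(errors="replace").splitlines()
        ops = difflib.SequenceMatcher(None, old, new, autojunk=False).get_opcodes()
        # step 06: lines present in the live file but absent from the clean one
        changed[rel.as_posix()] = [line for tag, _, _, j1, j2 in ops
                                   if tag in ("insert", "replace")
                                   for line in new[j1:j2]]
    return extra, changed


def build_sample(root):
    """Constructed sample data: a clean tree and a tampered copy of it."""
    clean, live = Path(root) / "clean", Path(root) / "live"
    for base in (clean, live):
        theme = base / "wp-content" / "themes" / "demo"  # hypothetical theme
        theme.mkdir(parents=True)
        (base / "wp-includes").mkdir()
        (base / "wp-includes" / "version.php").write_text("<?php\n// core file\n")
        (theme / "functions.php").write_text("<?php\nadd_theme_support('title-tag');\n")
    (live / "wp-includes" / "wp-tmp.php").write_text("<?php // unexpected file\n")
    with (live / "wp-content/themes/demo/functions.php").open("a") as fh:
        fh.write("include ABSPATH . 'wp-includes/wp-tmp.php'; // injected line\n")
    return live, clean


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        extra, changed = compare_trees(*build_sample(tmp))
        print("Not in clean copy:", extra)
        for name, lines in changed.items():
            print("Modified:", name, lines)
```

Files in the first list are candidates for deletion, and the lines in the second are the parts to cut out of each modified file before uploading it again.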
Since your WordPress, themes and plugins are already updated, you will not see any issues.
Rescan your website once more to confirm that it is safe from malware.