How to Remove Malware from Your Website (Without Losing Everything)

By: Irina Shvaya | June 30, 2026

You check your website and something’s wrong. Visitors are getting redirected to a spam site. Google is throwing up a red warning page. Your hosting provider sent an ominous email about “suspicious activity.” Your stomach drops — your website has been hacked.

The panic is real, but here’s the good news: you can remove malware from your website without nuking everything and starting over. Thousands of sites get cleaned and restored every day. The key is following the right steps in the right order so you eliminate the infection completely without losing your content, your SEO rankings, or your sanity.

In this guide, we’ll walk you through a complete 10-step website malware removal process — from containment to cleanup to long-term protection.

Key Takeaways

  • Don’t delete everything. Back up your infected site first — you may need those files for forensic analysis or to recover content.
  • Clean systematically. Replace core CMS files, manually review custom files, and check your database for injected code.
  • Remove backdoors, not just symptoms. Hackers almost always leave hidden access points. If you skip this step, they’ll be back.
  • Update and harden after cleanup. Patching vulnerabilities and changing every password is non-negotiable.
  • Monitor for 30+ days. Reinfection often happens within the first few weeks if a backdoor was missed.

Step 1: Take Your Site Offline (Maintenance Mode)

The first thing you should do when you discover malware is limit the damage. Every minute your infected site stays live, it’s potentially:

  • Infecting your visitors’ devices
  • Sending spam emails from your server
  • Getting your domain blacklisted by Google and browsers
  • Damaging your brand reputation

What to do: Put your site into maintenance mode or temporarily take it offline. In WordPress, you can use a plugin like WP Maintenance Mode or simply rename your index.php file and upload a static HTML maintenance page. If your host already suspended your account, the site is effectively offline — that actually buys you time.

Don’t rush to delete files at this stage. Containment comes first, cleanup comes second.

Step 2: Back Up Everything — Even the Infected Files

This sounds counterintuitive, but back up your entire site before you touch anything — malware and all.

Why? Because:

  • You might accidentally delete legitimate files during cleanup
  • You may need the infected files to identify how the hack happened
  • Some malware hides in unexpected places, and you might need to compare file versions later

Download a full backup of your website files via FTP/SFTP and export your database through phpMyAdmin or a command-line tool like mysqldump. Store this backup locally — label it clearly as “infected” so you don’t accidentally restore it later.

If you already have a clean pre-hack backup, that’s even better. But don’t restore it just yet — you need to understand the vulnerability first, or you’ll get hacked again within days.

Step 3: Identify the Infection

Before you start deleting files, you need to understand what you’re dealing with. Website malware comes in many forms:

  • SEO spam injection — hidden links or pages stuffed with keywords for pharma or gambling sites
  • Redirect malware — visitors get sent to malicious domains
  • Backdoor shells — scripts that give attackers remote access to your server
  • Cryptominers — code that uses your visitors’ browsers to mine cryptocurrency
  • Phishing pages — fake login pages hosted on your domain without your knowledge

Scanning Tools

Use one or more of these to scan your site:

  • Sucuri SiteCheck (free) — scans for known malware, blacklist status, and errors
  • Wordfence (WordPress) — deep server-side scanning with file integrity checks
  • MalCare — automated scanning and one-click removal for WordPress
  • Google Search Console — check “Security Issues” for any Google-detected problems

If you’re not sure whether your site has actually been compromised, our guide on how to check if your website has been hacked walks through the warning signs in detail.

Run your scans and document every flagged file, suspicious URL, and warning. You’ll need this list for the cleanup steps.

Step 4: Clean Infected Files (Core vs. Custom)

This is where the real website malware removal work begins. The approach differs depending on the type of file:

Core CMS Files

If you’re running WordPress, Joomla, Drupal, or another CMS, the easiest way to clean core files is to replace them entirely with fresh copies from the official source.

For WordPress malware removal specifically:

  • Download a fresh copy of WordPress from wordpress.org
  • Delete the wp-admin/ and wp-includes/ directories on your server
  • Upload the clean versions from the fresh download
  • Do NOT delete wp-content/ — that’s where your themes, plugins, and uploads live

Custom Files (Themes, Plugins, Uploads)

Custom files require manual review. Look for:

  • PHP files in your /uploads/ directory (there should be almost none — uploads are typically images and documents)
  • Recently modified files that you didn’t change
  • Files with obfuscated code — long strings of base64_decode, eval(), str_rot13, or gzinflate calls
  • Files with names designed to look legitimate like wp-settings-tmp.php or class-db.php in unusual directories

For plugins and themes: Delete them entirely and reinstall from the official WordPress repository or the vendor’s site. Don’t try to clean them file by file — it’s faster and safer to replace them.

Step 5: Check Your Database for Injected Content

Malware doesn’t just hide in files. Attackers frequently inject malicious code directly into your database — especially in:

  • Post and page content — hidden iframes, JavaScript redirects, or spam links
  • Widget areas — injected scripts in sidebar or footer widgets
  • User tables — rogue admin accounts you didn’t create
  • Options table — modified siteurl, home, or custom option values

Search your database for suspicious strings like <script>, eval(, base64_decode, iframe, and unfamiliar URLs. In WordPress, pay special attention to wp_options, wp_posts, and wp_users.

If you find a rogue admin account, delete it immediately. If siteurl or home values have been changed, correct them.

Step 6: Remove Backdoors

Here’s the step most people skip — and exactly why they get hacked again a week later.

Backdoors are hidden scripts that give attackers a way back into your site, even after you’ve cleaned the visible malware. They’re often:

  • Disguised as legitimate WordPress files (e.g., wp-page.php in the root directory)
  • Hidden inside theme functions.php files
  • Embedded within image files using steganography techniques
  • Placed in obscure directories like /wp-content/languages/ or /wp-includes/fonts/

Common backdoor signatures to search for:

  • Pattern
  • Why It’s Suspicious
  • eval(base64_decode(...))
  • Executes hidden encoded commands
  • preg_replace with /e modifier
  • Allows code execution via regex
  • assert() used with variables
  • Can execute arbitrary PHP
  • $_POST['cmd'] or $_GET['cmd']
  • Accepts remote commands
  • file_put_contents + $_REQUEST
  • Writes attacker-controlled content to files

Use a tool like Wordfence or manually grep your files for these patterns. Don’t stop at the first backdoor you find — there are often multiple.

Step 7: Update Everything

Once your site is clean, update every piece of software immediately:

  • CMS core — update to the latest stable version
  • Plugins — update all of them; delete any you’re not actively using
  • Themes — update your active theme; delete inactive themes entirely
  • PHP version — if your host supports it, upgrade to the latest stable PHP version
  • Server software — ask your hosting provider about Apache/Nginx and MySQL updates

Outdated software is the number-one attack vector for website hacks. Studies consistently show that the majority of compromised WordPress sites were running outdated plugins or themes at the time of the breach. Updating isn’t optional — it’s the single most important preventive step you can take.

Step 8: Change All Passwords and Keys

Assume every credential associated with your site has been compromised. Change all of the following:

  • WordPress admin passwords (for every user, not just yours)
  • Database password (update it in wp-config.php too)
  • FTP/SFTP passwords
  • Hosting control panel password
  • SSH keys if applicable
  • WordPress security keys and salts (use the WordPress salt generator to get fresh ones)

Use strong, unique passwords — at least 16 characters with a mix of letters, numbers, and symbols. A password manager like 1Password or Bitwarden makes this manageable.

Also enable two-factor authentication on your WordPress admin and hosting accounts. This single step blocks the vast majority of brute-force attacks.

Step 9: Request a Google Review (If Blacklisted)

If Google flagged your site with a “This site may be hacked” or “Deceptive site ahead” warning, you’ll need to request a manual review after cleanup.

Here’s how:

  • Log into Google Search Console
  • Navigate to Security Issues
  • Review the listed issues and confirm you’ve resolved them
  • Click Request a Review
  • Describe the cleanup steps you took in detail

Google typically processes these reviews within 72 hours, though it can take up to a week. During this time, your organic traffic will be significantly impacted. The faster you request review, the faster you recover.

If your site was blacklisted, our post on what to do when your website is blacklisted by Google covers the full recovery process, including reclaiming lost rankings.

A thorough security audit can also help identify lingering issues that might cause Google to re-flag your site.

Step 10: Monitor for Reinfection

You’re not done yet. The first 30 days after cleanup are critical. Set up ongoing monitoring to catch any reinfection early:

  • Install a security plugin like Wordfence or Sucuri with real-time file monitoring enabled
  • Set up Google Search Console alerts for security issues
  • Check your site weekly for unfamiliar files, new user accounts, or unexpected redirects
  • Review server access logs for suspicious IP addresses or unusual request patterns
  • Schedule regular backups so you always have a clean restore point

If the same infection returns within days, you likely missed a backdoor or haven’t patched the original vulnerability. At that point, it’s worth bringing in professional help.

DIY vs. Professional Website Malware Removal

Not every hack requires a professional, but some definitely do. Here’s how to decide:

  • Factor
  • DIY Cleanup
  • Professional Removal
  • Best for
  • Simple infections, single-site owners with technical skills
  • Complex hacks, e-commerce sites, or repeated infections
  • Cost
  • Free (your time)
  • $150–$500+ depending on severity
  • Time
  • 4–12 hours depending on experience
  • Usually 24–48 hours
  • Thoroughness
  • Risk of missing backdoors or database injections
  • Comprehensive scan, cleanup, and hardening
  • Ongoing protection
  • You manage monitoring yourself
  • Often includes monitoring and a firewall
  • Risk
  • Possible data loss if mistakes are made
  • Minimal — professionals back up and verify

If your site handles customer data, processes payments, or generates significant revenue, professional removal is almost always the right call. The cost of a lingering infection — lost customers, damaged SEO rankings, legal liability — far outweighs the cleanup fee.

Our web design & maintenance team at eSEOspace handles malware removal as part of our ongoing site care. We don’t just clean the infection — we identify how it happened, harden your defenses, and monitor for recurrence.

How to Prevent Future Hacks

Once you’ve cleaned your site, take these steps to reduce the risk of it happening again:

  • Keep everything updated — CMS, plugins, themes, PHP
  • Use a web application firewall (WAF) — Sucuri or Cloudflare can block malicious traffic before it reaches your server
  • Limit login attempts — block IPs after repeated failed login attempts
  • Disable file editing — add define('DISALLOW_FILE_EDIT', true); to your wp-config.php
  • Use SFTP instead of FTP — encrypted file transfers prevent credential sniffing
  • Choose quality hosting — hosts with proactive security monitoring catch infections faster
  • Remove unused plugins and themes — every piece of inactive software is a potential attack surface

For a full security hardening checklist, see our Complete Website Security Guide.

Frequently Asked Questions

How long does it take to remove malware from a website?

A straightforward malware cleanup typically takes 2–6 hours for someone with technical experience. Complex infections involving database injections, multiple backdoors, or compromised server configurations can take significantly longer. Professional services usually resolve most infections within 24–48 hours.

Will removing malware fix my Google rankings?

Once you remove malware from your website and Google lifts any blacklist warnings, your rankings should begin recovering within a few weeks. However, if the infection was active for an extended period, you may see a temporary dip while Google recrawls and re-evaluates your pages. Requesting a review through Google Search Console speeds up the process.

Can I just restore a backup instead of cleaning the infection?

Restoring a clean backup can work, but only if the backup predates the infection and you’ve identified and patched the vulnerability that allowed the hack. Otherwise, attackers will exploit the same weakness and reinfect your site. Always update all software and change all passwords after restoring a backup.

How much does professional website malware removal cost?

Professional malware removal services typically range from $150 to $500 for a standard cleanup, with more complex infections or enterprise sites costing more. Many services — including eSEOspace — bundle ongoing monitoring and a firewall with the cleanup, which provides far more value than a one-time fix alone.

Dealing with malware? Don’t risk making it worse or missing a hidden backdoor. eSEOspace’s team can clean your site, remove backdoors, and harden it against future attacks. Contact eSEOspace today and let’s get your site safe and back online.

Put this into action with eSEOspace

We help businesses grow with maintenance & support that actually performs. Explore the services behind this guide:

Book a free strategy call →

You Might Also like to Read