WordPress malware infection can be a nightmare. And while everyone hopes it won’t happen to their website, we don’t have very reassuring news: it’s not a matter of ‘if,’ it’s a matter of ‘when’. Software vulnerabilities are discovered every day, and with each version and update newer ones are discovered. Meanwhile, malware attacks continue to increase manifold each year and the variants evolve every minute.
According to WordPress Statistics by W3Techs, WordPress powered around 40% of all websites as of 2021.
You need to act prudently and proactively to contain the situation before your SEO suffers and the malware spreads to other areas.
- The first thing to do is to put your website into maintenance mode. That way visitors and SEO will not be impacted and you’ll be prepared to take the bull by the horns.
- The second thing to do is to fix the malware issue. That’s where this toolset comes into the picture.
1. Key Factors In Our Assessment of WordPress Anti-Malware Plugins
We tested 11 malware removal plugins (and then some) that let you detect malware on your WordPress website. And we tested them primarily on the basis of the following factors (in addition to our exhaustive list of other factors; more on this later):
- Precision: How well does the plugin detect malware? Does it miss malware?
- Ease of Use: How easy is it to set up the plugin and comprehend the results?
When your website is infected, only the above 2 factors really matter. The rest is all fluff. Each factor has a star rating.
This means other security plugins without malware detection capabilities do not qualify for malware detection and removal purposes, even though they may have a plethora of options and features like brute-force protection, firewall etc. Those serve a different purpose.
Also, instead of just going by their advertised features, we installed each plugin on a test site with lots of plugins and uploads etc. to get a real picture of how the plugins perform.
One common thing we noticed is that all the plugins we tested (except for one) have a set of files that they ignore. These commonly are archives, images etc.
This means that given a malicious file with a .jpg extension, it’s next to impossible to detect hidden malware unless you force these plugins to scan every file. You may well think that the site is clean while it continues to be infected and makes a mess of things.
Another classic example is cited in this case study of a hack where a rogue user registered on the site uploads suspicious PDFs: This hack will nearly kill your online business.
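The extension-based skipping described above can be checked independently of any plugin. The following is an added example, not code from this article's authors or from any plugin reviewed here: it walks a directory and flags files whose leading bytes contradict an image, PDF or archive extension, or that contain a PHP open tag. The function names and the sample files are constructed for illustration.

```python
import os
import re
import tempfile

# Leading "magic" bytes for file types that scanners commonly skip by extension.
MAGIC = {
    ".jpg": (b"\xff\xd8\xff",), ".jpeg": (b"\xff\xd8\xff",),
    ".png": (b"\x89PNG\r\n\x1a\n",),
    ".gif": (b"GIF87a", b"GIF89a"),
    ".ico": (b"\x00\x00\x01\x00",),
    ".pdf": (b"%PDF-",),
    ".zip": (b"PK\x03\x04", b"PK\x05\x06"),
    ".gz": (b"\x1f\x8b",),
    ".bz2": (b"BZh",),   # also covers .tar.bz2
}
# A PHP open tag has no business inside media or archive files.
PHP_TAG = re.compile(rb"<\?php", re.IGNORECASE)


def inspect_file(path, chunk_size=1 << 20):
    """Return findings for one file; an empty list means nothing stood out."""
    signatures = MAGIC.get(os.path.splitext(path)[1].lower())
    if signatures is None:
        return []  # not one of the commonly skipped types
    findings = []
    with open(path, "rb") as fh:
        if not fh.read(16).startswith(signatures):
            findings.append("content does not match extension")
        fh.seek(0)
        tail = b""
        while True:
            chunk = fh.read(chunk_size)
            if not chunk:
                break
            # Prepend the previous tail so a tag split across chunks is found.
            if PHP_TAG.search(tail + chunk):
                findings.append("embedded PHP open tag")
                break
            tail = chunk[-8:]
    return findings


def scan_tree(root):
    """Walk root and return {relative_path: findings} for flagged files.

    Findings are leads for manual review, not verdicts.
    """
    report = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            if os.path.islink(path):
                continue
            try:
                findings = inspect_file(path)
            except OSError as exc:
                findings = ["unreadable: %s" % exc.strerror]
            if findings:
                report[os.path.relpath(path, root)] = findings
    return report


def build_samples(root):
    """Write constructed sample files (harmless placeholders) into root."""
    samples = {
        "photo.jpg": b"\xff\xd8\xff\xe0" + b"\x00" * 32,        # plausible JPEG header
        "logo.png": b"<?php /* constructed placeholder */ ?>",   # script renamed to .png
        "banner.gif": b"GIF89a" + b"\x00" * 16 + b"<?php ?>",    # image header plus PHP tag
        "backup.tar.bz2": b"plain text, not a bzip2 stream",     # wrong content for extension
    }
    for name, data in samples.items():
        with open(os.path.join(root, name), "wb") as fh:
            fh.write(data)


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        build_samples(tmp)
        for rel, findings in sorted(scan_tree(tmp).items()):
            print(rel, "->", "; ".join(findings))
```

Compressed archives are only checked at the header here; their contents would have to be unpacked and scanned separately.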
Before we dive in, here’s a quick list of the common types of malware that can infect WordPress websites.
2. Different types of malware that can infect WordPress websites
WordPress is one of the most popular content management systems (CMS) in the world, and as such, it’s a prime target for cybercriminals. Here are some of the common types of malware that can infect WordPress websites:
- Backdoors: These are malicious scripts that allow attackers to bypass normal authentication methods and gain unauthorized access to a website. Once inside, they can modify, delete, or add new files and execute arbitrary commands. Common Variants: WSO shell, C99 shell, R57 shell.
- Drive-by Downloads: These are scripts or pieces of code that automatically download malicious software onto a visitor’s computer without their knowledge. Common Variants: Exploit kits, malicious iframes.
- Pharma Hacks: This type of attack injects spammy content (often related to pharmaceuticals) into a website. The goal is often to hijack the site’s search engine rankings for specific keywords. Common Variants: Hidden spammy links, keyword stuffing.
- File and Database Injection: Attackers exploit vulnerabilities to inject malicious code or files into a website’s database or file system. Common Variants: SQL injection, PHP object injection.
- Cross-Site Scripting (XSS): This type of attack involves injecting malicious scripts into web pages viewed by other users. These scripts can steal information, such as login credentials, or perform actions on behalf of the user without their knowledge. Common Variants: Stored XSS, reflected XSS.
- Cross-Site Request Forgery (CSRF): Attackers trick a user into performing actions they didn’t intend to, often without their knowledge or consent. Common Variants: Forced actions on admin panels, unauthorized post publishing.
- Fake Plugins and Themes: Cybercriminals create fake or pirated versions of popular plugins and themes that contain malicious code. When installed, they can give the attacker control over the website. Common Variants: Nulled plugins, pirated themes.
- DDoS Attacks: Distributed Denial of Service attacks flood a website with traffic, causing it to become slow or completely unavailable. Common Variants: Traffic flooding, resource exhaustion.
- Ransomware: Malicious software that encrypts a website’s files and demands payment in exchange for the decryption key. Common Variants: Crypto-locking, threat-based ransomware.
3. How Malware Can Damage a WordPress Website
Malware poses a significant threat to WordPress websites, often infiltrating them through outdated plugins, themes, or weak credentials. Once embedded, malware can wreak havoc in various ways. It can deface the website, replacing its content with malicious messages or advertisements. Some malware redirects visitors to phishing or scam sites, tarnishing the website’s reputation and eroding user trust. Others might covertly use the site’s resources for illicit activities, such as cryptocurrency mining or launching distributed denial-of-service (DDoS) attacks. Furthermore, malware can steal sensitive data, including user information and administrative credentials, leading to privacy breaches and potential legal repercussions. The presence of malware can also result in search engines blacklisting the affected website, causing a sharp decline in organic traffic. In essence, malware can severely damage a WordPress website’s functionality, reputation, and search engine ranking, leading to loss of visitors, revenue, and credibility.
3.1 The Devastating Impact of Malware on Websites
- Malware can cripple a website, leading to loss of data, revenue, and trust.
- For businesses, a malware-infected site can mean a drop in search engine rankings, warnings to visitors, and even potential legal repercussions.
- Beyond the immediate damage, the long-term reputation harm can be even more devastating. Restoring trust with users and search engines can be a lengthy process.
- Malware can end up defacing the website, redirecting visitors to phishing or scam sites, or stealing sensitive data.
3.2 The Importance of Backing Up Your WordPress Website before Malware Removal
While malware removal plugins are valuable tools in the fight against cyber threats, they are not infallible. Backing up your WordPress website provides a safety net, ensuring that you can always return to a known good state, regardless of the outcome of the malware removal process. It’s a fundamental step in responsible website management and cybersecurity best practices.
Backing up your WordPress website before using a malware removal plugin is of paramount importance for several reasons:
- Data Safety & Loss Prevention: Malware removal plugins work by scanning and modifying files and database entries. There’s always a risk of unintentional data loss during this process. A backup ensures that you have a safe copy of your data to restore if needed.
- Avoiding Data Corruption Due to Unforeseen Errors: Malware removal plugins might not always function perfectly. They could encounter errors or conflicts with other plugins or themes, leading to data corruption. A backup provides a fallback option in such scenarios.
- False Positives & Unintended Deletions: Some malware removal tools might flag legitimate files or database entries as malicious (false positives) and delete or quarantine them. If a crucial file is mistakenly removed, it can break your site. With a backup, you can quickly restore the original state.
- Incomplete Removal of Complex Malware: Some sophisticated malware embeds itself deeply into the WordPress installation and database. If a malware removal plugin doesn’t completely eliminate it, the malware might regenerate. Having a backup allows you to consult experts and try different removal strategies without the fear of causing further harm.
- Database Integrity & Preserving Relationships: WordPress databases have intricate relationships between tables (think WooCommerce or other complex plugins, which create and retain their own tables). A malware removal process might inadvertently disrupt these relationships. A backup ensures you can restore the database to its original state if issues arise.
- Testing and Verification in a Safe Environment: After using a malware removal plugin, it’s good practice to test the website thoroughly to ensure everything works as expected. If you find issues, a backup allows you to revert to the previous state and reattempt the malware removal process.
- Peace of Mind Translates to Confidence in Actions: Knowing you have a complete backup of your website gives you the confidence to take decisive actions against malware. You can operate without the constant fear of irreversible mistakes.
- Avoiding Downtime & Quick Recovery: If your website faces extended downtime due to a failed malware removal attempt, it can harm your reputation, SEO rankings, and revenue. A backup allows for a swift recovery, minimizing potential downtime.
- Legal and Compliance Reasons Like Data Retention: Depending on the nature of your website and the jurisdiction you operate in, you might be legally required to retain user data or content for specific periods. A backup ensures compliance with such regulations.
- Historical Record for Understanding Attacks: Keeping a backup of the infected state can serve as a historical record. It can be useful for analyzing the nature of the attack, understanding vulnerabilities, and improving future security measures.
3.3 Step-By-Step Instructions on How to Back up a Website
Here’s a concise step-by-step guide to back up a WordPress website:
- Login to WordPress Dashboard:
  - Access your WordPress admin area by navigating to
- Choose a Backup Method:
  - Manual Backup:
    - Use cPanel or an FTP client.
  - Backup Plugin:
    - Popular choices include UpdraftPlus, BackupBuddy, and VaultPress.
- Backup Using a Plugin (Recommended for Beginners):
  - Install the Plugin:
    - Go to
    - Search for your chosen backup plugin.
    - Install Now and then
  - Configure Backup Settings:
    - Navigate to the plugin’s settings (usually found in the WordPress dashboard sidebar).
    - Choose where to store backups (e.g., Dropbox, Google Drive, local storage).
    - Set a backup schedule (e.g., daily, weekly).
  - Run the Backup:
    - Click the option to run a manual backup or wait for the scheduled backup to occur.
- Manual Backup:
  - Backup Database:
    - Log in to cPanel.
    - Go to
    - Select your WordPress database.
    - Go. Save the .sql file.
  - Backup Website Files:
    - Connect to your website using an FTP client (e.g., FileZilla).
    - Navigate to the root directory (often named
    - Download all WordPress files to your local computer.
- Store Backups Safely:
  - Keep multiple copies in different locations (e.g., cloud storage, external hard drive).
  - Ensure backups are encrypted or password-protected.
- Regularly Test Backups:
  - Periodically restore a backup to a staging environment to ensure it works correctly.
Remember, always back up your website before making significant changes or updates. This ensures you have a recovery point in case of errors or issues.
4. Key Factors to Consider When Choosing WordPress Infection Removal Plugin
When ranking or evaluating WordPress malware removal plugins, several factors come into play to ensure you’re choosing the most effective and reliable solution for your website. Here are the key factors to consider:
- Effectiveness in Malware Detection: The primary function of a malware removal plugin is to detect and remove malicious code. The plugin should be able to identify a wide range of malware types, from simple to sophisticated.
- Removal Capabilities: Beyond detection, the plugin should be able to safely remove or quarantine the identified malware without causing harm to legitimate files or data.
- Real-time Monitoring: The best plugins offer real-time monitoring, ensuring that threats are detected and dealt with as soon as they appear.
- Regular Updates: Cyber threats evolve rapidly. A good plugin should have regular updates to its malware definitions and algorithms to counter new threats.
- Ease of Use: The user interface should be intuitive, making it easy for users of all technical levels to navigate and use the plugin’s features.
- Performance Impact: The plugin should be optimized to have minimal impact on the website’s performance. It shouldn’t slow down the site or cause excessive resource usage.
- Reputation and Reviews: Look for plugins with positive reviews and a good reputation within the WordPress community. User feedback can provide insights into the plugin’s reliability and effectiveness.
- Customer Support: Reliable customer support is crucial, especially when dealing with malware issues. The plugin provider should offer timely and helpful support to users.
- Pricing and Licensing: Consider the cost of the plugin and the licensing terms. Some plugins offer free versions with limited features, while others might require a subscription for full functionality.
- Additional Security Features: Some plugins offer additional security features like firewall protection, brute force attack prevention, and two-factor authentication. These added features can enhance the overall security of your website.
- Compatibility: Ensure the plugin is compatible with your version of WordPress, as well as other plugins and themes you’re using.
- Backup and Restore Features: Some malware removal plugins offer integrated backup and restore features, allowing users to revert to a previous state if something goes wrong during the malware removal process.
- Transparency: The plugin should provide clear reports on what malware was found, where it was located, and the actions taken. This transparency helps users understand the threats and the plugin’s actions.
- False Positive Rate: It’s essential that the plugin can accurately distinguish between legitimate files and malware. A high rate of false positives can be problematic and lead to unnecessary interventions.
- History and Track Record: Consider how long the plugin has been on the market and its track record in terms of reliability and effectiveness.
While many plugins claim to offer malware removal capabilities, it’s essential to evaluate them based on the factors mentioned above. Doing so ensures that you select a plugin that not only removes existing threats but also provides comprehensive protection against future attacks.
5. The Best WordPress Malware Removal Plugins
5.1. Malcure Malware Scanner
Malcure Malware Scanner allows you to scan as well as clean the malware. Its unique feature is that it scans all files including fake images, fake binaries and even the database. So it’s able to detect malware hidden inside files renamed as .png, .ico etc.
Malcure Test Results:
- It takes a little while to complete the scan but the results are thorough and give you the exact point of infection like the exact file and database record. It also scans post comments, revisions, options and post meta.
Ease of Use: ⭐⭐⭐⭐⭐
- Scans every file without skipping any.
- Scans database.
- CPU and memory efficient.
- Supports partial scans.
- Free version doesn’t allow cleanups.
Recommendation: The most thorough malware scanner we tested.
5.2. Quttera Web Malware Scanner
Quttera was the most interesting of the entire lot. It has external, internal as well as a high sensitivity scan option. It has reasonable detection and a relatively simple setup.
Quttera Test Results:
- Quttera failed to detect malware inside the exempted files. Quttera also gave several false-positives and failed to detect 6 out of 10 malicious files we had planted. Also it didn’t detect any database infections at all.
Ease of Use: ⭐⭐⭐⭐
- Frequently updated.
- No real-time update of definitions or malware signatures.
- Poor accuracy.
Recommendation: Don’t trust the results.
5.3. Anti-Malware Security and Brute-Force Firewall
One of the best in this list, the plugin has minimal options and is easy to set up. The plugin supports one-click malware removal, which means that given a false-positive, the end user may end up deleting legitimate files and breaking WordPress.
- It has excellent malware detection though it did miss malicious files renamed to .tar.bz2 or .jpg etc.
- It has entry-level protection from brute-force attacks and a limited firewall.
Ease of Use: ⭐⭐⭐⭐
- The most-used and trusted WordPress anti-malware plugin.
- Also protects against some common vulnerabilities.
- Has a built-in firewall.
- DoS protection.
- User-Interface could use an update.
Recommendation: If configured to scan all files, this works better than most other plugins here.
5.4. Wordfence Security – Firewall & Malware Scan
Wordfence is the most popular security plugin in the WordPress repository. Its main feature is the firewall and that’s where it really shines. But it does have malware scanning functionality.
Wordfence has comprehensive options which need to be tweaked to ensure complete detection.
Wordfence Test Results:
- Wordfence firewall is easy to circumvent.
- Wordfence only detects malicious URLs in an extremely limited set in the database.
- Missed 100% of the database infections that we had planted.
- Missed 100% of the file infections that we had planted.
- The scan also broke mid-way as one file threw a PHP notice.
- Supports one-click malware removal. However we see it as a security issue because the end user may end up deleting legitimate files flagged as false-positives.
Ease of Use: ⭐⭐⭐
- The most-used WordPress security plugin.
- Has a built-in, comprehensive firewall.
- Supports vulnerability scanning.
- Scheduled scans.
- Setup requires a little bit of caution for proper operation.
Recommendation: As far as malware detection and removal is concerned, this most used WordPress security plugin is more about protection than cleanup.
6. WordPress Malware Removal Plugins — Honorable Mentions
We found that some extremely popular plugins didn’t fit the bill as far as malware detection is concerned. In order to give you a clear picture of things, we are outlining which plugin does what and its specific use case.
The point is to help you avoid going in circles when you are struggling with a malware infection.
6.1. Security & Firewall – MalCare Security
We tested the free version of MalCare plugin from the WordPress plugin repo. MalCare makes big promises but it failed to detect even a single issue with the website. MalCare copies all of your WordPress files to their server and runs a scan.
Even after we uninstalled the plugin, they kept pinging our test site trying to get in for whatever reason.
6.2. NinjaScanner – Virus & Malware scan
NinjaScanner has comprehensive options which need to be tweaked to ensure complete detection. However the results are not easy to comprehend. The plugin does support malware removal. However we see it as a security issue because the end user may end up deleting legitimate files. Also NinjaScanner missed 7 of the 10 infected files we tested.
6.3. iThemes Security (formerly Better WP Security)
iThemes Security is intended for WordPress hardening and its primary purpose is not malware removal. If you want to lock down your site after a malware cleanup, this plugin comes highly recommended.
6.4. Sucuri Security – Auditing, Malware Scanner and Security Hardening
Sucuri uses an external scanner to scan the website. This means the scanner ends up missing a lot of malware. It is also only able to list the infection rather than pinpoint the exact source of infection, like the database or a specific file. That said, it’s one of the best online website scanners around and doesn’t miss much if you do have an infection that would show up on the frontend of your website.
6.5. Cerber Security, Antispam & Malware Scan
Cerber has comprehensive settings; however, it ends up throwing more false-positives and missed almost all infections. It’s also quite difficult for new users to configure and to comprehend the results.
6.6. BulletProof Security
Missed 100% of the infections we planted in the test site.
6.7. Exploit Scanner
In our experience using this plugin, it failed to fetch WordPress checksums and gave us 100% false positives.
7. Specific Examples of Malware Attacks That Have Targeted WordPress Websites
WordPress, being one of the most popular content management systems, has been a frequent target for cybercriminals. Here are some specific examples of malware attacks that have targeted WordPress websites:
- CryptoPHP: Cybercriminals embedded malicious code within pirated premium WordPress themes and plugins available for free download. When unsuspecting users installed these nulled themes or plugins, their sites became infected. The malware was used for various illicit activities, including illegal cryptocurrency mining. Year: 2014
- MasonSoiza Malware: This malware campaign involved the injection of malicious scripts into WordPress databases. The scripts redirected visitors to scam websites. The attack was named after one of the domains used in the redirections. Year: 2018
- WP-VCD Malware: This malware was spread through pirated WordPress themes and plugins. Once installed, it would create rogue admin accounts and spread itself to other WordPress installations on the same hosting account. It was primarily used for ad fraud. Year: 2019
- WP GDPR Compliance Plugin Exploit: A vulnerability in the WP GDPR Compliance plugin, which was designed to help websites comply with the EU’s General Data Protection Regulation (GDPR), was exploited by hackers. They used it to gain unauthorized access and deploy further malware. Year: 2018
- Supply Chain Attack on Pipdig Power Pack (P3): The Pipdig Power Pack, a plugin accompanying themes by Pipdig, was found to contain suspicious code. This code was allegedly used to launch DDoS attacks against competitors and even had a “kill switch” to potentially wipe out users’ databases. Year: 2019
- Fake SEO Plugin: Cybercriminals created a fake SEO plugin named “X-WP-SPAM-SHIELD-PRO” that, when installed, would give them backdoor access to the affected website. Year: 2017
These are just a few examples, and there have been many other incidents over the years. The common thread among these attacks is the exploitation of vulnerabilities in plugins, themes, or the WordPress core itself. This underscores the importance of regularly updating all components of a WordPress site and being cautious about where you download themes and plugins.
Additionally, here’s a list of resources that website owners can use to educate themselves about malware removal and cybersecurity best practices:
8. Additional Resources & Information About WordPress Security
- Online Resources:
- Tools and Scanners
These resources cover a wide range of topics related to cybersecurity and malware removal. By leveraging them, website owners can gain a comprehensive understanding of the threats they face and the best practices to mitigate those risks.
9. WordPress Malware FAQs
9.1 So what is the best malware removal plugin for WordPress in 2023?
We wish there’d be a one-size-fits-all. From strictly a precision and ease-of-use point of view, Malcure is the best WordPress malware removal service that money can buy today. It’s the most thorough, precise, frequently-updated WordPress malware cleanup plugin that has some excellent advanced features under the hood. It supports custom pattern matching in database as well as WordPress files. It also helps you rescan only the critical parts while skipping the clean files — talk speed and performance!
9.2 How do I remove malware using a WordPress plugin?
Wait no more. Here’s an in-depth video tutorial on How To Fix Hacked WordPress Site – Step by Step, Live WordPress Malware Infection Removal & Analysis. Basically, you scan, identify the threats and then follow the steps to clean up and secure the website.
9.3 How do I scan WordPress for malware?
Depending on the plugin you are using, the scanning process shall differ. However it is important to ensure that before you scan, you review the settings of each plugin and make sure nothing is skipped during the scan. The biggest issue we found was that most plugins only scan plain-text files and missed malware hiding behind suspicious filenames or binary files. Malcure came out shining with flying colors. If you are using an online scanner, Sucuri is the most impressive followed by Malcure Webscan. The only issue is that online-scanners are not able to do a thorough scan.
This article is contributed by James Richard. James Richard is a WordPress security researcher and plugin developer with over 20 years of experience. He enjoys sharing his expertise with fellow enthusiasts. In this post, he distils the wisdom gained from building plugins to solve security issues that admins face.