WordPress is one of the most popular platforms for building websites – powering more than 40% of all websites in the world. Unfortunately, its popularity makes it a tempting target for hackers and malware.
In technical terminology, malicious code is referred to as malware, short for malicious software (often called a “virus” in layman’s terms). Malware is software designed to infect a system, damage a website or gain unauthorised access. In the context of WordPress, it is any malicious code that can get into your website, disrupt its function, compromise data or misuse it for further attacks.
In this article we will explain in detail what WordPress malware is, how it gets on the site, what risks it brings and how to remove it. Finally, we’ll also mention preventative measures to better secure your WordPress site.
What is malware in WordPress? Why is WordPress a frequent target of attacks?
Malware refers to malicious code or software that aims to harm a website or to exploit it for the attacker’s benefit. As an open source platform with a huge user base, WordPress naturally attracts attackers. WordPress powers more than 40% of websites, so hackers know they can hit a huge number of sites with a successful attack. Malware on a WordPress site can cause serious damage – from a site breach to the theft of sensitive data to the destruction of a company’s reputation. Although developers regularly release updates to keep the core of WordPress relatively secure, plugins and themes create a huge ecosystem in which the quality of code varies greatly between authors. This is why attack vectors often arise – if developers leave plugins out of date or buggy, attackers can use them to gain access to your WordPress site through a backdoor.
How can a WordPress site become infected with malware (WordPress malware)?
There are many ways for malicious code to get onto a website. The most common cause of a WordPress site being compromised is the exploitation of a known vulnerability – for example, in an outdated plugin or theme. According to security analyses, up to 93% of identified WordPress vulnerabilities were related to plugins, and more than 52% of known holes are caused directly by outdated (not updated) plugins. In other words, out-of-date code is an open gateway for hackers – attackers actively scan sites looking for known vulnerabilities in specific versions of plugins or themes to exploit. In addition, the more plugins and themes you use, the more potential room there is for security holes.
The most common ways of infecting WordPress with malware include:
Vulnerable or outdated plugins and themes
As we have already mentioned, this is the most common attack vector. Developers continuously patch vulnerabilities in updates; however, if a user neglects to update, hackers take advantage of the time lag between the release of the patch and its deployment. An example is a critical vulnerability in the File Manager plugin (2020) that attackers exploited to execute arbitrary code on more than 600,000 websites – many site administrators failed to patch it in time, and therefore hackers infected their sites.
Malicious (infected) plugins or themes
Sometimes administrators unwittingly put themselves at risk by installing untrusted software. If a user downloads a pirated “nulled” version of a paid template, they often bring malware embedded directly into the code. In some cases, attackers have infiltrated the developer or intentionally created a plugin with hidden malicious code.
Weak passwords and login theft
Attackers often try a brute-force attack on the administrator’s account. If you use a simple password, it’s only a matter of time before a botnet guesses it. The worst part is that many of the sites on which we uncovered WordPress malware just had the simple username “admin”, allowing for an even easier brute-force attack. If an attacker gets access to your login credentials by other means (e.g., through a leak from another service, phishing, or malware on your computer), they can log directly into the WordPress admin and upload malicious code, for example, via the file editor or a custom plugin.
Inappropriate settings and configuration
Various omissions in the configuration can make the hackers’ job easier. These include leaving install.php or wp-config.php in a public location, incorrectly set file access rights (chmod) that allow writing to sensitive directories, or an insecure hosting account interface.
Vulnerability of the server or another application on the hosting
If your site shares a server with other sites (typical with cheap shared hosting), you may be vulnerable to an attack on someone else’s site on the same server. Attackers can gain access to the server and subsequently infect any WordPress installations running on it. Similarly, a security hole in another web application (e.g., a forum, an e-commerce site, or a custom script on the same hosting) can serve as an entry point for malware that then spreads to WordPress directories.
We encountered malware most often with shared hosting where there was no isolation between sites – specifically Webglobe or Webhouse. In such a setup, all it takes is one site on the server to be infected, and the malware can spread to other sites in the same user account. We therefore recommend choosing hosting that provides separate PHP processes, folders and databases for each site separately.
All of the above scenarios have a common denominator – an attacker will exploit even the smallest security flaw to insert malicious code into a website. After the initial penetration, they will often upload a backdoor, which is a file or account that allows persistent access even if you have patched the original vulnerability. This ensures the possibility of a repeat attack or further manipulation of the site.
Symptoms of a compromised WordPress site (how to tell I have malware)
Many sites can be infected for quite a long time without the administrator noticing immediately. So how do you know if your WordPress site contains malware? Here are the typical warning signs that something is wrong:
Slowdown or strange page behaviour
The website suddenly runs slowly, often crashes or unexpected pop-ups appear. Malware can put a strain on the server (e.g. by mining cryptocurrencies in the background) or cause errors and system crashes.

Cryptocurrency mining scripts allow hackers to secretly mine cryptocurrencies through visitors’ devices. The site slows down, the hosting load increases, and the attacker makes a profit – so it pays off for them.
Extraneous elements have appeared on the site that you did not put there – for example, spam links, ads, new suspicious pages or posts with malicious content. It can also be so-called pharmaceutical spam (pages promoting drugs, casinos, etc.) or embedded SEO spam links to foreign sites hidden in the footer or code.
Unexplained admin accounts
There is a new account with admin rights in WordPress administration that you did not create. This almost certainly means that the attacker has created a backdoor for repeated access.
Redirecting visitors
Visitors report being redirected to strange sites (often containing malware, ads or phishing) when they arrive at your website. As a logged-in administrator, you may not see this (often the attacker only targets unknown visitors or specific traffic sources). We also noted that only mobile devices were redirected and the desktop version was fine.
Warnings in search engines and browsers
It is a very serious signal if Google flags your site as infected or if the browser displays a security warning that the site contains malware or fraudulent content. This can manifest itself by seeing a “This site may be hacked” warning in the search results for your site, or a red warning screen when you try to visit.

Strange activity in statistics
In analytical tools (Google Analytics, etc.), you will notice unusual fluctuations in traffic – for example, a large drop in organic traffic (which can mean a penalty or blocking of the site in search due to malware) or, on the contrary, suspicious accesses from unknown countries or strange requests to the server. A sudden drop in legitimate traffic is usually a warning sign that Google may have temporarily blocked the site (excluded it from results due to a suspected infection).
These symptoms may not always be obvious at first glance, so we recommend that you monitor your site on an ongoing basis. Security plugins that check for file changes and detect new malicious code can help, as can external scanners (such as Google Safe Browsing or Sucuri SiteCheck) that can tell you if your site is listed as compromised. The earlier you discover the infection, the less damage it can do.
What are the risks and damages when WordPress is infected with malware?
If malware manages to infect a website, the consequences can be very serious – for your website, your business and your visitors. Here’s an overview of the main risks and damage that WordPress malware causes:
Data theft and leakage of sensitive information
An attacker can steal data from a website – whether it’s a customer database, users’ personal information or, for example, access passwords. It can also be the theft of information from e-commerce orders, which can seriously undermine your customers’ trust.
Misuse of the web for malicious activities
Hackers often use compromised sites as tools – for example, they can embed code into a site that sends spam emails or plug it into a botnet to carry out DDoS attacks on other servers. It is also common to see malware spreading further infection to visitors (e.g. via exploit kits in the browser) – so your site spreads viruses to everyone who visits it.

Damage to SEO and site reputation
Malware can insert spammy links, ads and malicious content on your website, thus affecting the credibility of the site. Search engines such as Google will react quickly – downgrading your site in the results or blocklisting it altogether to protect users. Your brand will suffer – no one wants to see a “this site may harm your computer” warning next to their site. Repairing SEO damage (removing penalties, restoring trust) can take a long time even after the site has been cleaned up.
Financial losses and outages
An infected site often stops working properly or is sometimes temporarily shut down by the better hosting providers (to prevent it from spreading malicious code). This loses you visitors, customers and sales. A website or e-shop downtime, even for a few hours, can mean a significant financial loss. In addition, you can expect a costly and lengthy recovery – from a security audit, to cleaning and restoring data from backups, to beefing up security. Emergency interventions by experts can cost hundreds of euros, not to mention the long-term loss of revenue.
Legal implications
If an attack results in the leakage of customers’ personal data (e.g. emails, addresses, phone numbers) or payment details, there is a risk of legal liability for inadequate data security. Under GDPR, the authorities can issue fines for leaking personal data. Likewise, if your website spreads malware and infects visitors’ computers, your business could be liable for damages.
In short, it doesn’t pay to ignore WordPress security. A malware attack on a WordPress site can cause far more damage than adequate prevention would cost. Therefore, in the next section of this article, we’ll show you how to remove WordPress malware and avoid re-infection in the future.
How to remove malware from a WordPress site (removing viruses from hacked sites)
If you suspect that your WordPress site has been infected with malware, you need to act immediately. The sooner you begin to address the incident, the better chance you have of minimizing the damage. However, removing malware from a website (also called disinfecting a website) can be a rather challenging process that requires technical expertise. For the sake of completeness, we will now outline the basic steps of the manual process, which are at their core the same for most approaches to removing malware from WordPress. However, we will keep some specific procedures as internal know-how to protect our solution from competitors.
Steps for cleaning an infected WordPress site
Disconnect the site from visitors (temporary isolation)
If possible, immediately block public access to the compromised site to prevent the situation from getting worse. For example, you can use maintenance mode or allow access only from your IP address in the .htaccess file. This will prevent the infection from spreading to visitors and allow you to clean up in peace.
Locate malicious code
Do a thorough scan of the site to find any files infected with malware. Use security plugins or the scanners offered by your web host. These tools can identify known malicious files or code. In addition, compare WordPress core and plugins with the original versions – if a system file is not supposed to be changed and yet has different content, it is suspicious. Don’t forget the wp-content/uploads directory – attackers like to hide PHP files disguised as images, for example.
Remove or clean infected files
Remove (or at least move out of the public directory) all identified malicious files. If it is part of the WordPress core, a known plugin or theme, it is best to reinstall a clean version – e.g. delete the entire directory of the affected plugin and re-upload it from the official source. Malware often also infects core files (e.g. wp-config.php, wp-load.php or theme files) where it adds its code. Either replace these files with clean copies or carefully remove malicious inserts from them (this requires knowledge of PHP to avoid damaging functionality).
If you’re not sure that you’ve removed all the malware, don’t assume the site is clean – an attacker could have created a backdoor file that looks harmless at first glance. Look for suspicious files (.php files in unusual places, files with random names, etc.).
Check the database and content
The malicious code could also have entered the database – for example, the content of posts (embedded scripts), settings or user accounts. Scan the database (e.g. via phpMyAdmin) and look for suspicious values that shouldn’t be there (scripts in wp_posts fields, unknown data in wp_options, etc.). Remove or fix anything you find. Also check the list of users in WordPress – especially admins – and delete any that don’t belong there.
Reset accesses and passwords
Once you have cleaned up the system, immediately change all passwords – admin access to WordPress, database passwords (edit in wp-config.php), FTP/hosting account, API keys and secrets if applicable. It is quite possible that the original login credentials have been compromised and leaving them would allow an attacker to break in again.
With Webhouse web hosting, we have also encountered the fact that passwords to the database are freely displayed in the administration after logging in. This is such a critical error that we would never place a client page there ourselves.
Update WordPress, plugins and themes
Make sure you are using the latest version of WordPress and all plugins and templates. If not, update them now (after cleaning them up). This will remove known security vulnerabilities through which malware could get in. Also consider removing unnecessary plugins completely – the less code you have on your site, the fewer potential vulnerabilities.
Test the site and monitor its behaviour
After removing the malware, test the basic functionality of the site – make sure everything works, and that the design hasn’t “broken” somewhere (this could happen if you deleted infected theme files). Monitor the behaviour of the site over the next few days – whether suspicious files or signs of infection appear again. Ideally, deploy a security plugin with active monitoring to alert you to any new threats.
Ask to be removed from blacklists
If Google Safe Browsing or antivirus systems have flagged your site as unsafe, submit a request to review and unblock the site immediately after a successful cleanup. In Google Search Console, you’ll find a Security Issues / Safe Browsing section where you can request a site re-evaluation. Google will then re-crawl the site and, if no malicious code is found, remove all warnings (usually within 1-3 days). Definitely don’t skip this step – otherwise you’ll be deterring visitors long after the site has been cleaned.
Learn from the incident and improve security
Every security incident should lead to enhanced measures in the future. To conclude this article, we’ll go over the key preventative steps we recommend putting in place to prevent the situation from happening again.
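The two checks from the “Locate malicious code” step can be scripted. The following is an added example, not code from this article or from any WordPress tool: it compares core files with a clean copy of the same release and sweeps wp-content/uploads for PHP files, including ones disguised as images. The function names and the sample tree written by build_demo are constructed for illustration.

```python
import filecmp
import os
import tempfile

PHP_EXT = {".php", ".phtml", ".php5", ".php7", ".phar"}
MEDIA_EXT = {".jpg", ".jpeg", ".png", ".gif", ".ico", ".webp", ".svg"}


def scan_uploads(uploads_dir):
    """Return {relative_path: reason} for files that should not be in uploads."""
    findings = {}
    for root, _dirs, files in os.walk(uploads_dir):
        for name in files:
            path = os.path.join(root, name)
            rel = os.path.relpath(path, uploads_dir)
            # Every dot-separated suffix counts, so "banner.php.jpg" is caught too.
            suffixes = {"." + part for part in name.lower().split(".")[1:]}
            if suffixes & PHP_EXT:
                findings[rel] = "PHP extension in file name"
            elif suffixes & MEDIA_EXT:
                with open(path, "rb") as fh:
                    if b"<?php" in fh.read().lower():
                        findings[rel] = "PHP tag inside media file"
    return findings


def compare_with_clean(site_dir, clean_dir, skip=("wp-content", "wp-config.php")):
    """Compare core files against a clean copy of the same WordPress release.

    Returns (modified, unexpected) as sorted lists of relative paths. Entries in
    `skip` legitimately differ per site and are left out at the top level.
    """
    modified, unexpected = [], []
    for root, dirs, files in os.walk(site_dir):
        rel_root = os.path.relpath(root, site_dir)
        if rel_root == ".":
            dirs[:] = [d for d in dirs if d not in skip]
            files = [f for f in files if f not in skip]
        for name in files:
            rel = os.path.normpath(os.path.join(rel_root, name))
            reference = os.path.join(clean_dir, rel)
            if not os.path.isfile(reference):
                unexpected.append(rel)
            elif not filecmp.cmp(os.path.join(root, name), reference, shallow=False):
                modified.append(rel)
    return sorted(modified), sorted(unexpected)


def build_demo(base):
    """Write a constructed sample: a clean core copy and a tampered site."""
    samples = {
        "clean/index.php": b"<?php // front controller",
        "clean/wp-load.php": b"<?php // loader",
        "site/index.php": b"<?php // front controller",
        "site/wp-load.php": b"<?php // loader\n// constructed marker: injected line",
        "site/wp-admin/x7f3.php": b"<?php // constructed marker: not in clean copy",
        "site/wp-config.php": b"<?php // site settings",
        "site/wp-content/uploads/photo.jpg": b"\xff\xd8\xff\xe0 plain image bytes",
        "site/wp-content/uploads/logo.png": b"\x89PNG\r\n<?php // constructed marker",
        "site/wp-content/uploads/cache.php": b"<?php // constructed marker",
        "site/wp-content/uploads/banner.php.jpg": b"\xff\xd8\xff\xe0 image bytes",
    }
    for rel, data in samples.items():
        path = os.path.join(base, *rel.split("/"))
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "wb") as fh:
            fh.write(data)
    return os.path.join(base, "site"), os.path.join(base, "clean")


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        site, clean = build_demo(tmp)
        print(compare_with_clean(site, clean))
        print(scan_uploads(os.path.join(site, "wp-content", "uploads")))
```

On a real site, point clean_dir at a freshly unpacked archive of exactly the WordPress version you run; a version mismatch will report every changed core file as modified.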
Removing viruses from WordPress websites can take hours to days, depending on the severity of the attack. Especially if you don’t have the experience or time, you’re better off contacting experts to thoroughly inspect, clean and secure your website from further attacks. At VR Master s.r.o., we’ve been working on this issue for a long time – we’ve cleaned up more than 75 compromised WordPress sites and helped their owners restore trust and search rankings.
If you suspect malware or have already been hacked, don’t hesitate to contact us – we will take care of the threat professionally and strengthen your website security.
Prevention: how to secure WordPress from malware
Once the infection has been cleared (or ideally before it even occurs), it is necessary to put preventive measures in place. Securing WordPress is an ongoing process – no one-time adjustment will fix a website forever if you don’t take care of it. The key is to minimize the chances of an attack and detect intrusion attempts early. Here’s a list of best practices to increase WordPress security and prevent malware:
Update WordPress, plugins and themes regularly.
Updates often contain security patches. Set an update check interval of at least a week or use automatic updates for smaller updates. Don’t leave your site running on outdated code.
Use only trusted plugins and themes.
Install extensions only from the official WordPress repository or from reputable developers. Avoid pirated copies of paid plugins – they may contain hidden backdoors. Keep an eye on reviews and the date of the latest update – if a plugin is not maintained, you’d better find a replacement.
Secure login with a strong password and 2FA
Choose a strong, unique password for the administrator (at least 12 characters long, a combination of letters, numbers, symbols). Never use “admin” as a username. Enable two-factor authentication (2FA) to prevent an attacker from getting in even if the password is leaked. Also consider limiting the number of login attempts (plugin Limit Login Attempts, etc.).
Install a security plugin with a firewall
Add-ons like Wordfence, Sucuri Security, iThemes Security or All In One WP Security can monitor malicious activity and block web application level attacks (WAF). Many of them also check file integrity, scan for malware, and provide alerts if something suspicious is happening on the web.
Regularly back up the entire website
Set up automatic backups of your database and files (daily or weekly depending on the frequency of changes). Keep backups off the server (e.g. in cloud storage). If you create regular backups, you’ll be able to quickly restore a clean version of your site in the event of an attack and minimize downtime.
Track file and permission changes
Make sure the correct file permissions are set (ideally 644 for files and 755 for folders, sensitive wp-config.php can have 600). Use a tool or plugin that reports changes to files – if there’s a new .php file in /uploads or a change in a core file, you should know about it. Similarly, check regularly for unknown accounts in the administration.
Secure your server and computer
Keep security in mind outside of WordPress: protect your hosting with a strong password, disable unnecessary services and use up-to-date PHP. Keep an updated antivirus on your computer – to prevent an attacker from getting your FTP passwords through a keylogger on your PC. Use a VPN when connecting to Wi-Fi so that login credentials cannot be intercepted.
Be alert to suspicious activity
Watch out for little warning signs – for example, if an email from your hosting provider reports unusually high CPU usage or if you happen to see an unfamiliar link in the footer of the template. These are often the first signs that something is wrong, and early intervention will prevent a bigger problem.
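The “Track file and permission changes” advice above can be automated with a short script. This is an added example, not code from this article or from a security plugin: it flags entries whose mode is looser than the 644 / 755 / 600 values given above and reports files added or changed since a stored baseline. All names and the sample tree are constructed for illustration.

```python
import hashlib
import os
import stat
import tempfile

FILE_LIMIT, DIR_LIMIT = 0o644, 0o755      # modes recommended in the article
STRICTER = {"wp-config.php": 0o600}       # per-file value from the article


def audit_permissions(root):
    """Return sorted (relative_path, mode, limit) for entries looser than allowed."""
    loose = []
    for folder, dirs, files in os.walk(root):
        entries = [(d, DIR_LIMIT) for d in dirs]
        entries += [(f, STRICTER.get(f, FILE_LIMIT)) for f in files]
        for name, limit in entries:
            path = os.path.join(folder, name)
            if os.path.islink(path):
                continue  # a symlink's own mode bits carry no meaning
            mode = stat.S_IMODE(os.lstat(path).st_mode)
            if mode & ~limit:  # any permission bit set beyond the limit
                loose.append((os.path.relpath(path, root), oct(mode), oct(limit)))
    return sorted(loose)


def snapshot(root):
    """Return {relative_path: sha256_hex} for every file under root."""
    digests = {}
    for folder, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(folder, name)
            with open(path, "rb") as fh:
                digests[os.path.relpath(path, root)] = hashlib.sha256(fh.read()).hexdigest()
    return digests


def diff_snapshots(old, new):
    """List paths added, removed or changed between two snapshots."""
    return {
        "added": sorted(set(new) - set(old)),
        "removed": sorted(set(old) - set(new)),
        "changed": sorted(p for p in old.keys() & new.keys() if old[p] != new[p]),
    }


def build_demo(base):
    """Write a constructed sample site with deliberately loose permissions."""
    layout = {"index.php": 0o644, "wp-config.php": 0o644,
              "wp-content/uploads/photo.jpg": 0o666}
    for rel, mode in layout.items():
        path = os.path.join(base, *rel.split("/"))
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "wb") as fh:
            fh.write(b"constructed sample content")
        os.chmod(path, mode)
    os.chmod(os.path.join(base, "wp-content"), 0o755)
    os.chmod(os.path.join(base, "wp-content", "uploads"), 0o777)
    return base


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        build_demo(tmp)
        print(audit_permissions(tmp))
        baseline = snapshot(tmp)
        with open(os.path.join(tmp, "wp-content", "uploads", "new.php"), "wb") as fh:
            fh.write(b"<?php // constructed marker")
        print(diff_snapshots(baseline, snapshot(tmp)))
```

Store the baseline outside the web root, otherwise an attacker who can write to the site can also rewrite the baseline.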
Don’t underestimate WordPress security
WordPress is a powerful and flexible system, but security needs to be taken seriously. In this article, we’ve explained what WordPress malware is and what attack methods it most commonly uses, showing the symptoms of an attack and the consequences it can cause. We’ve also outlined the malware removal process and the most important precautions to take to protect your site.
If you suspect your WordPress site has been hacked or infected with malware, don’t wait – take action. Sometimes all it takes is a few hours of inaction and attackers will cause damage that will take weeks to repair. If you don’t dare to clean up your site yourself, don’t hesitate to use professional services. Our company VR Master Ltd specializes in removing malware from WordPress websites and comprehensive website security. We have a wealth of experience in cleaning hacked websites and will be happy to help you get your site back under control, clean it up and secure it.
WordPress security is not to be underestimated – investing time (and possibly resources) in prevention increases the credibility of your business and the peace of mind of your webmaster. We hope this guide has helped you navigate the WordPress malware issue. If you have questions or need help with a hacked site, get in touch – we’re here for you and your WordPress.
Professional removal of viruses from websites
Attacks most often come through vulnerable plugins, weak security or human inattention. The consequences can range from data loss, to reputational damage, to financial loss. Prevention is key – updates, strong passwords, security plugins and backups. If an attack has already occurred, it’s imperative to act quickly: identify and remove the malicious code, i.e. have the site cleaned up and protected by professionals, and strengthen protection. If necessary, do not hesitate to contact professionals to help you protect your WordPress from malware and attacks. After all, a secure WordPress means a reliable website for you and your visitors.
