Blog Menu

I write and curate content for Bluehost. I hope this blog post is helpful.
Are you looking at creating a blog, website or an online store? Bluehost has something for everyone. Get started today.

WordPress powers more than 40% of the internet. Microsoft, Salesforce, Grammarly and Zoom, to name a few, use WordPress for their websites. 

Although WordPress is a secure content management system, WordPress websites receive regular security threats because of the platform’s popularity.

Malware is among the top website security threats.

Keep on reading to learn about website malware and how to remove malware from websites:

Website Malware — Basics

Malware is an umbrella term that refers to software that damages computers, websites, servers or networks. Malware includes spyware, ransomware, trojan horses, adware, and tons of other malicious software.

Malware that exclusively targets websites is called website malware. It enters your website through various security holes, including unsafe databases, backdoors and bad plugins. 

Website malware causes several inconveniences to website owners and visitors. It can generate unwanted pop-ups and ads, and it can redirect traffic to other malicious websites.  

Still, the real danger is how hackers can use website malware to capture visitors’ data and mislead them to share personal information, leading to safety concerns, financial loss and a bad reputation.

Worried about what to do with a hacked WordPress site? Don’t fret — we’ve got you covered.

Here’re some of the strategies on how to remove malware from websites.

How To Remove Malware From Websites

Are your users complaining about odd behavior on your website? Or did Google notify you it blacklisted your website? Chances are that your website has been hacked. Let’s see how to remove malware from websites and regain control.

Time is the key to minimize losses. Perform a website malware removal right away by doing the following:

1. Log Into Your Website

If you suspect that a malware infection has attacked your WordPress website, check whether you can still log into your website.

If you can, that’s a good sign.

Log in using secure file transfer protocol (SFTP) or secure shell protocol (SSH).

Change your website passwords immediately. These passwords include those for your web host, SFTP, and WordPress database.

Back up your website if you haven’t already.

2. Put Your Website in Maintenance Mode

After logging into your website and changing your password, put your website into maintenance mode to protect your users from further exposure to malicious links. 

In the meantime, use plugins like WP Maintenance Mode and Coming Soon to keep your users updated.

3. Identify the Hack

Once you’ve secured your website, you can start learning how to remove malware from websites.

There’s no one way to go about malware removal. To start with, you can:

  1. Use a malware scanner to perform a malware scan on your website. Malware scanners like Sucuri SiteCheck and SiteLock SMART go through your website’s content and detect malware and other security issues.
  1. Check status reports from diagnostic tools. If you’ve installed diagnostic tools such as Google Search Central, Google Search Console or Google Transparency Report, check whether the reports reflect anything out of the ordinary.

Also, Google will notify you if someone hacks your website. Google will flag your website as malware and will let you know why it did so.

  1. Check core file integrity using the diff command in the terminal. You can also inspect your files via SFTP. If nothing has been modified, you’re good.
  1. Check recently modified files to confirm whether your files were hacked. Check date stamps and the last user who modified those files.

4. Check With Your Hosting Company

Due to vast experience working with multiple websites, web hosting companies know how to remove malware from websites. If you think that your website has been hacked, always contact your web hosting provider for assistance.

In addition to the experience they bring, web hosts can also help you collect information about the cyberattack. They can help you identify when and where the attack started and how to resolve the issue.

Also, if you’re on shared hosting and other websites were affected by the attack, your web hosting provider may even handle malware cleanup for you.

Top hosting providers such as Bluehost also offer add-ons related to website maintenance, performance, backup, and security when you sign up for a web hosting plan. 

To top it off, Bluehost has partnered with web security expert SiteLock that strengthens Bluehost security and helps you remove malware from your website.

Bluehost Security — SiteLock Add-On

SiteLock is a website scanner and malware removal service that enhances Bluehost security by warning website owners of malware and other suspicious files. 

With SiteLock’s free scan, which is available for all new hosting accounts, you can protect your websites against infections, receive notifications for malware, and avoid blacklisting. 

You can also enhance your Bluehost security by upgrading to a paid plan which:

  • Protects your website against spam bots and DDoS attacks
  • Scans your website for scripting, SQL injections, spam and other malware
  • Removes malware automatically and patches platform’s vulnerabilities
  • Creates a protective firewall against malicious bots and cyberattacks 
  • Ensures that you meet payment card industry (PCI) requirements

The premium plans for SiteLock as a Bluehost security add-on start at $2.99/month.

Contact Bluehost support to order SiteLock for your website.

5. Clean Hacked Website Files

After identifying the malware, clean the hacked website files.

Open each suspicious file one by one in a text editor. Remove the foreign code. Then, upload the files back to the website and check for any changes.

In addition, go over:

  • Database tables for duplicate or spammy content
  • User access manager for accounts created recently and remove unauthorized ones
  • File manager to disable PHP execution from unsafe directories to remove backdoor threats — which provide users access by going around the standard authentication

According to Sucuri’s 2019 website threat report, 47% of infected websites contained at least one backdoor.

For WordPress malware removal, WordPress files can be replaced with clean copies from a recent backup.

6. Change the Password Again

After ensuring your website is clean, the last step in learning how to remove malware from websites is to change the password again, in case the hackers got hold of the updated password during the cleanup.

Prevent Future Malware Attacks

Knowing how to remove malware from websites is helpful, but prevention is better than cure. Here are some ways to increase website security and prevent malware attacks altogether:

1. Keep Your WordPress Website Updated

In its 2019 website threat report, Sucuri shared that 56% of the content management system (CMS) files were outdated when the website malware infection occurred. 

It is essential to update your WordPress website’s core, themes and plugins to patch security vulnerabilities.

2. Remove Themes and Plugins You Don’t Use

In its WordPress vulnerability statistics for June 2021, WPScan shares that every nine out of ten WordPress security backdoors are traced back to WordPress plugins. WordPress themes and WordPress core make up the remaining vulnerabilities.

Most hackers inject malicious code through these security vulnerabilities of outdated plugins and themes. To reduce the chances of attacks, remove the unused themes and plugins and only use trusted plugins and themes.

3. Use a Security Plugin

There are tons of WordPress security plugins that protect your website.

These plugins empower you to scan for vulnerabilities and implement firewalls to block security threats.

We recommend the following security plugins:

4. Choose a Reliable Web Host

A reliable web host plays a big part in keeping your website safe. Most attacks come through a security vulnerability on the hosting platform.

Among the various web hosting plans, beginners usually opt for WordPress hosting because it’s the most budget-friendly option.

With shared hosting, users share web server resources, making the website susceptible to cross-site contamination. Hackers on a shared server can easily access adjacent websites.

To prevent such malware attacks, choose web hosting providers that follow industry practices, such as Bluehost. 

WPMU DEV suggests looking for web hosts that provide:

If you don’t want to risk website security, get a Bluehost Managed WordPress hosting plan. With its Bluehost security, you get guaranteed backups, timely updates and top-notch protection without sacrificing website speed.

5. Ensure Your Website Is Regularly Backed Up

Back up your website regularly. There are several plugins you can use for that. We recommend VaultPress by Automattic, the parent company of WordPress.

Besides using a plugin, create and store multiple copies of your backup on both online (cloud) and physical (hard drive or USB) media.

6. Install a Firewall

A firewall filters incoming website traffic based on predetermined criteria that separate safe and unsafe connections to help prevent attacks.

There are different websites to get a firewall. You can also employ SiteLock’s firewall by signing up for Bluehost Security’s SiteLock add-on.

7. Limit Password Attempts

Once you’ve changed your password, a way to limit entry into your website is to change your login page and limit password attempts.

Use a plugin like Login LockDown, which records the IP address and timestamp of every failed login attempt and locks down the login function if the number of failed attempts from the same IP address exceeds the allowable range.

Protect your login page with plugins like WPS Hide Login that change your login URL into one that only you know.

Lastly, for logins, consider using multi-factor authentication as an additional security measure.

Final Thoughts:

We cannot undermine the importance of a secure website. It affects both website owners and website users. 

Malware hacks can lead to financial and personal data leaks and inclusion in search engine blacklists. Employing the best security practices can prevent that. 

Learning how to remove malware from websites is a valuable skill to have in your arsenal. But, if you don’t have the time and patience to learn, various website security experts can make things easier for you.

Protect your website from malware by signing up for Bluehost’s Managed WordPress hosting plan and getting a Bluehost security add-on.

  • Machielle Thomas

    Machielle is a content enthusiast who has a passion for bridging the gap between audiences and brands through impactful storytelling. Machielle has also spoken at dozens of WordCamps throughout the years.

    Texas State University
    Previous Experience
    Brand Content, Content Marketing, Brand Lead, Operations Lead, Course Instructor
    Other publications
    Shopify, Contently
Learn more about Bluehost Editorial Guidelines

Write A Comment