A hacked WordPress site rarely announces itself obviously. Malware often sits quietly: redirecting visitors to spam sites, serving ads to visitors while the admin sees nothing unusual, harvesting customer data, or using your server to send spam emails. By the time Google flags your site or your host suspends the account, the infection may have been there for weeks. Knowing how to detect malware and remove it cleanly is a practical skill for any WordPress site owner.
Signs Your WordPress Site Has Been Compromised
Google Search Console warnings. Google’s security review flags malware, phishing pages, and deceptive content. A manual action or security issue notification in Search Console is a reliable indicator of a compromised site.
Visitors are redirected. You load the site normally as a logged-in admin but visitors arriving from Google search results are redirected to a different site. This is a classic WordPress malware pattern: the malicious code detects admin login cookies and hides itself from the site owner.
New admin users you did not create. Check Users in the WordPress admin. Unknown administrator accounts are a strong indicator of a compromised site where the attacker has created a backdoor account.
Files modified recently. Check your file modification dates via SFTP or SSH. Core WordPress files that were recently modified but should not have been (wp-login.php, wp-includes files, functions.php) indicate file-level infection.
Google Safe Browsing flagging your site. Check safebrowsing.google.com/safe-browsing/report_phish with your URL, or use Google’s Transparency Report site checker. If Google has flagged your site as dangerous, visitors see a warning page before reaching your content.
How to Scan for Malware
Wordfence Security. The free version of Wordfence includes a malware scanner that compares your WordPress core, plugin, and theme files against the WordPress.org repository and known clean versions. It flags files that have been modified or contain known malware signatures. Run a full scan from the Wordfence dashboard. On WP Engine, Wordfence’s scanning functionality works; its firewall should be set to Learning Mode initially to avoid conflicts with WP Engine’s own firewall.
Sucuri SiteCheck. Sucuri’s free online scanner (sitecheck.sucuri.net) checks your site from outside for blacklist status, malware in publicly accessible files, and known indicators of compromise. It does not scan server-side files but catches many common infections that affect front-end output.
MalCare. MalCare’s scanner checks files on your server directly and is often better at detecting deeply hidden malware that Wordfence misses. The scanning is free; automated removal requires a paid plan.
On WP Engine, the platform runs its own malware scanning at the infrastructure level. If WP Engine detects malware, they notify you and can assist with cleanup. This does not replace active monitoring but provides an additional detection layer.
How to Remove Malware from WordPress
Step 1: Take a backup first, even of the infected site. You may need to reference the infected files to understand what was changed.
Step 2: Restore from a clean backup if available. If you have a backup from before the infection, restoring it is the fastest and most reliable cleanup method. WP Engine’s daily backups with 28-day retention give you a meaningful restore window. Identify approximately when the infection occurred from your error logs and restore from a point before that date.
Step 3: If no clean backup, clean manually. Reinstall WordPress core files (download fresh from WordPress.org, replace everything except wp-content and wp-config.php). Reinstall all plugins fresh from their source (not from the infected files). Replace your theme files with a fresh copy.
Step 4: Check wp-config.php and .htaccess. These are common targets for malware injection. Compare them against known-good versions and remove any code you did not write.
Step 5: Delete unknown admin accounts. Remove any WordPress user accounts you did not create.
Step 6: Change all credentials. Change your WordPress admin password, your WP Engine dashboard password, your database password (in wp-config.php), and any FTP/SFTP credentials. If the attacker had credential access and any of these is left unchanged, re-infection is immediate.
Step 7: Request Google review. After cleanup, use Google Search Console to request a security review. Google re-crawls the site and removes warnings once it confirms the infection is cleared.
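The file comparison behind Steps 3 and 4, and the modification-date check from the signs list, can be scripted over SSH. The script below is an added example, not part of the original article. It assumes a fresh WordPress.org download of the same version has been unpacked next to the site. The function names and directory arguments are illustrative, and the script only reads files.

```shell
#!/bin/sh
# Added example: read-only audit of a live WordPress tree against a fresh
# download of the same version. Directory arguments are assumptions.

# List files outside wp-content, skipping the two site-specific files in the
# web root (wp-config.php and .htaccess) that a fresh download does not ship.
# Files with those names in any other directory are still listed.
core_files() {
    (cd "$1" && find . -type f ! -path './wp-content/*' \
        ! -path './wp-config.php' ! -path './.htaccess' | LC_ALL=C sort)
}

# audit_core SITE_DIR CLEAN_DIR
# Prints one finding per line: MISSING, MODIFIED or UNKNOWN, then the path.
audit_core() {
    site=$1
    clean=$2
    # Core files that are absent from the site or differ byte-for-byte.
    core_files "$clean" | while IFS= read -r f; do
        if [ ! -f "$site/$f" ]; then
            echo "MISSING $f"
        elif ! cmp -s "$clean/$f" "$site/$f"; then
            echo "MODIFIED $f"
        fi
    done
    # Files sitting in core locations that WordPress does not ship.
    core_files "$site" | while IFS= read -r f; do
        [ -f "$clean/$f" ] || echo "UNKNOWN $f"
    done
}

# recent_php SITE_DIR DAYS
# PHP files anywhere in the site (wp-content included) modified in the
# last DAYS days, for comparison against your own deploy and update dates.
recent_php() {
    (cd "$1" && find . -type f -name '*.php' -mtime "-$2" | LC_ALL=C sort)
}
```

The root wp-config.php and .htaccess are excluded from the automatic comparison because they are site-specific, so they still need the manual review described in Step 4.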
How to Prevent Re-infection
Most WordPress infections come through three vectors: outdated plugins with known vulnerabilities, compromised admin credentials, and insecure themes from unverified sources. Addressing all three prevents the majority of infections.
Keep WordPress core and all plugins updated. Enable two-factor authentication on all admin accounts (see WordPress Two-Factor Authentication). Only install plugins and themes from WordPress.org or reputable commercial marketplaces — never from nulled or pirated sources. Use a host with a managed firewall and malware scanning like WP Engine. The infrastructure-level protection does not eliminate all risk but significantly raises the barrier for common attack types. For the broader security picture, see WordPress Security in 2026.
Frequently Asked Questions
How do I know if my WordPress site has malware?
Common signs: Google Search Console security warnings, visitors being redirected to other sites, unknown admin users, recently modified core files, spam emails being sent from your domain, and Google Safe Browsing flagging the site. Run a Wordfence scan and check Sucuri SiteCheck to confirm. Many infections are invisible to the site owner because the malicious code hides from logged-in admins.
Does WP Engine clean up malware for me?
WP Engine provides infrastructure-level malware scanning and will notify you if their systems detect an infection. For active cleanup, WP Engine’s support team can assist, and WP Engine recommends restoring from a clean backup as the most reliable resolution. They do not offer a dedicated malware cleanup service in the same way that standalone security companies like Sucuri do, but their support team is responsive to security incidents.
Should I pay for a professional malware removal service?
For complex infections that manual cleanup does not resolve, or for sites handling sensitive customer or payment data, a professional cleanup service (Sucuri, Wordfence Response) is worth the investment. They have deeper forensic tools and experience with sophisticated infections that resist standard cleanup approaches. For straightforward infections caught early, manual cleanup following the steps above is usually sufficient.





