Removing WordPress malware in a way that lets you be sure the site is clean is not easy. It can cost more than 150 per site to have WordPress malware removed, and depending on the service provider, you still can’t be sure that the site is clean.

Recent research by Acunetix reveals that almost 84% of websites have vulnerabilities, which means they are all at risk of becoming infected at any time.

1. Lock down the site before you start removing WordPress malware

When removing WordPress malware, it is important that no one but you can access the site during the cleaning process. Some hosting environments allow you to put the site in maintenance mode. If your service provider offers no such option, you can lock your site as follows:

1.1 Apache

Open your .htaccess (sometimes htaccess.txt) file and add the following lines at the top:
PS! Don’t forget to replace the allowed IP with your own.

order deny,allow
# Deny access from all IPs
deny from all
# Allow access from specific IP (replace YOUR_IP_ADDRESS with your own IP)
allow from YOUR_IP_ADDRESS

1.2 Nginx

Open your nginx.conf file and type the following lines:

location / {
# allow your IP below (replace YOUR_IP_ADDRESS with your own IP)
allow YOUR_IP_ADDRESS;
# drop rest of the world
deny all;
}

2. Install antivirus software on all computers where the site is accessed

It is not uncommon for your FTP access, /wp-admin/ username and password, or even your hosting environment credentials to be compromised by a keylogger or some other computer virus. Start by installing anti-virus software on the computers from which you access the admin panel or log in to your hosting environment or FTP.

For example, scan your PC for possible malware with Malwarebytes. Also, take a look at your operating system security settings and make sure the firewall is enabled. PS! Update your OS, web browser and browser extensions frequently.

3. Change all access codes (Hosting, SSH, FTP, MySQL, WP Users)

After you’ve closed your site to the public and scanned your PC for malware, make sure leaked credentials can no longer be used by changing them one by one. Change your hosting panel password, remove all FTP accounts, and create new ones with pre-generated passwords (some hosts do this automatically; otherwise use a password management tool such as KeePass2, Dashlane or LastPass).

3.1 Change Database credentials:

When you change the MySQL or MariaDB password (or any other database credentials), you also need to update this information in your wp-config.php file.

3.2 Change Salts:

A salt is used to protect passwords in storage. Historically, passwords were stored in the system in plaintext, but over time additional safeguards were developed to protect the user’s password from being read from the system. Salting is one of those safeguards. A new salt is generated randomly for each password. After a breach, it is important to replace the old salts with new ones in your wp-config.php file.

You can generate new salt here:
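
The replacement can also be done locally instead of by hand. The Python example below is an added example, not part of the original article: it rewrites the eight standard WordPress key and salt constants in the text of a wp-config.php file with fresh random values and reports any constant it did not find. The function names and the sample config are constructed for illustration.

```python
import re
import secrets

# The eight key/salt constants WordPress reads from wp-config.php.
KEY_NAMES = [
    "AUTH_KEY", "SECURE_AUTH_KEY", "LOGGED_IN_KEY", "NONCE_KEY",
    "AUTH_SALT", "SECURE_AUTH_SALT", "LOGGED_IN_SALT", "NONCE_SALT",
]
# Printable ASCII that needs no escaping inside a single-quoted PHP string.
ALPHABET = "".join(chr(c) for c in range(33, 127) if chr(c) not in "'\\")


def new_secret(length=64):
    """Return a random value drawn from the OS CSPRNG."""
    return "".join(secrets.choice(ALPHABET) for _ in range(length))


def rotate_salts(config_text):
    """Replace each key/salt define(); return (new_text, names_not_found)."""
    missing = []
    for name in KEY_NAMES:
        # Matches define('NAME', 'value'); with either quote style.
        pattern = re.compile(
            r"define\(\s*(['\"])" + name + r"\1\s*,\s*(['\"]).*?\2\s*\)\s*;"
        )
        line = "define( '%s', '%s' );" % (name, new_secret())
        # A function replacement keeps backslash sequences literal.
        config_text, count = pattern.subn(lambda m, line=line: line, config_text)
        if count == 0:
            missing.append(name)  # not rotated: must be added by hand
    return config_text, missing


# Constructed sample wp-config.php fragment (placeholder values, NONCE_SALT absent).
SAMPLE = """<?php
define( 'DB_NAME', 'wordpress' );
define('AUTH_KEY',         'old-auth-key');
define( "SECURE_AUTH_KEY", "old-secure-auth-key" );
define('LOGGED_IN_KEY',    'old-logged-in-key');
define('NONCE_KEY',        'old-nonce-key');
define('AUTH_SALT',        'old-auth-salt');
define('SECURE_AUTH_SALT', 'old-secure-auth-salt');
define('LOGGED_IN_SALT',   'old-logged-in-salt');
"""

if __name__ == "__main__":
    updated, missing = rotate_salts(SAMPLE)
    print(updated)
    print("not found, add manually:", missing)
```

Rotating these values invalidates existing login cookies, so all users are logged out and must sign in again.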

3.3 Change WordPress admin panel access:

Log into your WordPress site, navigate to Users, and delete all inactive accounts. Then click Edit on active accounts one by one and under Account Management suspend all sessions and Generate new passwords for all users.

PS! Make sure you don’t have an account with the username Admin or Administrator.

4. Make a full back-up of your website

If your hosting provider doesn’t have any back-ups, make sure to download the whole content of your fileserver and database to a local environment.

4.1 SSH:

Some servers give you SSH access, which can make your life much easier when doing WordPress malware removal. The process for getting SSH access differs between hosting environments; for example, GoDaddy has options for it in their hosting panel.

When you have successfully logged into the site with SSH access, perform the following:

# backup.zip is an example archive name
zip -r backup.zip .

This might take some time but will generate a .zip file with all the files on your hosting account. You can later download the .zip file directly over SFTP.

4.2 SFTP:
