How to remove malware from WordPress sites

Recently, one of WordPress hosted on Siteground has been infected with malware. When Siteground detects malware, they block the affected site(s) and send an notification to the site owner.

Just for your reference: if you sign up for Bluehost's Shared Hosting plan by clicking on this referral link, you are able to use it starting from USD2.95/month (with 1USD off per month.) If you sign up for a web-hosting service by clicking the links contained in this article, I will get some commission. However, I do not recommend a specific service just for commission; I have been running and managing some WordPress sites from several web hosting companies including Bluehost and Siteground for several years. If you are looking for a cheap web hosting service with relatively good resources, BH's Shared Hosting will be a good option to consider.

When accessing the infected site, the following screen appears.

Siteground webhosting - infected with malware

Visitors will see the message "This site is currently unavailable. If you're the owner of this website, please contact your hosing provider to get this resolved."

An email notification with the title "Important: Malicious code detected on website" is also sent to the site owner.

Malicious code detected SiteGround

A malicious code was detected on one of my WordPress sites. I could see some strange files under the WordPress site folder.

Strange files under web-hosting server

There are some suspicious files such as ws.php, wzewsdw.php, etc.

Also, I could find the list of malicious files from my Siteground account page.

Siteground - the list of suspicious files

How to remove malware from WordPress sites

When your WordPress site is infected with malware, you need to remove all strange files from your web-hosting server. However, just removing strange files will not resolve the issue. You may consider to replace all files WordPress files with new fresh ones including WordPress core file, themes and plugins files.

I just restored the data using the Backup/Restore tool provided by SG. Then, I contacted SG to request to unblock my site. They instructed me to take the following action to request a review:

You can now request a review for the site to be re-enabled from your Siteground account homepage > Review > More > Request Review

From my Siteground account homepage, I could find the Review button:

Request a review after removing malware from WordPress sites

After I requested a review, I received an email notification with the title "Malicious Code Removed From Website" within an hour.

Malicious code removed from WP

I updated all WordPress theme and plugins to the latest version and installed a security plugin named iThemes Security.

I think It's important to review other sites under the same web-hosting account for malicious codes even after you removed the malware from one of your sites. I found that other sites were also infected with malware.

See Also...