What this problem is
Security scans or hosting alerts report malware in WordPress files.
Why it happens
- Outdated plugin/theme vulnerabilities
- Stolen credentials (FTP, wp-admin)
- Insecure file permissions
Prerequisites
- File access (FTP/File Manager)
- Clean sources to reinstall (wordpress.org and plugin/theme vendor portals)
- Backup or snapshot (for recovery)
Diagnosis
Identify which files are flagged and whether they belong to core, a plugin, a theme, or unknown locations.
Detailed steps
Step 1) Change passwords and revoke access
Change hosting, FTP/SFTP, database, and WordPress admin passwords. Remove unknown users.
Step 2) Replace WordPress core
Re-upload clean copies of wp-admin, wp-includes, and the remaining core files.
Step 3) Reinstall plugins and themes from trusted sources
Delete and reinstall; do not keep modified plugin files.
Step 4) Scan for backdoors
Search for suspicious PHP functions, obfuscated code, and unknown admin scripts.
Step 5) Harden permissions
Use 755 for directories and 644 for files, and disable file editing in wp-admin.
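An added example (not from the original page) that combines the Diagnosis classification, the Step 4 search and a Step 5 permission check: it walks a WordPress root and lists the PHP files that need manual review. The function-name list, the 300-character threshold and the reason labels are assumptions chosen for illustration.

```python
import os
import re
import sys

# Calls common in PHP backdoors. A hit is a lead for manual review, not proof of infection.
SUSPICIOUS = re.compile(
    rb"\b(eval|assert|system|shell_exec|passthru|base64_decode|gzinflate|str_rot13)\s*\(")
LONG_BLOB = re.compile(rb"[A-Za-z0-9+/=]{300,}")  # long encoded run, typical of obfuscation
# PHP files expected in the site root. wp-config.php is site-specific: review it by hand.
ROOT_FILES = {"index.php", "wp-activate.php", "wp-blog-header.php", "wp-comments-post.php",
              "wp-config.php", "wp-cron.php", "wp-links-opml.php", "wp-load.php", "wp-login.php",
              "wp-mail.php", "wp-settings.php", "wp-signup.php", "wp-trackback.php", "xmlrpc.php"}


def classify(rel):
    """Place a path relative to the WordPress root: core, plugin, theme, uploads or unknown."""
    parts = rel.replace(os.sep, "/").split("/")
    if parts[0] in ("wp-admin", "wp-includes") or (len(parts) == 1 and parts[0] in ROOT_FILES):
        return "core"
    if parts[0] == "wp-content" and len(parts) > 2:
        return {"plugins": "plugin", "themes": "theme", "uploads": "uploads"}.get(parts[1], "unknown")
    return "unknown"


def scan(root):
    """Return sorted (relative path, location, reasons) for PHP files that need a manual look."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if not name.lower().endswith((".php", ".phtml")):
                continue
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root)
            where = classify(rel)
            with open(full, "rb") as fh:
                data = fh.read()
            reasons = sorted({m.group(1).decode() for m in SUSPICIOUS.finditer(data)})
            if LONG_BLOB.search(data):
                reasons.append("long-encoded-string")
            if where in ("uploads", "unknown"):  # PHP rarely belongs in either place
                reasons.append(f"php-in-{where}-location")
            if os.stat(full).st_mode & 0o022:  # looser than the 644 from Step 5
                reasons.append("group-or-world-writable")
            if reasons:
                findings.append((rel, where, reasons))
    return sorted(findings)


if __name__ == "__main__":
    print(*scan(sys.argv[1] if len(sys.argv) > 1 else "."), sep="\n")
```

Hits inside core, plugin and theme directories matter less once Steps 2 and 3 have replaced those files from clean sources. What remains in uploads, unknown locations and wp-config.php is where manual review should concentrate.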
Expected results
- Malware alerts cleared and site integrity restored
What to do if it fails
- Restore from a known-clean backup and patch the vulnerability; consider professional cleanup
Best practices
- Keep updates current, enable WAF, and use least-privilege accounts