WordPress malware removal that stays removed
Anyone can delete the file that looks infected. Our WordPress malware removal service finds everything the attacker left behind, the backdoors, the fake plugins, the database injections, the cron jobs that reinstall it all, then closes the door they came through.
Where malware hides in a WordPress site
WordPress powers a huge share of the web, so its malware is industrialised: automated, layered and built to survive amateur cleanups. These are the hiding places we check on every single job.
PHP in the uploads folder
wp-content/uploads should contain images and documents, never executable code. Attackers drop PHP shells there because most owners, and many scanners, never look.
Fake and tampered plugins
A plugin folder named something plausible like wp-cache-tools that is actually a remote-control kit, or one real plugin file with ten malicious lines added in the middle.
wp-config.php injections
Extra lines in the one file every request loads. Perfect hiding spot: it is unique to each site, so it cannot be compared against a clean original without care.
Database payloads and spam
Encoded JavaScript in widgets and options, spam links buried in old posts, rogue administrator accounts. File scanners never see any of it, which is why we clean the database too.
Cron job backdoors
A WP-Cron or server cron task that quietly redownloads the malware every night. The main reason "cleaned" sites are reinfected by the weekend.
The original entry point
The outdated plugin or stolen password that let the attacker in. Leave it open and every cleanup is temporary. Closing it is part of the job, not an optional extra.
"I deleted the bad file" is how re-infections start
The file you found is the decoy
Modern malware plans for its own removal
WordPress infections are rarely one file. The visible payload, the redirect or spam injection, is deliberately separated from the persistence layer: two or three backdoors in different places, a spare admin account, a scheduled task that restores everything if any part is deleted. Remove only what you can see and the infection regenerates, except now the attacker knows you are looking. If your site was visibly defaced or blacklisted, start with our hacked website repair triage.
- Every core file compared byte-for-byte against official WordPress releases
- Plugins and themes reinstalled from clean sources where needed
- Database, users and scheduled tasks audited, not just the file system
A verified clean, then a locked door
Clean, harden, guarantee: then stay clean
After the clean we patch the entry point, update everything, lock down logins and file permissions and request removal from Google and the major blacklists. You get an incident report in plain English and a 30-day re-infection guarantee. Most clients then move onto ongoing website security monitoring or a WordPress support plan, because the £29 a month that prevents the next infection is better spent than the £249 that cures it.
- Hardening and updates included in the fixed price
- Google "Deceptive site" and search warnings cleared
- Re-infection inside 30 days cleaned again at no charge
From infected to verified clean
Snapshot and deep scan
We take a forensic copy first, then scan every file and database table, comparing core files against official releases and flagging anything that does not belong. Nothing is deleted until we understand it.
Clean and close
Malware, backdoors, rogue admins and malicious cron jobs removed in one pass so nothing left behind can regenerate. The entry point is identified and patched.
Verify, report, guarantee
External scanners re-check the site, Google reviews are submitted, and you receive the incident report. The 30-day guarantee starts the moment we hand back a clean site.
How visible is your website on Google right now?
Run our free SEO checker. It scans any page in about 30 seconds and shows the exact issues holding back your rankings.
The clean, and the plans that keep it clean
One fixed fee for the removal. Monitoring or full care afterwards is optional, recommended and cheap next to a second infection. Prices exclude VAT.
Hacked Site Rescue
Malware removed, site restored, Google warnings cleared.
£249 one-off
- Full malware scan and clean
- Backdoors found and closed
- Google blacklist removal request
- Security hardening after cleanup
- 30-day re-infection guarantee
- Incident report for your records
Professional Care
For business sites where downtime costs money. Our most popular plan.
£119 /month
£1190 /year
- Everything in Essential
- 60 minutes of development time every month
- Same-day emergency response
- Speed and Core Web Vitals monitoring
- Monthly accessibility scan
- Phone and email support, 7 days
Uptime & Security Monitoring
Know before your customers do. Monitoring with real alerts and action.
£29 /month
£290 /year
- 1-minute uptime checks, 24/7
- Instant email and SMS alerts
- Malware and blacklist monitoring
- SSL expiry monitoring
- Monthly uptime report
- We investigate every incident
All prices exclude VAT. Cancel monthly plans any time. Secure card and Direct Debit payments powered by Stripe.
Frequently asked questions
How do I remove malware from my WordPress site?
Properly: scan every file against known-good WordPress core and plugin versions, inspect wp-config.php and the uploads folder for PHP that should not exist, check the database for injected code and rogue admin users, review scheduled tasks for reinstallers, then patch the entry point. Deleting the visibly infected file and hoping is how sites get reinfected within days.
How much does WordPress malware removal cost?
Our WordPress malware removal service is £249 excluding VAT, fixed regardless of how deep the infection goes. That includes the full clean, backdoor closure, Google blacklist removal, post-clean hardening, an incident report and a 30-day re-infection guarantee. No per-file pricing, no hourly meter running while we work.
Where does malware hide in WordPress?
The classic spots: PHP files dropped into wp-content/uploads where only images should live, fake plugins with plausible names, code injected into wp-config.php or the theme's functions.php, base64-encoded payloads in the database, spam links in posts, and WP-Cron jobs that quietly redownload the malware after every cleanup. A real clean checks all of them.
Why does my WordPress malware keep coming back?
Because something survived: a backdoor file the scan missed, an extra administrator account, a scheduled task that reinstalls the payload, or the vulnerable plugin that let the attacker in originally. Re-infection is almost never bad luck. It means the cleanup treated symptoms, not causes, which is exactly what our process is built to avoid.
Will malware removal plugins clean my site?
Scanner plugins are decent at detection and we use scanning as one input. But they run inside the compromised site, so sophisticated malware can hide from them or disable them, and they cannot judge whether an odd file is a developer customisation or a backdoor. Automated quarantine also breaks sites. Detection can be automated; judgement cannot.
How do I know the malware is actually gone?
You get evidence, not reassurance: an incident report listing every infected file, what it did, what we removed and how the attacker got in, plus clean results from external scanners and Google's own review. Then the 30-day guarantee puts our money behind it: if the same infection returns, we clean it again free.