How to identify malware in WordPress: 2026 guide

Identify malware in WordPress: infection signs, suspicious files, SSH commands and scanners. A technical diagnosis guide by Pixelize.

To identify malware in WordPress, look for signs such as suspicious redirects, browser warnings, admin users you didn’t create, and modified PHP files. Confirm with wp core verify-checksums and a scanner like Wordfence before removing anything.

An infected site rarely warns you clearly. It redirects one visitor here, injects a pharmacy link there, disappears from Google on a Tuesday. By the time the owner notices, the damage to SEO and reputation has already started. This guide shows how to confirm the infection with your own eyes — not just install a plugin and hope.

What is malware in WordPress?

Malware in WordPress is any malicious code injected into your site — into PHP files, the database or the .htaccess — to redirect visitors, steal data, send spam or keep hidden access to the server. It usually enters through outdated plugins and themes, weak passwords or vulnerable hosting.

Unlike a desktop virus, WordPress malware lives on your server and affects everyone who visits the site. The most common types are backdoors (hidden attacker access), malicious redirects, SEO spam (the classic pharma or japanese hack) and phishing scripts.

8 signs your WordPress is infected

No single sign proves infection. Several together do. Check these:

1. Redirects to suspicious sites

Visitors land on gambling, adult or pharmacy pages — often only on mobile or only when they arrive from Google, to stay out of your sight. The source is almost always in .htaccess, wp-config.php or a script injected into the theme.

2. Browser warning or Google blacklist

Messages like “This site may be hacked” in Chrome mean Google has already flagged the domain. Confirm it in Search Console → Security & Manual Actions.

3. Ghost admin user

An administrator you didn’t create is a classic sign of an active backdoor. In the dashboard, sort users by registration date. In the database, this query reveals accounts the panel sometimes hides:

SELECT ID, user_login, user_email, user_registered
FROM wp_users
ORDER BY user_registered DESC;

An admin with a generic email and a date matching the incident confirms the compromise.

4. Sudden ranking drop and SERP spam

If Google shows Japanese titles or pharmacy terms on your pages (the japanese/pharma hack), there is injected SEO spam. Search site:yourdomain.com and see what Google actually indexed.

5. Slowness, 500 error or strange traffic spike

Malware consumes CPU sending spam or mining crypto. A 500 error with no obvious cause and traffic spikes to obscure PHP files are red flags.

6. Files and pop-ups you didn’t add

Pop-ups, banners and new files in the root or in wp-content/uploads (where PHP should never exist) point to injection.

7. Unexplained login failure

Being unable to log in to wp-admin can mean the attacker changed credentials or corrupted the users table.

8. Host emails or dropping deliverability

A “account suspended for spam” notice or your emails landing in spam mean the server has become a source of malicious sending.

How to confirm the infection with your own eyes

Here is what most guides skip. Before any plugin, SSH access (or your hosting panel’s terminal) confirms the infection in minutes.

Take a full backup before running any command.

Step 1 — Verify core integrity

WP-CLI compares your core files against the official WordPress.org ones and lists what changed:

wp core verify-checksums

Any core file reported as modified is suspicious — the core should not change.

Step 2 — Hunt recently modified PHP files

Malware is new code. List PHP files changed in the last 7 days:

find wp-content -name "*.php" -mtime -7 -ls

Cross-reference with the incident date. PHP files inside uploads/ are almost always malicious.

Step 3 — Search for obfuscated code

Attackers hide the payload in obfuscation functions. A recursive grep reveals most of them:

grep -rEn "eval\(|base64_decode|gzinflate|str_rot13" wp-content/ wp-includes/

eval(base64_decode(...)) is the most common backdoor signature. Not every result is malware, but each one deserves a manual read.

Step 4 — Inspect .htaccess and wp-config.php

Open both. In .htaccess, look for RewriteRule blocks sending traffic to strange domains. In wp-config.php, any eval, base64 or include of an unknown file is injection.

Step 5 — Audit the users in the database

Run the SELECT from sign 3 and remove any unrecognized account — but only after confirming it is a ghost.

Scanners: server-side vs external (and the limit of each)

Tools automate what you just did by hand. Understand the difference before trusting blindly:

  • Server-side scanners (Wordfence, MalCare) run on the server, read the actual file content, compare against clean versions and detect database injection. They are the most complete.
  • External scanners (Sucuri SiteCheck, VirusTotal) see only what a visitor sees — the public page. Fast and install-free, but they cannot see server files or inactive backdoors.
  • Google Search Console confirms blacklisting and compromised pages from Google’s point of view — free and essential.

Rule of thumb: use an external one for a quick triage and a server-side one for real diagnosis. Neither is 100%.

The 2026 blind spot: AI-generated malware

A recent shift changed the game. Attackers started using language models (LLMs) to generate malware that mimics the code pattern of legitimate plugins. Signature-based scanners tend to flag this code as clean, because it looks like a real plugin.

What this changes in practice:

  • Don’t trust the signature alone. A “clean” scan does not prove the site is clean.
  • Prioritize integrity and behavior. verify-checksums, files modified by date and anomalous traffic catch what the signature misses.
  • Combine signals. The manual verification above becomes even more valuable when the malware knows how to disguise itself.

I found malware. Now what?

If you confirmed the infection, follow this order — rushing here makes the damage worse:

  1. Full backup of files and database (yes, even infected — it is your evidence and your safety net).
  2. Isolate the site — maintenance mode or offline to contain the damage to SEO and visitors.
  3. Change every password — admin, FTP/SSH, database and hosting panel.
  4. Remove the payload — restore core, plugins and themes from official sources and clean the injections you found.
  5. Request a review from Google in Search Console after cleaning.
  6. Close the entry point — update everything, review permissions and harden the server.

A botched removal leaves a backdoor behind, and the site reinfects within days. If the diagnosis pointed to a backdoor, persistent SEO spam, or you don’t have comfortable SSH access, it’s worth bringing in a specialist — which is what Pixelize does through its WordPress Specialist service. And if the symptom is an error rather than a hack, the common WordPress errors guide covers the diagnosis.

Frequently asked questions

How do I know if my WordPress site is infected?

Look for suspicious redirects, browser warnings, admin users you didn't create, a sudden ranking drop, and modified PHP files. Confirm with the wp core verify-checksums command and a server-side scanner like Wordfence before removing anything.

What is the best malware scanner for WordPress?

For real diagnosis, use a server-side scanner like Wordfence or MalCare, which read the server files and the database. For a quick triage without installing anything, Sucuri SiteCheck inspects the public page. Combine both — no single tool catches everything.

How do I remove the WordPress redirect virus?

Locate the injection in .htaccess, wp-config.php or theme files using grep for base64_decode and eval. Remove the code, restore the official WordPress files, change every password and update everything. If the redirect returns within days, there is an active backdoor.

What is a ghost admin in WordPress?

It is an administrator account the attacker created to keep access even after a partial cleanup. Detect it by running SELECT ID, user_login, user_email, user_registered FROM wp_users ORDER BY user_registered DESC — accounts with a generic email and a date matching the incident confirm the compromise.

Is a security plugin enough to detect malware?

Not on its own. In 2026, attackers use AI to generate malware that mimics legitimate plugin code and slips past signature-based scanners. Combine the scanner with integrity checks (verify-checksums), analysis of files modified by date, and anomalous-traffic monitoring.