How to Remove WordPress Malware –

Today, we cleaned another website with various signs of contamination, including injected index.php files, malicious users with admin privileges, and malicious plugins installed.

Since the contamination was widespread, I decided to review each site component. After the cleanup was complete, I disabled all users with admin privileges and switched off the plugin installation feature.

Do you think your website is infected?
Try our Free site check.


How to disable plugin installation in WordPress:

Add the following line to the wp-config.php file:

define('DISALLOW_FILE_MODS', true);

What’s the first thing we always do, before proceeding with a cleanup?

We always start by moving all the contaminated web files to a safe area outside of public access – this prevents data loss and reputation damage. After we secure the files, we create a temporary HTML index file that contains critical contact information – phone number, address, and links to social media.

Which security plugin fixes the problem?

We never use a plugin to clean a website – that’s because malicious programs are always built to pass malware scans. It’s better to perform a manual cleanup and check each component by hand. After the cleanup is complete, we usually install and configure Wordfence.

I cleaned the website myself, and the malware returned. What to do?

That’s usually a sign of cross-site contamination – quickly disable the website by moving the files to a safe area, then find the other neighboring websites hosted on the same server.
Also, check for any suspicious PHP files, custom cron jobs, suspicious plugins, users, etc.

Cleanup steps

  • Make sure the WordPress files are intact and updated – including index.php and wp-config.php files.
  • Review the themes and plugins folders, apply all the available updates, and delete the malicious folders.
  • Review users with admin privileges – look for wp-configuser and wpsupp-user.
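
The checks from these steps as a shell example, added here and not taken from the original cleanup. The function names (audit_core, file_mods_locked, flag_admins) are hypothetical, the demo tree is constructed, and it assumes a clean copy of the same WordPress release is unpacked locally and that admin logins come from something like WP-CLI's `wp user list --role=administrator --field=user_login`.

```shell
#!/bin/sh
# Added example (not from the original post). Demo paths and files are constructed.

# audit_core SITE CLEAN: compare a site against a clean copy of the same
# WordPress release. Prints "MODIFIED <path>" for files whose bytes differ and
# "EXTRA <path>" for PHP files the clean copy does not contain.
# wp-content/ is skipped: themes, plugins and uploads are reviewed separately.
# wp-config.php is reported as EXTRA (not in a clean download): review it by hand.
audit_core() {
    (cd "$1" && find . -path ./wp-content -prune -o -type f -print) | LC_ALL=C sort |
    while IFS= read -r f; do
        rel=${f#./}
        if [ -f "$2/$rel" ]; then
            cmp -s "$1/$rel" "$2/$rel" || echo "MODIFIED $rel"
        else
            case $rel in *.php) echo "EXTRA $rel" ;; esac
        fi
    done
}

# file_mods_locked WP_CONFIG: succeeds only if an uncommented
# define('DISALLOW_FILE_MODS', true); line is present.
file_mods_locked() {
    grep -Eq "^[[:space:]]*define\([[:space:]]*['\"]DISALLOW_FILE_MODS['\"][[:space:]]*,[[:space:]]*true[[:space:]]*\)" "$1"
}

# flag_admins: reads administrator logins on stdin (one per line) and prints
# any that match the two account names reported in this post.
flag_admins() {
    grep -Ex 'wp-configuser|wpsupp-user' || true
}

# Constructed demo: a clean tree, and a site copy with an altered index.php
# plus one PHP file that the clean release does not ship.
demo=$(mktemp -d)
mkdir -p "$demo/clean/wp-includes" "$demo/site/wp-includes" "$demo/site/wp-content"
printf '<?php require __DIR__ . "/wp-blog-header.php";\n' > "$demo/clean/index.php"
printf '<?php // constructed placeholder for altered content\n' > "$demo/site/index.php"
printf '<?php // core file\n' | tee "$demo/clean/wp-includes/version.php" > "$demo/site/wp-includes/version.php"
printf '<?php // constructed unknown file\n' > "$demo/site/wp-includes/index.php"
printf "<?php\ndefine('DISALLOW_FILE_MODS', true);\n" > "$demo/site/wp-config.php"

audit_core "$demo/site" "$demo/clean"
file_mods_locked "$demo/site/wp-config.php" && echo "file mods locked"
printf 'editor1\nwpsupp-user\n' | flag_admins
rm -rf "$demo"
```

Every line it prints is a lead for manual review, not a verdict; the themes and plugins folders under wp-content still need the by-hand check described above.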

Malicious plugins:

Malicious URLs

Other malicious URLs, AS204601,,,,, AS49447, AS49447, AS44477, AS44477

Other malicious domains:,,,,,,,

Sucuri SiteCheck:
Known javascript malware: malware.injection?35.70

If you’ve recently noticed suspicious redirects to,, or subdomains, we can help.

Our skilled malware analysts are available 24/7 to fix hacked WordPress websites and clean up malware – reach out to us if you need help.
