header & footer final logo
Close this search box.

Beginner's Guide To Start A Blog

How To Remove Malware From WordPress Website Using Sitelock

In full transparency – some of the links on this page are affiliate links, if you use them to make a purchase I will earn a little commission at no additional cost to you. It helps me create valuable content for you and also helps me keep this blog up and running. (Your support will be appreciated!)

Have you ever encountered malware attack on your site? If yes, don’t worry there is a way to check the website for malware and immediately remove them. Hackers are always looking for stealing the confidential information of small businesses sites. 

They always point those sites that are ranked top in search engines. Many studies show that sites that are running on WordPress platform have 100% possibility to get hacked because of most of the top results powered by WordPress.

Unfortunately, Last week I received an email letting me know that the site has been temporarily shut down due to malware infection. Hosting team told me that there is a report regarding malware hosted on an account under my control. So, hosting provider closed my site access to stop the further complaints.

See how this notice looks like this: –

A notice that you will recieve when there is a malware hosted under your control

Early morning when I checked out my Gmail account, I saw this notice. I had no idea what to do and how to remove malware from WordPress. Without any further due I contacted my hosting provider and asked for help.

Fortunately, they gave me the solution and my site was live. To fix malware infected website hosting provider advised me to install sitelock security to avoid further malware attacks. So, immediately I purchased the “Find” plan of sitelock.

Luckily, I did not receive any further notice before activating sitelock security. But after three days hosting provider again reported a malware code into my directory. Resulting, still my site was dead.

The second notice is here –

second notice reporting malware code installed into my directory

Then I purchased sitelock “find plan”.This security tool scanned my whole directory and listed all the malware files. But it was unable to remove them automatically. So, I need to remove the malware from my WordPress site. That’s why my site was not on the server. I took 15 minutes to complete this process. After that, my site again came back. But I won’t suggest you buy this plan of sitelock because it requires manual removal process which makes it laborious. However, this is good only if you find some countable malware attacks.

But if there is a ton of malware files spread over your directory, then manual removal could take a reasonable time. In my case, Sitelock found 16 malware files into my public_html folder, and I took 10 min to locate & remove them. 

malware detection list

Hosting provider does not activate your server until you remove all infected file from the server. Google may also blacklist your domain which may affect your domain trust and citation flow. So, don’t take the risk purchase the “sitelock fix plan @ 6.99$” which automatically remove all the infected files from your server.

Above story was mine when I encountered malware attack on my site. Now, It’s time to uncover how to remove malware from WordPress. However, some malware removal services can make your site free from malware infection. But all these services are not affordable. So, today I am going to share affordable services that fit you.

Before I started, let’s talk a little bit about what is malware and how they can damage your WordPress site.

What is malware?

Malware is a malicious program/code/software that acts opposite to the interest of computer’s user. Malware covers all the terms used to define a virus, malicious code, adware, Trojan horses, spyware etc.

These are any code or software that could harm your system. For example, installing an outdated software into your computer may infect your whole system because the old software has not modified by software provider and can easily manipulate. That is the reason, while you download the outdated software into your computer, the system warns you that “this file or software may harm your computer”.

The same thing happens, while you upload or install an old plugin/theme/any other file into your web directory, then this malware secretly enter into your server and try to steal your website’s content.

What are the precautions to prevent WordPress hack?

It is always good to secure your site, so it never hacked. For that, you need to take some steps to make your site free from malware and hackers –

  1. Use a paid anti-virus to secure your system and network as well. An infected system could harm your WP-admin area. So before login to WordPress dashboard make sure that your system is free from any infection.
  2. Never upload any outdated theme/ plugin on your server.
  3. If you notice any WordPress updates then immediately update them.
  4. Never make “777” mode security permission because it permits a visitor to edit your web page into word format. [777 means read, write and modify]
  5. Take regular backups for instance recovery.
  6. Make your site fully secured by Sitelock and SSL
  7. Don’t download the themes from untrusted sources.
  8. Use a long and secured password. [include special symbols instead of letters]
  9. Periodically change the WP admin password
  10. Run your site on a reputed hosting server.
  11. Remove unnecessary themes; plugins form your Cpanel
  12. Install a security plugin like Wordfence, Sucuri.
  13. In case, if you have a free version of these security plugins then regularly scan your site because free version doesn’t allow automatic scan.
  14. To prevent WordPress hack make some modification to the robot.txt file. Disallow the search engine bots to index your WP admin page, WP– includes, plugins, themes files
  15. Secure your .htaccess file
  16. Secure wp_config.php file

Attention –

How To Fix Internal Server Error In Woradpress [8 successful ways]

How to remove malware from WordPress website using sitelock

As I mentioned that my website server was locked, it makes me curious to know the reason behind this lockout. I am talking about sitelock and Wordfence. Both tools helped me remove malware and make my server free from an infected file, software or code.

So, let’s discuss one by one.

#1. Wordfence: – A WordPress security plugin

Wordfence is a very powerful plugin. It has both free and paid version. I am using the free version of this plugin. I am so glad that free version includes all necessary security features.

Automatic malware removal is the usual drawback of this plugin. To include this feature, you need to buy a premium plan. But the good thing is that it notifies everything that you consider as a security essential [given above].

But the free version of this tool only helps before getting hacked. Once you get hacked, this tool is no longer available for you. Because hosting provider does not permit you to interact with WordPress admin panel and you can’t address, where the malware has injected. So make sure, scan your site regularly and fix any issue notified by Wordfrence security plugin to minimise the chances of getting hacked.

It was the free version of Wordfence. But if you upgraded to the premium version, then you don’t need to worry about anything. This tool will take care of everything.

Features: –

It has tons of features like blocking of malicious traffic, 2-step security for WordPress login page, WordPress firewall to protect from bot attacks, monitor the real-time traffic, DNS security and compatible with IPv6 etc. [Learn more about wordfence security features ]


WordPress login issues: 8 permanent solution

#2. Sitelock: – A malware removal tool

Now, let’s move on the second malware removal tool “Sitelock.”

This tool is awesome. Currently, I am using this tool to take care of all security issues. The feature is similar to Wordfence. I like the Sitelock smart scanner. It automatically removes all the malware available in your web directory.

There are three plans find, fix and protected [For hostgator]. I recommend you “fix plan” because it has the feature of automatic removal. Find and fix both are pretty similar excluding automatic malware removal feature.

Most of the famous hosting companies have partnered with sitelock. For example, Hostgator, Godaddy, iPage and Bluehost etc. You can directly purchase these plans form your hosting company.

Once you have purchased, you need to setup your account and configure it. But make sure find plan does not include a smart scanner. So, you need to remove all the malware files manually.

Follow these steps to make your site free from malware/malicious code (“find Plan” of Sitelock)

#1st step

When you receive an alert from hosting provider, then it’s time to get ready. First of all, login to Cpanel and open the file manager. In the public_html folder, you will find a malware.txt file. It is a detailed list of all the malware code present in your directory.

malware detection list

#2nd step

Now, download this file into your computer and open it. Here you will see all the files with their exact location.

#3rd step

Delete every file form the directory.

#4th step

After cleaning, it’s time to repair your website again because malware may be in your WordPress core files which makes your WordPress login page broken. That’s why you need to repair your site by re-uploading the new WordPress core files. It is only required if you find malware infection within your core files like WP-admin.php, WP-config.php, WP-setting.phop, index.php and so on.

#5th step

Once your website goes live, take a backup, of your website. For taking a backup, you need to open your Cpanel and click the backup button. It takes time to prepare the backup file. Once done, download the backup file into your computer. Finally, you have removed all the malware files from your server.

It was all for “sitelock find plan”. But if you buy “fix plan” then you don’t need anything. The smart scanner will automatically remove all the infected files from your WordPress directory. Sitelock quick scanner continuously scans your whole directory and if it detects any malware attack on your site. It immediately removes them from your site and sends you an email to let you know that malware has removed from your website.

It is the Gmail delivered by Sitelock which confirms that your site is now free from any malware infection.

message send by sitelock that malware was deleted and removed from your site

#3. Contact to your hosting support

No one knows that what is going to happen in the next day. Sometime, the situations may be opposite. In case, if you have no one to help then always contact your hosting support.

When I felt into grief, I contacted my hosting support, and they served me well. Here you can see my recent conversation while I reported a malware attack on my server. See how I solve my issue within 15 to 30 minutes.

How to talk to hostgator hosting support to fix the malware security issue 1


How to talk to hostgator hosting support to fix the malware security issue 2

How to talk to hostgator hosting support to fix the malware security issue 3

How to talk to hostgator hosting support to fix the malware security issue 4

How to talk to hostgator hosting support to fix the malware security issue 5

How to talk to hostgator hosting support to fix the malware security issue 6



Conclusion: –

In a nutshell, security is the prime concern. So, never ignore it. In this article, I have mentioned two methods that could help you remove malware from WordPress site. Free Wordfence security tool couldn’t help you after getting hacked. But it can be used as a cleaner. For better protection upgrade this plugin.

Hope you would enjoy this article.  If you like this article, then don’t forget to share on Facebook, Twitter, LinkedIn and Reddit etc.

If you have any issue, then feel free to ask.










The "Ultimate Blogging Toolkit" is a FREE ebook contains a list of 100+ tools that pro bloggers and affiliate marketers use to grow their blogs or websites.

More AI Writing Tools (Editor's Choice)


frase-io logo

With, you can produce long-form content within an hour. It comes with all essential tools and features that can help you with researching, briefing/outlining, writing, and optimising. Best for bloggers, Freelancers, editors, and Writers.

All In One

Jasper helps you write an in-depth article, create a high converting ad copy for your marketing campaign, and generate product descriptions in minutes. Just give a little context to Jasper and its AI will do the rest. The only downside is that it's quite expensive

80+ AI Templates

writesonic logo


Writesonic claims to be the world’s most powerful AI content generator tool which can write 1500 words in 15 seconds. From students to freelancers to bloggers to marketers, anyone can create high quality content with Writesonic.

Beginner friendly logo

Rytr is powered by state-of-the-art language AI which is capable of creating high-end unique content in minutes. It collects content from around the web, synthesis it with its own knowledge, and creates unique content for the client.

Find Related Content

Picture of Shailesh Shakya
Shailesh Shakya

I'm a Professional blogger, Pinterest Influencer, and Affiliate Marketer. I've been blogging since 2017 and helping over 20,000 Readers with blogging, make money online and other similar kinds of stuff. Find me on Pinterest, LinkedIn and Twitter!

2 thoughts on “How To Remove Malware From WordPress Website Using Sitelock”

Leave a Comment

Your email address will not be published. Required fields are marked *