Malware

This glossary entry is for WordPress site owners who want to understand security threats without wading through enterprise cybersecurity documentation.

Malware is software intentionally designed to damage, disrupt, or gain unauthorized access to a computer system, network, or website. The word is a contraction of “malicious software.”

Answer capsule: Malware is any software written to cause harm—stealing data, hijacking traffic, or corrupting files. On WordPress, it typically arrives through outdated plugins, nulled themes, or compromised hosting accounts. Detection requires a dedicated scanner; removal often requires professional cleanup or a security plugin like MalCare or Sucuri.

What types of malware affect WordPress sites?

WordPress malware falls into several categories, each with a different attack pattern:

Backdoors — Hidden entry points that let attackers re-enter your site even after you clean it. We see these on nearly every compromised site we diagnose on client projects.
Malicious redirects — Code that sends your visitors to spam or phishing pages. These are often injected into wp-config.php or .htaccess.
SEO spam — Hidden links or pages inserted to manipulate search rankings for pharmaceutical or gambling keywords. Google’s Search Console flags these fast, tanking the site’s organic visibility.
Cryptomining scripts — Code that uses your visitors’ CPU to mine cryptocurrency. Page performance drops noticeably—we’ve measured 40%+ increases in Time to First Byte on infected shared hosting accounts.
Ransomware — Encrypts your files and demands payment. Less common on WordPress than on desktop systems, but it happens on poorly secured servers.

How does malware get onto a WordPress site?

The three most common entry points, in order of frequency, are:

Outdated plugins or themes — The majority of WordPress infections in 2024 traced back to known plugin vulnerabilities, per Wordfence’s annual threat report.
Nulled (pirated) software — Free downloads of premium plugins or themes frequently contain pre-installed backdoors.
Compromised hosting credentials — Weak passwords or a breached hosting account give attackers direct file access.

How do you detect malware on a WordPress site?

Manual detection is unreliable for non-developers. Use a scanning tool. MalCare and Wordfence both offer free scanning tiers on WordPress.org. MalCare’s deep scan checks file signatures against a database of 200,000+ known malware patterns—a level of coverage that manual inspection cannot replicate.

Signs to watch for without a scanner: unexpected admin accounts, Google Search Console warnings, sudden traffic drops, or hosting suspension notices.

Can you remove malware yourself?

Straightforward infections—a single injected file, a known malicious snippet—are removable by restoring a clean backup or using a plugin’s one-click cleanup. Complex infections with backdoors across multiple files require professional removal. Sucuri’s site cleanup service starts at $199.99/year and includes unlimited cleanups, which is cost-effective compared to paying a developer hourly for repeat incidents.

Additional reading

Last verified: April 2026