Chykalophia Docs
Security

Malware & your website explained

What malware is, how it gets onto websites, what it does when it's there, and how to get it removed.

security, wordpress, malware, intermediate

Malware — short for malicious software — is code that an attacker places on your website without your permission. It can do many things: redirect your visitors, display ads, steal customer data, or turn your site into a spam sender. Most website owners have no idea it's there until something goes visibly wrong.

Quick summary

Website malware is usually installed through outdated or vulnerable plugins/themes, or through stolen admin credentials. Signs include unexpected redirects, security warnings from Google, new pages you didn't create, or a sudden slowdown. Removal requires a full scan and clean — not just deleting what you can find visually. Prevention is mostly about keeping software up to date and using strong passwords.

How malware gets onto websites

Outdated or vulnerable software

This is the most common cause. When a vulnerability is discovered in a WordPress plugin or theme, attackers write automated tools to exploit it. Sites running the unpatched version get scanned and compromised within days — sometimes hours — of the vulnerability becoming public.

Keeping WordPress, themes, and plugins up to date is the single most effective prevention measure.

Stolen or weak credentials

If an attacker gets your WordPress admin password (through phishing, a data breach at another site, or by guessing), they can simply log in and install malware themselves.

Strong, unique passwords and two-factor authentication prevent this.

Infected hosting environment

In rare cases, especially on cheap shared hosting, a compromised neighboring website on the same server can infect yours. Managed WordPress hosting significantly reduces this risk.

Malicious plugin or theme

Installing plugins or themes from untrusted sources — unofficial websites, pirated ("nulled") versions — is a direct path to malware. Only install plugins from the official WordPress repository or from reputable commercial developers.

What malware does on your site

| Type | What it does |
|---|---|
| Redirects | Sends your visitors to spam, scam, or adult websites |
| SEO spam | Adds hidden links to your pages to boost the attacker's rankings |
| Spam email sender | Uses your server to send bulk spam, harming your email reputation |
| Credential harvesting | Captures login information from your own visitors |
| Cryptomining | Uses your visitors' computers to mine cryptocurrency |
| Backdoor | A hidden access point that lets the attacker return even after you change passwords |
| Defacement | Replaces your homepage with the attacker's message |
| Ransomware | Encrypts your files and demands payment (less common on websites than on computers) |

Signs your site may have malware

  • Visitors report being redirected to other sites
  • Google Search Console shows a security warning
  • Your browser or antivirus shows a warning when visiting your own site
  • You see pages, posts, or links you didn't create
  • Your hosting provider sent an alert or suspended your account
  • Sudden significant drop in search traffic
  • The site runs much slower than usual
  • You notice unfamiliar admin user accounts in WordPress

How malware is removed

Don't try to clean manually without expertise

Malware often places copies of itself in multiple locations and installs backdoors so it can return. Deleting visible files without a full scan almost never works — the site gets reinfected within days.

There are two reliable approaches:

Option 1: Restore from a clean backup

If you have a backup from before the malware was installed, restoring it is the cleanest solution. You lose any content changes made since the backup, but you get a confirmed clean site. See Why backups are your safety net.

Option 2: Professional malware removal

Services like Sucuri and Wordfence offer malware cleanup. They scan every file, remove all malicious code and backdoors, and report on how the infection occurred. This is what we recommend when no clean backup is available.
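An added example (not part of the original page, and not how any named service works internally) of why a full scan finds what visual inspection misses: every file's hash is compared against a manifest recorded while the site was known clean. The function names and the sample site files are assumptions constructed for illustration.

```python
import hashlib
import tempfile
from pathlib import Path


def sha256_of(path):
    """Hash a file in chunks so large media files do not fill memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as handle:
        for chunk in iter(lambda: handle.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_manifest(root):
    """Map each file's path (relative to root) to its SHA-256 hash."""
    root = Path(root)
    return {p.relative_to(root).as_posix(): sha256_of(p)
            for p in sorted(root.rglob("*")) if p.is_file()}


def compare_to_baseline(baseline, root):
    """Return files that changed, appeared, or vanished since the baseline."""
    current = build_manifest(root)
    return {
        "modified": sorted(f for f in current
                           if f in baseline and current[f] != baseline[f]),
        "added": sorted(f for f in current if f not in baseline),
        "missing": sorted(f for f in baseline if f not in current),
    }


def demo():
    """Constructed sample site: one altered file and one planted copy."""
    with tempfile.TemporaryDirectory() as tmp:
        site = Path(tmp)
        (site / "wp-content" / "uploads").mkdir(parents=True)
        (site / "index.php").write_text("<?php // constructed clean file\n")
        (site / "wp-content" / "theme.php").write_text("<?php // constructed theme\n")
        baseline = build_manifest(site)  # recorded while the site is known clean
        # Simulate an infection: a changed file plus a new file elsewhere.
        (site / "index.php").write_text("<?php // constructed altered file\n")
        (site / "wp-content" / "uploads" / "cache.php").write_text("<?php // planted\n")
        return compare_to_baseline(baseline, site)


if __name__ == "__main__":
    for kind, files in demo().items():
        print(kind, files)
```

Deleting only the visibly altered `index.php` here would leave the added file under `uploads` in place, which is the reinfection pattern described above.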

After cleanup, you must:

  1. Update WordPress, all plugins, and all themes
  2. Change all passwords (WordPress admin, hosting, FTP/SFTP, database)
  3. Remove user accounts you didn't create
  4. Address the vulnerability that allowed the infection

Preventing malware

The most effective prevention steps, in order of importance:

  1. Keep everything updated — WordPress core, plugins, and themes
  2. Use strong passwords and 2FA on all WordPress admin accounts and your hosting account
  3. Remove plugins and themes you don't use — they still contain exploitable code even when deactivated
  4. Install only from reputable sources — the official WordPress repository or established commercial developers
  5. Use a security plugin — Wordfence or Solid Security add a firewall and malware scanning
  6. Maintain backups — so recovery is fast if something does get through
  7. Use good hosting — managed WordPress hosts include server-level security scanning

Need a hand?

If you're stuck, email support@chykalophia.com and we'll help. Include your website address and a screenshot if you can.