Security & Hosting

Cleaned a WordPress Install and Database After Malware

Quick summary

A WordPress security note about scanning files and database records, packaging clean deployable files, and removing a malicious user from the database.

The problem

The site needed a malware cleanup pass that covered both the downloaded WordPress files and the database records where persistence could hide.

What I checked

  • Downloaded WordPress file copy
  • Database user and usermeta records
  • Suspicious PHP and upload-folder executables
  • Redirect rules and hidden persistence patterns
  • Old backup, staging, cache, and dump folders

What I changed

  • Scanned files for common backdoor and malware patterns
  • Built clean deployable core and content packages while preserving required active assets
  • Excluded stale backup, staging, cache, and runtime dump folders from the clean package
  • Used a temporary cleanup tool to inspect and remove a malicious database user
  • Documented cleanup findings and remaining follow-up steps
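
The file-scanning pass described above, as an added example (not the cleanup tool used on this site): it walks a downloaded WordPress copy and reports PHP files under wp-content/uploads, two common backdoor code patterns, and stale backup, staging, cache, or dump folders. The signature list, folder-name hints, and sample tree are assumptions constructed for illustration.

```python
import re
import tempfile
from pathlib import Path

# Heuristic signatures (assumed for illustration, not exhaustive).
PATTERNS = {
    "eval-of-decoded-data": re.compile(rb"eval\s*\(\s*(base64_decode|gzinflate|gzuncompress|str_rot13)\s*\(", re.I),
    "exec-of-request-input": re.compile(rb"(eval|assert|system|passthru|shell_exec)\s*\(\s*\$_(GET|POST|REQUEST|COOKIE)", re.I),
}
PHP_EXT = {".php", ".phtml", ".phar", ".php5"}
STALE_DIRS = re.compile(r"(backup|staging|cache|dump)", re.I)  # assumed folder-name hints

def scan(root):
    """Return sorted (relative_path, finding) tuples for a WordPress file copy."""
    root, findings = Path(root), []
    for path in root.rglob("*"):
        rel = path.relative_to(root)
        if path.is_dir():
            if STALE_DIRS.search(path.name):
                findings.append((rel.as_posix(), "stale-folder"))
            continue
        if path.suffix.lower() not in PHP_EXT:
            continue  # only PHP-like files are content-scanned
        if rel.parts[:2] == ("wp-content", "uploads"):
            findings.append((rel.as_posix(), "php-in-uploads"))
        data = path.read_bytes()
        for name, rx in PATTERNS.items():
            if rx.search(data):
                findings.append((rel.as_posix(), name))
    return sorted(findings)

def build_sample(root):
    """Constructed sample tree with inert contents, used only to exercise scan()."""
    files = {
        "wp-includes/version.php": b"<?php $wp_version = '0.0';",
        "wp-content/uploads/2024/01/logo.png": b"\x89PNG",
        "wp-content/uploads/2024/01/thumb.php": b"<?php eval(base64_decode('AA=='));",
        "wp-content/old-backup/readme.txt": b"leftover",
    }
    for rel, body in files.items():
        p = Path(root) / rel
        p.parent.mkdir(parents=True, exist_ok=True)
        p.write_bytes(body)

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        build_sample(tmp)
        for rel, finding in scan(tmp):
            print(f"{finding:24} {rel}")
```

A hit is a lead for manual review, not a verdict: legitimate plugins sometimes use these constructs, and a clean result does not rule out persistence in the database.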

Result

The recovery path separated active production assets from risky leftovers and removed the confirmed malicious user from the database.

What I'd watch next

  • Whether administrator passwords and salts are rotated after cleanup
  • Whether stale backups return through future uploads
  • Whether security scans stay clean after redeployment

Tools used

  • WordPress
  • Database review
  • File scanning
  • Cleanup tooling
