WordPress remains the most popular platform for websites in 2026, but it is also a frequent target for attacks. Malware can damage your reputation, slow down your site, or compromise user data. At Sered, we care about your security, which is why we have prepared this official guide for customers, teaching you how to detect, clean, and protect your WordPress site, combining automatic tools, manual techniques accessible from WordPress or cPanel, and advanced security best practices.
Part 1: Signs of infection
Malware can be silent, but there are clear signs that indicate infection:
Unusual redirects: your site sends visitors to unknown pages or malicious advertisements.
Altered search results: strange titles, descriptions, or links on Google.
Degraded performance: very slow loading for no reason, browser errors, security alerts.
Browser or antivirus warnings: Google Chrome, Firefox, or security tools display warnings such as "Dangerous site" or "This site may contain malware."
Modified files or folders: check for unexpected changes in .htaccess, wp-config.php, or functions.php, or for folders and files with suspicious names (random letters, unrecognizable names) that are not part of the official WordPress core. It is also a warning sign to find .php files inside /wp-content/uploads/, as this folder normally only contains images and multimedia files.
Part 2: Preparation before cleaning
Make a full backup
This includes site files and database.
You can use plugins such as UpdraftPlus or All-in-One WP Migration, or do it from cPanel with Installatron.
SERED Guide: Create a backup with Installatron
Temporarily isolate the site (Optional)
You can temporarily activate maintenance mode from WP Toolkit or install a free plugin from the official repository such as WP Maintenance Mode, Maintenance, SeedProd Coming Soon, or LightStart to hide the site while you clean it up.
Part 3: Automated scanning and cleaning
3.1 Recommended plugins
There are many security plugins in the WordPress ecosystem. Below are some of the most popular and widely used ones, both free and paid versions:
Plugin | Features
MalCare (paid) | Cloud scanning, automatic cleaning, detects backdoors and hidden malware
Wordfence (free and paid) | Firewall, deep scanning, security alerts, attack blocking
Sucuri Security (paid) | File auditing, integrity monitoring, remote malware scanning
Anti-Malware Security and Brute-Force Firewall (free) | Malware scanning and cleaning, protection against brute force attacks
You can choose the one that best suits your needs. It is not advisable to install several comprehensive security plugins at the same time, as they may cause conflicts or affect performance.
3.2 Automatic hosting protection
Your hosting includes Imunify360, an advanced security system that:
Constantly scans all files on the hosting server
Automatically detects and removes malware
Allows you to view the history of threats and cleanups from its icon in cPanel
You don't need to take any manual action: the system works automatically to protect your account.
Important: No security system is foolproof. Imunify360 protects at the server level, but if your WordPress has outdated plugins, weak credentials, or vulnerable code, malware can still get in. That's why it's essential to keep WordPress, plugins, and themes up to date and apply the security measures recommended in this guide.
Part 4: Manual cleanup from WordPress / cPanel
Check critical files
Access your hosting panel → File Manager and navigate to the folder where WordPress is installed:
Main domain: usually located in the public_html folder
Subdomains or additional domains: each has its own folder. You can check the exact path from the Domains → Document Root section in cPanel
Once inside the site folder, review these important files:
wp-config.php → verify that it does not contain any strange code, incomprehensible text, or added lines that you do not recognize
.htaccess → check that it does not contain any suspicious redirects or links to unknown sites
functions.php → located in the folder /wp-content/themes/your-theme/, check that it does not contain malicious or unknown code
If you find suspicious code or are unsure, do not delete it directly. It is advisable to restore a clean backup or contact technical support.
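The file checks from this part and from Part 1 (PHP files inside /wp-content/uploads/, redirects in .htaccess, unfamiliar code in wp-config.php and functions.php) can be run as one read-only pass over the site folder. The script below is an added example, not a SERED or WordPress tool; the function names, the heuristic patterns, and the sample tree are assumptions constructed for the illustration.

```python
import re
import tempfile
from pathlib import Path

# Heuristic markers chosen for this example; not an exhaustive signature set.
OBFUSCATED = re.compile(r"\beval\s*\(\s*(?:base64_decode|gzinflate|str_rot13)\s*\(", re.I)
REDIRECT = re.compile(r"^\s*(?:RewriteRule|Redirect(?:Match)?)\b.*https?://([^/\s\]]+)", re.I | re.M)
PHP_EXT = {".php", ".phtml", ".php5", ".phar"}

def scan_wordpress(root, own_hosts=()):
    """Return sorted (relative_path, reason) findings for the checks in this guide."""
    root, findings = Path(root).resolve(), []
    uploads = root / "wp-content" / "uploads"
    for path in (p for p in root.rglob("*") if p.is_file()):
        rel = path.relative_to(root).as_posix()
        if uploads in path.parents and path.suffix.lower() in PHP_EXT:
            findings.append((rel, "PHP file inside uploads"))
        if path.name not in (".htaccess", "wp-config.php", "functions.php"):
            continue
        text = path.read_text(errors="replace")
        if path.name == ".htaccess":
            for host in REDIRECT.findall(text):
                if host.lower() not in own_hosts:  # skip redirects to your own domain
                    findings.append((rel, "redirect to " + host.lower()))
        elif OBFUSCATED.search(text):
            findings.append((rel, "obfuscated eval() call"))
    return sorted(findings)

def build_sample(root):
    """Write a small constructed WordPress-like tree (sample data, not a real site)."""
    samples = {
        "wp-config.php": "<?php define('DB_NAME', 'wp');\n",
        ".htaccess": "RewriteRule . /index.php [L]\n"
                     "RewriteRule ^(.*)$ http://unknown-site.invalid/ad [R=302,L]\n",
        "wp-content/themes/your-theme/functions.php": "<?php eval(base64_decode('Y29uc3RydWN0ZWQ='));\n",
        "wp-content/uploads/2026/01/photo.jpg": "placeholder image bytes\n",
        "wp-content/uploads/2026/01/xkqzt.php": "<?php // constructed placeholder\n",
    }
    for rel, body in samples.items():
        path = Path(root, rel)
        path.parent.mkdir(parents=True, exist_ok=True)
        path.write_text(body)

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        build_sample(tmp)
        for rel, reason in scan_wordpress(tmp):
            print(f"{rel}: {reason}")
```

The script only reports and never modifies files. A clean result does not prove the site is clean, since the patterns cover only a few common markers.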
Remove outdated plugins and themes
Keep only official and updated plugins and themes
Avoid pirated or nulled versions. Even if they appear to work well, they often include hidden code that creates backdoors (invisible administrator access), injects malware, or allows automatic reinfection.
Always use the official WordPress repository or developer sites.
SERED Guide: Download plugins and themes from trusted sources
Review users and permissions
Delete unrecognized administrators.
Review roles and permissions for all users.
Database cleanup (Optional / Advanced)
If you want to go deeper into cleaning, you can check the database for suspicious tables.
Plugins such as WP-DBManager or WP-Sweep help remove unnecessary records without losing legitimate data.
For novice users, this action can be omitted, as many security plugins already check and protect parts of the database automatically.
If you decide to review the database manually, first make a full backup, because any incorrect changes may affect the functioning of the site.
Part 5: Security and management from cPanel with WP Toolkit
WP Toolkit allows you to install, configure, and protect WordPress without entering the WordPress dashboard.
WP Toolkit SERED Guide
Key functions:
Security status and diagnosis
Vulnerability mitigation
Updates and Smart Update
Backups and restoration from cPanel
Staging environments for testing
Checklist of best practices with WP Toolkit
Check alerts and security status regularly
Apply vulnerability mitigation with one click
Keep your core, plugins, and themes up to date with Smart Update
Create backups before making significant changes
Test changes in staging environments
Part 6: Hardening and additional best practices
Change login URL: SERED Guide
Controlled CRON tasks: SERED Guide
Download plugins and themes from trusted sources: SERED Guide
Additional security measures: SERED Guide
Part 7: Prevention and Advanced Protection
Constant updates (WordPress, plugins, and themes).
Web application firewall (WAF): Wordfence, All-in-One Security, Sucuri, etc.
Secure authentication (2FA):
2FA WordPress
2FA cPanel/Hosting
Constant monitoring with audit plugins.
Restore a backup if necessary: JetBackup 5 SERED
Part 8: Summary of best practices
Detect signs of infection early
Make backups before any cleanup
Use automatic scanning + manual review
Keep WordPress, plugins, and themes up to date
Configure WAF, 2FA, monitoring
Check users and permissions regularly
Take advantage of WP Toolkit in your cPanel
Implement additional hardening (change login, control CRON, download only trusted plugins/themes)
By following these steps, your WordPress will be protected and ready to face threats with a secure approach.
Final note
Although this guide covers the most important steps for detecting, cleaning, and protecting your WordPress site, some advanced infections may require professional intervention. If, after following these steps, your site continues to show problems or strange behavior, it is advisable to contact a WordPress security specialist, as certain types of sophisticated malware can only be removed with a thorough manual analysis.
Technical support
If you have any questions, please contact our team:
Email: [email protected]
Live chat: from your SERED customer area

