If you delete a few “bad files” but keep the wrong access method, WordPress can get reinfected. That’s the part most owners miss. Malware cleanup isn’t just about removing the files—it’s also about how you reach them, how you copy them, and how you double-check what changed.
In 2026, the safest “hands-on” choice for removing WordPress malware from files is almost always SFTP (Secure File Transfer Protocol). SFTP gives you a real file session, clear visibility, and fewer “gotchas” than web-based tools.
Quick answer: Use SFTP to remove malware from WordPress files (and verify the changes)
Use SFTP when you’re cleaning files on a hacked WordPress site, then verify the file hashes and timestamps. If you can’t use SFTP, the hosting file manager can work—but you need strict safety steps to avoid damaging permissions or breaking PHP files.
Here’s the key idea: the clean-up method you pick affects both risk and proof. With SFTP, you can keep a safer workflow and get repeatable checks.
Why the “tool you use” changes your malware removal outcome
When I’ve seen compromised sites come back for round two, it usually wasn’t because the owner missed one file. It was because the cleanup workflow made it easy to:
- Accidentally edit a malicious file instead of replacing it.
- Overwrite good files with corrupted ones.
- Fail to preserve timestamps and permissions, so WordPress or the web server behaves differently after “cleanup.”
- Leave hidden code in place inside uploads, plugins, themes, or even cached files.
As of 2026, most serious infections aren’t just one “infected script.” They’re usually a chain: one file drops another, or it changes settings, or it creates a backdoor that runs on every request.
SFTP matters because it gives you a steady, controlled way to download, compare, and replace files. That makes it easier to prove what was changed.
What SFTP actually is (and why it’s safer than clicking around)
SFTP is a secure way to transfer files between your computer and the server over an encrypted connection. In plain terms, it’s like a private “file tunnel” where your actions are more predictable.
With SFTP, you typically use a client like FileZilla, WinSCP, or Cyberduck. You connect, browse folders, and upload/download files one at a time with clear feedback.
That clarity is a big deal during malware cleanup. You can:
- Download suspicious files before touching them.
- Replace bad files with known-clean copies.
- Keep backups of your “before” state for later proof.
- Control file sizes and confirm they match the source.
Original insight: the “proof trail” is the real safety feature
Most people focus on speed. In my experience, the biggest safety win during malware removal is the proof trail. With SFTP, your downloads and uploads are logged by your client and you can keep local copies for comparison.
That matters when you get a follow-up complaint like “we cleaned it but it’s still showing in Google Search Console” or “another admin account appeared.” You need to show what changed and when.
File Manager vs SFTP vs hosting panels: what’s risky during cleanup?
Here’s the honest breakdown. Web-based file tools can be fast, but they’re not all equal when you’re doing security work.
| Method | Best for | Main risks during malware cleanup | Safety score (practical) |
|---|---|---|---|
| SFTP | Replacing infected files carefully | Less visibility if your local checks are weak | 9/10 |
| Hosting File Manager | Quick edits and moving files | Easy to corrupt PHP via editor, permission mishaps, no real “local backup” workflow | 6/10 |
| Hosting control panel “manager” tools | Bundle actions, backups, restoring | One-click actions can overwrite things you didn’t intend; some tools abstract paths/permissions | 6/10 |
What most people get wrong about File Manager
The most common mistake I see is using the built-in editor to “remove code” while the file is in a half-broken state. PHP file encodings, line endings, and partial edits can leave junk that still executes.
Another mistake: using File Manager to delete files without downloading them first. If the cleanup causes a fatal error, you’re stuck guessing what you removed.
If your host doesn’t provide SFTP, you can still use File Manager safely, but only if you follow a strict workflow (I’ll show you below).
The safest workflow to remove malware from WordPress files (SFTP-first)

Here’s my step-by-step cleanup workflow that I use as a baseline for most malware removal jobs. It works for small business sites and it fits the way most hosts are set up.
Step 1: Put the site in a safe state before you touch files
Before any file work, stop the bleeding. If malware is still hitting, it can keep dropping new files.
Do one of these right away:
- Temporarily switch to maintenance mode (plugin or server rule).
- Or block traffic to sensitive URLs while you clean.
Then, confirm you can still access your admin panel (sometimes malware blocks it later).
Step 2: Make a real backup you can restore
You need two backups:
- A full file backup (or at least a copy of public_html or your WordPress root folder).
- A database backup (your database can hold backdoors too).
Even if the job is “file malware,” I still back up the database because the infection chain often touches options, admin users, and cron jobs.
If you want a checklist for recovery, see our post on WordPress hack recovery steps. It’s the workflow we use when a site is already live.
Step 3: Identify what changed (focus on recent files)
Start with file dates and suspicious patterns. In most cleanups I do, the infected files show up as:
- Recently modified theme/plugin files
- New PHP files in odd places (especially inside uploads)
- Small “loader” scripts that include base64 or eval patterns
Use your SFTP client to sort by “modified time.” In FileZilla, you can often sort columns after listing the directory. Don’t rely only on “size.” Some backdoors are tiny.
Step 4: Download suspicious files before editing
Always download first. I treat this like evidence collection.
Save them into a local folder named by date, like:
2026-05-01_suspicious_wp_files/
Then open them locally and check for:
- Encoded blocks (base64/rot13/gzuncompress)
- Calls to eval, gzinflate, str_rot13
- Requests to strange external URLs
- Hidden “if” blocks checking user agents or query strings
Important: Don’t just delete code lines. If you don’t understand the file, replace the entire file with a known-clean version.
Step 5: Replace core, theme, and plugin files with known-clean copies
This is where SFTP helps most. You can replace without guessing.
For core WordPress files, the safest move is to reinstall the exact version you’re running. For themes and plugins, use these sources:
- Official plugin/theme download sources
- Your site’s original files from a previous clean backup
If you changed theme templates for your business, you can replace the files, then restore only your custom parts afterward.
Step 6: Scrub common malware locations
Most file-based malware lands in predictable spots. Check these areas carefully:
- /wp-content/uploads/ (sometimes malware hides inside images or creates PHP files disguised as uploads)
- /wp-content/plugins/
- /wp-content/themes/
- /wp-includes/ (core tampering happens)
- / root files like wp-config.php (rare, but high risk)
Also search for odd filenames like .php files with random names, or files with “backup,” “shell,” “cmd,” or “tool” in the name. Attackers love naming tricks.
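The local checks from Steps 3 to 6, as an added example (not part of the original article or of any WordPress tool): it compares a downloaded site copy against a known-clean tree by SHA-256, flags PHP files under uploads, and scans only the non-matching PHP files for the calls listed in Step 4. The function names, the sample layout and the inclusion of base64_decode in the pattern are assumptions, and the sample files are constructed, inert placeholders.

```python
import hashlib
import re
import tempfile
from pathlib import Path

# Calls named in Step 4; base64_decode is added here as an assumption.
SUSPICIOUS = re.compile(rb"\b(eval|gzinflate|gzuncompress|str_rot13|base64_decode)\s*\(", re.I)
PHP_EXT = {".php", ".phtml", ".phar"}

def sha256(path):
    return hashlib.sha256(path.read_bytes()).hexdigest()

def triage(site_copy, clean_ref):
    """Return {relative path: [reasons]}; files identical to the clean copy are skipped."""
    site_copy, clean_ref, findings = Path(site_copy), Path(clean_ref), {}
    for f in sorted(p for p in site_copy.rglob("*") if p.is_file()):
        rel = f.relative_to(site_copy).as_posix()
        ref, tags = clean_ref / rel, []
        if rel.startswith("wp-content/uploads/"):  # no clean reference exists for uploads
            if f.suffix.lower() in PHP_EXT:
                tags.append("php-in-uploads")
        elif not ref.is_file():
            tags.append("not-in-clean-copy")  # also hits site-specific wp-config.php
        elif sha256(ref) != sha256(f):
            tags.append("hash-mismatch")
        if tags and f.suffix.lower() in PHP_EXT and SUSPICIOUS.search(f.read_bytes()):
            tags.append("suspicious-call")
        if tags:
            findings[rel] = tags
    return findings

def build_sample(root):
    """Write constructed sample trees (inert placeholders, not real malware)."""
    clean = {"wp-includes/version.php": b"<?php $wp_version = 'X.Y';\n",
             "wp-content/plugins/demo/demo.php": b"<?php /* Plugin Name: Demo */\n"}
    site = dict(clean)
    site["wp-content/plugins/demo/demo.php"] += b"eval(gzinflate(base64_decode('CONSTRUCTED')));\n"
    site["wp-content/uploads/2026/05/logo.png"] = b"\x89PNG constructed"
    site["wp-content/uploads/2026/05/img-cache.php"] = b"<?php /* constructed */\n"
    for name, tree in (("clean", clean), ("site", site)):
        for rel, data in tree.items():
            path = Path(root, name, rel)
            path.parent.mkdir(parents=True, exist_ok=True)
            path.write_bytes(data)
    return Path(root, "site"), Path(root, "clean")

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        print(triage(*build_sample(tmp)))
```

Anything tagged hash-mismatch or not-in-clean-copy is a candidate for whole-file replacement from the clean tree; a file that is expected to differ, such as wp-config.php, still needs a manual read.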
When SFTP isn’t available: how to use File Manager safely
If you only have a web File Manager, you can still clean safely, but you must slow down and treat it like a riskier tool.
My rule is simple: never edit a suspicious PHP file inline unless you downloaded a copy first.
Safe File Manager workflow (no shortcuts)
- Create a backup inside the host (file backup and database backup if possible).
- Download the suspicious file(s) to your local computer using the File Manager download feature.
- Compare against known-clean copies (theme/plugin download versions).
- Upload replacements rather than editing line-by-line.
- Double-check file permissions after upload.
Also watch for the editor feature. Some File Managers save files with different encoding or line endings, which can break PHP or leave syntax errors that reveal your site as “defaced” in search results.
Permission mistakes that can keep malware running
A small permission change can keep a backdoor alive. Common issues include:
- PHP files becoming writable by the wrong user/group.
- Uploads folder permissions being too open.
- Owner/group changed after upload.
If you’re not sure what permissions should be, ask your hosting support. In most setups, directories are readable and writable as needed by WordPress, but PHP files aren’t meant to be world-writable.
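One way to check for the three permission problems listed above, as an added example (not from the original article): it walks a WordPress root and reports world-writable directories, world-writable PHP files and unexpected owners. It assumes you can run Python on the server itself; `audit_permissions`, `expected_uid` and the sample tree are hypothetical names and constructed data.

```python
import os
import stat
import tempfile
from pathlib import Path

PHP_EXT = {".php", ".phtml", ".phar"}

def audit_permissions(wp_root, expected_uid=None):
    """Return sorted (relative path, issue) pairs for loose modes and wrong owners."""
    wp_root, issues = Path(wp_root), []
    for dirpath, dirnames, filenames in os.walk(wp_root):
        for name in dirnames + filenames:
            path = Path(dirpath, name)
            st = path.lstat()
            if stat.S_ISLNK(st.st_mode):
                continue  # symlink mode bits say nothing; review links separately
            rel = path.relative_to(wp_root).as_posix()
            world_writable = bool(st.st_mode & stat.S_IWOTH)
            if stat.S_ISDIR(st.st_mode) and world_writable:
                issues.append((rel, "world-writable directory"))
            elif path.suffix.lower() in PHP_EXT and world_writable:
                issues.append((rel, "world-writable PHP file"))
            if expected_uid is not None and st.st_uid != expected_uid:
                issues.append((rel, f"unexpected owner uid {st.st_uid}"))
    return sorted(issues)

def build_perm_sample(root):
    """Constructed sample tree with two deliberately loose modes."""
    root = Path(root)
    uploads = root / "wp-content" / "uploads"
    uploads.mkdir(parents=True)
    (root / "wp-config.php").write_text("<?php // constructed\n")
    (root / "index.php").write_text("<?php // constructed\n")
    os.chmod(root / "wp-config.php", 0o640)
    os.chmod(root / "index.php", 0o666)  # loose: any local user can rewrite it
    os.chmod(root / "wp-content", 0o755)
    os.chmod(uploads, 0o777)             # loose: uploads opened to everyone
    return root

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        for rel, issue in audit_permissions(build_perm_sample(tmp), os.getuid()):
            print(f"{rel}: {issue}")
```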
Hosting panel tools: when they help and when they hurt
Hosting panels are great for backups and restores, but they’re not always the safest tool for surgical malware cleanup.
In 2026, many panels include one-click “file restore,” “rename,” “chmod,” and “edit” features. Those can help when used carefully.
But they can also cause trouble when the panel:
- Restores the wrong folder level (common when WordPress is installed in a subfolder).
- Overwrites permissions in a way that changes how the server runs PHP.
- Edits files through a web editor that strips or changes content.
My opinion: if you’re able to use SFTP, do that for file replacements. Use hosting panel tools for backup/restore and then verify with your own checks.
People Also Ask: SFTP vs File Manager vs hosting panel for malware removal
Is SFTP safe for removing malware from WordPress files?
Yes—SFTP is the safest common option for file cleanup because it’s encrypted and gives you control over download/replace steps. The safety comes from your workflow: download first, replace with known-clean versions, then verify.
It’s safer than editing in a browser because you’re less likely to corrupt files through the editor.
Can I delete hacked WordPress files without replacing them?
You can delete some files, but don’t treat deletion as the only fix. If the malware is a dropper, deleting one file can still leave a second stage behind. The safest approach is replacement of any changed files and removal of the malicious ones.
When you’re not sure which file is the real source, replace the whole impacted plugin/theme files instead of guessing.
How do I know what file is infected?
Use a mix of clues: recent modifications, weird PHP patterns, and location. In real-world cases, infected files are often:
- New files added to wp-content
- Modified plugin/theme files
- PHP files inside uploads or cache folders
Also check your WordPress activity timeline. While most logs can be erased, you can still find clues in access logs and server logs.
Will deleting malware fix my WordPress hack permanently?
Not always. File cleanup is only one part. Most confirmed reinfections happen because the attacker also added something in:
- Database settings (options and admin users)
- Scheduled tasks (cron jobs)
- New admin accounts or changed roles
If you want the broader checklist, check our WordPress hardening steps after malware removal. It helps stop repeat attacks.
A real-world example: what I saw on a small business site

On a client site in 2026, the attack started as “a few odd PHP files” in /wp-content/uploads/. The owner used their hosting panel’s File Manager to delete the files they found.
It looked fixed for about 24 hours. Then the site showed a new redirect pattern again. The second wave was caused by a modified plugin file that still acted like a loader.
When we switched to SFTP, we were able to download the suspicious plugin file, compare it to the original version, and replace the entire plugin folder. After that, the redirect behavior stopped within the same hour.
That’s the difference between “delete symptoms” and “remove the cause.”
After cleanup: lock things down so malware doesn’t return
Cleaning files is only step one. If you don’t harden, you’re basically giving the attacker a second chance.
Here are practical steps we recommend for small business owners after malware cleanup:
- Update WordPress core, themes, and plugins to the newest safe versions.
- Remove unused plugins and themes.
- Change all passwords (admin users, FTP/SFTP accounts, hosting panel accounts).
- Disable file editing from the WordPress admin if you don’t need it.
- Review admin users and roles for anything unfamiliar.
- Re-check cron jobs and scheduled tasks.
If you want more help preventing the next incident, read our WordPress security hardening tips for small businesses. It’s written for owners who don’t live in server settings.
Common limitations: when you may need more than file cleanup
Sometimes the malware isn’t visible in the usual files. There are cases where:
- The site is compromised through the database only.
- The attacker uses server-level scripts or reinstalled backdoors after you removed them.
- Your host’s environment needs deeper investigation (in rare cases).
If you’re seeing reinfections right after cleanup, you need a deeper scan and a full incident review, not just more file deletion.
Conclusion: Choose SFTP for cleanup, then verify and harden
The safest way to remove malware from WordPress files is usually SFTP, followed by careful verification and hardening. SFTP gives you control, backups of what you touched, and a cleaner workflow for replacing changed files with known-good copies.
If you only have File Manager, use it carefully: download first, replace instead of editing, check permissions, and avoid inline code edits. Hosting panels are best for backup and restore actions, not for risky browser edits.
Make the workflow repeatable and prove what you changed. That’s how you stop malware from coming back—and keep your site stable after the cleanup.