When WordPress is infected with malware (tampered with), updating WordPress and plug-ins may not remove the malware.
Does the malware disappear when I update wordpress and plugins?
WordPress allows you to update the WordPress itself, themes, and plugins from the admin panel. If WordPress is infected with malware, using the update function will indeed replace all of the updated WordPress and plugin programs with new, clean code, but it will not necessarily remove all of the malware.
Specifically, the following types of malware cannot be removed by the update.
Malware contained in plug-ins that have not been updated (or could not be updated)
Malware in files that are not replaced by updates, such as wp-config.php
Malware that is not parasitic on files, but exists by itself, such as backdoors.
Malware in wp-content/upload folder
However, this does not mean that updating is meaningless. Updating itself is an important security measure because updating WordPress itself or plugins may close the vulnerabilities that allowed hackers to enter in the first place.
How do I remove malware that remains after updating WordPress and plugins?
We recommend that you use a malware detection plugin to scan all sites on your server* even after updating WordPress and plugins.
This is because there is a possibility that the malware has been tampered with via other sites on the server.
Free] WordPress:Malware Scan & Security Plugin [Malware and Virus Detection and Removal].
However, since malware producers are constantly improving their malware code to slip through the scan every day, malware scanning plug-ins have their limitations and may not be able to detect everything.
If you subscribe to our malware plug-ins for a fee, you will be able to use these new malware detection patterns, as we register several thousand new detection patterns per year.
We also recommend that you have a professional malware removal service if re-infection occurs repeatedly.