If your WordPress site has been compromised by malware then the goal is to get rid of the malware as soon as possible so that the damage can be nipped in the bud. WordPress Malware removal is not a difficult task and anyone can do it if they follow a few simple steps.
First and foremost, you must back your entire website up on a drive. If you are hosting multiple sites from one account then it would be beneficial for you to make backups of those sites as well. This is obviously not a quick process so you will have to be very patient. You can use the snapshot feature or a separate backup plugin (Scan for issues first) to make these backups. It is recommended that you back your MySQL Database separately as well as with the rest of the essentials of the site.
After the backup is complete, please make it a point to examine all the files by yourself so make sure that all the essentials are there. You can use a list online to tally the essential files with the ones in your backup drive.
After making backups of the sites, delete WordPress from your PC, including all of its additional features like active and inactive plugins, themes etc. After the deletion, run a scan on your PC using software such as Malwarebytes to ensure there are no remaining harmful bits in your PC.
Reinstall WordPress and set it up the way you want. One change you will have to make is that you will have to reset all the usernames and passwords of the relevant websites because for all you know the attacker gained access to your website using this confidential information.
Also reinstall the themes and plugins which you want on your website and configure them to be the way you want. Remember to not store up inactivated plugins on your website since that is another way attackers gain access to your site. Also, only use new and reliable plugins and themes which are maintained by the developer. It would be to your benefit to keep away from the plugins and themes you were using for your websites previously.
Before downloading the backup files on your computer, you must scan each file relevant to your website to make sure it isn’t hacked. Only begin downloading them after you have ensured that these files are safe. Another thing to be vigilant about is your database. Have the entire code checked by a professional to make sure it isn’t compromised. Now download all the backup files in your drive on to your PC’s drive. Run a thorough scan on all these files using Malwarebytes or any other software of your choosing. Remember to install security plugins this time around.
You can easily use a Plugin like Sucuri to remove any hacked files from your website.