How to clean up your WordPress site manually - step-by-step guide

After you first build your WordPress site, it will grow over time, acquiring new content, media files, users, themes, plugins, and more. These are all good things, but they can also make your site vulnerable and an attractive target for attackers. For example, you may find intrusions in your plugin or theme files, or your WordPress core files may be infected...

So, you may want to go through your site and perform some basic clean-up tasks. It shouldn’t take you very long, and the result will be a site that’s more secure.

In this guide, we’ll walk you through a few steps to start cleaning up your site manually.

Step 1: Clean up your plugins and themes files

To perform this task, go to your WordPress dashboard and replace one plugin or theme at a time with the original.

For example, to replace a plugin, please follow these steps:

  1. Download the plugin zip file from the respective site
  2. Delete the plugin

    Important: Please do not delete a plugin/theme until you're sure you can get the originals. This is especially important for premium plugins/themes.

  3. Install the plugin from the original zip file.

Step 2: Enable Shield's Plugins/Themes Guard scanner

This scanner can be enabled from within the Hack Guard module of the Shield plugin.

Hint: This scanner is designed to detect and alert you about any changes made to your plugin/theme files after someone has gained access to them. We highly recommend that you always keep it on.

Step 3: Clean up your WordPress Core files and folders

To perform this easy task, you can use the Shield scanners to replace core files, and remove files in your core directories that aren't WordPress files.

To do this, go to the Hack Guard module and:

  1. Enable the Automatic WordPress File Scanner
  2. Enable the Auto Repair option

We also highly recommend reading A Complete Guide To The Shield Security Scans.

Hint: These scanners are designed to detect and alert you about any changes made to your WordPress core files. We highly recommend that you always keep them on.

Additionally, clear out any files on your hosting account that the site does not need. You may want to contact your web host for this. This includes:

  • At the root of your website you should only have the folders: wp-admin, wp-content, wp-includes
  • Download the ZIP of your version of WordPress and compare the files at the top of the zip with the files at the root of your website. Are there any files on your site that aren't in the WordPress ZIP? Remember, of course, that wp-config.php, .htaccess and .user.ini will be on your site but not in the zip.
  • Review the contents of your wp-content and wp-content/uploads directories. If there are any strange files that look out of place, examine them to see if they look like normal code (you may need to get help from a developer to examine these files).
  • ALWAYS, ALWAYS, ALWAYS, make a backup of your site so that if you delete something that's important you have a backup of the original files.
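
The ZIP-versus-site-root comparison described in the list above can be scripted. The following is an added example, not part of the original guide or of Shield: it assumes the official archive keeps everything under a top-level wordpress/ folder, and the archive, site directory and stray-file.php it builds are constructed sample data. It also reports top-level files that are in the ZIP but missing from the site.

```python
import os
import tempfile
import zipfile

# Files the guide says exist on a live site but not in the WordPress ZIP.
EXPECTED_EXTRAS = {"wp-config.php", ".htaccess", ".user.ini"}


def top_level_entries(zip_path, prefix="wordpress/"):
    """Names of files and folders directly under the archive's top folder."""
    names = set()
    with zipfile.ZipFile(zip_path) as zf:
        for member in zf.namelist():
            if member.startswith(prefix) and member != prefix:
                names.add(member[len(prefix):].split("/", 1)[0])
    return names


def compare_root(zip_path, site_root):
    """Return (unexpected, missing) top-level names for the site root."""
    official = top_level_entries(zip_path)
    on_site = set(os.listdir(site_root))
    unexpected = sorted(on_site - official - EXPECTED_EXTRAS)
    missing = sorted(official - on_site)
    return unexpected, missing


def build_demo(workdir):
    """Constructed sample: a stand-in ZIP and a site root with one stray file."""
    zip_path = os.path.join(workdir, "wordpress-demo.zip")
    with zipfile.ZipFile(zip_path, "w") as zf:
        for name in ("index.php", "wp-login.php", "wp-admin/index.php",
                     "wp-content/index.php", "wp-includes/version.php"):
            zf.writestr("wordpress/" + name, "<?php // demo\n")
    site = os.path.join(workdir, "site")
    for d in ("wp-admin", "wp-content", "wp-includes"):
        os.makedirs(os.path.join(site, d))
    for f in ("index.php", "wp-config.php", ".htaccess", "stray-file.php"):
        open(os.path.join(site, f), "w").close()
    return zip_path, site


def run_demo():
    with tempfile.TemporaryDirectory() as workdir:
        return compare_root(*build_demo(workdir))


if __name__ == "__main__":
    print("unexpected, missing:", run_demo())
```

To use it on a real site, call compare_root() with the path to the downloaded ZIP for your WordPress version and the path to your site root, then review every name in the first list before deleting anything.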

We also recommend that you use these guides: