Malware scans vs clean restores: picking the fastest recovery path
Short answer: Scans can be faster for shallow infections; a clean restore from backup plus hardening is often faster for deep compromises—especially when attackers had weeks of access.
Decide on the evidence: a single suspicious file points towards scanning, while widespread timestomping, database injections, and rogue admin users point towards a restore.
When scanning first makes sense
- Known benign mistake: a test script left public briefly.
- Host provides reputable scanning with clear remediation steps.
- You have no trustworthy backup (then fix backup policy immediately after recovery).
When restore should win
Multiple reinfections after “cleaning”, SEO spam on hundreds of URLs, or encrypted ransomware-like payloads usually mean the integrity of the whole tree is unknown. Restore, patch, and redeploy known-good themes/plugins from vendors—not from zip files sitting on the server.
Post-recovery minimum
Update core CMS, themes, and plugins; remove abandoned extensions; enable MFA for admins; verify that only expected cron jobs exist and that outbound SMTP behaviour matches what the site should be sending.
Frequently asked questions
Will Google delist me after malware?
Possibly temporarily. Clean thoroughly, request reviews in Search Console once safe, and monitor coverage reports.
Can I restore just wp-content?
Sometimes—but database malware or hidden core files mean partial restores fail. Treat partial restores as a hypothesis you verify.
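One way to test that hypothesis on the file side, as an added example (not from the original article): hash the restored tree against a freshly downloaded vendor copy and report anything changed, extra, or missing, plus any script sitting in an upload directory. The function names, the extension list, the data-directory list, and the sample files are assumptions made for illustration; the check covers files only, so the database still needs its own review.

```python
import hashlib
import tempfile
from pathlib import Path

SCRIPT_EXT = (".php", ".phtml", ".phar")   # assumption: what counts as executable
DATA_DIRS = ("wp-content/uploads/",)       # assumption: dirs where new files are normal

def build_manifest(root):
    """Map relative POSIX path -> SHA-256 for every file under root."""
    root = Path(root)
    return {p.relative_to(root).as_posix(): hashlib.sha256(p.read_bytes()).hexdigest()
            for p in root.rglob("*") if p.is_file()}

def compare_trees(known_good, live):
    """Diff the live tree against a fresh vendor copy; empty report = hypothesis holds."""
    good, cur = build_manifest(known_good), build_manifest(live)
    report = {"modified": [], "unexpected": [], "script_in_data_dir": [],
              "missing": sorted(set(good) - set(cur))}
    for rel, digest in sorted(cur.items()):
        in_data = rel.startswith(DATA_DIRS)
        if in_data and rel.lower().endswith(SCRIPT_EXT):
            report["script_in_data_dir"].append(rel)   # uploads should never hold code
        elif rel not in good:
            if not in_data:                            # new media is fine, new code is not
                report["unexpected"].append(rel)
        elif good[rel] != digest:
            report["modified"].append(rel)
    return report

def demo():
    """Constructed sample: a vendor copy and a partially restored site."""
    def write(root, rel, text):
        path = Path(root, rel)
        path.parent.mkdir(parents=True, exist_ok=True)
        path.write_text(text)
    with tempfile.TemporaryDirectory() as good, tempfile.TemporaryDirectory() as live:
        for root in (good, live):
            write(root, "wp-includes/version.php", "<?php // constructed core file")
            write(root, "wp-login.php", "<?php // constructed login page")
        write(good, "wp-settings.php", "<?php // constructed, absent from live")
        write(live, "wp-login.php", "<?php // constructed: content differs")
        write(live, "wp-includes/cache-x.php", "<?php // constructed extra file")
        write(live, "wp-content/uploads/2024/logo.png", "constructed image bytes")
        write(live, "wp-content/uploads/2024/thumb.php", "<?php // constructed")
        return compare_trees(good, live)

if __name__ == "__main__":
    for category, paths in demo().items():
        print(f"{category}: {paths}")
```

Point `known_good` at a copy unpacked from the vendor's download rather than an archive found on the server, and treat any non-empty category as a reason to fall back to a full restore.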