Discovering your WordPress site has been hacked is every website owner's nightmare. Your visitors see spam, Google flags your site as dangerous, and you're losing business by the minute. Take a deep breath—most hacked sites can be fully recovered with the right approach.

In this emergency guide, we'll walk you through exactly what to do when your WordPress site is hacked, from immediate damage control to complete cleanup and prevention of future attacks.

Signs Your WordPress Site Has Been Hacked

Before jumping into recovery, confirm your site is actually compromised. Common signs include:

Obvious Signs

  • Defaced Homepage - Content replaced with hacker messages or propaganda
  • Spam Content - Pages filled with pharmaceutical ads, casino links, or foreign text
  • Malicious Redirects - Visitors sent to suspicious websites
  • Google Warnings - "This site may be hacked" or "Deceptive site ahead" messages
  • Hosting Suspension - Your host disabled your account for malicious activity

Subtle Signs

  • Unknown Admin Users - New administrator accounts you didn't create
  • Slow Performance - Site suddenly loading very slowly
  • Strange Files - Unfamiliar PHP files in your directories
  • Modified Files - Core WordPress files with recent modification dates
  • Spam Emails - Server sending spam emails you didn't authorize
  • Search Engine Spam - Your site ranking for strange keywords

Immediate Actions: Stop the Bleeding

Step 1: Stay Calm and Document

Before making any changes:

  • Take screenshots of all suspicious activity
  • Note the date and time you discovered the hack
  • Document any unusual behavior visitors reported
  • Check your email for any security notifications

Step 2: Put Site in Maintenance Mode

Prevent further damage and protect visitors by temporarily disabling your site. Most hosting panels have a one-click maintenance mode, or you can add this to .htaccess:

# Maintenance mode: everyone except your own address is served maintenance.html
RewriteEngine On
RewriteCond %{REMOTE_ADDR} !^203\.0\.113\.10$
RewriteCond %{REQUEST_URI} !^/maintenance\.html$
RewriteRule .* /maintenance.html [L]

Replace 203.0.113.10 (a placeholder) with your own public IP address so you can still reach the site. The dots are escaped because the condition is a regular expression, and the second condition excludes the maintenance page itself so the rule does not rewrite it in a loop.

Step 3: Change All Passwords Immediately

Change these passwords right away from a clean device:

  • WordPress Admin - All administrator accounts
  • Hosting Account - cPanel, Plesk, or hosting dashboard
  • FTP/SFTP - File transfer access
  • Database - MySQL/MariaDB passwords
  • SSH - If you have shell access
  • Email - Associated email accounts

Step 4: Contact Your Hosting Provider

Your host likely has experience with hacked sites and may offer:

  • Recent backup restoration
  • Malware scanning tools
  • Server-level security logs
  • IP address information of attackers
  • Temporary security measures

Assessment: Understanding the Damage

Step 5: Check for Unknown Users

In WordPress admin, go to Users → All Users and look for:

  • Administrator accounts you didn't create
  • Users with strange usernames or email addresses
  • Recently created accounts

Delete any suspicious accounts immediately.

Step 6: Review Recently Modified Files

Connect via FTP/SFTP and check files modified in the last few days. Pay special attention to:

  • wp-config.php - Core configuration file
  • .htaccess - Often used for malicious redirects
  • Files in /wp-content/uploads/ - Should only contain media files
  • Files in /wp-includes/ - Should match WordPress core exactly
  • Any PHP files in unexpected locations

Step 7: Scan for Malware

Use multiple scanning tools for thorough detection:

  • Sucuri SiteCheck - Free online scanner
  • Wordfence - Plugin-based scanning
  • MalCare - Deep malware detection
  • VirusTotal - Check specific files

Cleanup: Removing the Malware

Option 1: Restore from Clean Backup (Fastest)

If you have a backup from before the hack:

  1. Restore files and database from backup
  2. Update WordPress, themes, and plugins immediately
  3. Change all passwords
  4. Install security plugins

Warning: Make sure your backup predates the hack. Check backup dates carefully.

Option 2: Manual Cleanup (Most Thorough)

Replace WordPress Core Files

  1. Download fresh WordPress from wordpress.org
  2. Delete existing /wp-admin/ and /wp-includes/ folders
  3. Upload fresh copies from the download
  4. Replace all files in root except wp-config.php and wp-content

Clean wp-config.php

  1. Compare with a fresh wp-config-sample.php
  2. Remove any suspicious code (encoded strings, eval() statements)
  3. Generate new security keys at WordPress Salt Generator
  4. Update database password to your new password

Clean .htaccess

Replace with default WordPress .htaccess:

# BEGIN WordPress
<IfModule mod_rewrite.c>
RewriteEngine On
RewriteBase /
RewriteRule ^index\.php$ - [L]
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteRule . /index.php [L]
</IfModule>
# END WordPress

Clean Themes and Plugins

  1. Delete and reinstall all plugins from WordPress.org (don't just update)
  2. Delete and reinstall themes from official sources
  3. Remove any themes/plugins you don't actively use
  4. Check premium plugins for updates from original vendors

Clean Database

In phpMyAdmin, check for:

  • Suspicious entries in wp_users and wp_usermeta
  • Strange content in wp_posts and wp_options
  • Unknown tables that don't start with your prefix
  • JavaScript or iframes in post content
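
The four database checks above, as an added example that is not taken from the original post: the SQL is what you would run in phpMyAdmin's SQL tab, executed here against a constructed in-memory SQLite copy of the relevant tables so it can be tried offline. The queries stick to syntax shared by MySQL/MariaDB and SQLite; the default `wp_` prefix and the sample rows (a second administrator account, two injected posts, a widget option holding PHP, and a table outside the prefix) are assumptions made for the demo.

```python
"""Database triage for a WordPress install (the "Clean Database" step), run here
against a constructed SQLite copy of the four relevant tables.
Added example for this article, not code from the original post. The queries use
only syntax shared by MySQL/MariaDB and SQLite, so they can be pasted as-is into
phpMyAdmin; the default `wp_` prefix is assumed, adjust PREFIX if yours differs."""
import sqlite3

PREFIX = "wp_"

# Constructed sample data. User 7, posts 11-12, option 2 and the tmp_sess table are planted.
SAMPLE_SQL = """
CREATE TABLE wp_users (ID INTEGER PRIMARY KEY, user_login TEXT, user_email TEXT, user_registered TEXT);
CREATE TABLE wp_usermeta (umeta_id INTEGER PRIMARY KEY, user_id INTEGER, meta_key TEXT, meta_value TEXT);
CREATE TABLE wp_posts (ID INTEGER PRIMARY KEY, post_title TEXT, post_content TEXT, post_status TEXT, post_modified TEXT);
CREATE TABLE wp_options (option_id INTEGER PRIMARY KEY, option_name TEXT, option_value TEXT);
CREATE TABLE tmp_sess (id INTEGER PRIMARY KEY, data TEXT);
INSERT INTO wp_users VALUES (1, 'stacy', 'stacy@example.com', '2022-03-01 10:00:00');
INSERT INTO wp_users VALUES (7, 'wp_supp0rt', 'noreply@example.net', '2024-05-20 03:12:44');
INSERT INTO wp_usermeta VALUES (1, 1, 'wp_capabilities', 'a:1:{s:13:"administrator";b:1;}');
INSERT INTO wp_usermeta VALUES (2, 7, 'wp_capabilities', 'a:1:{s:13:"administrator";b:1;}');
INSERT INTO wp_posts VALUES (10, 'Welcome', '<p>Hello</p>', 'publish', '2024-01-05 09:00:00');
INSERT INTO wp_posts VALUES (11, 'About', '<p>Us</p><script src="//example.net/x.js"></script>', 'publish', '2024-05-20 03:15:00');
INSERT INTO wp_posts VALUES (12, 'Best casino bonus', '<iframe src="https://example.net/c"></iframe>', 'publish', '2024-05-20 03:16:00');
INSERT INTO wp_options VALUES (1, 'siteurl', 'https://example.com');
INSERT INTO wp_options VALUES (2, 'widget_text', 'a:1:{i:2;a:1:{s:4:"text";s:30:"<?php eval(base64_decode(...));";}}');
"""

QUERIES = {
    # Every account holding the administrator role, newest first (Step 5 seen from the database).
    # WordPress stores roles serialized in usermeta under <prefix>capabilities.
    "admin_accounts": f"""
        SELECT u.ID, u.user_login, u.user_email, u.user_registered
        FROM {PREFIX}users u JOIN {PREFIX}usermeta m ON m.user_id = u.ID
        WHERE m.meta_key = '{PREFIX}capabilities' AND m.meta_value LIKE '%administrator%'
        ORDER BY u.user_registered DESC""",
    # Posts or pages whose content carries script tags or iframes.
    "injected_posts": f"""
        SELECT ID, post_title, post_modified FROM {PREFIX}posts
        WHERE post_content LIKE '%<script%' OR post_content LIKE '%<iframe%'
        ORDER BY post_modified DESC""",
    # Options (widgets, theme mods, plugin settings) that hold PHP, eval or encoded payloads.
    "suspicious_options": f"""
        SELECT option_id, option_name FROM {PREFIX}options
        WHERE option_value LIKE '%<?php%' OR option_value LIKE '%eval(%'
           OR option_value LIKE '%base64_decode%' OR option_value LIKE '%<script%'""",
}

def open_sample_db():
    """In-memory SQLite database loaded with the constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SAMPLE_SQL)
    return conn

def run_triage(conn, known_admins=("stacy",)):
    """Run every query, then flag admins missing from `known_admins` (the accounts you created)
    and tables outside the site prefix. On MySQL list tables with SHOW TABLES instead."""
    report = {name: conn.execute(sql).fetchall() for name, sql in QUERIES.items()}
    report["unknown_admins"] = [login for _, login, _, _ in report["admin_accounts"]
                                if login not in known_admins]
    tables = [t for (t,) in conn.execute("SELECT name FROM sqlite_master WHERE type = 'table'")]
    report["foreign_tables"] = sorted(t for t in tables if not t.startswith(PREFIX))
    return report

if __name__ == "__main__":
    for name, rows in run_triage(open_sample_db()).items():
        print(f"{name}:")
        for row in rows:
            print("   ", row)
```

Each query returns rows to review, not rows to delete blindly: an administrator you do not recognise is removed through the WordPress Users screen (which also handles their content), while injected posts and options are edited to strip the foreign markup. The table check is the only part that differs between engines, because MySQL exposes the table list through SHOW TABLES rather than a catalogue table.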

Option 3: Professional Cleanup Service

For complex hacks or if you're not comfortable with manual cleanup, professional WordPress maintenance services can handle the cleanup safely and thoroughly. This is often the fastest and most reliable option.

Verification: Confirm the Cleanup

Step 8: Rescan Your Site

After cleanup, scan again with multiple tools:

  • Run Wordfence or Sucuri scans
  • Check Google Search Console for security issues
  • Use Sucuri SiteCheck externally
  • Test all site functionality

Step 9: Request Google Review

If Google flagged your site:

  1. Log into Google Search Console
  2. Go to Security & Manual Actions → Security Issues
  3. Click "Request Review" after fixing all issues
  4. Provide details about what you fixed
  5. Wait 24-72 hours for review

Prevention: Stop Future Attacks

Step 10: Implement Security Hardening

Essential Security Plugins

  • Wordfence - Firewall, malware scanner, login security
  • Sucuri Security - Auditing, monitoring, firewall
  • iThemes Security - Hardening, two-factor authentication
  • UpdraftPlus - Automated backups (critical!)

Security Best Practices

  • Keep Everything Updated - WordPress core, themes, plugins
  • Use Strong Passwords - 16+ characters, unique per site
  • Enable Two-Factor Authentication - For all admin accounts
  • Limit Login Attempts - Block brute force attacks
  • Use SFTP Instead of FTP - Encrypted file transfers
  • Choose Quality Hosting - Security-focused providers
  • Regular Backups - Daily automated backups stored offsite
  • Remove Unused Themes/Plugins - Reduce attack surface

Advanced Hardening

  • Disable file editing in wp-admin
  • Move wp-config.php above web root
  • Protect wp-admin with additional password
  • Use a Web Application Firewall (WAF)
  • Implement Content Security Policy headers
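
The first item on that list, disabling the file editor, is a single constant in wp-config.php (`DISALLOW_FILE_EDIT`), and the key regeneration from the cleanup section lands in the same file. The Python below is an added example for this article, not WordPress code: it parses the `define()` calls in a wp-config.php and reports whether the editor is disabled and whether the eight keys and salts are present, distinct, and no longer the placeholder text shipped in wp-config-sample.php. Both configurations it checks are constructed for the demo, and the stand-in salts it generates are only there to make the example reproducible.

```python
"""Audit of wp-config.php hardening: the file-editor switch and the secret keys/salts.
Added example for this article, not code from the original post or from WordPress;
the two sample configs are constructed, and the checks cover only what the article
lists (DISALLOW_FILE_EDIT, fresh unique keys/salts), not every possible setting."""
import hashlib
import re

SALT_KEYS = ("AUTH_KEY", "SECURE_AUTH_KEY", "LOGGED_IN_KEY", "NONCE_KEY",
             "AUTH_SALT", "SECURE_AUTH_SALT", "LOGGED_IN_SALT", "NONCE_SALT")
PLACEHOLDER = "put your unique phrase here"      # the value shipped in wp-config-sample.php
# Matches define('NAME', 'string'), define("NAME", "string") and define('NAME', true/false).
DEFINE_RE = re.compile(
    r"""define\s*\(\s*['"](\w+)['"]\s*,\s*(?:'([^']*)'|"([^"]*)"|([A-Za-z0-9_.]+))\s*\)""")

def parse_defines(src):
    """Map constant name -> value: str for quoted values, bool for true/false, else the raw token."""
    out = {}
    for m in DEFINE_RE.finditer(src):
        name, sq, dq, raw = m.groups()
        if raw is not None:
            out[name] = {"true": True, "false": False}.get(raw.lower(), raw)
        else:
            out[name] = sq if sq is not None else dq
    return out

def audit_wp_config(src):
    """Return a list of findings; an empty list means the file passes these checks."""
    d = parse_defines(src)
    findings = []
    if d.get("DISALLOW_FILE_EDIT") is not True:
        findings.append("DISALLOW_FILE_EDIT is not true: the theme/plugin file editor is still "
                        "available in wp-admin")
    missing = [k for k in SALT_KEYS if k not in d]
    if missing:
        findings.append("keys/salts not defined: " + ", ".join(missing))
    weak = [k for k in SALT_KEYS if k in d and (d[k] == PLACEHOLDER or len(str(d[k])) < 32)]
    if weak:
        findings.append("keys/salts still placeholder or too short, regenerate them: " + ", ".join(weak))
    present = [d[k] for k in SALT_KEYS if k in d]
    if len(set(present)) != len(present):
        findings.append("keys/salts are not all distinct")
    return findings

# Constructed "before": editor left enabled (the default), salts never changed from the sample file.
WEAK_CONFIG = ("<?php\n" + "".join(f"define('{k}', '{PLACEHOLDER}');\n" for k in SALT_KEYS)
               + "define('DB_NAME', 'wp');\n$table_prefix = 'wp_';\n")

def constructed_salt(key):
    """Stand-in for a generated secret, deterministic so the example is reproducible.
    For a real site paste the output of https://api.wordpress.org/secret-key/1.1/salt/ instead."""
    return hashlib.sha256(f"constructed-{key}".encode()).hexdigest()   # 64 distinct hex chars

# Constructed "after": editor disabled, eight distinct 64-character secrets.
HARDENED_CONFIG = ("<?php\ndefine('DISALLOW_FILE_EDIT', true);\n"
                   + "".join(f"define('{k}', '{constructed_salt(k)}');\n" for k in SALT_KEYS)
                   + "define('DB_NAME', 'wp');\n$table_prefix = 'wp_';\n")

if __name__ == "__main__":
    for label, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(label, audit_wp_config(cfg) or ["no findings"])
```

To check a live file, read it into a string and pass it to `audit_wp_config()`. Regenerating the keys and salts has a useful side effect after a compromise: every existing login cookie becomes invalid, so any session an attacker still holds is cut off along with the password changes.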

Common Causes of WordPress Hacks

Understanding how hackers got in helps prevent future attacks:

1. Outdated Software (Most Common)

Plugins and themes with known vulnerabilities are prime targets. Always update promptly.

2. Weak Passwords

Simple passwords like "admin123" are cracked in seconds. Use a password manager.

3. Nulled/Pirated Themes and Plugins

Free premium themes often contain backdoors. Always use official sources.

4. Insecure Hosting

Shared hosting with poor isolation can allow cross-site infections.

5. Outdated PHP Version

Old PHP versions have known security vulnerabilities. Use PHP 8.0+.

When to Call a Professional

Consider professional help when:

  • The hack keeps returning after cleanup
  • You're dealing with sophisticated malware
  • Your database is heavily compromised
  • You're losing significant revenue from downtime
  • You need guaranteed cleanup and future protection

At ScalingWeb, our website maintenance team handles hacked site recovery regularly. We can clean your site, identify how hackers got in, and implement security measures to prevent future attacks.

Recovery Checklist Summary

  • ☐ Document the hack (screenshots, dates, symptoms)
  • ☐ Enable maintenance mode
  • ☐ Change all passwords from clean device
  • ☐ Contact hosting provider
  • ☐ Remove unknown admin users
  • ☐ Scan for malware
  • ☐ Restore from backup OR perform manual cleanup
  • ☐ Replace WordPress core files
  • ☐ Reinstall all plugins and themes
  • ☐ Clean database
  • ☐ Rescan and verify cleanup
  • ☐ Request Google review if flagged
  • ☐ Install security plugins
  • ☐ Implement security best practices
  • ☐ Set up automated backups

Need Emergency Help?

If your WordPress site has been hacked and you need immediate assistance, don't panic. Our security experts can help you recover quickly and implement proper protection.

Site hacked right now? Contact us for emergency WordPress recovery. We offer rapid response to get your site clean and secure as quickly as possible.

Written by

Stacy

Expert team in digital transformation and web technologies.