PayPal, Stripe, Credit Card, Amazon Pay, Giropay, EPS, Apple Pay, Google Pay, Klarna, Bancontact, Samsung Pay
Discovering that your WordPress website has been hacked can feel like a punch to the gut. Whether it’s unexpected redirects, spam content, or a complete lock-down of your admin panel, a hacked site can damage your reputation, SEO rankings, and user trust.
But don’t panic - there’s a clear path to recovery.
This comprehensive guide will walk you through how to fix a hacked WordPress website, remove malware, restore functionality, and protect it from future attacks
WordPress powers over 40% of the web, making it a prime target for hackers. Its open-source nature, while powerful, leaves it vulnerable if not properly maintained. Common reasons for hacks include:
Hackers exploit these weaknesses to inject malware, steal data, or use your site for SEO spam, phishing, or crypto mining. The good news? You can recover and fortify your site with the right steps.
Before diving into fixes, confirm your site is compromised. Look for these red flags:
If you spot any of these, act fast. Delaying can worsen the damage and hurt your SEO.
Most all hosting companies are very helpful in these kinds of situations. The ones with experienced staff have faced these kinds of a problem before. Get in touch with your hosting provider and listen to their advice
But be careful if they want to charge extraordinary fees. Could be a sign they are farming out the difficulty and jacking up the price. Always check with dedicated WordPress professionals.
Recovering a hacked WordPress website demands a meticulous and methodical approach to effectively eliminate threats, restore functionality, and fortify defenses against future attacks. A compromised site can manifest in various ways, whether it’s unauthorized content, malicious redirects, or complete loss of admin access. Addressing it promptly is critical to minimizing damage to your reputation, user trust, and SEO rankings.
By following a structured sequence of steps, you can thoroughly clean your site of malware, restore it to a secure state, and implement robust security measures to prevent recurrence.
To mitigate further damage and protect your visitors from malicious content, immediately enable maintenance mode on your WordPress website. This action restricts public access, displaying a user-friendly “Site Under Maintenance” message while allowing you to work on the backend securely.
Use a trusted plugin like WP Maintenance Mode or Coming Soon Page & Maintenance Mode to set this up quickly. Activating maintenance mode prevents hackers from exploiting active user sessions, shields your audience from harmful redirects or spam, and signals to search engines that you’re actively addressing issues, which helps preserve your SEO rankings.
Keep in mind when you do restore from a backup, your entire website will revert to that version.
Before making changes, create a backup of your current site, even if it’s compromised. Use plugins listed below to save files and your database to a secure, off-site location (e.g., Google Drive or Dropbox).
Caution: Do not restore from your compromised backup. This is for reference in case you need to recover specific files.
Hopefully you will have a clean pre-hack backup, you will use later
WordPress Backup Plugins
Use a reputable security plugin to identify malicious files and code. Run a full scan to pinpoint infected files, backdoors, or database entries. MalCare, for example, surgically removes malware while preserving legitimate code, making it a top choice for quick recovery
Here are some of the best plugins that we would recommend for your website.
A comprehensive, user-friendly, all in one WordPress security and firewall plugin for your site. Gives you Login Security Tools, to keep bots at bay and protect your website from brute force attacks.
Formerly Better WP Security. WordPress Security plugin with 30+ ways to protect and secure your site.
includes an endpoint firewall, security scanner, login security, alerts, centralized management, malware scan, blocking, live traffic, login security & more.
Write a myriad of WordPress events to syslog for integration with fail2ban.
Scans your system for security vulnerabilities listed in the WPScan Vulnerability database.
Tests security issues, malware & warns of dangerous plugins.
Security tool-set for security integrity monitoring, malware detection and security hardening.
Backup, anti spam, malware scan, CDN, AMP, integrations with Woo, Facebook, Instagram, Google.
A subscription service offering real-time backup, automated security scanning, and support from WordPress experts.
Protect your WordPress with SecuPress, analyze and ensure the safety of your website daily.
Google Authenticator, Two Factor Authentication, OTP verification, SMS, and Email.
Malware scanner, Firewall, Login Security, DB Backup, Anti-Spam and much more.
Malware scanner, IP blocking, audit logs, activity logs, firewall, login security and more.
Add expert security to all your WordPress sites with Shield Security, without being a security expert.
If you’re comfortable with technical tasks and prefer a hands-on approach, manually scanning your WordPress site for malware is a viable alternative to automated plugins. Using an SFTP client like FileZilla or a file manager provided by cPanel, connect to your server to inspect critical files and directories. Focus on key areas where malware often hides, such as wp-config.php, .htaccess, the wp-content/uploads folder, and theme or plugin directories. Look for suspicious code, including unusual eval(), base64_decode(), or obfuscated JavaScript functions, as well as unfamiliar files or recently modified ones (check timestamps). Additionally, review the wp-includes and wp-admin folders for unauthorized changes, as hackers frequently inject malicious scripts here.
For database inspection, use phpMyAdmin to examine tables like wp_options, wp_posts, and wp_users for injected spam links or rogue entries.
Compare files against a clean WordPress installation (download the same version from wordpress.org) to identify discrepancies. While manual scanning is thorough, it’s time-intensive and requires expertise, so proceed cautiously and back up all files before making changes. If the infection is complex, consider using a security plugin or consulting a professional to ensure complete cleanup
To recover a hacked WordPress site, restore it from a clean, pre-hack backup containing uninfected files and database. Verify the backup’s integrity with a malware scanner like Sucuri. Use a plugin like UpdraftPlus or your cPanel to restore files via SFTP or a guided wizard, and replace the database using phpMyAdmin or the plugin. Test the restored site in a staging environment to ensure functionality.
After a good restoration, update WordPress core, plugins, and themes, and test all site features.
If you do not have a clean or good backup, You may have to opt for manual cleaning or find professional help.
Hackers often inject malicious code into your WordPress database, affecting posts, users, or options tables. To remove malicious code from your WordPress database, manually inspect and clean it using phpMyAdmin, accessible via your hosting control panel. Focus on tables like wp_posts, wp_options, and wp_users, where hackers often inject spam links, rogue scripts, or unauthorized accounts. Look for suspicious entries, such as unfamiliar URLs, encoded JavaScript, or unexpected admin users. Carefully delete or edit these entries to avoid disrupting legitimate data, and use the search function to locate specific malicious strings.
Back up the database before making changes to ensure you can revert if needed. If you’re unsure, use a plugin like WP-Optimize for safer cleaning or consult a professional
Outdated software invites hackers by exposing known vulnerabilities. To secure your site, update the following to their latest versions: WordPress core, all themes (active and inactive), plugins, and your server’s PHP version (target PHP 8.0 or higher for enhanced security and performance). Access the WordPress dashboard to check for updates under Dashboard > Updates, and apply them promptly. For PHP, update via your hosting control panel or contact your provider.
Delete unused themes and plugins to eliminate potential entry points, and enable auto-updates for WordPress core and trusted plugins to stay current.
Never download themes and plugins from unknown or unreliable sources. It just might have been created by a hacker.
After updating, test your site to ensure compatibility and functionality remain intact. Regular updates close security gaps and keep your site resilient against attacks.
Hackers often exploit user accounts by adding rogue admins or hijacking existing ones. Restrict admin roles to essential users only, assigning lower roles like Editor for others. Update the wp-config.php security keys to log out all sessions. Add two-factor authentication (2FA) with a plugin like Two Factor for extra security. Regularly check for unauthorized user activity.
In your WordPress dashboard:
Hackers often exploit user accounts by creating unauthorized admin profiles or compromising existing ones. To secure your WordPress site, access the Users > All Users section in your dashboard and review all accounts. Delete any unfamiliar or suspicious users, especially those with admin privileges.
Prevent future hacks by implementing these best practices:
To keep your WordPress site secure and resilient, consistent monitoring and maintenance are essential. Schedule automated backups - daily or weekly. Using plugins like BackupBuddy, storing them securely off-site (e.g., Google Drive or Dropbox) to ensure quick recovery if issues arise. Actively monitor site activity with plugins like User Activity Log to track user actions, plugin changes, or unauthorized logins, helping you spot potential threats early. Set calendar reminders to review logs, test backups, and check for software updates monthly.
By maintaining these habits, you’ll minimize risks, catch issues before they escalate, and keep your site running smoothly and securely.
For complex hacks like rootkits or persistent backdoors, or if you lack technical know-how, hire a professional. Experts from services like Sucuri, WPBeginner, or WP Tangerine/ offer specialized skills to thoroughly remove malware, close security gaps, and restore your site efficiently, often within 24 - 48 hours
WPBeginner, for instance, starts at $249 and includes expert support. While costly, professionals save time and ensure complete cleanup.
Fixing a hacked WordPress website is daunting, but with the right tools and steps, you can restore your site and make it stronger than ever. By scanning for malware, restoring clean backups, securing user accounts, and implementing robust protections, you’ll safeguard your site against future threats. Regular maintenance and monitoring are key to staying ahead of hackers.
Change your passwords just in case the hacker found their way in with one of your old passwords. Also if you changed web designers or companies that no longer work on your site change your PW.
Your WordPress site is an asset, protect it with the same care you’d give your business.
Share your experiences or questions in the comments below!
See our WordPress Tutorials for more WordPress reading.
Digital content writer with a passion for crafting engaging and informative copy. With over 9 years of international copy writing experience and...
This policy contains information about your privacy. By posting, you are declaring that you understand this policy:
This policy is subject to change at any time and without notice.
These terms and conditions contain rules about posting comments. By submitting a comment, you are declaring that you agree with these rules:
Failure to comply with these rules may result in being banned from submitting further comments.
These terms and conditions are subject to change at any time and without notice.
Tweet Share Pin Email
Comments