My WordPress Site Was Hacked: A Calm, Step-by-Step Recovery Guide
Your WordPress site was hacked; here is exactly what to do right now to clean it up, lock it down, and get back online safely.
Finding out your WordPress site was hacked is genuinely alarming. Your site might be showing strange content, redirecting visitors to spam pages, or your host may have suspended your account entirely. Take a breath. This is fixable. Thousands of WordPress sites are cleaned and restored every week, and the steps below will walk you through exactly what to do — in the right order — so you do not make things worse while trying to make them better.
Step 1: Confirm the Hack and Understand What You Are Dealing With
Before you change anything, confirm that the site is actually compromised and get a clear picture of the damage. Sometimes a broken plugin or a theme error looks like a hack but is not.
- Check Google Safe Browsing: Visit Google Safe Browsing and enter your domain. If Google has flagged your site as dangerous, it will say so here.
- Run a remote malware scan: Tools like Sucuri SiteCheck scan your site's publicly visible pages for known malware signatures, blacklist status, and injected code, without needing your login details.
- Look at your site as a logged-out visitor: Open your site in a private/incognito browser window. Hackers often hide malicious content from logged-in admins so you do not notice it.
- Check your hosting control panel: Many hosts (cPanel, Kinsta, WP Engine, etc.) send automated malware alerts. Log in and look for any suspension notices or security warnings.
- Review Google Search Console: If your site is verified, Google will flag hacked pages under Security Issues in the left-hand menu.
Step 2: Take the Site Offline Temporarily
While you clean the site, you do not want visitors landing on malicious content. Putting the site into maintenance mode, or asking your host to restrict public access, protects your visitors and stops the hack from spreading further.
- If you can still log into WordPress, activate a maintenance mode plugin to show a holding page instead of your hacked content.
- If you cannot log in, contact your host and ask them to temporarily block public access to the site while you work on it.
- Do not delete anything yet. You need the files intact to clean them properly.
Step 3: Back Up Everything, Even the Infected Version
This sounds counterintuitive, but back up the hacked site before you touch anything. If a cleaning step goes wrong, you need a way to return to a known state. Your host may also need the infected files to investigate how the breach happened.
- Use your host's backup tool to download a full copy of your site files and database.
- If you have a backup plugin installed (such as UpdraftPlus), download the most recent backup to your local computer as well.
- Store the backup somewhere safe and separate from your live server.
Step 4: Change All Passwords and Revoke Unknown Users
Hackers almost always leave themselves a way back in. Closing that door is one of the most important steps you can take, and it costs nothing.
- Change your WordPress admin password: Go to Users > Your Profile in the WordPress dashboard and set a new, strong password (at least 16 characters, mixed case, numbers, and symbols).
- Change passwords for every admin-level user: Go to Users > All Users, click each administrator, and update their password.
- Delete any admin accounts you do not recognise: Hackers often create hidden admin users. In Users > All Users, filter by Administrator role and remove any accounts that should not be there.
- Change your hosting control panel password: Log into your host and update the cPanel or equivalent password.
- Change your database password: This is done inside your hosting control panel under MySQL Databases. After changing it, you must enter the new password in your wp-config.php file (the line that reads `DB_PASSWORD`), otherwise the site cannot connect to its database. This is a technical step; if you are unsure, ask your host or a support team to do it.
- Change your FTP/SFTP password: Your host's control panel will have an FTP Accounts section where you can reset this.
- Revoke any API keys or third-party app connections that you do not recognise in your WordPress settings.
Step 5: Scan and Clean the Malware
This is the most technical part of the process. There are two main approaches: using a security plugin to scan and clean from inside WordPress, or manually inspecting and cleaning files via FTP/SFTP (a protocol for transferring files between your computer and your server).
Option A: Use a Security Plugin
If you can still log into WordPress, a reputable security plugin can scan your files and database for known malware patterns and, in many cases, remove them automatically.
- Wordfence Security (free tier available): Install it from Plugins > Add New, then go to Wordfence > Scan and run a full scan. It will flag suspicious files and, for many infections, offer a one-click repair option.
- Sucuri Security (free tier available): Offers file integrity monitoring and malware scanning. The paid version includes a firewall and guaranteed malware removal.
- After the scan, review every flagged item carefully before deleting. Some flags are false positives on customised theme files.
Option B: Manual File Cleaning (Advanced)
Manual cleaning involves connecting to your server via FTP/SFTP or your host's File Manager and comparing your files against clean copies. This is the most thorough method but also the riskiest if you are not comfortable working with code.
- Download a fresh copy of WordPress from wordpress.org and compare core files (wp-admin and wp-includes folders) against your live site. Replace any files that differ and that you did not intentionally modify.
- Check the wp-content/uploads folder for PHP files. There should be none. Any .php file in uploads is almost certainly malicious and can be deleted.
- Check your active theme's files for unfamiliar code, especially in functions.php, header.php, and footer.php. Look for long strings of scrambled characters (base64-encoded malware) or `eval()` calls that were not there before.
- Check the wp-config.php file in your root directory for any code that was not there when you set up the site.
- Search your database (via phpMyAdmin, available in most hosting control panels) for known spam phrases or suspicious URLs injected into your posts and options table.
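One way to script the three file checks listed above (core files against a known-good checksum manifest, stray PHP under uploads, obfuscation primitives in the active theme) is the added example below; it is not code from the original guide. It assumes a manifest in the path -> MD5 shape that WordPress publishes per release (the api.wordpress.org core checksums feed), and `build_sample_site` is a hypothetical helper that plants one of each problem in a constructed temporary tree so the checks can be run offline.

```python
import hashlib, os, re, tempfile
# Obfuscation primitives that injected PHP almost always leans on.
SUSPICIOUS = re.compile(rb"\b(eval|base64_decode|gzinflate|str_rot13)\s*\(")
PHP_EXT = re.compile(r"\.ph(p\d?|tml)$", re.I)  # .php, .php5, .phtml, ...

def md5_of(path):
    with open(path, "rb") as f:
        return hashlib.md5(f.read()).hexdigest()

def verify_core(root, manifest):
    """Core files whose MD5 differs from the manifest, or which are missing."""
    return sorted(rel for rel, want in manifest.items()
                  if not os.path.isfile(os.path.join(root, rel))
                  or md5_of(os.path.join(root, rel)) != want)

def php_in_uploads(root):
    """PHP files under wp-content/uploads; a clean install has none."""
    up = os.path.join(root, "wp-content", "uploads")
    return sorted(os.path.relpath(os.path.join(d, n), root)
                  for d, _, fs in os.walk(up) for n in fs if PHP_EXT.search(n))

def scan_theme(root, theme):
    """(relative path, line number) of theme lines calling an obfuscation primitive."""
    hits = []
    for d, _, fs in os.walk(os.path.join(root, "wp-content", "themes", theme)):
        for n in (n for n in fs if n.endswith(".php")):
            p = os.path.join(d, n)
            with open(p, "rb") as f:
                hits += [(os.path.relpath(p, root), i)
                         for i, line in enumerate(f, 1) if SUSPICIOUS.search(line)]
    return sorted(hits)

def build_sample_site():
    """Constructed sample tree (not a real install) with one of each problem planted."""
    root = tempfile.mkdtemp(prefix="wp-sample-")
    clean_version = b"<?php\n$wp_version = '6.5';\n"
    files = {
        "wp-includes/version.php": clean_version + b"include 'x.php';\n",  # tampered core file
        "wp-content/uploads/2024/05/cache.php": b"<?php /* planted */\n",  # PHP where none belongs
        "wp-content/themes/mytheme/functions.php":
            b"<?php\neval(base64_decode('cGxhbnRlZA=='));\nadd_action('init', 'noop');\n",
    }
    for rel, data in files.items():
        p = os.path.join(root, rel)
        os.makedirs(os.path.dirname(p), exist_ok=True)
        with open(p, "wb") as f:
            f.write(data)
    manifest = {"wp-includes/version.php": hashlib.md5(clean_version).hexdigest(),  # path -> clean md5
                "wp-includes/load.php": "0" * 32}  # never written, so reported as missing
    return root, manifest
```

On a real install, point `root` at the site directory and load the manifest for the exact WordPress version shown in wp-includes/version.php; anything `verify_core` reports that you did not change yourself should be replaced from a fresh download rather than edited by hand.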
Option C: Professional Malware Removal
If the infection is deep, the plugin scan did not fully clear it, or you are not comfortable editing server files, professional removal is the safest and fastest path. The TheAppSense malware removal service handles the full clean-up for you, including finding the entry point so the hack does not simply come back.
Step 6: Update Everything
The majority of WordPress hacks exploit known vulnerabilities in outdated plugins, themes, or WordPress core. Once the site is clean, updates are not optional.
- Go to Dashboard > Updates and update WordPress core to the latest version.
- Update every plugin. If a plugin has not been updated by its developer in over two years, consider replacing it with a maintained alternative.
- Update every theme, including themes you are not actively using.
- Delete any plugins or themes you are not using. Inactive plugins still present a security risk if they contain vulnerabilities.
Step 7: Harden Your Site Against Future Attacks
Cleaning a hacked site is only half the job. Hardening means making it significantly harder for attackers to get back in.
| Hardening Action | Where to Do It | Difficulty |
|---|---|---|
| Enable two-factor authentication (2FA) for all admin users | Security plugin or standalone 2FA plugin | Easy |
| Install a web application firewall (WAF) | Wordfence, Sucuri, or Cloudflare | Easy–Medium |
| Limit login attempts | Wordfence or a dedicated plugin | Easy |
| Disable XML-RPC if you do not use it | Security plugin or hosting firewall | Easy |
| Move wp-config.php one directory above the web root | FTP/SFTP, technical step | Advanced |
| Set correct file permissions (644 for files, 755 for folders) | Hosting File Manager or FTP | Medium |
| Enable automatic updates for minor WordPress releases | Dashboard > Updates > Enable automatic updates | Easy |
Step 8: Request a Google Review (If Your Site Was Blacklisted)
If Google flagged your site as dangerous, it will continue showing warnings to visitors even after you have cleaned the malware. You need to ask Google to re-review your site.
- Log into Google Search Console and go to Security Issues in the left menu.
- Review the listed issues. Once you are confident the site is clean, click 'Request a Review'.
- Describe the steps you took to clean the site. Be specific; Google's reviewers look for evidence that you understood and fixed the root cause.
- Reviews typically take one to three business days. Once approved, the warning will be removed from search results.
Step 9: Set Up Ongoing Monitoring and Backups
The best time to set up monitoring was before the hack. The second best time is right now.
- Automated daily backups: Configure your backup plugin or hosting backup tool to run daily and store copies off-server (in cloud storage like Amazon S3 or Google Drive).
- Uptime monitoring: A free tool like UptimeRobot will alert you by email or SMS the moment your site goes down.
- File change monitoring: Wordfence and Sucuri both offer alerts when core WordPress files are modified, a common early sign of a new infection.
- Regular security scans: Schedule weekly automated scans so problems are caught early, not weeks later.
A hacked WordPress site feels catastrophic in the moment, but it is a recoverable situation. Work through the steps in order: confirm the hack, take the site offline, back up, change all credentials, clean the malware, update everything, harden the site, and request a Google review if needed. Most site owners who follow these steps carefully get their site back online within a day or two. If the infection is complex, the malware keeps returning, or you simply do not have time to do this yourself, the TheAppSense malware removal service is there to handle it for you, cleanly, thoroughly, and with an explanation of how the breach happened so it does not repeat.
How do I know if my WordPress site has been hacked?
Common signs include visitors being redirected to unrelated websites, Google showing a 'This site may be hacked' warning in search results, your hosting company suspending your account, unfamiliar admin users appearing in your WordPress dashboard, or spam links appearing in your site's content. Run a free scan at Sucuri SiteCheck to get an immediate external view of your site's status.
Can I just restore a backup instead of cleaning the site?
Only if you have a backup that was made before the hack occurred and you are certain of that date. Many infections go undetected for weeks, which means your most recent backups may already contain the malware. Restoring an infected backup brings the problem straight back. If you are unsure when the hack happened, clean the live site rather than restoring blindly.
Will my SEO rankings recover after a hack?
Yes, in most cases. Once you clean the site and request a review through Google Search Console, Google will remove the security warning and re-crawl your pages. Rankings can dip temporarily while the site is flagged, but they typically recover once the warning is lifted and your content is confirmed clean. The faster you act, the less lasting impact there is on your search visibility.
How did my WordPress site get hacked in the first place?
The most common causes are: an outdated plugin or theme with a known security vulnerability, a weak or reused admin password, a compromised hosting account, or malicious code hidden inside a nulled theme or plugin (a pirated copy of a paid product). After cleaning your site, identifying the entry point is important; otherwise the same vulnerability can be exploited again.
How long does it take to clean a hacked WordPress site?
A straightforward infection cleaned with a security plugin can take two to four hours including all the hardening steps. A complex, deep infection with multiple backdoors (hidden files that let attackers re-enter the site) can take considerably longer. Professional services like TheAppSense malware removal typically complete a clean within one business day.
Do I need to tell my customers that my site was hacked?
It depends on what data was exposed. If your site collected personal information (names, email addresses, payment details) and that data may have been accessed, you likely have a legal obligation to notify affected users under regulations such as GDPR (in Europe) or state breach notification laws (in the US). Consult a legal professional if you are unsure. If the hack only affected your site's front-end content and no customer data was stored or processed, notification may not be required, but transparency is always good practice.