WordPress powers over 40% of all websites, which
makes it the most targeted website platform by a significant margin. If you
manage a WordPress site and suddenly see your Google Search Console showing
security alerts, visitors warning you about malware, your host suspending your
account, or you notice strange pages, links, or code you never added — your
site has likely been compromised.
Recovering a hacked WordPress site can feel overwhelming,
but it is absolutely doable if you approach it methodically. This guide walks
you through every step from diagnosis to full recovery and hardening.
First: How Do You Know Your Site Is Hacked?
• Google search results for your site show warnings like "This site may harm your computer."
• Visitors are being redirected to spam, gambling, or pharmacy websites.
• Your hosting provider has suspended your account or sent security alerts.
• New admin users appeared in your WordPress dashboard that you did not create.
• You notice unfamiliar files on your server, especially PHP files in unexpected locations such as wp-content/uploads.
• Your site displays content in a foreign language or entirely different content.
• Website performance has degraded drastically, which often means the server is doing work for the attacker (sending spam, serving malware to other sites, or mining cryptocurrency).
Step 1: Put Your Site in Maintenance Mode and Back Up Everything
Take the site offline first, or restrict it to your own IP address at the web
server, so visitors stop receiving the attacker's payload and the attacker cannot
keep using the site while you work. Then, before cleaning anything, create a full
backup of the current infected site. This may sound counterintuitive, but having a
backup of the infected version lets you compare files, identify exactly what was
changed, and restore specific clean content; it is also your evidence if you later
have to explain the incident to your host or your customers. Use your hosting
control panel (cPanel, Plesk) or the shell to create a full backup including all
files and the database, store it outside the web root, and do not let it overwrite
the clean backups you already have.
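The freeze-and-snapshot sequence as a shell script. This is an added example, not code from the page: it assumes a Linux host with tar, an Apache 2.4 front end for the maintenance rule, and a wp-config.php whose database constants are written in the standard define() form; the database dump additionally needs mysqldump and a reachable MySQL server, so the demo does not run it. All paths and IP addresses are placeholders, and the fixture install tree is constructed for the demo.

```shell
#!/usr/bin/env bash
# Added example (not from the page): freeze the site and snapshot it before cleaning.
# Assumes Linux + tar; backup_database also needs mysqldump and a reachable server.
set -u

# Read define('NAME', 'value') from wp-config.php with sed, without executing any PHP
# from a file that may itself have been tampered with.
wp_config_get() {            # usage: wp_config_get /path/wp-config.php DB_NAME
  sed -n "s/^[[:space:]]*define([[:space:]]*['\"]$2['\"][[:space:]]*,[[:space:]]*['\"]\([^'\"]*\)['\"].*/\1/p" "$1" | head -n 1
}

# Maintenance mode for Apache 2.4: everyone except the admin IP gets 403, so visitors
# stop receiving the attacker's payload and the attacker loses the site as a host.
# The existing .htaccess (which may carry injected redirects) is moved aside as
# .htaccess.pre-cleanup for review in Step 4, not merged, so nothing in it stays active.
enable_maintenance() {       # usage: enable_maintenance /var/www/site 203.0.113.10
  local root=$1 admin_ip=$2
  if [ -f "$root/.htaccess" ]; then
    mv "$root/.htaccess" "$root/.htaccess.pre-cleanup"
  fi
  printf '# incident cleanup in progress\nRequire ip %s\n' "$admin_ip" > "$root/.htaccess"
}

checksum() {                 # sha256sum on Linux, shasum on BSD/macOS
  if command -v sha256sum >/dev/null 2>&1; then sha256sum "$1"; else shasum -a 256 "$1"; fi
}

# Archive the files with their timestamps intact (Step 3 sorts by them) and record a
# checksum so the snapshot can later be shown to be unaltered. Echoes the archive path.
backup_files() {             # usage: backup_files /var/www/site /root/ir-backups
  local root=$1 out=$2 stamp archive
  stamp=$(date +%Y%m%d-%H%M%S)
  mkdir -p "$out"
  archive="$out/files-$stamp.tgz"
  tar -czf "$archive" -C "$(dirname "$root")" "$(basename "$root")"
  ( cd "$out" && checksum "$(basename "$archive")" > "$(basename "$archive").sha256" )
  echo "$archive"
}

# Dump the database with credentials read from wp-config.php. Assumes DB_HOST is a plain
# host name (split off a ":port" suffix yourself if your config has one).
backup_database() {          # usage: backup_database /var/www/site /root/ir-backups
  local root=$1 out=$2 cfg="$1/wp-config.php" stamp
  stamp=$(date +%Y%m%d-%H%M%S)
  mkdir -p "$out"
  MYSQL_PWD="$(wp_config_get "$cfg" DB_PASSWORD)" mysqldump --single-transaction \
    -h "$(wp_config_get "$cfg" DB_HOST)" -u "$(wp_config_get "$cfg" DB_USER)" \
    "$(wp_config_get "$cfg" DB_NAME)" | gzip > "$out/db-$stamp.sql.gz"
}

# Constructed fixture: a minimal install tree with a wp-config.php and a .htaccess,
# so the helpers can be exercised without a real site. Echoes the site root.
make_fixture() {
  local root
  root=$(mktemp -d)/wordpress
  mkdir -p "$root/wp-content/uploads"
  cat > "$root/wp-config.php" <<'EOF'
<?php
define( 'DB_NAME', 'wp_site' );
define('DB_USER', 'wp_user');
define( 'DB_PASSWORD', 's3cret' );
define( 'DB_HOST', 'localhost' );
EOF
  printf 'RewriteEngine On\n' > "$root/.htaccess"
  echo "$root"
}

# Demo on the fixture: freeze, then snapshot the files.
demo() {
  local root
  root=$(make_fixture)
  enable_maintenance "$root" 203.0.113.10
  backup_files "$root" "$(dirname "$root")/ir-backups"
}
demo
```

On a real site the order is enable_maintenance, backup_files, backup_database, and the backup directory should live outside the document root (and ideally be copied off the server) so the archive itself cannot be fetched over HTTP.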
Step 2: Scan Your Site for Malware
Using Wordfence (WordPress Plugin)
If you can still access your WordPress dashboard, install
and activate Wordfence Security (free version). Run a full scan. Wordfence
compares your WordPress core files against the official versions and flags any
modifications. It also detects common malware patterns, backdoors, and
suspicious files. Review all flagged items carefully before acting — some may
be legitimate customizations.
Using Sucuri SiteCheck
Even if you cannot access your dashboard, visit
sitecheck.sucuri.net and enter your domain. This free external scanner checks
your site for known malware signatures, blacklist status, and security
anomalies from the outside. It will not find everything but is a fast way to
confirm a compromise and identify the type of attack.
Server-Level Scanning
If your host provides shell access or a file manager, run a server-side
antivirus scanner such as ImunifyAV or ClamAV, either through the hosting control
panel or from the shell, against the whole hosting account rather than only the
WordPress directory. Server-level scanning catches malware hidden in locations that
WordPress-side plugins might miss, including files dropped outside the WordPress
tree.
Step 3: Identify the Entry Point
Knowing how the attacker got in is essential for preventing
recurrence. Check:
• Server error logs and access logs for suspicious requests (typically found under /var/log/ or in your cPanel logs): POST requests to PHP files under wp-content/uploads, bursts of POSTs to wp-login.php or xmlrpc.php from a single IP, and requests for PHP files that are not part of WordPress.
• Recently modified files: use your FTP client or file manager to sort files by modification date. Mass modifications around a specific date indicate when the breach occurred. Attackers sometimes reset modification times to blend in, so on a shell also check change times (ctime), which cannot be faked without root.
• Outdated plugins or themes (the most common attack vector). Note which plugin and theme versions were installed at the time of the breach and check their changelogs and public vulnerability advisories; Dashboard > Updates only shows what is pending now, not what was exploitable then.
• Compromised admin passwords via brute force or credential stuffing: in the access log this looks like a long run of POSTs to wp-login.php from one IP that all return 200 (the login form redisplayed) followed by one that returns 302 (a successful login redirect).
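The log checks above, as an added example that is not part of the original article. It assumes an access log in the Apache/nginx "combined" format and a shell on the server; the log lines inside write_sample_log are constructed for the demo (documentation IP ranges, a fictional plugin), and they tell the typical story: a password-guessing run against wp-login.php, a plugin upload through wp-admin, then a webshell in uploads being used.

```shell
#!/usr/bin/env bash
# Added example (not from the page): entry-point triage over an access log and the
# file system. Sample log lines are constructed; regexes target the combined format.
set -u

# PHP files changed in the last N days. Both mtime and ctime are checked: attackers
# reset mtime with touch to hide a dropped file, but ctime cannot be set without root.
recently_changed_php() {     # usage: recently_changed_php /var/www/site 14
  find "$1" -type f -name '*.php' \( -mtime "-$2" -o -ctime "-$2" \) -print
}

# POSTs to PHP files under wp-content/uploads: uploads should never execute code, so
# every hit here is a webshell being used.
uploads_php_posts() {        # usage: uploads_php_posts access.log
  grep -E '"POST /wp-content/uploads/[^" ]*\.php' "$1"
}

# Login and XML-RPC POSTs per source IP; a few IPs with hundreds of attempts is brute
# force or credential stuffing.
login_attempts_by_ip() {     # usage: login_attempts_by_ip access.log
  grep -E '"POST /(wp-login\.php|xmlrpc\.php)' "$1" | awk '{print $1}' | sort | uniq -c | sort -rn
}

# Requests for PHP files outside the locations WordPress normally serves them from,
# with query strings stripped so one shell shows up as one line.
odd_php_paths() {            # usage: odd_php_paths access.log
  grep -E '"(GET|POST) /[^" ]*\.php' "$1" | awk '{print $7}' | sed 's/?.*//' \
    | grep -Ev '^/(index|wp-login|wp-cron|xmlrpc|wp-comments-post)\.php$|^/wp-(admin|includes)/|^/wp-content/(plugins|themes)/' \
    | sort | uniq -c | sort -rn
}

# First request ever seen for a path; the requests just before it in the log are
# usually the ones that created the file.
first_seen() {               # usage: first_seen access.log /wp-content/uploads/2024/03/cache.php
  grep -F -m 1 "$2" "$1"
}

write_sample_log() {         # constructed lines, written to $1
  cat > "$1" <<'EOF'
198.51.100.7 - - [12/Mar/2024:03:14:01 +0000] "POST /wp-login.php HTTP/1.1" 200 2731 "-" "python-requests/2.31"
198.51.100.7 - - [12/Mar/2024:03:14:02 +0000] "POST /wp-login.php HTTP/1.1" 200 2731 "-" "python-requests/2.31"
198.51.100.7 - - [12/Mar/2024:03:14:03 +0000] "POST /xmlrpc.php HTTP/1.1" 200 403 "-" "python-requests/2.31"
198.51.100.7 - - [12/Mar/2024:03:18:30 +0000] "POST /wp-admin/update.php?action=upload-plugin HTTP/1.1" 200 1804 "-" "curl/8.4.0"
198.51.100.7 - - [12/Mar/2024:03:20:45 +0000] "POST /wp-content/uploads/2024/03/cache.php HTTP/1.1" 200 512 "-" "curl/8.4.0"
198.51.100.7 - - [12/Mar/2024:03:21:00 +0000] "GET /wp-content/uploads/2024/03/cache.php?cmd=id HTTP/1.1" 200 60 "-" "curl/8.4.0"
203.0.113.5 - - [12/Mar/2024:09:02:11 +0000] "GET /wp-admin/ HTTP/1.1" 200 9913 "-" "Mozilla/5.0"
192.0.2.9 - - [12/Mar/2024:10:00:00 +0000] "GET /index.php HTTP/1.1" 200 14211 "-" "Mozilla/5.0"
192.0.2.9 - - [12/Mar/2024:10:00:05 +0000] "GET /wp-content/plugins/some-plugin/readme.txt HTTP/1.1" 200 21 "-" "Mozilla/5.0"
EOF
}

demo() {
  local log
  log=$(mktemp)
  write_sample_log "$log"
  echo "== login/XML-RPC POSTs per IP"; login_attempts_by_ip "$log"
  echo "== PHP requested from odd places"; odd_php_paths "$log"
  echo "== first use of the shell"; first_seen "$log" /wp-content/uploads/2024/03/cache.php
  rm -f "$log"
}
demo
```

Read the three outputs together: the IP with the login burst is the same one that later POSTs to the file in uploads, and the request between them (the plugin upload) is the action that created it. That is the entry point, and it tells you both which account's password to consider burned and which plugin upload to look for.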
Step 4: Clean the Infection
Option A: Restore from a Clean Backup
If you have a clean backup from before the hack (and you
know when the hack occurred), restoring from that backup is the cleanest
approach. Make sure the restoration includes both your files and your database.
After restoring, immediately update all passwords and plugins before
reconnecting the site.
Option B: Manual Cleaning
If no clean backup is available, manual cleaning is
required:
1. Reinstall WordPress core files: download a fresh copy of the same WordPress version, delete the wp-admin and wp-includes directories and replace them, and replace the PHP files in the site root (index.php, wp-login.php and the rest) as well. Do not overwrite wp-content or wp-config.php. Delete rather than copy over the top, because extra files an attacker planted in wp-includes survive an overwrite.
2. Reinstall all plugins and themes from official sources. Delete the compromised versions first, for the same reason. Then look through wp-content/uploads for PHP files; there should be none.
3. Carefully review wp-config.php and .htaccess for injected malicious code, such as an extra require or eval line at the top of wp-config.php, or rewrite rules in .htaccess that send search-engine or mobile visitors elsewhere.
4. Audit your database: look for eval(), base64_decode(), iframe and script injections in post content, options, and user meta tables, and check that the siteurl and home options and the active_plugins list are what you expect.
5. Remove all unrecognized admin accounts from Users > All Users, and reset the passwords of the accounts you keep.
6. Change the WordPress security keys in wp-config.php (generate new ones at api.wordpress.org/secret-key/1.1/salt/). This invalidates every existing login cookie, including any session the attacker still holds.
Step 5: Harden Your WordPress Installation
• Update WordPress core, all plugins, and all themes to their latest versions immediately.
• Delete all inactive themes and plugins; they are attack surfaces even when deactivated, because their PHP files can still be requested directly.
• Install a security plugin: Wordfence, Sucuri, or iThemes Security (now Solid Security).
• Enable two-factor authentication for all admin accounts. WordPress core does not ship 2FA, so this means a plugin such as Wordfence's login security module or the Two-Factor plugin.
• Change all passwords: WordPress admin, FTP, hosting panel, database (and update DB_PASSWORD in wp-config.php to match).
• Set proper file permissions: 644 for files, 755 for directories, 400 or 440 for wp-config.php. Use 400 when PHP runs as the file owner; use 440 with the web server's group when PHP runs as a separate user, or it will not be able to read the file.
• Disable file editing in the dashboard by adding define('DISALLOW_FILE_EDIT', true) to wp-config.php, above the "stop editing" line, so a stolen admin session can no longer turn the theme editor into a shell.
• Put the site behind a Web Application Firewall (WAF). Cloudflare's free plan provides significant protection against automated attacks, but only if the origin server accepts web traffic from Cloudflare alone; otherwise anyone who knows the origin IP bypasses it.
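The permission scheme, the wp-config.php constant and a salt rotation, as an added example that is not from the article. It assumes a Linux host where PHP runs as the file owner (a per-site php-fpm pool), so wp-config.php gets 400; with a shared web-server user pass 440 and make that user's group the group owner of the file. rotate_salts fetches from the API the article links and needs outbound HTTPS, so the demo exercises replace_salts with constructed values instead. The fixture install tree is constructed.

```shell
#!/usr/bin/env bash
# Added example (not from the page) for Step 5: DISALLOW_FILE_EDIT placement, salt
# rotation, and the 644/755/400 permission scheme with a drift check.
set -u

# Insert define( 'NAME', VALUE ) above the "stop editing" marker, where the WordPress
# docs place custom constants; appended at the end if the marker is absent. Does
# nothing if the constant is already defined, so you never end up with two copies.
wp_config_set() {            # usage: wp_config_set wp-config.php DISALLOW_FILE_EDIT true
  local cfg=$1 name=$2 value=$3 tmp
  if grep -qE "define\([[:space:]]*['\"]$name['\"]" "$cfg"; then
    return 0
  fi
  tmp=$(mktemp)
  LINE="define( '$name', $value );" awk '
    /stop editing/ && !done { print ENVIRON["LINE"]; done = 1 }
    { print }
    END { if (!done) print ENVIRON["LINE"] }
  ' "$cfg" > "$tmp" && cat "$tmp" > "$cfg" && rm -f "$tmp"
}

# Replace the AUTH_KEY..NONCE_SALT defines with the block in $2 (inserted where the
# first old one was). Every session cookie, including any the attacker holds, becomes
# invalid. If the file has no salt lines at all, nothing changes; add them by hand.
replace_salts() {            # usage: replace_salts wp-config.php "$fresh_defines"
  local cfg=$1 tmp
  tmp=$(mktemp)
  FRESH="$2" awk '
    /define\([[:space:]]*['\''"](AUTH|SECURE_AUTH|LOGGED_IN|NONCE)_(KEY|SALT)['\''"]/ {
      if (!done) { print ENVIRON["FRESH"]; done = 1 }
      next
    }
    { print }
  ' "$cfg" > "$tmp" && cat "$tmp" > "$cfg" && rm -f "$tmp"
}

# Fetch fresh values from the API named in Step 4; needs outbound HTTPS, not run in demo.
rotate_salts() {             # usage: rotate_salts wp-config.php
  local fresh
  fresh=$(curl -fsS https://api.wordpress.org/secret-key/1.1/salt/) || return 1
  replace_salts "$1" "$fresh"
}

# The scheme from the list. Do wp_config_set/replace_salts before this, since a 400
# wp-config.php cannot be rewritten by its owner afterwards.
harden_permissions() {       # usage: harden_permissions /var/www/site [400|440]
  local root=$1 cfg_mode=${2:-400}
  find "$root" -type d -exec chmod 755 {} +
  find "$root" -type f -exec chmod 644 {} +
  chmod "$cfg_mode" "$root/wp-config.php"
}

# Everything that deviates from the scheme; empty output means it holds. Re-run after
# plugin updates, since installers sometimes loosen modes again.
permission_drift() {         # usage: permission_drift /var/www/site [400|440]
  local root=$1 cfg_mode=${2:-400}
  find "$root" -type d ! -perm 755
  find "$root" -type f ! -name wp-config.php ! -perm 644
  find "$root" -maxdepth 1 -name wp-config.php ! -perm "$cfg_mode"
}

# Constructed fixture: a minimal install with placeholder salts and deliberately
# sloppy modes. Echoes the site root.
make_fixture() {
  local root
  root=$(mktemp -d)/wordpress
  mkdir -p "$root/wp-includes" "$root/wp-content/uploads"
  cat > "$root/wp-config.php" <<'EOF'
<?php
define( 'DB_NAME', 'wp_site' );
define( 'AUTH_KEY',         'put your unique phrase here' );
define( 'SECURE_AUTH_KEY',  'put your unique phrase here' );
define( 'NONCE_SALT',       'put your unique phrase here' );
/* That's all, stop editing! Happy publishing. */
require_once ABSPATH . 'wp-settings.php';
EOF
  printf '<?php\n' > "$root/wp-includes/load.php"
  chmod 777 "$root/wp-includes" "$root/wp-includes/load.php"
  echo "$root"
}

demo() {
  local root
  root=$(make_fixture)
  wp_config_set "$root/wp-config.php" DISALLOW_FILE_EDIT true
  harden_permissions "$root" 400
  echo "== drift (expect nothing)"; permission_drift "$root" 400
  echo "== wp-config.php"; cat "$root/wp-config.php"
}
demo
```

The drift check is the part worth keeping around: put permission_drift in a cron job and have it mail you when the output is non-empty, which catches both a sloppy update and an attacker who needs a writable directory.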
Step 6: Request Google Review
If Google flagged your site as dangerous, you need to
request a review once it is clean. In Google Search Console, go to Security
Issues. Review every detected issue and the sample URLs Google lists for it, confirm
each one is fixed, and only then click "Request Review." Google typically reviews
within a few days and removes the warning once satisfied your site is clean; a
review requested while malware remains is rejected, so finish the cleanup first.
Final Thoughts
A hacked WordPress site is stressful but recoverable. The
most important lessons to take away are about prevention: keep everything
updated, use strong unique passwords, use two-factor authentication, and back
up your site regularly to an external location. A clean daily backup means the
worst case of a future hack is a few hours of restoration work rather than a
catastrophic loss.