
Recover a Hacked WordPress Site

Clean malware from your WordPress site, close the vulnerability, and get back online.

Your WordPress site is showing malware warnings, redirecting visitors, or displaying spam content. Here’s how to clean it up and prevent reinfection.

🔧 Skill Level: Developer or IT professional required

This involves server access, file system changes, and database operations. If you’re not comfortable with FTP, phpMyAdmin, or editing code, share this guide with your developer.

What this covers: How to confirm a hack, lock down access, scan and remove malware, clean your database, restore from backup if needed, and harden your site against reinfection.

Who it’s for: WordPress site owners or developers dealing with malware warnings, spam redirects, or unauthorized admin accounts.

Key outcome: You’ll have a clean WordPress installation with malware removed, all passwords reset, security plugins installed, and hardening measures in place to prevent future compromises.

Time to read: 8 minutes

Part of: Security & Infrastructure series

Confirm You’re Actually Hacked

Before cleanup, verify that what you are seeing is a compromise and not a broken plugin, theme update or DNS/hosting change:

  1. Google Search Console – Check the Security Issues section
  2. Sucuri SiteCheck – Free external scan; it sees what the rendered pages serve, not backdoors on disk
  3. VirusTotal – Submit your URL
  4. Visit in incognito – See what visitors see; many injections only fire for visitors arriving from a search engine or on a mobile browser, so also try with a search-engine referrer and a mobile user agent

Common signs:

  • Redirects to spam/casino/pharma sites
  • Foreign language content you didn’t add
  • Unknown admin users in WordPress
  • Google showing “This site may be hacked” warning
  • Hosting provider suspended your account

Emergency Recovery Steps

Step 1: Preserve Evidence and Lock Down Access (15 minutes)

Before deleting anything, take a full copy of the files and the database (or a hosting snapshot) and keep it outside the web root: you will need it to work out how the attacker got in and to recover content if the cleanup goes wrong. If the site is actively redirecting visitors or serving spam, put it in maintenance mode or take it offline while you work.

Change ALL passwords immediately:

  • All WordPress admin users
  • Hosting control panel (cPanel, Plesk)
  • FTP/SFTP accounts
  • Database (MySQL) password, then update DB_PASSWORD in wp-config.php

Plan to rotate them all again once the site is clean: while a backdoor is still on the server, the attacker can read the new database credentials straight out of wp-config.php.

Remove unauthorized users:

  1. Go to Users → All Users
  2. Delete any admin accounts you didn’t create; when WordPress asks what to do with their content, review it rather than reassigning it blindly (spam posts should go, legitimate posts from a hijacked account can be reassigned to you)
  3. Check the role of every remaining account, not just recent registrations: attackers often elevate an existing user or pick an innocuous-looking login

Step 2: Update Everything (30 minutes)

Outdated software is the most common way in, but updating in place only replaces the files WordPress knows about; anything the attacker added stays on disk, which is why Step 3 still matters:

  1. Dashboard → Updates → Update WordPress core (if core is already current, use the re-install button on the same screen to overwrite the core files with a fresh copy)
  2. Update ALL plugins (Plugins → Installed Plugins → Select All → Update)
  3. Update ALL themes
  4. Delete unused plugins and themes (don’t just deactivate: a deactivated plugin’s files are still on disk and still reachable by URL)

Step 3: Scan and Clean (60 minutes)

Option A: Use Wordfence (recommended):

  1. Install Wordfence Security
  2. Go to Wordfence → Scan → Start New Scan
  3. Wait for scan (15-30 min)
  4. Review results and clean detected threats; for core, plugin and theme files it compares against the official copies, so let it repair those and read anything else it flags yourself

A scanner running inside a compromised install can be blinded by the malware it is looking for, so pair it with an external scan (Sucuri SiteCheck) and the manual checks below.

Option B: Manual inspection:

Download a copy of the site over SFTP and inspect that rather than editing live. Check these locations for suspicious .php files:

  • /wp-content/uploads/ – Should contain only media; any .php file here is a web shell until proven otherwise, and a stray .htaccess in its subfolders that adds a PHP handler means someone needed PHP to run there
  • /wp-includes/ and /wp-admin/ – Should match a fresh WordPress download of the same version; extra or differing files are suspect (WP-CLI’s wp core verify-checksums command automates the comparison)
  • /.htaccess – Look for redirect rules pointing at other domains, added handlers, or php_value auto_prepend_file directives
  • /wp-config.php – Check for injected code or unfamiliar include/require lines at the beginning or end

Red flags in code:

  • eval(base64_decode(...)), or eval() wrapped around gzinflate(), gzuncompress() or str_rot13()
  • $_GET, $_POST, $_REQUEST or $_COOKIE values passed straight into eval(), assert(), system(), exec() or an include
  • preg_replace() with the /e modifier, or create_function()
  • Suspicious file_get_contents() or curl calls to remote URLs
  • Hidden iframes (display:none, zero width or height) and injected script tags
  • Encoded/obfuscated strings: long base64 blobs, hex escapes such as "\x65\x76\x61\x6c" (which spells eval), or function names assembled by string concatenation
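
The manual checks above, as a script you can run over a local copy of the site. This is an added example for this guide, not code from WordPress, Wordfence or Sucuri; it assumes the site root is a local directory with the default wp-content/uploads, wp-includes and wp-admin layout, and both the indicator patterns and the sample files built by build_sample_tree() are constructed for illustration:

```python
"""Triage a local copy of a WordPress tree for the red flags listed above."""
import os
import re
import tempfile
import time
from pathlib import Path

# Constructed indicator list for PHP: obfuscated payload execution and request
# data flowing straight into an execution primitive. Extend it as you learn more.
PHP_INDICATORS = [
    ("eval of a decoded payload",
     re.compile(r"eval\s*\(\s*(base64_decode|gzinflate|gzuncompress|str_rot13)\s*\(", re.I)),
    ("request parameter passed to an execution primitive",
     re.compile(r"\b(eval|assert|system|passthru|shell_exec|exec)\s*\(\s*\$_(GET|POST|REQUEST|COOKIE)\b", re.I)),
    ("preg_replace with the /e modifier (code execution)",
     re.compile(r"preg_replace\s*\(\s*['\"][^'\"]*/e['\"]", re.I)),
    ("create_function (runtime code generation)",
     re.compile(r"\bcreate_function\s*\(", re.I)),
    ("hidden iframe",
     re.compile(r"<iframe[^>]*(display\s*:\s*none|visibility\s*:\s*hidden|width\s*=\s*[\"']?0)", re.I)),
    ("long base64 blob",
     re.compile(r"[A-Za-z0-9+/]{200,}={0,2}")),
]

# Constructed indicators for .htaccess: redirects to other hosts, PHP execution
# (re)enabled, or a file prepended to every request.
HTACCESS_INDICATORS = [
    ("rewrite to an external URL", re.compile(r"Rewrite(Rule|Cond).*https?://", re.I)),
    ("PHP handler added", re.compile(r"AddHandler|SetHandler|AddType\s+application/x-httpd-php", re.I)),
    ("auto_prepend_file/auto_append_file", re.compile(r"auto_(prepend|append)_file", re.I)),
]

PHP_EXTENSIONS = (".php", ".phtml", ".php5", ".php7", ".phar")


def scan_tree(root, recent_days=7, now=None):
    """Walk `root` and return a list of (relative path, reason) findings.

    Flags any PHP file under wp-content/uploads, PHP or .htaccess content that
    matches an indicator, and files changed within `recent_days`. Attackers can
    forge mtimes with touch, so a recent timestamp is a hint, not proof.
    """
    root = Path(root)
    now = time.time() if now is None else now
    findings = []
    for path in sorted(root.rglob("*")):
        if not path.is_file():
            continue
        rel = path.relative_to(root).as_posix()
        name = path.name.lower()
        is_php = name.endswith(PHP_EXTENSIONS)
        is_htaccess = name == ".htaccess"
        if is_php and rel.startswith("wp-content/uploads/"):
            findings.append((rel, "PHP file inside wp-content/uploads"))
        if is_php or is_htaccess:
            text = path.read_text(encoding="utf-8", errors="replace")
            for label, pattern in (HTACCESS_INDICATORS if is_htaccess else PHP_INDICATORS):
                if pattern.search(text):
                    findings.append((rel, label))
        if now - path.stat().st_mtime < recent_days * 86400:
            findings.append((rel, f"modified within the last {recent_days} days"))
    return findings


def build_sample_tree(base):
    """Constructed mini site under `base`: two clean year-old files, a web shell
    dropped in uploads, a tampered root .htaccess and a modified core file."""
    base = Path(base)
    year_ago = time.time() - 365 * 86400
    files = {
        "wp-content/uploads/2024/01/photo.jpg": (b"\xff\xd8\xff\xe0 (not really a jpeg)", year_ago),
        "wp-content/plugins/hello.php": (b"<?php\n// Hello Dolly, untouched\n", year_ago),
        ".htaccess": (b"RewriteEngine On\nRewriteRule ^(.*)$ http://spam.example/$1 [R=301,L]\n", None),
        "wp-content/uploads/2024/01/wp-cache.php": (b"<?php eval(base64_decode($_POST['c'])); ?>\n", None),
        "wp-includes/class-wp-loader.php": (b"<?php preg_replace(\"/.*/e\", $_REQUEST['q'], '');\n", None),
    }
    for rel, (content, mtime) in files.items():
        path = base / rel
        path.parent.mkdir(parents=True, exist_ok=True)
        path.write_bytes(content)
        if mtime is not None:            # None = leave as just written (recent)
            os.utime(path, (mtime, mtime))
    return base


def demo():
    """Build the sample tree in a temp dir, scan it and return the findings."""
    with tempfile.TemporaryDirectory() as tmp:
        return scan_tree(build_sample_tree(tmp))


if __name__ == "__main__":
    for rel, reason in demo():
        print(f"{rel}: {reason}")
```

Every hit still needs a human to read the file: some legitimate plugins ship base64-encoded assets, caching plugins write their own .htaccess rules, and a forced-HTTPS rewrite will trip the external-URL check. Treat the output as a worklist, not a verdict, and compare wp-includes and wp-admin against a fresh download of the same version.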

Step 4: Clean Database (30 minutes)

Access phpMyAdmin through your hosting panel, and export a full database backup before you run any DELETE. The queries below assume the default wp_ table prefix; substitute yours if it differs.

Find spam posts (extend the keyword list to whatever you saw on the site; injected content also hides in post revisions and in wp_postmeta):

SELECT * FROM wp_posts WHERE post_content LIKE '%casino%'
OR post_content LIKE '%pharmacy%' OR post_content LIKE '%viagra%';

Find unauthorized users (replace the date with when you believe the compromise began; this misses an existing account that was elevated, so also check wp_usermeta rows with meta_key wp_capabilities whose meta_value contains administrator):

SELECT * FROM wp_users WHERE user_registered > '2026-01-01';

Check for malicious options (base64 also appears in legitimate serialized settings, so read each hit rather than deleting on sight; also confirm siteurl, home and active_plugins have not been altered):

SELECT * FROM wp_options WHERE option_value LIKE '%eval%'
OR option_value LIKE '%base64%';

Delete spam content and unauthorized users only after confirming each one by hand.
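
The same database checks in one runnable form, with an admin query that goes by capability rather than registration date. This is an added example for this guide, not WordPress or phpMyAdmin code: it builds an in-memory SQLite database with the column names of wp_users, wp_usermeta, wp_options and wp_posts and constructed rows, so it runs offline; against the real site you would run the same SQL in phpMyAdmin or the mysql client after backing up the database. The known_logins set, the expected site URL and the spam keyword list are assumptions you adjust to your own site:

```python
"""Database triage for a hacked WordPress site, run here against a constructed
SQLite copy that uses WordPress's column names."""
import sqlite3

# Constructed schema: only the columns the queries use, named as in WordPress.
SAMPLE_SCHEMA = """
CREATE TABLE wp_users (ID INTEGER PRIMARY KEY, user_login TEXT, user_email TEXT, user_registered TEXT);
CREATE TABLE wp_usermeta (umeta_id INTEGER PRIMARY KEY, user_id INTEGER, meta_key TEXT, meta_value TEXT);
CREATE TABLE wp_options (option_id INTEGER PRIMARY KEY, option_name TEXT, option_value TEXT, autoload TEXT);
CREATE TABLE wp_posts (ID INTEGER PRIMARY KEY, post_title TEXT, post_content TEXT, post_status TEXT, post_type TEXT);
"""

# Constructed rows: the owner, an editor whose role was quietly elevated, an
# account the attacker created, a tampered home URL, an injected widget and a
# spam post. Roles live in wp_usermeta as a PHP-serialised array.
SAMPLE_ROWS = """
INSERT INTO wp_users VALUES (1, 'owner', 'owner@example.com', '2019-03-01 10:00:00');
INSERT INTO wp_users VALUES (2, 'editor_jane', 'jane@example.com', '2021-06-15 09:30:00');
INSERT INTO wp_users VALUES (3, 'wp-support', 'x@mail.example', '2024-11-02 03:12:44');
INSERT INTO wp_usermeta VALUES (1, 1, 'wp_capabilities', 'a:1:{s:13:"administrator";b:1;}');
INSERT INTO wp_usermeta VALUES (2, 2, 'wp_capabilities', 'a:1:{s:13:"administrator";b:1;}');
INSERT INTO wp_usermeta VALUES (3, 3, 'wp_capabilities', 'a:1:{s:13:"administrator";b:1;}');
INSERT INTO wp_options VALUES (1, 'siteurl', 'https://example.com', 'yes');
INSERT INTO wp_options VALUES (2, 'home', 'https://spam.example', 'yes');
INSERT INTO wp_options VALUES (3, 'active_plugins', 'a:1:{i:0;s:19:"akismet/akismet.php";}', 'yes');
INSERT INTO wp_options VALUES (4, 'widget_text', 'a:1:{i:2;a:1:{s:4:"text";s:49:"<script src="https://spam.example/x.js"></script>";}}', 'yes');
INSERT INTO wp_posts VALUES (1, 'Welcome', 'Hello world', 'publish', 'post');
INSERT INTO wp_posts VALUES (2, 'Best online casino bonus', 'cheap viagra from our pharmacy', 'publish', 'post');
"""


def sample_db():
    conn = sqlite3.connect(":memory:")
    conn.executescript(SAMPLE_SCHEMA + SAMPLE_ROWS)
    return conn


def find_admins(conn):
    """Every account holding the administrator capability, whenever it registered."""
    return conn.execute("""
        SELECT u.ID, u.user_login, u.user_email, u.user_registered
        FROM wp_users u JOIN wp_usermeta m ON m.user_id = u.ID
        WHERE m.meta_key = 'wp_capabilities' AND m.meta_value LIKE '%administrator%'
        ORDER BY u.ID""").fetchall()


def unexpected_admins(conn, known_logins):
    """Admins not on your list of people who should have the role (an assumption
    you supply); catches created and elevated accounts alike."""
    return [row for row in find_admins(conn) if row[1] not in known_logins]


def find_spam_posts(conn, keywords=("casino", "pharmacy", "viagra", "payday")):
    """Posts whose title or body matches a spam keyword; extend the list to what
    you saw on the site."""
    where = " OR ".join("post_title LIKE ? OR post_content LIKE ?" for _ in keywords)
    params = [f"%{k}%" for k in keywords for _ in range(2)]
    return conn.execute(f"SELECT ID, post_title FROM wp_posts WHERE {where} ORDER BY ID", params).fetchall()


def find_suspicious_options(conn):
    """Autoloaded options carrying script/iframe tags or eval/base64 calls.
    base64 also appears in legitimate serialised data, so read every hit."""
    return conn.execute("""
        SELECT option_name FROM wp_options
        WHERE autoload = 'yes' AND (
              option_value LIKE '%<script%' OR option_value LIKE '%<iframe%'
           OR option_value LIKE '%eval(%'   OR option_value LIKE '%base64_decode%')
        ORDER BY option_id""").fetchall()


def check_site_urls(conn, expected):
    """siteurl and home are a favourite target for redirect injections."""
    rows = conn.execute(
        "SELECT option_name, option_value FROM wp_options "
        "WHERE option_name IN ('siteurl', 'home') ORDER BY option_id").fetchall()
    return [(name, value) for name, value in rows if value != expected]


def demo(known_logins=("owner",), expected_url="https://example.com"):
    """Run every check against the constructed copy and return the report."""
    conn = sample_db()
    return {
        "unexpected_admins": [row[1] for row in unexpected_admins(conn, set(known_logins))],
        "spam_posts": [row[0] for row in find_spam_posts(conn)],
        "suspicious_options": [row[0] for row in find_suspicious_options(conn)],
        "tampered_urls": check_site_urls(conn, expected_url),
    }


if __name__ == "__main__":
    for check, result in demo().items():
        print(f"{check}: {result}")
```

The capability join is the part worth carrying over to the real database: a date filter on user_registered never sees editor_jane, who was elevated rather than created, while the join on wp_capabilities lists her alongside the account the attacker added.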

Step 5: Replace .htaccess (5 minutes)

Replace your .htaccess with a clean version. Re-add any rules you know you need (HTTPS redirects, caching-plugin blocks) afterwards, adjust RewriteBase and the /index.php path if WordPress lives in a subdirectory, and delete any .htaccess files you did not create in subdirectories, especially under /wp-content/uploads/, where attackers use them to re-enable PHP execution:

# BEGIN WordPress
<IfModule mod_rewrite.c>
RewriteEngine On
RewriteBase /
RewriteRule ^index\.php$ - [L]
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteRule . /index.php [L]
</IfModule>
# END WordPress

Step 6: Regenerate Security Keys (5 minutes)

Regenerating the keys and salts invalidates every existing login session and auth cookie, including any the attacker still holds:

  1. Go to the WordPress secret key generator at https://api.wordpress.org/secret-key/1.1/salt/
  2. Copy the generated keys
  3. Replace the eight define() lines (AUTH_KEY through NONCE_SALT) in wp-config.php
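
Rotating the keys locally without visiting the generator, as an added example for this guide (not WordPress code; the api.wordpress.org generator does the same thing server-side). It assumes wp-config.php uses the stock define('NAME', 'value') form for the eight keys, and the SAMPLE_CONFIG below is a constructed fresh config still carrying the placeholder values:

```python
"""Rotate the eight keys and salts in wp-config.php with a CSPRNG."""
import re
import secrets
import string
import sys

KEY_NAMES = ("AUTH_KEY", "SECURE_AUTH_KEY", "LOGGED_IN_KEY", "NONCE_KEY",
             "AUTH_SALT", "SECURE_AUTH_SALT", "LOGGED_IN_SALT", "NONCE_SALT")

# Printable ASCII minus the quote and backslash characters that would break a
# PHP string literal (the official generator leaves the same characters out).
ALPHABET = "".join(c for c in string.ascii_letters + string.digits + string.punctuation
                   if c not in "'\"\\")

# Matches define('AUTH_KEY', '...'); in either quote style, tolerating spaces.
# Groups: 1 = name quote, 2 = key name, 3 = value quote, 4 = current value.
KEY_LINE = re.compile(
    r"define\(\s*(['\"])(" + "|".join(KEY_NAMES) + r")\1\s*,\s*(['\"])((?:(?!\3).)*)\3\s*\)\s*;"
)

# Constructed sample: a fresh wp-config.php that was never given real keys.
SAMPLE_CONFIG = """<?php
define( 'DB_NAME', 'wp_site' );
define('AUTH_KEY',         'put your unique phrase here');
define('SECURE_AUTH_KEY',  'put your unique phrase here');
define('LOGGED_IN_KEY',    'put your unique phrase here');
define('NONCE_KEY',        'put your unique phrase here');
define('AUTH_SALT',        'put your unique phrase here');
define('SECURE_AUTH_SALT', 'put your unique phrase here');
define('LOGGED_IN_SALT',   'put your unique phrase here');
define('NONCE_SALT',       'put your unique phrase here');
$table_prefix = 'wp_';
"""


def generate_key(length=64):
    """One key: 64 characters drawn with the secrets module, never random.random."""
    return "".join(secrets.choice(ALPHABET) for _ in range(length))


def rotate_keys(config_text):
    """Return (new_text, names_replaced). Lines that do not match the stock
    define() form are left alone, so nothing else in the file is rewritten."""
    replaced = []

    def sub(match):
        name = match.group(2)
        replaced.append(name)
        return f"define('{name}', '{generate_key()}');"

    return KEY_LINE.sub(sub, config_text), replaced


def extract_keys(config_text):
    """Map key name -> current value, for checking a config before and after."""
    return {m.group(2): m.group(4) for m in KEY_LINE.finditer(config_text)}


def rotate_file(path):
    """Rewrite wp-config.php in place. Keep your backup copy outside the web
    root: a wp-config.php.bak left beside it can be downloaded by anyone."""
    with open(path, encoding="utf-8") as fh:
        text = fh.read()
    new_text, replaced = rotate_keys(text)
    if len(replaced) != len(KEY_NAMES):
        raise SystemExit(f"only {len(replaced)} of {len(KEY_NAMES)} keys matched; edit by hand")
    with open(path, "w", encoding="utf-8") as fh:
        fh.write(new_text)
    return replaced


if __name__ == "__main__":
    if len(sys.argv) > 1:
        print("rotated:", ", ".join(rotate_file(sys.argv[1])))
    else:
        print(rotate_keys(SAMPLE_CONFIG)[0])
```

Run it with the path to wp-config.php as the only argument; with no argument it prints the rotated sample so you can see the output format. Because the rewrite is anchored to the exact define() form, a config that has been hand-edited into another shape fails loudly rather than being half-rotated.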

Prevent Reinfection

Immediate actions:

  • Install Wordfence or Sucuri for ongoing protection
  • Enable automatic updates: core on Dashboard → Updates, plugins and themes per item on their list screens (WordPress 5.5 and later)
  • Set up daily backups with UpdraftPlus, stored off the server
  • Enable 2FA for all admin accounts (see our 2FA Guide)

Security hardening:

  • Change database table prefix if using default wp_ (low value on its own: it does not stop SQL injection, which usually reads the prefix from the database anyway)
  • Disable file editing: Add define('DISALLOW_FILE_EDIT', true); to wp-config.php
  • Block PHP execution under /wp-content/uploads/ in your web-server configuration
  • Limit login attempts (Wordfence does this)
  • Use long, unique passwords from a password manager (12+ characters is a floor, not a target)

Request Google Review

If Google flagged your site:

  1. Go to Google Search Console → Security Issues
  2. Review all flagged issues
  3. Click “Request Review” after cleanup
  4. Wait 24-72 hours for re-evaluation

When to Call a Professional

  • Infection keeps returning after cleanup
  • You can’t access wp-admin at all
  • Hosting provider won’t restore access
  • Site handles payments or sensitive data (a compromise there may also be a data breach you are obliged to report)
  • You don’t have a clean backup to restore from

Professional cleanup services:

  • Sucuri ($199+)
  • Wordfence ($179+)
  • Your hosting provider may offer malware removal

Confirming Your Site Is Clean

  • Wordfence/Sucuri scan comes back clean, and an external scan agrees
  • No unauthorized admin users
  • Site loads normally without redirects
  • Google Search Console shows no security issues
  • Automatic backups and security monitoring are running

Hacked Site Recovery Questions

How do I know if my WordPress site is really hacked?

Real signs: Google “This site may be hacked” warning, strange redirects, unknown admin users, unfamiliar files in wp-content, or your host suspended you. Extortion emails claiming you have been hacked, with no evidence beyond the threat itself, are usually scams.

Should I pay a ransom if my site is held hostage?

No. There’s no guarantee you’ll get access back, and payment encourages more attacks. Restore from backup instead. If you don’t have backups, hire a professional security firm—but don’t pay attackers.

How long does it take to clean a hacked site?

Simple malware: 2-4 hours. Complex compromise with backdoors: 1-2 days. Complete rebuild from clean backup: 1-4 hours depending on site complexity. Clean backups are always faster than cleaning infections.

How do I prevent getting hacked again?

Strong passwords + 2FA for all admin users, keep WordPress/plugins/themes updated, use a security plugin (Wordfence, Sucuri), and maintain regular backups. Most hacks exploit outdated software or weak passwords.

Hacked WordPress Site Questions Answered

How do I know if my WordPress site has been hacked?

Common signs: unexpected redirects to spam sites, new admin users you did not create, modified files (especially index.php or .htaccess), Google Search Console security warnings, hosting provider suspension notices, or your site appearing in Google results with spam keywords.

What should I do first when my WordPress site is hacked?

Immediately change all passwords (WordPress admin, hosting, FTP, database). Take the site offline or put it in maintenance mode to stop further damage. Do not delete anything yet. Scan with Wordfence or Sucuri to identify all infected files before cleaning.

Can I recover a hacked site without a backup?

Yes, but it is harder. Replace all WordPress core files with fresh copies from wordpress.org. Reinstall plugins and themes from original sources. Scan the database for injected content. The wp-content/uploads folder needs manual inspection since it cannot be replaced from a clean source.

How do I prevent my WordPress site from being hacked again?

Keep WordPress core, plugins, and themes updated. Use strong unique passwords and two-factor authentication. Remove unused plugins and themes. Install a security plugin (Wordfence or Sucuri). Limit login attempts. Choose hosting with server-level firewalls.

✓ Your Hacked Site Is Fully Recovered When

  • Malware scanner (Wordfence or Sucuri) returns a clean bill of health with zero findings
  • All admin accounts are verified as legitimate and passwords have been reset
  • WordPress core, all plugins, and all themes are updated to latest versions
  • A fresh backup has been created and stored offsite after cleanup
  • Google Search Console shows no security issues or manual actions

Test it: Run a full Wordfence scan, then check your site in Google’s Safe Browsing transparency report (transparencyreport.google.com) — both should show clean.