DEV Community

Calin V.

How to Fix a Hacked WordPress Website: Complete Recovery Guide

Quick Answer: To fix a hacked WordPress website, immediately change all passwords, scan for malware, remove malicious files, restore from a clean backup if needed, update everything, and implement prevention measures like WP Ghost to hide vulnerable paths from future attackers.

I have cleaned hundreds of hacked WordPress sites over the past 20 years. The process is always urgent, often stressful, and sometimes devastating for business owners who lose weeks of content or customer data.

But here's what I've learned: most WordPress hacks follow predictable patterns, and the recovery process, while time-sensitive, is methodical and manageable if you know the right steps.

This guide will walk you through exactly how to fix a hacked WordPress website, from immediate damage control to long-term prevention strategies that actually work.

How to Tell if Your WordPress Site is Actually Hacked
Before you panic, confirm the hack. I've seen site owners waste days "cleaning" false positives while real malware sits undetected.

The most reliable signs include:

  • Google warnings: "This site may be hacked" or "Deceptive site ahead" messages
  • Unexpected redirects: Your site sends visitors to spam, adult, or pharmaceutical sites
  • Unknown admin users: New administrator accounts you didn't create
  • Suspicious files: PHP files with random names in uploads folders or root directories
  • Performance issues: Sudden slowdowns from cryptocurrency mining scripts
  • Hosting alerts: Your web host suspends your account for malware distribution

Check your site in an incognito window, from a phone, and by clicking through from a search result rather than typing the address. Malware often cloaks: it serves clean pages to logged-in users and to direct visits, and injects the redirect only for visitors arriving from search engines or on mobile user agents, which is why the site owner is usually the last person to see it.

If you see any of these signs, proceed immediately to containment.

Step 1: Immediate Damage Control and Site Isolation

Time is critical. Every minute your hacked site stays online, it can infect visitors, damage your reputation, and spread malware to other sites on your server.

Put your site in maintenance mode:

  • Install a maintenance mode plugin if you can access wp-admin, or, on Apache, add these lines to the top of your .htaccess file, above the # BEGIN WordPress block:

RewriteEngine On
RewriteCond %{REMOTE_ADDR} !^203\.0\.113\.10$
RewriteCond %{REQUEST_URI} !^/maintenance\.html$
RewriteRule ^ - [R=503,L]
ErrorDocument 503 /maintenance.html

  • Replace 203.0.113.10 with your own public IP so you keep access while you work. Everyone else receives a 503 with maintenance.html as the body. A 503 tells search engines the outage is temporary; a redirect to a normal 200 page would let them index the maintenance page in place of your content. A rule that names /maintenance.html as the rewrite target together with R=503 does not serve it, because Apache drops the target for non-3xx status codes, which is why the ErrorDocument line is needed, and the second RewriteCond stops the error page itself from being answered with a 503. On Nginx there is no .htaccess: add an equivalent return 503 to the server block.
  • Create a simple maintenance.html page explaining temporary downtime

Document everything:

  • Take screenshots of error messages and suspicious content
  • Note when you first noticed issues
  • List any recent changes (plugins, themes, passwords)
  • Check other sites on your hosting account: If you have multiple WordPress installations, scan them all. Hackers often use one compromised site to attack others on the same server.

Do not delete files randomly at this stage. You need to understand what happened before you start removing evidence.

Step 2: Secure Your Access Points

Change every password immediately. I mean every single one.

WordPress admin passwords: Change passwords for all user accounts, especially administrators. Use a password manager to generate unique 20+ character passwords. Also delete any application passwords (in each user's profile) you did not create: they grant REST API access without ever touching the login form.

Hosting account credentials: Update your cPanel (or other control panel), SSH, FTP/SFTP, and database passwords. Hackers often steal these to maintain persistent access. While you are there, review ~/.ssh/authorized_keys and the account's cron jobs for entries you do not recognise; both are common ways of keeping a foothold that survives a WordPress-level cleanup.

Database password: Change your MySQL database password and update DB_PASSWORD in wp-config.php accordingly.

Here's a critical mistake I see: people change their WordPress admin password but forget about FTP access. Hackers use FTP to re-upload malware even after you clean the site.

After changing passwords, invalidate every existing session. The "Log Out Everywhere Else" button on a user profile only covers that one account; rotating the eight authentication keys and salts in wp-config.php (AUTH_KEY through NONCE_SALT) invalidates every login cookie on the site at once, including any the attacker is still holding.
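The salt rotation described above, as an added example that is not part of the original article: a POSIX shell function that replaces the eight key and salt constants in wp-config.php with fresh random values and leaves every other line alone. It assumes /dev/urandom and od are available; the wp-config.php it operates on is a constructed sample. On a real install with WP-CLI, wp config shuffle-salts does the same job.

```shell
#!/bin/sh
# Added example, not from the original article: rotate the eight WordPress
# authentication keys and salts in wp-config.php. WordPress signs every login
# cookie with these constants, so replacing all eight invalidates every session
# on the site at once, including any the attacker still holds.
# Assumes POSIX sh with /dev/urandom and od; the wp-config.php below is a
# constructed sample, not a real site's configuration.

SALT_NAMES="AUTH_KEY SECURE_AUTH_KEY LOGGED_IN_KEY NONCE_KEY AUTH_SALT SECURE_AUTH_SALT LOGGED_IN_SALT NONCE_SALT"

# 32 random bytes as 64 hex characters: safe inside a single-quoted PHP string.
new_secret() {
  od -An -tx1 -N32 /dev/urandom | tr -d ' \n'
}

is_salt_name() {
  for n in $SALT_NAMES; do
    [ "$1" = "$n" ] && return 0
  done
  return 1
}

# Rewrite each define('<SALT>', '...'); line with a fresh secret and leave every
# other line (database credentials, table prefix, custom constants) untouched.
rotate_salts() {     # rotate_salts <wp-config.php>
  cfg="$1"
  tmp="$cfg.rotating"
  : > "$tmp"
  while IFS= read -r line || [ -n "$line" ]; do
    name=$(printf '%s' "$line" | cut -d"'" -f2)
    if is_salt_name "$name" && printf '%s' "$line" | grep -q "^define('$name',"; then
      printf "define('%s', '%s');\n" "$name" "$(new_secret)" >> "$tmp"
    else
      printf '%s\n' "$line" >> "$tmp"
    fi
  done < "$cfg"
  mv "$tmp" "$cfg"
}

# Read the current value of a define('NAME', 'value'); line.
config_value() {     # config_value <wp-config.php> <NAME>
  grep "^define('$2'," "$1" | cut -d"'" -f4
}

# Constructed sample: stock placeholder salts, the state many hacked sites are in.
WORK=$(mktemp -d)
CFG="$WORK/wp-config.php"
cat > "$CFG" <<'EOF'
<?php
define('DB_NAME', 'wordpress');
define('DB_PASSWORD', 'rotated-in-step-2');
define('AUTH_KEY',         'put your unique phrase here');
define('SECURE_AUTH_KEY',  'put your unique phrase here');
define('LOGGED_IN_KEY',    'put your unique phrase here');
define('NONCE_KEY',        'put your unique phrase here');
define('AUTH_SALT',        'put your unique phrase here');
define('SECURE_AUTH_SALT', 'put your unique phrase here');
define('LOGGED_IN_SALT',   'put your unique phrase here');
define('NONCE_SALT',       'put your unique phrase here');
$table_prefix = 'wp_';
EOF

rotate_salts "$CFG"
grep "^define('" "$CFG"
```

Run it once, then reload a page that was logged in: the session is gone. Do this after the password changes, not before, so the attacker cannot simply log back in with a credential you have not rotated yet.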

Step 3: Scan for Malware and Backdoors

Now comes the detective work. You need to find every piece of malicious code before you can remove it.

Use multiple scanning tools:

  • Wordfence: Install the free version and run a deep scan. It catches most common malware signatures.
  • Sucuri SiteCheck: Free online scanner that checks your site from the outside
  • MalCare or Solid Security: Alternative scanners that might catch what others miss
  • Manual file inspection: Scanners miss sophisticated backdoors, and a scanner running inside a compromised WordPress can itself be tampered with. Work over SSH or SFTP, not only from wp-admin.

Check these locations manually:

  • wp-content/uploads/: Look for PHP files (they shouldn't be there), and for "images" whose content starts with <?php, such as a stray favicon_*.ico.
  • Root directory: Check for files with random names or recent modification dates. Treat the modification time as a hint, not proof: attackers routinely reset it with touch.
  • wp-admin/, wp-includes/ and the root-level core files (index.php, wp-login.php, wp-settings.php, xmlrpc.php and the other .php files shipped with WordPress): Compare checksums, not file sizes, against a fresh download of the same version. From a shell, wp core verify-checksums checks them against the hashes published by wordpress.org and also reports files that should not exist in those directories at all.
  • Active theme folder: Look for suspicious PHP code injected into template files, especially functions.php, header.php and footer.php, which run on every page load.
  • Check your .htaccess file: Hackers often add redirect rules here, frequently keyed on the user agent or referrer so that only mobile or search-engine visitors are redirected. Compare it to a backup or a fresh WordPress .htaccess, and look for extra .htaccess files in subdirectories such as uploads.
  • Database inspection: Malware hides in the database too.

Check:

  • wp_posts: post_content containing <script>, <iframe> or display:none blocks, plus spam posts and pages
  • wp_options: rows with autoload = 'yes' whose option_value contains <script or long base64 text (these are loaded on every request), and the cron row, where malware registers a WP-Cron event that re-downloads itself after a cleanup
  • wp_users and wp_usermeta: accounts you did not create, and wp_capabilities rows that grant administrator to accounts that should not have it

Document every malicious file and database entry you find. You'll need this list for the cleaning phase.
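The manual file checks above, as an added example that is not from the original article: a POSIX shell triage script that lists PHP under uploads (including PHP hidden behind image extensions), recently modified files, files using the obfuscation and execution functions malware favours, and cloaked redirect rules in any .htaccess. It assumes GNU find and grep; the WordPress tree it scans is constructed inline for the demo, with one deliberate false positive in wp-includes to show why every hit needs reading before it is removed.

```shell
#!/bin/sh
# Added example, not part of the original article: a first-pass triage of a
# WordPress tree covering the manual checks above. Every line it prints is a
# candidate to review and quarantine, not a verdict: core and legitimate
# plugins also call base64_decode(). Assumes POSIX sh with GNU find/grep;
# the directory tree below is constructed for the demo.

# 1. Anything PHP can execute under uploads, including "images" whose content
#    starts with a PHP tag (the favicon_*.ico trick).
find_php_in_uploads() {   # find_php_in_uploads <root>
  up="$1/wp-content/uploads"
  find "$up" -type f \( -iname '*.php' -o -iname '*.phtml' -o -iname '*.php[0-9]' \)
  find "$up" -type f \( -iname '*.ico' -o -iname '*.png' -o -iname '*.jpg' -o -iname '*.gif' \) \
    -exec grep -l -- '<?php' {} + 2>/dev/null || true
}

# 2. Files modified in the last N days, page cache excluded. Attackers reset
#    mtimes with touch, so an old mtime proves nothing; a fresh one is a lead.
recently_modified() {     # recently_modified <root> <days>
  find "$1" -type f -mtime "-$2" ! -path '*/wp-content/cache/*'
}

# 3. Obfuscation and code-execution primitives typical of webshells and
#    injected droppers, plus \x-escaped strings used to hide function names.
suspicious_code() {       # suspicious_code <root>
  grep -rlE 'base64_decode\(|eval\(|gzinflate\(|gzuncompress\(|str_rot13\(|create_function\(|assert\(|\\x[0-9a-fA-F]{2}\\x[0-9a-fA-F]{2}' \
    --include='*.php' --include='*.phtml' --include='*.ico' "$1" || true
}

# 4. .htaccess rules anywhere in the tree that send visitors off-site or key
#    on user agent / referrer: cloaked redirects for mobile and search traffic.
htaccess_redirects() {    # htaccess_redirects <root>
  find "$1" -type f -name .htaccess \
    -exec grep -HnE 'RewriteRule.*https?://|RewriteCond.*%\{(HTTP_USER_AGENT|HTTP_REFERER)\}|ErrorDocument.*https?://' {} + || true
}

# ---- constructed sample tree ----
ROOT=$(mktemp -d)
mkdir -p "$ROOT/wp-content/uploads/2025/03" "$ROOT/wp-includes" "$ROOT/wp-content/plugins/akismet"
printf 'JFIF (image bytes stand in here)' > "$ROOT/wp-content/uploads/2025/03/photo.jpg"
printf '<?php eval(base64_decode($_POST["c"]));' > "$ROOT/wp-content/uploads/2025/03/wp-cache.php"
printf 'GIF89a<?php @assert($_REQUEST["k"]);' > "$ROOT/wp-content/uploads/favicon_a7f3.ico"
printf '<?php\nfunction akismet_init() { return true; }\n' > "$ROOT/wp-content/plugins/akismet/akismet.php"
printf '<?php\nreturn base64_decode($encoded); // legitimate use inside core\n' > "$ROOT/wp-includes/class-wp-image-editor.php"
cat > "$ROOT/.htaccess" <<'EOF'
RewriteEngine On
RewriteCond %{HTTP_USER_AGENT} (android|iphone) [NC]
RewriteRule ^(.*)$ http://example.net/landing [R=302,L]
RewriteRule ^index\.php$ - [L]
EOF
# Age the legitimate files so the mtime check has something to separate.
touch -t 202401010000 "$ROOT/wp-content/uploads/2025/03/photo.jpg" \
  "$ROOT/wp-content/plugins/akismet/akismet.php" "$ROOT/wp-includes/class-wp-image-editor.php"

echo "== PHP under uploads";        find_php_in_uploads "$ROOT"
echo "== modified in last 7 days";  recently_modified "$ROOT" 7
echo "== suspicious code (review)"; suspicious_code "$ROOT"
echo "== .htaccess redirects";      htaccess_redirects "$ROOT"
```

Point the four functions at the real document root and feed the output into the list you are building for the cleaning phase. The core file that shows up under "suspicious code" is the point: that hit is legitimate, and only a checksum comparison against a fresh download, not a pattern match, tells you which core files are actually modified.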

How to Remove Malware from WordPress Files

This is where most people make dangerous mistakes. Deleting the wrong files can break your site permanently.

Create a backup first: Even of your infected site. You might need to reference original content later.

Start with obvious malware:

  • Move any PHP files in wp-content/uploads/ out of the web root into a quarantine directory rather than deleting them. You will want them later to work out how the attacker got in.
  • Quarantine files with suspicious names (common patterns: wp-config-tmp.php, wp-admin.php, index2.php)
  • Review, but do not blindly delete, files created after your last known-good backup date. Legitimate uploads and updates land in the same window, and attackers backdate their files.

Clean infected core files: Instead of trying to clean individual WordPress core files, replace the entire wp-admin and wp-includes directories.

  • Download fresh WordPress from wordpress.org, the same version you are running (or the latest, if you are ready to update core in the same step)
  • Move your wp-admin and wp-includes folders into the quarantine directory rather than deleting them
  • Upload the clean versions from the fresh download
  • Replace the root-level core files too (index.php, wp-login.php, wp-settings.php, wp-load.php, xmlrpc.php and the other .php files in the download); index.php is one of the most commonly injected files. The download contains no wp-config.php, so yours is never overwritten.
  • Inspect wp-config.php by hand: attackers append an include of a backdoor or a second set of database credentials here, and no fresh download fixes that.

Theme and plugin cleaning: This is trickier because you need to preserve customizations.

  • Deactivate all plugins and switch to a default theme
  • Delete and reinstall plugins from the WordPress repository (or from the vendor for premium plugins), at the same or a newer version
  • For custom themes, compare infected files to clean backups line by line
  • Look for base64_decode(), eval(), gzinflate(), str_rot13(), create_function() and assert() called on variable input, and for long \x-escaped or hex strings. These are common in malware, but some legitimate plugins use base64_decode() too, so read the surrounding code before removing anything

Database cleaning: Use phpMyAdmin or a database tool to:

  • Delete unauthorized admin users (and reassign or delete their posts)
  • Remove spam posts and comments
  • Clean malicious entries from wp_options, especially autoloaded options that contain scripts, and unknown scheduled events in the cron option

Test your site after each major cleaning step. If something breaks, you'll know exactly what caused it.

When to Restore from Backup vs. Manual Cleanup

This decision can save you hours of work, or cost you weeks of content.

Restore from backup when:

  • You have a recent clean backup (within days of the hack)
  • The infection is widespread across multiple themes and plugins
  • You find database corruption or extensive spam content
  • Manual cleaning would take longer than recreating recent content

Manual cleanup when:

  • Your last clean backup is weeks or months old
  • The malware is limited to a few specific files
  • You've made significant content or configuration changes since your last backup
  • You need to preserve recent customer data or orders

If you choose to restore:

  • Verify the backup is actually clean by scanning it first
  • Document any content created since the backup date
  • Restore to a staging environment first to test
  • Manually recreate critical recent changes

I typically recommend the "hybrid approach": reinstall core WordPress and plugins from fresh downloads rather than from the backup (a backup can carry the same backdoor), restore the database and uploads from the backup after scanning them, and manually recreate recent posts and configuration changes. This gives you the security of a clean installation while preserving important content.

Update Everything After Cleaning

Hackers exploit outdated software. After cleaning, update immediately, before bringing your site back online.

WordPress core: Update to the latest version through the dashboard or by uploading fresh files.

All plugins: Update every single plugin. Delete any you're not actively using.

Active theme: Update your theme, but back up customizations first.

PHP version: Check with your host about updating to the latest supported PHP version. Old PHP versions have known security vulnerabilities.

Server software: If you manage your own server, update Apache/Nginx, MySQL, and all server components.

This is also the perfect time to audit your plugins. I see sites with 50+ plugins where half are inactive or redundant. Each plugin is a potential attack vector.

Keep only plugins you actually need and trust. Research any unfamiliar plugins, some are abandoned or have known security issues.

How WP Ghost Prevents Future Attacks

Cleaning a hacked site addresses the symptoms, but prevention addresses the cause. This is where WP Ghost becomes essential to your security strategy.

WP Ghost is a hack-prevention WordPress plugin that reduces your attack surface by changing and securing default WordPress paths. Instead of cleaning up after attacks, it prevents them from succeeding in the first place.

  • Path security: WP Ghost changes your wp-admin, wp-login.php, wp-content, and other default paths that hackers target. When automated attacks hit /wp-admin, they find nothing, because your admin area is now at a custom URL only you know. Hiding paths cuts the noise from automated scanners; it does not patch vulnerable plugin code, so the updates from the previous section remain your first line of defence.

  • 8G Firewall integration: The plugin includes Jeff Starr's 8G firewall rules, blocking SQL injection, XSS, script injection, and other common attack vectors before they reach your WordPress code.

  • Brute force protection: WP Ghost protects login attempts with math reCAPTCHA, Google reCAPTCHA, or passkey authentication (Face ID, Touch ID, hardware security keys). It automatically blocks IPs after repeated malicious behavior.

  • Security headers: The plugin adds modern security headers like Content-Security-Policy and Strict-Transport-Security that protect against clickjacking, code injection, and man-in-the-middle attacks.

It works alongside scanning plugins like Wordfence: they handle detection and cleanup, while WP Ghost blocks most automated attacks before they reach your WordPress code. The free version includes all core protection features.

Essential Security Hardening Steps

After recovery, implement these hardening measures to prevent reinfection:

  • File permissions: Set correct permissions on all directories and files:

Directories: 755 or 750
Files: 644 or 640
wp-config.php: 600

The stricter values (750/640/600) assume PHP runs as the user who owns the files, which is the norm with php-fpm and on most shared hosts. If the web server runs as a different account (for example www-data with mod_php), it needs read access through the group: make the files group-owned by the web server user, use 750/640, and keep wp-config.php at 640. Nothing in a WordPress install needs to be executable or world-writable.

  • Disable file editing: Add this to wp-config.php to prevent hackers from editing themes and plugins through the dashboard:

define('DISALLOW_FILE_EDIT', true);

Place it above the "That's all, stop editing!" line. The stricter DISALLOW_FILE_MODS also blocks plugin and theme installs and updates from the dashboard, which is appropriate if you update from the command line with WP-CLI.

  • Limit login attempts: Use WP Ghost's brute force protection or a dedicated plugin to block repeated failed logins.

  • Two-factor authentication: Implement 2FA for all admin accounts. WP Ghost includes free 2FA with authenticator apps, email codes, and passkeys.

  • Regular backups: Schedule automated backups to multiple locations. Test restore procedures monthly.

  • Security monitoring: Set up alerts for file changes, failed logins, and suspicious activity.

  • SSL certificate: Ensure your site uses HTTPS everywhere. This protects data in transit and improves search rankings.

These measures work together. No single security plugin or technique is bulletproof, but layered defenses make successful attacks much harder.

The key insight: these plugins serve different purposes. WP Ghost prevents attacks from reaching your site, Wordfence detects and blocks threats that get through, and Sucuri provides cleanup services when prevention fails.

The most secure WordPress sites use multiple layers: WP Ghost for prevention, a scanning plugin for detection, and regular backups for recovery.

How to Monitor for Future Attacks

Recovery is just the beginning. Ongoing monitoring catches new attacks before they cause major damage.

  • File integrity monitoring: Set up alerts when core WordPress files change. Legitimate updates are scheduled and expected; everything else is suspicious.

  • Login monitoring: Track all admin logins, especially from new IP addresses or unusual times. Failed login attempts often precede successful attacks.

  • Traffic analysis: Monitor for unusual traffic patterns, especially requests to non-existent files or suspicious user agents.

  • Google Search Console: Enable security alerts to catch Google's malware warnings before users see them.

  • Uptime monitoring: Services like Pingdom alert you immediately if your site goes down — often the first sign of a successful attack.

  • Regular security scans: Schedule weekly automated scans with multiple tools. What one scanner misses, another might catch.

I recommend setting up a simple monitoring dashboard that aggregates all these alerts. When something goes wrong, you want to know immediately — not when customers start complaining.
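The file integrity monitoring described above, as an added example that is not from the original article: a baseline manifest of sha256 hashes taken after the cleanup, and a check that reports modified, added and removed files since. It assumes POSIX sh with sha256sum; the site tree and the "later compromise" are constructed samples. Note the added-file case: sha256sum -c on its own only re-checks files it already knows about, so a dropped-in backdoor would never be reported, which is why the check compares the two path lists rather than calling -c.

```shell
#!/bin/sh
# Added example, not from the original article: file integrity monitoring with
# nothing but sha256sum and awk. A baseline manifest is taken right after the
# clean-up (and again after every legitimate update); each later check reports
# files that were modified, added or removed since. Assumes POSIX sh with
# sha256sum; the site tree below is a constructed sample.

# Hash every file under the site except the page cache, paths relative to root.
fim_baseline() {     # fim_baseline <root> <manifest>
  ( cd "$1" && find . -type f ! -path './wp-content/cache/*' | LC_ALL=C sort |
      while IFS= read -r f; do sha256sum "$f"; done ) > "$2"
}

# Compare the current state with a manifest. Output: "<state> <path>" lines.
fim_check() {        # fim_check <root> <manifest>
  cur=$(mktemp)
  fim_baseline "$1" "$cur"
  awk 'NR == FNR { base[substr($0, 67)] = $1; next }   # first file: the baseline
       { p = substr($0, 67)                            # hash(64) + 2 spaces + path
         if (!(p in base)) print "added    " p
         else if (base[p] != $1) print "modified " p
         delete base[p] }
       END { for (p in base) print "removed  " p }' "$2" "$cur"
  rm -f "$cur"
}

# ---- constructed sample ----
ROOT=$(mktemp -d); BASE=$(mktemp)
mkdir -p "$ROOT/wp-admin" "$ROOT/wp-includes" "$ROOT/wp-content/uploads/2025" "$ROOT/wp-content/cache"
printf '<?php require __DIR__ . "/wp-blog-header.php";\n' > "$ROOT/index.php"
printf '<?php $wp_version = "0.0.0-sample";\n' > "$ROOT/wp-includes/version.php"
printf '<?php require_once "admin.php";\n' > "$ROOT/wp-admin/index.php"
printf 'JFIF (image bytes stand in here)\n' > "$ROOT/wp-content/uploads/2025/photo.jpg"
printf 'cached html\n' > "$ROOT/wp-content/cache/home.html"

fim_baseline "$ROOT" "$BASE"                                   # taken right after clean-up

# What a later compromise looks like: an injected core file, a dropped backdoor,
# a deleted file, and cache churn that must not trigger alerts.
printf '<?php eval($_POST["x"]); require __DIR__ . "/wp-blog-header.php";\n' > "$ROOT/index.php"
printf '<?php eval(base64_decode($_POST["c"]));\n' > "$ROOT/wp-content/uploads/2025/wp-cache.php"
rm "$ROOT/wp-includes/version.php"
printf 'cached html, regenerated\n' > "$ROOT/wp-content/cache/home.html"

fim_check "$ROOT" "$BASE"
```

Keep the manifest outside the web root, ideally on another host, since an attacker with write access to the site can otherwise edit it along with the files. Run fim_check from cron and mail any non-empty output; after each update you apply yourself, re-run fim_baseline so the expected changes stop alerting.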

Common Mistakes That Lead to Reinfection

I've seen sites get hacked again within days of cleaning. Here are the mistakes that cause reinfection:

  • Incomplete malware removal: Leaving even one backdoor file allows hackers to regain access. This is why thorough scanning is critical.

  • Not changing all passwords: Hackers often steal FTP or hosting credentials. Changing only your WordPress password isn't enough.

  • Restoring infected backups: Always scan backups before restoring. Infected backups just reintroduce the malware.

  • Ignoring the attack vector: If you don't fix the vulnerability that allowed the initial hack, attackers will use it again.

  • Rushing back online: Take time to properly secure your site before removing maintenance mode. A few extra hours of downtime beats another hack.

  • Not updating immediately: Outdated software is the most common attack vector. Update everything before going live.

  • Skipping prevention measures: Cleaning without hardening is like mopping the floor while the roof still leaks.

The most expensive mistake is treating hacks as one-time events instead of ongoing security challenges. WordPress security requires consistent attention, not just crisis response.
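Finding the attack vector, as an added example that is not from the original article: given the path of a quarantined backdoor, work back through the web server access log to the first request for it, take the client IP from that line, and list that IP's earlier requests, which is where the exploit normally sits. It assumes the default combined log format of Apache and Nginx and GNU grep; the log lines, the IPs and the plugin name "example-uploader" are constructed for the demo and describe no real plugin or vulnerability.

```shell
#!/bin/sh
# Added example, not from the original article: working back from a quarantined
# backdoor to the request that planted it. The first request for the backdoor's
# URL gives the attacker's IP; that IP's earlier requests usually contain the
# exploit (a POST to a plugin endpoint or an upload handler) and the probe that
# preceded it. Assumes the combined log format and POSIX sh with GNU grep. The
# log lines and the plugin name "example-uploader" are constructed for the demo
# and do not describe any real plugin or vulnerability.

# Escape a URL path for use in an extended regex.
re_escape() {
  printf '%s' "$1" | sed 's/[][\.*^$]/\\&/g'
}

# "<line number>:<log line>" of the first request for a path, with or without
# a query string; empty if the path was never requested.
first_request() {        # first_request <access.log> <path>
  grep -n -m1 -E "\"(GET|POST|HEAD) $(re_escape "$2")(\?[^ ]*)? HTTP" "$1" || true
}

# Client IP of the first request for the path (empty if none).
attacker_ip() {          # attacker_ip <access.log> <path>
  hit=$(first_request "$1" "$2")
  [ -n "$hit" ] || return 0
  printf '%s' "${hit#*:}" | cut -d' ' -f1
}

# Every request from that IP logged before the first request for the backdoor.
# The last few of these are where the exploit usually is.
exploit_candidates() {   # exploit_candidates <access.log> <path>
  hit=$(first_request "$1" "$2")
  [ -n "$hit" ] || return 0
  awk -v ip="$(printf '%s' "${hit#*:}" | cut -d' ' -f1)" -v n="${hit%%:*}" \
      'NR < n && $1 == ip' "$1"
}

# ---- constructed access log (combined format) ----
LOG=$(mktemp)
cat > "$LOG" <<'EOF'
198.51.100.7 - - [12/Mar/2025:02:14:01 +0000] "GET / HTTP/1.1" 200 5123 "-" "Mozilla/5.0"
203.0.113.45 - - [12/Mar/2025:02:15:09 +0000] "GET /wp-content/plugins/example-uploader/readme.txt HTTP/1.1" 200 812 "-" "python-requests/2.31"
203.0.113.45 - - [12/Mar/2025:02:15:11 +0000] "POST /wp-admin/admin-ajax.php?action=eu_upload HTTP/1.1" 200 57 "-" "python-requests/2.31"
203.0.113.45 - - [12/Mar/2025:02:15:12 +0000] "GET /wp-content/uploads/2025/03/wp-cache.php?c=aWQ= HTTP/1.1" 200 15 "-" "python-requests/2.31"
198.51.100.7 - - [12/Mar/2025:02:16:40 +0000] "GET /about/ HTTP/1.1" 200 7712 "-" "Mozilla/5.0"
203.0.113.45 - - [12/Mar/2025:02:17:03 +0000] "POST /wp-content/uploads/2025/03/wp-cache.php HTTP/1.1" 200 2210 "-" "python-requests/2.31"
EOF

BACKDOOR=/wp-content/uploads/2025/03/wp-cache.php
echo "first request: $(first_request "$LOG" "$BACKDOOR")"
echo "attacker ip:   $(attacker_ip "$LOG" "$BACKDOOR")"
echo "earlier requests from that IP (exploit candidates):"
exploit_candidates "$LOG" "$BACKDOOR" | sed 's/^/  /'
```

Cross-check the timestamp of the candidate POST against the backdoor's modification time from your quarantine manifest; they should line up to the second. If the first request for the backdoor comes from an address that never touched a plugin endpoint, the file was probably planted through a stolen account instead: search for POSTs to wp-admin around that timestamp and treat the account, not a plugin, as the vector. Either way, the endpoint or account you identify here is what has to be fixed before the site goes back online.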

When to Call Security Professionals

Some hacks are beyond DIY repair. Call professionals when:

  • Customer data is compromised: Credit card information, personal data, or login credentials require specialized forensic analysis and legal compliance.

  • Multiple sites are infected: Server-level compromises affect every site on your hosting account and require advanced cleanup techniques.

  • Business-critical downtime: If your site generates significant daily revenue, professional cleanup pays for itself in reduced downtime.

  • Sophisticated malware: Advanced persistent threats, custom malware, or rootkit infections need expert analysis.

  • Repeated reinfections: If your site keeps getting hacked despite your cleanup efforts, you're missing something important.

  • Legal or compliance requirements: Some industries require professional security incident response for regulatory compliance.

Professional cleanup typically costs $300-2000 depending on complexity, but includes forensic analysis, complete malware removal, security hardening, and guarantees against reinfection.

For most small business sites, DIY cleanup with proper tools and procedures works fine. But don't let pride cost you more money in extended downtime or customer trust.

Conclusion: From Crisis to Prevention

Fixing a hacked WordPress website follows a clear process: contain the damage, secure access, scan thoroughly, remove all malware, update everything, and implement prevention measures.

The key insight from 20 years of WordPress security work is this: cleanup is reactive, but security is proactive.

After recovery, focus on prevention. Use WP Ghost to hide vulnerable paths and reduce your attack surface. Implement proper backups, monitoring, and hardening. Keep everything updated.

Most importantly, treat security as an ongoing process, not a one-time fix. The best time to secure your WordPress site was before it got hacked. The second-best time is right now.

Your site will face constant attack attempts — that's the reality of running WordPress in 2026. But with proper prevention and monitoring, those attacks will fail harmlessly instead of turning into expensive cleanup projects.

FAQ

How long does it take to fix a hacked WordPress website?

Simple hacks with good backups can be fixed in 2-4 hours. Complex infections with extensive malware may take 1-2 days. The key is thorough scanning and testing before going back online.

Can I fix a hacked WordPress site without losing content?

Yes, if you have recent clean backups or if the malware is limited to specific files. Manual cleaning preserves content but takes longer. Always backup your infected site before starting cleanup in case you need to recover specific content.

Why does my WordPress site keep getting hacked?

Repeated hacks usually indicate incomplete malware removal, unchanged passwords, outdated software, or vulnerable plugins. The attack vector from the original hack remains open, allowing reinfection.

Should I pay hackers who demand ransom for my website?

Never pay ransoms. There's no guarantee hackers will restore your site, and payment encourages more attacks. Focus on proper backups and recovery procedures instead.

How do I know if my backup is clean or infected?

Scan backups with multiple security tools before restoring. Check the backup date against when you first noticed problems. If the backup predates the hack by several days, it's likely clean.

What's the difference between malware scanning and prevention plugins?

Scanning plugins like Wordfence detect and remove existing threats. Prevention plugins like WP Ghost stop attacks from succeeding in the first place by hiding vulnerable paths and blocking malicious requests. Use both for complete protection.
