Your WordPress site is showing a Google warning. Or redirecting to a spam site. Or you found files you did not upload.
Do not panic. Most WordPress hacks are fixable. Here is exactly how to clean it up.
Signs Your Site is Hacked
| Sign | Severity |
|---|---|
| Google shows "This site may be hacked" | Critical |
| Redirects to spam sites | Critical |
| Unknown admin users in dashboard | Critical |
| Strange files in wp-content | High |
| Modified .htaccess file | High |
| Sudden traffic drop | High |
Step 1: Do Not Delete Anything Yet
Take a full backup first. You might delete evidence you need, and backdoors are often in multiple locations.
Step 2: Change ALL Passwords Immediately
- WordPress admin password
- Database password
- FTP/SFTP password
- Hosting control panel password
Step 3: Identify the Infection
Using WP-CLI (SSH access)
Verify the WordPress core files against their official checksums, list recently modified PHP files, search for common malware signatures such as `eval(base64_decode(` and `FilesMan`, and find any PHP files in the uploads directory.
Common Malware Locations
- wp-config.php (extra code at top/bottom)
- .htaccess (redirect rules you did not add)
- wp-content/uploads/ (any .php files should not exist)
- Theme functions.php and header.php
- /tmp/ directory
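The Step 3 triage above, as an added shell script that is not part of the original post: it lists recently modified PHP files, greps for the `eval(base64_decode(` and `FilesMan` markers, flags PHP-like files under uploads, and runs the WP-CLI core checksum check when `wp` is installed. It assumes the site root is passed as the first argument; run without arguments it scans a constructed sample tree.

```shell
#!/usr/bin/env bash
# Added triage helper for Step 3; constructed for this article, not from the post.
# Assumes the WordPress site root is passed as $1; WP-CLI is optional.

# PHP files modified in the last N days (default 7).
recent_php() {
  find "$1" -type f -name '*.php' -mtime -"${2:-7}"
}

# Files containing the obfuscation / webshell markers named in the post.
signature_hits() {
  grep -rlE --include='*.php' \
    'eval[[:space:]]*\([[:space:]]*base64_decode|FilesMan' "$1"
}

# Uploads should hold media only; any PHP-like file there is suspect.
php_in_uploads() {
  find "$1/wp-content/uploads" -type f \
    \( -iname '*.php' -o -iname '*.phtml' -o -iname '*.php[0-9]' \)
}

# Compare core files with the official checksums when WP-CLI is present.
verify_core() {
  command -v wp >/dev/null 2>&1 || { echo "wp-cli not found; skipping core check"; return 0; }
  wp core verify-checksums --path="$1"
}

# Constructed sample tree (not a real site) so the scan can run offline.
make_sample() {
  d=$(mktemp -d)
  mkdir -p "$d/wp-content/uploads/2024/01" "$d/wp-content/themes/demo"
  printf '<?php echo "clean";\n' > "$d/wp-content/themes/demo/functions.php"
  printf '<?php eval(base64_decode("AAAA"));\n' > "$d/wp-content/themes/demo/header.php"
  printf '<?php /* FilesMan */\n' > "$d/wp-content/uploads/2024/01/image.php"
  printf 'GIF89a\n' > "$d/wp-content/uploads/2024/01/real.gif"
  echo "$d"
}

scan_site() {
  echo "== PHP files in uploads =="; php_in_uploads "$1"
  echo "== Signature hits =="; signature_hits "$1" || true
  echo "== PHP modified in last ${2:-7} days =="; recent_php "$1" "$2"
  verify_core "$1" || echo "core checksum mismatch reported; review the files listed above"
}

# Scan the given root, or the constructed sample when run without arguments.
if [ -n "${1:-}" ]; then scan_site "$1" "${2:-7}"; else scan_site "$(make_sample)"; fi
```

Treat every hit as a lead to inspect, not proof of infection; legitimate plugins occasionally use `base64_decode`, so compare each flagged file against a clean copy before deleting it.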
Step 4: Clean the Infection
- Replace WordPress Core - Download fresh WordPress, replace wp-admin and wp-includes
- Clean wp-config.php - Compare with sample, remove injected code
- Replace .htaccess - Use default WordPress rewrite rules
- Block PHP in Uploads - Add deny rules for .php files in uploads
- Reinstall Plugins - Delete all, reinstall from trusted sources only
Step 5: Harden Your Site
Essential Hardening
- Disable file editing: `define('DISALLOW_FILE_EDIT', true);` in wp-config.php
- Force SSL admin: `define('FORCE_SSL_ADMIN', true);` in wp-config.php
- Regenerate security keys from WordPress salt API
- Set file permissions: directories 755, files 644, wp-config.php 600
- Add security headers: X-Content-Type-Options, X-Frame-Options, Permissions-Policy
- Disable XML-RPC if not needed
Step 6: Request Google Review
If Google flagged your site, go to Search Console, Security Issues, click Request Review, describe your cleanup, and wait 7-14 days.
Prevention Checklist
- Keep WordPress core and plugins updated always
- Delete unused plugins and themes
- Never use nulled or pirated plugins (99 percent have backdoors)
- Strong passwords plus Two-Factor Authentication
- Regular backups with UpdraftPlus or BlogVault
- Install Wordfence free for firewall
- Limit login attempts
- Use SFTP instead of FTP
When to Get Professional Help
DIY cleanup works for simple infections. Get professional help if the malware keeps coming back, you are not comfortable with SSH, or you are losing revenue.
Professional Services
| Service | Price | Specialty |
|---|---|---|
| FixMalware.com | From $49 | WordPress and OpenCart manual cleanup, 9+ years experience |
| Sucuri | From $199/yr | Security platform with cleanup |
| Wordfence Care | Premium | Cleanup plus monitoring |
FixMalware.com provides manual malware removal with detailed reports. They handle WordPress malware removal and OpenCart malware removal within 1-24 hours.
Common Malware Types
Backdoor/Webshell - Allows attackers remote command execution via encoded PHP files.
SEO Spam Injection - Injects hidden keywords. Your site looks normal but Google sees spam.
Redirect Malware - Redirects visitors to spam sites via .htaccess or theme files.
Crypto Miner - Runs mining JavaScript in visitor browsers causing slowness.
Conclusion
Getting hacked is fixable. Act fast, be thorough, and harden after cleanup. Prevention is always cheaper than recovery.
Have you dealt with a WordPress hack? Share your experience in the comments.