How to Fix a Hacked WordPress Site: A Step-by-Step Guide for Recovery
32 min read
07 May 2026
By Aijaz Mughal
To fix a hacked WordPress site, you must immediately change all the credentials, scan for malware, remove all the malicious files, restore a clean backup of the website, update all plugins, themes, and PHP versions. Lastly, make sure to integrate essential security plugins like WP Ghost and WordFence to hide all the vulnerable paths from hackers.
As a trusted web development company with more than a decade in the industry, we have recovered hundreds of hacked WordPress websites. The process is not only urgent but also stressful, and it is often devastating for a business: a breach can lead to the loss of precious customer data and damage the company's reputation.
Key Takeaways
| Question | Answer |
| --- | --- |
| What to do if your website is hacked? | Enable maintenance mode + take a full backup immediately |
| How to know if your WordPress site is hacked? | Run Wordfence or Sucuri SiteCheck + check Google Search Console |
| Why do WordPress sites get hacked? | Outdated plugins, weak passwords, nulled themes, wrong file permissions |
| How to fix a hacked WordPress site? | Scan > Clean files > Clean database > Reset credentials > Reinstall |
| How to prevent future attacks on your WordPress site? | 2FA + WAF + regular updates + daily backups + weekly scans |
After analyzing multiple client cases in which the website had already been hacked before the client came to us, we have determined that the majority of WordPress hacks follow predictable patterns. The recovery process is systematic and manageable, but only if the developer knows the right set of recovery steps.
In this guide, we will walk you through the steps that you must take to fix a hacked WordPress website. From identification of the attack to instant damage control and long-term prevention strategies to secure your website, this guide covers it all.
How to Know if Your WordPress Site Is Hacked?
Not every weird glitch is a sign of a breach. Plugins conflict. Themes break. Servers hiccup. But when several strange things happen at once, that combination deserves a serious look.
Here is what a compromised WordPress site commonly looks like:
- Visitors are being redirected to unrelated, suspicious, or adult websites
- Your homepage has been defaced or now shows content you never published
- New admin accounts have appeared that nobody on your team created
- Google Search Console is showing a "Hacked content" or "Malware detected" warning
- Chrome greets your visitors with a "Deceptive site ahead" message
- You are locked out of your own dashboard despite entering the right password
- Traffic has dropped off suddenly with no clear SEO reason behind it
- Suspicious PHP files have appeared inside your /wp-content/uploads/ folder
- Emails sent from your domain are landing in spam or not arriving at all
- Customers are reporting pop-ups, strange redirects, or failed checkouts
Two or more of these together? Do not wait for more evidence. Treat it as confirmed and move straight to the steps below.
To confirm quickly: Run your URL through Sucuri SiteCheck (free, takes 60 seconds). Install Wordfence and run a full scan. Open Google Search Console and check under Security Issues. That combination will tell you almost everything you need to know.
Why Do WordPress Sites Get Hacked in the First Place?
Here is something worth knowing upfront: WordPress core is not the problem. It is not only actively maintained but is also patched on a regular basis and utilized by hundreds of millions of websites. The weaknesses that are exploited are nearly always in its surroundings.
Outdated plugins and themes are the biggest culprit by far. A security weakness in a plugin becomes a public target as soon as it is publicized; if the update has not been applied, bots will find it, because they are scanning constantly.
Weak or recycled passwords are the second most common entry point. Credential stuffing attacks take real passwords obtained from other data breaches and automatically try them on WordPress login pages. Without 2FA, there is no barrier between a compromised password and full administrative access.
Nulled themes and plugins deserve a special mention. They are pirated copies of premium software, offered free of charge, and most frequently contain malware: the backdoor is built into the code before you ever install it. Scanning or cleaning will not help as long as the source of the infection is still in your plugins folder.
Other common factors include loose file permissions that allow PHP to run inside upload folders, exposed backup files that contain database credentials, and the complete absence of a web application firewall, letting every brute force attempt hit the site directly.
None of this is complex to repair. The majority of hacks succeed because simple maintenance was not performed, not because the attackers are very advanced. To keep your WordPress website secure, it is therefore best to work with a reliable website maintenance company: such a company does not just monitor, resolve, and prevent attacks, but also offers services such as bug fixing, resolving technical glitches, UI/UX enhancements, and content updates, so that your website stays secure, up to date, and responsive across all devices.
How to Fix a Hacked WordPress Site: A Step-by-Step Guide
Read the steps below carefully to fix your hacked WordPress website.
Step 1: Take the Site Offline Immediately
Before anything else is touched, visitors need to be blocked from accessing the infected site. This is not optional. An active hack can push malware to your users, redirect them to phishing pages, or silently collect their data.
If dashboard access is still available, a plugin like SeedProd or LightStart can enable maintenance mode within minutes. Lost dashboard access? Use your hosting control panel to password-protect the directory or suspend public access temporarily.
Let your hosting provider know at this stage. On shared servers, infections have been known to spread across accounts. Getting ahead of that early saves a lot of trouble.
Step 2: Back Up the Entire Site, Infected or Not
Back up the hacked version before a single file is changed. This seems counterintuitive, but it matters.
If something goes wrong during cleanup and a critical file gets accidentally deleted, that backup is the only thing standing between you and a completely broken site. Security professionals also use infected backups to trace the attack vector, which helps prevent repeat incidents.
What needs to be included in the backup?
- The full /wp-content/ folder (themes, plugins, uploads)
- The wp-config.php file
- A complete database export from phpMyAdmin or your hosting panel
Tools like UpdraftPlus or BlogVault handle this cleanly. Manual ZIP exports through File Manager work too. Once the backup is saved, move it off the server entirely. Store it locally or in cloud storage. Label it something unmistakable like infected_backup_April2025.zip so it never gets confused with a clean restore point.
Step 3: Run a Full Malware Scan
Now the site is contained and backed up. Time to find out exactly what was planted and where.
Wordfence is the most widely used option here. It scans for modified core files, injected code, unfamiliar admin accounts, and suspicious file changes. Sucuri SiteCheck is good for a quick surface-level check. MalCare and WPScan go deeper into plugin-level vulnerabilities.
Run a plugin-based scan and, if the hosting provider offers one, a server-level scan on top of it. More data is better at this stage.
After the scans finish, every flagged item should be noted: file name, location, and what was found. Nothing gets deleted yet. Some items flagged by scanners are false positives, and deleting the wrong file can create new problems. Build the list first, act on it next.
Step 4: Clean Out Infected Files
This is the step most people dread, but it is more methodical than technical.
Open your files through your hosting File Manager or via FTP using FileZilla. Work through the main WordPress directories: /wp-admin/, /wp-includes/, and /wp-content/. What you are looking for are files that do not belong there or files that contain code that looks deliberately obscured.
Common signs of infected files include:
- Strange filenames like wp-login-old.php, config-backup.php, or random strings
- PHP files sitting inside /wp-content/uploads/ where PHP should never be
- Functions like eval(), base64_decode(), gzinflate(), or long unreadable encrypted strings inside otherwise normal files
When something suspicious is found, the procedure is: download the file, remove the malicious code in a text editor, and upload the clean version. For core WordPress files, download a fresh copy from wordpress.org and overwrite any file that is not an exact match of the original.
Two things should never be touched carelessly during this process: wp-config.php (it contains your database connection details) and the contents of /wp-content/uploads/, which should be reviewed item by item rather than deleted in bulk.
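The checks in this step can be scripted so the review list is built consistently. The following shell script is an added example and not part of the original article: it walks an install (or an offline copy of it) and prints the three indicators just listed, and it builds a small constructed demo tree to run against. Every hit is something to inspect, not something to delete.

```shell
#!/bin/sh
# Added triage helper (not from the original article). It reports the three
# indicators from Step 4 without deleting anything: PHP files under uploads/,
# PHP files that call eval()/base64_decode()/gzinflate(), and PHP files that
# carry a long base64-looking blob. Every hit must still be reviewed by hand.

scan_wp_files() {
  root="$1"   # path to the WordPress root (live site or an offline copy)

  # 1. No PHP file has any business being under wp-content/uploads/.
  find "$root/wp-content/uploads" -type f -name '*.php' 2>/dev/null \
    | sed 's/^/UPLOADS_PHP /'

  # 2. Obfuscation primitives inside any PHP file (themes and plugins too).
  find "$root" -type f -name '*.php' \
       -exec grep -lE 'eval\(|base64_decode\(|gzinflate\(' {} + 2>/dev/null \
    | sed 's/^/OBFUSCATION /'

  # 3. 100+ consecutive base64 characters: typical of a packed payload.
  find "$root" -type f -name '*.php' \
       -exec grep -lE '[A-Za-z0-9+/=]{100,}' {} + 2>/dev/null \
    | sed 's/^/ENCODED_BLOB /'
}

# Constructed demo install so the scanner can be exercised offline.
make_demo_site() {
  d=$(mktemp -d)
  mkdir -p "$d/wp-content/uploads/2025/04" "$d/wp-content/themes/demo" \
           "$d/wp-includes"
  printf '<?php $wp_version = "demo";\n' > "$d/wp-includes/version.php"
  printf 'GIF89a' > "$d/wp-content/uploads/2025/04/photo.gif"
  # Constructed indicator: a PHP loader dropped next to the images.
  printf '<?php eval(gzinflate(base64_decode($payload)));\n' \
    > "$d/wp-content/uploads/2025/04/photo.php"
  # Constructed indicator: a theme file with a packed blob appended.
  blob=$(head -c 120 /dev/zero | tr '\000' 'Q')
  printf '<?php // theme functions\n$p = "%s";\n' "$blob" \
    > "$d/wp-content/themes/demo/functions.php"
  echo "$d"
}

scan_wp_files "$(make_demo_site)"
```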
Step 5: Check the Database for Injected Code
Files get most of the attention during cleanup, but databases are frequently targeted too. Malicious scripts, spam links, fake users, and hidden redirects can all be planted directly inside your WordPress database tables.
Log into phpMyAdmin through your hosting dashboard. Three tables deserve close attention:
wp_posts: Search for script tags, iframe embeds, or suspicious external URLs injected into your post and page content.
wp_options: Look for unfamiliar entries, especially ones with long strings of encoded or encrypted text as their values.
wp_users: Every admin account should be recognized and verified. Unknown accounts get deleted.
Export a full database backup before editing anything. One wrong deletion can break core site functionality, and the export gives you an immediate rollback option.
For WooCommerce sites, order tables and customer records deserve extra scrutiny. Payment skimming scripts are frequently injected close to checkout-related database entries.
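Because the export taken before editing is a plain SQL dump, the same three table checks can be run against it offline. This shell script is an added example rather than the article's own: it assumes a mysqldump-style file with one row per INSERT (mysqldump --skip-extended-insert) and the default wp_ table prefix (a custom prefix can be passed as the second argument), and it builds a constructed sample dump to run against.

```shell
#!/bin/sh
# Added example (not from the original article): triage a database export
# for the three tables discussed in Step 5. Assumes a mysqldump-style file
# with one row per INSERT, so every row sits on its own line. Nothing is
# modified; every hit is for manual review in phpMyAdmin afterwards.

scan_wp_dump() {
  dump="$1"
  prefix="${2:-wp_}"   # table prefix; many installs use a custom one

  # wp_posts: script/iframe tags or inline JavaScript inside post content
  grep -nE 'INSERT INTO `?'"$prefix"'posts`?' "$dump" \
    | grep -iE '<script|<iframe|onload=|javascript:' \
    | cut -c1-120 | sed 's/^/POSTS_INJECT /'

  # wp_options: option values that are long encoded blobs (100+ chars)
  grep -nE 'INSERT INTO `?'"$prefix"'options`?' "$dump" \
    | grep -E '[A-Za-z0-9+/=]{100,}' \
    | cut -c1-120 | sed 's/^/OPTIONS_BLOB /'

  # wp_users: print every ID and user_login (the first two columns) so each
  # account can be checked against the people who should actually have one
  grep -E 'INSERT INTO `?'"$prefix"'users`?' "$dump" \
    | sed -n "s/.*VALUES (\([0-9]*\),'\([^']*\)'.*/USER id=\1 login=\2/p"
}

# Constructed sample dump (columns abbreviated from the real schema).
make_demo_dump() {
  f=$(mktemp)
  blob=$(head -c 120 /dev/zero | tr '\000' 'Z')
  cat > "$f" <<EOF
INSERT INTO \`wp_posts\` VALUES (1,1,'2025-04-01 09:00:00','<p>Hello world</p>','Hello','publish');
INSERT INTO \`wp_posts\` VALUES (2,1,'2025-04-02 03:10:00','<p>About</p><script src="//cdn.example.net/r.js"></script>','About','publish');
INSERT INTO \`wp_options\` VALUES (1,'siteurl','https://example.com','yes');
INSERT INTO \`wp_options\` VALUES (2,'widget_text','$blob','yes');
INSERT INTO \`wp_users\` VALUES (1,'editor','\$P\$demo','editor','editor@example.com','','2025-01-01 00:00:00','',0,'Editor');
INSERT INTO \`wp_users\` VALUES (7,'wp-support','\$P\$demo','wp-support','nobody@example.net','','2025-04-02 03:11:00','',0,'wp-support');
EOF
  echo "$f"
}

scan_wp_dump "$(make_demo_dump)"
```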
Step 6: Delete Unknown Users and Reset Every Password
Go to Users > All Users inside your dashboard. Filter by Administrator. Any account that cannot be verified gets removed. If there is uncertainty about an account, downgrade its role to Subscriber first and confirm with your team before permanently deleting it.
Then reset passwords everywhere, not just inside WordPress:
- All WordPress admin and editor accounts
- Hosting control panel login
- FTP and SFTP credentials
- Database user password
- API keys for connected third-party tools (email platforms, payment gateways, analytics)
Each password must be unique and at least 12 characters long. A password manager such as Bitwarden or 1Password takes the burden of remembering them away.
Two-factor authentication should be enabled on every admin account immediately. The WP 2FA plugin makes this easy. It is among the most impactful security changes that can be made, and it takes approximately five minutes.
Step 7: Reinstall WordPress Core, Themes, and Plugins
A clean reinstall removes any lingering traces that manual cleaning might have missed.
For WordPress core, download the latest version from wordpress.org. Using File Manager or FTP, delete the /wp-admin/ and /wp-includes/ folders from the server. Upload fresh replacements from the downloaded package. The wp-config.php file and /wp-content/ folder should not be touched during this process.
For plugins and themes, every single one gets deleted and reinstalled fresh from official sources. WordPress.org for free tools, the developer's verified website for premium ones. Old plugin folders copied from the previous installation should not be reused as they may still carry infected files.
Reactivate plugins one by one after reinstalling. This catches any that cause conflicts or reintroduce problems. Anything that is inactive and no longer needed should simply be deleted. Unused plugins sitting dormant on a server still present a vulnerability.
Step 8: Block PHP Execution in the Uploads Folder
The /wp-content/uploads/ folder is a frequent target because it is writable by default. Attackers upload disguised PHP files there and execute them remotely. Blocking PHP from running in that folder closes this specific attack vector.
Inside File Manager, navigate to /wp-content/uploads/ and create a new file called .htaccess. A bare deny-all rule would also block every image and document in the folder, so the rule must target PHP files only. Add this code (Apache 2.4 syntax):
<FilesMatch "\.php$">
    Require all denied
</FilesMatch>
Save it, and direct requests for PHP files in that folder are refused while uploaded media still loads. On Apache 2.2 the line inside the block is Deny from all (with Order deny,allow above it); nginx ignores .htaccess files, so the equivalent rule has to go in the server configuration.
While in the file system, check permissions across the site. Files should be set to 644. Folders should be 755. Anything sitting at 777 is a wide-open security gap that needs correcting immediately.
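As an added example (not the article's own), the following shell script applies this step to a whole install: it lists world-writable entries, resets files to 644 and directories to 755, and writes the uploads .htaccess. It assumes Apache 2.4 (on nginx the PHP block belongs in the server configuration) and that it runs as the owner of the files.

```shell
#!/bin/sh
# Added example (not from the original article): apply the Step 8 hardening
# to an install in one pass. It lists world-writable entries, resets files
# to 644 and directories to 755, and writes an uploads/.htaccess that denies
# direct requests for *.php (Apache 2.4 syntax). Assumes it runs as the file
# owner; on nginx the PHP block must go in the server configuration instead.

harden_wp() {
  root="$1"
  uploads="$root/wp-content/uploads"

  # Report world-writable (777-style) entries before fixing them.
  find "$root" -perm -0002 \( -type f -o -type d \) -exec ls -ld {} +

  find "$root" -type d -exec chmod 755 {} +
  find "$root" -type f -exec chmod 644 {} +

  # Only .php is blocked, so images and documents in uploads/ still serve.
  mkdir -p "$uploads"
  cat > "$uploads/.htaccess" <<'EOF'
<FilesMatch "\.php$">
    Require all denied
</FilesMatch>
EOF
}

# Number of world-writable files or directories left under a path (goal: 0).
world_writable_count() {
  find "$1" -perm -0002 \( -type f -o -type d \) | wc -l | tr -d ' '
}

# Constructed demo install with two deliberately loose permissions.
make_demo_site() {
  d=$(mktemp -d)
  mkdir -p "$d/wp-content/uploads" "$d/wp-content/plugins/demo"
  printf '<?php\n' > "$d/wp-content/plugins/demo/demo.php"
  chmod 777 "$d/wp-content/uploads" "$d/wp-content/plugins/demo/demo.php"
  echo "$d"
}

harden_wp "$(make_demo_site)"
```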
Step 9: Test the Site Thoroughly Before Going Live
The cleanup is done, but the site does not go back online until it has been tested properly.
Open a private/incognito browser window and go through the site as a visitor would. Test the home page, category pages, article pages, contact form, login and logout processes, and in the case of eCommerce sites, the whole checkout process.
Run one final malware scan. Wordfence or Sucuri both work fine for this. Only when everything comes back clean and functions normally should maintenance mode be turned off.
The moment the site is back online, take a fresh clean backup immediately. This becomes the new security baseline going forward.
If Google flagged the site during the attack, open Google Search Console, go to Security Issues, and submit a review request. Describe the steps taken to clean the site. Warnings are typically removed within a few days once Google confirms the site is clean.
How to Prevent Future Attacks on Your WordPress Website
Most sites that get hacked once get hacked again. Not because attackers pay them special attention, but because the conditions that allowed the first breach were never fully resolved.
Update everything, regularly
Plugins, themes, and WordPress core must be kept up to date. Trusted tools can be configured to update automatically. Anything that is abandoned or no longer maintained must be removed.
Use a Web Application Firewall
Both Cloudflare and Sucuri provide WAF solutions that filter bad traffic before it ever reaches the server. The protection is considerable relative to the cost.
Back up every day and offsite
Do not rely on your hosting provider's backups as the sole copy. Automated daily backups to Google Drive, Dropbox, or a dedicated service like BlogVault give you a reliable restore point regardless of what happens.
Run weekly malware scans
Set Wordfence to scan automatically. Catching an infection in its early stages is dramatically easier than cleaning up a full-scale compromise discovered weeks later.
Never install nulled software
No premium plugin or theme is worth the risk of pre-installed malware. The cost of the real thing is always less than the cost of recovering from a breach.
A plugin such as Limit Login Attempts Reloaded adds rate limiting to the login page, which stops brute-force bots that would otherwise try thousands of password combinations without limit.
Final Words
Hackers look for weak points in a WordPress website to inject malware and access customer data or files, causing serious harm to the website infrastructure and ultimately the brand. To prevent such attacks, secure your website by never using nulled plugins or themes, running malware scans frequently, and integrating a trusted web application firewall like Cloudflare.
If your website still gets hacked, follow the step-by-step process in this article to fix it. Once recovered, focus on prevention: monitor the website frequently and hide vulnerable paths to reduce the attack surface. Although it might sound simple, these measures demand technical knowledge and programming skills, which is why it is worth hiring a professional web design and development company that can handle these hectic yet time-sensitive tasks while ensuring the security and optimal performance of your WordPress website.
FAQs
Q1. How long does it take to fix a hacked WordPress site?
It usually takes around 2-3 hours to fix a hacked WordPress site if the latest backup of the website is available. However, complex attacks employing heavy obfuscation and polymorphic code might take up around 24-48 hours to fix.
Q2. Can I fix a hacked WordPress site without losing existing content?
Yes, but this is only possible if you have the latest clean backups of your website.
Q3. Why do hackers frequently target my WordPress site?
Vulnerabilities such as incomplete malware removal, weak passwords, nulled software, and vulnerable plugins make your website prone to repeated attacks.
Q4. What are the immediate steps to fix a hacked WordPress site?
You must immediately change all the credentials, scan for malware, remove all the malicious files, restore a clean backup of the website, and update all plugins, themes, and PHP versions.
Author
Aijaz Mughal
Mr. Aijaz Mughal is a trusted advisor and thought leader in digital marketing and business growth with over 20 years of extensive experience. Throughout his illustrious career, he has had the privilege of working with top-tier brands such as Emaar, Masdar, Honda, Leejam, Unilever, The Dubai Mall, Emerson, Moorfields, and Yamaha, where he has made significant contributions to their digital marketing success.