Discovering your WordPress site has been hacked is a nightmare scenario. Your homepage is defaced, Google is showing malware warnings, or visitors are being redirected to suspicious sites. Don’t panic—most WordPress hacks can be cleaned up and prevented from happening again.
This comprehensive recovery guide walks you through every step of detecting, cleaning, and hardening a compromised WordPress site to restore security and prevent future attacks.
Recognizing the Signs of a Hack
Common Hack Indicators
Visible Changes:
- Defaced homepage with hacker messages
- Spam content injected into posts/pages
- Unwanted redirects to pharmaceutical or adult sites
- Pop-ups and ads you didn’t add
Performance Issues:
- Extremely slow loading times
- Server resource exhaustion
- Database connection errors
External Warnings:
- Google Safe Browsing warning (“This site may be hacked”)
- Hosting provider suspension notice
- Antivirus alerts when visiting your site
- Blacklist notifications from security tools
Backend Anomalies:
- Unauthorized admin accounts
- Unknown files in WordPress directories
- Modified file timestamps
- Can’t log into wp-admin
Immediate Response Actions
Step 1: Don’t Panic—Assess the Situation
Take screenshots of all symptoms. Document everything you notice before making changes.
Step 2: Take Site Offline (If Severely Compromised)
If the site is distributing malware or severely defaced, enable maintenance mode.
// Quick maintenance mode - add to wp-config.php
define('WP_MAINTENANCE_MODE', true);Or use the .htaccess method:
# In .htaccess (temporary)
RewriteEngine on
RewriteCond %{REMOTE_ADDR} !^123\.456\.789\.0
RewriteCond %{REQUEST_URI} !/maintenance.html$ [NC]
RewriteRule .* /maintenance.html [R=302,L]Step 3: Contact Your Hosting Provider
Inform them immediately. They may:
- Provide server logs
- Identify the attack vector
- Temporarily restore from their backups
- Assist with malware scanning
Step 4: Change ALL Passwords Immediately
Don’t wait—change these NOW from a secure device:
# Via WP-CLI (if available)
wp user update USERNAME --user_pass=NEW_STRONG_PASSWORD
# Database password in wp-config.php
define('DB_PASSWORD', 'new_secure_password');Change:
- WordPress admin passwords
- Database passwords
- FTP/SFTP credentials
- Hosting control panel
- Email accounts associated with site
Scanning for Malware
Automated Scanning Tools
Sucuri SiteCheck (Free Online Scanner):
Visit https://sitecheck.sucuri.net and enter your URL. It detects:
- Malware signatures
- Blacklist status
- Spam injections
- Outdated software
Wordfence Security Plugin:
# Install via WP-CLI
wp plugin install wordfence --activate
wp wordfence scanWordfence scans for:
- Known malware patterns
- Modified core files
- Backdoors
- Suspicious code
Other Tools:
- MalCare Security Scanner
- Quttera Web Malware Scanner
- VirusTotal (for file uploads)
Manual Detection Methods
Check File Modification Dates:
# Via SSH - find recently modified files
find /path/to/wordpress -type f -mtime -7 -lsSearch for Suspicious Code Patterns:
# Look for base64 encoding (common in malware)
grep -r "base64_decode" /path/to/wordpress
# Find eval() functions
grep -r "eval(" /path/to/wordpress
# Search for malicious functions
grep -r "system\|passthru\|shell_exec\|exec" /path/to/wordpressCommon Malware Locations:
- wp-content/uploads/ (PHP files shouldn’t be here)
- Theme’s functions.php (check for appended code)
- wp-includes/ (core files shouldn’t be modified)
- Root directory hidden files (.htaccess, index.php)
Cleanup Procedures
Option 1: Restore from Clean Backup
If you have a pre-hack backup:
# Backup current (infected) site first
tar -czf infected-backup-$(date +%Y%m%d).tar.gz /path/to/wordpress
# Restore clean backup
# (Restoration method varies by backup solution)Verify backup integrity:
- Check backup date predates the hack
- Test in staging environment first
- Confirm no malware in backup
Option 2: Manual Malware Removal
Step 1: Fresh WordPress Core Installation
# Download clean WordPress
wget https://wordpress.org/latest.tar.gz
tar -xzf latest.tar.gz
# Replace core files (NOT wp-content!)
cp -r wordpress/wp-admin/* /path/to/site/wp-admin/
cp -r wordpress/wp-includes/* /path/to/site/wp-includes/
cp wordpress/*.php /path/to/site/Step 2: Clean Theme Files
# Download fresh copy of your theme from source
# Compare with infected version using diff
diff -r clean-theme/ infected-theme/
# Or use WP-CLI to reinstall theme
wp theme install theme-name --forceStep 3: Reinstall All Plugins
# Get list of installed plugins
wp plugin list
# Reinstall each plugin from WordPress.org
wp plugin install plugin-name --force
# For premium plugins, re-upload from original sourceStep 4: Clean wp-config.php
Look for suspicious code:
// MALICIOUS - Remove this type of code
@include "\x2fhom\x65/us\x65r/p\x75blic\x5fhtml/\x77p-co\x6efig.p\x68p";
// LEGITIMATE wp-config.php should only have:
// - Database credentials
// - Security keys
// - Table prefix
// - ABSPATH defineStep 5: Clean .htaccess
Replace with default WordPress .htaccess:
# BEGIN WordPress
<IfModule mod_rewrite.c>
RewriteEngine On
RewriteRule .* - [E=HTTP_AUTHORIZATION:%{HTTP:Authorization}]
RewriteBase /
RewriteRule ^index\.php$ - [L]
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteRule . /index.php [L]
</IfModule>
# END WordPressRemove suspicious redirects or auto_prepend_file directives.
Database Cleanup
Remove Malicious Database Entries
Check wp_options for injected scripts:
-- Backup database first!
SELECT * FROM wp_options WHERE option_value LIKE '%<script%';
SELECT * FROM wp_options WHERE option_value LIKE '%base64%';
SELECT * FROM wp_options WHERE option_value LIKE '%eval(%';Clean wp_posts table:
-- Find spam injections
SELECT * FROM wp_posts WHERE post_content LIKE '%viagra%' OR post_content LIKE '%cialis%';Remove unauthorized admin users:
-- List all administrators
SELECT * FROM wp_users u
JOIN wp_usermeta um ON u.ID = um.user_id
WHERE um.meta_key = 'wp_capabilities'
AND um.meta_value LIKE '%administrator%';
-- Delete suspicious user
DELETE FROM wp_users WHERE ID = suspicious_id;
DELETE FROM wp_usermeta WHERE user_id = suspicious_id;Clear spam comments:
-- Delete spam comments
DELETE FROM wp_comments WHERE comment_approved = 'spam';Security Hardening Post-Cleanup
Regenerate Security Keys
Visit https://api.wordpress.org/secret-key/1.1/salt/ and replace all keys in wp-config.php:
define('AUTH_KEY', 'new-unique-key-here');
define('SECURE_AUTH_KEY', 'new-unique-key-here');
define('LOGGED_IN_KEY', 'new-unique-key-here');
define('NONCE_KEY', 'new-unique-key-here');
define('AUTH_SALT', 'new-unique-key-here');
define('SECURE_AUTH_SALT', 'new-unique-key-here');
define('LOGGED_IN_SALT', 'new-unique-key-here');
define('NONCE_SALT', 'new-unique-key-here');Install Security Plugin
wp plugin install wordfence --activateConfigure:
- Enable Web Application Firewall
- Schedule daily scans
- Enable two-factor authentication
- Set up email alerts
Harden File Permissions
find . -type d -exec chmod 755 {} \;
find . -type f -exec chmod 644 {} \;
chmod 440 wp-config.phpDisable File Editing
// Add to wp-config.php
define('DISALLOW_FILE_EDIT', true);Removing Site from Blacklists
Google Safe Browsing
- Log into Google Search Console
- Check Security Issues section
- Fix all issues identified
- Request a review
Malware Databases
Check and request removal from:
- Norton Safe Web
- McAfee SiteAdvisor
- Yandex Safe Browsing
- PhishTank (if phishing was involved)
Post-Recovery Monitoring
Set Up File Integrity Monitoring
// Wordfence monitors this automatically
// Or use custom solution
$files = get_option('file_hashes');
$current = md5_file('wp-config.php');
if ($files['wp-config.php'] !== $current) {
// Alert administrator
}Monitor for Reinfection
- Daily malware scans for 30 days
- Review server logs weekly
- Monitor traffic for unusual patterns
- Check for new unauthorized users
Ongoing Security Maintenance
Weekly:
- Review security scan results
- Check for unauthorized changes
- Monitor failed login attempts
Monthly:
- Update all plugins and themes
- Review user accounts and permissions
- Audit file permissions
Quarterly:
- Full security audit
- Password rotation
- Review and update security policies
Prevention Checklist
After cleanup, implement these to prevent future hacks:
✅ Keep WordPress, plugins, and themes updated ✅ Use strong, unique passwords ✅ Enable two-factor authentication ✅ Install security plugin with firewall ✅ Regular automated backups (off-site) ✅ Limit login attempts ✅ Disable file editing in wp-admin ✅ Use HTTPS site-wide ✅ Regular security scans ✅ Monitor file integrity
When to Hire Professionals
Consider professional malware removal if:
- Multiple cleanup attempts have failed
- You lack technical expertise
- Site contains sensitive customer data
- Reinfection keeps occurring
- You need guaranteed malware-free certificate
Professional services (Sucuri, Wordfence Care, etc.) typically cost $200-$500 but include:
- Complete malware removal
- Backdoor elimination
- Security hardening
- Blacklist removal
- Reinfection guarantee
Recovery from a hack is stressful, but following this systematic approach ensures complete cleanup and significantly reduces the risk of future compromises.
External Links
- Sucuri SiteCheck Scanner
- Wordfence Scan
- Google Search Console
- WordPress Support Forum
- VirusTotal File Scanner
Call to Action
Secure your site with bulletproof backups! Backup Copilot Pro offers automated security audits, malware scanning before backups, and instant recovery—try it free!

