How to Fix Hacked WordPress Site: Complete Recovery Guide

Discovering your WordPress site has been hacked is a nightmare scenario. Your homepage is defaced, Google is showing malware warnings, or visitors are being redirected to suspicious sites. Don’t panic—most WordPress hacks can be cleaned up and prevented from happening again.

This comprehensive recovery guide walks you through every step of detecting, cleaning, and hardening a compromised WordPress site to restore security and prevent future attacks.

Recognizing the Signs of a Hack

Common Hack Indicators

Visible Changes:

  • Defaced homepage with hacker messages
  • Spam content injected into posts/pages
  • Unwanted redirects to pharmaceutical or adult sites
  • Pop-ups and ads you didn’t add

Performance Issues:

  • Extremely slow loading times
  • Server resource exhaustion
  • Database connection errors

External Warnings:

  • Google Safe Browsing warning (“This site may be hacked”)
  • Hosting provider suspension notice
  • Antivirus alerts when visiting your site
  • Blacklist notifications from security tools

Backend Anomalies:

  • Unauthorized admin accounts
  • Unknown files in WordPress directories
  • Modified file timestamps
  • Can’t log into wp-admin

Immediate Response Actions

Step 1: Don’t Panic—Assess the Situation

Take screenshots of all symptoms. Document everything you notice before making changes.

Step 2: Take Site Offline (If Severely Compromised)

If the site is distributing malware or severely defaced, enable maintenance mode.

// Quick maintenance mode - add to wp-config.php
define('WP_MAINTENANCE_MODE', true);

Or use the .htaccess method:

# In .htaccess (temporary)
RewriteEngine on
RewriteCond %{REMOTE_ADDR} !^123\.456\.789\.0
RewriteCond %{REQUEST_URI} !/maintenance.html$ [NC]
RewriteRule .* /maintenance.html [R=302,L]

Step 3: Contact Your Hosting Provider

Inform them immediately. They may:

  • Provide server logs
  • Identify the attack vector
  • Temporarily restore from their backups
  • Assist with malware scanning

Step 4: Change ALL Passwords Immediately

Don’t wait—change these NOW from a secure device:

# Via WP-CLI (if available)
wp user update USERNAME --user_pass=NEW_STRONG_PASSWORD

# Database password in wp-config.php
define('DB_PASSWORD', 'new_secure_password');

Change:

  • WordPress admin passwords
  • Database passwords
  • FTP/SFTP credentials
  • Hosting control panel
  • Email accounts associated with site

Scanning for Malware

Automated Scanning Tools

Sucuri SiteCheck (Free Online Scanner):

Visit https://sitecheck.sucuri.net and enter your URL. It detects:

  • Malware signatures
  • Blacklist status
  • Spam injections
  • Outdated software

Wordfence Security Plugin:

# Install via WP-CLI
wp plugin install wordfence --activate
wp wordfence scan

Wordfence scans for:

  • Known malware patterns
  • Modified core files
  • Backdoors
  • Suspicious code

Other Tools:

  • MalCare Security Scanner
  • Quttera Web Malware Scanner
  • VirusTotal (for file uploads)

Manual Detection Methods

Check File Modification Dates:

# Via SSH - find recently modified files
find /path/to/wordpress -type f -mtime -7 -ls

Search for Suspicious Code Patterns:

# Look for base64 encoding (common in malware)
grep -r "base64_decode" /path/to/wordpress

# Find eval() functions
grep -r "eval(" /path/to/wordpress

# Search for malicious functions
grep -r "system\|passthru\|shell_exec\|exec" /path/to/wordpress

Common Malware Locations:

  • wp-content/uploads/ (PHP files shouldn’t be here)
  • Theme’s functions.php (check for appended code)
  • wp-includes/ (core files shouldn’t be modified)
  • Root directory hidden files (.htaccess, index.php)

Cleanup Procedures

Option 1: Restore from Clean Backup

If you have a pre-hack backup:

# Backup current (infected) site first
tar -czf infected-backup-$(date +%Y%m%d).tar.gz /path/to/wordpress

# Restore clean backup
# (Restoration method varies by backup solution)

Verify backup integrity:

  • Check backup date predates the hack
  • Test in staging environment first
  • Confirm no malware in backup

Option 2: Manual Malware Removal

Step 1: Fresh WordPress Core Installation

# Download clean WordPress
wget https://wordpress.org/latest.tar.gz
tar -xzf latest.tar.gz

# Replace core files (NOT wp-content!)
cp -r wordpress/wp-admin/* /path/to/site/wp-admin/
cp -r wordpress/wp-includes/* /path/to/site/wp-includes/
cp wordpress/*.php /path/to/site/

Step 2: Clean Theme Files

# Download fresh copy of your theme from source
# Compare with infected version using diff
diff -r clean-theme/ infected-theme/

# Or use WP-CLI to reinstall theme
wp theme install theme-name --force

Step 3: Reinstall All Plugins

# Get list of installed plugins
wp plugin list

# Reinstall each plugin from WordPress.org
wp plugin install plugin-name --force

# For premium plugins, re-upload from original source

Step 4: Clean wp-config.php

Look for suspicious code:

// MALICIOUS - Remove this type of code
@include "\x2fhom\x65/us\x65r/p\x75blic\x5fhtml/\x77p-co\x6efig.p\x68p";

// LEGITIMATE wp-config.php should only have:
// - Database credentials
// - Security keys
// - Table prefix
// - ABSPATH define

Step 5: Clean .htaccess

Replace with default WordPress .htaccess:

# BEGIN WordPress
<IfModule mod_rewrite.c>
RewriteEngine On
RewriteRule .* - [E=HTTP_AUTHORIZATION:%{HTTP:Authorization}]
RewriteBase /
RewriteRule ^index\.php$ - [L]
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteRule . /index.php [L]
</IfModule>
# END WordPress

Remove suspicious redirects or auto_prepend_file directives.

Database Cleanup

Remove Malicious Database Entries

Check wp_options for injected scripts:

-- Backup database first!
SELECT * FROM wp_options WHERE option_value LIKE '%<script%';
SELECT * FROM wp_options WHERE option_value LIKE '%base64%';
SELECT * FROM wp_options WHERE option_value LIKE '%eval(%';

Clean wp_posts table:

-- Find spam injections
SELECT * FROM wp_posts WHERE post_content LIKE '%viagra%' OR post_content LIKE '%cialis%';

Remove unauthorized admin users:

-- List all administrators
SELECT * FROM wp_users u
JOIN wp_usermeta um ON u.ID = um.user_id
WHERE um.meta_key = 'wp_capabilities'
AND um.meta_value LIKE '%administrator%';

-- Delete suspicious user
DELETE FROM wp_users WHERE ID = suspicious_id;
DELETE FROM wp_usermeta WHERE user_id = suspicious_id;

Clear spam comments:

-- Delete spam comments
DELETE FROM wp_comments WHERE comment_approved = 'spam';

Security Hardening Post-Cleanup

Regenerate Security Keys

Visit https://api.wordpress.org/secret-key/1.1/salt/ and replace all keys in wp-config.php:

define('AUTH_KEY',         'new-unique-key-here');
define('SECURE_AUTH_KEY',  'new-unique-key-here');
define('LOGGED_IN_KEY',    'new-unique-key-here');
define('NONCE_KEY',        'new-unique-key-here');
define('AUTH_SALT',        'new-unique-key-here');
define('SECURE_AUTH_SALT', 'new-unique-key-here');
define('LOGGED_IN_SALT',   'new-unique-key-here');
define('NONCE_SALT',       'new-unique-key-here');

Install Security Plugin

wp plugin install wordfence --activate

Configure:

  • Enable Web Application Firewall
  • Schedule daily scans
  • Enable two-factor authentication
  • Set up email alerts

Harden File Permissions

find . -type d -exec chmod 755 {} \;
find . -type f -exec chmod 644 {} \;
chmod 440 wp-config.php

Disable File Editing

// Add to wp-config.php
define('DISALLOW_FILE_EDIT', true);

Removing Site from Blacklists

Google Safe Browsing

  1. Log into Google Search Console
  2. Check Security Issues section
  3. Fix all issues identified
  4. Request a review

Malware Databases

Check and request removal from:

  • Norton Safe Web
  • McAfee SiteAdvisor
  • Yandex Safe Browsing
  • PhishTank (if phishing was involved)

Post-Recovery Monitoring

Set Up File Integrity Monitoring

// Wordfence monitors this automatically
// Or use custom solution
$files = get_option('file_hashes');
$current = md5_file('wp-config.php');
if ($files['wp-config.php'] !== $current) {
    // Alert administrator
}

Monitor for Reinfection

  • Daily malware scans for 30 days
  • Review server logs weekly
  • Monitor traffic for unusual patterns
  • Check for new unauthorized users

Ongoing Security Maintenance

Weekly:

  • Review security scan results
  • Check for unauthorized changes
  • Monitor failed login attempts

Monthly:

  • Update all plugins and themes
  • Review user accounts and permissions
  • Audit file permissions

Quarterly:

  • Full security audit
  • Password rotation
  • Review and update security policies

Prevention Checklist

After cleanup, implement these to prevent future hacks:

✅ Keep WordPress, plugins, and themes updated ✅ Use strong, unique passwords ✅ Enable two-factor authentication ✅ Install security plugin with firewall ✅ Regular automated backups (off-site) ✅ Limit login attempts ✅ Disable file editing in wp-admin ✅ Use HTTPS site-wide ✅ Regular security scans ✅ Monitor file integrity

When to Hire Professionals

Consider professional malware removal if:

  • Multiple cleanup attempts have failed
  • You lack technical expertise
  • Site contains sensitive customer data
  • Reinfection keeps occurring
  • You need guaranteed malware-free certificate

Professional services (Sucuri, Wordfence Care, etc.) typically cost $200-$500 but include:

  • Complete malware removal
  • Backdoor elimination
  • Security hardening
  • Blacklist removal
  • Reinfection guarantee

Recovery from a hack is stressful, but following this systematic approach ensures complete cleanup and significantly reduces the risk of future compromises.

  1. Sucuri SiteCheck Scanner
  2. Wordfence Scan
  3. Google Search Console
  4. WordPress Support Forum
  5. VirusTotal File Scanner

Call to Action

Secure your site with bulletproof backups! Backup Copilot Pro offers automated security audits, malware scanning before backups, and instant recovery—try it free!