If you’ve just discovered you have a hacked WordPress site, you’re not alone—and you can recover it. This guide will show you how to:
- Confirm your WordPress site is hacked
- Clean the infection and fix your hacked WordPress site fast
- Secure your website to prevent future attacks
- Decide when to get professional help
Quick WordPress Security Statistics at a Glance
- 43% of all websites run on WordPress, making it the most targeted CMS for hackers
- The best estimate suggests that at least 13,000 websites are hacked every day — that’s roughly 9 hacks per minute, 390,000 per month, and over 4.7 million websites each year.
- More than 14,000 WordPress sites have been hacked and are actively being used to spread malware.
How to Tell if Your WordPress Site Is Hacked
Here are the most common signs of a hacked WordPress site:
| Sign | What You’ll Notice |
|---|---|
| Strange redirects | Visitors are sent to spam, adult, or scam sites |
| Unknown admin users | New admin accounts you didn’t create |
| Spam content or links | Hidden or visible spam posts, pages, or links in your content |
| Security warnings from Google | “This site may be hacked” or browser malware warnings |
| Drop in traffic or SEO rankings | Sudden decline in organic traffic and ranking |
| Excessive server usage | Hosting alerts about CPU usage, bandwidth spikes, or mass emails |
| Disabled security plugins | Your security plugin is deactivated or removed without your knowledge |
| Unusual files in wp-content | Suspicious PHP files or strange file names in wp-content or wp-includes |
If you see one or more of these, assume your WordPress site is hacked and act immediately.
Step 1: Put Your Site in Maintenance Mode (Optional but Smart)
You may want to hide the hack from visitors while you work.
- Log in to WordPress (if you can).
- Install a maintenance plugin (e.g., “Maintenance” or “SeedProd Coming Soon”).
- Enable maintenance mode.
If you can’t log in at all, move straight to the next step.
Step 2: Back Up Your Hacked WordPress Site
Before you start cleaning, back up everything, even if it’s infected. This gives you a restore point in case something goes wrong.
Back up:
- WordPress files (via FTP/File Manager)
- Database (via phpMyAdmin or your host’s backup tools)
Tip: Name the backup clearly (e.g., site-backup-before-cleaning-2025-12-16.zip) so you don’t confuse it with clean ones later.
Step 3: Change All Passwords Immediately

To fix a hacked WordPress site fast, you must cut off the attacker’s access.
Change:
- WordPress admin passwords (for all users)
- Hosting control panel (cPanel/Plesk) password
- FTP/SFTP account passwords
- Database password (and update wp-config.php)
- Any SSH passwords or keys
Also revoke and reissue:
- API keys (payment gateways, email services, etc.)
- Application passwords (WordPress “Application Passwords” feature)
Step 4: Scan Your Hacked WordPress Site for Malware

Use both a plugin and an external scanner for better coverage.
Use a Security Plugin
Install one of these (if not already installed):
- Wordfence Security
- iThemes Security
- Sucuri Security
Then:
- Update the plugin to the latest version.
- Run a full scan.
- Note all malicious files or suspicious changes it reports.
Use an External Malware Scanner
Use online scanners like:
- Sucuri SiteCheck
- VirusTotal (for specific files)
- Google Safe Browsing (via Search Console)
These tools often show:
- Known malicious URLs on your site
- Blacklist status (Google, Norton, etc.)
Step 5: Manually Clean the Hacked Files

If you’re comfortable with files and code, you can fix a hacked WordPress site manually. If not, you may prefer a professional service like WP Enchant (see below).
Replace Core WordPress Files
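- Download the latest WordPress from wordpress.org.
- Extract it locally.
- Overwrite these folders on your server via FTP/File Manager:
  - wp-admin
  - wp-includes
- Overwrite all root WordPress files except:
  - wp-config.php
  - wp-content folder
This replaces every core file with a clean copy. Overwriting does not delete extra files an attacker may have added inside wp-admin or wp-includes, so compare those folders against the fresh download and remove anything that is not in it.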
Clean the wp-content Folder
This is where most hacks hide.
Check:
- wp-content/themes
- wp-content/plugins
- wp-content/uploads
Actions:
- Delete unused themes and plugins (not just deactivate).
- Reinstall active themes/plugins from official or trusted sources.
- Look for suspicious files:
  - Random names (e.g., x1k9.php, wp-ajax-new.php)
  - PHP files inside uploads (most sites should not have PHP there)
  - Files with very recent modified dates that you don’t recognize
If a file looks suspicious and is not part of the original theme/plugin, remove it (after backup).
Check wp-config.php for Backdoors
Open wp-config.php and look for:
- Unknown include or require statements
- Encoded/obfuscated code (e.g., base64_decode, long random strings)
- Strange constants or variables
If you see anything abnormal:
- Compare with a fresh wp-config-sample.php
- Remove malicious lines carefully
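The file checks from "Clean the wp-content Folder" and the obfuscation check from "Check wp-config.php for Backdoors" can be run over SSH as a read-only triage pass. This is an added example, not part of the original guide; the function names, the demo tree and the markers other than base64_decode are assumptions.

```shell
#!/usr/bin/env bash
# Added example: read-only triage for Step 5. Reports leads, deletes nothing.

# PHP-type files under uploads (most sites should have none there).
php_in_uploads() {             # $1 = WordPress root
  find "$1/wp-content/uploads" -type f \
    \( -iname '*.php' -o -iname '*.phtml' -o -iname '*.phar' \) 2>/dev/null | sort
}

# PHP files under wp-content modified within the last N days.
recent_php() {                 # $1 = WordPress root, $2 = days
  find "$1/wp-content" -type f -iname '*.php' -mtime "-$2" 2>/dev/null | sort
}

# PHP files containing obfuscation markers. base64_decode is the page's
# example; the other markers are assumptions. Legitimate plugins use these
# functions too, so each hit is something to read, not proof of infection.
obfuscation_hits() {           # $1 = file or directory
  find "$1" -type f -iname '*.php' \
    -exec grep -lE 'base64_decode|gzinflate|str_rot13' {} + 2>/dev/null | sort
}

# Constructed sample tree for a dry run; prints its path.
make_demo_tree() {
  local root
  root=$(mktemp -d) || return 1
  mkdir -p "$root/wp-content/uploads/2025/12" "$root/wp-content/plugins/good"
  # Constructed, harmless stand-in for a dropped file (decodes to "hi").
  printf '%s\n' "<?php \$x = base64_decode('aGk=');" \
    > "$root/wp-content/uploads/2025/12/x1k9.php"
  printf '%s\n' "<?php // plugin code" > "$root/wp-content/plugins/good/good.php"
  touch -t 202001010000 "$root/wp-content/plugins/good/good.php"   # old mtime
  printf '%s\n' "<?php define('DB_NAME', 'wp');" > "$root/wp-config.php"
  : > "$root/wp-content/uploads/2025/12/photo.jpg"
  printf '%s\n' "$root"
}

if [ "${1:-}" = "--demo" ]; then
  demo=$(make_demo_tree)
  echo "PHP in uploads:";      php_in_uploads "$demo"
  echo "Changed in 7 days:";   recent_php "$demo" 7
  echo "Obfuscation markers:"; obfuscation_hits "$demo"
  rm -rf "$demo"
fi
```

Run the functions against the backup copy as well as the live site: modification times can be forged, so an old date does not clear a file.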
Step 6: Clean the Database
Many hacks inject spam into the database.
Use phpMyAdmin (or a similar tool) to:
- Search for spam keywords in tables like wp_posts, wp_options, and wp_postmeta.
- Look for:
  - Unknown admin users in wp_users
  - Malicious code in wp_options (siteurl, home, or unknown options with long code)
- Remove or correct malicious entries.
If you’re unsure, export the database first, then edit. One mistake can break your site.
Step 7: Remove Unknown Users and Tighten Permissions
Remove Unknown Users
In your WordPress dashboard:
- Go to Users > All Users
- Delete any accounts you don’t recognize, especially those with the Administrator role
- Reassign their content to a known, valid user
Fix File Permissions
Correct file permissions help prevent future infections.
Typical recommended settings:
| Item | Permission |
|---|---|
| Files | 644 |
| Folders | 755 |
| wp-config.php | 600–640 |
You can set these via FTP, File Manager, or command line (if you have SSH).
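Over SSH, the table above can be audited first and then applied. This is an added example, not part of the original guide; the function names are assumptions, and it sets wp-config.php to 600, the strict end of the range (use 640 if your host's web server reads the file through group access).

```shell
#!/usr/bin/env bash
# Added example: audit, then apply, the permission table from Step 7.

# List entries that deviate from the table.
# wp-config.php passes with 600 or 640, the two ends of the page's range.
perm_deviations() {            # $1 = WordPress root
  {
    find "$1" -type d ! -perm 755
    find "$1" -type f ! -name wp-config.php ! -perm 644
    find "$1" -maxdepth 1 -type f -name wp-config.php ! -perm 600 ! -perm 640
  } 2>/dev/null | sort
}

# Apply the table. Symlinks are skipped because -type f and -type d
# do not match them, so a planted link cannot redirect the chmod.
fix_wp_perms() {               # $1 = WordPress root
  find "$1" -type d -exec chmod 755 {} + || return 1
  find "$1" -type f -exec chmod 644 {} + || return 1
  if [ -f "$1/wp-config.php" ]; then
    chmod 600 "$1/wp-config.php"
  fi
}

# Usage: script.sh --apply /path/to/wordpress
if [ "${1:-}" = "--apply" ] && [ -d "${2:-}" ]; then
  echo "Deviations before:"; perm_deviations "$2"
  fix_wp_perms "$2"
  echo "Deviations after:";  perm_deviations "$2"
fi
```

Keep the "before" list: world-writable folders or files found on a freshly hacked site are worth noting in your incident notes before they are corrected.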
Step 8: Remove Blacklist Warnings (Google & Browsers)

If your hacked WordPress site triggered browser or Google warnings:
- Ensure the site is fully cleaned.
- Sign in to Google Search Console.
- Add & verify your site (if not already).
- Go to Security & Manual Actions > Security Issues.
- Request a review stating:
  - What happened (WordPress site hacked)
  - What you did to clean it
  - How you have improved security
Google typically reviews within a few days.
Step 9: Strengthen Security So It Doesn’t Happen Again
To truly fix a hacked WordPress site fast, you must also prevent repeat attacks.
Keep Everything Updated
- WordPress core
- Themes
- Plugins
- PHP version (via hosting panel)
Turn on automatic updates for minor releases at a minimum.
Use a Security Plugin for Ongoing Protection
Enable features like:
- Firewall / Web Application Firewall (WAF)
- Login rate limiting
- File change detection
- 2FA (Two-Factor Authentication) for admins
Harden Your Login and Admin Area
- Use strong, unique passwords for all accounts.
- Enable 2FA for admin users.
- Change the default login URL (/wp-login.php) with a security plugin.
- Limit login attempts.
Disable PHP in uploads
To stop many malware scripts, disallow PHP execution in uploads by adding this .htaccess file inside wp-content/uploads:
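The snippet this step refers to is not present on the page. One common way to write such a file, as an added example that is not the original author's code: it assumes Apache 2.4 with .htaccess overrides enabled, and the function name, marker comments and extension list are assumptions.

```shell
#!/usr/bin/env bash
# Added example: block PHP execution in uploads on Apache 2.4 (assumption:
# .htaccess overrides are enabled and mod_authz_core is available).

MARK_BEGIN='# BEGIN block-php-in-uploads (added example)'
MARK_END='# END block-php-in-uploads'

# Append the rule once; any existing .htaccess content is preserved.
harden_uploads() {             # $1 = path to wp-content/uploads
  local ht="$1/.htaccess"
  [ -d "$1" ] || { echo "no such directory: $1" >&2; return 1; }
  if [ -f "$ht" ] && grep -qF "$MARK_BEGIN" "$ht"; then
    return 0                   # rule already present, nothing to do
  fi
  {
    printf '%s\n' "$MARK_BEGIN"
    cat <<'EOF'
<FilesMatch "(?i)\.(php[0-9]?|phtml|phar)$">
    Require all denied
</FilesMatch>
EOF
    printf '%s\n' "$MARK_END"
  } >> "$ht"
  chmod 644 "$ht"
}

# Usage: script.sh /path/to/wordpress/wp-content/uploads
if [ -n "${1:-}" ]; then
  harden_uploads "$1" && echo "rule in place: $1/.htaccess"
fi
```

nginx ignores .htaccess files, so on an nginx host the equivalent rule has to go in the server configuration. After applying it, request a harmless test .php file under uploads and confirm the server answers 403.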

When You Should Use a Professional Service
Cleaning a hacked WordPress site manually can be:
- Time‑consuming
- Technically complex
- Risky if you’re not comfortable with code or databases
If you want to fix a hacked WordPress site fast and safely, a specialized service is often the best option.
Why Consider WP Enchant?
WP Enchant is a WordPress-focused service that can:
- Quickly identify and remove malware and backdoors
- Restore your site if it’s down or defaced
- Fix issues causing Google or browser warnings
- Harden your site with best-practice security
Typical benefits:
| Benefit | What It Means for You |
|---|---|
| Faster cleanup | Your hacked WordPress site is restored sooner |
| Deeper malware detection | Hidden backdoors and database infections are properly removed |
| Expert handling | Less risk of breaking your site while cleaning it |
| Post-clean hardening | Stronger protection so you’re less likely to be hacked again |
| Ongoing support options | Help if anything suspicious reappears |
If you’re unsure about any of the steps above, or your WordPress site keeps getting hacked again, WP Enchant is a strong option for getting professional, WordPress-specific help.
Quick Comparison: DIY vs Professional Cleanup
| Option | Pros | Cons |
|---|---|---|
| DIY Cleanup | Free, full control, good if you’re technical | Time‑consuming, risk of missing malware or breaking site |
| Security Plugin Only | Easy, fast, automatic scanning | May not catch custom/backdoor code; limited guarantees |
| WP Enchant (Pro) | Fast, thorough, handled by experts, hardening done | Paid service; you rely on a third party |
FAQs About Hacked WordPress Sites
1. How do I know for sure my WordPress site is hacked?
Common indicators include:
- Spam redirects or pop-ups
- Unknown admin users
- Suspicious files in wp-content
- Browser or Google “This site may be hacked” warnings
- A sudden drop in traffic or SEO rankings
Using a malware scanner (plugin + external) is the best way to confirm.
2. Can I fix a hacked WordPress site myself?
Yes, you can fix a hacked WordPress site yourself if you:
- Are comfortable with FTP, databases, and editing files
- Carefully follow a structured cleaning process like the one above
If you’re not technical or the infection is severe or recurring, using a service like WP Enchant is safer and faster.
3. How long does it take to fix a hacked WordPress site?
It depends on:
- Size of your site
- Severity of the hack
- Your technical skill
For a small site and a simple infection, cleanup can take 1–3 hours. For more complex infections, it may take longer. Services like WP Enchant are designed to minimize downtime and usually handle it much faster than a non‑technical site owner.
4. Will cleaning my hacked WordPress site fix SEO and Google warnings?
Cleaning the site is the first step. You also need to:
- Remove all malware and spam content.
- Request a review in Google Search Console under Security Issues.
Once Google confirms your site is clean, warnings typically disappear within a few days. SEO rankings may gradually recover, especially if the hack was recent and you act quickly.
5. How do I prevent my WordPress site from being hacked again?
Key steps:
- Keep WordPress, themes, and plugins updated
- Remove unused plugins/themes
- Use strong passwords and enable 2FA for admins
- Install a reputable security plugin with a firewall
- Limit admin access to only trusted users
- Consider an expert hardening service like WP Enchant for ongoing protection
Final Thoughts
A hacked WordPress site is stressful, but it’s fixable. To recap:
- Confirm the hack and back up your site.
- Change all passwords and lock down access.
- Clean files and database, remove malicious code and users.
- Update everything and harden your security.
- Use professional help like WP Enchant if you want a fast, thorough, and safer cleanup.
References
1: Colorlib, “WordPress Hacking Statistics (How Many Websites Get Hacked?),” 2023. https://colorlib.com/wp/wordpress-hacking-statistics/
2: Mashable, “About WordPress Hack,” 2025. https://mashable.com/article/wordpress-hacked-unc5142-etherhiding-blockchain-malware-spreading
3: WP Manage Ninja, “WordPress Security Statistics 2020,” https://wpmanageninja.com/wordpress-security-statistics/






