Picture this: you try to log into your WordPress dashboard and your password no longer works. Or you spot strange ads on your homepage. Unfortunately, a WordPress site can be hacked more easily than you think. WordPress powers more than 43% of the top 10 million websites, making it a prime hacker target. In this guide, you’ll learn how to recover a hacked WordPress site, remove malware, restore backups, and tighten your security.
Identify Hack Signs
Not sure how to know if your WordPress site has been hacked? Here are common red flags.
Check Login Failures
Login problems often start small, like intermittent errors or slow redirects. If you can’t access your dashboard despite correct credentials, hackers may have taken over admin accounts and changed your login data.
Spot Content Modifications
Attackers often inject spammy links or replace pages with defaced content. These changes can tank your SEO and drive away visitors.
Notice Google Warnings
Google may flag your site as “This site may be hacked” in search results or Chrome may display a “Deceptive site ahead” warning. These alerts let visitors and search engines know your site is unsafe.
Monitor Traffic Drops
A sudden dip in site visits often means hackers are redirecting traffic or Google has blacklisted your site. Check your analytics for unusual referral patterns or sharp declines.
Safeguard Your Data
Before you dive into cleanup, protect your current site state.
Create a Site Backup
Make a full backup of your files and database before you start. Use your hosting control panel or a plugin to export everything. This backup ensures you can recover if cleanup steps go wrong.
Activate Maintenance Mode
Put your site in maintenance mode to block visitors during cleanup. Most caching or maintenance plugins let you display a simple message while you work. This step protects users and prevents further damage.
Remove All Malware
Ready to clean your site? Let’s dig in.
Scan for Malware
Run a malware scanner to locate infected files. You can use security plugins or an external service to spot threats. Scanners check core files, themes, and plugins for suspicious code.
Delete Malicious Files
After scanning, delete or quarantine any files flagged as malicious. Check your wp-content folder for unfamiliar PHP scripts or backdoors. Be cautious and double-check before removing core files.
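The two checks above (PHP where it should not be, and PHP that looks obfuscated) can be scripted so that suspects are moved aside rather than deleted. The script below is an added example, not code from the original guide or from any security plugin; the marker regex, the directory layout and the sample files it builds are its own assumptions.

```shell
#!/bin/sh
# Added example, not code from the original guide. Flags PHP files that sit where
# WordPress never places them (wp-content/uploads) plus PHP files under wp-content
# that carry common obfuscation markers, and moves suspects into a quarantine
# directory instead of deleting them. The marker list and fixture are assumptions.

# Obfuscation markers often seen in injected PHP: eval() wrapped around a decoder.
SUSPICIOUS_RE='eval *\( *(base64_decode|gzinflate|gzuncompress|str_rot13) *\('

# scan_wp_content SITE_DIR -> one suspect path per line, sorted and de-duplicated
scan_wp_content() {
    site="$1"
    {
        # 1. Uploads should contain media only, so any PHP file there is a red flag.
        find "$site/wp-content/uploads" -type f \( -name '*.php' -o -name '*.phtml' \) 2>/dev/null
        # 2. Any PHP file under wp-content whose contents match the marker regex.
        find "$site/wp-content" -type f -name '*.php' -exec grep -lE "$SUSPICIOUS_RE" {} + 2>/dev/null
    } | sort -u
}

# quarantine_suspects SITE_DIR QUARANTINE_DIR -> moves every suspect, keeping its relative path
quarantine_suspects() {
    site="$1"; qdir="$2"
    scan_wp_content "$site" | while IFS= read -r f; do
        rel="${f#"$site"/}"
        mkdir -p "$qdir/$(dirname "$rel")"
        mv "$f" "$qdir/$rel"
        echo "quarantined: $rel"
    done
}

# make_sample_site DIR -> constructed fixture: two clean files and two suspects
make_sample_site() {
    d="$1"
    mkdir -p "$d/wp-content/uploads/2024/01" "$d/wp-content/plugins/hello" "$d/wp-content/themes/demo"
    printf 'not really a jpeg, constructed fixture\n' > "$d/wp-content/uploads/2024/01/photo.jpg"
    printf '<?php echo "hello"; ?>\n' > "$d/wp-content/plugins/hello/hello.php"
    # Suspect by location: a PHP file inside uploads.
    printf '<?php echo "constructed fixture"; ?>\n' > "$d/wp-content/uploads/2024/01/image.php"
    # Suspect by content: eval() around a decoder (no payload, constructed fixture).
    printf '<?php eval( base64_decode( $obfuscated ) ); ?>\n' > "$d/wp-content/themes/demo/functions.php"
}

# Run with --demo to build the fixture, list suspects and quarantine them.
if [ "${1-}" = "--demo" ]; then
    tmp=$(mktemp -d)
    make_sample_site "$tmp/site"
    echo "suspects:"; scan_wp_content "$tmp/site"
    quarantine_suspects "$tmp/site" "$tmp/quarantine"
    rm -rf "$tmp"
fi
```

Run it as `sh scan.sh --demo` to see it work on the constructed fixture; against a real site call `scan_wp_content /var/www/html` first and review the list before calling `quarantine_suspects`, because a match on the marker regex is a reason to inspect a file, not proof that it is malicious.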
Clean the Database
Hackers often leave bad links in your database. Search for suspicious entries in tables like wp_posts or wp_options and delete them (if you changed the default table prefix, the names start with your prefix instead of wp_). This step stops hidden redirects or spam injections.
Restore From Backup
Got a clean backup? Now restore it.
Choose a Clean Backup
Pick a backup from before the hack. Make sure it’s free of malware or spam. If you have multiple backups, test one on a staging site first.
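Both the database cleanup step and the "make sure the backup is free of malware or spam" check above can be done on the exported SQL file itself, before anything is imported. The script below is an added example, not code from the original guide or from any backup plugin; the marker regex, the default wp_ prefix and the fixture rows are its own assumptions.

```shell
#!/bin/sh
# Added example, not code from the original guide. Searches a WordPress SQL export
# (as produced by a backup plugin or mysqldump) for content attackers commonly plant
# in wp_posts and wp_options, and checks that the siteurl/home options still point
# at your own domain. Because it reads the dump file, it works on a backup before you
# restore it. Marker list, table prefix wp_ and the fixture rows are assumptions.

# Markers worth a manual look: remote script tags, iframes, hidden spam blocks, encoded code.
INJECT_RE='<script[^>]*src=|<iframe|eval\(|base64_decode|display: *none'

# scan_sql_dump DUMP -> prints "line N (table): marker" for each suspicious INSERT statement
scan_sql_dump() {
    grep -nE '^INSERT INTO `wp_(posts|options)`' "$1" \
        | grep -iE "$INJECT_RE" \
        | while IFS= read -r line; do
            num=${line%%:*}
            table=$(printf '%s\n' "$line" | sed -E 's/^[0-9]+:INSERT INTO `([a-z_]+)`.*/\1/')
            marker=$(printf '%s\n' "$line" | grep -oiE "$INJECT_RE" | head -n1)
            echo "line $num ($table): $marker"
        done
}

# check_site_urls DUMP EXPECTED_URL -> 0 if siteurl and home both equal EXPECTED_URL
check_site_urls() {
    dump="$1"; expected="$2"; rc=0
    for opt in siteurl home; do
        val=$(grep -oE "'$opt','[^']*'" "$dump" | head -n1 | sed -E "s/^'$opt','([^']*)'$/\1/")
        if [ "$val" = "$expected" ]; then
            echo "$opt ok: $val"
        else
            echo "$opt MISMATCH: ${val:-<not found>} (expected $expected)"; rc=1
        fi
    done
    return $rc
}

# write_sample_dump FILE -> constructed fixture in mysqldump style (not a real export)
write_sample_dump() {
    cat > "$1" <<'EOF'
INSERT INTO `wp_options` VALUES (1,'siteurl','https://evil.example/redirect','yes'),(2,'home','https://example.com','yes');
INSERT INTO `wp_users` VALUES (1,'admin','$P$placeholderhash','admin@example.com');
INSERT INTO `wp_posts` VALUES (1,1,'<p>Welcome to my blog.</p>','Hello world','publish');
INSERT INTO `wp_posts` VALUES (2,1,'<p>Great post</p><script src=\"//cdn.example.invalid/x.js\"></script>','Injected','publish');
INSERT INTO `wp_posts` VALUES (3,1,'<div style=\"display:none\"><a href=\"https://spam.example\">cheap watches</a></div>','Spam block','publish');
EOF
}

# Run with --demo to scan the constructed fixture.
if [ "${1-}" = "--demo" ]; then
    f=$(mktemp)
    write_sample_dump "$f"
    scan_sql_dump "$f"
    check_site_urls "$f" https://example.com || echo "site URL has been tampered with"
    rm -f "$f"
fi
```

The siteurl/home check catches the redirect trick that a content grep misses: nothing in that row looks like HTML, yet every visitor would be sent to another domain after the import. Treat each reported line as something to open and inspect; legitimate posts can embed scripts too.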
Reinstall WordPress Core
Download a fresh copy of WordPress and overwrite core files via FTP. This replaces any infected files in wp-admin and wp-includes. Do not delete wp-content or your wp-config.php.
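After overwriting the core directories, it is worth proving that wp-admin and wp-includes now match the fresh download exactly, including files that should not be there at all. WP-CLI's `wp core verify-checksums` does this against the checksums published by wordpress.org; the portable script below is an added example (not code from the guide or from WP-CLI) that compares the two directories against a manifest you generate from the pristine copy, and its fixture tree is constructed for the demonstration.

```shell
#!/bin/sh
# Added example, not code from the original guide. After overwriting wp-admin and
# wp-includes with a fresh download, this compares those directories against a
# checksum manifest taken from the pristine copy and reports files that are
# modified, missing or extra. wp-content and wp-config.php are deliberately out of
# scope, as the guide says to keep them. The fixture tree is an assumption.

# _sha256 FILE -> hex digest, using whichever tool the system provides
_sha256() {
    if command -v sha256sum >/dev/null 2>&1; then sha256sum "$1" | cut -d' ' -f1
    else shasum -a 256 "$1" | cut -d' ' -f1; fi
}

# make_manifest PRISTINE_DIR -> "<sha256>  <relative path>" per core file, on stdout
make_manifest() {
    (cd "$1" && find wp-admin wp-includes -type f | sort | while IFS= read -r f; do
        printf '%s  %s\n' "$(_sha256 "$f")" "$f"
    done)
}

# verify_core_files MANIFEST SITE_DIR -> one line per discrepancy, returns 1 if any
verify_core_files() {
    manifest="$1"; site="$2"; rc=0
    while read -r sum path; do
        [ -n "$path" ] || continue
        if [ ! -f "$site/$path" ]; then
            echo "MISSING  $path"; rc=1
        elif [ "$(_sha256 "$site/$path")" != "$sum" ]; then
            echo "MODIFIED $path"; rc=1
        fi
    done < "$manifest"
    # Files present in the core directories but absent from the manifest.
    # Core filenames contain no whitespace, so plain word splitting is safe here.
    for f in $(cd "$site" && find wp-admin wp-includes -type f | sort); do
        if ! awk -v p="$f" '$2 == p { found = 1 } END { exit !found }' "$manifest"; then
            echo "EXTRA    $f"; rc=1
        fi
    done
    return $rc
}

# make_fixture ROOT -> constructed pristine tree plus a "site" copy with one tampered and one extra file
make_fixture() {
    p="$1/pristine"; s="$1/site"
    mkdir -p "$p/wp-admin" "$p/wp-includes" "$p/wp-content/plugins"
    printf '<?php // constructed stand-in for wp-admin/admin.php\n' > "$p/wp-admin/admin.php"
    printf '<?php $wp_version = "0.0-fixture";\n' > "$p/wp-includes/version.php"
    printf '<?php // plugin, not core\n' > "$p/wp-content/plugins/demo.php"
    cp -R "$p" "$s"
    printf '// appended line standing in for injected code\n' >> "$s/wp-includes/version.php"
    printf '<?php // file that does not belong in core\n' > "$s/wp-includes/class-cache.php"
}

# Run with --demo to build the fixture and print the discrepancies.
if [ "${1-}" = "--demo" ]; then
    t=$(mktemp -d)
    make_fixture "$t"
    make_manifest "$t/pristine" > "$t/manifest"
    verify_core_files "$t/manifest" "$t/site" || echo "core directories differ from the fresh copy"
    rm -rf "$t"
fi
```

In practice you would unpack the downloaded archive somewhere outside the web root, run `make_manifest` there, and then run `verify_core_files` against the live site. The EXTRA check matters as much as the MODIFIED one: overwriting core replaces known files but never removes a backdoor dropped under a new name.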
Lock Down Security
Now that your site is clean, seal the gaps hackers exploited.
Update Themes and Plugins
Outdated components pose major risks. Update your WordPress core, themes, and plugins to their latest versions. This step seals vulnerabilities that hackers exploit.
Change Passwords and Keys
Reset passwords for all users, FTP accounts, and your database. Rotate the WordPress security keys and salts in wp-config.php to invalidate old sessions: existing login cookies stop working, so anyone who still holds a stolen session is signed out along with everyone else.
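Rotating the keys means replacing the eight `define()` lines in wp-config.php with new random values. The script below is an added example, not code from the original guide; the constant names are WordPress's own, while the random source, value length and the sample config it writes are this example's assumptions.

```shell
#!/bin/sh
# Added example, not code from the original guide. Replaces the eight security
# key/salt constants in wp-config.php with fresh random values, which invalidates
# every existing login cookie. The constant names are WordPress's own; the random
# source, length and fixture config are this example's assumptions.

SALT_KEYS="AUTH_KEY SECURE_AUTH_KEY LOGGED_IN_KEY NONCE_KEY AUTH_SALT SECURE_AUTH_SALT LOGGED_IN_SALT NONCE_SALT"

# _random_salt -> 64 base64 characters from /dev/urandom (no quote characters, so safe inside '...')
_random_salt() {
    head -c 48 /dev/urandom | base64 | tr -d '\n'
}

# salt_value CONFIG KEY -> current value of define( 'KEY', '...' ), or empty if absent
salt_value() {
    sed -nE "s|.*define\( *'$2', *'([^']*)'.*|\1|p" "$1" | head -n1
}

# rotate_salts CONFIG -> rewrites all eight constants in place, returns 1 if any was not found
rotate_salts() {
    cfg="$1"; tmp="$cfg.rotating"; rc=0
    cp "$cfg" "$tmp"
    for k in $SALT_KEYS; do
        if [ -z "$(salt_value "$tmp" "$k")" ]; then
            echo "warning: $k not found in $cfg"; rc=1; continue
        fi
        new=$(_random_salt)
        # '|' is the sed delimiter because base64 output can contain '/'.
        sed -E "s|(define\( *'$k', *')[^']*'|\1$new'|" "$tmp" > "$tmp.next" && mv "$tmp.next" "$tmp"
    done
    mv "$tmp" "$cfg"
    return $rc
}

# write_sample_config FILE -> constructed wp-config.php stub with the placeholder keys
write_sample_config() {
    cat > "$1" <<'EOF'
<?php
define( 'DB_NAME', 'wordpress_db' );
define( 'AUTH_KEY',         'put your unique phrase here' );
define( 'SECURE_AUTH_KEY',  'put your unique phrase here' );
define( 'LOGGED_IN_KEY',    'put your unique phrase here' );
define( 'NONCE_KEY',        'put your unique phrase here' );
define( 'AUTH_SALT',        'put your unique phrase here' );
define( 'SECURE_AUTH_SALT', 'put your unique phrase here' );
define( 'LOGGED_IN_SALT',   'put your unique phrase here' );
define( 'NONCE_SALT',       'put your unique phrase here' );
$table_prefix = 'wp_';
EOF
}

# Run with --demo to rotate the keys in a constructed config and show the result.
if [ "${1-}" = "--demo" ]; then
    f=$(mktemp)
    write_sample_config "$f"
    rotate_salts "$f"
    grep -E "define\( *'[A-Z_]+(KEY|SALT)'" "$f"
    rm -f "$f"
fi
```

Run `rotate_salts /path/to/wp-config.php` after the file scan and core reinstall, not before, so that a backdoor cannot simply read the new values; keep a copy of the old file until you have confirmed you can log in again.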
Implement HTTPS and Firewall
Enable HTTPS for your login pages and admin area to encrypt data in transit. Install a web application firewall to block malicious traffic and clean up malware automatically:
- Cloudflare
- Sucuri
Audit User Accounts
Look for unrecognized or inactive admin users. Remove any you don’t know or switch their roles to subscriber. This reduces your attack surface.
Monitor Ongoing Security
A one-time cleanup isn’t enough. Keep watch.
Set Up Security Alerts
Enable email alerts in your security plugin for file changes, failed logins, or new user registrations. Real-time alerts help you catch threats early.
Schedule Regular Scans
Plan daily or weekly malware scans. Automated scans spot issues before they cause havoc. Use your plugin’s scheduler or a third-party tool.
Follow Security Checklist
Use our WordPress Security Checklist to ensure your site stays secure. A simple list can prevent common oversights.
Now you’ve recovered your site and beefed up your defenses. Keep scanning regularly and updating your code. Got a tip or question? Drop it in the comments below.