
How to Fix a Hacked WordPress Site

If your WordPress site has been hacked, don’t panic—this guide walks you through the recovery process. You’ll learn how to identify the breach, clean infected files, restore from backups, and strengthen security to avoid future hacks.

Key Takeaways

  • Act quickly: The faster you respond, the less damage hackers can cause to your site and reputation.
  • Scan for malware: Use trusted tools like Wordfence or Sucuri to detect hidden malicious code.
  • Restore from a clean backup: Always use a backup from before the hack occurred to ensure full recovery.
  • Update everything: Outdated themes, plugins, and WordPress core are common entry points for hackers.
  • Change all passwords: Reset admin, database, FTP, and hosting account credentials immediately.
  • Harden security: Enable two-factor authentication, limit login attempts, and use security plugins.
  • Monitor regularly: Set up alerts and routine scans to catch future threats early.


Finding out your WordPress site has been hacked is stressful—but it’s not the end. With the right steps, you can recover your site, remove malicious code, and prevent future attacks. This guide will walk you through a clear, step-by-step process to fix a hacked WordPress site and restore your peace of mind.

Whether you’re seeing strange redirects, spam content, or a “Site Under Maintenance” message that you didn’t create, this guide covers everything you need to know. We’ll help you clean your site, secure it, and get back online safely.

Step 1: Stay Calm and Confirm the Hack

[Image: visual guide about fixing a hacked WordPress site. Image source: blog.hosterbox.com]

The first rule of fixing a hacked site: don’t panic. Acting rashly can make things worse. Instead, confirm that your site is actually hacked.

Signs Your Site Is Hacked

  • Your homepage shows spam links or gibberish text.
  • You’re redirected to unknown websites when visiting your own site.
  • Google Search Console shows a “This site may be hacked” warning.
  • Your hosting provider sends a malware alert.
  • You notice unfamiliar admin users or posts you didn’t create.

Check with Online Tools

Use free tools like Sucuri SiteCheck or VirusTotal to scan your site. These tools check for malware, phishing content, and blacklisting status.

Once confirmed, move quickly—but methodically.

Step 2: Take Your Site Offline (Optional but Recommended)

[Image: visual guide about fixing a hacked WordPress site. Image source: majauskas.com]

To prevent further damage or visitor exposure, consider putting your site in maintenance mode. This stops users from accessing potentially harmful content.

You can do this by:

  • Using a plugin like WP Maintenance Mode.
  • Adding a temporary index.html file to your root directory.
  • Using your hosting control panel to enable a “coming soon” page.

This step is optional but wise if the hack is severe.

Step 3: Restore from a Clean Backup

[Image: visual guide about fixing a hacked WordPress site. Image source: maketecheasier.com]

The fastest and safest way to fix a hacked WordPress site is to restore it from a clean backup—one created before the hack occurred.

How to Restore a Backup

  1. Log in to your hosting control panel (like cPanel or Plesk).
  2. Navigate to the backup section or use a backup plugin like UpdraftPlus.
  3. Find a backup dated before the hack started.
  4. Restore the entire site—files and database.

Pro Tip: Always keep regular backups. If you don’t have one, skip to Step 4.

What If You Don’t Have a Backup?

If no clean backup exists, you’ll need to manually clean the site. This is riskier and more time-consuming, but still possible.

Step 4: Scan and Remove Malware

If you can’t restore from backup, you must scan and clean your site manually.

Use a Security Plugin

Install a trusted security plugin like Wordfence or Sucuri Security. These tools scan your files for malware, backdoors, and suspicious code.

After installing:

  • Run a full scan.
  • Review the results—look for infected files, unknown users, or modified core files.
  • Let the plugin quarantine or delete malicious files.

Check for Hidden Files and Folders

Hackers often hide malicious scripts in obscure locations. Use FTP or your hosting file manager to look for:

  • Files with strange names (e.g., “wp-config-backup.php”).
  • Folders in unexpected places (e.g., inside /wp-content/uploads/).
  • Files with recent modification dates that you don’t recognize.

Delete anything suspicious—but be careful not to remove legitimate files.

Inspect Key Files

Check critical files like:

  • wp-config.php – Look for unauthorized database changes or base64-encoded code.
  • .htaccess – Hackers often inject redirect rules here.
  • index.php in root and theme folders – Watch for obfuscated PHP code.

If you find strange code, replace the file with a clean version from a fresh WordPress download.
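The two checks above (hidden files in odd places, and suspicious code in key files) can be run from a shell instead of clicking through FTP. The script below is an added example written for this guide, not part of the article or of any WordPress plugin. It assumes only a POSIX shell with find, grep, awk and cksum, and it builds a small constructed sample site (a clean copy and a "suspect" copy with two planted changes) so it runs offline. The compare_trees helper goes a step beyond the text: it diffs a suspect site against a clean copy (a fresh WordPress download or an old backup) and lists files that were added or changed.

```shell
#!/bin/sh
# Added triage helpers for a suspected WordPress compromise (example code for this
# guide, not a WordPress or plugin tool). Assumes a POSIX shell with find, grep,
# awk and cksum. The sample tree below is constructed here so the script runs offline.

# Build a constructed sample site tree with a clean config, theme, .htaccess and upload.
make_sample_site() {
  root="$1"
  mkdir -p "$root/wp-content/uploads/2024/05" "$root/wp-content/themes/demo"
  printf '<?php\n// constructed clean config\ndefine("DB_NAME", "wp");\n' > "$root/wp-config.php"
  printf '<?php\n/* constructed clean theme */ get_header();\n' > "$root/wp-content/themes/demo/index.php"
  printf 'RewriteEngine On\n' > "$root/.htaccess"
  printf 'not really a jpeg' > "$root/wp-content/uploads/2024/05/photo.jpg"
}

# Plant two constructed artefacts of the kind the guide describes: a PHP file hidden in
# uploads with an obfuscated payload (decodes to "hello"), and a redirect rule in .htaccess
# pointing at a reserved, non-routable host name.
plant_sample_infection() {
  root="$1"
  printf '<?php\neval(base64_decode("aGVsbG8="));\n' > "$root/wp-content/uploads/2024/05/wp-config-backup.php"
  printf 'RewriteRule .* http://example.invalid/ [R=301,L]\n' >> "$root/.htaccess"
}

# 1. Executable PHP never belongs under wp-content/uploads.
php_in_uploads() {
  find "$1/wp-content/uploads" -type f -name '*.php'
}

# 2. Functions that clean configs and themes rarely need but obfuscated droppers rely on.
suspicious_code() {
  find "$1" -type f -name '*.php' -exec grep -lE 'eval\(|base64_decode\(|gzinflate\(|str_rot13\(' {} + || true
}

# 3. .htaccess rules that send visitors to another host.
htaccess_redirects() {
  grep -nE '(RewriteRule|Redirect).*https?://' "$1/.htaccess" || true
}

# 4. Files touched in the last N days (default 7); compare against your own change history.
recently_modified() {
  find "$1" -type f -mtime -"${2:-7}"
}

# 5. Compare a suspect tree against a clean one and report files that were added or changed.
#    Uses POSIX cksum rather than md5sum so it works on any Unix-like host.
tree_sums() {
  (cd "$1" && find . -type f -exec cksum {} + | awk '{print $1, $3}' | sort -k2)
}
compare_trees() {
  tmp=$(mktemp -d)
  tree_sums "$1" > "$tmp/clean"
  tree_sums "$2" > "$tmp/suspect"
  awk 'FILENAME == ARGV[1] { clean[$2] = $1; next }
       !($2 in clean)      { print "ADDED", $2; next }
       clean[$2] != $1     { print "MODIFIED", $2 }' "$tmp/clean" "$tmp/suspect"
  rm -rf "$tmp"
}

# Demo: build clean and suspect copies, then run every check against the suspect copy.
demo_triage() {
  base=$(mktemp -d)
  make_sample_site "$base/clean"
  make_sample_site "$base/suspect"
  plant_sample_infection "$base/suspect"
  echo "== PHP under uploads";       php_in_uploads "$base/suspect"
  echo "== suspicious functions";    suspicious_code "$base/suspect"
  echo "== redirect rules";          htaccess_redirects "$base/suspect"
  echo "== modified in last 7 days"; recently_modified "$base/suspect" 7
  echo "== differences from clean";  compare_trees "$base/clean" "$base/suspect"
  rm -rf "$base"
}

# Run the demo only when invoked with --demo; sourcing the file just defines the functions.
if [ "${1:-}" = "--demo" ]; then demo_triage; fi
```

Run it with `sh triage.sh --demo` to see the planted file, the eval/base64_decode hit, the redirect rule and the two differences from the clean copy. On a real site, point the functions at your document root and a freshly downloaded WordPress of the same version; anything compare_trees reports under wp-admin or wp-includes is a file you did not change and should replace, exactly as the step above says.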

Step 5: Update Everything

Outdated software is the #1 cause of WordPress hacks. After cleaning, update everything.

Update WordPress Core

Go to Dashboard > Updates and click “Update Now” if a new version is available.

Update Themes and Plugins

Go to Appearance > Themes, then Plugins > Installed Plugins. Update all themes and plugins to their latest versions.

Important: Delete any unused themes or plugins. Even if they’re inactive, they can be exploited.

For example, if a theme is installed but not in use, delete it to reduce risk.

Update Your PHP Version

Older PHP versions have security flaws. Check with your host to ensure you’re using PHP 8.0 or higher.

Step 6: Change All Passwords

Hackers often steal login credentials. Change every password related to your site.

Change These Passwords

  • WordPress admin users (go to Users > All Users).
  • Database password (via phpMyAdmin or hosting panel).
  • FTP/SFTP credentials.
  • Hosting account login.
  • Email accounts linked to your site.

Use strong, unique passwords with a mix of letters, numbers, and symbols. Consider a password manager like LastPass or Bitwarden.

Enable Two-Factor Authentication (2FA)

Add an extra layer of security by enabling 2FA on your WordPress login. Plugins like Wordfence Login Security or Google Authenticator make this easy.

Step 7: Harden Your WordPress Security

Prevention is better than cure. After fixing the hack, secure your site to avoid repeat attacks.

Install a Security Plugin

Use a plugin like Wordfence or Sucuri to:

  • Block brute force attacks.
  • Monitor file changes.
  • Set up email alerts for suspicious activity.

Limit Login Attempts

Prevent hackers from guessing passwords by limiting login attempts. Most security plugins include this feature.

Disable File Editing

Add this line to your wp-config.php file to prevent code editing from the WordPress dashboard:
// Place it above the "That's all, stop editing!" line so it is read before WordPress loads.
define('DISALLOW_FILE_EDIT', true);

Use HTTPS

Ensure your site uses SSL (HTTPS). Most hosts offer free SSL certificates via Let’s Encrypt.

Regularly Update Themes

Keep your themes updated. If you’re using a custom theme, learn how to update it safely so the update doesn’t break your site.

Step 8: Monitor and Test

After cleaning and securing your site, monitor it closely.

Set Up Alerts

Use your security plugin to receive email alerts for:

  • Failed login attempts.
  • File changes.
  • New admin users.
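The "limit login attempts" feature from Step 7 and the failed-login alerts above both rest on the same signal: many POSTs to wp-login.php from one address. The script below is an added example written for this guide, not a feature of Wordfence, Sucuri or any other plugin. It assumes the "combined" access-log format that Apache and nginx write by default, and it relies on the fact that a failed WordPress login re-renders the form with HTTP 200 while a successful one redirects (302). The log lines are constructed, using documentation IP ranges.

```shell
#!/bin/sh
# Added example for this guide: flag password-guessing bursts against wp-login.php in a
# web server access log. Not from the article or any plugin. Assumes the Apache/nginx
# "combined" log format: ip - - [time] "METHOD path proto" status bytes "referer" "agent".

# Constructed sample log: one address fails five times, one fails once then succeeds,
# and one only browses. Addresses are from reserved documentation ranges.
sample_log() {
  cat <<'EOF'
203.0.113.7 - - [10/May/2024:10:00:01 +0000] "POST /wp-login.php HTTP/1.1" 200 2413 "-" "Mozilla/5.0"
203.0.113.7 - - [10/May/2024:10:00:02 +0000] "POST /wp-login.php HTTP/1.1" 200 2413 "-" "Mozilla/5.0"
203.0.113.7 - - [10/May/2024:10:00:03 +0000] "POST /wp-login.php HTTP/1.1" 200 2413 "-" "Mozilla/5.0"
203.0.113.7 - - [10/May/2024:10:00:04 +0000] "POST /wp-login.php HTTP/1.1" 200 2413 "-" "Mozilla/5.0"
203.0.113.7 - - [10/May/2024:10:00:05 +0000] "POST /wp-login.php HTTP/1.1" 200 2413 "-" "Mozilla/5.0"
192.0.2.9 - - [10/May/2024:10:00:06 +0000] "POST /wp-login.php HTTP/1.1" 200 2413 "-" "Mozilla/5.0"
192.0.2.9 - - [10/May/2024:10:00:07 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
198.51.100.4 - - [10/May/2024:10:00:08 +0000] "GET /index.php HTTP/1.1" 200 5012 "-" "Mozilla/5.0"
198.51.100.4 - - [10/May/2024:10:00:09 +0000] "GET /wp-login.php HTTP/1.1" 200 2413 "-" "Mozilla/5.0"
EOF
}

# login_bursts THRESHOLD
# Reads an access log on stdin and prints "ip count" for every address with at least
# THRESHOLD failed login attempts (default 10). A failed login is a POST to /wp-login.php
# answered with 200; successful logins redirect with 302 and are not counted.
login_bursts() {
  awk -v limit="${1:-10}" '
    # $6 is the quoted method ("POST), $7 the request path, $9 the status code.
    $6 == "\"POST" && $7 == "/wp-login.php" && $9 == "200" { failed[$1]++ }
    END { for (ip in failed) if (failed[ip] >= limit) print ip, failed[ip] }
  '
}

# Demo: addresses with three or more failures in the constructed sample.
sample_log | login_bursts 3
```

On a live server replace sample_log with `tail -n 10000 /var/log/apache2/access.log` (or your host's equivalent path) and run it from cron; the output is what you would alert on or hand to your security plugin's block list. Using the status code rather than just counting POSTs keeps a legitimate user who typed the password wrong once out of the report.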

Test Your Site

  • Visit your site from different devices and locations.
  • Check for redirects or spam content.
  • Use Google Search Console to request a review if your site was blacklisted.

Schedule Regular Scans

Run weekly malware scans to catch issues early.

Troubleshooting Common Issues

Site Still Shows Hacked Content After Cleaning

This could mean:

  • The hack left behind a backdoor script.
  • Your browser or DNS is caching old content.
  • Malware is hosted on a CDN or external server.

Clear your browser cache, flush DNS, and rescan with multiple tools.

Can’t Log In to WordPress

If you’re locked out:

  • Use FTP to rename the plugins folder (temporarily disables all plugins).
  • Check for a corrupted .htaccess file—replace it with a default version.
  • Contact your hosting provider for assistance.

Google Still Flags Your Site

Even after cleaning, Google may still show warnings. Submit your site for review in Google Search Console under “Security Issues.”

Conclusion

Fixing a hacked WordPress site is challenging, but entirely possible with the right approach. By acting quickly, restoring from a clean backup, scanning for malware, and strengthening security, you can recover your site and protect it from future attacks.

Remember: prevention is key. Keep your WordPress core, themes, and plugins updated, use strong passwords, and install a reliable security plugin. Regular monitoring and backups will save you time and stress in the long run.

Don’t let a hack define your website’s future—take control, clean up, and come back stronger.