How to Recover a Hacked WordPress Site: Step-by-Step

Discovering that your WordPress website has been hacked can be an incredibly stressful experience. Whether your site is redirecting to shady URLs, displaying strange pop-ups, or has been blacklisted by Google, the panic is completely understandable.

However, you need to act quickly and methodically. This step-by-step guide will walk you through the process of cleaning up the malware, securing your site, and getting everything back to normal.

Step 1: Stay Calm and Put Your Site in Maintenance Mode

Before you do anything else, try to prevent visitors from seeing the compromised version of your site. If you still have access to your WordPress dashboard, install a maintenance mode plugin or use your hosting control panel to display a temporary “Site Under Maintenance” page.

Why This is Important

This protects your visitors from potentially downloading malware and prevents your brand’s reputation from suffering further damage while you fix the issue.

Step 2: Assess the Damage and Scan for Malware

You need to know exactly what you are dealing with before you start deleting files.

Using Security Scanners

If you can still log in to your dashboard, install a reputable security scanner like Wordfence, Sucuri, or MalCare. Run a complete scan of your website. These tools will highlight infected files, suspicious code injections, and modified core files.

If you are locked out of your dashboard, you can use remote scanners like Sucuri SiteCheck, though they only inspect what your site serves publicly (rendered pages, scripts, and redirects), not the files stored on your server.

Step 3: Restore from a Clean Backup

The easiest and fastest way to fix a hacked site is to restore it from a backup taken before the hack occurred.

What if You Have a Backup?

Log in to your hosting account or backup plugin (like UpdraftPlus) and restore both your database and files to a date when you are 100% sure the site was clean.

What if You Don’t Have a Backup?

If you don’t have a clean backup, you will have to manually clean the site, which requires the following steps.

Step 4: Change All Passwords and Access Keys

Hackers often leave backdoors to regain access after you clean your site. You must change all credentials immediately.

What Passwords Need Changing?

  • WordPress Admin Accounts: Change the passwords for every administrator.
  • Hosting Control Panel (cPanel): Update your primary hosting password.
  • FTP/SFTP Accounts: Change your FTP passwords.
  • Database (MySQL): Change the database user password and update your wp-config.php file with the new credentials.

You should also regenerate your WordPress security keys and salts (AUTH_KEY, SECURE_AUTH_KEY, and the related constants) in the wp-config.php file. This invalidates every existing login cookie, so all active users, including anyone who hijacked a session, are logged out instantly.

Step 5: Clean Core Files, Themes, and Plugins

Most malware hides in your core files, outdated themes, or vulnerable plugins.

Reinstalling Core Files

You can safely replace your WordPress core files without affecting your content. Download a fresh copy of WordPress from WordPress.org. Using an FTP client, delete the /wp-admin/ and /wp-includes/ folders on your server, and upload the fresh ones. Do not delete the /wp-content/ folder or your wp-config.php file.

Cleaning Themes and Plugins

  • Plugins: Delete all plugins via FTP and reinstall fresh copies from the official repository. Do not just deactivate them; delete them completely.
  • Themes: Delete any themes you are not actively using. For your active theme, if you haven’t made custom code changes, delete it and reinstall a fresh copy.

Step 6: Check User Accounts and Remove Ghost Admins

Hackers frequently create hidden administrator accounts so they can log back in whenever they want.

Go to Users > All Users in your WordPress dashboard. Review the list carefully. If you see any administrator accounts that you or your team did not create, delete them immediately and assign their content to your primary admin account.
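Because the dashboard itself runs on code you no longer trust, a practitioner would also check the database directly: export the capabilities rows from wp_usermeta and compare every account holding the administrator role against the list of admins you actually created. The script below is an added example, not part of the original article; the sample rows, logins and allowlist are constructed, and the wp_ table prefix is an assumption.

```python
import re

# Constructed sample rows, as if exported with a query such as:
#   SELECT u.ID, u.user_login, m.meta_key, m.meta_value
#   FROM wp_users u JOIN wp_usermeta m ON m.user_id = u.ID
#   WHERE m.meta_key LIKE '%capabilities';
# The LIKE clause also catches a non-default table prefix (e.g. xyz_capabilities).
SAMPLE_ROWS = [
    (1, "alice",      "wp_capabilities", 'a:1:{s:13:"administrator";b:1;}'),
    (2, "bob",        "wp_capabilities", 'a:1:{s:6:"editor";b:1;}'),
    (3, "wp_support", "wp_capabilities", 'a:1:{s:13:"administrator";b:1;}'),
    (4, "carol",      "wp_capabilities",
     'a:2:{s:10:"subscriber";b:1;s:13:"administrator";b:1;}'),
    (5, "",           "wp_capabilities", 'a:1:{s:13:"administrator";b:1;}'),
    (6, "dave",       "wp_capabilities", 'a:1:{s:13:"administrator";b:0;}'),
]

# Constructed allowlist: the administrators you or your team actually created.
KNOWN_ADMINS = {"alice"}

# WordPress stores roles as a PHP-serialized array; a role is enabled when its
# value is boolean true ("b:1;"). A disabled role ("b:0;") must not match.
ROLE_RE = re.compile(r's:\d+:"([^"]+)";b:1;')


def roles_from_meta(meta_value: str) -> set:
    """Return the set of enabled role names in a serialized capabilities value."""
    return set(ROLE_RE.findall(meta_value))


def find_ghost_admins(rows, known_admins):
    """Return (ID, login, roles) for every administrator not on the allowlist.

    Accounts with an empty login or with administrator stacked on top of a
    lower role are reported too, since both are common signs of a planted account.
    """
    ghosts = []
    for user_id, login, meta_key, meta_value in rows:
        if not meta_key.endswith("capabilities"):
            continue
        roles = roles_from_meta(meta_value)
        if "administrator" in roles and login not in known_admins:
            ghosts.append((user_id, login or "<empty login>", sorted(roles)))
    return ghosts


if __name__ == "__main__":
    for user_id, login, roles in find_ghost_admins(SAMPLE_ROWS, KNOWN_ADMINS):
        print(f"review user ID {user_id} ({login}): roles {roles}")
```

Delete or demote any account the report lists that you cannot account for, then rerun the export after cleanup to confirm the list is empty.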

Step 7: Request a Malware Review from Google

If your site was flagged by Google with a warning like “This site may be hacked,” you will need to tell them that the site is clean so they can remove the warning.

Log in to Google Search Console, navigate to the Security Issues section, and click on Request a Review. Explain the steps you took to clean and secure the site. It may take a few days for Google to process the request and remove the warning.

Conclusion

Recovering a hacked WordPress site requires patience and attention to detail. Once your site is clean, your top priority should be preventing it from happening again. Make sure to set up automated daily backups, install a robust firewall (WAF), enforce strong passwords, and keep your core, themes, and plugins updated at all times.