If your WordPress site has been hacked, it can feel overwhelming. Your website might be down, showing spam content, or redirecting visitors to malicious pages. The most important thing is to act quickly and methodically to remove the infection and secure your site.
This guide walks through the essential steps to clean a hacked WordPress site and prevent future attacks.
Step 1: Put the Website in Maintenance Mode
If your site is actively compromised, the first step is to limit the damage: keep visitors away from the infected pages while you investigate, and stop the attacker's content from being served to search engines.
You can:
- enable maintenance mode
- temporarily disable the site via hosting
- restrict access using .htaccess or firewall rules
This helps protect visitors and prevents further spread of malware.
Step 2: Identify the Type of Hack
Before cleaning, you need to understand what you’re dealing with. Different hacks require different approaches.
Common signs include:
- spam redirects to other websites
- unknown admin users in dashboard
- modified or missing files
- Google warnings about malware
You can use a malware scanner or manually inspect files and database changes to identify the issue. Note the date and time of the first symptom (a visitor complaint, a Google warning, a file modification time) and check the web server access logs around that time; they often show which URL or plugin the attacker used to get in, which tells you what to fix in the later steps.
Step 3: Backup the Current State
Before making any changes, create a full backup of your site — even if it’s infected.
This backup can help:
- restore data if something breaks
- analyze how the hack happened
- recover lost content if needed
Store the backup outside the hosting environment and label it clearly as infected, so that nobody restores it over a clean site later.
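The lockdown from Step 1 and the snapshot from Step 3, as an added shell example that is not part of the original article. It assumes an Apache host that honours .htaccess with the 2.4 "Require" syntax (AllowOverride must permit it), WP-CLI available as `wp` for the database dump, and a hypothetical administrator IP of 203.0.113.5 from the documentation range; the file paths are examples.

```shell
#!/bin/sh
# Added example: lock a compromised WordPress install down and snapshot it
# before any cleanup starts. Assumptions: Apache 2.4 .htaccess, WP-CLI as
# `wp`, admin IP 203.0.113.5 (hypothetical).
set -eu

# Put WordPress into maintenance mode by dropping the file core's loader
# checks. Core shows "Briefly unavailable" while .maintenance exists and
# $upgrading is less than 10 minutes old, so rewrite it if cleanup runs longer.
enable_maintenance() {
  root=$1
  printf '<?php $upgrading = %s; ?>\n' "$(date +%s)" > "$root/.maintenance"
}

# Restrict the whole docroot to allow-listed IPs so nobody else reaches the
# injected pages while you work. The existing .htaccess is kept aside rather
# than deleted: attackers often plant redirect rules in it, so it is evidence.
lockdown_htaccess() {
  root=$1; shift
  if [ -f "$root/.htaccess" ]; then
    mv "$root/.htaccess" "$root/.htaccess.suspect"
  fi
  {
    echo '<RequireAny>'
    for ip in "$@"; do echo "  Require ip $ip"; done
    echo '</RequireAny>'
  } > "$root/.htaccess"
}

# Snapshot the infected site: a tar of the docroot (tar keeps modification
# times, which you need for the timeline) plus a database dump, each hashed
# so the evidence copy can be verified later. Prints the snapshot directory.
snapshot_site() {
  root=$1; out=$2
  stamp=$(date -u +%Y%m%dT%H%M%SZ)
  dir="$out/wp-infected-$stamp"
  mkdir -p "$dir"
  tar -C "$root" -cpzf "$dir/files.tar.gz" .
  # --skip-plugins/--skip-themes keeps a backdoored plugin from loading
  # inside the WP-CLI process while it dumps the database.
  if command -v wp >/dev/null 2>&1; then
    wp --path="$root" db export "$dir/database.sql" --skip-plugins --skip-themes
  fi
  (cd "$dir" && sha256sum ./* > SHA256SUMS)
  echo "$dir"
}

# Usage: sh lockdown.sh /var/www/html /root/evidence 203.0.113.5
if [ "$#" -ge 3 ]; then
  enable_maintenance "$1"
  lockdown_htaccess "$1" "$3"
  snapshot_site "$1" "$2"
fi
```

Copy the snapshot directory off the server (scp to your workstation or an object store) before going on to Step 4; the SHA256SUMS file lets you prove later that the copy you analysed is the one you took.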
Step 4: Remove Malware from Files
Next, clean infected files. Attackers often inject malicious code into core files, plugins, themes, or upload folders.
Focus on:
- recently modified files
- unknown PHP files in uploads
- obfuscated or encoded code
In most cases it is safer to replace WordPress core with a fresh copy of the same version from wordpress.org and to reinstall plugins and themes from their official sources than to edit infected copies by hand. The parts you keep are wp-config.php and wp-content/uploads, and those are exactly the parts that need a careful manual review.
Step 5: Clean the Database
Hackers often inject malicious scripts into the database, especially into post content, the options table (the siteurl and home values rewritten to an attacker's domain, or serialized plugin settings carrying script tags) and the user tables.
Check for:
- spam links in posts or pages
- suspicious JavaScript in content
- unknown admin users
Remove anything that does not belong. This step is often missed but critical.
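The database checks above, as an added example that is not from the original article. It runs the queries through WP-CLI (`wp db query` reads SQL from standard input) and assumes `wp` is on PATH and the command runs from the WordPress root; the table prefix is read from wp-config.php. The injected snippet in the usage line is a constructed placeholder, not a real indicator.

```shell
#!/bin/sh
# Added example: database audit for a hacked WordPress site via WP-CLI.
# Assumptions: `wp` on PATH, run from the WordPress root; prefix from wp-config.
set -eu

# Emit the audit SQL for a given table prefix. Each query targets one of the
# patterns listed in Step 5: script/iframe/encoded payloads in content, the
# site address rewritten for a redirect hack, option rows carrying script
# tags (including serialized plugin settings), and administrator accounts.
db_audit_sql() {
  p=$1
  cat <<EOF
-- Posts and pages carrying script, iframe or encoded payloads
SELECT ID, post_title, post_type, post_modified
  FROM ${p}posts
 WHERE post_content LIKE '%<script%'
    OR post_content LIKE '%<iframe%'
    OR post_content LIKE '%eval(%'
    OR post_content LIKE '%base64_decode%';
-- Site address rewritten to an attacker domain (classic redirect hack)
SELECT option_name, option_value
  FROM ${p}options
 WHERE option_name IN ('siteurl', 'home');
-- Any option row, serialized plugin settings included, holding script tags
SELECT option_id, option_name, LEFT(option_value, 120) AS sample
  FROM ${p}options
 WHERE option_value LIKE '%<script%'
    OR option_value LIKE '%<iframe%';
-- Every administrator with its registration date, to spot accounts you did not create
SELECT u.ID, u.user_login, u.user_email, u.user_registered
  FROM ${p}users u
  JOIN ${p}usermeta m ON m.user_id = u.ID
 WHERE m.meta_key = '${p}capabilities'
   AND m.meta_value LIKE '%administrator%';
EOF
}

# Once you have identified the exact injected snippet, strip it from every
# post in one statement instead of editing posts by hand. Single quotes in the
# snippet are doubled so the statement stays valid SQL.
db_strip_snippet_sql() {
  p=$1
  esc=$(printf '%s' "$2" | sed "s/'/''/g")
  printf "UPDATE %sposts SET post_content = REPLACE(post_content, '%s', '') WHERE post_content LIKE '%%%s%%';\n" \
    "$p" "$esc" "$esc"
}

# Run the audit against the live database. --skip-plugins/--skip-themes keep
# a backdoored plugin from loading inside the WP-CLI process while you query.
db_audit() {
  prefix=$(wp config get table_prefix --skip-plugins --skip-themes)
  db_audit_sql "$prefix" | wp db query --skip-plugins --skip-themes
}

# Usage: sh db-audit.sh run
#        sh db-audit.sh strip "<script src='https://evil.example/x.js'></script>" | wp db query
case "${1:-}" in
  run)   db_audit ;;
  strip) db_strip_snippet_sql "$(wp config get table_prefix --skip-plugins --skip-themes)" "$2" ;;
esac
```

Review the audit output against a clean reference (a staging copy or an old backup) rather than deleting on sight: legitimate page builders and analytics plugins also store script tags in post content and options, and removing those breaks the site without fixing the compromise.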
Step 6: Remove Backdoors
Even after cleaning visible malware, attackers may have left backdoors to regain access.
Search for:
- randomly named PHP files
- files that call eval, base64_decode and similar decode-then-execute constructs
- hidden scripts in plugin or theme folders
If even one backdoor survives, the attacker simply walks back in and the site will be hacked again, however thorough the rest of the cleanup was. Backdoors are not always files: check the WordPress cron entries and any system crontab the hosting account has, and the .htaccess rules, since both are common places to hide persistence.
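File-system triage covering Steps 4 and 6, as an added example that is not part of the original article. It assumes a Linux host with GNU find and grep, and WP-CLI as `wp` for the checksum comparison; the sample tree in the usage note is constructed.

```shell
#!/bin/sh
# Added example: locate recently modified files, PHP under uploads, and
# suspicious code constructs in a WordPress tree. Assumptions: GNU find/grep,
# WP-CLI as `wp` for verify-checksums.
set -eu

# Files changed in the last N days (default 7): malware drops and edits cluster
# around the compromise date. Attackers can forge mtimes, so treat this as a
# lead, not proof of innocence for older files.
recent_files() {
  root=$1; days=${2:-7}
  find "$root" -type f -mtime "-$days" ! -path '*/cache/*' | sort
}

# PHP anywhere under uploads is wrong by definition: WordPress stores only
# media there, so every hit is a webshell, a dropper, or something to explain.
php_in_uploads() {
  find "$1/wp-content/uploads" -type f \
    \( -iname '*.php' -o -iname '*.phtml' -o -iname '*.php[0-9]' \) 2>/dev/null | sort
}

# Code-level indicators from Step 6 plus their usual companions: eval and
# base64_decode chains, gzinflate/str_rot13 obfuscation, and command execution.
# Core and well-known plugins also use some of these legitimately, so compare
# each hit against a clean copy of the same version before deleting it.
suspicious_code() {
  grep -rlE --include='*.php' \
    'eval *\(|base64_decode *\(|gzinflate *\(|str_rot13 *\(|(shell_exec|passthru|system) *\(' \
    "$1" | sort
}

# Compare core and plugin files against the checksums published by
# wordpress.org; anything "not found" or "doesn't match" was added or edited.
verify_checksums() {
  wp --path="$1" core verify-checksums --skip-plugins --skip-themes
  wp --path="$1" plugin verify-checksums --all --skip-plugins --skip-themes
}

# Combined report; pipe it to a file and work through it section by section.
triage() {
  root=$1
  echo "## files modified in the last 7 days"; recent_files "$root" 7
  echo "## PHP files under wp-content/uploads"; php_in_uploads "$root"
  echo "## files with eval/base64_decode/obfuscation/exec calls"; suspicious_code "$root"
}

# Usage: sh triage.sh /var/www/html > triage.txt; then verify_checksums separately
if [ "$#" -ge 1 ]; then
  triage "$1"
  verify_checksums "$1" || true
fi
```

On a real site the suspicious_code list is long, because wp-includes and several popular plugins call base64_decode legitimately; the checksum comparison is what separates those from edited files, which is why Step 4 recommends reinstalling core, plugins and themes from clean sources instead of cleaning them in place.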
Step 7: Reset All Access Credentials
After cleaning, assume all credentials are compromised.
Reset:
- WordPress admin passwords
- FTP/SFTP accounts
- hosting account passwords
- database credentials
Use strong, unique passwords and enable two-factor authentication where possible. Also replace the authentication salts in wp-config.php and log out all sessions: a new password alone does not invalidate a login cookie the attacker already holds, new salts do.
Step 8: Update Everything
Known vulnerabilities in outdated plugins and themes are one of the most common entry points. After cleaning, update:
- WordPress core
- all plugins
- all themes
Remove any unused plugins or themes to reduce attack surface.
Step 9: Improve Security
Cleaning alone is not enough. You must secure the site to prevent future attacks.
Important measures include:
- rate-limiting login attempts and requiring two-factor authentication for administrators
- monitoring file changes
- disabling XML-RPC if not needed
- setting correct file permissions (directories 755, files 644, wp-config.php not readable by other accounts on the server)
Ongoing monitoring helps detect threats early.
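Steps 7 to 9 as one added shell example, not taken from the original article. It assumes WP-CLI as `wp`, that it runs from the WordPress root as the site's own system user, an Apache host with .htaccess enabled, and that the FTP/SFTP, hosting and database passwords are rotated separately in the host's control panel, which WP-CLI cannot reach.

```shell
#!/bin/sh
# Added example: post-cleanup hardening via WP-CLI. Assumptions: `wp` on PATH,
# run from the site root as the site user, Apache .htaccess; FTP/hosting/DB
# passwords are rotated in the hosting panel, not here.
set -eu

# 24-character password from the kernel CSPRNG, base64 symbols stripped so it
# pastes cleanly everywhere.
gen_password() {
  head -c 30 /dev/urandom | base64 | tr -d '/+=\n' | cut -c1-24
}

# Step 7: new password for every administrator, all of their sessions
# destroyed, then fresh salts so every existing login cookie (the attacker's
# included) stops validating. Passwords are printed once; deliver them out of band.
rotate_admin_credentials() {
  for user in $(wp user list --role=administrator --field=user_login); do
    pw=$(gen_password)
    wp user update "$user" --user_pass="$pw" --skip-email >/dev/null
    wp user session destroy "$user" --all
    printf '%s\t%s\n' "$user" "$pw"
  done
  wp config shuffle-salts
}

# Step 8: update core, plugins and themes, then delete whatever is inactive so
# it can neither be exploited nor used to hide a backdoor. Keep one default
# theme installed: WordPress falls back to it if the active theme breaks.
update_everything() {
  wp core update
  wp core update-db
  wp plugin update --all
  wp theme update --all
  wp plugin delete $(wp plugin list --status=inactive --field=name) 2>/dev/null || true
  wp theme delete $(wp theme list --status=inactive --field=name) 2>/dev/null || true
}

# Step 9: the permissions the WordPress hardening guide recommends (755 for
# directories, 644 for files) and wp-config.php readable only by the site user.
fix_permissions() {
  root=$1
  find "$root" -type d -exec chmod 755 {} +
  find "$root" -type f -exec chmod 644 {} +
  chmod 600 "$root/wp-config.php"
}

# Step 9: block xmlrpc.php at the web server. It is the usual target for
# password brute-forcing and pingback abuse and most sites never use it.
# Idempotent: a second run does not duplicate the rule.
disable_xmlrpc() {
  root=$1
  grep -q 'xmlrpc.php' "$root/.htaccess" 2>/dev/null && return 0
  cat >> "$root/.htaccess" <<'EOF'
# Block XML-RPC (added during incident hardening)
<Files xmlrpc.php>
  Require all denied
</Files>
EOF
}

# Usage: sh harden.sh /var/www/html   (after cleanup, as the site user)
if [ "$#" -ge 1 ]; then
  cd "$1"
  rotate_admin_credentials
  update_everything
  fix_permissions "$1"
  disable_xmlrpc "$1"
fi
```

If the site is behind a plugin that needs XML-RPC (the Jetpack mobile app and some remote publishing tools do), skip disable_xmlrpc and rate-limit the endpoint instead; everything else in the script is safe to run on any standard install.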
Step 10: Request Google Review (If Needed)
If your site was flagged by Google, you need to request a review after cleaning.
This can be done through Google Search Console once the site is fully secure.
Reviews typically take a few days.
Conclusion
Fixing a hacked WordPress site requires more than just removing visible malware. Without proper cleanup and security improvements, the site can easily be compromised again.
The safest approach is to follow a structured process: identify the issue, clean files and database, remove backdoors, and secure the site properly. Regular maintenance and monitoring are key to preventing future problems.
If you prefer not to handle this manually, professional cleanup services can make sure everything is properly removed and secured. If you need help, check our website cleaning service.