Finding out your WordPress site has been hacked is one of the worst feelings in digital business. Your stomach drops. You start questioning everything — when did it happen, what did they take, who saw it, is it fixable? That panic is completely understandable.
Here is the good news: the vast majority of WordPress hacks are fully recoverable. Sites get cleaned, restored, and hardened every day. The key is to act quickly and methodically — not to start deleting files at random or reinstalling WordPress in a panic. Work through these steps in order.
Step 1: Confirm the Hack and Assess the Damage
Before you do anything, confirm that your site has actually been compromised. There are several ways a hack can surface:
- Google shows a "This site may be hacked" warning in search results
- Your hosting provider has suspended the account and sent a malware notice
- Visitors see unexpected content, redirects, or pharmaceutical spam
- You are locked out of the WordPress admin panel
- Your browser flags the site as dangerous
Start with a free scan from Sucuri SiteCheck (sitecheck.sucuri.net). Paste your URL and it will check for known malware signatures, blacklist status, and visible injections. This gives you a baseline of what you are dealing with before you go deeper.
Step 2: Take the Site Offline and Secure Your Access
Once you have confirmed a hack, limit the damage. Put your site into maintenance mode so visitors stop landing on a compromised page. Most hosts have a one-click option for this, or you can use a maintenance mode plugin if you still have admin access.
Then change every password immediately — in this order:
- WordPress admin accounts
- Hosting control panel (cPanel, Plesk, or equivalent)
- FTP/SFTP accounts
- Database password (and update wp-config.php to match)
- Email account associated with your hosting
Log in to WordPress and check Users > All Users. Remove any admin accounts you do not recognize. Attackers frequently create backdoor admin accounts to maintain access even after a surface-level cleanup.
Step 3: Identify the Entry Point
Cleaning the malware without closing the entry point means you will be hacked again within days. The most common entry points on WordPress sites are:
- Outdated plugins or themes with known vulnerabilities
- Nulled (pirated) themes or plugins containing built-in backdoors
- Weak or reused admin passwords
- A compromised hosting account shared with other infected sites
- Exposed wp-config.php or xmlrpc.php
Check your server's file modification dates. In your hosting file manager or via FTP, sort files by last modified date. Files that were changed recently — especially core WordPress files or plugin files you did not update — are prime suspects. Pay particular attention to wp-config.php, .htaccess, and any PHP files in your uploads folder (there should be none there under normal circumstances).
Step 4: Clean the Malware
If You Have a Clean Backup
This is the fastest and most reliable recovery method. Restore from a backup taken before the hack occurred, then immediately close the entry point that allowed access in the first place. A clean restore followed by the same vulnerabilities is just a repeat attack waiting to happen.
If You Do Not Have a Clean Backup
You will need to clean the site manually or with a tool. Wordfence and MalCare are both capable of scanning and cleaning infected files. Install one, run a full scan, and follow the guided cleanup process.
For manual checks, focus on these areas:
- wp-config.php: Look for obfuscated PHP (base64-encoded strings, eval() calls)
- .htaccess: Check for redirect rules you did not add
- uploads folder: Delete any .php files found here — legitimate uploads are never PHP
- Plugin files: Compare against the official plugin from WordPress.org if anything looks modified
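The file-level checks from Step 3 (recently modified files, PHP in the uploads folder) and the manual checks just listed can be run in one pass over the document root. The script below is an added example, not part of the article or of any WordPress tool; the paths it scans are the standard WordPress layout, and the sample docroot it builds is constructed for demonstration.

```shell
#!/bin/sh
# Added triage helper (not from the article). Walks a WordPress document root
# and prints one tagged line per finding for the manual checks the article
# describes: PHP under wp-content/uploads, recently modified files,
# obfuscation markers in wp-config.php, and redirect rules in .htaccess.
# Usage: wp_triage /path/to/docroot [days]   (days defaults to 7)
wp_triage() {
  root=$1
  days=${2:-7}
  # 1. Any PHP under uploads is a cleanup candidate: media uploads are never PHP.
  find "$root/wp-content/uploads" -type f \( -iname '*.php' -o -iname '*.phtml' \) 2>/dev/null |
    sed 's/^/PHP_IN_UPLOADS /'
  # 2. Files changed in the last N days. Timestamps can be reset by an attacker,
  #    so an empty list is not proof of a clean site; a populated one is a lead.
  find "$root" -type f -mtime "-$days" 2>/dev/null | sed 's/^/RECENT /'
  # 3. Obfuscation markers in wp-config.php (line-numbered).
  if [ -f "$root/wp-config.php" ]; then
    grep -nE 'base64_decode|eval[[:space:]]*\(|gzinflate|str_rot13' \
      "$root/wp-config.php" | sed 's/^/WPCONFIG /'
  fi
  # 4. Rewrite/redirect rules pointing off-site in .htaccess.
  if [ -f "$root/.htaccess" ]; then
    grep -nEi 'RewriteRule.*https?://|^[[:space:]]*Redirect(Match)?[[:space:]]' \
      "$root/.htaccess" | sed 's/^/HTACCESS /'
  fi
}

# Builds a constructed sample docroot (hypothetical paths and contents) so the
# script can be tried offline; prints the temp directory path.
demo_docroot() {
  d=$(mktemp -d)
  mkdir -p "$d/wp-content/uploads/2024/01" "$d/wp-includes"
  printf 'JFIF placeholder' > "$d/wp-content/uploads/2024/01/photo.jpg"
  printf '<?php echo "dropped file";\n' > "$d/wp-content/uploads/2024/01/dropped.php"
  printf "<?php\ndefine('DB_NAME', 'wp');\neval(base64_decode('Zm9v'));\n" > "$d/wp-config.php"
  printf 'RewriteEngine On\nRewriteRule ^(.*)$ http://redirect.example/$1 [R=301,L]\n' > "$d/.htaccess"
  echo "$d"
}

if [ -n "${1:-}" ]; then
  wp_triage "$1" "${2:-7}"
else
  sample=$(demo_docroot)
  wp_triage "$sample" 7
  rm -rf "$sample"
fi
```

Run it with no arguments to see the output on the constructed sample, or pass your real document root and a day count to triage a live site over SSH.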
If the infection is extensive or you are not comfortable working at the file level, hire a professional. The cost of a one-time cleanup is far less than the cost of an ongoing hack.
Step 5: Harden the Site After Cleanup
Cleanup is not the finish line — hardening is. Once the site is clean, implement these measures before taking it back online:
- Update WordPress core, all plugins, and all themes to current versions
- Delete any plugins or themes you are not actively using (inactive does not mean safe)
- Enable two-factor authentication on all admin accounts
- Consider changing the database table prefix from the default wp_ to something custom
- Block or restrict access to wp-login.php — either by IP whitelist, CAPTCHA, or moving the login URL
- Disable XML-RPC if you do not use it (most sites do not need it)
Step 6: Monitor and Prevent Future Hacks
Most reinfections happen because the entry point was not properly closed, or because the site returned to the same maintenance-free state that allowed the original hack. Prevention requires ongoing attention, not a one-time cleanup.
Put these in place before you walk away:
- Automated malware scanning: Wordfence, MalCare, or Sucuri running on a regular schedule
- Uptime monitoring: Know immediately if your site goes down
- Web application firewall: Blocks common attack patterns before they reach WordPress
- Regular backups stored offsite: So the next incident is a restore, not a crisis
- Update schedule: Core, plugins, and themes updated within days of release, not months
A one-time cleanup restores your site. Ongoing maintenance keeps it clean. Without a consistent maintenance process, the same vulnerabilities reappear — and the same attackers, or their automated bots, will find them again.