Is Your Site Hacked Right Now? Do This First:
- Change all passwords immediately - WordPress admin, database, FTP, hosting panel
- Enable maintenance mode - Protect your visitors from malware
- Contact your hosting provider - They may be able to help or have detected the issue
- Do not delete anything yet - You may destroy evidence needed for recovery
Take a breath. Most hacks are recoverable. This guide will walk you through the entire process.
Discovering your WordPress site has been hacked is terrifying. Your business, your content, your visitors' trust - all at risk. But here's the good news: with the right approach, you can recover your site, remove the malware, and prevent this from happening again.
This comprehensive guide covers everything you need to know about recovering a hacked WordPress site, from identifying what happened to implementing bulletproof security.
Table of Contents
Signs Your WordPress Site Has Been Hacked
Before diving into recovery, let's confirm your site is actually hacked. Here are the most common warning signs:
Unexpected Redirects
Visitors are sent to spam sites, pharmaceutical pages, or malicious domains. This is one of the most obvious signs of a hack.
Strange Content Appearing
Spam links, foreign text, or unfamiliar content appearing on your pages that you didn't add. Check your posts, pages, and especially the footer.
Google Warnings
"This site may be hacked" or "This site may harm your computer" warnings in search results. Check Google Search Console for security issues.
Unknown Admin Users
New administrator accounts you didn't create. Attackers often create backdoor admin accounts to maintain access.
Dramatically Slower Site
Crypto miners, spam mailers, or malicious scripts consuming server resources can make your site crawl.
Suspicious Files
New PHP files with random names, files in unusual locations, or recently modified core files you didn't touch.
Spam Emails Being Sent
Your hosting provider reports your site is sending spam, or you notice unusual email activity from your domain.
Security Plugin Alerts
Wordfence, Sucuri, or other security tools reporting malware, file changes, or suspicious activity.
Not Sure? Use these free tools to check: Sucuri SiteCheck, VirusTotal, or Google Safe Browsing.
Immediate Steps When You Discover a Hack
Time is critical. Follow these steps immediately:
Change All Passwords Immediately
Change passwords for everything connected to your site:
- WordPress admin accounts (all users)
- Database password (in cPanel or hosting panel)
- FTP/SFTP accounts
- Hosting control panel (cPanel, Plesk, etc.)
- SSH keys (if used)
- Email accounts associated with the domain
Use strong, unique passwords - at least 16 characters with mixed case, numbers, and symbols. A password manager like 1Password or Bitwarden makes this manageable. Be clear about what this step achieves: it closes the door the attacker came in through, but it does not evict someone who already has a web shell or a rogue admin account on the site. Plan to rotate everything again after cleanup, and regenerate the salts in wp-config.php at the same time, which invalidates every existing login cookie.
Enable Maintenance Mode
Protect your visitors from malware exposure:
<?php
// Create a file called .maintenance in your WordPress root
$upgrading = time();
?>
Or use a maintenance mode plugin if you can still access the admin dashboard. Either approach only intercepts requests that boot WordPress: a web shell requested directly by path (for example a PHP file under wp-content/uploads) still runs, and the .maintenance file must be readable by the web server user. If your host or control panel can take the site offline at the web server level, that is the stronger option while you clean up.
Document Everything
Before making changes, document what you find:
- Take screenshots of any suspicious content
- Note the URLs of any redirects
- Save error messages
- List any unknown users or files
- Check server access logs for suspicious activity
This documentation may be needed for compliance reporting, insurance claims, or if you need professional help later.
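The access log is where the timeline lives, and it is the one artifact you cannot recreate after the fact. The script below is an added example, not part of the original guide: it runs a few awk passes over a constructed sample of Apache-style combined log lines (the IPs, paths and timestamps are made up for this example) and pulls out the patterns that usually accompany a WordPress compromise: requests for PHP files under wp-content/uploads, login brute-forcing per client IP, POSTs to PHP files WordPress never normally receives POSTs on, the earliest hit on a flagged path (which sets the date a trustworthy backup must predate), and the full request trail of one flagged client. Point it at your real log instead of the sample; the field positions assume the standard combined format.

```bash
#!/usr/bin/env bash
# Added example (not from the original guide): first-pass triage of a web server
# access log in the standard "combined" format. Field positions: $1 client IP,
# $4 [timestamp, $6 "METHOD, $7 path, $9 status.
set -eu

# Constructed sample log for this example. Real logs live under /var/log
# (e.g. /var/log/apache2/access.log, /var/log/nginx/access.log) or in your host's panel.
SAMPLE_LOG="$(mktemp)"
cat > "$SAMPLE_LOG" <<'EOF'
203.0.113.7 - - [12/Mar/2024:03:14:01 +0000] "GET /wp-content/uploads/2024/03/photo.jpg HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
198.51.100.9 - - [12/Mar/2024:03:15:22 +0000] "POST /wp-login.php HTTP/1.1" 200 1234 "-" "python-requests/2.31"
198.51.100.9 - - [12/Mar/2024:03:15:23 +0000] "POST /wp-login.php HTTP/1.1" 200 1234 "-" "python-requests/2.31"
198.51.100.9 - - [12/Mar/2024:03:15:24 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "python-requests/2.31"
198.51.100.9 - - [12/Mar/2024:03:16:40 +0000] "POST /wp-admin/plugin-install.php HTTP/1.1" 200 8000 "-" "python-requests/2.31"
198.51.100.9 - - [12/Mar/2024:03:18:05 +0000] "POST /wp-content/uploads/2024/03/wp-cache.php HTTP/1.1" 200 412 "-" "Mozilla/5.0"
198.51.100.9 - - [12/Mar/2024:03:18:09 +0000] "POST /wp-content/uploads/2024/03/wp-cache.php HTTP/1.1" 200 3307 "-" "Mozilla/5.0"
192.0.2.55 - - [12/Mar/2024:08:00:00 +0000] "GET /wp-includes/js/jquery/jquery.min.js HTTP/1.1" 200 90000 "-" "Mozilla/5.0"
192.0.2.55 - - [12/Mar/2024:08:00:02 +0000] "POST /wp-admin/admin-ajax.php HTTP/1.1" 200 50 "https://example.com/" "Mozilla/5.0"
EOF

# 1. Any request for a PHP file under uploads. Nothing legitimate lives there;
#    a POST to one is a web shell being driven.
uploads_php_hits() {            # $1 = log file
  awk '$7 ~ /^\/wp-content\/uploads\/.*\.php/ { print $1, $4, $6, $7 }' "$1" | tr -d '["'
}

# 2. Login brute force: POSTs to wp-login.php and xmlrpc.php per client IP.
login_posts_per_ip() {          # $1 = log file
  awk '$6 == "\"POST" && ($7 == "/wp-login.php" || $7 == "/xmlrpc.php") { c[$1]++ }
       END { for (ip in c) print c[ip], ip }' "$1" | sort -rn
}

# 3. POSTs to PHP files outside the few endpoints WordPress normally receives POSTs on.
unusual_post_targets() {        # $1 = log file
  awk '$6 == "\"POST" && $7 ~ /\.php/ &&
       $7 !~ /^\/(wp-login\.php|xmlrpc\.php|wp-cron\.php|wp-comments-post\.php|wp-admin\/)/ { print $1, $7 }' "$1" \
    | sort | uniq -c | sort -rn
}

# 4. Earliest hit on a path matching a regex. Logs are chronological, so this is a
#    lower bound on how long the site has been compromised; a backup must predate it.
first_seen() {                  # $1 = log file, $2 = awk regex
  awk -v re="$2" '$7 ~ re { print $4; exit }' "$1" | tr -d '['
}

# 5. Everything one client did, in order: the narrative of the intrusion
#    (here: password guessing, a 302 on success, a plugin upload, then the shell).
requests_by_ip() {              # $1 = log file, $2 = client IP
  awk -v ip="$2" '$1 == ip { print $4, $6, $7, $9 }' "$1" | tr -d '["'
}

echo "== PHP under uploads ==";         uploads_php_hits "$SAMPLE_LOG"
echo "== login POSTs per IP ==";        login_posts_per_ip "$SAMPLE_LOG"
echo "== unusual POST targets ==";      unusual_post_targets "$SAMPLE_LOG"
echo "== first hit on wp-cache.php =="; first_seen "$SAMPLE_LOG" 'wp-cache[.]php'
echo "== trail of 198.51.100.9 ==";     requests_by_ip "$SAMPLE_LOG" 198.51.100.9
```

On the sample, the trail of 198.51.100.9 reads as a complete intrusion: repeated 200s on wp-login.php (failed guesses), a 302 (the guess that worked), a POST to plugin-install.php, and then POSTs to a new PHP file under uploads. The first_seen timestamp on that file is the point before which your backup must have been taken, and the same functions are worth re-running on the logs after cleanup to confirm the traffic has stopped.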
Check for Clean Backups
If you have a backup from before the hack, recovery is much simpler:
- Check your hosting provider's backup system
- Review UpdraftPlus, BackupBuddy, or similar plugin backups
- Check any offsite backup services
- Verify the backup date is before you noticed the hack
Important: Don't assume backups are clean. Malware can exist on your site for weeks before becoming visible. Scan backup files before restoring.
Contact Your Hosting Provider
Your host can provide valuable assistance:
- They may have already detected the hack and have logs
- They can help isolate your site to prevent spread
- Some hosts offer free or paid malware removal
- They can restore from server-level backups
How to Identify the Type of Attack
Understanding what type of attack hit your site helps you clean it properly and prevent recurrence.
SEO Spam / Pharma Hack
Injects spam links, keywords, or pages for SEO manipulation. Often targets pharmaceuticals, gambling, or adult content. May only be visible to search engines.
- Signs: Hidden text, spam pages in Google index, cloaked content
- Locations: Database (posts, options), theme files, .htaccess
- Clean: Database search, theme inspection, search console review
Malicious Redirects
Sends visitors to malicious sites. May target specific referrers (Google, social media) or specific devices (mobile only).
- Signs: Unexpected redirects, different behavior from different sources
- Locations: .htaccess, wp-config.php, theme header.php, database
- Clean: Check all redirect-capable files, database wp_options
Backdoor / Web Shell
Hidden access point allowing attackers to return. Often disguised as legitimate files or hidden in existing files.
- Signs: Unknown PHP files, eval/base64 in code, suspicious POST requests in logs
- Locations: wp-includes, wp-content/uploads, plugin folders, theme folders
- Clean: File integrity scan, compare against clean WordPress, check uploads folder
Crypto Miner
Uses your server or visitors' browsers to mine cryptocurrency. Causes high CPU usage and slow performance.
- Signs: High CPU usage, slow site, JavaScript mining scripts in pages
- Locations: Theme files, plugins, injected JavaScript
- Clean: Search for mining scripts (Coinhive, CryptoLoot and their copycats; Coinhive itself shut down in 2019 but the injected loaders live on), and check every external script tag against the ones your theme and plugins are supposed to load
Ransomware
Encrypts files or database and demands payment. Less common on WordPress but increasingly seen.
- Signs: Encrypted files, ransom note, inaccessible content
- Locations: All files may be affected
- Clean: Restore from backup (do not pay ransom), full reinstall may be required
Email Spam Relay
Uses your server to send spam emails. Can get your IP/domain blacklisted and suspended by hosting.
- Signs: High email volume, bounce messages, hosting warnings, IP blacklisted
- Locations: Malicious PHP mailer scripts, compromised contact forms
- Clean: Find and remove mailer scripts, verify wp-mail.php and the other core files against a fresh copy, update all software
Scanning for Malware
Use multiple tools for thorough scanning. No single scanner catches everything.
Security Plugin Scanning
If you can access wp-admin, install and run these scanners:
Recommended Scanners
- Wordfence - Free scanner with file integrity checks and malware signatures
- Sucuri Security - Remote and server-side scanning, malware removal guides
- MalCare - Deep scanning with one-click cleanup option
- Anti-Malware by GOTMLS - Good for detecting known threats
Manual File Scanning
If you can't access wp-admin, scan manually via FTP/SSH:
# Find recently changed PHP files (last 7 days). Check ctime as well as mtime:
# attackers routinely reset mtime with touch, but ctime cannot be set from user space
find /path/to/wordpress -name "*.php" \( -mtime -7 -o -ctime -7 \)
# Search for common malware signatures (-l prints only the matching file names).
# Treat hits as leads, not verdicts: some legitimate plugins use base64_decode too
grep -rl "eval(base64_decode" /path/to/wordpress
grep -rl "eval(gzinflate" /path/to/wordpress
grep -rl "preg_replace.*\/e" /path/to/wordpress
grep -rl "assert(" /path/to/wordpress
grep -rl "str_rot13" /path/to/wordpress
grep -rl "gzuncompress" /path/to/wordpress
# Find world-writable files (anything any process on the box can overwrite)
find /path/to/wordpress -perm -o+w -type f
# Look for PHP files in uploads (there should be none)
find /path/to/wordpress/wp-content/uploads -name "*.php"
Database Scanning
Search your database for injected content:
-- Search posts for suspicious scripts
SELECT ID, post_title FROM wp_posts
WHERE post_content LIKE '%<script%'
OR post_content LIKE '%eval(%'
OR post_content LIKE '%base64_decode%';
-- Check options table for injected code
SELECT option_name, option_value FROM wp_options
WHERE option_value LIKE '%<script%'
OR option_value LIKE '%eval(%';
-- Look for suspicious admin users
SELECT * FROM wp_users
WHERE user_registered > DATE_SUB(NOW(), INTERVAL 30 DAY);
-- Check for suspicious user meta
SELECT * FROM wp_usermeta
WHERE meta_key = 'wp_capabilities'
AND meta_value LIKE '%administrator%';
Cleaning Infected Files
Option A: Restore from Clean Backup
The fastest and most thorough cleanup method:
- Verify the backup date is before the infection
- Scan the backup files for malware before restoring
- Restore all WordPress core files, themes, and plugins
- Restore the database
- Keep the uploads folder from current site (after scanning)
- Update all software immediately after restore
- Change all passwords again
Warning: If you restore a backup that already contains malware, you'll be back where you started. Always scan backups before restoring.
Option B: Manual Cleanup
If you don't have a clean backup, clean manually:
Step 1: Replace WordPress Core Files
# Before the first rm, take a complete copy of the site (files and database):
# it is evidence, and you will want to diff against it later
# Download fresh WordPress (the current release; if you are several versions
# behind, WordPress runs its database upgrade on first load)
wget https://wordpress.org/latest.zip
unzip latest.zip
# Replace core directories (NOT wp-content)
rm -rf wp-admin wp-includes
cp -r wordpress/wp-admin wordpress/wp-includes .
# Replace core files in root. The zip contains no wp-config.php or .htaccess,
# so those stay in place for now and are cleaned in the next two steps.
# Copying over the top never removes files an attacker ADDED: the rm -rf above
# takes care of wp-admin and wp-includes, but compare the root directory
# against the zip for extra PHP files too
cp wordpress/*.php .
Step 2: Clean wp-config.php
Compare your wp-config.php against a fresh copy. Remove any code that doesn't belong:
# Suspicious additions to look for:
eval(
base64_decode(
gzinflate(
str_rot13(
@include(
error_reporting(0);
ini_set('display_errors', 0);
Also regenerate your security keys using the WordPress salt generator.
Step 3: Clean .htaccess
Replace it with the default WordPress .htaccess below (copy the current one aside first as evidence, and re-add only the rules you know you wrote, such as redirects or caching directives). Also search the whole tree for additional .htaccess files: attackers plant them in wp-content/uploads or wp-includes to make non-PHP extensions executable or to redirect specific visitors.
# BEGIN WordPress
<IfModule mod_rewrite.c>
RewriteEngine On
RewriteBase /
RewriteRule ^index\.php$ - [L]
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteRule . /index.php [L]
</IfModule>
# END WordPress
Step 4: Clean Plugins
The safest approach is to delete and reinstall all plugins:
- Note which plugins are active (check wp_options table if needed)
- Delete the entire plugins folder
- Download fresh copies from WordPress.org or vendors
- Re-install and activate
Step 5: Clean Themes
Similar approach for themes:
- Delete all themes except what you need
- Download fresh copies of required themes
- If using a child theme, inspect child theme files carefully
- Check functions.php, header.php, and footer.php especially
Step 6: Clean Uploads Folder
The uploads folder is the most common hiding spot for malware:
# List PHP files in uploads (these should NOT exist). Inspect them and move them
# out of the web root rather than deleting on sight: they are evidence, and a
# shell's contents often reveal how the attacker got in
find wp-content/uploads -name "*.php"
# Find alternative PHP extensions and icon files that are really PHP
# (-print0/-0 keeps file names with spaces intact; "file" misses polyglots whose
# PHP tag sits after image magic bytes, so grep the folder for "<?php" as well)
find wp-content/uploads \( -name "*.phtml" -o -name "*.php5" -o -name "*.ico" \) -print0 | xargs -0 file | grep PHP
# Check for files with double extensions (expect false positives such as script.min.js)
find wp-content/uploads -name "*.*.*"
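Putting the manual scan and the uploads clean-up together: the script below is an added example (not the guide's own code) that runs three detectors over a WordPress tree and moves every hit into a quarantine directory mirroring the original paths, logging what was moved, so nothing is destroyed before you have looked at it. The tree and the planted files are constructed in a temporary directory for the example; set WP_ROOT to your document root and QUARANTINE to a directory outside the web root to use it for real. It catches PHP-executable extensions under uploads, image or icon files that contain a PHP open tag anywhere, and PHP files carrying the obfuscation signatures from the scanning section or passing a request parameter straight to an execution function. Expect the signature list to flag the occasional legitimate plugin, which is exactly why the files are moved rather than deleted.

```bash
#!/usr/bin/env bash
# Added example (not from the original guide): scan a WordPress tree with three
# detectors and quarantine the hits instead of deleting them.
set -eu

WP_ROOT="$(mktemp -d)"          # in practice: your document root
QUARANTINE="$(mktemp -d)"       # in practice: a directory outside the web root
mkdir -p "$WP_ROOT/wp-content/uploads/2024/03" "$WP_ROOT/wp-content/themes/site" "$WP_ROOT/wp-includes"

# Constructed clean files.
printf '<?php\nfunction site_setup() { add_theme_support("title-tag"); }\n' > "$WP_ROOT/wp-content/themes/site/functions.php"
printf '\211PNG\r\n\032\n' > "$WP_ROOT/wp-content/uploads/2024/03/photo.png"
# Constructed planted files, one per hiding technique the guide describes.
printf '<?php eval(base64_decode($_POST["c"]));\n' > "$WP_ROOT/wp-content/uploads/2024/03/wp-cache.php"  # shell in uploads
printf '<?php @assert($_REQUEST["x"]);\n'          > "$WP_ROOT/wp-content/uploads/2024/03/favicon.ico"   # PHP behind an image extension
printf 'GIF89a<?php system($_GET["cmd"]); ?>\n'    > "$WP_ROOT/wp-content/uploads/2024/03/logo.gif.php"  # image magic bytes + double extension
printf '<?php if(isset($_GET["k"])){eval(gzinflate(base64_decode($_GET["k"])));}\n' > "$WP_ROOT/wp-includes/class-wp-stats.php"  # core-looking name

# (a) PHP-executable extensions under uploads: never legitimate.
php_in_uploads() {              # $1 = wp root
  find "$1/wp-content/uploads" -type f \( -name '*.php' -o -name '*.php[0-9]' -o -name '*.phtml' -o -name '*.phar' \)
}

# (b) Image, icon or text files that contain a PHP open tag (grep -a forces text mode).
disguised_php() {               # $1 = wp root
  find "$1" -type f \( -name '*.ico' -o -name '*.png' -o -name '*.jpg' -o -name '*.jpeg' -o -name '*.gif' -o -name '*.txt' \) \
    -exec grep -la '<?php' {} + || true
}

# (c) PHP files carrying the obfuscation signatures from the scanning section, or
#     handing a request parameter straight to an execution function.
SIGNATURES='eval[[:space:]]*\([[:space:]]*(base64_decode|gzinflate|gzuncompress|str_rot13)|assert[[:space:]]*\(|(system|shell_exec|passthru|exec)[[:space:]]*\([[:space:]]*\$_(GET|POST|REQUEST|COOKIE)'
suspicious_php() {              # $1 = wp root
  find "$1" -type f \( -name '*.php' -o -name '*.php[0-9]' -o -name '*.phtml' -o -name '*.phar' \) \
    -exec grep -lE "$SIGNATURES" {} + || true
}

# Move one file into the quarantine directory under its path relative to the web
# root and log it, so it can be examined (and restored if it was a false positive).
quarantine() {                  # $1 = wp root, $2 = quarantine dir, $3 = absolute file path
  rel="${3#"$1"/}"
  mkdir -p "$2/$(dirname "$rel")"
  mv "$3" "$2/$rel"
  printf '%s\t%s\n' "$(date -u +%Y-%m-%dT%H:%M:%SZ)" "$rel" >> "$2/quarantine.log"
}

# Union of all detector hits, de-duplicated, quarantined; prints how many were moved.
scan_and_quarantine() {         # $1 = wp root, $2 = quarantine dir
  touch "$2/quarantine.log"
  { php_in_uploads "$1"; disguised_php "$1"; suspicious_php "$1"; } | LC_ALL=C sort -u \
    | while IFS= read -r f; do quarantine "$1" "$2" "$f"; done
  wc -l < "$2/quarantine.log" | tr -d ' '
}

echo "== findings =="
{ php_in_uploads "$WP_ROOT"; disguised_php "$WP_ROOT"; suspicious_php "$WP_ROOT"; } | LC_ALL=C sort -u
QUARANTINED="$(scan_and_quarantine "$WP_ROOT" "$QUARANTINE")"
echo "quarantined $QUARANTINED file(s) into $QUARANTINE; see $QUARANTINE/quarantine.log"
```

Note how each planted file is caught by a different detector: the extension check alone would miss favicon.ico, the open-tag check alone would miss the GIF89a polyglot, and the signature check alone would miss a shell that uses a function not on the list. Run the detectors first without the quarantine step to review the list, then quarantine, then re-run them to confirm the tree is empty of hits.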
Database Cleanup
Malware often hides in the database. Clean it thoroughly. The queries below assume the default wp_ table prefix; if wp-config.php sets a different $table_prefix, substitute it in the table names and in the wp_capabilities meta key.
Check for Unauthorized Users
-- List all admin users
SELECT u.ID, u.user_login, u.user_email, u.user_registered
FROM wp_users u
JOIN wp_usermeta m ON u.ID = m.user_id
WHERE m.meta_key = 'wp_capabilities'
AND m.meta_value LIKE '%administrator%';
-- Delete a rogue account (replace ID). If the account authored any posts, delete it
-- from wp-admin instead and attribute its content to another user, otherwise those
-- posts are left pointing at a user that no longer exists
DELETE FROM wp_users WHERE ID = [suspicious_id];
DELETE FROM wp_usermeta WHERE user_id = [suspicious_id];
Clean Injected Content in Posts
-- Find posts with suspicious content
SELECT ID, post_title, post_content
FROM wp_posts
WHERE post_content LIKE '%<iframe%'
OR post_content LIKE '%<script%'
OR post_content LIKE '%style="display:none"%';
-- Remove a specific injection pattern (CAREFUL - backup first!). REPLACE() is fine on
-- post_content, but never run it on serialized values (wp_options, wp_postmeta): the
-- s:N:"..." length prefixes stop matching and PHP can no longer unserialize the value.
-- Use WP-CLI's wp search-replace there; it rewrites serialized data correctly
UPDATE wp_posts
SET post_content = REPLACE(post_content, '[malicious_code]', '')
WHERE post_content LIKE '%[malicious_code]%';
Check Options Table
The wp_options table is frequently targeted:
-- Look for suspicious options (parentheses make the AND/OR precedence explicit)
SELECT option_name, LEFT(option_value, 200)
FROM wp_options
WHERE option_name LIKE '%base64%'
OR option_name LIKE '%eval%'
OR option_name LIKE 'wp_check_%'
OR (option_name NOT LIKE 'widget%' AND option_value LIKE '%<script%');
-- Check siteurl and home (common target for redirects)
SELECT option_name, option_value
FROM wp_options
WHERE option_name IN ('siteurl', 'home', 'blogname', 'admin_email');
-- Check active plugins for anything suspicious
SELECT option_value FROM wp_options WHERE option_name = 'active_plugins';
Check User Meta
-- Look for capability escalation
SELECT u.user_login, m.meta_value
FROM wp_users u
JOIN wp_usermeta m ON u.ID = m.user_id
WHERE m.meta_key LIKE '%capabilities%';
-- Find suspicious user meta entries
SELECT * FROM wp_usermeta
WHERE meta_value LIKE '%eval%'
OR meta_value LIKE '%base64%';
Critical: Always backup your database before making changes. One wrong DELETE query can destroy your entire site.
Securing Your Site After Recovery
Once clean, harden your security to prevent reinfection.
Update Everything
The hack likely exploited outdated software:
- Update WordPress core to latest version
- Update all plugins to latest versions
- Update all themes to latest versions
- Update PHP version to 8.2 or higher if possible
Enable Two-Factor Authentication
Protect all admin accounts with 2FA:
- Install WP 2FA or Wordfence Login Security
- Require 2FA for all administrator and editor accounts
- Use authenticator apps (not SMS)
- Save backup codes securely
Install Security Plugin
Add comprehensive security monitoring:
- Wordfence - Firewall, scanner, login security
- Sucuri - Firewall, monitoring, cleanup service
- iThemes Security (now Solid Security) - Hardening, 2FA, file monitoring
Set Correct File Permissions
# Directories should be 755 (the + form runs chmod once per batch instead of once per file)
find /path/to/wordpress -type d -exec chmod 755 {} +
# Files should be 644
find /path/to/wordpress -type f -exec chmod 644 {} +
# wp-config.php should be 400 or 440. 400 only works when PHP runs as the file's owner
# (PHP-FPM pools, suPHP, most managed hosts); if PHP runs as a shared web server user
# that only shares the file's group, use 440 or the site will fail to load
chmod 400 wp-config.php
Add Security Headers
These are Apache mod_headers directives for .htaccess or the virtual host config; nginx uses the equivalent add_header directives with the always flag:
<IfModule mod_headers.c>
Header always set X-Frame-Options "SAMEORIGIN"
Header always set X-Content-Type-Options "nosniff"
# X-XSS-Protection is deprecated: current browsers ignore it and the old filter mode could be abused, so switch it off rather than enable it
Header always set X-XSS-Protection "0"
Header always set Referrer-Policy "strict-origin-when-cross-origin"
</IfModule>
Once HTTPS is enforced site-wide, add Strict-Transport-Security as well, and work toward a Content-Security-Policy, which is the real replacement for the browser XSS filter.
Disable File Editing
Add to wp-config.php:
define('DISALLOW_FILE_EDIT', true);
define('DISALLOW_FILE_MODS', true); // Also blocks plugin/theme installs, dashboard updates AND automatic background updates - only set it if you update via WP-CLI or a deployment pipeline
Request Google Review
If your site was blacklisted:
- Go to Google Search Console
- Navigate to Security Issues section
- Review and fix all reported issues
- Request a review once cleaned
- Usually takes 24-72 hours for review
Never Deal With This Again
MojoShine includes autonomous security monitoring, automatic updates, container isolation, and malware scanning. If your site somehow gets infected, we clean it for free.
Start 30-Day Free Trial
How to Prevent Future Hacks
An ounce of prevention is worth a pound of cure. Implement these measures to avoid future hacks:
Prevention Checklist
- Keep WordPress, plugins, and themes updated (enable auto-updates)
- Use strong, unique passwords for everything
- Enable two-factor authentication for all admin users
- Choose secure managed hosting with container isolation
- Use a Web Application Firewall (WAF)
- Implement regular automated backups (daily minimum)
- Remove unused plugins and themes
- Only install plugins from trusted sources
- Never use nulled/pirated themes or plugins
- Limit login attempts and change login URL
- Disable XML-RPC if not needed
- Monitor file changes and security logs
- Use SSL/HTTPS everywhere
- Conduct regular security scans
Managed Hosting vs DIY Security
Compare your options:
| Security Feature | DIY (Self-Managed) | Managed WordPress Host |
|---|---|---|
| Automatic Updates | Configure yourself, risk breakage | AI-validated, automatic rollback |
| Malware Scanning | Plugin required, manual review | Automatic with AI detection |
| Container Isolation | Not available on shared hosting | Standard, prevents cross-site attacks |
| Web Application Firewall | $10-20/month extra | Included |
| Malware Cleanup | DIY or $150-500 professional | Free, handled by host |
| Recovery Time | Hours to days | Minutes with automatic restoration |
Bottom Line: Quality managed WordPress hosting ($12-50/month) costs less than a single professional malware cleanup and prevents most attacks entirely.
When to Seek Professional Help
Some situations require expert assistance:
- Ransomware: Files are encrypted and you don't have backups
- Persistent reinfection: The hack keeps coming back after cleanup
- No technical skills: You're not comfortable with the technical steps
- Legal requirements: You need documented chain of custody for compliance
- Complex infection: Multiple backdoors, database corruption, or server-level compromise
- Business critical: Site generates significant revenue and needs immediate recovery
Professional Services
| Service | Cost | Best For |
|---|---|---|
| Sucuri | $199-499/year (includes unlimited cleanups) | Ongoing protection + cleanup |
| Wordfence Care | $490/year (includes cleanups) | WordPress-specific expertise |
| MalCare | $99-299/year | One-click cleanup + prevention |
| Freelance Specialist | $150-500 one-time | Budget-conscious cleanup |
| Switch to Managed Hosting | $12-50/month ongoing | Prevention + free cleanup |
Frequently Asked Questions
How do I know if my WordPress site has been hacked?
Common signs include: unexpected redirects to spam sites, strange content or links appearing on pages, Google "This site may be hacked" warnings, new admin users you didn't create, dramatically slower site speed, suspicious files in your WordPress directory, spam emails being sent from your server, and being blacklisted by security services.
Can I recover a hacked WordPress site myself?
Yes, many hacks can be cleaned yourself if you have technical skills. The process involves scanning for malware, cleaning infected files and database, updating all software, and hardening security. However, if you're not confident or the infection is severe, professional malware removal services can help. Using managed hosting with automatic malware scanning can prevent this situation entirely.
How long does it take to clean a hacked WordPress site?
A basic hack cleanup takes 2-4 hours for someone experienced. Complex infections with multiple backdoors, database injection, and file modifications can take 8-24 hours. If you restore from a clean backup, recovery can take under an hour. Professional services typically clean sites within 4-12 hours.
Will I lose my content if my WordPress site was hacked?
Usually not. Most hacks add malicious code without deleting your content. However, some destructive attacks do delete databases or files. This is why regular backups are critical. If you have a clean backup from before the hack, you can restore it and lose minimal data.
How do I prevent my WordPress site from being hacked again?
Key prevention measures include: keeping WordPress, plugins, and themes updated; using strong unique passwords with two-factor authentication; choosing secure hosting with container isolation and automatic updates; using a Web Application Firewall; implementing regular automated backups; removing unused plugins and themes; and using security monitoring to detect threats early.
How much does it cost to fix a hacked WordPress site?
DIY cleanup is free but time-consuming (2-24 hours). Professional malware removal services range from $150-500 for basic cleanup to $500-1500 for complex infections. Services like Sucuri ($199-499/year) include unlimited cleanups. Prevention through quality managed hosting ($12-50/month) is far more cost-effective than repeated cleanups.
What should I do first when I discover my site is hacked?
Immediately: 1) Change all passwords (WordPress admin, database, FTP, hosting account), 2) Enable maintenance mode to protect visitors, 3) Document what you see (take screenshots), 4) Check if you have a clean backup to restore from, 5) Scan for malware using security plugins, 6) Contact your hosting provider for help. Don't panic - most hacks are recoverable.
Ready to Prevent Future Hacks?
MojoShine's autonomous security catches threats before they become problems. Container isolation, automatic updates, malware scanning, and free cleanup if anything gets through.
Start Your 30-Day Free Trial