If you’re reading this, chances are your WordPress site has been hacked — or you suspect it might have been. Either way, you’re not alone. According to recent reports, over 90% of all hacked websites run on WordPress, and the reasons vary: outdated plugins, weak passwords, vulnerable themes, and brute force attacks.
But here’s the good news: getting hacked doesn’t mean game over. With the right steps, you can recover your site, restore your content, and even strengthen its security for the future.
In this comprehensive guide, I’ll walk you through:
- How to detect a hack
- Immediate actions to take
- Step-by-step cleanup process
- Tools and plugins to help secure your site
- Real-world examples and use cases
- Common mistakes to avoid
I’ve helped dozens of clients recover from hacked WordPress sites — some had malware injections, others were blacklisted by Google, and a few even had their admin accounts hijacked. The key is to act fast, stay calm, and follow a clear plan.
Let’s get started.
Table of Contents
- First Aid Implementation
- Confirm That Your Site Is Actually Hacked
- Put Your Site in Maintenance Mode
- Change All Passwords Immediately
- Scan for Malware and Vulnerabilities
- Restore From a Clean Backup
- Update Everything
- Remove Suspicious Users and Roles
- Secure Your Server and Files
- Rebuild Your Sitemap and Notify Search Engines
- Real-World Use Cases or Tutorials
- Pros and Cons Table
- Warnings or Common Mistakes to Avoid
- Alternatives Comparison for Security Aspects
- SEO and Performance Considerations
- Conclusion and Summary
- Further Reading
- FAQ
First Aid Implementation
Confirm That Your Site Is Actually Hacked
Before jumping into panic mode, make sure what you’re seeing is indeed a hack. Here are common signs:
- Your homepage redirects to an adult or phishing site
- You see unfamiliar pop-ups or ads
- Search engines warn visitors that your site is unsafe
- Unknown users appear in your WordPress dashboard
- Your site suddenly loads extremely slowly or crashes frequently
🚨 Pro Tip: Use tools like Google Safe Browsing or Sucuri SiteCheck to scan your site for malware.
Put Your Site in Maintenance Mode
The last thing you want is for visitors to land on a hacked version of your site. Putting your blog in maintenance mode prevents further damage and protects your audience.
Option 1: Use a Plugin (Recommended)
Install a plugin like WP Maintenance Mode or Coming Soon Page & Maintenance Mode by SeedProd. These let you display a professional-looking maintenance page while you work behind the scenes.
Option 2: Manual Method
Add this code snippet to your theme’s `functions.php` file:

```php
// Show a maintenance notice to everyone except logged-in users who can edit themes.
// Hooking get_header means the front end is blocked while wp-admin stays reachable,
// so you can keep working (and log in) during the cleanup.
function wp_maintenance_mode() {
    if ( ! current_user_can( 'edit_themes' ) || ! is_user_logged_in() ) {
        wp_die( '<h1>Maintenance in Progress</h1><p>We are currently working on our site. Please check back soon.</p>' );
    }
}
add_action( 'get_header', 'wp_maintenance_mode' );
```
⚠️ Don’t forget to remove this once the cleanup is complete!
Change All Passwords Immediately
Changing all your passwords is one of the most critical first steps after a hack. Hackers often gain access through weak or reused credentials, and may have compromised multiple accounts. By resetting every password associated with your site, you immediately cut off any unauthorized access and prevent further damage.
This includes:
- WordPress admin account
- FTP/SFTP login
- Database user credentials
- Hosting control panel (cPanel, Plesk, etc.)
Use strong passwords — ideally generated by a password manager like Bitwarden or 1Password.
🔒 Best Practice: Enable two-factor authentication (2FA) on your WordPress login using plugins like Duo Two-Factor Authentication or Google Authenticator – Login Verification.
Scan for Malware and Vulnerabilities
Scanning your WordPress site for malware and vulnerabilities is crucial to identify the full extent of the hack. Even if the symptoms seem minor, hidden backdoors or malicious code can persist. Use both automated and manual methods to detect infected files and ensure your site is completely clean before moving forward.
Automated Scanning Tools:
- Wordfence Security – Free and premium versions available; scans core files, themes, and plugins.
- Sucuri SiteCheck – Online scanner that checks for malware, defacements, and SEO spam.
- iThemes Security Pro – Offers real-time scanning and hardening features.
- MalCare – A cloud-based scanner that can detect malware without slowing down your site.
Manual Inspection Tips:
- Check recently modified files using FTP or cPanel
- Look for obfuscated PHP code like `eval(gzinflate(base64_decode(...)))`
- Review your database for suspicious entries in the `wp_options`, `wp_posts`, or `wp_comments` tables
- Check for unfamiliar plugins or themes in your WordPress dashboard
- Look for any suspicious JavaScript files in your theme or plugin directories
- Use the WP-CLI command line tool to check for file changes: `wp core verify-checksums`
- Use the Better Search Replace plugin to find and replace any malicious URLs in your database.
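As an added example (not code from the original post), the shell functions below automate two of the manual checks above: listing recently modified PHP files and flagging files that contain the `eval(gzinflate(base64_decode(...)))` style of obfuscation. The sample site tree, the regex and the function names are my own constructions so the script runs offline; point `scan_suspicious_php` at a real document root when triaging.

```shell
#!/usr/bin/env bash
# Added example, not from the original post: triage helpers for the manual checks
# above. Run against a WordPress document root, e.g. scan_suspicious_php /var/www/html

# Functions commonly chained in injected PHP; the post's own example is
# eval(gzinflate(base64_decode(...))). Matches are leads to review, not proof of malware.
SUSPICIOUS_REGEX='eval[[:space:]]*\(|gzinflate[[:space:]]*\(|base64_decode[[:space:]]*\(|str_rot13[[:space:]]*\('

# Print every PHP file under $1 whose contents match SUSPICIOUS_REGEX, one path per line.
scan_suspicious_php() {
  local root="$1"
  find "$root" -type f -name '*.php' -print0 \
    | xargs -0 grep -lE "$SUSPICIOUS_REGEX" 2>/dev/null || true
}

# Print PHP files under $1 modified within the last $2 days (default 7):
# the "recently modified files" check from the list above.
recently_modified_php() {
  local root="$1" days="${2:-7}"
  find "$root" -type f -name '*.php' -mtime "-$days"
}

# Constructed sample tree so the example runs offline: one ordinary theme file and
# one file mimicking the obfuscation pattern (the payload is a harmless placeholder).
make_sample_site() {
  local dir
  dir="$(mktemp -d)"
  mkdir -p "$dir/wp-content/themes/demo" "$dir/wp-content/uploads"
  printf '<?php\nfunction demo_setup() { add_theme_support("title-tag"); }\n' \
    > "$dir/wp-content/themes/demo/functions.php"
  printf '<?php\neval(gzinflate(base64_decode("PLACEHOLDER")));\n' \
    > "$dir/wp-content/uploads/wp-tmp.php"
  printf '%s\n' "$dir"
}

# Demo run on the constructed sample tree.
site="$(make_sample_site)"
echo "Recently modified PHP files:"; recently_modified_php "$site"
echo "Files matching obfuscation patterns:"; scan_suspicious_php "$site"
```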
Restore From a Clean Backup
Restoring your site from a clean backup is often the fastest and safest way to recover after a hack. This process ensures you’re starting from a known good state, eliminating hidden malware or backdoors that may be difficult to detect manually. Always verify your backup is clean before proceeding.
If you have a recent backup that predates the hack, now is the time to restore it.
Recommended Backup Plugins:
- UpdraftPlus – Easy-to-use, supports cloud storage
- BackupBuddy – More advanced but powerful
- VaultPress (by Automattic) – Great for automatic backups
- BlogVault – Offers real-time backups and one-click restore
📁 Always restore backups to a new database to prevent reinfection.
Update Everything
Keeping your WordPress installation, plugins, and themes up to date is essential for security. Hackers often exploit known vulnerabilities in outdated software, so regular updates close these security gaps and help protect your site from future attacks. Don’t skip this step, even if everything seems to be working fine.
Outdated software is one of the biggest causes of WordPress hacks. Make sure to update:
- WordPress core
- All plugins
- Themes (including parent and child themes)
- PHP version (if outdated)
You can do this manually via FTP or through the WordPress dashboard under:
- Dashboard > Updates
🔄 Important: Some plugins may break after updates — test on a staging site first if possible.
Remove Suspicious Users and Roles
Hackers often create fake admin accounts to regain access later. Go to Users > All Users and delete any unfamiliar accounts.
Also, ensure no user has unnecessary administrator privileges.
Secure Your Server and Files
Securing your server and file system is a crucial step in preventing future hacks and ensuring your WordPress site remains protected. Even after cleaning up, vulnerabilities at the server level can leave your site exposed. Your hosting environment plays a big role in security, so take the time to harden it with these steps:
- Set proper file permissions: folders `755`, files `644`
- Disable directory browsing by adding `Options -Indexes` to your `.htaccess` file
- Protect your `wp-config.php` file by moving it outside the web root (if possible)
- Use SSH keys instead of passwords for server access
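As an added example (not from the original post), these shell functions apply the 755/644 scheme above to a WordPress tree, audit what still deviates or is world-writable, and add `Options -Indexes` to `.htaccess` without duplicating it. The sample tree with deliberately loose permissions is constructed inline so the script runs offline; the function names are my own.

```shell
#!/usr/bin/env bash
# Added example, not from the original post: apply and audit the 755/644 permission
# scheme above and make sure directory listing is disabled via .htaccess.

# Reset permissions under $1: directories 755, files 644.
apply_wp_permissions() {
  local root="$1"
  find "$root" -type d -exec chmod 755 {} +
  find "$root" -type f -exec chmod 644 {} +
}

# Print entries under $1 that deviate from the scheme; empty output means compliant.
audit_wp_permissions() {
  local root="$1"
  find "$root" -type d ! -perm 755
  find "$root" -type f ! -perm 644
}

# Count world-writable entries under $1, the riskiest deviation to leave behind.
count_world_writable() {
  find "$1" -perm -002 | wc -l | tr -d ' '
}

# Append "Options -Indexes" to $1/.htaccess unless it is already present (idempotent).
disable_directory_listing() {
  local htaccess="$1/.htaccess"
  grep -qsF 'Options -Indexes' "$htaccess" || printf 'Options -Indexes\n' >> "$htaccess"
}

# Constructed sample tree with deliberately loose permissions so the example runs offline.
make_loose_sample() {
  local dir
  dir="$(mktemp -d)"
  mkdir -p "$dir/wp-content/uploads"
  printf '<?php // constructed placeholder\n' > "$dir/wp-config.php"
  printf 'placeholder\n' > "$dir/wp-content/uploads/img.txt"
  chmod 755 "$dir/wp-content"
  chmod 777 "$dir/wp-content/uploads"
  chmod 666 "$dir/wp-config.php" "$dir/wp-content/uploads/img.txt"
  printf '%s\n' "$dir"
}

# Demo: measure the loose tree, harden it, and measure again.
site="$(make_loose_sample)"
echo "World-writable entries before hardening: $(count_world_writable "$site")"
disable_directory_listing "$site"; apply_wp_permissions "$site"
echo "World-writable entries after hardening: $(count_world_writable "$site")"
```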
Rebuild Your Sitemap and Notify Search Engines
After successfully cleaning and securing your WordPress site, it’s important to address your site’s visibility in search engines. Hackers often inject spammy or malicious URLs that can harm your SEO and reputation. Rebuilding your sitemap and notifying search engines ensures your site is re-crawled and any harmful links are removed.
Rebuild your sitemap using an SEO plugin like Yoast or Rank Math, then submit it to Google Search Console and Bing Webmaster Tools to request re-indexing. This helps remove any malicious URLs from search results.
Real-World Use Cases or Tutorials
Case Study: Recovering a Small Business Blog After a Redirect Hack
Client: Local bakery blog running on shared hosting
Issue: Visitors reported being redirected to a pharmaceutical spam site
Steps Taken:
- Used Wordfence to scan and identify infected files
- Restored from UpdraftPlus backup (pre-hack date)
- Updated all plugins and themes
- Removed rogue admin user created during attack
- Submitted updated sitemap to Google
Result: Within 48 hours, the redirect was gone and the site was removed from Google’s malware list.
Pros and Cons Table
It’s important to understand the pros and cons of each approach. The right solution depends on your technical skills, budget, and the severity of the hack. Here’s a quick comparison to help you choose the best path for restoring your WordPress site.
Method | Pros | Cons |
---|---|---|
Manual Cleanup | Full control, no third-party dependency | Time-consuming, requires technical knowledge |
Security Plugins | Real-time protection, easy to use | May slow down site or conflict with other plugins |
Hosting Provider Help | Often included in premium plans | Limited customization, slower response times |
Professional Recovery Services | Guaranteed results, peace of mind | Can be expensive ($100–$500+) |
Automatic Backups | Fast restoration, minimal data loss | Requires ongoing management |
Warnings or Common Mistakes to Avoid
When recovering a hacked WordPress site, it’s easy to overlook critical steps or make mistakes that can lead to further issues. Here are some common pitfalls to avoid:
- ❌ Restoring from an infected backup
- ❌ Leaving old plugins/themes installed without updates
- ❌ Using the default admin username (`admin`)
- ❌ Ignoring database cleanup (e.g., malicious scripts in `wp_options`)
- ❌ Not checking file permissions post-recovery
Alternatives Comparison for Security Aspects
When it comes to securing your WordPress site, there are numerous plugins and services available. Here’s a quick comparison of some of the best options for various security needs:
Need | Best Plugin/Service | Alternative | Notes |
---|---|---|---|
Malware Scanning | Wordfence | Sucuri Security | Wordfence offers deep scans and firewall; Sucuri is cloud-based and lightweight |
Backups | UpdraftPlus | BlogVault | UpdraftPlus is beginner-friendly; BlogVault offers real-time backups and staging |
Login Security (2FA) | WP 2FA | Google Authenticator | WP 2FA is easy to set up and supports multiple methods |
Firewall Protection | Cloudflare | Sucuri Firewall | Cloudflare is free and scalable; Sucuri adds malware removal |
Database Cleanup | Better Search Replace | WP-Optimize | Better Search Replace handles serialized data; WP-Optimize also cleans up overhead |
User Activity Logging | WP Activity Log | Simple History | WP Activity Log is detailed; Simple History is lightweight |
Vulnerability Monitoring | iThemes Security | All In One WP Security | iThemes offers file change detection and brute force protection |
File Integrity Checking | Wordfence | WP Cerber Security | Both compare core files to originals and alert on changes |
Spam Protection | Akismet Anti-Spam | Antispam Bee | Akismet is widely used; Antispam Bee is privacy-friendly and GDPR compliant |
Admin URL Obfuscation | WPS Hide Login | Hide My WP Ghost | WPS Hide Login is simple and free; Hide My WP Ghost offers more advanced options |
Brute Force Protection | Limit Login Attempts Reloaded | Loginizer | Both limit failed login attempts and block IPs |
Security Auditing | Sucuri Security | WPScan | Sucuri provides logs and alerts; WPScan checks for known vulnerabilities |
SEO and Performance Considerations
A hacked WordPress site can suffer serious SEO consequences:
- Google may blacklist your domain
- Search rankings drop due to poor user experience
- Trust signals like SSL certificates become irrelevant if the site is compromised
After recovery:
- Resubmit your sitemap to Google Search Console
- Monitor for crawl errors
- Ensure all internal links are working properly
- Keep performance optimized with caching and image compression
Tools like GTmetrix and PageSpeed Insights can help track improvements post-recovery.
Conclusion and Summary
Getting hacked is stressful, but it’s not the end of the road. With the right approach, you can recover your WordPress site and even improve its security going forward.
Here’s a quick recap of what to do:
- Confirm the hack
- Put your site in maintenance mode
- Change all passwords
- Scan for malware
- Restore from a clean backup
- Update everything
- Remove suspicious users
- Secure server settings
- Submit updated sitemap
By following this guide, you’ll not only recover your site but also build a stronger foundation to protect against future threats.
Further Reading
- WordPress Security Best Practices
- Using Google Search Console for Recovery
- How to Choose a Secure Hosting Provider
FAQ
Can I fix a hacked WordPress site myself?
Yes, especially if you’re comfortable with basic WordPress functions and file management. However, if the hack is severe or persistent, consider hiring a professional.
How long does it take to recover a hacked WordPress site?
It depends on the severity. Minor hacks can be fixed in under an hour. Complex infections or outdated sites may take several hours to fully clean.
Should I change my hosting provider after a hack?
Not necessarily. Many hacks occur due to user-side issues (like weak passwords), not the host itself. However, if your current host lacks security tools or support, consider switching.
Got questions or want to share your own recovery story? Drop a comment below — I’d love to hear from you!