{"id":26962,"date":"2026-01-07T10:13:00","date_gmt":"2026-01-07T09:13:00","guid":{"rendered":"https:\/\/contabo.com\/blog\/?p=26962"},"modified":"2026-01-08T12:57:15","modified_gmt":"2026-01-08T11:57:15","slug":"wordpress-hacked","status":"publish","type":"post","link":"https:\/\/contabo.com\/blog\/wordpress-hacked\/","title":{"rendered":"WordPress Hacked? Detect, Recover & Prevent"},"content":{"rendered":"\n
\"WordPress<\/figure>\n\n\n\n

Most owners are shocked to find their WordPress hacked. Your site works fine one day. Next, visitors see warnings, traffic drops, or you notice admin accounts that you don’t recognize. The good news is that recovery is easy if you act quickly and know what to do. <\/p>\n\n\n\n

This guide shows you how to spot the warning signs for a hacked WordPress, contain the infection, get rid of malware completely, and make your hacked WordPress site more secure so it doesn’t happen again. Every step can be taken, whether you do the cleaning yourself or hire someone else to do it. Let’s get started. <\/p>\n\n\n\n

Signs Your WordPress Site Has Been Hacked <\/h2><\/div>\n\n\n\n

Catching a hacked WordPress website early makes the difference between a quick cleanup and a complete site rebuild. Most attacks don’t announce themselves with a defaced homepage. Instead, they operate quietly in the background, siphoning traffic or using your server to attack other sites. <\/p>\n\n\n\n

Unexpected Redirects and Pop-ups <\/h3><\/div>\n\n\n\n

You go to your homepage and end up on a completely different site, which usually sells fake goods or worse. Sometimes the redirect only works for people who aren’t logged in, so you won’t see it when you’re logged into your admin panel. From a different device, open your site in an incognito window. If it takes you to strange URLs, especially pharmaceutical spam or adult sites, that’s a clear sign that your WordPress site has been hacked.  <\/p>\n\n\n\n

Pop-ups that show up out of nowhere, especially ones you didn’t ask for, are a sign of the same problem. Attackers put JavaScript into your site to show these ads and make money off of your visitors. <\/p>\n\n\n\n

Warnings from Google Safe Browsing  <\/h3><\/div>\n\n\n\n

When Google flags your site, search results will say things like “This site may be hacked” or “This site may harm your computer.” Chrome and other browsers might even block visitors completely with a full-page warning. Check Google Search Console. If you see security issue alerts there, it means Google has found malware or something else that looks suspicious.  <\/p>\n\n\n\n

When this happens, your search traffic goes away overnight. It takes time to be taken off of blacklists even after cleaning up. The sooner you act, the less damage your SEO will suffer. <\/p>\n\n\n\n

Suspicious Admin Users <\/h3><\/div>\n\n\n\n

To see all of your users, log into your WordPress dashboard and go to All Users. Check for accounts you didn’t make or know about, especially ones that have Administrator rights. Hackers make backdoor admin accounts on a WordPress site so they can get back in even after you change your passwords. A lot of the time, these fake accounts have generic usernames like “admin2,” “support,” or strings of random characters. Delete any accounts that aren’t yours right away, but remember that this is just one sign of malware; you need to get rid of the real malware too. <\/p>\n\n\n\n

Modified Website Content <\/h3><\/div>\n\n\n\n

If your pages and posts change, it’s a good sign that your WordPress site has been hacked. Attackers could put hidden links in your content that send visitors to dangerous pages, or they could rewrite whole pages to damage your site or send a message. Unlike sudden redirects, content changes often go unnoticed at first because they look like real posts.  <\/p>\n\n\n\n

Look over your most recent posts and pages for any text, links, or formatting that you didn’t add. Look closely at the bottom of old posts, where attackers often put in hidden affiliate links or bad redirects. If you think someone has messed with your hacked WordPress site, check your post revision history (click the post, then scroll down to “Revisions”) to see what changed and when. If you see any changes that you don’t remember making, it’s a sign that someone else has been changing your content. <\/p>\n\n\n\n

Immediate Containment Checklist <\/h2><\/div>\n\n\n\n

When you find out that your site is really hacked, time is of the essence for the WordPress hack recovery. These first steps help keep the damage to a minimum while you get ready for a full WordPress hack cleanup. <\/p>\n\n\n\n

Enable Maintenance Mode Immediately <\/h3><\/div>\n\n\n\n

To stop the public from getting in, turn on maintenance mode. This keeps malware from spreading to visitors and stops more damage to your SEO. You can use a plugin like WP Maintenance Mode or ask your hosting company to send traffic to a different site while you fix the hacked WordPress site. <\/p>\n\n\n\n

Change All Of Your Passwords <\/h3><\/div>\n\n\n\n

Change passwords for these accounts immediately: <\/p>\n\n\n\n

    \n
  1. WordPress admin accounts (all of them) <\/li>\n<\/ol>\n\n\n\n
      \n
    1. Hosting control panel (cPanel, Plesk, etc.) <\/li>\n<\/ol>\n\n\n\n
        \n
      1. FTP\/SFTP accounts <\/li>\n<\/ol>\n\n\n\n
          \n
        1. Database user <\/li>\n<\/ol>\n\n\n\n
            \n
          1. Email accounts tied to your domain <\/li>\n<\/ol>\n\n\n\n

            Use a password manager like 1Password or Bitwarden to make strong, one-of-a-kind passwords that are at least 16 characters long and have a mix of letters, numbers, and symbols. Attackers can often get in by using weak passwords, and once they have your credentials, they’ll try them everywhere. <\/p>\n\n\n\n

            Remove Unauthorized Admin Users <\/h3><\/div>\n\n\n\n

            To see all of your users, log into your WordPress dashboard and click on Users. Look for accounts that you didn’t make, especially ones that have Administrator rights. If you see any accounts that look suspicious, hover over them and delete them right away. This stops attackers from keeping their backdoor access while you fix your hacked WordPress site. <\/p>\n\n\n\n

            Deactivate All Plugins and Themes <\/h3><\/div>\n\n\n\n

            Go to Plugins and turn off all of the plugins. Next, go to Appearance > Themes and choose a default WordPress theme, such as Twenty Twenty-Four. This keeps possible weaknesses separate while you look into which extensions might be at risk. To find out where the infection came from, turn them back on one at a time during the WordPress hack cleanup. <\/p>\n\n\n\n

            Document Everything Before You Start <\/h3><\/div>\n\n\n\n

            Take screenshots of any errors, defacements, or strange activity. Write down when you first saw the problem. If you have a security plugin, look at the activity logs for your WordPress admin. This documentation shows you the entry point and helps you figure out how the WordPress hack recovery process should go. It also keeps you from getting infected again.  <\/p>\n\n\n\n

            Even though your site files are infected, you can still use your FTP client to download a full backup of them. Use the Export function in phpMyAdmin to download your database. Put these hacked copies in a different place. They might help you understand the attack, but you should never restore from them. <\/p>\n\n\n\n

            Why WordPress Sites Get Hacked (Common Attack Types) <\/h2><\/div>\n\n\n\n

            Knowing what kinds of attacks are common can help you stop WordPress hacks from happening again. Most hacks aren’t very complicated; they’re just automated bots looking for known holes in millions of sites. <\/p>\n\n\n\n

            Brute Force Login Attacks <\/h3><\/div>\n\n\n\n

            WordPress hacker bots try thousands of different username\/password pairs against wp-login.php until they get the right one. They go after common usernames like “admin” and use lists of leaked passwords from other breaches. People reuse passwords and stick with defaults, which makes these attacks work. <\/p>\n\n\n\n

            Outdated Plugins and Themes <\/h3><\/div>\n\n\n\n

            A lot of WordPress security holes are in plugins, not in WordPress itself. When developers find a security hole, they release an update. But that same announcement tells WordPress hackers exactly what to look for on sites that haven’t updated yet.  <\/p>\n\n\n\n

            The worst offenders are plugins that have been left behind. It’s likely that a plugin has a lot of unpatched security holes if it hasn’t been updated in more than two years. People who cracked nulled (pirated) premium plugins often put in backdoors on purpose. <\/p>\n\n\n\n

            Weaknesses in SQL Injection <\/h3><\/div>\n\n\n\n

            Poorly coded plugins don’t sanitize database queries properly. Attackers inject malicious SQL commands through form fields, URL parameters, or search boxes. If successful, they can extract your entire database, create new admin users, or modify your site’s content. <\/p>\n\n\n\n

            Modern WordPress uses prepared statements to prevent this, but third-party plugins might not follow best practices. This is why code quality matters when choosing extensions <\/p>\n\n\n\n

            Cross-Site Scripting (XSS) <\/h3><\/div>\n\n\n\n

            XSS attacks use comment forms, user profiles, or any field that shows user input without proper filtering to add JavaScript to your site. This bad code then runs in the browsers of people who visit the site, which could steal session cookies or send them to phishing sites.  <\/p>\n\n\n\n

            Stored XSS is especially dangerous because the bad script is saved in your database and affects everyone who sees that content. Wordfence’s WordPress Annual Security Report<\/a> says that XSS was the most common type of vulnerability in 2024, making up about half of all WordPress vulnerabilities that were made public. <\/p>\n\n\n\n

            File Upload Exploits <\/h3><\/div>\n\n\n\n

            Attackers can upload PHP backdoors that look like images when upload forms don’t check file types correctly. A file with the name “photo.jpg.php” might get past basic checks. After the attacker uploads the file to a public directory, they ask for it directly, and it runs on your server, giving them full control. <\/p>\n\n\n\n

            Step-by-Step: How to Clean a Hacked WordPress Site <\/h2><\/div>\n\n\n\n

            Manual cleanup requires technical confidence, but it’s the most thorough approach. Follow these steps in order on how to clean a hacked WordPress site and you\u2019ll be right as rain in no time. <\/p>\n\n\n\n

            Scan and Identify WordPress Malware <\/h3><\/div>\n\n\n\n

            Before removing anything, identify all infected files. Install a security plugin like Wordfence Security (free version works) if your dashboard is still accessible. Run a full scan and review the results carefully. Wordfence compares your files against clean versions from the WordPress repository and flags anything that doesn’t match. <\/p>\n\n\n\n

            A WordPress virus often hides in places initial scans miss. Download Sucuri’s free SiteCheck scanner or VirusTotal to get a second opinion. Look for base64-encoded strings, eval() functions, and suspiciously named files in core directories. When you find a clean WordPress malware scan result, you’re ready to move to removal. <\/p>\n\n\n\n

            Remove Malicious Users, Backdoors, and Files <\/h3><\/div>\n\n\n\n

            To remove malware from WordPress, first connect via SFTP (FileZilla or similar). Go to wp-content\/uploads\/ and search for .php files. In a typical WordPress setup, uploads should not contain executable PHP, so treat any .php files there as suspicious if you want to remove WordPress malware. If you want to be safe, download a copy for review, then delete them.<\/p>\n\n\n\n

            Next, replace WordPress core files: <\/p>\n\n\n\n