WordPress website hacked? Here's what to do

Last updated: 31 December 2025

Your WordPress site is behaving strangely. There are posts you didn't write, you see unknown users, or you're being redirected to weird websites. Your site is probably hacked.

This is no reason to panic. Thousands of WordPress sites are hacked daily, but with the right steps you can get your site clean and secure again.

In this guide you'll learn how to recognize a hack, how to clean your site and how to prevent future hacks.

Signs your WordPress site is hacked

These are the most common signs of a hacked WordPress site:

Unknown users in your WordPress admin - You see admin accounts you didn't create. Hackers often create new admin accounts for future access.

Strange posts or pages - There are posts with spam links, often in Russian, Chinese or with casino/medicine ads.

Redirects to other websites - Your site automatically redirects visitors to spam sites, often only visitors arriving via Google search, so you may not see it when you visit your site directly.

Google warning - Google shows a red warning "This site may be hacked" or "Deceptive site ahead" in search results.

Site is slow or crashes - Malware uses your server resources to send spam or perform DDoS attacks.

Unknown files via FTP - You see new files you didn't upload, often with names like "wp-config-backup.php" or random characters.

Hosting account suspended - Your hosting provider has taken your site offline due to malware or spam activity.

Changed admin passwords - You can't log in anymore because your password has been changed.

Do you recognize one or more of these signals? Then your site is probably compromised.

Step 1: Stay calm and isolate the damage

Before you do anything, take these steps:

Do NOT take your site offline - Leave your site online unless it's actively harmful (spreading malware or stealing credit card data). You need the live site to analyze what happened.

Don't notify anyone yet - Only inform visitors and customers about the hack once you know what happened. Panic doesn't help anyone.

Change passwords on a SAFE device - If your WordPress password is compromised, change it from a computer that is definitely clean (not the one you always log in on).

Check other sites - If you have multiple sites on the same hosting, check them all. Hacks often spread.

Step 2: Make a backup (yes, even of the hacked version)

This sounds strange, but make a backup of your hacked site:

  1. Download all files via FTP
  2. Export your database via phpMyAdmin
  3. Save this in a separate folder on your computer

Why? Because you might do something wrong during cleaning. With a backup you can go back. And you can analyze the files later to see how the hack happened.

Do you have an old, clean backup from before the hack? Keep it safe. That's your safety net.

Step 3: Scan your site for malware

There are several tools to find malware:

Wordfence Security (plugin):

  1. Install Wordfence Security
  2. Go to Wordfence > Scan
  3. Start a complete scan
  4. Wordfence shows all infected files

Sucuri SiteCheck (online):

  1. Go to Sucuri SiteCheck
  2. Enter your website URL
  3. View the results

MalCare (plugin):

  1. Install MalCare
  2. The plugin scans automatically upon activation

These tools find most malware, but not everything. Manual checking is also necessary.

Step 4: Remove malware and backdoors

Now you know where the malware is. Here's how to remove it:

Infected core files:

  1. Download a clean WordPress version
  2. Extract the ZIP file
  3. Remove wp-content and wp-config.php from the extracted files
  4. Upload the rest via FTP (overwrite the hacked files)

This replaces all WordPress core files with clean versions.

Plugins:

  1. Remove all plugins you don't use
  2. For plugins you keep: delete them and reinstall from WordPress.org
  3. Check plugin folders via FTP for leftover files

Themes:

  1. Remove all themes except your active theme and one default theme
  2. Download your active theme again from the developer
  3. Replace the theme files via FTP

Uploads folder:

Malware often hides in /wp-content/uploads/. Check this folder via FTP for:

  • .php files (normally only media such as images belongs here)
  • Suspicious file names
  • Recently added files you don't recognize

Remove anything suspicious.

Root folder:

Check the root of your site for unknown files:

  • wp-config-backup.php
  • wp-includes.php
  • connection.php
  • Random names like "d7x4k.php"

Remove these files.
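The root and uploads checks described above as a script, added here as an example and not code from the guide: it flags files in the site root that are not part of a standard WordPress install, any PHP-style file under wp-content/uploads, and media files that carry PHP decoder calls. The sample tree it builds is constructed for the demonstration and uses the file names the guide mentions.

```python
import os
import re
import tempfile
from pathlib import Path

# Files that belong in the root of a standard WordPress install (allowlist).
WP_ROOT_FILES = {
    "index.php", "license.txt", "readme.html", "wp-activate.php", "wp-blog-header.php",
    "wp-comments-post.php", "wp-config.php", "wp-config-sample.php", "wp-cron.php",
    "wp-links-opml.php", "wp-load.php", "wp-login.php", "wp-mail.php", "wp-settings.php",
    "wp-signup.php", "wp-trackback.php", "xmlrpc.php", ".htaccess",
}
PHP_EXTENSIONS = (".php", ".phtml", ".php5", ".php7", ".phar")  # servers run these as PHP
SUSPICIOUS_CODE = re.compile(rb"(base64_decode|eval|gzinflate|str_rot13)\s*\(")  # not in real media

def audit_wordpress(root):
    """Return sorted (relative path, reason) findings for the site root and uploads."""
    findings = []
    for name in os.listdir(root):
        if os.path.isfile(os.path.join(root, name)) and name not in WP_ROOT_FILES:
            findings.append((name, "unexpected file in site root"))
    uploads = os.path.join(root, "wp-content", "uploads")
    for dirpath, _dirs, files in os.walk(uploads):
        for name in files:
            path = os.path.join(dirpath, name)
            rel = os.path.relpath(path, root).replace(os.sep, "/")
            if name.lower().endswith(PHP_EXTENSIONS):
                findings.append((rel, "executable script inside uploads"))
                continue
            with open(path, "rb") as fh:  # the first 64 KB is enough to catch a planted stub
                if SUSPICIOUS_CODE.search(fh.read(65536)):
                    findings.append((rel, "obfuscated code inside media file"))
    return sorted(findings)

def build_demo_site():
    """Constructed sample tree: clean core files plus the leftovers Step 4 describes."""
    root = Path(tempfile.mkdtemp(prefix="wp-demo-"))
    media = root / "wp-content" / "uploads" / "2025" / "12"
    media.mkdir(parents=True)
    for name in ("index.php", "wp-config.php", "wp-login.php", ".htaccess"):
        (root / name).touch()
    # A fake core file and a generic dropper name, as listed in the guide.
    (root / "wp-includes.php").write_bytes(b"<?php // planted")
    (root / "connection.php").write_bytes(b"<?php // planted")
    (media / "photo.jpg").write_bytes(b"\xff\xd8\xff\xe0 JPEG bytes")
    (media / "d7x4k.php").write_bytes(b"<?php // planted")
    # Named like an image but carrying a decoder stub (constructed and inert).
    (media / "logo.png").write_bytes(b"\x89PNG <?php eval(base64_decode('...'));")
    return str(root)
```

Run `audit_wordpress` against a local copy of the FTP download from Step 2 rather than the live server, and review each finding before deleting anything.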

Step 5: Clean your database

Malware often injects code into your database:

Check wp_users table:

  1. Log in to phpMyAdmin
  2. Open your WordPress database
  3. Go to the wp_users table
  4. Remove unknown admin accounts

Check wp_options table:

Search in wp_options for strange values, especially in:

  • siteurl
  • home
  • admin_email
  • active_plugins

Hackers sometimes change these to maintain access.

Search-Replace for malware:

Malware can inject JavaScript into all your posts. Use Better Search Replace plugin:

  1. Install the plugin
  2. Search for suspicious code (like base64_decode, eval, etc.)
  3. Replace with nothing (empty field)

Note: search-replace is a blunt tool and can also hit legitimate content that happens to match. Test first on one post.
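The three database checks in this step as queries, added here as an example and not part of the original guide. It runs against a constructed miniature of the wp_users, wp_usermeta, wp_options and wp_posts tables in Python's sqlite3; the same queries apply to MySQL via phpMyAdmin. Note that the administrator role is stored in wp_usermeta (meta_key wp_capabilities), not in wp_users, so that is where the role check has to look; KNOWN_GOOD holds placeholder values standing in for those you recorded for your own site.

```python
import sqlite3

def list_admins(conn, prefix="wp_"):
    """Accounts holding the administrator role. WordPress keeps roles in {prefix}usermeta
    under meta_key '{prefix}capabilities' (serialized PHP), not in the users table."""
    rows = conn.execute(
        f"SELECT u.ID, u.user_login, u.user_email, u.user_registered "
        f"FROM {prefix}users u JOIN {prefix}usermeta m ON m.user_id = u.ID "
        f"WHERE m.meta_key = ? AND m.meta_value LIKE ? ORDER BY u.ID",
        (f"{prefix}capabilities", '%"administrator"%'))
    return [dict(zip(("id", "login", "email", "registered"), r)) for r in rows]

def check_options(conn, expected, prefix="wp_"):
    """Return {option: (expected, actual)} for every known-good value that differs."""
    marks = ", ".join("?" * len(expected))
    actual = dict(conn.execute(
        f"SELECT option_name, option_value FROM {prefix}options "
        f"WHERE option_name IN ({marks})", tuple(expected)))
    return {k: (v, actual.get(k)) for k, v in expected.items() if actual.get(k) != v}

def find_injected_posts(conn, prefix="wp_"):
    """IDs of published posts carrying script tags or PHP decoder calls."""
    return [r[0] for r in conn.execute(
        f"SELECT ID FROM {prefix}posts WHERE post_status = 'publish' AND "
        f"(post_content LIKE ? OR post_content LIKE ? OR post_content LIKE ?) ORDER BY ID",
        ("%<script%", "%base64_decode(%", "%eval(%"))]

def build_demo_db():
    """Constructed sample: owner, editor, one planted admin, swapped admin_email, one injected post."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
    CREATE TABLE wp_users (ID INTEGER, user_login TEXT, user_email TEXT, user_registered TEXT);
    CREATE TABLE wp_usermeta (user_id INTEGER, meta_key TEXT, meta_value TEXT);
    CREATE TABLE wp_options (option_name TEXT, option_value TEXT);
    CREATE TABLE wp_posts (ID INTEGER, post_status TEXT, post_content TEXT);
    INSERT INTO wp_users VALUES (1,'owner','owner@example.com','2021-03-04 10:00:00'),
      (2,'editor','editor@example.com','2022-05-06 09:00:00'), (7,'wp_admin_sys','x@mail.example','2025-12-30 03:12:44');
    INSERT INTO wp_usermeta VALUES (1,'wp_capabilities','a:1:{s:13:"administrator";b:1;}'),
      (2,'wp_capabilities','a:1:{s:6:"editor";b:1;}'), (7,'wp_capabilities','a:1:{s:13:"administrator";b:1;}');
    INSERT INTO wp_options VALUES ('siteurl','https://example.com'), ('home','https://example.com'),
      ('admin_email','x@mail.example'), ('active_plugins','a:1:{i:0;s:19:"akismet/akismet.php";}');
    INSERT INTO wp_posts VALUES (10,'publish','<p>Welcome to the shop.</p>'),
      (11,'publish','<p>News</p><script src="https://spam.example/x.js"></script>'), (12,'draft','<script>unpublished</script>');
    """)
    return conn

# Placeholder known-good values; replace with those recorded for your own site.
KNOWN_GOOD = {"siteurl": "https://example.com", "home": "https://example.com",
              "admin_email": "owner@example.com", "active_plugins": 'a:1:{i:0;s:19:"akismet/akismet.php";}'}
```

The registration date returned by `list_admins` is the quickest way to spot an account created around the time the hack started.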

Step 6: Remove all unknown users

Hackers often create new admin accounts:

  1. Go to Users in your WordPress admin
  2. Sort by "Role" to see all Administrators
  3. Remove all accounts you don't recognize
  4. Also check the Subscriber accounts (hackers sometimes use low-level accounts as a backdoor)

Then change the password of ALL remaining users, including yourself.

Step 7: Update everything

Old software contains security vulnerabilities. Update immediately:

  • WordPress core to the latest version
  • All plugins to the latest version
  • Your theme to the latest version
  • PHP version of your hosting (minimum 8.0)

Check in your hosting control panel which PHP version you're running. Upgrade to PHP 8.1 or 8.2 for better security.

Step 8: Strengthen your security

Now that your site is clean, prevent future hacks:

Install a security plugin:

Choose one of these plugins:

  • Wordfence Security - free firewall and malware scanner
  • iThemes Security - extensive security features
  • Sucuri Security - hardening and monitoring

Force strong passwords:

Install Force Strong Passwords. This plugin forces all users to use strong passwords.

Enable two-factor authentication:

Use Two Factor Authentication plugin. With this, a password alone is not enough to log in.

Limit login attempts:

Install Limit Login Attempts Reloaded. This blocks IP addresses after too many failed login attempts.

Hide wp-admin:

Change the login URL from /wp-admin to something unique with WPS Hide Login.

SSL certificate:

Force HTTPS on your entire site. Most hosting providers offer free SSL certificates via Let's Encrypt.

Step 9: Monitor your site

Keep monitoring your site:

Uptime monitoring:

Use a service like:

  • UptimeRobot (free)
  • Pingdom (paid)
  • StatusCake (free tier)

You'll get an immediate notification if your site goes offline.

Google Search Console:

Register your site with Google Search Console. Google warns you if it detects malware or spam.

Wordfence alerts:

If you use Wordfence, turn on email alerts for:

  • Login from new locations
  • Core file changes
  • Plugin/theme changes

Regular scans:

Scan your site weekly for malware. Create a recurring task in your calendar.

Step 10: Contact Google

If Google shows a warning for your site:

  1. Log in to Google Search Console
  2. Go to Security Issues
  3. Resolve all reported problems
  4. Click "Request Review"
  5. Google checks your site again (this can take 3-5 days)

After approval the warning disappears from search results.

Prevention: how to prevent hacks?

These are the most important prevention measures:

Make daily backups - Use a backup plugin that automatically makes daily backups and stores them offsite. In case of a hack you can quickly roll back.

Update within 24 hours - Install updates immediately. Hackers actively scan for sites with known security vulnerabilities.

Use strong passwords - At least 16 characters, with numbers, letters and symbols. Use a password manager like Bitwarden or 1Password.

Remove unused plugins and themes - Every plugin is a potential security vulnerability. Only keep what you really use.

Check plugin/theme reviews - Before installing a plugin, check:

  • Last update (not older than 6 months)
  • Number of active installations (popular plugins are safer)
  • Reviews and ratings
  • Support forum (does the developer fix bugs?)

Choose secure hosting - Cheap hosting often has poor security. Managed WordPress hosting offers better protection.

Use a firewall - A Web Application Firewall (WAF) blocks malicious traffic. Cloudflare offers a free WAF for all sites.

Scan weekly - Use Wordfence or MalCare to automatically scan weekly.

Limit user access - Only give people admin rights who really need it. Use Editor or Author rights for content managers.

Common hack methods

This is how hackers often get in (so you can prevent it):

Brute force attacks - They try thousands of passwords until one works. Solution: strong passwords + login limit.

SQL injection - They send crafted input through vulnerable forms to run their own queries against your database. Solution: update plugins, use a security plugin.

XSS attacks - They inject JavaScript in comments or forms. Solution: security plugin with XSS protection.

Old plugins - They use known bugs in old plugin versions. Solution: update everything within 24 hours.

Nulled themes - Downloading free "premium" themes from sketchy sites. These often contain malware. Solution: buy themes from reliable sources.

FTP credentials - They steal your FTP password via phishing. Solution: use SFTP instead of FTP, use strong passwords.

Need help?

If you can't figure it out, these are your options:

Sucuri Website Cleanup - Paid service that professionally cleans your site. Costs about $200-300 per time.

Wordfence Premium - Includes website cleanup service as part of subscription ($119/year).

Your hosting provider - Some WordPress hosts offer free malware removal. Check your hosting package.

WordPress developer - Hire a specialist for complex hacks. Costs $50-150 per hour.

Restore via backup - If you have a recent clean backup, that's often the fastest solution. Restore the backup and then update everything.

A hacked WordPress site is annoying, but not a disaster. With systematic work you can get your site clean again. And with good security you prevent future hacks.

Frequently Asked Questions

Is WordPress free?

WordPress itself is free open-source software. You only pay for hosting, a domain name, and any premium themes or plugins you want to use.

How difficult is WordPress to learn?

WordPress is relatively easy to learn. You can master the basic functions within a few hours. Advanced customizations require more time.

Can I move WordPress to a different host later?

Yes, WordPress websites can be moved to a different hosting provider. Most providers offer free assistance for this.
