Objective;
This blog helps WordPress website owners quickly detect a hack, clean it safely, remove hidden backdoors, and rebuild stronger security to prevent repeat attacks.
A hacked WordPress website can affect your business, your visitors, and your online reputation. It may cause your website to show unwanted content, redirect users to unknown pages, or even stop working completely. If the problem is not fixed quickly, you could lose customer trust, search engine rankings, and valuable website data. Knowing how to fix a hacked WordPress website is important for getting your site back to normal and preventing future attacks.
Fact: According to Wordfence, over 81% of hacked WordPress websites trace back to weak or stolen passwords, not sophisticated exploits.
The first step is to stay calm and identify the signs of the hack. You should scan your website for malware, change all passwords, remove harmful files, and update WordPress, themes, and plugins. Taking the right steps in the correct order helps restore your website safely and reduces the risk of further damage.
This blog explains how to fix a hacked WordPress website using simple and practical steps. It also shares useful tips to improve your website’s security, protect your data, and reduce the chances of your WordPress site being hacked again in the future.
Hire WordPress developers from Mandy Web Design starting at $10/Hour
Key Takeaways
- Hidden hacks often show no visible damage while quietly harming rankings and traffic.
- Backdoors, not surface malware, cause most WordPress sites to get hacked repeatedly.
- Password resets and host verification matter before you touch a single file.
- Post-cleanup hardening prevents reinfection far better than any one-time malware scan.
- Professional recovery costs far less than the revenue lost during a prolonged hack.
Table of Contents
- How to Know if Your WordPress Website Has Been Hacked
- What to Do Before Fixing a Hacked WordPress Website
- Step-by-Step Guide to Fix a Hacked WordPress Website
- How to Secure Your WordPress Website After Cleaning It
- When You Should Get Professional WordPress Security Help
- How Mandy Web Design Can Help Build and Secure Your WordPress Website
- Frequently Asked Questions
How to Know if Your WordPress Website Has Been Hacked
Most hacks don’t announce themselves with a giant “You’ve been hacked” banner. They’re quiet, and that’s what makes them dangerous. A website can look completely normal on the surface while it’s already redirecting visitors, serving spam, or running malicious code behind the scenes. Regularly monitoring your website health can help you spot unusual activity before it becomes a serious problem. Recognizing these early warning signs is the difference between a quick cleanup and months of damage control.
Common Signs of a Hacked WordPress Site
- Unexpected redirects — visitors land on your homepage but get bounced to unfamiliar or spammy websites
- Strange content appearing — pharmaceutical ads, gambling links, or foreign-language text showing up in posts, pages, or even your site’s title tag
- New admin accounts you didn’t create — a classic sign that someone else has access to your dashboard
- Google flags your site — a “This site may be hacked” or “Deceptive site ahead” warning in search results or Chrome
- Sudden drop in traffic or rankings — Google quietly de-indexes or penalizes compromised sites, and your organic traffic can fall off a cliff within days
- Slow loading or server errors — malware often runs background scripts that eat up server resources
- Unfamiliar files or plugins — files with random names in your wp-content folder, or plugins you never installed
- Emails from your host — many hosting providers proactively flag or suspend accounts once they detect malicious activity
How to Confirm a Hack
Don’t rely on guesswork. Use a combination of these checks:
- Google Search Console — check the Security Issues panel for manual actions or malware warnings
- A malware scanner — Sucuri SiteCheck, Wordfence, or MalCare will scan your live site and files
- Server logs — unusual login attempts, spikes in traffic to admin-ajax.php, or repeated failed logins from unknown IPs
- File comparison — compare your current core files against a fresh WordPress download to spot unauthorized changes
If two or more of these point to something suspicious, treat it as confirmed and move to containment immediately.
What to Do Before Fixing a Hacked WordPress Website
Jumping straight into deleting files can actually make things worse. A rushed cleanup often misses backdoors, which means the hacker walks right back in a few weeks later. Before you touch anything, take these preparation steps.
1. Take the Site Offline (Temporarily)
Put your site into maintenance mode or restrict access so the malware can’t keep infecting new visitors or spreading to other files while you work.
2. Back Up Everything, Even the Infected Version
It sounds counterintuitive, but you need a snapshot of the hacked state. If your cleanup goes wrong or you need to compare before-and-after, this backup is your safety net.
3. Contact Your Hosting Provider
Most hosts, especially managed WordPress hosts, can tell you exactly when the infection started, which files were flagged, and whether other accounts on the same server were affected. This step alone can save hours of manual investigation.
4. Change Every Password Immediately
- WordPress admin accounts
- Database credentials
- FTP/SFTP access
- Hosting cPanel or control panel login
- Any connected email accounts used for password resets
5. Document What You Find
Screenshot warnings, note timestamps, and record which pages were affected. This documentation matters if you need to file a report with your host, and it’s useful evidence when you review web development cost decisions around future security investment.
Common Mistakes to Avoid
- Deleting files randomly without checking what they do first
- Restoring from a backup that’s already infected
- Assuming a single plugin update fixes everything
- Skipping the password reset because “nothing looks suspicious yet”
Step-by-Step Guide to Fix a Hacked WordPress Website
This is where the actual cleanup happens. Follow these steps in order — skipping ahead is one of the most common reasons hacked sites get reinfected.
Step 1: Scan Your Entire Website for Malware
Run a full scan using a dedicated security tool rather than relying on visual inspection alone. Modern malware is increasingly injected directly into legitimate WordPress core, plugin, and theme files instead of being dropped as standalone files, according to 2026 research from Patchstack and Monarx — which means a simple “scan and delete” approach can miss infections hiding inside files that look completely normal.
Step 2: Identify and Remove Malicious Files
Once the scan flags suspicious files:
- Compare flagged core files against a clean WordPress download
- Check theme and plugin folders for files that shouldn’t exist
- Look inside wp-config.php, .htaccess, and functions.php for injected code — these are the three most commonly targeted files
- Remove anything confirmed malicious, but keep a backup copy in case you need to reference it later
Step 3: Remove Unauthorized Admin Users
Go to Users → All Users and delete any account you don’t recognize. Hackers frequently create a hidden admin account as a backdoor, so even after cleanup, they can log back in without needing to re-exploit anything.
Step 4: Reset All Passwords and Secret Keys
Update your WordPress secret keys (found in wp-config.php) using the official WordPress secret key generator, and reset every password again — this invalidates old login sessions and cookies that a hacker might still be using.
Step 5: Update WordPress Core, Themes, and Plugins
Outdated plugins remain the single largest attack vector in WordPress. Industry research attributes over half of WordPress breaches to vulnerable plugins, since the platform’s ecosystem includes tens of thousands of them, many built without formal security review. Update everything to the latest version, and remove any plugin or theme you no longer actively use.
Step 6: Check for Backdoors
This is the step most DIY cleanups miss. Backdoors are hidden scripts that let hackers regain access even after you’ve “cleaned” the site. Look for:
- Suspicious eval(), base64_decode(), or gzinflate() functions in files
- Unfamiliar .php files in uploads folders (uploads should never contain executable PHP)
- Scheduled tasks (cron jobs) you didn’t create
Backdoor detection is genuinely the hardest part of a hacked-site cleanup, and it’s the reason so many site owners eventually bring in outside help rather than risk missing something.
Step 7: Reinstall a Clean WordPress Core
For extra peace of mind, delete and reinstall WordPress core files directly from wordpress.org, keeping your wp-content folder and wp-config.php intact (after they’ve been individually reviewed).
Step 8: Ask Google to Review Your Site
If your site was flagged with a security warning, request a review through Google Search Console once you’ve confirmed the cleanup is complete. This typically takes a few days to a couple of weeks depending on Google’s review queue.
How to Secure Your WordPress Website After Cleaning It
Cleaning up a hack is only half the job. Without hardening your site afterward, you’re simply leaving the door open for another attack. Security should be an essential part of the website development process, not something that’s only addressed after a problem occurs. A 2026 industry review estimated that roughly 90% of WordPress attacks are preventable through basic security practices. Most breaches don’t result from highly sophisticated attackers—they happen because of outdated software, weak passwords, poor access controls, and missing security updates.
Enforce Strong Login Security
- Require strong, unique passwords across every account
- Enable two-factor authentication (2FA) for all admin users
- Limit login attempts to block brute-force attacks
- Move away from the default /wp-login.php path where possible, since automated attacks overwhelmingly target that exact URL
Keep Everything Updated
Set WordPress core, themes, and plugins to auto-update whenever possible, and remove anything inactive. An unused plugin is still a potential entry point even if you’re not actively using it.
Install a Web Application Firewall (WAF)
A firewall filters malicious traffic before it ever reaches your site. This is one of the most effective ways to protect your website from malware, since it blocks known attack patterns, bad bots, and suspicious requests in real time rather than reacting after damage is done.
Set Up File Integrity Monitoring
Tools that alert you the moment a core file changes unexpectedly give you a massive head start — the difference between catching a compromise on day one versus discovering it three months later when Google sends a manual action notice.
Schedule Regular Backups
Automated daily backups stored off-server mean that even in a worst-case scenario, you can restore a clean version of your site within minutes rather than hours.
Review User Roles and Permissions
Not every team member needs administrator access. Assign the lowest level of permission necessary for each role, and audit user accounts periodically to remove anyone who no longer needs access.
Expert Insight
Working with businesses recovering from WordPress hacks, one pattern shows up again and again: the sites that get hacked a second time almost always skipped the hardening step and went straight back to “business as usual” after cleanup. Security isn’t a one-time fix — it’s an ongoing habit, similar to how website maintenance services work best as a continuous process rather than a once-a-year checkup.
Monitor Core Web Vitals and Site Health Alongside Security
Security and performance are more connected than most site owners realize. A compromised site often shows sudden spikes in server load, broken scripts, or failing core web vitals scores, since malicious code competes for the same server resources your legitimate pages need. Keeping an eye on performance metrics is a useful early-warning system, and improving website performance optimization as part of your recovery plan helps rebuild the trust signals Google uses to re-evaluate your site after a security incident.
When You Should Get Professional WordPress Security Help
DIY cleanup works for straightforward cases — a single injected script, one flagged plugin, a quick password reset. But there are situations where bringing in professional help isn’t optional caution, it’s the only realistic path to a full recovery.
Signs You Need Expert Help
- The hack keeps coming back after multiple cleanup attempts
- You can’t identify how the attacker got in
- Your site handles customer data, payments, or sensitive information
- Google has issued a manual action and your review request was rejected
- You’ve found evidence of a backdoor but aren’t confident you’ve removed all of them
- Your business depends on the site staying online and losing more time isn’t an option
The Real Cost of Getting It Wrong
Industry estimates put the average recovery cost for a small business dealing with a hacked website at around $14,500 once you account for lost revenue, reputation damage, and technical cleanup — compared to a fraction of that for proactive, ongoing protection. That gap is exactly why more business owners are shifting from reactive fixes to planned, professional WordPress development services that build security into the site from the start rather than bolting it on after an incident.
What to Look For When Hiring Help
If you’re at the point where you need outside support, take the time to choose the right website developer rather than the first name that comes up in a search. Ask about their experience specifically with hacked-site recovery, not just general WordPress builds. A developer who understands custom WordPress development can also rebuild vulnerable or outdated sections of your site properly instead of patching over them, and increasingly, teams are using AI web development tools to speed up malware pattern detection and file comparison during recovery, cutting down investigation time significantly.
How Mandy Web Design Can Help Build and Secure Your WordPress Website
A hacked website usually points to a bigger problem weak security from the start. That’s where Mandy Web Design comes in. We are a web development agency that builds, maintains, and protects WordPress websites so business owners don’t have to worry about attacks, downtime, or lost data.
Every website we build starts with clean code, updated themes and plugins, and strong security settings from day one. If your current site got hacked because of an old theme, weak plugins, or a poor original setup, we can rebuild it the right way. We also offer ongoing maintenance plans that handle updates, backups, and malware checks regularly, so problems get caught early.
Our website development packages start from $350, so professional, security-focused WordPress development is affordable whether you need a full rebuild, a stronger new site, or ongoing protection for the one you already have.
Frequently Asked Questions
Common signs include unexpected redirects, spam content, unknown admin users, slow website performance, security warnings from Google, and a sudden drop in search rankings or website traffic. Running a malware scan can help confirm whether your site has been compromised.
Take your website offline if possible, back up all files and the database, change every password, contact your hosting provider, and scan the website for malware before making any changes.
Yes, if the infection is minor and you are comfortable working with WordPress files. However, if the hack keeps returning, involves customer data, or you cannot find the source of the infection, it’s best to seek professional WordPress security assistance.
Most WordPress hacks happen because of weak passwords, outdated plugins or themes, insecure hosting, outdated WordPress versions, or poorly coded third-party software.
Use a trusted malware scanner, remove infected files, delete unauthorized users, reinstall clean WordPress core files if needed, update all themes and plugins, and reset all passwords and security keys.
Keep WordPress, themes, and plugins updated, use strong passwords, enable two-factor authentication, install a web application firewall (WAF), schedule regular backups, and monitor your website for suspicious activity.
Yes. A hacked website can lose search engine rankings, receive Google security warnings, and experience a significant drop in organic traffic. Cleaning the website quickly and requesting a Google review can help restore your rankings over time.
A simple malware infection may take a few hours to clean, while a severe hack involving backdoors or multiple infected files can take several days. The recovery time also depends on how quickly the issue is detected.
About the Writer
Mandeep Singh Chahal
Founder/CEO, Mandy Web Design
Mandeep Singh Chahal is the Founder/ CEO of Mandy Web Design, a top-rated web design and development agency in India. With over 22 years of experience in digital marketing, he has helped businesses across various industries establish and strengthen their online presence through strategic design and SEO implementation. He focuses on creating digital solutions that address real business challenges and drive measurable growth. His approach combines deep industry knowledge with practical execution in web design, development, and search engine optimization, enabling him to transform business objectives into effective digital strategies that deliver results.