Is Your WordPress Site Hacked? Here’s the Guide to Protect & Clean it

Do not panic, I repeat do not panic!

So, your WordPress site hacked.

But like I said, no need to panic, we are here with a step-by-step guide to help you recover from the typical WordPress site hacks.

And WordPress and hacking are the two words that you never want to hear together. All the more, when cleaning a hacked WP website is not an easy task.

Just take a deep breath and focus all your energy on finding the solution.


Are you really hacked?

WordPress powers 30% of websites on the Internet and the company does a good job of securing the websites with updates. But the problem could arise from different computer software’s end.

Before going forward with a solution, make sure your WP website is actually hacked. It is possible that an update went astray or some other problem is the issue here.

So, when is your WordPress site hacked?

These are the signs that tell that your website is hacked!

  • If you receive a report from your web hosting service provider that your website is doing something malicious.
  • If you are getting complaints from your customers of being redirected to a spammy website.
  • If you are seeing spam appearing in header or footer of your website with adverts of pornography and illegal substances, or any dark object that may not be visible to you.
  • If you are typing in the right passwords but it isn’t working, you have every chance to get suspicious. However, it is good to check after 10 to 15 minutes again, as the website you are trying might be having some technical difficulties. 
  • Unexpected and unwanted installations on your system are run by malicious programs which is a sure sign that you are hacked. These are often installed by the legitimate programs as well, so check your licensing agreements.
  • Nothing confirms this like your organization’s data sitting somewhere on the Internet or the dark web. You might also be informed by the media either wanting to confirm it or to know what are you going to do about it. 
  • Is your antivirus program disabled? Then you surely are exploited, especially if your task manager won’t start or starts in a reduced state.
  • Other instances involve random popups, your online account missing a lot of money, your mouse moving between programs and making working selections, and fake email and social media invitations sent from your account.

Now that you are sure your site is actually hacked, follow these steps to clean your WordPress site hack.

Hire a Professional

If your website underwent a bad attack or your website needs to be cleaned fast, hiring a professional is the best option.

Also, if you are not tech-savvy, you wouldn’t want to mess things up by trying to clean the website yourself.

But if you decide to do it yourself, read on.

Step:1 Scan the Website

You can use a remote scanner to find malware locations and malicious payloads. In case it is not able to find a payload, you can use other tests or manually review the Links/ iFrames, Scripts for suspicious elements.

If you have multiple websites running on one server, scan every one of them.

Check Core File Integrity & Recently Modified Files

Because most core WordPress files should never be modified, check for integrity issues in the wp-admin, wp-content, wp-includes, and root folders. 

The quickest way to do this is to use the diff command in the terminal or check it manually via SFTP. If nothing is modified, your core files are clean. 

Newly modified files could be part of the hack as well. Hacked files can be identified by seeing if they were recently modified.

To check it manually, log into your server using an FTP client or SSH terminal. If using SFTP, review last modified date column for all files while for SSH, use command, $ find ./ -type f -mtime -15, to list all files modified in the last 15 days.

Step:2 Backup

The next step is to make a backup of your current site.

Why would you need the backup of your site, you ask? Well, whether you are able to edit your database to clean out the hacked content of your find yourself installing a fresh version of WordPress, you would need to reference your hacked site to figure out what needs to be port over.

Also, many hosting providers immediately suspend the site once you report about being hacked.

Here are a few free backup plugins to download a copy. 

  • UpdraftPlus – It supports WordPress backups to Dropbox, GoogleDrive, and others while performing a quick restore, and automatic backups periodically
  • Duplicator – It provides automated backup and the facility of manual backup
  • BackWPup – Easy to use free backup provider that gives the option to use external backup services and check your database

Step:3 Remove the Hack

Now that you know the malware locations, remove the malware from WordPress.

Some malware are inserted into new files whereas others into existing files. It is safe to remove the file which contains just the malware code. However, for files where malicious code is added to existing code, just the malicious text should be deleted.

The best way to identify hacked files is by comparing the current state of your site with the backup. By comparing the two, you can identify what has been modified. 

Step:4 Clean the Files 

If the infection is in plugins or core files, you can fix it manually. Replace the custom files with fresh copies. 

To remove an infection from your website database, use the database admin panel. 

Don’t forget to check the hidden files to ensure any compromised files are deleted.

If you have other sites hosted on the same account, then you have to follow the same process on these sites as well because cross-infection is quite common. But don’t take your time with this one. Do it as you did the other website and fast or you’ll run the risk of infecting the cleaned website yet again.

Step:5 Restore the Website

Now, you just have to restore from a previous clean version of your website.

You might have to re-do a few things that have changed since the last backup but it’s far easier than rebuilding everything.

Step:6 Reset Passwords

Assume none of your passwords is safe. Now, log in, change all the usernames and passwords, and ensure that passwords are unique, strong, and not easy for a hacker to guess.

Moreover, if you start making edits to the site before you change the passwords, you could very well get re-hacked before you even get finished with your website.

Also, change your secret keys and salts to ensure your site is safe and secure. 

Step:7 Edit wp-config.php file

Now that you have changed passwords, you need to update your wp-config.php file with the new information to tell WordPress how to access the database again.

wp-config.php is one of the most important files in your WordPress installation. Located in the root of your WordPress file directory, it contains configuration details of your website like database connection information.

The file doesn’t come included when you first download WordPress, rather the WordPress setup process creates a wp-config.php file based on the information you provide.

Step:8 Change the Permissions

Check the permission for all your WordPress users. See that only you and your team members are given the admin access and user permission isn’t tampered with. If you see any other username, it means you are compromised and you need to contact a professional.

Step:9 Fix Your Website

Reinstall Plugins and Themes

Do not use plugins that are old or not maintained. Simply reinstall.

Same for the themes. Reinstall them and do not use the old ones because you don’t know which ones are hacked. If you use customized themes, make changes to your new theme by referencing to the backup.

Also, delete anything that you are not using. Because hackers can use them to get access to your site.

.htaccess Issues

To restore your .htaccess file, so that the URLs of your website start working again, create a new .htaccess file in your WordPress directory through FTP or SSH. Now, change the permissions to 777. Log-in to your dashboard, navigate to settings, permalinks, and update them. When done, change the permissions back to 644.

Be sure not to leave any hacked .htaccess file as that can be used to maliciously redirect people from your site to other sites. 

Step:10 Keep your WordPress Up-to-date

Now that you have cleaned your site, make sure to backup everything and that you are using the latest WordPress version.

Automatic updates will help stay current. If you have a customized site, try to set up a schedule to check for WordPress and plugin updates regularly.

To make sure you have covered all your bases, install a WordPress security plugin. Once everything is in place, set up automatic backups. 

Congratulations! You have successfully restored your website.


Now that you have cleaned your WordPress site hack, make sure to backup periodically and that you are using the latest version of WordPress.

Although having your website hacked is scary, it happens to everyone eventually.

But What about Not getting Hacked in First Place!

You already know the steps you need to take after you have been hacked. But nothing is better than being proactive, Right!

After all, prevention is better than cure.

It starts right from your workstation

The most overlooked thing is your computer which must be free from any viruses and malware. Workstation protection is essential not only because you are using the Internet but because a keylogger, a type of surveillance technology used to monitor the keys typed, is often used by cybercriminals to steal login credentials, sensitive company data, and personally identifiable information (PII).

Regularly update your software and browser.

Use a good antivirus.

Keep your eyes peeled for any vulnerabilities and get it removed without any delay before it makes an even bigger of a mess.

Set a Strong Password

When hackers use website credentials to hack a website, that’s called a brute force attack. 

Hackers take advantage of the fact that a startling number of people keep small and uncomplicated passwords, considering long and complex passwords to be overrated. 

So, have a strong password in place, one that is comprised of numbers, characters, and symbols. Though the scope of the brute force attacks is endless, a strong password goes a long way to protect your blogs and website and would take longer to find.

Use a password tool to create complex passwords and to further keep track of them. 

Be always updated

So, you perform your updates every month or so. Good, right! No. It isn’t enough to deter hackers.

Update your themes, plugins, and core regularly, as in whenever a new one is released by the company.

More so when it comes to WP updates because whenever a new version is released, it accompanies a security vulnerabilities report with itself. With every new update, while we get new features, lazy hackers get the opportunity to exploit the listed security issues.

So, install the latest version as soon as it comes in.

Secured Hosting Server

With the majority of websites and blogs running on shared servers, if one site gets infected others are running the risk of getting infected as well, no matter how secured your website is.

Your main priority should be finding a secured server. If you are going for a shared server, check out their security and maintenance schedule before renting the space.

Furthermore, delete the unused versions of WordPress from the server. If they are not being used or not even connected with the installed, they can be exploited. 

Why give hackers another entry point to exploit!

Use Trusted Sources to Download

Are you tempted to try out the free premium plugin options? Don’t be!

These sources are best-known hackers’ tools to infect your site with malware and viruses. A hidden backdoor is all they need to turn your brand appearance into a giant poster for enlargement pills. 

Don’t make the mistake of setting file permissions to 777

Never set file/directory permission to 777 unless you want to give others complete access to your website. 

Beginners generally tend to go with this option because they’ll ‘change it later’ or its the ‘easier one’.

However, open permissions like 777 give unlimited access to modify and execute code, leaving your site vulnerable to attacks.

Don’t leave your website open for anyone to access, change the file permissions. So, balance the security of your website by starting with low and gradually increasing it to get it right.

A Website Firewall

A great option to prevent your WordPress website from hacking is the Web Application Firewall (WAP). A protocol layer 7 defense, it is designed to protect web applications from attacks such as SQL injection, file inclusion, and cross-site-scripting.

So, now you know how to prevent your WP website from being hacked and if it does get attacked, you know the steps to clean your website.

Remember, WordPress security is not a one-time thing rather a continuous effort because hackers will never stop trying.

So, be prepared and equipped with all the knowledge and tools.

Leave a Comment