Stay Calm and Work Systematically
A compromised WordPress site is serious, but it is recoverable in the vast majority of cases. The worst outcomes — permanent data loss, extended downtime, lasting SEO damage — are almost always the result of either panic-driven mistakes or delayed action, not the compromise itself.
Frequently Asked Questions
How do I know if my WordPress site has been hacked?
Key signs of WordPress compromise: Google Search Console showing a security warning, manual action, or unknown pages being indexed; your browser displaying a “Deceptive site ahead” warning; customers reporting redirects to unfamiliar sites or security warnings; unexpected admin accounts in your user list; unfamiliar files in your WordPress directory (especially in wp-content/uploads or theme directories); a sudden drop in organic search traffic; your payment gateway sending a security or compliance notice; and server resource usage significantly higher than normal without a corresponding traffic increase.
What is the first thing to do when my WordPress site is hacked?
Take the site offline or into maintenance mode immediately to stop active damage to visitors. Then change all passwords: WordPress admin accounts, database password, FTP/SFTP credentials, and hosting control panel. Contact your hosting provider — they can isolate the account, provide server access logs that identify the attack vector, and may offer emergency malware removal. Do not attempt to “clean” the site while it is still live and potentially serving malware to visitors. Acting systematically matters more than acting fast.
Can I restore a hacked WordPress site from backup?
Yes, if you have a clean backup from before the compromise and can identify when the compromise occurred. This is the most reliable cleanup method — restoring clean files and database rather than trying to remove all malware manually. Verify the backup date predates the earliest signs of compromise in your logs. After restoration, immediately patch the vulnerability that was exploited, update all passwords, and enable additional security measures. If you do not have a clean backup, professional malware removal is required and is significantly more complex and expensive.
How long does it take to recover from a hacked WordPress site?
Recovery time depends on: whether clean backups are available (restoration from backup takes hours; manual cleanup without backups takes days to weeks), the type of malware deployed (simple file injections are faster to clean than database-stored malware with multiple backdoors), how long the infection persisted (longer dwell time means more vectors to address), and whether Google Safe Browsing issued a warning (requesting review after cleanup typically adds 24-72 hours). Professional malware remediation services typically quote 3-7 days for complex infections. Budget for 1-2 weeks of reduced site availability.
How do I prevent my WordPress site from being hacked again?
Post-cleanup prevention must address the original attack vector: if it was an outdated plugin, implement automatic security updates; if it was a weak password, enforce strong passwords and 2FA across all admin accounts; if it was shared hosting cross-contamination, move to isolated managed hosting; if it was a server misconfiguration, review all file permissions and access controls. General prevention: keep all software updated, enable 2FA on all admin accounts, deploy a server-level WAF with WordPress-specific rules, implement daily off-site backups, and switch to managed hosting with continuous malware scanning. Most reinfections occur within days of cleanup because the root cause was not addressed.
Work through the steps below in order. Do not skip ahead.
Step 1: Confirm the Compromise
Before doing anything else, confirm that your site is actually compromised rather than experiencing a plugin conflict, hosting issue, or some other problem with similar symptoms.
Signs of compromise
- Google Search Console showing a security warning or manual action
- Your browser showing a “Deceptive site ahead” warning
- Visitors reporting spam pages or unexpected redirects
- Hosting provider has suspended the account citing malware
- You can see unfamiliar files or code when browsing via FTP or file manager
- Admin emails arriving from an address you don’t recognise
Quick verification steps
- Search Google for site:yourdomain.com — if you see spam pages in the results that you didn’t create, you’re compromised
- Use Google’s Safe Browsing check: https://transparencyreport.google.com/safe-browsing/search?url=yourdomain.com
- Run your site through Sucuri’s free SiteCheck: sitecheck.sucuri.net
Step 2: Contain the Situation
Once you’ve confirmed a compromise, the priority is preventing further damage before you start cleaning.
Enable maintenance mode — put your site into maintenance mode so visitors don’t encounter malware or spam content while you’re working. A simple static maintenance page is sufficient.
Change all credentials immediately
- WordPress admin password (all admin accounts)
- WordPress database password (update wp-config.php after changing it in your database)
- Hosting control panel password
- FTP/SFTP credentials
- Any email accounts associated with the site
Do this even before you understand how the compromise happened. Attackers often install backdoors that allow re-entry even after an apparent clean-up; changing credentials limits the immediate damage.
Contact your hosting provider. If you’re on managed hosting, contact support immediately. They should be able to identify the infection vector, scan for malware, and assist with containment. On managed hosting with included malware remediation (such as WP Pro Host), this process is handled for you.
Preserve a copy of the infected site. Before cleaning, make a copy of the infected files. This is useful for forensics — understanding how the compromise happened helps prevent recurrence.
Step 3: Identify the Infection
Understanding what happened and how is necessary to prevent reinfection. Common infection types:
File injection — malicious code injected into existing PHP files, particularly wp-config.php, functions.php, or index.php. Look for obfuscated code (often base64_decode, eval, or gzinflate patterns) in files that shouldn’t contain complex code.
Backdoor files — new files placed in the WordPress directory that provide persistent access. Common locations: wp-content/uploads/, theme directories, plugin directories. Look for .php files in the uploads folder (there should be none) and unfamiliar .php files in theme/plugin folders.
Database injection — malicious content injected into the WordPress database, often in posts, the options table (wp_options), or user metadata. This is often used for spam SEO — creating thousands of invisible pages with keyword-stuffed content.
Admin user creation — attackers sometimes create a new admin account to maintain access. Review Users > All Users for accounts you don’t recognise.
Plugin/theme vulnerability — identify the exploited entry point by checking your server access logs for unusual requests around the time the compromise is believed to have occurred. Look for requests to specific plugin files that had known vulnerabilities at the time.
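A small defender-side triage scanner for the two file-level signs described above: PHP files under wp-content/uploads (where there should be none) and obfuscation primitives such as base64_decode, eval and gzinflate in PHP source. This is an added example, not code from the guide; it builds its own constructed sample tree in a temporary directory rather than touching a real install, and a hit is a lead for manual review, not proof of compromise.

```python
import os
import re
import tempfile

# Obfuscation primitives the guide names (plus two close relatives); a hit is a
# lead for manual review of that file, not proof that it is malicious.
SUSPICIOUS = re.compile(
    r"\b(base64_decode|eval|gzinflate|gzuncompress|str_rot13)\s*\(", re.IGNORECASE
)


def scan_wordpress_tree(root):
    """Return sorted (relative_path, reason) findings for PHP files under a WordPress root."""
    findings = []
    uploads = os.path.join(root, "wp-content", "uploads")
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            if not name.lower().endswith(".php"):
                continue
            path = os.path.join(dirpath, name)
            rel = os.path.relpath(path, root).replace(os.sep, "/")
            # Rule 1: nothing under wp-content/uploads should ever be PHP.
            if os.path.commonpath([path, uploads]) == uploads:
                findings.append((rel, "php file inside uploads"))
            # Rule 2: obfuscation primitives in PHP source.
            with open(path, encoding="utf-8", errors="replace") as fh:
                match = SUSPICIOUS.search(fh.read())
            if match:
                findings.append((rel, "suspicious call: " + match.group(1).lower()))
    return sorted(findings)


def build_sample_site():
    """Constructed, throwaway tree standing in for a real install (demo data only)."""
    root = tempfile.mkdtemp(prefix="wp-demo-")
    files = {
        "index.php": "<?php require __DIR__ . '/wp-blog-header.php';\n",
        "wp-content/themes/demo/functions.php": "<?php eval(base64_decode('aGVsbG8='));\n",
        "wp-content/uploads/2024/01/cache.php": "<?php echo 'hello';\n",  # dropped file
        "wp-content/uploads/2024/01/photo.jpg": "not php, ignored",
    }
    for rel, body in files.items():
        full = os.path.join(root, rel)
        os.makedirs(os.path.dirname(full), exist_ok=True)
        with open(full, "w", encoding="utf-8") as fh:
            fh.write(body)
    return root


if __name__ == "__main__":
    for rel, reason in scan_wordpress_tree(build_sample_site()):
        print(f"{reason:26} {rel}")
```

Point scan_wordpress_tree at a preserved copy of the infected site (Step 2) rather than the live one, and review each flagged file by hand before deleting anything.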
Step 4: Clean the Site
Option A: Restore from Backup (Recommended)
If you have a clean backup from before the compromise, restoring it is faster and more reliable than manual cleaning. The risk is that you restore the same vulnerability that allowed the compromise — so restoration must be followed by updating everything.
Before restoring: confirm the backup predates the compromise. Check your access logs to establish when unusual activity started.
After restoring:
- Update WordPress core, all plugins, and all themes immediately
- Remove any plugin or theme that has a known unpatched vulnerability
- Change all credentials again (the backup may contain the old, compromised credentials)
- Scan the restored site with a malware scanner to confirm it’s clean
Option B: Manual Cleaning
If you don’t have a clean backup, manual cleaning is possible but time-consuming.
- Replace WordPress core files — download a fresh copy of WordPress from wordpress.org and replace all core files except wp-config.php and the wp-content directory
- Reinstall plugins from source — delete all plugin folders and reinstall from wordpress.org or your original purchase source
- Review theme files — compare your theme files against the original source; replace any modified files
- Scan remaining files — use Wordfence, MalCare, or a manual scan for obfuscated code patterns in wp-content
- Clean the database — review wp_options for injected scripts (look for <script> tags in option values), review posts for spam content, remove unrecognised admin users
Running a Malware Scanner
After manual cleaning or restoration, run a thorough malware scan:
- Wordfence (plugin): Run a full scan including checking files against WordPress.org repository checksums
- MalCare: Cloud-based scanning that doesn’t rely on signature matching alone
- Sucuri Scanner: Good for identifying SEO spam injection specifically
Do not trust a single scanner to be definitive. Run two if in doubt.
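How the “check files against WordPress.org repository checksums” step works, and why replacing core files (Option B) is reliable: every core file has a published MD5, so a modified core file, a deleted core file, and a PHP file outside wp-content that core never ships can all be listed mechanically. This is an added example, not the guide’s or Wordfence’s code. In practice the manifest comes from the WordPress.org core checksums API for your exact version (WP-CLI’s wp core verify-checksums does the same comparison); here the manifest is constructed from the demo’s own clean files so it runs offline.

```python
import hashlib
import os
import tempfile

def verify_core_files(root, manifest):
    """Check an install against a {relative_path: md5} manifest of core files.
    Returns sorted lists: modified (hash differs), missing (in manifest, not on disk),
    unexpected (PHP outside wp-content that the manifest does not list)."""
    report = {"modified": [], "missing": [], "unexpected": []}
    for rel, digest in manifest.items():
        path = os.path.join(root, rel)
        if not os.path.isfile(path):
            report["missing"].append(rel)
            continue
        with open(path, "rb") as fh:
            if hashlib.md5(fh.read()).hexdigest() != digest:
                report["modified"].append(rel)
    for dirpath, dirnames, filenames in os.walk(root):
        if os.path.relpath(dirpath, root) == "wp-content":
            dirnames[:] = []  # plugins/themes are not in the core manifest; skip them
            continue
        for name in filenames:
            rel = os.path.relpath(os.path.join(dirpath, name), root).replace(os.sep, "/")
            if name.endswith(".php") and rel not in manifest:
                report["unexpected"].append(rel)
    return {key: sorted(val) for key, val in report.items()}

def build_sample_install():
    """Constructed demo: write a tiny 'clean' core, derive its manifest, then tamper."""
    root = tempfile.mkdtemp(prefix="wp-core-")
    def write(rel, data):
        full = os.path.join(root, rel)
        os.makedirs(os.path.dirname(full), exist_ok=True)
        with open(full, "wb") as fh:
            fh.write(data)
    clean = {
        "index.php": b"<?php require __DIR__ . '/wp-blog-header.php';\n",
        "wp-login.php": b"<?php // login form\n",
        "wp-includes/version.php": b"<?php $wp_version = '6.x';\n",
    }
    for rel, data in clean.items():
        write(rel, data)
    manifest = {rel: hashlib.md5(data).hexdigest() for rel, data in clean.items()}
    # Simulated compromise: injected core file, dropped file, deleted file, theme noise.
    write("index.php", clean["index.php"] + b"<?php eval(base64_decode('...'));\n")
    write("wp-includes/dropped-file.php", b"<?php // placeholder name for a dropped file\n")
    write("wp-content/themes/demo/functions.php", b"<?php // out of core scope\n")
    os.remove(os.path.join(root, "wp-login.php"))
    return root, manifest
```

Calling verify_core_files(*build_sample_install()) reports index.php as modified, wp-login.php as missing and wp-includes/dropped-file.php as unexpected; the theme file is deliberately out of scope because core checksums say nothing about wp-content.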
Step 5: Request Google Review
If Google flagged your site:
- Fix the issue completely first — Google reviewers check that the problem is resolved
- Log into Google Search Console
- Navigate to Security & Manual Actions > Security Issues
- Click “Request Review” and describe what you found and fixed
Review times are typically 24-72 hours. Your site will remain flagged in browsers until Google confirms it’s clean.
Step 6: Prevent Reinfection
Cleaning up without addressing the root cause results in reinfection, often within days.
Update everything — every outdated plugin, theme, and WordPress core version is a potential entry point. Update all of them.
Remove unused plugins and themes — delete them, don’t just deactivate.
Harden your installation — implement the measures in our WordPress Security Guide: strong passwords, 2FA, file permission review, disabling file editing from admin.
Consider a security plugin — Wordfence or Sucuri Security with ongoing monitoring active going forward.
Review and improve your backup strategy — daily off-server backups with at least 30-day retention. The backup you had going into this incident may have saved you hours of work; a better backup strategy will make the next incident (if any) even easier to recover from.
When to Call a Professional
If the compromise is extensive, you can’t identify the infection vector, or you’re not confident in your ability to clean the site thoroughly, engage a professional WordPress security service. Sucuri’s paid clean-up service is well-regarded. Wordfence also offers incident response services.