
How to Fix a Hacked WordPress Site: Complete Recovery Guide

Your WordPress site has been hacked — don't panic. This step-by-step recovery guide walks you through identifying the hack, removing malware, restoring your site, and hardening it against future attacks.

SecureCheap Team
June 1, 2026
8 min read


Discovering your WordPress site has been hacked is stressful — but fixable. This guide walks you through every step of the recovery process, from identifying what happened to cleaning up and preventing future attacks.

Step 1: Identify the Hack

Signs your site has been hacked:

  • Google shows spammy results: search site:yourdomain.com in Google
  • Google Safe Browsing flags your site
  • Visible defacement or unexpected content
  • Visitors redirected to other sites
  • Unusual slowness or server resource exhaustion
  • Unknown admin accounts in your WordPress admin
  • PHP files in unexpected locations

Server-side investigation:

# Find recently modified PHP files
find /var/www/html -name "*.php" -newer /var/www/html/wp-login.php -ls

# Look for suspicious POST requests in access logs
grep -E "POST.*(wp-content|uploads)" /var/log/nginx/access.log | tail -50

# Search for common backdoor patterns
grep -r "eval(base64_decode" /var/www/html/ --include="*.php" -l
grep -r "<?php @" /var/www/html/ --include="*.php" -l

Step 2: Isolate the Site

Take the site offline temporarily with a maintenance page redirect:

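location / {
    return 503;
}
error_page 503 /maintenance.html;
# Exact-match location so the error page is not itself caught by "location /"
location = /maintenance.html { internal; }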

Change all passwords immediately: WordPress admin, FTP/SFTP, cPanel, database.

Revoke all API keys associated with the site.

Notify stakeholders if user data may have been exposed. Consult your legal team about breach notification requirements (GDPR has a 72-hour notification requirement).

Step 3: Back Up the Compromised State

Take a backup even of the hacked site, because it preserves forensic evidence:

tar -czf /tmp/hacked-site-backup-$(date +%Y%m%d).tar.gz /var/www/html/
mysqldump -u root -p dbname > /tmp/hacked-db-$(date +%Y%m%d).sql

Step 4: Identify the Malware

Common malware locations:

  • /wp-content/uploads/: Malicious PHP files uploaded as images
  • /wp-content/themes/: Backdoors in theme functions.php or header.php
  • /wp-content/plugins/: Compromised or fake plugins
  • WordPress core files: Injected code in wp-includes or wp-admin

Use a dedicated malware scanner: Wordfence (plugin), Sucuri SiteCheck (free online scanner), or MalCare.
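As an added example (not part of the original guide), the script below makes a read-only triage pass over the locations listed above: PHP files in uploads, the two grep signatures from Step 1 inside wp-content, and core files that differ from a pristine copy. The function names, reason labels, script name and demo tree are constructed for illustration, and it assumes you have an unpacked wordpress/ directory of the same version to compare against.

```shell
#!/bin/sh
# Read-only triage of a WordPress tree: prints "reason<TAB>path" and changes nothing.
# Usage: sh triage.sh LIVE_ROOT PRISTINE_ROOT   (script name is hypothetical)
# PRISTINE_ROOT is assumed to be an unpacked wordpress/ directory of the same version.

tag() { while IFS= read -r f; do printf '%s\t%s\n' "$1" "$f"; done; }

triage_wp_tree() {
    live=$1; pristine=$2
    # 1. uploads/: a media directory should hold no PHP at all.
    find "$live/wp-content/uploads" -type f -name '*.php' 2>/dev/null | tag php-in-uploads
    # 2. wp-content/: the two signatures the guide greps for, matched as fixed strings.
    grep -rlF --include='*.php' 'eval(base64_decode' "$live/wp-content" 2>/dev/null | tag eval-base64
    grep -rlF --include='*.php' '<?php @' "$live/wp-content" 2>/dev/null | tag php-at-prefix
    # 3. Core: files in wp-admin/wp-includes that differ from, or are absent in, the pristine copy.
    for d in wp-admin wp-includes; do
        [ -d "$live/$d" ] || continue
        ( cd "$live" && find "$d" -type f ) | while IFS= read -r rel; do
            if [ ! -f "$pristine/$rel" ]; then printf 'core-extra\t%s\n' "$live/$rel"
            elif ! cmp -s "$live/$rel" "$pristine/$rel"; then printf 'core-modified\t%s\n' "$live/$rel"
            fi
        done
    done
}

# Constructed demo tree with inert placeholder files (not real malware).
make_demo() {
    t=$(mktemp -d)
    mkdir -p "$t/live/wp-content/uploads/2026" "$t/live/wp-content/themes/x" \
             "$t/live/wp-includes" "$t/clean/wp-includes"
    echo '<?php // placeholder' > "$t/live/wp-content/uploads/2026/logo.php"
    echo '<?php eval(base64_decode("PLACEHOLDER"));' > "$t/live/wp-content/themes/x/header.php"
    echo '<?php // core file' > "$t/clean/wp-includes/load.php"
    echo '<?php // core file plus injected line' > "$t/live/wp-includes/load.php"
    echo '<?php // file that core does not ship' > "$t/live/wp-includes/cache.php"
    echo "$t"
}

if [ "$#" -eq 2 ]; then
    triage_wp_tree "$1" "$2"
else
    demo=$(make_demo); triage_wp_tree "$demo/live" "$demo/clean"; rm -rf "$demo"
fi
```

Run it against the copy preserved in Step 3 as well as the live tree, so the findings can be reviewed before anything is deleted in Step 5.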

Step 5: Clean the Malware

Option A: Restore from clean backup (fastest when you have reliable pre-hack backups):

cd /var/www && mv html html-hacked
tar -xzf /backup/clean-backup.tar.gz
mysql -u root -p dbname < /backup/clean-db.sql

Option B: Manual cleaning:

# Reinstall WordPress core files
wget https://wordpress.org/latest.tar.gz && tar -xzf latest.tar.gz
cp -r wordpress/wp-admin /var/www/html/
cp -r wordpress/wp-includes /var/www/html/
# DO NOT overwrite wp-config.php or wp-content

# Remove PHP files from uploads
find /var/www/html/wp-content/uploads -name "*.php" -exec rm -f {} \;

Clean the database. These queries locate injected content so the matching rows can be reviewed and cleaned:

SELECT ID, post_title FROM wp_posts
WHERE post_content LIKE '%eval(base64%' OR post_title LIKE '%viagra%';
SELECT option_name FROM wp_options WHERE option_value LIKE '%eval(base64%';

Step 6: Harden Before Going Live

Apply the full 50-step security checklist before bringing the site back online:

  • Update all passwords to new, strong, unique values
  • Enable 2FA on all admin accounts
  • Remove unused plugins and themes
  • Set correct file permissions
  • Disable XML-RPC
  • Add security headers

Steps 7-10: Verify, Go Live, and Monitor

Run a full malware scan (confirm clean), then a vulnerability scan with SecureCheap Scanner. Remove the maintenance page. Monitor closely for 48-72 hours. If Google flagged your site, request a review in Google Search Console.

Implement continuous monitoring going forward:

SecureCheap provides:

  • Uptime monitoring: Know within 60 seconds if your site goes down again
  • File change monitoring: Detect malware injection before it causes damage
  • CVE scanning: Know when a plugin vulnerability is discovered
  • Error tracking: Catch application anomalies indicating compromise

A hack caught within hours causes a fraction of the damage of one discovered after weeks. Start free with SecureCheap — no credit card required, setup in 5 minutes.
