Cleaning up a hacked WordPress site
A practical guide to recovering a hacked WordPress site by scanning for malware, cleaning compromised files, removing backdoors, resetting credentials and hardening security.
Discovering that your WordPress site has been compromised is stressful, but the cleanup process is well established. Most WordPress hacks are automated and opportunistic rather than targeted. Bots scan the internet for known vulnerabilities in outdated plugins, themes and WordPress core, then exploit them to inject malicious code. This means any WordPress site can be affected, regardless of its size or audience.
The priority when dealing with a hack is to stop further damage, remove all malicious code, identify and close the entry point and harden the site to prevent reinfection. Missing any of these steps, particularly identifying the entry point, significantly increases the chance of being hacked again.
Recognising the signs of a hack
Hacked WordPress sites don't always look obviously broken. Some of the most common signs include unexpected redirects sending your visitors to spam or phishing sites, unfamiliar content or pop-ups appearing on your pages and unknown user accounts (particularly administrator accounts) appearing in your WordPress dashboard.
You might also notice browser warnings or a "This site may be hacked" message in Google search results, which means Google's Safe Browsing service has flagged your site. Unexpected spikes in server resource usage or traffic to pages you didn't create can also indicate a compromise.
Attackers often upload files to directories where they're less likely to be noticed. Unexpected .php files in wp-content/uploads/ are a strong indicator, since that directory should primarily contain images, documents and other media.
If you're seeing any of these signs, work through the steps below.
Quarantine the site
Before you start cleaning, take the site offline for visitors so nobody is exposed to malicious redirects, downloads or injected content while you work. If you still have dashboard access, a maintenance mode plugin can do this, but a restriction at the web server level (for example, an allowlist of your own IP address applied by your hosting provider) is preferable, because it doesn't rely on code running inside the compromised installation.
Contact your hosting provider and let them know the site has been compromised. They may have additional tools or server-level access that can help identify the scope of the compromise, and they may be able to tell you when the infection started based on their logs.
Take a full backup of the site in its current compromised state. This might seem counterintuitive, but having a copy of the infected files and database is valuable for forensic analysis, particularly for identifying the entry point and understanding what was changed.
Scan for malware
Use both remote and server-side scanning approaches to get a full picture of the compromise.
Remote scanners check your site's public-facing pages against databases of known malware signatures, malicious URLs and suspicious patterns. These are useful for confirming a compromise and identifying what visitors are being exposed to, but they can only see what's publicly visible.
Server-side scanners examine the actual files on your server and can detect backdoors, modified core files and suspicious code patterns that aren't visible from the outside. Look for a security tool that can compare your WordPress core files against the official release, flag modified plugin and theme files and identify common malware patterns.
Note any flagged files and directories for manual inspection in the next step.
Identify the entry point
Understanding how the attacker gained access is critical for preventing reinfection. The most common entry points are outdated plugins or themes with known vulnerabilities, weak or reused passwords on admin accounts, FTP or hosting control panel credentials that have been compromised, and nulled (pirated) plugins or themes that contain built-in backdoors.
Check your server access logs for unusual activity around the time the hack likely occurred. Look for POST requests to unexpected files, access to files in unusual directories or requests from IP addresses that don't match your normal traffic patterns. Your hosting provider can help with this if you don't have direct access to the logs.
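The log checks described above, as an added example that is not part of the original article. It triages a combined-format (Apache or nginx) access log for POSTs to PHP files that aren't normal WordPress endpoints, any request for PHP under wp-content/uploads, and the addresses behind them. The log lines, the plugin name in them and the addresses (RFC 5737 documentation ranges) are constructed for the demo; in real use point the functions at your own log file.

```shell
#!/bin/sh
# Added example, not from the article: triage a combined-format access log for
# the signals described above. Log lines below are constructed for the demo
# (documentation IP ranges, a made-up "old-gallery" plugin). Replace make_log
# with the path to your real log, e.g. /var/log/apache2/access.log (assumed).

make_log() {
  f=$(mktemp)
  cat > "$f" <<'EOF'
203.0.113.10 - - [02/May/2024:10:01:12 +0000] "GET / HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.10 - - [02/May/2024:10:01:15 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
198.51.100.7 - - [02/May/2024:10:03:40 +0000] "POST /wp-admin/admin-ajax.php HTTP/1.1" 200 211 "-" "Mozilla/5.0"
198.51.100.7 - - [02/May/2024:10:04:02 +0000] "GET /wp-content/plugins/old-gallery/readme.txt HTTP/1.1" 200 1288 "-" "python-requests/2.31"
198.51.100.7 - - [02/May/2024:10:04:05 +0000] "POST /wp-content/plugins/old-gallery/upload.php HTTP/1.1" 200 43 "-" "python-requests/2.31"
198.51.100.7 - - [02/May/2024:10:04:09 +0000] "POST /wp-content/uploads/2024/05/wp-cache.php HTTP/1.1" 200 17 "-" "python-requests/2.31"
192.0.2.55 - - [02/May/2024:11:15:00 +0000] "GET /wp-content/uploads/2024/05/logo.gif HTTP/1.1" 200 8844 "-" "Mozilla/5.0"
192.0.2.55 - - [02/May/2024:11:15:30 +0000] "POST /xmlrpc.php HTTP/1.1" 200 370 "-" "Mozilla/5.0"
EOF
  echo "$f"
}

# POSTs to PHP files other than the endpoints WordPress itself posts to.
# Output: "<ip> <path>" per hit. Query strings are stripped before matching.
unusual_posts() {   # unusual_posts LOGFILE
  awk '$6 == "\"POST" {
         path = $7; sub(/\?.*/, "", path)
         if (path ~ /\.php$/ &&
             path !~ /^\/(wp-login\.php|xmlrpc\.php|wp-cron\.php|wp-comments-post\.php|wp-admin\/[a-z-]+\.php)$/)
           print $1, path
       }' "$1"
}

# Any request for a PHP file under wp-content/uploads. That directory should
# only serve media, so every hit here deserves a look, whatever the status code.
php_under_uploads() {   # php_under_uploads LOGFILE
  awk '{ path = $7; sub(/\?.*/, "", path)
         if (path ~ /^\/wp-content\/uploads\/.*\.php$/) print $1, substr($6, 2), path }' "$1"
}

# Every line from one address, in order: the timeline of what that client did.
timeline_for_ip() {   # timeline_for_ip LOGFILE IP
  awk -v ip="$2" '$1 == ip' "$1"
}

# Request counts per client address, busiest first.
requests_by_ip() {   # requests_by_ip LOGFILE
  awk '{ n[$1]++ } END { for (ip in n) print n[ip], ip }' "$1" | sort -rn
}

log=$(make_log)
echo "== POSTs to unexpected PHP files"; unusual_posts "$log"
echo "== PHP requested under uploads";    php_under_uploads "$log"
echo "== requests per IP";                requests_by_ip "$log"
echo "== timeline for the busiest client"
timeline_for_ip "$log" "$(requests_by_ip "$log" | head -n 1 | cut -d' ' -f2)"
rm -f "$log"
```

In the constructed log the timeline for 198.51.100.7 shows the pattern to look for: a GET for a plugin's readme.txt (version fingerprinting) followed seconds later by a POST to a file inside that plugin, then a POST to a new .php file under uploads. The plugin POST is the entry-point candidate; the uploads POST is the attacker using what was dropped. xmlrpc.php is left in the allowlist because WordPress legitimately receives POSTs there, but a high volume of them from one address is worth its own look.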
If you can identify the specific vulnerability that was exploited, make sure it's patched before you bring the site back online.
Clean compromised files
Start with WordPress core files. Download a clean copy of the exact same version of WordPress you're running from wordpress.org and compare the files against your installation. Replace any files that have been modified, and treat any file present in wp-admin/ or wp-includes/ that doesn't exist in the clean copy as suspect: attackers add files to core directories as often as they modify them. Do not overwrite wp-content or wp-config.php at this stage.
For plugins and themes, replace every plugin and theme with a fresh copy downloaded from its official source (wordpress.org for free plugins, or the marketplace where you purchased premium ones). Delete any plugins or themes you're not actively using. Never reinstall nulled or pirated plugins or themes, as these are one of the most common infection vectors.
Check file timestamps for recently modified files, particularly in wp-content/uploads/, theme directories and plugin directories. Attackers often leave traces in files that were modified around the time of the compromise. Review these manually and look for suspicious code patterns such as eval(), base64_decode(), long obfuscated strings or unfamiliar @include statements that reference files in unexpected locations.
Clean the database
Attackers sometimes inject malicious content directly into the database rather than (or in addition to) modifying files. Spam links, malicious JavaScript and redirect code can be injected into posts, pages, comments or the wp_options table.
Using phpMyAdmin or WP-CLI, search your database for patterns commonly associated with injected code: eval(, base64_decode(, <script tags that you didn't add and long encoded strings that don't correspond to any legitimate content.
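The database search described above, as an added example that is not part of the original article. It works on a database export (from `wp db export` or mysqldump) rather than the live database, so nothing is modified while you investigate, and reports the table and dump line for every hit. The dump, including the script URL in it, is constructed for the demo.

```shell
#!/bin/sh
# Added example, not from the article: search a database export for the
# injection patterns listed above. Working on a dump keeps the live database
# untouched while you look. The dump below is constructed for the demo; the
# script host in it is a placeholder (.invalid TLD).

make_dump() {
  f=$(mktemp)
  cat > "$f" <<'EOF'
INSERT INTO `wp_posts` VALUES (12,1,'2024-05-01 10:00:00','Welcome','<p>Hello world</p>','publish');
INSERT INTO `wp_posts` VALUES (13,1,'2024-05-02 11:00:00','About','<p>About us</p><script src="https://cdn.evil.invalid/r.js"></script>','publish');
INSERT INTO `wp_options` VALUES (1,'siteurl','https://example.com','yes');
INSERT INTO `wp_options` VALUES (987,'widget_text','a:1:{i:2;a:1:{s:4:"text";s:51:"<script>eval(atob(\"d2luZG93LmxvY2F0aW9u\"))</script>";}}','yes');
INSERT INTO `wp_comments` VALUES (5,12,'Bob','Nice post','2024-05-03 09:00:00');
EOF
  echo "$f"
}

# One line per hit: "line N table T: pattern". Patterns are matched as fixed
# strings (grep -F), so parentheses need no escaping. The table name is read
# from the INSERT statement, which assumes one-row-per-line inserts as
# mysqldump and `wp db export` produce by default.
scan_dump() {   # scan_dump DUMPFILE
  for pat in 'eval(' 'base64_decode(' '<script' 'atob(' 'fromCharCode(' 'document.write('; do
    grep -n -F -e "$pat" "$1" | while IFS=: read -r line rest; do
      table=$(printf '%s' "$rest" | sed -n 's/^INSERT INTO `\([^`]*\)`.*/\1/p')
      printf 'line %s table %s: %s\n' "$line" "${table:-?}" "$pat"
    done
  done
}

# Live-database equivalent for one pattern, if WP-CLI is installed:
#   wp db query "SELECT ID, post_title FROM wp_posts WHERE post_content LIKE '%<script%'"

dump=$(make_dump)
scan_dump "$dump"
rm -f "$dump"
```

Note that the constructed dump produces hits in both wp_posts and a serialized widget option in wp_options, and that a clean row (siteurl) and an ordinary comment produce none. A hit is a row to inspect, not a row to delete: embedded videos, analytics snippets and some page builders legitimately store `<script` in post content. Serialized values such as widget settings must be edited through WordPress or WP-CLI (for example `wp search-replace --dry-run` first), because changing their length by hand with a raw SQL UPDATE corrupts the serialization.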
Be cautious when editing the database directly. It's easy to accidentally delete legitimate content or break your site's configuration. If you're not confident working with database queries, this is a good point to seek professional help.
Remove backdoors
Backdoors are pieces of code that allow the attacker to regain access even after the initial malware has been removed. They're often separate from the main infection and can be well hidden.
Common backdoor locations include .php files in wp-content/uploads/ (there should be very few legitimate PHP files in this directory), files with random or nonsensical names in theme or plugin directories, wp-content/mu-plugins/ (must-use plugins load automatically and don't appear in the normal plugin list, so check this directory even if you never created it), injected code in functions.php or wp-config.php, and unexpected user accounts with administrator or editor roles. Also check the scheduled events stored in the database, since a malicious cron entry can re-create a backdoor after you've deleted the file.
Delete any suspicious files, remove injected code and delete unknown user accounts. If you're not sure whether a file is legitimate, compare it against a clean copy of the plugin, theme or core version you're running.
Reset all credentials
After cleaning the infection, assume that all credentials associated with the site have been compromised and change them all.
Reset passwords for every WordPress administrator and editor account. Change your hosting control panel password, FTP and SFTP passwords and your database password (and update the DB_PASSWORD value in wp-config.php to match).
In wp-config.php, replace the authentication keys and salts with fresh values generated at api.wordpress.org/secret-key/1.1/salt/. WordPress mixes these values into the hashes that sign its login cookies and nonces (they don't encrypt anything), so every existing cookie stops validating the moment they change. That forces every user, including any attacker who still holds a valid session cookie, to log in again. Do this after the password resets rather than before, so the attacker can't simply log back in with an unchanged password.
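The credential rotation in wp-config.php, as an added example that is not from the original article: it replaces all eight keys and salts with locally generated random values (an offline alternative to pasting the output of the api.wordpress.org URL above) and updates DB_PASSWORD the same way. The wp-config.php is constructed for the demo, /dev/urandom is assumed to exist, and the define() lines are assumed to use single quotes as the stock wp-config-sample.php does. Run it against a copy of your real file first.

```shell
#!/bin/sh
# Added example, not from the article: rotate the eight keys and salts in
# wp-config.php locally and update DB_PASSWORD with the same helper. Random
# characters come from /dev/urandom via tr (assumed available). The config
# file is constructed for the demo; single-quoted define() lines are assumed.

make_config() {
  f=$(mktemp)
  cat > "$f" <<'EOF'
<?php
define( 'DB_NAME', 'wordpress' );
define( 'DB_PASSWORD', 'old-password' );
define( 'AUTH_KEY',         'put your unique phrase here' );
define( 'SECURE_AUTH_KEY',  'put your unique phrase here' );
define( 'LOGGED_IN_KEY',    'put your unique phrase here' );
define( 'NONCE_KEY',        'put your unique phrase here' );
define( 'AUTH_SALT',        'put your unique phrase here' );
define( 'SECURE_AUTH_SALT', 'put your unique phrase here' );
define( 'LOGGED_IN_SALT',   'put your unique phrase here' );
define( 'NONCE_SALT',       'put your unique phrase here' );
$table_prefix = 'wp_';
EOF
  echo "$f"
}

SALT_KEYS='AUTH_KEY SECURE_AUTH_KEY LOGGED_IN_KEY NONCE_KEY AUTH_SALT SECURE_AUTH_SALT LOGGED_IN_SALT NONCE_SALT'

# 64 random characters from a set that is safe inside a single-quoted PHP
# string and inside the sed replacement below (no quote, backslash, & or |).
random_secret() {
  LC_ALL=C tr -dc 'A-Za-z0-9!@#$%^*()_+=-' < /dev/urandom | head -c 64
}

# Read the value of define( 'KEY', '...' ); from a wp-config.php.
get_define() {   # get_define CONFIG KEY
  sed -n "s|.*define( *'$2', *'\([^']*\)'.*|\1|p" "$1"
}

# Replace the value of an existing define( 'KEY', '...' ); in place, keeping
# the file's permissions. Values containing ' \ & or | are not handled.
set_define() {   # set_define CONFIG KEY VALUE
  tmp=$(mktemp)
  sed "s|define( *'$2', *'[^']*' *);|define( '$2', '$3' );|" "$1" > "$tmp"
  cat "$tmp" > "$1"
  rm -f "$tmp"
}

rotate_salts() {   # rotate_salts CONFIG
  for key in $SALT_KEYS; do
    set_define "$1" "$key" "$(random_secret)"
  done
}

# Number of keys still carrying the stock placeholder: should be 0 afterwards.
placeholders_left() {   # placeholders_left CONFIG
  grep -c "put your unique phrase here" "$1" || true
}

cfg=$(make_config)
rotate_salts "$cfg"
# Only after the password has actually been changed in MySQL at the host:
set_define "$cfg" DB_PASSWORD 'new-password-set-at-host'
echo "placeholders left: $(placeholders_left "$cfg")"
grep -E "^define\( '(AUTH|SECURE_AUTH|LOGGED_IN|NONCE)_(KEY|SALT)'" "$cfg"
rm -f "$cfg"
```

set_define only rewrites a define() that already exists; on a wp-config.php that still has the stock placeholders or values from a previous rotation it replaces all eight, and a file that uses double-quoted defines needs the sed pattern adjusted. Keep wp-config.php at mode 600 after editing, since the new values are the session-signing secrets.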
Request a security review from Google
If your site was flagged by Google Safe Browsing (showing a "This site may be hacked" or "This site may harm your computer" warning), you'll need to request a review after cleanup. Log into Google Search Console, go to the Security Issues section and submit a review request once you've confirmed the site is clean. Google typically processes these reviews within a few days, but it can take longer.
Harden the site against reinfection
Update WordPress core, all plugins and all themes to their latest versions. Outdated software with known vulnerabilities is the most common entry point for WordPress hacks, and leaving anything out of date after a cleanup is an invitation for reinfection.
Enable two-factor authentication on all administrator accounts and enforce strong, unique passwords. Limit login attempts to slow down brute-force attacks.
Consider adding a web application firewall (WAF) to your site. A WAF filters incoming traffic and blocks common exploit patterns before they reach your server. Many hosting providers offer basic WAF features, or you can use a dedicated service.
Set up regular malware scans and file integrity monitoring so you'll be alerted quickly if anything changes unexpectedly. Schedule regular backups and store copies offsite so you always have a clean version to restore from.
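Three concrete hardening steps, as an added example that is not from the original article and goes slightly beyond the list above: block PHP execution under wp-content/uploads (the directory the earlier sections single out), turn off the dashboard theme/plugin editor with the DISALLOW_FILE_EDIT constant, and reset file permissions. The .htaccess form assumes Apache 2.4 with AllowOverride enabled for the document root; the site tree is constructed for the demo.

```shell
#!/bin/sh
# Added example, not from the article: hardening steps after a cleanup. Assumes
# Apache 2.4 with AllowOverride enabled (for the .htaccess) and a wp-config.php
# with the usual $table_prefix line. The site tree below is constructed.

make_site() {
  root=$(mktemp -d)
  mkdir -p "$root/wp-content/uploads/2024/05"
  cat > "$root/wp-config.php" <<'EOF'
<?php
define( 'DB_NAME', 'wordpress' );
$table_prefix = 'wp_';
EOF
  printf 'GIF89a' > "$root/wp-content/uploads/2024/05/logo.gif"
  chmod 777 "$root/wp-content/uploads"   # world-writable, as a sloppy install often leaves it
  echo "$root"
}

# Apache: refuse to execute anything PHP-like under uploads. Media still serves.
deny_php_in_uploads() {   # deny_php_in_uploads DOCROOT
  cat > "$1/wp-content/uploads/.htaccess" <<'EOF'
# Added during cleanup: nothing in uploads may run as PHP.
<FilesMatch "\.(php|phtml|php[0-9]|phar)$">
  Require all denied
</FilesMatch>
EOF
}

# Disable the built-in theme/plugin editor, which attackers use to plant code
# once they hold an admin login. The define must be set before wp-settings.php
# is loaded, so it is inserted just above $table_prefix. Safe to run twice.
disable_file_editor() {   # disable_file_editor WP_CONFIG
  if ! grep -q 'DISALLOW_FILE_EDIT' "$1"; then
    tmp=$(mktemp)
    awk '/^[$]table_prefix/ && !done { print "define( '\''DISALLOW_FILE_EDIT'\'', true );"; done = 1 } { print }' "$1" > "$tmp"
    cat "$tmp" > "$1"
    rm -f "$tmp"
  fi
}

# Directories 755, files 644, wp-config.php 600. Ownership matters as much as
# mode: files should belong to your deploy user, not the web server account,
# and some hosts need 640 on wp-config.php so PHP in the same group can read it.
reset_permissions() {   # reset_permissions DOCROOT
  find "$1" -type d -exec chmod 755 {} +
  find "$1" -type f -exec chmod 644 {} +
  chmod 600 "$1/wp-config.php"
}

# Octal mode of a path (GNU stat first, BSD stat as fallback).
mode_of() {   # mode_of PATH
  stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1"
}

site=$(make_site)
deny_php_in_uploads "$site"
disable_file_editor "$site/wp-config.php"
disable_file_editor "$site/wp-config.php"   # second run must not duplicate the line
reset_permissions "$site"
cat "$site/wp-config.php"
echo "uploads: $(mode_of "$site/wp-content/uploads")  wp-config.php: $(mode_of "$site/wp-config.php")"
rm -rf "$site"
```

On nginx, .htaccess files are ignored; the equivalent is a `location ~* ^/wp-content/uploads/.*\.php$ { deny all; }` block placed before the block that passes PHP to php-fpm. Either way, verify the rule after deploying it by requesting a harmless test .php file you placed in uploads and confirming you get a 403 rather than executed output.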
Need professional help with a hacked site?
If you suspect a deep compromise, keep getting reinfected after cleanup or aren't comfortable working through these steps, my emergency WordPress support service includes full malware removal, root cause analysis, credential resets and post-cleanup monitoring to make sure the infection doesn't return.