WordPress Site Hacked? Here's How to Recover It Fast

June 24, 2026, by Amanur Rahman
Is your WordPress site hacked? Follow this step-by-step recovery guide to clean malware, restore access, and secure your site — from a developer with 14+ years of experience.

Discovering your WordPress site has been hacked is one of the worst feelings for any website owner. You might see a defaced homepage, a Google warning, your hosting account suspended, or strange redirects sending visitors elsewhere. Whatever the symptom — the fix needs to happen fast.

In this guide, I'll walk you through exactly how to recover a hacked WordPress site, step by step. I've cleaned dozens of compromised WordPress installations over my 14+ years as a WordPress developer, and this is the same process I follow every time.

⚠️ Before anything else: Don't panic and don't delete everything. A methodical approach will save both your site and your data.

How Do You Know Your WordPress Site Is Hacked?

Common signs include:

  • Your homepage is replaced with a defacement message
  • Google Search Console shows a "This site may be hacked" warning
  • Your hosting provider suspended your account for malware
  • Visitors are being redirected to spam or phishing sites
  • Google search results show spammy Japanese or pharmaceutical keywords under your domain
  • You're locked out of wp-admin
  • New admin users appeared that you didn't create
  • Your site is extremely slow or sending spam emails

Even one of these signs means you need to act immediately.

Step 1: Put Your Site in Maintenance Mode and Back Up Everything

Before touching anything, take a full backup — even the infected files. You may need them later to compare what changed.

Connect to your server via FTP (FileZilla) or cPanel File Manager and download the entire public_html folder. Also export your database from phpMyAdmin.

Then put your site in maintenance mode so visitors don't hit the infected pages while you work. You can do this by adding a simple .htaccess redirect or placing a temporary HTML page.

Step 2: Scan for Malware

Use a trusted scanner to identify infected files before manually removing anything.

The best free options:

  • Wordfence Security (free plugin) — run a full scan from wp-admin
  • MalCare — deep scan, shows file-level changes
  • Sucuri SiteCheck — paste your URL at sitecheck.sucuri.net for a quick external scan
  • VirusTotal — upload suspicious files for multi-engine analysis

If you're locked out of wp-admin, install Wordfence via FTP by uploading the plugin folder directly to /wp-content/plugins/ and activating it from the database.

Step 3: Remove Malicious Code and Files

Once the scanner identifies infected files, clean them one by one — don't just delete core files blindly.

Common places hackers inject malware:

  • wp-config.php — check for added base64-encoded strings at the top or bottom
  • functions.php in your active theme
  • .htaccess — look for added redirect rules
  • /wp-content/uploads/ — PHP files here are almost always malware (no PHP should exist in uploads)
  • Plugin files — especially nulled/pirated plugins

For core WordPress files, the safest approach is to replace them entirely. Download a fresh copy of WordPress from wordpress.org matching your current version, then overwrite wp-admin/ and wp-includes/ completely. Do not overwrite wp-content/ or wp-config.php.
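
Before overwriting, the fresh download can also show which core files were changed. The following is an added example, not part of the original guide: it hashes wp-admin/ and wp-includes/ in the downloaded backup and in the fresh copy and lists modified, added and missing files. The file contents and the name wp-tmp.php are constructed for the demo.

```python
import hashlib
import tempfile
from pathlib import Path

CORE_DIRS = ("wp-admin", "wp-includes")  # the directories the guide replaces wholesale


def index_core(root):
    """Map relative path -> SHA-256 for every file under the core directories."""
    root = Path(root)
    return {
        path.relative_to(root).as_posix(): hashlib.sha256(path.read_bytes()).hexdigest()
        for name in CORE_DIRS if (root / name).is_dir()
        for path in (root / name).rglob("*") if path.is_file()
    }


def compare_core(site_root, fresh_root):
    """Classify the backup's core files against a fresh copy of the same version."""
    site, fresh = index_core(site_root), index_core(fresh_root)
    return {
        "modified": sorted(p for p in site if p in fresh and site[p] != fresh[p]),
        "added": sorted(site.keys() - fresh.keys()),
        "missing": sorted(fresh.keys() - site.keys()),
    }


def write_tree(root, files):
    for rel, text in files.items():
        target = Path(root, rel)
        target.parent.mkdir(parents=True, exist_ok=True)
        target.write_text(text)


def demo():
    """Constructed trees: one core file tampered with, one extra file dropped in."""
    fresh = {rel: "<?php // constructed stand-in for a core file\n" for rel in
             ("wp-includes/version.php", "wp-includes/load.php", "wp-admin/index.php")}
    site = dict(fresh)
    site["wp-includes/load.php"] += "eval(base64_decode('aGVsbG8gd29ybGQ='));\n"
    site["wp-includes/wp-tmp.php"] = "<?php // file that core never shipped\n"
    with tempfile.TemporaryDirectory() as tmp:
        write_tree(Path(tmp, "site"), site)
        write_tree(Path(tmp, "fresh"), fresh)
        return compare_core(Path(tmp, "site"), Path(tmp, "fresh"))


if __name__ == "__main__":
    print(demo())
```

Anything under "added" deserves a close look, because a file that core never shipped survives a plain overwrite of wp-admin/ and wp-includes/.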

// Check wp-config.php for anything like this — it's malware:
eval(base64_decode('aGVsbG8gd29ybGQ='));

// Or obfuscated code like:
$_0x4f3a = array(...); // suspicious variable names with hex
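
The checks listed in this step can be run in one pass over the downloaded backup. This triage script is an added example, not code from the original guide: it flags PHP files under wp-content/uploads/, the two code patterns shown above, and .htaccess redirect rules that point at an absolute URL. The pattern list is an assumed heuristic and the sample files are constructed.

```python
import re
import tempfile
from pathlib import Path

PHP_SUFFIXES = {".php", ".phtml", ".php5", ".php7", ".phar"}
# Heuristics for the injection styles shown above (assumed, not exhaustive).
CODE_PATTERNS = {
    "eval-of-decoded-string": re.compile(rb"eval\s*\(\s*(base64_decode|gzinflate)\s*\(", re.I),
    "hex-style-variable": re.compile(rb"\$_0x[0-9a-f]{3,}", re.I),
}
# A redirect rule in .htaccess whose target is an absolute URL.
HTACCESS_REDIRECT = re.compile(rb"^[ \t]*(RewriteRule|Redirect(Match)?)\b.*https?://", re.I | re.M)

SAMPLE = {  # constructed files, not taken from a real infection
    "wp-config.php": "<?php\neval(base64_decode('aGVsbG8gd29ybGQ='));\n",
    "wp-content/themes/demo/functions.php": "<?php\nadd_action('init', 'demo');\n",
    "wp-content/uploads/2026/06/cache.php": "<?php $_0x4f3a = array(1, 2);",
    "wp-content/uploads/2026/06/photo.jpg": "placeholder image bytes",
    ".htaccess": "RewriteEngine On\nRewriteRule ^(.*)$ https://spam.example/$1 [R=302,L]\n",
}


def triage(root):
    """Return sorted (relative_path, reason) findings for a site copy on disk."""
    root, findings = Path(root), []
    for path in (p for p in root.rglob("*") if p.is_file()):
        rel, suffix = path.relative_to(root).as_posix(), path.suffix.lower()
        if suffix in PHP_SUFFIXES:
            if rel.startswith("wp-content/uploads/"):
                findings.append((rel, "php-in-uploads"))
            data = path.read_bytes()
            findings += [(rel, why) for why, rx in CODE_PATTERNS.items() if rx.search(data)]
        elif path.name == ".htaccess" and HTACCESS_REDIRECT.search(path.read_bytes()):
            findings.append((rel, "htaccess-external-redirect"))
    return sorted(findings)


def run_on_sample():
    """Write SAMPLE into a temporary directory and triage it."""
    with tempfile.TemporaryDirectory() as tmp:
        for rel, text in SAMPLE.items():
            target = Path(tmp, rel)
            target.parent.mkdir(parents=True, exist_ok=True)
            target.write_text(text)
        return triage(tmp)


if __name__ == "__main__":
    print(*(f"{why:28} {rel}" for rel, why in run_on_sample()), sep="\n")
```

Treat the output as a review list rather than a verdict: a legitimate HTTPS-forcing rule in .htaccess will also match the redirect check, and a clean result does not prove the absence of a backdoor.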

Step 4: Change All Passwords and Secret Keys

Assume every credential is compromised. Change everything.

  • WordPress admin password — change from wp-admin or directly in the database
  • Database password — update in cPanel and in wp-config.php
  • FTP/SFTP passwords — update in hosting control panel
  • Hosting account password
  • WordPress secret keys — regenerate at wordpress.org/secret-key and paste into wp-config.php (this logs out all users)

Also delete any admin users you don't recognize in Users → All Users.

Step 5: Update Everything

Most WordPress hacks happen through outdated plugins, themes, or WordPress core. Update everything immediately after cleaning.

  • WordPress core → update to latest version
  • All plugins → update every single one
  • All themes → update, and delete unused themes
  • Delete any nulled/pirated plugins or themes permanently

⚠️ Nulled plugins are the #1 cause of WordPress hacks. They almost always contain backdoors. Never use them.

Step 6: Clean the Database

Hackers often inject content into your database — fake admin accounts, spam links in posts, or malicious redirects in options.

In phpMyAdmin, run these SQL queries to find injected content:

-- Check for suspicious admin accounts
SELECT * FROM wp_users;

-- Look for spam links or injected scripts in posts
SELECT ID, post_title, post_content FROM wp_posts
WHERE post_content LIKE '%eval(%'
   OR post_content LIKE '%base64_decode%'
   OR post_content LIKE '%<script%';

Delete or clean any rows that look suspicious. Pay special attention to wp_options rows like siteurl and home — make sure they point to your actual domain.

Step 7: Harden Your WordPress Security

Cleaning is only half the job. You need to prevent reinfection.

Disable PHP execution in uploads folder

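Create a new .htaccess file inside /wp-content/uploads/ with this content. The rules in this step apply to Apache only; on Apache 2.4 the order/deny directives they use are provided by mod_access_compat.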

<Files *.php>
  deny from all
</Files>

Protect wp-config.php

<Files wp-config.php>
  order allow,deny
  deny from all
</Files>

Disable XML-RPC if not needed

<Files xmlrpc.php>
  order deny,allow
  deny from all
</Files>

Other hardening steps:

  • Change default wp_ database table prefix to something custom
  • Limit login attempts using Wordfence or Limit Login Attempts Reloaded
  • Enable two-factor authentication for admin accounts
  • Set correct file permissions: folders = 755, files = 644, wp-config.php = 600
  • Use a Web Application Firewall (WAF) — Wordfence free version includes one

💡 Pro tip: For production WooCommerce stores, consider hosting on a managed server with DDoS protection and daily backups. OceanWebHosting Dedicated Servers provide isolated environments that significantly reduce cross-site contamination risk common on shared hosting.
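
The file permission values from the hardening list (folders 755, files 644, wp-config.php 600) can be audited across the whole tree. This is an added example, not code from the original guide; the demo tree is constructed, and apply=True is an optional switch of this script that also corrects what it finds.

```python
import os
import stat
import tempfile
from pathlib import Path

DIR_MODE, FILE_MODE, CONFIG_MODE = 0o755, 0o644, 0o600  # values from the hardening list


def expected_mode(path):
    if path.is_dir():
        return DIR_MODE
    return CONFIG_MODE if path.name == "wp-config.php" else FILE_MODE


def audit_permissions(root, apply=False):
    """Return (relative_path, actual, expected) for entries that deviate.

    With apply=True each deviating entry is also chmod-ed to the expected mode.
    """
    root, deviations = Path(root), []
    for path in sorted(root.rglob("*")):
        if path.is_symlink():
            continue  # only real files and folders are checked
        actual, wanted = stat.S_IMODE(path.stat().st_mode), expected_mode(path)
        if actual != wanted:
            deviations.append((path.relative_to(root).as_posix(), oct(actual), oct(wanted)))
            if apply:
                os.chmod(path, wanted)
    return deviations


def demo():
    """Constructed tree with two deliberate mistakes: loose uploads/ and wp-config.php."""
    with tempfile.TemporaryDirectory() as tmp:
        site = Path(tmp, "site")
        (site / "wp-content" / "uploads").mkdir(parents=True)
        for name in ("wp-config.php", "index.php"):
            (site / name).write_text("<?php // constructed\n")
        for rel, mode in {"wp-config.php": 0o644, "index.php": 0o644,
                          "wp-content": 0o755, "wp-content/uploads": 0o777}.items():
            os.chmod(site / rel, mode)
        before = audit_permissions(site, apply=True)
        return before, audit_permissions(site)


if __name__ == "__main__":
    print(demo())
```

Mode 600 on wp-config.php only works when PHP runs as the file's owner; if the web server runs as a different user, the site will fail to read its configuration and a group-readable mode is needed instead.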

Step 8: Request Google Review (If Blacklisted)

If Google flagged your site with a "Dangerous site" warning, you need to request a manual review after cleaning.

  1. Go to Google Search Console → Security Issues
  2. Confirm all issues are fixed
  3. Click Request Review and describe what you cleaned
  4. Google typically reviews within 1–3 days

Also check your hosting provider's blacklist removal process — some hosts (like SiteGround, Bluehost) suspend accounts automatically and require you to submit a ticket after cleanup.

Should You Hire a WordPress Developer to Clean Your Hacked Site?

If you're not comfortable editing PHP files, running SQL queries, or connecting via FTP — the risk of making things worse is real. A single missed backdoor file means your site gets reinfected within days.

As a professional WordPress developer with 14+ years of experience, I've recovered hacked sites for clients across the US, UK, and Australia. I can audit your site, remove all malware, harden your setup, and deliver a clean site — usually within 24 hours.

If you need urgent help, contact me directly or reach out via WhatsApp for a fast response.

How to Prevent Your WordPress Site From Being Hacked Again

  • Keep WordPress, plugins, and themes always updated
  • Never use nulled/pirated plugins or themes
  • Use strong, unique passwords for all accounts
  • Enable two-factor authentication on wp-admin
  • Take automated daily backups (UpdraftPlus free version works well)
  • Use a security plugin like Wordfence with firewall enabled
  • Choose quality hosting with server-level malware scanning
  • Limit the number of admin-level users on your site

WordPress powers over 40% of the web — which also makes it the most targeted platform by hackers. But with the right practices, it's also very easy to keep secure.

Frequently Asked Questions

How do I know if my WordPress site has been hacked?

Common signs include: your homepage is defaced, Google shows a security warning for your site, visitors are redirected to spam pages, your hosting is suspended, or new admin users appeared that you didn't create. You can also run a free scan at sitecheck.sucuri.net.

Can I recover a hacked WordPress site without losing data?

Yes, in most cases. The key is to clean malicious files without deleting your database or wp-content folder. Replacing WordPress core files (wp-admin and wp-includes) is safe and doesn't affect your content or plugins.

How long does it take to clean a hacked WordPress site?

A straightforward cleanup typically takes 2–6 hours for someone experienced. Complex infections with database injections and multiple backdoors can take longer. Professional malware removal services often complete it within 24 hours.

Will my SEO rankings recover after a hack?

Yes, but it takes time. Once you clean the site and request a Google review, the security warning is usually removed within 1–3 days. Ranking recovery depends on how long the site was flagged — typically a few weeks to a few months.

What is the most common cause of WordPress hacks?

Outdated plugins and themes are the leading cause, followed by weak passwords and nulled (pirated) plugins. Keeping everything updated and using only legitimate software eliminates the majority of attack vectors.

Do I need to reinstall WordPress completely after a hack?

Not necessarily. In most cases, replacing just the core files (wp-admin and wp-includes folders) and cleaning infected plugin/theme files is sufficient. A full reinstall is only needed for severe infections where the entire codebase is compromised.
