How to Fix a Hacked WordPress Site

Shema Kent

It is every website owner’s nightmare. You try to log in to your site, only to find a strange screen, or worse, a message from your browser saying your site is dangerous. If your WordPress site has been hacked, you need to act quickly but calmly.

The good news is that most hacks are fixable. By following a clear, step-by-step process, you can clean your files, secure your data, and get back to business.

Step 1: Stay Calm and Use Maintenance Mode

Before you start poking around, put your site into maintenance mode if you still have access to the dashboard. If you don’t have access, you might need to use a “Coming Soon” page through your hosting provider. This prevents visitors from seeing the hacked content and keeps the hackers from seeing what you are doing to fix it.

Step 2: Scan Your Site for Malware

You need to know exactly what you are dealing with. There are two ways to do this:

  1. Use a Security Plugin: If you can still log in, install a plugin like Wordfence or Sucuri. These tools can scan your core files and compare them to the official WordPress versions to find changes.
  2. External Scanners: If you are locked out, use a remote scanner. These tools check your site from the outside to see if there is malicious code or if your site is on a blacklist.

Step 3: Change All Your Credentials

Hackers often get in by stealing passwords. Even if you clean the site, they can get back in if you don’t change your “keys.” You should update the following immediately:

  • WordPress Admin Passwords: Change passwords for every user with admin rights.
  • FTP/SFTP Accounts: Update these through your hosting panel.
  • Database Password: You will need to update this in your wp-config.php file after changing it in your hosting dashboard.
  • Hosting Account Password: This is the most important one.

Step 4: Reinstall WordPress Core

Sometimes hackers hide scripts in the main WordPress files. The easiest way to fix this is to replace the core files with fresh ones.

You can do this from the WordPress Dashboard under Updates by clicking Reinstall Now. If you cannot access the dashboard, you can download a fresh version of WordPress from the official website and upload the wp-admin and wp-includes folders via FTP, overwriting the old ones.

Step 5: Clean Your Themes and Plugins

This is where hackers love to hide. Do not try to “clean” a corrupted plugin. Instead:

  1. Make a list of your active plugins.
  2. Delete the plugin folders entirely.
  3. Reinstall them one by one from the official WordPress repository or the original source.
  4. Do the same for your themes.

Note: If you have a custom theme, compare your files with a clean backup to find any code that does not belong there.

Step 6: Check for “Backdoors”

A backdoor is a piece of code a hacker leaves behind so they can get back in even after you change your password. They are often hidden in files like wp-config.php or inside the uploads folder.

Look for files that have strange names or files that end in .php inside your image uploads folder. There should almost never be a PHP file in your uploads.
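One way to automate the uploads check described above, as an added example that is not part of the original article. It goes a little further than the text by also flagging double extensions such as name.php.jpg and image files that contain a PHP open tag. The function names, reason labels and extension lists are assumptions made for this sketch, and the sample tree is constructed.

```python
import tempfile
from pathlib import Path

# Assumed list of extensions a server may run as PHP; adjust to your config.
PHP_EXTS = {"php", "phtml", "php5", "php7", "phar"}
IMAGE_EXTS = {"jpg", "jpeg", "png", "gif", "ico", "webp"}


def classify(path):
    """Return why a file looks out of place in uploads, or None if it does not."""
    exts = path.name.lower().split(".")[1:]  # every extension, not just the last
    last = exts[-1] if exts else ""
    if last in PHP_EXTS:
        return "php-extension"
    if PHP_EXTS.intersection(exts):
        return "php-in-name"  # double extension such as name.php.jpg
    if last in IMAGE_EXTS and b"<?php" in path.read_bytes():
        return "php-code-in-image"
    return None


def scan_uploads(uploads_dir):
    """Return sorted (relative_path, reason) pairs for files that need review."""
    base = Path(uploads_dir)
    found = ((p, classify(p)) for p in base.rglob("*") if p.is_file())
    return sorted((p.relative_to(base).as_posix(), why) for p, why in found if why)


def build_sample_tree(base):
    """Write a constructed uploads tree; every name and byte here is made up."""
    samples = {
        "2024/01/logo.png": b"\x89PNG\r\n\x1a\n" + b"\x00" * 16,
        "2024/01/cache.php": b"<?php /* constructed placeholder */ ?>",
        "2024/02/banner.php.jpg": b"\xff\xd8\xff\xe0" + b"\x00" * 16,
        "2024/02/photo.jpg": b"\xff\xd8\xff\xe0<?php /* constructed */ ?>",
    }
    for rel, data in samples.items():
        target = Path(base, rel)
        target.parent.mkdir(parents=True, exist_ok=True)
        target.write_bytes(data)


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_tree(tmp)
        for rel, reason in scan_uploads(tmp):
            print(f"{reason:18} {rel}")
```

Point scan_uploads at a downloaded copy of wp-content/uploads; each hit is a file to inspect by hand, not proof of a backdoor.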

Step 7: Clean Your Database

If you see strange links or weird text on your pages that you didn’t write, the hack might be in your database. You can use a database optimization plugin to scan for suspicious strings or “spam keywords.”

Step 8: Ask Google to Review Your Site

Once the site is clean, you may still see a warning in Google search results. To fix this, you must go to Google Search Console. Navigate to the Security Issues report and click Request a Review. Tell them exactly what you did to fix the site.

How to Prevent This From Happening Again

Fixing a hack is hard work. To make sure it doesn’t happen again, keep your site updated. Updates often contain security patches that close the holes hackers use. Always use strong, unique passwords and consider using a web application firewall to block attacks before they even reach your site.
