How to Fix a Hacked WordPress Site: Step-by-Step Guide
Discovering your WordPress site has been hacked is a stressful experience. Your site might be redirecting visitors to spam sites, showing strange content, or your hosting provider may have suspended your account. Whatever the symptoms, here is exactly what to do.
Step 1: Do Not Panic — But Act Fast
The longer a hacked site stays infected, the more damage it does: Google Safe Browsing may flag it, your host may suspend the account, the malware may spread to other sites on the same account, and every visitor in the meantime is exposed. Act quickly but methodically.
Step 2: Take Your Site Offline (Temporarily)
Ask your hosting provider to block public access to the site, or put a static holding page in front of it at the web server or CDN level. A maintenance-mode plugin is the weaker option, because it still executes the infected PHP on every request. Before you change anything, take a full copy of the files and the database and download the web server access logs; you will need them later to work out how the attacker got in and which files they touched. Taking the site offline protects visitors and stops the site from being used to attack others.
Step 3: Change All Passwords Immediately
Change every credential the attacker could have captured, working from a computer you trust (a new password typed on an infected machine is not new for long):
- WordPress passwords for all administrator accounts, and for any other account with an elevated role
- FTP/SFTP and SSH passwords or keys
- Database password (and update wp-config.php to match)
- Hosting control panel password
- Email account passwords, especially the one that receives WordPress password-reset mail
Also rotate the eight authentication keys and salts in wp-config.php. WordPress login cookies are signed with them, so rotating them invalidates every existing session for every account at once, including accounts you have not found yet. Use strong, unique passwords for each. A password manager helps. Expect to repeat this step after Step 7: a backdoor that survives the cleanup can capture the new passwords as soon as they are used.
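Changing passwords does not by itself log an attacker out of a session they already hold. WordPress signs its login cookies with the keys and salts in wp-config.php, so rotating those invalidates every existing cookie for every account. The script below is an added example written for this guide, not code from the article or from WordPress: it generates the values locally (so it works offline, instead of fetching them from the WordPress secret-key service), assumes the standard define('NAME', 'value') layout of wp-config.php, and keeps a .bak copy of the original. Run it as sh rotate-salts.sh /path/to/wp-config.php; with no argument it rotates a constructed sample config and prints the result.

```shell
#!/bin/sh
# Added example, not from the original article. Rotates the eight WordPress
# authentication keys and salts in wp-config.php so that every existing login
# cookie for every user stops validating. Values are generated locally rather
# than fetched from https://api.wordpress.org/secret-key/1.1/salt/ so the
# script runs offline. Assumes the standard define('NAME', 'value') lines.
set -u

WP_SALT_NAMES="AUTH_KEY SECURE_AUTH_KEY LOGGED_IN_KEY NONCE_KEY AUTH_SALT SECURE_AUTH_SALT LOGGED_IN_SALT NONCE_SALT"

# 64 random characters from a set that is safe inside a single-quoted PHP
# string and inside the sed replacement below (no quotes, slashes, pipes,
# backslashes or ampersands).
random_salt() {
  LC_ALL=C tr -dc 'A-Za-z0-9!#%^*()_+=-' < /dev/urandom | head -c 64
}

# Replace the value of each salt define in $1, keeping a .bak copy first.
rotate_salts() {
  cfg="$1"
  cp "$cfg" "$cfg.bak"
  for name in $WP_SALT_NAMES; do
    value=$(random_salt)
    # '|' delimits the sed expression because the old value may contain '/'.
    sed "s|define( *'$name', *'[^']*' *);|define('$name', '$value');|" "$cfg" \
      > "$cfg.tmp" && mv "$cfg.tmp" "$cfg"
  done
}

# Return 0 when all eight defines are present, 64 characters long and no
# longer the placeholder text that ships in wp-config-sample.php.
check_salts() {
  cfg="$1"
  for name in $WP_SALT_NAMES; do
    grep -q "define('$name', '[^']\{64\}');" "$cfg" || return 1
  done
  ! grep -q 'put your unique phrase here' "$cfg"
}

# Constructed sample in the layout WordPress ships, used when no path is given.
make_sample_config() {
  cat > "$1" <<'EOF'
<?php
define( 'DB_NAME', 'wordpress' );
define( 'DB_PASSWORD', 'change-me-too' );
define( 'AUTH_KEY',         'put your unique phrase here' );
define( 'SECURE_AUTH_KEY',  'put your unique phrase here' );
define( 'LOGGED_IN_KEY',    'put your unique phrase here' );
define( 'NONCE_KEY',        'put your unique phrase here' );
define( 'AUTH_SALT',        'put your unique phrase here' );
define( 'SECURE_AUTH_SALT', 'put your unique phrase here' );
define( 'LOGGED_IN_SALT',   'put your unique phrase here' );
define( 'NONCE_SALT',       'put your unique phrase here' );
$table_prefix = 'wp_';
EOF
}

if [ -n "${1:-}" ]; then
  rotate_salts "$1" && check_salts "$1" && echo "salts rotated in $1 (backup in $1.bak)"
else
  demo=$(mktemp -d)
  make_sample_config "$demo/wp-config.php"
  rotate_salts "$demo/wp-config.php"
  check_salts "$demo/wp-config.php" && grep -E "_(SALT|KEY)'" "$demo/wp-config.php"
  rm -rf "$demo"
fi
```

The sed pattern is deliberately loose about spacing so it matches both the spaced layout WordPress generates and hand-edited define('AUTH_KEY', '...') lines; anything that does not match is left untouched, which is why check_salts runs afterwards rather than trusting the edit. Every user, including you, is logged out when the file is saved.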
Step 4: Restore From a Clean Backup (If You Have One)
If you have a backup taken before the compromise, restoring it is the fastest fix. First establish when the compromise started (the earliest modification time on a malicious file, the first suspicious request in the access logs, or the date a scanner first flagged something) and pick a backup from before that point; a backup taken after the break-in contains the malware too. Keep a copy of the compromised files for comparison, and remember that the restore also brings back the vulnerability that was exploited, so Step 8 is still required.
This is why regular offsite backups are essential. If you do not have backups, skip to Step 5.
Step 5: Scan for Malware
Use a malware scanner to identify infected files. Options include:
- Wordfence — free plugin with a good scanner
- Sucuri SiteCheck — free online scanner
- MalCare — paid but thorough
The scanner will identify infected files. Do not just delete them: work out what was changed and why, because each change points to how the attacker got in and to other files they touched. Treat every hit as a lead rather than a verdict, since legitimate plugins also use functions such as base64_decode, and do not rely only on a scanner running on the compromised server; for WordPress core and for plugins from the official directory, compare the files against the official checksums as well.
Step 6: Clean the Infected Files
For each infected file, you have two options:
- Replace with a clean version: for WordPress core, download a fresh copy of the same version and overwrite every core file, not only the flagged ones (wp-admin, wp-includes and the root files; keep your own wp-config.php and wp-content). The same applies to plugins and themes from the official directory: delete the folder and reinstall the same version.
- Manually remove the malicious code: for custom themes and plugins that have no clean copy, find and remove the injected code, checking each file against your last known-good version or your repository if you have one.
Common places malware hides: wp-config.php, .htaccess, index.php in the site root, the active theme's functions.php, header.php and footer.php (injected redirect scripts usually sit there), files added to wp-includes, and any PHP file in the uploads folder.
Step 7: Check for Backdoors
Hackers often leave backdoors: hidden files or code that let them regain access even after you clean the site. Search for:
- PHP files in the uploads folder (there should be none), including ones with double extensions such as image.jpg.php
- Obfuscated code (base64_decode, eval, gzinflate, str_rot13, create_function, assert, and code assembled by concatenating string fragments)
- Unknown administrator users in WordPress, and known users whose email address has been changed
- Unknown scheduled tasks, both WordPress cron events and entries in the server crontab
- Recently modified files: list everything changed in the last few weeks and account for every one
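The file-system checks from Steps 5 to 7, as an added example written for this guide rather than code from the article or from any of the scanners it names. The script builds a small constructed wp-content tree (one clean theme file and three planted files, with made-up paths and contents) and runs three checks over it: PHP under uploads, obfuscation markers in any PHP file, and a listing of recently changed files. Pass a real site root as the first argument to scan that instead.

```shell
#!/bin/sh
# Added example, not from the original article. Builds a small constructed
# wp-content tree (one clean file, three planted ones) and runs the Step 5 to 7
# checks over it: PHP where only media belongs, obfuscation markers, and a
# listing of recently changed files. Pass a real site root to scan that instead.
set -u

# Function names that appear in almost every PHP webshell loader. Legitimate
# plugins use some of them too, so a hit is a lead to read, not a verdict.
OBFUSCATION_RE='eval\(|base64_decode\(|gzinflate\(|gzuncompress\(|str_rot13\(|create_function\(|assert\('

# Print one "reason<TAB>path" line per finding, paths relative to the site root.
scan_site() {
  site="$1"
  # 1. WordPress never writes PHP into uploads; anything .php* there is planted
  #    (the glob also catches image.jpg.php and shell.php.bak).
  find "$site/wp-content/uploads" -type f -name '*.php*' 2>/dev/null \
    | while read -r f; do printf 'uploads-php\t%s\n' "${f#"$site"/}"; done
  # 2. Obfuscation markers anywhere in the tree; grep -l names each file once.
  find "$site" -type f \( -name '*.php' -o -name '*.phtml' \) \
    -exec grep -lE "$OBFUSCATION_RE" {} + 2>/dev/null \
    | while read -r f; do printf 'obfuscation\t%s\n' "${f#"$site"/}"; done
}

# Number of findings, for gating a cron check or a deploy.
scan_count() {
  scan_site "$1" | wc -l | tr -d ' '
}

# Files changed in the last $2 days (default 14). On a real site, account for
# every path this prints; malware drops usually cluster around one date.
recently_changed() {
  find "$1" -type f -mtime "-${2:-14}"
}

# Constructed tree: paths and contents are made up for the demonstration.
make_sample_site() {
  site="$1"
  mkdir -p "$site/wp-content/themes/demo" "$site/wp-content/plugins/hello" \
           "$site/wp-content/uploads/2024/01"
  # Clean theme file: ordinary WordPress hooks, nothing to flag.
  cat > "$site/wp-content/themes/demo/functions.php" <<'EOF'
<?php
add_action('wp_enqueue_scripts', function () {
    wp_enqueue_style('demo', get_stylesheet_uri());
});
EOF
  # Injected loader of the kind found in hacked plugin files. The payload here
  # decodes to "echo 1;", but the eval(base64_decode()) shape is the signature.
  cat > "$site/wp-content/plugins/hello/hello.php" <<'EOF'
<?php
/* Plugin Name: Hello */
$x = "ZWNobyAxOw==";
eval(base64_decode($x));
EOF
  # PHP dropped into uploads, named to look like an image handler.
  cat > "$site/wp-content/uploads/2024/01/image.php" <<'EOF'
<?php @gzinflate(base64_decode($_POST['p']));
EOF
  # Double-extension trick: executed as PHP by some misconfigured hosts.
  printf '<?php echo 1;\n' > "$site/wp-content/uploads/2024/01/cat.jpg.php"
}

if [ -n "${1:-}" ]; then
  scan_site "$1"
else
  demo=$(mktemp -d)
  make_sample_site "$demo"
  scan_site "$demo"
  rm -rf "$demo"
fi
```

On the constructed tree the script reports four findings: both files under uploads, plus hello.php and image.php for their obfuscation markers, while the clean functions.php is not flagged. The checks that need the database or the official file hashes cannot run offline and are better done with WP-CLI on the server: wp core verify-checksums and wp plugin verify-checksums --all compare installed files against the published hashes, wp user list --role=administrator shows every administrator account, and wp cron event list shows WordPress scheduled events; the server-side crontab is a separate check (crontab -l for the site user, and the files under /etc/cron.d).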
Step 8: Harden Security
After cleaning, close the holes that let the attacker in. Start with the access logs you saved in Step 2: find the first request that touched a malicious file and trace it back to the vulnerable plugin, theme or login. Then:
- Update WordPress core, all themes, and all plugins, and remove any plugin or theme that no longer receives updates
- Delete unused themes and plugins (deactivated code is still reachable by a direct request)
- Set correct file permissions (644 for files, 755 for directories, and 600 or 640 for wp-config.php depending on which user PHP runs as)
- Block PHP execution in the uploads folder at the web server
- Put a web application firewall in front of the site (Cloudflare or Wordfence)
- Enable two-factor authentication for admin accounts
- Limit login attempts
- Disable the theme and plugin editor in the dashboard, so a stolen admin login cannot be turned into code execution
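The permission and uploads-folder items above, carried out and verified, as an added example written for this guide rather than code from the article. It assumes Apache 2.4 with AllowOverride enabled for the .htaccess rule (on nginx the equivalent is a location block that denies *.php under uploads), assumes PHP runs as the file owner for the 600 on wp-config.php (use 640 with the web server group on mod_php shared hosts), and with no argument runs against a constructed tree with the loose permissions a compromised site often has.

```shell
#!/bin/sh
# Added example, not from the original article. Applies the Step 8 permission
# scheme to a WordPress tree, blocks PHP execution under uploads, and verifies
# the result. Assumes Apache 2.4 with AllowOverride enabled for the .htaccess
# part; on nginx use a location block that denies *.php under uploads instead.
# With no argument it runs against a constructed tree.
set -u

harden_site() {
  site="$1"
  # Stop the web server from running anything that lands in uploads, whatever
  # the file permissions say. Covers .php, .phtml and .phar.
  mkdir -p "$site/wp-content/uploads"
  cat > "$site/wp-content/uploads/.htaccess" <<'EOF'
# Added during cleanup: uploads holds media only, never executable code.
<FilesMatch "\.(php|phtml|phar)$">
  Require all denied
</FilesMatch>
EOF
  find "$site" -type d -exec chmod 755 {} +
  find "$site" -type f -exec chmod 644 {} +
  # wp-config.php holds the database password and the salts. 600 assumes PHP
  # runs as the file owner (per-user PHP-FPM); on mod_php shared hosts use 640
  # with the web server group instead.
  if [ -f "$site/wp-config.php" ]; then
    chmod 600 "$site/wp-config.php"
  fi
}

# Print every path that does not match the scheme; empty output means clean.
check_site() {
  site="$1"
  find "$site" -type d ! -perm 755
  find "$site" -type f ! -name wp-config.php ! -perm 644
  find "$site" -name wp-config.php ! -perm 600
  [ -f "$site/wp-content/uploads/.htaccess" ] || echo "$site/wp-content/uploads/.htaccess missing"
}

# Constructed tree with the world-writable mess a compromised site often has.
make_loose_tree() {
  site="$1"
  mkdir -p "$site/wp-content/uploads/2024" "$site/wp-content/themes/demo"
  printf '<?php // index\n' > "$site/index.php"
  printf "<?php define('DB_PASSWORD', 'secret');\n" > "$site/wp-config.php"
  printf 'jpeg-bytes\n' > "$site/wp-content/uploads/2024/photo.jpg"
  printf '<?php // theme\n' > "$site/wp-content/themes/demo/functions.php"
  chmod 777 "$site/wp-content/uploads" "$site/wp-content/uploads/2024"
  chmod 666 "$site/wp-content/uploads/2024/photo.jpg" "$site/wp-config.php"
}

if [ -n "${1:-}" ]; then
  harden_site "$1" && check_site "$1"
else
  demo=$(mktemp -d)
  make_loose_tree "$demo"
  echo "before:"; check_site "$demo"
  harden_site "$demo"
  echo "after:"; check_site "$demo"
  rm -rf "$demo"
fi
```

check_site prints nothing once the scheme holds, which makes it usable as a periodic cron check as well as a one-off verification. The dashboard editor item from the list is a one-line change in wp-config.php, define('DISALLOW_FILE_EDIT', true), and belongs with this hardening pass.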
Step 9: Request Google Review
If Google has flagged your site (a “This site may be hacked” label in search results, or a red Safe Browsing warning in the browser), request a review once the site is actually clean. In Google Search Console, open the Security Issues report and choose Request Review, describing what you found and what you fixed. A review typically takes a few days; requesting one while malware is still present only gets it rejected, so finish Steps 6 to 8 first.
When to Call a Professional
If the infection is severe, you cannot find all the malware, or your site keeps getting re-infected, it is time to call a professional. We offer WordPress malware removal with a 24-hour turnaround and a 90-day clean guarantee.