How to Recover a Hacked WordPress Site Step by Step
The email always lands at the wrong time. "Your site is showing Viagra ads to Google." Or worse, the host has suspended the account because malware was detected. Panic is unhelpful. There's a clear process for this.
Here's how we work through it.
Step 1 — Take the site offline (sort of)
Don't just delete things in a panic. First, put the site into a maintenance state so visitors aren't being served whatever the attacker injected. A simple maintenance.html page at the root with an .htaccess rule will do.
Then take a full backup of the current, compromised state. Yes, the broken one. You need it for forensics and as a worst-case fallback.
Step 2 — Change everything
Before you start cleaning, rotate every credential the attacker could have touched:
- WordPress admin password (and any other user accounts)
- Database password (update wp-config.php)
- FTP/SFTP passwords
- cPanel / hosting account password
- Any API keys (Stripe, Mailchimp, etc.) used by plugins
Skip this step and you'll clean the site, only to watch it get re-infected within hours through the same back door.
Step 3 — Identify the type of compromise
Most WordPress hacks fall into one of a few buckets:
- SEO spam / pharma hack: hidden links and pages injected to manipulate search results.
- Defacement: the homepage shows the attacker's message. Loud but usually easy to fix.
- Malicious redirects: visitors get bounced to scam sites — especially from mobile or specific countries.
- Backdoors / web shells: the attacker dropped PHP files giving them ongoing access.
- Credit card skimmers: common on compromised WooCommerce sites — they exfiltrate card data at checkout.
Knowing the type tells you where to look first.
Step 4 — Scan for malicious files
Two free scanners that find most things:
- Wordfence Free — runs from inside WordPress, scans files against a known-good database.
- MalCare / Sucuri SiteCheck — external scanners that catch what Wordfence misses.
At the file level, look for:
- Files in wp-content/uploads with PHP extensions. Uploads should be images, never executable code.
- Files with names like wp-cache.php, license.php, style.php living in odd folders.
- Recent file modifications: find . -mtime -7 -type f in SSH shows everything changed in the last week.
- Heavy use of eval(), base64_decode(), or gzinflate() — common in obfuscated malware.
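The four file-level checks above as one read-only script. This is an added example, not code from the original article; the function names, the extra .phtml/.phar extensions and the assumption that the first argument is the WordPress root are ours.

```shell
#!/bin/sh
# Added example: read-only file triage for the Step 4 checks. It only prints leads.
# Assumption: $1 is the WordPress root (the directory that holds wp-config.php).

# 1. Executable PHP under uploads. The extension list beyond .php is an assumption.
php_in_uploads() {
    find "$1/wp-content/uploads" -type f \
        \( -iname '*.php' -o -iname '*.phtml' -o -iname '*.phar' \) 2>/dev/null
}

# 2. The file names the article mentions; whether the folder is "odd" is your call.
decoy_names() {
    find "$1" -type f \
        \( -name 'wp-cache.php' -o -name 'license.php' -o -name 'style.php' \) 2>/dev/null
}

# 3. Files changed in the last N days (default 7, matching find . -mtime -7 -type f).
recently_modified() {
    find "$1" -type f -mtime "-${2:-7}" 2>/dev/null
}

# 4. Count eval( / base64_decode( / gzinflate( calls per PHP file, highest first.
#    Splitting on "(" leaves each called name at the end of a line, so nested
#    calls such as eval(base64_decode(...)) are all counted and doubleval( is not.
obfuscation_hits() {
    find "$1" -type f -iname '*.php' 2>/dev/null | while IFS= read -r f; do
        n=$(tr '(' '\n' < "$f" |
            grep -ciE '(^|[^[:alnum:]_])(eval|base64_decode|gzinflate)[[:space:]]*$' || true)
        if [ "$n" -gt 0 ]; then printf '%s\t%s\n' "$n" "$f"; fi
    done | sort -rn
}

wp_triage() {
    echo "== PHP in uploads ==";                    php_in_uploads "$1"
    echo "== Names worth a second look ==";         decoy_names "$1"
    echo "== Modified in last ${2:-7} days ==";     recently_modified "$1" "${2:-7}"
    echo "== Obfuscation markers (count, file) =="; obfuscation_hits "$1"
}

# Run only when a path is given, e.g.: sh triage.sh /var/www/html 7
if [ "$#" -gt 0 ]; then wp_triage "$@"; fi
```

Treat the output as leads rather than verdicts: WordPress core and legitimate plugins also call base64_decode(), so compare any flagged file against a fresh copy before deleting it.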
Step 5 — Restore from a clean backup (if possible)
If you have a backup from before the compromise, restoring it is faster than cleaning. The catch: you need to be certain that backup is clean. Some attackers sit dormant for weeks before triggering. Scan the backup before restoring.
Step 6 — Replace WordPress core, themes and plugins
If you don't have a clean backup, the safe path is to wipe and reinstall:
- Replace WordPress core files with a fresh download from wordpress.org.
- Reinstall every plugin and theme from the official repository — don't trust the ones on the server.
- Leave the wp-content/uploads folder alone (after scanning), since it holds your real images.
- Leave the database, but scan posts for injected scripts.
Step 7 — Check the database
Malware often hides in:
- The wp_options table — look for unusual entries with autoload set.
- The wp_users table — check for admin users you didn't create.
- Post content — search for <script, <iframe, or unfamiliar URLs.
Step 8 — Get unflagged
If Google has marked your site as deceptive, request a review through Google Search Console after you've confirmed it's clean. Same for any antivirus blocklists. This can take 24–72 hours.
Step 9 — Harden so it doesn't happen again
Read our WordPress hardening guide. The short version: unique passwords, 2FA, automatic updates, a firewall and tested backups.
The longest part of cleaning a hacked site isn't fixing it — it's making sure you found every backdoor. One missed file and you're back where you started in a week.
If this feels like too much, our team does malware cleanup for clients on a per-site basis. We've handled everything from $5-hosting hobby blogs to WooCommerce stores doing thousands of orders a day. Get in touch through chat or support if you need help.