Discovering your WordPress site has been hacked is every website owner’s nightmare. One minute, your site is running smoothly, displaying your content to the world. The next, you’re staring at a “deceptive site ahead” warning, or worse, a defaced homepage that looks completely unrecognizable. The panic is instant, but you are not alone in this situation.
The threat is real and growing. According to recent Sucuri research, WordPress sites account for over 90% of all hacked CMS platforms, with an average of 13,000 WordPress sites getting hacked every single day. Even more alarming is that Google blacklists approximately 10,000 websites daily for malware. Perhaps the scariest statistic is that 50% of hacked site owners don’t even know their WordPress site has been compromised until it’s too late.
But here’s the good news – recovering your hacked WordPress website isn’t impossible. With the right approach and systematic steps, you can clean up your site, restore your data, remove malware, and implement bulletproof security measures to prevent being hacked again. Whether you’re locked out of your WordPress admin, facing a “deceptive site ahead” warning, or dealing with infected WordPress files, this comprehensive guide will walk you through exactly how to fix a hacked WordPress site and secure your site for the future.
In this tutorial, you’ll learn the 10 essential steps to recover your site, protect your website from future attacks, and get your site back online safely. Let’s dive in and take back control of your WordPress website.
How to Know If Your WordPress Site Has Been Hacked (Warning Signs)
Before diving into the fix, you need to confirm the diagnosis. Hackers don’t always leave a calling card on the homepage. Sometimes, they prefer to remain hidden to use your server resources or steal data quietly.
Common Signs Your WordPress Site Has Been Hacked
If you notice any of the following anomalies, it is highly likely your security has been breached:
- Unexpected redirects to suspicious websites: If visiting your URL sends you to a gambling, pharmaceutical, or adult site, you have a redirect infection.
- “Deceptive site ahead” browser warnings: Google and browsers like Chrome display a bright red warning screen to protect users when they detect malicious code on your site.
- Can’t access your site or WordPress admin dashboard: If your password no longer works, or the login page itself is broken, hackers may have deleted your account or changed your credentials.
- Unfamiliar admin accounts in your user list: Seeing users like “admin123” or “system_user” that you didn’t create is a clear sign of a backdoor entry.
- Slow site performance and unusual traffic spikes: Hackers often use infected sites for DDoS attacks or spam email relaying, which eats up your server resources.
- Spam content appearing on your WordPress site: Look for links injected into your footer, new pages you didn’t create, or ads for illegal products.
- Google Search Console security warnings: This is often the most reliable alert. Google will send a message if their crawlers detect hacked content.
Tools to Scan Your Site for Malware
If you suspect a hack but aren’t sure, don’t guess. Use tools to confirm the infection:
- Using online malware scanners: Tools like SiteCheck by Sucuri allow you to enter your URL and scan for visible malware.
- WordPress security plugins for detection: Plugins like Wordfence or MalCare can scan your internal files, which external scanners can’t see.
- Server-level scanning tools: Many hosting providers offer built-in virus scanners in cPanel.
- Google Search Console alerts: Check the “Security Issues” tab in your dashboard for specific flags from Google.

Step 1 – Stay Calm and Take Your Site Offline (Immediate Response)
Panic leads to mistakes. Take a deep breath. The first technical step is to stop the bleeding by isolating your site.
Why You Should Take Your Site Offline Temporarily
Taking your site offline serves several critical purposes. First, it prevents further damage to your WordPress installation. If the hacker is still active, this cuts off their public access. Second, it protects your visitors from malware; you do not want your customers getting infected just by visiting your homepage. Finally, it helps preserve evidence for investigation and stops the hacker from overwriting your recovery efforts.
How to Put Your Site in Maintenance Mode
You can achieve this in a few ways:
- Using maintenance mode plugins: If you still have admin access, install a “Coming Soon” or “Maintenance Mode” plugin immediately.
- Via hosting control panel: Many managed WordPress hosts have a “Maintenance Mode” toggle in their dashboard.
- Through the .htaccess file: For advanced users, you can restrict access to everyone except your own IP address by editing the .htaccess file on your server.
- Notifying site owners and stakeholders: If you manage this site for a client, let them know immediately that the site is undergoing emergency maintenance.
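As an added example (not code from the original article), the following shell script produces and installs the .htaccess rule described above: every client except one allow-listed IPv4 address receives a 503, which also tells search engines the outage is temporary rather than a site change. It assumes Apache 2.4 with mod_rewrite enabled and AllowOverride permitting rewrite directives in .htaccess, and it keeps a dated copy of the existing file before touching it, which you will want later when checking that file for injected rules. Function and file names are my own.

```shell
#!/usr/bin/env bash
# Added example, not code from the original article. Emits an Apache 2.4
# .htaccess fragment that answers 503 to every client except one allow-listed
# IPv4 address. Assumes mod_rewrite is enabled and AllowOverride permits
# FileInfo directives in .htaccess (true on most shared hosts).

# Print the maintenance fragment for one IPv4 address to stdout.
maintenance_htaccess() {
  ip="$1"
  # Refuse a malformed address: a typo here would lock the operator out as well.
  if ! printf '%s' "$ip" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}$'; then
    echo "maintenance_htaccess: '$ip' is not an IPv4 address" >&2
    return 1
  fi
  # Escape the dots so the address is matched literally by the regex.
  esc=$(printf '%s' "$ip" | sed 's/\./\\./g')
  cat <<EOF
# BEGIN maintenance (added during incident response)
ErrorDocument 503 "Site temporarily down for maintenance"
<IfModule mod_rewrite.c>
  RewriteEngine On
  RewriteCond %{REMOTE_ADDR} !^${esc}\$
  RewriteRule ^ - [R=503,L]
</IfModule>
# END maintenance
EOF
}

# Prepend the fragment to DOCROOT/.htaccess, keeping a timestamped copy of the
# original first so it can be restored (and examined for injected rules later).
install_maintenance() {
  docroot="$1"; ip="$2"
  ht="$docroot/.htaccess"
  frag=$(maintenance_htaccess "$ip") || return 1
  if [ -f "$ht" ]; then
    cp -p "$ht" "$ht.pre-maintenance.$(date +%Y%m%d%H%M%S)"
  fi
  {
    printf '%s\n' "$frag"
    if [ -f "$ht" ]; then cat "$ht"; fi
  } > "$ht.tmp" && mv "$ht.tmp" "$ht"
}

# Usage (constructed values): install_maintenance /var/www/html 203.0.113.10
```

Remove the fragment (or restore the .pre-maintenance copy) only after the cleanup and the post-restore scan in the later steps are done; while it is in place, your own address is the only one that can reach wp-admin to do the work.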
Step 2 – Reset All Passwords and Secure Access Points
Assume every door to your website is unlocked. You need to change the locks immediately.
Critical Passwords to Change Immediately
Do not just change your personal login. You must reset:
- WordPress admin password for all accounts: Every user with administrator privileges needs a reset.
- WordPress database credentials: This is found in your wp-config.php file and your hosting panel.
- FTP/SFTP passwords: Hackers often steal these to upload files directly to your server.
- Hosting control panel access: Secure your cPanel or hosting dashboard.
- Email accounts associated with your site: If a hacker has access to your email, they can simply request a password reset again.
Remove Suspicious User Accounts
Log into your database or WordPress dashboard and audit the “Users” list. Look for any accounts you don’t recognize. Hackers often create “ghost” admin accounts to regain access later. Delete these rogue administrator profiles immediately. Once the list is clean, implement two-factor authentication (2FA) to ensure that even if a password is stolen, the account remains secure.
Step 3 – Create a Complete Backup (Even If Infected)
This sounds counter-intuitive. Why backup a broken site? Because the cleanup process involves deleting files. If you accidentally delete a critical system file or vital content, you need a way to go back.
Why Backup Your Hacked WordPress Site
An infected backup serves as a “crime scene” snapshot. It preserves data for forensic analysis if you need to hire a pro later. It creates a restoration point if your cleanup attempts break the site further. Most importantly, it protects your essential content (posts, pages, media) and databases, which can be cleaned and migrated to a fresh installation if necessary.
How to Back Up an Infected WordPress Site Safely
- Using WordPress backup plugin options: If you can access the dashboard, run a full backup using a plugin like UpdraftPlus.
- Manual backup via cPanel/hosting panel: Use the “Backup Wizard” or File Manager to zip your public_html folder.
- Downloading WordPress files via FTP: Connect via FileZilla and download your entire site directory to a local folder labelled “HACKED_SITE”.
- Exporting the WordPress database: Go to phpMyAdmin and export your database as a .sql file.
- Storing backups securely offline: Do not leave this backup on the server. Store it on your local computer or an external hard drive.
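The manual backup route above, as an added example that is not code from the original article: a shell script that reads the database credentials from the site's own wp-config.php, dumps the database with mysqldump, archives the document root exactly as found, and writes checksums next to both so the evidence copy can be shown to be unaltered later. It assumes shell access on the server (or a full copy pulled down via SFTP) with mysqldump, tar and sha256sum available; the paths in the usage line are constructed.

```shell
#!/usr/bin/env bash
# Added example, not code from the original article. Takes an evidence backup
# of a (possibly infected) WordPress install: a database dump plus a tarball
# of the files, written to a local HACKED_SITE folder with checksums.
# Assumes shell access where mysqldump and tar are available; the database
# credentials are read from the site's own wp-config.php.

# Read one define('NAME', 'value') constant from wp-config.php.
# Accepts single or double quotes and optional whitespace inside the parentheses.
wp_config_get() {
  config="$1"; name="$2"
  sed -nE "s/^[[:space:]]*define\([[:space:]]*['\"]${name}['\"][[:space:]]*,[[:space:]]*['\"]([^'\"]*)['\"].*/\1/p" "$config" | head -n 1
}

# Dump the whole database with mysqldump, using the credentials in wp-config.php.
# --single-transaction gives a consistent snapshot without locking the tables.
dump_database() {
  config="$1"; out="$2"
  db=$(wp_config_get "$config" DB_NAME)
  user=$(wp_config_get "$config" DB_USER)
  pass=$(wp_config_get "$config" DB_PASSWORD)
  host=$(wp_config_get "$config" DB_HOST)
  # DB_HOST may carry a port suffix such as localhost:3306; split it off.
  MYSQL_PWD="$pass" mysqldump --single-transaction -h "${host%%:*}" -u "$user" "$db" \
    | gzip > "$out/database.sql.gz"
}

# Archive the document root exactly as found (infected files included: they are
# evidence for analysis, not something to restore from).
archive_files() {
  docroot="$1"; out="$2"
  mkdir -p "$out"
  tar -czf "$out/files.tar.gz" -C "$(dirname "$docroot")" "$(basename "$docroot")"
}

# Full evidence backup into DEST/<timestamp>; prints the folder it created.
# Copy that folder off the server afterwards, as the article advises.
backup_site() {
  docroot="$1"; dest="${2:-$HOME/HACKED_SITE}"
  out="$dest/$(date +%Y%m%d-%H%M%S)"
  mkdir -p "$out"
  dump_database "$docroot/wp-config.php" "$out"
  archive_files "$docroot" "$out"
  # Checksums let you prove later that the evidence copy was not altered.
  (cd "$out" && sha256sum database.sql.gz files.tar.gz > SHA256SUMS)
  printf '%s\n' "$out"
}

# Usage (constructed path): backup_site /var/www/html ~/HACKED_SITE
```

Because the tarball deliberately contains the infected files, keep it out of any folder the web server serves and out of the backups your normal restore process draws from; its job is forensics and rollback of a cleanup that went wrong, not a clean restore point.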

Step 4 – Identify the Security Vulnerability and Entry Point
To prevent this from happening again, you need to know how they got in.
Common Ways Hackers Get Access to Your Site
In most cases, hackers aren’t “cracking code” like in the movies; they are walking through open doors. The most common entry points include:
- Outdated WordPress core, themes, and plugins: Software vulnerabilities are the #1 cause of infections.
- Weak passwords: “Password123” is an invitation for intruders.
- Vulnerable WordPress plugins from untrusted sources: Nulled (pirated) premium plugins often contain pre-loaded malware.
- Compromised hosting environment: If your host isn’t secure, your site isn’t secure.
- Malware injections through file upload forms: Unsecured forms allow hackers to upload executable scripts.
Investigating How Your WordPress Site Was Hacked
Start by checking the modification dates of your WordPress files. If a core system file was modified yesterday, but you haven’t updated the site in months, that’s a red flag. Review server access logs to spot IP addresses accessing admin pages at odd hours. Identify suspicious WordPress plugins you didn’t install. Finally, use a WordPress security plugin to verify the integrity of the core WordPress files – it compares your files against the official WordPress repository to detect changes.
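The three log-and-file checks above, as an added example that is not code from the original article: recently modified files, login and admin activity pulled out of the web server access log, and plugin folders that carry no WordPress plugin header (every plugin installed through WordPress has one). It assumes shell access to the document root and an access log in the common Apache/Nginx "combined" format. For the integrity comparison against the official release, the tool I would reach for is WP-CLI's `wp core verify-checksums` (and `wp plugin verify-checksums --all` for plugins); both need network access, so they are only mentioned in a comment. Function names and the sample log in the usage lines are my own.

```shell
#!/usr/bin/env bash
# Added example, not code from the original article. Three quick checks for
# the investigation step: recently modified files, login/admin activity in the
# web server access log, and plugin folders that lack a WordPress plugin header.
# Assumes shell access to the document root and an access log in the common
# Apache/Nginx "combined" format. For the integrity comparison against the
# official release, use WP-CLI: `wp core verify-checksums` and
# `wp plugin verify-checksums --all` (both need network access, so not shown here).

# List files changed in the last N days, sorted by path for easy diffing.
# Page-cache folders churn constantly and are skipped.
recently_modified() {
  docroot="$1"; days="${2:-7}"
  find "$docroot" -type f -mtime "-$days" ! -path '*/wp-content/cache/*' | sort
}

# Count POST requests to the login endpoints per source IP, most active first.
# One address with hundreds of POSTs is a password-guessing run; one address
# with a handful of POSTs followed by wp-admin GETs is a login that succeeded.
login_posts_by_ip() {
  awk '$6 == "\"POST" && ($7 ~ /^\/wp-login\.php/ || $7 ~ /^\/xmlrpc\.php/) { n[$1]++ }
       END { for (ip in n) print n[ip], ip }' "$1" | sort -rn
}

# Count admin-area requests per hour of day (server time zone).
# Compare against the hours when the legitimate admins actually work.
admin_hits_by_hour() {
  awk '$7 ~ /^\/(wp-admin\/|wp-login\.php|xmlrpc\.php)/ { h[substr($4, 14, 2)]++ }
       END { for (k in h) print k, h[k] }' "$1" | sort
}

# Every real plugin ships a file with a "Plugin Name:" header; a folder under
# wp-content/plugins without one was not installed through WordPress.
plugins_without_header() {
  for d in "$1"/wp-content/plugins/*/; do
    [ -d "$d" ] || continue
    if ! grep -rq 'Plugin Name:' "$d"; then basename "$d"; fi
  done
}

# Usage (constructed paths):
#   recently_modified /var/www/html 7
#   login_posts_by_ip /var/log/apache2/access.log | head
#   admin_hits_by_hour /var/log/apache2/access.log
#   plugins_without_header /var/www/html
```

Read the results together rather than one at a time: the address that tops `login_posts_by_ip`, the hour cluster it falls into, and the first file in `recently_modified` after that hour usually line up and give you the entry point and the time of compromise, which is exactly what you need when deciding which backup in Step 7 is old enough to trust.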
Step 5 – Scan and Remove Malware From Your WordPress Site
Now it is time to scrub the infection.
Best WordPress Security Plugins for Malware Removal
Automated tools are your best friend here. Top-tier plugins include Wordfence Security, Sucuri Security, MalCare, iThemes Security, and All-In-One WP Security. These tools have massive databases of known malware signatures and can identify malicious code that looks innocent to the human eye.
Manual Malware Removal Process
If you are technical, you can perform a manual cleanup. This involves scanning your site thoroughly and identifying infected WordPress files. You will need to check the wp-content/uploads folder for PHP files (which shouldn’t be there). You must also clean malicious code from the WordPress database, which often hides in the wp_options or wp_posts tables. Be sure to remove backdoors and hidden admin accounts, and verify the integrity of the core WordPress files by comparing checksums.
Clean Up Your Site Systematically
- Checking .htaccess and wp-config.php files: These are high-value targets. Ensure no strange redirects or code snippets have been added.
- Inspecting WordPress theme files: Check header.php and footer.php specifically, as these are common spots for spam links.
- Reviewing all WordPress plugin code: Look for folders that don’t belong.
- Cleaning the WordPress uploads directory: Hackers love hiding scripts here because it is a writeable directory.
- Removing malicious database entries: Use a plugin to search for common malicious strings like eval or base64_decode.
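The cleanup checklist above as shell functions, added here as an example and not code from the original article: PHP dropped into the uploads directory (by extension, and by content behind an innocent extension), obfuscation functions in wp-content code, injected directives in .htaccess, .user.ini, php.ini and wp-config.php, and a SQL query over the two tables the article names. It assumes shell access to the document root and prints candidates for a person to review rather than deleting anything; the usage paths and table prefix are constructed.

```shell
#!/usr/bin/env bash
# Added example, not code from the original article. Shell checks for the
# manual cleanup list: PHP dropped into the uploads directory, obfuscation
# functions in wp-content code, injected directives in .htaccess / .user.ini /
# wp-config.php, and a SQL query for the database tables the article names.
# Assumes shell access to the document root; everything prints candidates for
# a human to review. base64_decode() and friends also appear in legitimate
# code, so compare any hit against a fresh copy of that plugin or theme
# before deleting anything.

# Files under wp-content/uploads that are PHP by extension, or that contain a
# PHP open tag behind an innocent-looking extension (.ico, .jpg, ...).
php_in_uploads() {
  up="$1/wp-content/uploads"
  [ -d "$up" ] || return 0
  {
    find "$up" -type f \( -iname '*.php' -o -iname '*.phtml' -o -iname '*.phar' -o -iname '*.php[0-9]' \) || true
    find "$up" -type f -exec grep -lF '<?php' {} + || true
  } | sort -u
}

# PHP files anywhere in wp-content calling the usual obfuscation functions.
suspicious_php() {
  grep -rlE --include='*.php' \
    'eval\(|base64_decode\(|gzinflate\(|str_rot13\(|create_function\(' \
    "$1/wp-content" 2>/dev/null | sort || true
}

# Config files attackers edit: auto_prepend_file silently includes a script on
# every request; an absolute-URL RewriteRule is the classic redirect infection.
# A rewrite to your own https:// address is legitimate, so read before removing.
config_injections() {
  for f in "$1/.htaccess" "$1/.user.ini" "$1/php.ini" "$1/wp-config.php"; do
    [ -f "$f" ] || continue
    grep -nE 'auto_prepend_file|auto_append_file|RewriteRule[^#]*https?://' "$f" \
      | sed "s|^|$f:|" || true
  done
}

# SQL to find injected markup in wp_options and wp_posts (table prefix as arg).
# Pipe it into `wp db query` or paste it into phpMyAdmin.
db_scan_sql() {
  p="${1:-wp_}"
  cat <<EOF
SELECT option_id, option_name FROM ${p}options
 WHERE option_value LIKE '%<script%' OR option_value LIKE '%base64_decode%' OR option_value LIKE '%eval(%';
SELECT ID, post_title FROM ${p}posts
 WHERE post_content LIKE '%<script%' OR post_content LIKE '%<iframe%';
EOF
}

# Usage (constructed paths):
#   php_in_uploads /var/www/html; suspicious_php /var/www/html
#   config_injections /var/www/html; db_scan_sql wp_ | wp db query
```

Anything `php_in_uploads` lists is safe to treat as hostile: WordPress never writes PHP into uploads. The other three functions produce leads, and the way to close each lead is the checksum comparison the article describes, diffing the flagged file against the same file from a freshly downloaded copy of that theme or plugin.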
Step 6 – Reinstall WordPress Core and Update Everything
Sometimes, the infection is too deep in the system files. The safest bet is to replace the engine entirely.
How to Reinstall WordPress Without Losing Data
You can reinstall a fresh version of WordPress without losing your content. Using the WordPress dashboard, go to Updates and click “Re-install Now.” For a cleaner wipe, perform a manual reinstall via FTP. Delete wp-admin and wp-includes folders, then upload fresh copies from a new WordPress download. Crucially, preserve your wp-content directory (where your images and themes live) and your wp-config.php file.
Update All Components to Latest Versions
Once the core is fresh, update everything else. Update WordPress to the absolute latest version. Update all WordPress plugins and your themes. Check the WordPress repository to ensure the plugins you are using haven’t been removed due to security issues. If you find old WordPress versions or unused plugins, delete them immediately.
Step 7 – Restore Your Site From Clean Backup (If Available)
If you were diligent with backups before the hack, your life just got much easier.
When to Restore Your Site vs. Manual Cleanup
If you have a backup from three days ago, and the hack happened yesterday, restoring is faster and safer than cleaning. However, you must ensure the backup predates the hack. If your site was infected weeks ago but only showed symptoms today, your backups might also be infected.
Steps to Recover Your WordPress Site From Backup
Identify a clean, pre-hack backup. Delete the current infected files on your server. Restore WordPress files from your backup and import the clean WordPress database. Once restored, test the site functionality immediately. Verify the site is clean post-restoration by running a security scan instantly.
Step 8 – Implement Comprehensive WordPress Security Measures
You’ve kicked them out. Now, lock the door and bolt it shut.
Essential WordPress Security Plugins to Install
Install a Web Application Firewall (WAF) immediately. Plugins like Wordfence or Sucuri act as a shield, blocking malicious traffic before it reaches your server. Set up malware scanning and monitoring, login security to limit brute force attacks, file integrity monitoring to alert you of file changes, and security audit logging to track user activity.
Harden Your WordPress Installation
Take these extra steps to harden your defense:
- Securing wp-config.php file: Move it one directory up from public access if possible.
- Protecting your WordPress admin directory: Password protect the /wp-admin/ folder via cPanel.
- Disabling file editing: Add define('DISALLOW_FILE_EDIT', true); to your wp-config.php file to stop hackers from editing themes/plugins from the dashboard.
- Limiting login attempts: Prevent bots from guessing your password.
- Changing WordPress database prefix: Change the default wp_ to something unique.
- Hiding WordPress version information: Don’t broadcast which version you are running.
Server-Level Security Best Practices
Ensure you have SSL/HTTPS certificates enabled. Configure proper file permissions (755 for folders, 644 for files). Consider moving to managed WordPress hosting, which often includes server-level firewalls and regular security audits handled by experts.
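Two of the hardening items above scripted, as an added example that is not code from the original article: the wp-config.php constants (DISALLOW_FILE_EDIT from the list, plus FORCE_SSL_ADMIN to go with the HTTPS requirement) set idempotently before the "That's all, stop editing!" marker, and the 755/644 permission reset. It assumes shell access to the document root; the function names are mine, and the stricter 600 mode on wp-config.php is my addition on top of the article's 644, with the condition under which it works stated in the comment.

```shell
#!/usr/bin/env bash
# Added example, not code from the original article. Applies two of the
# hardening items with a script: idempotently set constants in wp-config.php
# (DISALLOW_FILE_EDIT, plus FORCE_SSL_ADMIN to go with the HTTPS requirement)
# and reset file permissions to 755/644. Assumes shell access to the
# document root. Function names are mine.

# Insert or replace one define('NAME', value); line in wp-config.php, placed
# before the "That's all, stop editing!" marker so WordPress actually reads it.
add_wp_constant() {
  config="$1"; name="$2"; value="$3"
  line="define( '$name', $value );"
  awk -v name="$name" -v line="$line" '
    # An existing definition (any quoting style) is replaced in place.
    $0 ~ ("^[[:space:]]*define\\([[:space:]]*[\"\047]" name "[\"\047]") { print line; done = 1; next }
    # Otherwise insert just before the marker, or before wp-settings.php is loaded.
    (/That.s all, stop editing/ || /wp-settings\.php/) && !done { print line; done = 1 }
    { print }
    # Only reached when the file has neither marker; check the result by hand.
    END { if (!done) print line }
  ' "$config" > "$config.tmp" && mv "$config.tmp" "$config"
}

harden_wp_config() {
  add_wp_constant "$1" DISALLOW_FILE_EDIT true   # no theme/plugin editor in the dashboard
  add_wp_constant "$1" FORCE_SSL_ADMIN true      # admin and login only over HTTPS
}

# Directories 755, files 644 (the article's recommendation), then wp-config.php
# to 600: it holds the database password, and 600 works wherever PHP runs as the
# file owner (cPanel/suPHP-style hosts). If the site errors afterwards, use 644.
fix_permissions() {
  docroot="$1"
  find "$docroot" -type d -exec chmod 755 {} +
  find "$docroot" -type f -exec chmod 644 {} +
  if [ -f "$docroot/wp-config.php" ]; then chmod 600 "$docroot/wp-config.php"; fi
}

# Octal mode of a path: GNU stat first, BSD/macOS stat as fallback.
mode_of() { stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1"; }

# Usage (constructed path):
#   harden_wp_config /var/www/html/wp-config.php; fix_permissions /var/www/html
```

Run `fix_permissions` after every cleanup and after any plugin install, since installers and FTP clients routinely leave 777 directories behind; a writable directory the web server can also execute from is the same condition that let PHP land in uploads in the first place.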
Step 9 – Submit for Security Review and Remove Warnings
Your site is clean, but Google might still be blocking it.
Request Removal from Google Blacklist
Log into Google Search Console. Navigate to the “Security & Manual Actions” section. If you have fixed the issues, click “Request Review.” Describe the steps you took (removed malware, updated plugins, changed passwords). This process can take a few days, but it will remove the “deceptive site ahead” warning.
Checking Other Security Blacklists
Google isn’t the only sheriff in town. Check your URL against Norton Safe Web, McAfee SiteAdvisor, Yandex Safe Browsing, and Microsoft SmartScreen to ensure you are cleared across the web.
Step 10 – Monitor and Maintain Your WordPress Site Security
Security is a process, not a one-time fix.
Ongoing WordPress Security Maintenance
Set a schedule. Perform regular WordPress core, plugin, and theme updates. Schedule automated malware scans to run daily. Monitor WordPress admin account activity and review security logs weekly. Ensure you have automated backup schedules running to an off-site location (like Dropbox or Google Drive).
Prevent Your WordPress Site From Getting Hacked Again
The best defense is a good offense. Use strong, unique passwords for every admin account. Enable two-factor authentication – this blocks almost all brute-force attacks. Limit user permissions; not everyone needs to be an Administrator. Keep your plugin count low and only use reputable WordPress plugins from the official repository. Finally, educate all site owners on security best practices.
What to Do If You Can’t Access Your Site or Fix It Yourself
Sometimes, the infection is too complex, or the technical requirements are too high.
When to Hire Professional Hacked Site Repair Services
If you face complex infections that return after cleanup, you need a pro. Other reasons include repeated hacking attempts, loss of critical business data, or simply a lack of technical expertise. If your site generates revenue, the cost of downtime often outweighs the cost of a professional service.
Choosing the Best WordPress Security Service Provider
Look for professionals with verified reviews and specialized experience in WordPress. Ask about their “post-hack” support – do they just clean it, or do they secure it? Ask about expected timelines for hacked site repair and ensure clarity on cost considerations.

How to Protect Your WordPress Site Long-Term (Prevention Strategy)
WordPress Security Checklist for Site Owners
- Regular updating schedule.
- Quality hosting environment (managed WordPress recommended).
- Strong authentication policies (2FA).
- Regular backups with a reliable WordPress backup plugin.
- Security monitoring and alerts.
- Minimal plugin usage from trusted sources.
Best WordPress Security Practices for 2026
As threats evolve, so must your strategy. Adopt a zero-trust security model – verify every user, every time. Implement a Content Security Policy (CSP) to prevent cross-site scripting. Use WordPress security plugins effectively, conduct regular penetration testing, and provide security training for all users with WordPress admin access.
Get Professional WordPress Security Protection
Don’t Let Hackers Win – Secure Your WordPress Website Today
Has your WordPress site been hacked? Can’t access your site or struggling to clean up the infection yourself? Get Shielded Agency specializes in comprehensive WordPress security services, from emergency hacked site repair to proactive protection strategies. We help you reclaim your digital property and keep it safe.
How do I know if my WordPress site has been hacked?
Common signs include unexpected redirects, “deceptive site ahead” warnings, inability to access your site, unknown admin accounts, slow performance, spam content appearing on pages, and Google Search Console security warnings. Use security plugins to scan your site for hidden malware.
What should I do immediately when I discover my WordPress site is hacked?
Stay calm. Take your site offline immediately to prevent further damage and protect visitors. Reset all passwords (WordPress admin, database, FTP, hosting), backup your site (even if it is infected) for evidence, and begin scanning to identify the entry point.
Can I fix a hacked WordPress site myself, or do I need professional help?
Simple hacks can often be fixed using security plugins and following systematic cleanup steps like the ones in this guide. However, complex infections, repeated attacks, or critical business sites may require professional hacked site repair services for thorough malware removal and security hardening.
How do hackers get access to WordPress sites?
Common entry points include outdated WordPress core/plugins/themes, weak passwords, vulnerable plugins downloaded from untrusted sources (nulled plugins), compromised hosting environments, and brute force attacks on WordPress admin login pages.
Will reinstalling WordPress remove all malware and fix my hacked website?
Reinstalling core WordPress files helps ensure system integrity, but it doesn’t guarantee complete malware removal. Hackers often infect specific plugins, themes, the uploads directory, and the WordPress database. A comprehensive cleanup of all components is necessary.
How do I remove my website from Google’s blacklist after being hacked?
First, clean up your site completely and scan it to ensure it is malware-free. Then, submit a reconsideration request through Google Search Console. You will need to provide evidence of the cleanup and security improvements to remove warnings faster.
What are the best WordPress security plugins to protect my website?
Top WordPress security plugins include Wordfence, Sucuri Security, iThemes Security, MalCare, and All-In-One WP Security. Look for plugins that offer firewall protection (WAF), malware scanning, login security, and file integrity monitoring.
How often should I backup my WordPress site to prevent data loss?
For active WordPress sites, daily automated backups are recommended. Less active sites can use weekly backups. Always use reliable WordPress backup plugins and store backups offsite (cloud storage or local drive) to ensure you can restore your site after any incident.
Can outdated WordPress plugins really cause my site to get hacked?
Yes, outdated WordPress plugins are among the top causes of WordPress sites getting hacked. Hackers actively exploit known vulnerabilities in old software versions. Always update plugins immediately and remove unused plugins to secure your site.
How can I prevent my WordPress site from being hacked again in the future?
Implement strong passwords, enable two-factor authentication (2FA), keep WordPress core and plugins updated, use reputable WordPress security plugins, maintain regular backups, choose quality managed WordPress hosting, limit admin accounts, and conduct security audits regularly.