Your Website’s Been Hacked. Now What?

Waking up to discover that your website has been hacked can feel like a nightmare. One moment everything’s running smoothly, and the next, your homepage is defaced, traffic is dropping, or you’re locked out entirely.

But don’t panic. Whether you’re a business owner, blogger, or developer, there are clear, actionable steps you can take to fix a hacked WordPress website. In this guide, we’ll walk you through how to identify the hack, clean your site, restore it, and most importantly, secure it against future attacks.

Need immediate help? Let WebCraz handle the cleanup while you focus on running your business.

Step 1: Signs Your Website Has Been Hacked

Before anything, let’s confirm whether your site is truly hacked. Here are the most common red flags:

  • Homepage defaced or altered
  • Sudden drop in traffic (SEO issues)
  • Unknown admin users in your dashboard
  • Spammy popups or redirects
  • Google warning: “This site may be hacked”
  • Hosting provider has suspended your account

If any of these sound familiar, proceed immediately to the next step.

Some hacks are stealthy, targeting your SEO or inserting hidden backlinks into your site. Always run regular checks even if everything seems fine on the surface.

Step 2: Take Your Website Offline (If Necessary)

To prevent more damage, either:

  • Enable “Maintenance Mode” using a plugin
  • Ask your host to temporarily suspend public access

This protects your visitors from malware and gives you a safer space to clean things up.
Also, inform your team or users about the situation. Transparency builds trust.

Step 3: Back Everything Up

Yes, even a hacked site. Create a full backup (files + database) so you have a record of the site as it was before you change anything. Tools that can help include:

  • UpdraftPlus
  • All-in-One WP Migration
  • BlogVault

Store this backup off-site (not on your server).

It’s better to have a messy version saved than risk losing your entire site by accident.

Step 4: Scan for Malware and Identify the Problem

Use malware scanners like:

  • Sucuri SiteCheck
  • Wordfence (plugin)
  • MalCare

These tools help identify infected files, unusual login activity, or backdoor scripts hidden in your theme or plugins.

Also check Google Search Console, which might list infected URLs or injected spam.

Document what you find. Knowing the type of hack helps guide your cleanup.

Step 5: Clean Up the Hack (Step-by-Step)

Here’s where the real work begins:

1. Remove Malware-Infected Files

Delete or replace core WordPress files, themes, and plugins. Use fresh copies from WordPress.org when possible.

Compare files to the originals using tools like FileZilla or your host’s File Manager.
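
As an added example (not part of the original guide), the script below does this comparison by hash instead of by eye. It assumes you have unpacked a fresh copy of the same WordPress version next to a copy of the live site; the function names and the skip list are illustrative choices.

```python
import hashlib
import sys
from pathlib import Path

# Site-specific paths a fresh core download cannot vouch for (assumed skip list).
SKIP_PREFIXES = ("wp-content/",)
SKIP_FILES = {"wp-config.php", ".htaccess"}


def sha256_of(path: Path) -> str:
    h = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def manifest(root: Path) -> dict:
    """Map every file under root (path relative to root) to its SHA-256."""
    return {p.relative_to(root).as_posix(): sha256_of(p)
            for p in root.rglob("*") if p.is_file()}


def compare_to_clean(live_root, clean_root) -> dict:
    """Compare the live tree with the clean copy, ignoring site-specific paths."""
    live, clean = manifest(Path(live_root)), manifest(Path(clean_root))
    report = {"modified": [], "extra": [], "missing": []}
    for rel in sorted(live):
        if rel.startswith(SKIP_PREFIXES) or rel in SKIP_FILES:
            continue
        if rel not in clean:
            report["extra"].append(rel)      # file that no clean install ships
        elif live[rel] != clean[rel]:
            report["modified"].append(rel)   # core file altered in place
    report["missing"] = sorted(r for r in clean
                               if r not in live and not r.startswith(SKIP_PREFIXES))
    return report


# Usage: python compare_core.py /path/to/live-copy /path/to/fresh-wordpress
if __name__ == "__main__" and len(sys.argv) == 3:
    for kind, paths in compare_to_clean(sys.argv[1], sys.argv[2]).items():
        for rel in paths:
            print(f"{kind.upper():9}{rel}")
```

Themes, plugins and uploads under wp-content are skipped here and need their own comparison against fresh copies from their source.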

2. Reset All Passwords

That includes:

  • WordPress users
  • cPanel/FTP
  • Database
  • Hosting account

Use strong, unique passwords for each. Avoid reusing passwords across accounts.

3. Remove Unknown Users

Check the “Users” tab in your WordPress dashboard and delete any suspicious accounts—especially administrators.

Double-check with your team before deleting to avoid removing legitimate users.

4. Check .htaccess & wp-config.php

These are common targets. Look for base64 code or other obfuscated scripts.

You can copy clean versions from a fresh WordPress install if needed.

5. Clean the Database

Use phpMyAdmin or plugins like WP-DBManager to scan for suspicious content, especially in wp_options and wp_posts.

Look for hidden iframes, scripts, or base64-encoded text. Use the search feature to find suspicious keywords like “eval” or “base64_decode”.
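
The checks in items 4 and 5 can be run as one pass over both files and exported database rows. The scanner below is an added example, not part of the original guide; the pattern set, the 120-character base64 threshold and the sample rows are constructed for illustration, and every hit is a lead for manual review because legitimate code also uses these functions.

```python
import re
from pathlib import Path

# Indicators named in the guide, plus a long-base64-run heuristic (assumed threshold).
INDICATORS = {
    "eval(": re.compile(r"\beval\s*\(", re.I),
    "base64_decode(": re.compile(r"\bbase64_decode\s*\(", re.I),
    "hidden iframe": re.compile(
        r"""<iframe\b[^>]*(display\s*:\s*none|visibility\s*:\s*hidden"""
        r"""|(?:width|height)\s*=\s*["']?0\b)""", re.I),
    "script tag": re.compile(r"<script\b", re.I),
    "long base64 run": re.compile(r"[A-Za-z0-9+/]{120,}={0,2}"),
}


def scan_text(source, text):
    """Return (source, line_no, indicator) for every indicator found in text."""
    hits = []
    for no, line in enumerate(text.splitlines(), start=1):
        for name, rx in INDICATORS.items():
            if rx.search(line):
                hits.append((source, no, name))
    return hits


def scan_files(root, names=(".htaccess", "wp-config.php"), suffixes=(".php",)):
    """Scan .htaccess, wp-config.php and every .php file under root."""
    root, hits = Path(root), []
    for p in sorted(root.rglob("*")):
        if p.is_file() and (p.name in names or p.suffix in suffixes):
            hits += scan_text(p.relative_to(root).as_posix(),
                              p.read_text(errors="replace"))
    return hits


def scan_rows(table, rows):
    """rows: iterable of (row_id, text), e.g. an export of wp_options or wp_posts."""
    hits = []
    for row_id, text in rows:
        hits += scan_text(f"{table}#{row_id}", text or "")
    return hits


# Constructed sample rows: one clean post, one hidden iframe, one encoded eval.
SAMPLE_ROWS = [
    (1, "<p>Welcome to our shop.</p>"),
    (2, '<p>Sale!</p><iframe src="//example.invalid/x" style="display:none"></iframe>'),
    (3, "<?php eval(base64_decode('ZWNobyAxOw==')); ?>"),
]
```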

Step 6: Restore from a Clean Backup (If Available)

If you have a recent backup made before the hack, restoring it might be the fastest fix. Just make sure the backup is clean and not already infected.

If unsure, scan the backup files using a malware detection tool before restoring.

Don’t forget to update everything after restoring. Outdated software is often what caused the breach in the first place.

Step 7: Harden Your Website Security

Once your site is clean, take these precautions to prevent future attacks:

  • Install a security plugin (Wordfence, Sucuri, iThemes Security)
  • Set file permissions correctly (usually 644 for files, 755 for folders)
  • Disable file editing in wp-config.php
  • Limit login attempts
  • Enable two-factor authentication (2FA)

You should also consider:

  • Changing the default login URL
  • Hiding the WordPress version number
  • Disabling XML-RPC if not in use

These small tweaks add up to major protection.
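
To check two of the items above, file permissions and disabled file editing, here is an added example that is not part of the original guide. It treats 644 and 755 as upper bounds, so a stricter mode such as 600 on wp-config.php passes, and it looks for WordPress's DISALLOW_FILE_EDIT constant; the function names are illustrative.

```python
import re
import stat
from pathlib import Path

FILE_MAX, DIR_MAX = 0o644, 0o755   # the guide's baseline, used as an upper bound

DEFINE_RX = re.compile(
    r"""^\s*define\s*\(\s*['"]DISALLOW_FILE_EDIT['"]\s*,\s*true\s*\)\s*;""",
    re.I | re.M)


def audit_permissions(root):
    """Return (relative_path, octal_mode) for entries granting bits beyond the baseline."""
    root, findings = Path(root), []
    for p in root.rglob("*"):
        if p.is_symlink():
            continue                       # judge targets, not the links themselves
        mode = stat.S_IMODE(p.stat().st_mode)
        limit = DIR_MAX if p.is_dir() else FILE_MAX
        if mode & ~limit:                  # any extra write/execute bit set
            findings.append((p.relative_to(root).as_posix(), format(mode, "03o")))
    return sorted(findings)


def file_editing_disabled(wp_config_text):
    """True if wp-config.php contains an active define('DISALLOW_FILE_EDIT', true);"""
    # Drop /* ... */ blocks; the ^\s*define anchor already skips // and # comment lines.
    text = re.sub(r"/\*.*?\*/", "", wp_config_text, flags=re.S)
    return bool(DEFINE_RX.search(text))
```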

Step 8: Submit to Google for Review

If your site was blacklisted or flagged in search results, go to Google Search Console and request a malware review. This will remove the warning once your site is verified clean.

Be sure to:

  • Fix all security issues first
  • Submit all affected pages for re-indexing
  • Monitor Google Search Console for further alerts

It may take a few days for Google to review, so be patient.

When to Call in the Experts

Fixing a hacked site manually can be time-consuming and risky, especially if you’re not 100% confident in your technical skills.

Common situations when you should consider professional help:

  • Repeated reinfections
  • Business-critical website downtime
  • Custom theme or plugin complexity
  • No clean backups available

If you’re overwhelmed or need urgent help, our team at WebCraz offers professional hacked site repair. We clean, secure, and restore WordPress sites daily.

Prevention Tips: Don’t Let It Happen Again

  1. Keep WordPress, plugins, and themes updated
  2. Use only trusted plugins/themes
  3. Install a WAF (Web Application Firewall)
  4. Schedule regular malware scans
  5. Take daily or weekly backups
  6. Audit your user accounts monthly
  7. Monitor uptime and security using services like UptimeRobot or Jetpack

Create a routine checklist and assign someone on your team to carry out monthly security audits.

Remember: it’s not just about fixing, it’s about protecting long-term.

Conclusion: Stay Calm, Stay Proactive

Getting hacked is stressful, but it doesn’t have to be a disaster. By following the right steps and staying vigilant, you can repair your hacked site and strengthen your defenses.

Stay safe out there!
