Skip to content

How To Fix A Hacked WordPress Website Step By Step Guide

WordPress powers over 40% of the web, is a common target for hackers. Whether you’re managing a blog, e-commerce store, or corporate website, a hacked WordPress site can disrupt operations, damage your reputation, and, worst of all, lead to loss of sensitive user data. Recognizing the symptoms of a hack early on and knowing how to address it can save you time, money, and a lot of stress. This step-by-step guide will help you fix a hacked WordPress website

Step 1: Confirm Your WordPress Site Has Been Hacked

1.1 Recognizing Common Symptoms of a Hacked Site

Before diving into fixing your WordPress website, it’s important to confirm that a hack has indeed occurred. Here are common signs that your site may be compromised:

  • Unexpected Redirects or Pop-Ups: Your site may redirect visitors to unrelated or suspicious pages, or display unwanted pop-up ads. Hackers often use these methods to generate clicks on malicious sites.
  • Strange Content or Suspicious Links: New, unexpected content or links that you didn’t add might appear on your site, especially on high-traffic pages.
  • Reduced Website Performance: If your website has suddenly become slow or unresponsive, this could indicate that it’s been compromised. Hackers may use your site to run scripts, which can drain resources and slow down page loading times.
  • Google Warning Messages: Sometimes, Google will mark hacked sites with warnings, such as “This site may be hacked.” If you see this alert on your site in search results, it’s a sign that something is amiss.
  • Unknown Admin Accounts: In many cases, hackers create new user accounts with administrative privileges. If you notice any unknown users in the “Administrator” role, it’s crucial to investigate further.

Using free tools like Sucuri SiteCheck or VirusTotal can help identify malware on your site. Simply enter your website’s URL, and these scanners will alert you to any potential malware, viruses, or blacklisting issues that might confirm your suspicions of a hack.

1.2 Back Up Your Website

It’s essential to back up your website before taking any further action. Backups allow you to save a snapshot of your current site state. If any issues arise during the cleanup, you can restore the backup and try again. Use plugins like UpdraftPlus or BackupBuddy to create a full backup of your WordPress database and files.

Step 2: Put Your Website in Maintenance Mode

If your site is actively redirecting or hosting malware, it’s a good idea to put it in maintenance mode to protect visitors. This prevents users from visiting your site and potentially downloading malware. A simple solution is to use the WP Maintenance Mode plugin, which allows you to temporarily disable access while you work on restoring your site.

Step 3: Reset Passwords and Review User Accounts

3.1. Change All Passwords

Your WordPress website likely has multiple points of entry that require secure passwords, including your admin account, database, hosting account, FTP, and email. If a hacker has accessed any of these accounts, they could repeatedly compromise your site, even after you’ve removed malware.

  1. WordPress Admin Password: Go to Users > All Users, locate your admin account, and click Edit. Update your password to a strong, unique password.
  2. Hosting Account Password: Log in to your hosting provider’s dashboard (such as SiteGround, Bluehost, or WP Engine) and reset your password.
  3. Database Password: Within your hosting account, find the MySQL Databases section and update your database password. You’ll also need to update the password in the wp-config.php file for your site to connect to the database.
  4. FTP/SFTP Password: Log in to your hosting account, find your FTP/SFTP settings, and change your password to prevent unauthorized file access.

Use a Password Manager: Tools like LastPass or 1Password allow you to securely store and manage strong passwords without having to remember each one.

3.2. Review and Remove Suspicious User Accounts

Check for any unauthorized admin accounts in Users > All Users. If you see unfamiliar accounts with administrative privileges, delete them immediately. Be cautious not to delete legitimate user accounts—only remove accounts that seem suspicious or unfamiliar.

Step 4: Scan and Remove Malware from Your Site

To ensure you effectively remove all malicious code from your site, a complete scan is necessary. WordPress plugins and tools can help identify malware within files, themes, and plugins.

4.1. Use Security Plugins to Scan for Malware

Top Malware Scanners:

  1. Wordfence Security: This plugin provides robust malware scanning and real-time firewall protection. It can detect malicious code hidden in themes, plugins, and core files. After installing and activating the plugin, run a full scan to identify threats.
  2. Sucuri Security: Another trusted plugin, Sucuri scans for malware and monitors your site’s integrity. It offers helpful features like file integrity checks and blacklist monitoring.
  3. MalCare Security: Known for accurate scanning without slowing down your site, MalCare can automatically detect and remove malware from your files and database.

4.2. Manually Remove Infected Files

Once the scan is complete, you may receive a list of infected files. Review these files carefully. If you’re confident that a file is infected, delete it. For critical files like wp-config.php, manually remove any suspicious code instead of deleting the file outright, as this can affect your site’s functionality.

Step 5: Reinstall Core WordPress Files, Plugins, and Themes

Malicious code can sometimes attach itself to core WordPress files, plugins, and themes. Reinstalling these components ensures that any altered files are restored to their original, secure state.

5.1. Reinstall Core WordPress Files

Go to Dashboard > Updates in your WordPress admin panel and click Reinstall Now. This will replace all core files, removing any modifications a hacker may have made. Alternatively, you can manually upload clean files by downloading a fresh copy of WordPress from wordpress.org.

5.2. Reinstall Plugins and Themes

Deactivate and delete all installed plugins and themes (even those not active) to eliminate any hidden malware. Reinstall only the plugins and themes you need from trusted sources. Make sure to download these directly from the official WordPress repository or reputable providers to avoid downloading pre-infected versions.

Tip: Avoid using pirated plugins and themes, as these are often compromised. Always download from reliable sources.

Step 6: Check .htaccess and wp-config.php for Backdoors

Backdoors are hidden entries that allow hackers to access your site even after cleaning it. These often hide in the .htaccess or wp-config.php files, as these are crucial for WordPress site functionality.

6.1. Examine the .htaccess File

Open the .htaccess file in your WordPress root directory. Look for any unfamiliar entries, such as redirects or code injections that seem out of place. A clean .htaccess file for WordPress should primarily contain permalink settings. If unsure, reset permalinks under Settings > Permalinks to create a fresh .htaccess file.

6.2. Review the wp-config.php File

Open wp-config.php and examine it closely for any lines of code that don’t belong. Backdoors are often inserted near the bottom of the file, hidden among legitimate code. Delete any suspicious code, but be careful not to remove crucial settings, like database credentials or site configuration data.

Step 7: Install a Security Plugin for Continuous Protection

Once your site is clean, it’s essential to protect it from future attacks. Security plugins can monitor activity, scan for malware, and prevent unauthorized access.

Recommended Security Plugins:

  1. Sucuri Security: Sucuri offers robust features like firewall protection, blacklist monitoring, and security alerts.
  2. iThemes Security: This plugin provides two-factor authentication, file change detection, and brute force protection.
  3. All In One WP Security: Known for its user-friendly interface, this plugin includes firewall settings, login security, and file protection options.

Enable Firewall Protection: Many security plugins include a firewall feature. A firewall prevents malicious IP addresses from accessing your site, reducing the risk of attacks.

Step 8: Update WordPress Core, Plugins, and Themes Regularly

Hackers often exploit outdated software to gain access to websites. Keeping everything up-to-date is one of the simplest yet most effective ways to secure your WordPress site.

  1. Update WordPress Core: WordPress frequently releases security patches and updates to address known vulnerabilities. Make sure your core files are always up-to-date by enabling auto-updates.
  2. Update Plugins and Themes: Check for updates regularly in Dashboard > Updates. Many plugins and themes release updates specifically to address security vulnerabilities.
  3. PHP Version: Using the latest PHP version can also improve site security and performance. Most hosting providers offer a simple option to update PHP within your control panel.

Step 9: Implement Two-Factor Authentication (2FA)

Two-factor authentication (2FA) adds a second layer of protection to your login process. Even if a hacker manages to steal your password, they would still need access to your 2FA method, making unauthorized logins significantly harder.

How to Set Up 2FA:

  1. Install a security plugin that supports 2FA, such as Wordfence or iThemes Security.
  2. Enable 2FA for your admin account and any other users with elevated permissions.

Step 10: Schedule Regular Backups (Continued)

Creating regular backups is one of the best long-term strategies to protect your website against data loss. When a backup is scheduled consistently, you have a reliable restore point in case of a hack, server failure, or accidental changes. Most WordPress backup plugins offer flexible scheduling options and storage solutions.

10.1 How Often to Back Up Your Website

How frequently you back up depends on how often your content or data changes. For instance:

  • High-traffic sites with frequent posts or e-commerce transactions should ideally back up daily, if not in real-time.
  • Low-traffic blogs or portfolios might only need weekly backups.

10.2 Recommended Backup Plugins and Storage Options

  1. UpdraftPlus: This plugin provides automated backups and has options to store backups in the cloud, including Dropbox, Google Drive, and Amazon S3.
  2. BlogVault: Known for its reliability, BlogVault provides daily automated backups and stores them off-site, allowing you to restore your site in one click.
  3. Jetpack Backup: Jetpack’s backup feature (formerly VaultPress) offers real-time and daily backup options, automatically saving changes and storing them in a secure cloud environment.

These plugins typically offer settings for incremental backups, which capture only recent changes instead of re-backing up your entire site each time. For added security, keep multiple copies of backups in different locations, like on an external hard drive or secure cloud storage.

Step 11: Strengthen WordPress Security with Additional Measures

Even with the above steps, a few more measures can greatly improve the overall security of your WordPress site. These methods are often overlooked but can significantly decrease your site’s vulnerability to attacks.

11.1 Change Default Login URL

By default, WordPress login pages are accessible at yoursite.com/wp-admin or yoursite.com/wp-login.php. Changing your login URL reduces the risk of brute-force attacks by hiding your admin login page from bots scanning default URLs.

  • WPS Hide Login: This simple plugin allows you to easily change your login URL. For example, instead of /wp-login.php, you can make it /my-secret-login.

11.2 Disable File Editing in the Dashboard

Hackers often exploit file editing capabilities within WordPress to alter theme or plugin files, embedding malicious code. Disabling the file editor removes this capability.

To disable file editing:

  1. Access your wp-config.php file through FTP or your hosting file manager.
  2. Add the following line:
    php
    define('DISALLOW_FILE_EDIT', true);

With file editing disabled, even if a hacker gains access to your dashboard, they won’t be able to modify theme or plugin files directly.

11.3 Limit Login Attempts

By default, WordPress allows unlimited login attempts, which makes it vulnerable to brute-force attacks. Limiting login attempts adds an extra layer of security.

  • Limit Login Attempts Reloaded: This plugin automatically locks out users (including potential hackers) after a specified number of failed login attempts. Adjust the settings to allow only a few retries to make brute-force attempts more difficult.

11.4 Enable HTTP Security Headers

HTTP security headers add another layer of security by instructing browsers on how to handle your website’s data. These can prevent XSS attacks, code injections, and other common exploits.

Common security headers include:

  • Content Security Policy (CSP): Restricts the types of content browsers should load, which can prevent malicious scripts.
  • X-Frame-Options: Prevents your website from being loaded in an iframe by external sites, which can prevent clickjacking attacks.

Your hosting provider or security plugins like HTTP Headers can help you add these headers to your site.

11.5 Use a Web Application Firewall (WAF)

A Web Application Firewall (WAF) monitors incoming traffic and blocks malicious requests before they reach your website.

  • Sucuri Firewall: Sucuri’s firewall service protects your site from SQL injections, XSS attacks, and other common threats.
  • Cloudflare: Cloudflare offers a free WAF as part of its services, which also includes content delivery network (CDN) features to improve your site’s speed and reliability.

Step 12: Monitor Your Site for Ongoing Security

Proactively monitoring your website for suspicious activity can help you detect potential security issues before they escalate into major problems.

12.1 Set Up Activity Logs

Activity logs provide a record of all changes made on your website, from login attempts to file modifications. This allows you to trace back any unauthorized activity.

  • WP Security Audit Log: This plugin records detailed logs of user activity, so you can monitor for unauthorized changes and investigate potential breaches.

12.2 Set Up Alerts for Suspicious Activity

Many security plugins, including Wordfence and Sucuri, offer email notifications for suspicious login attempts or file changes. Enable these alerts to receive real-time updates if suspicious activity occurs.

12.3 Google Search Console

Adding your website to Google Search Console provides valuable insights into your site’s health. Google will notify you if it detects malware or other issues that might affect your site’s SEO and user experience.

Step 13: Keep Software and Plugins Updated

Updates aren’t just about new features—they’re about security, too. Outdated plugins, themes, and WordPress versions are common entry points for hackers.

  1. Set Up Automatic Updates: If manually updating plugins and themes isn’t practical for you, consider enabling automatic updates. WordPress allows you to turn on auto-updates for plugins individually in Dashboard > Plugins.
  2. Use a Staging Site for Testing Updates: Before updating themes or plugins, use a staging environment to ensure compatibility and avoid any site breakage. Many hosting providers, like SiteGround and WP Engine, offer one-click staging environments.

Step 14: Educate and Train Your Team

If you manage a team that works on your WordPress site, training them in basic security practices is crucial. Even if only a few people have admin access, they should all be aware of the following:

  1. Secure Passwords: Make sure everyone uses strong, unique passwords and understands the importance of password security.
  2. Recognizing Phishing Attempts: Educate your team on how to identify phishing emails and other social engineering attacks.
  3. Regular Security Checks: Encourage everyone to perform regular scans and security audits on the site.

Consider providing guidelines for your team or setting up scheduled reminders to check for updates, review security settings, and monitor activity logs.

Additional Resources and Useful Links

Here are some helpful resources for WordPress security and recovery:

  1. Sucuri Security Blog: Sucuri offers insights into the latest WordPress vulnerabilities and security best practices.
  2. WordPress Codex: The official WordPress Codex has comprehensive guides on securing your site, including best practices and recommended plugins.
  3. Wordfence Learning Center: This is a valuable resource to learn about different types of WordPress attacks, best practices, and security tips.
  4. OWASP: The Open Web Application Security Project is a great resource to understand common web vulnerabilities and how to prevent them.

Final Checklist and Ongoing Security

After going through each step in this guide on how to fix a hacked WordPress website, your site should now be clean and significantly more secure. As a final wrap-up, here’s a checklist to ensure you’ve covered all the essentials:

  • Backed up your website before making changes.
  • Changed all passwords for the site, database, hosting, and FTP.
  • Scanned and removed malware from core files, plugins, and themes.
  • Reinstalled WordPress core files to ensure no hidden malware remains.
  • Set up a security plugin with real-time monitoring and alerts.
  • Implemented additional security measures, such as limiting login attempts and enabling a firewall.
  • Scheduled regular backups to always have a clean restore point.
  • Enabled two-factor authentication for added security.
  • Trained your team on security best practices.

Maintaining WordPress security is an ongoing process. Make it a habit to monitor your site, update regularly, and review security settings periodically. While there’s no guaranteed way to prevent all hacks, following these best practices can significantly reduce your site’s risk and provide peace of mind.

By following these steps and staying proactive, you’ll be well-prepared to manage any future threats and keep your WordPress site secure.