How to Fix a Hacked WordPress Site: Complete Recovery Guide

WordPress powers over 43% of the entire internet, and that massive market share makes it the #1 target for automated botnets and cybercriminals. If Google is showing a red "Deceptive site ahead" warning, your hosting provider has suspended your account, or visitors are being redirected to scam pages, you need to clean up the hacked WordPress site immediately. Every hour of delay means more visitors exposed to malware, more SEO damage, and a deeper foothold for the attacker.

This comprehensive guide walks you through the precise, technical steps required to identify the intrusion type, completely eradicate all malware from your server, and harden your WordPress installation so it never happens again.

Identifying the Type of Hack

Before you begin cleaning, you must understand what type of compromise you're dealing with. Different hack types require different remediation strategies. Here are the most common types of WordPress compromise and how to recognize them:

Malicious Redirects

Visitors attempting to view your site are instantly redirected to phishing sites, adult content, fake tech support scams, or cryptocurrency fraud pages. The redirect code is typically injected into .htaccess, wp-config.php, or your active theme's header.php and functions.php files.

Japanese/Pharma SEO Spam

Hackers inject thousands of hidden pages containing keywords for pharmaceuticals, counterfeit goods, or gambling, exploiting your domain authority to boost their own search rankings. You'll notice hundreds or thousands of unexpected URLs appearing in Google Search Console. This is one of the most damaging hacks because Google may deindex your entire site.

Web Phishing Hosting

Attackers create hidden directories on your server and upload clone pages of bank login screens (Chase, PayPal, Netflix). They send mass email campaigns directing victims to web phishing URLs hosted on your domain. This will get your domain blacklisted by Google Safe Browsing, email providers, and antivirus software—potentially permanently damaging your domain reputation.

Backdoor Shells

PHP backdoors (like C99, WSO, or FilesMan) give attackers persistent remote access to execute arbitrary code on your server. Even after cleaning malware, a single remaining backdoor allows complete re-infection within minutes.

Cryptomining Scripts

JavaScript cryptocurrency miners injected into your pages use your visitors' CPU power to mine cryptocurrency for the attacker. Signs include dramatically slowed page performance and increased bounce rates.

Emergency First Steps

  1. Put the site in maintenance mode: Prevent further visitor exposure immediately
  2. Back up the infected state: Take a complete backup (files + database) of the current infected server. While counterintuitive, you may need this if you accidentally delete critical data during cleaning
  3. Contact your hosting provider: They may have additional forensic logs and can isolate your account to prevent impact on shared hosting neighbors

Step-by-Step Recovery Process

Step 1: Complete Password Reset

Assume every credential is compromised. Reset all of the following:

  • cPanel / hosting control panel password
  • FTP / SFTP passwords
  • WordPress database password (in wp-config.php)
  • WordPress admin accounts (force reset for ALL administrators)
  • SSH keys (regenerate if used for deployment)

Ghost Admin Check: Log into phpMyAdmin and inspect the wp_users table. Hackers frequently create hidden administrator accounts with randomized usernames. Delete any user accounts you don't personally recognize. Also check wp_usermeta for rows where meta_key is wp_user_level and meta_value is 10, or where meta_key is wp_capabilities and meta_value contains "administrator".
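The ghost admin check above can be run as a single query instead of browsing two tables by hand. This is an added example, not part of the original guide: the SELECT is plain SQL for the standard wp_users and wp_usermeta tables, while the in-memory SQLite database, the sample accounts and the function names are constructed for illustration.

```python
import sqlite3

# Plain SQL: the same SELECT can be pasted into phpMyAdmin's SQL tab
# (change the wp_ prefix if the site uses a different one).
ADMIN_QUERY = """
SELECT DISTINCT u.ID, u.user_login, u.user_registered
FROM wp_users u
JOIN wp_usermeta m ON m.user_id = u.ID
WHERE (m.meta_key = 'wp_capabilities' AND m.meta_value LIKE '%"administrator"%')
   OR (m.meta_key = 'wp_user_level' AND m.meta_value = '10')
ORDER BY u.user_registered
"""


def unrecognised_admins(conn, known_logins):
    """Return admin-level accounts whose login the owner did not list."""
    rows = conn.execute(ADMIN_QUERY).fetchall()
    return [row for row in rows if row[1] not in known_logins]


def build_sample_db():
    """Constructed sample data; in-memory SQLite stands in for MySQL here."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE wp_users (ID INTEGER PRIMARY KEY, "
                 "user_login TEXT, user_registered TEXT)")
    conn.execute("CREATE TABLE wp_usermeta (user_id INTEGER, "
                 "meta_key TEXT, meta_value TEXT)")
    conn.executemany("INSERT INTO wp_users VALUES (?, ?, ?)", [
        (1, "siteowner", "2021-03-02 10:00:00"),
        (2, "editor_anna", "2022-06-11 09:30:00"),
        (3, "wp_x8k2q", "2024-01-15 03:12:44"),
        (4, "svc_backup", "2024-01-15 03:12:51"),
    ])
    conn.executemany("INSERT INTO wp_usermeta VALUES (?, ?, ?)", [
        (1, "wp_capabilities", 'a:1:{s:13:"administrator";b:1;}'),
        (1, "wp_user_level", "10"),
        (2, "wp_capabilities", 'a:1:{s:6:"editor";b:1;}'),
        (2, "wp_user_level", "7"),
        (3, "wp_capabilities", 'a:1:{s:13:"administrator";b:1;}'),
        (4, "wp_capabilities", 'a:1:{s:10:"subscriber";b:1;}'),
        (4, "wp_user_level", "10"),
    ])
    return conn


if __name__ == "__main__":
    for user in unrecognised_admins(build_sample_db(), {"siteowner"}):
        print(user)
```

Account 4 in the sample shows why both meta keys are checked: its capabilities row looks like a subscriber while its user level is 10.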

Step 2: Replace Core WordPress Files

Malware commonly modifies core files in wp-includes and wp-admin directories. Manually inspecting thousands of files is impractical—replace them entirely:

  1. Download a fresh copy of your exact WordPress version from wordpress.org
  2. Delete the entire wp-includes and wp-admin directories from your server
  3. Upload the clean wp-includes and wp-admin directories
  4. Replace root files (wp-login.php, wp-cron.php, index.php)
  5. Do NOT overwrite wp-config.php or the wp-content folder
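After the replacement, a hash comparison against the clean download confirms that nothing modified or extra is left in the core directories. The following is an added example, not code from the original guide; it assumes the clean archive of the same WordPress version has been extracted locally, and the file names in the demo tree are constructed.

```python
import hashlib
import tempfile
from pathlib import Path

CORE_DIRS = ("wp-admin", "wp-includes")


def core_files(root):
    """Map relative path -> Path for core directories and root-level PHP files."""
    root = Path(root)
    files = {p.relative_to(root).as_posix(): p
             for d in CORE_DIRS if (root / d).is_dir()
             for p in (root / d).rglob("*") if p.is_file()}
    # wp-config.php is site-specific and never part of the clean download.
    files.update({p.name: p for p in root.glob("*.php")
                  if p.name != "wp-config.php"})
    return files


def digest(path):
    return hashlib.sha256(path.read_bytes()).hexdigest()


def compare_core(clean_root, live_root):
    """Report files that differ from, are extra to, or are absent from the clean copy."""
    clean, live = core_files(clean_root), core_files(live_root)
    return {
        "modified": sorted(f for f in clean.keys() & live.keys()
                           if digest(clean[f]) != digest(live[f])),
        "extra": sorted(live.keys() - clean.keys()),
        "missing": sorted(clean.keys() - live.keys()),
    }


def demo():
    """Build two small constructed trees and compare them."""
    with tempfile.TemporaryDirectory() as tmp:
        clean, live = Path(tmp, "clean"), Path(tmp, "live")
        for root in (clean, live):
            (root / "wp-includes").mkdir(parents=True)
            (root / "wp-includes" / "version.php").write_text("<?php // version")
            (root / "wp-login.php").write_text("<?php // login")
        (live / "wp-login.php").write_text("<?php // login\n@include 'x.ico';")
        (live / "wp-includes" / "class-wp-cache-tmp.php").write_text("<?php")
        (live / "wp-config.php").write_text("<?php // credentials")
        return compare_core(clean, live)


if __name__ == "__main__":
    print(demo())
```

Anything reported as "extra" inside wp-admin or wp-includes deserves a look, since the clean release contains no such file.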

Step 3: Clean the wp-content Directory

This is where the majority of malware resides:

Plugins

Do not just update plugins—delete the entire plugin folder and download fresh copies from the official WordPress repository or the developer. Pay special attention to premium plugins with expired licenses—these are prime targets because they can't receive security patches.

Themes

Delete every theme except your active one and a default WordPress theme. If the active theme was modified, carefully inspect functions.php, header.php, and footer.php for obfuscated code, commonly starting with eval(base64_decode(...)) or @include statements pointing to suspicious files.

Uploads Folder

Search the wp-content/uploads directory for any files with executable extensions: .php, .php5, .phtml, .js, or .ico. Hackers upload PHP backdoors disguised as image files (e.g., thumb_cache.php or social-icon.php). These must be deleted. Legitimate uploads should only contain image, video, and document files.

Step 4: Inspect wp-config.php

Open wp-config.php and check for any code that doesn't belong. Specifically look for: @include statements, eval() functions, base64-encoded strings, and any URLs referencing external servers. Compare your file against a clean wp-config-sample.php from the official WordPress download, adding back only your legitimate database credentials and authentication keys.
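The file checks in Steps 3 and 4 can be scripted so that every file is covered, not just the ones opened by hand. This is an added example, not part of the original guide: the extension list and indicators come from the text above, while the function names, the 200-character base64 threshold and the demo tree are assumptions made for illustration.

```python
import re
import tempfile
from pathlib import Path

# Extensions the guide says should not appear under wp-content/uploads.
UPLOAD_BAD_EXT = {".php", ".php5", ".phtml", ".js", ".ico"}

# Indicators named in Steps 3 and 4. They are triage hints: a hit means
# "read this file", not "this file is malware".
INDICATORS = {
    "eval_base64": re.compile(rb"eval\s*\(\s*base64_decode\s*\(", re.I),
    "silenced_include": re.compile(rb"@\s*include(?:_once)?\b", re.I),
    "long_base64_string": re.compile(rb"[A-Za-z0-9+/]{200,}={0,2}"),
}


def scan_uploads(uploads_dir):
    """List files under uploads whose extension is on the executable list."""
    uploads = Path(uploads_dir)
    return sorted(p.relative_to(uploads).as_posix() for p in uploads.rglob("*")
                  if p.is_file() and p.suffix.lower() in UPLOAD_BAD_EXT)


def scan_php(root):
    """Map each .php file under root to the indicator names found in it."""
    root, hits = Path(root), {}
    for path in root.rglob("*.php"):
        data = path.read_bytes()
        found = sorted(n for n, rx in INDICATORS.items() if rx.search(data))
        if found:
            hits[path.relative_to(root).as_posix()] = found
    return hits


def demo():
    """Scan a small constructed wp-content tree."""
    with tempfile.TemporaryDirectory() as tmp:
        content = Path(tmp, "wp-content")
        theme = content / "themes" / "mytheme"
        uploads = content / "uploads" / "2024" / "01"
        theme.mkdir(parents=True)
        uploads.mkdir(parents=True)
        blob = "QUJD" * 60  # harmless constructed base64 ("ABC" repeated)
        (theme / "header.php").write_text("<?php get_header_image(); ?>")
        (theme / "functions.php").write_text(
            "<?php @include '/tmp/.cache.ico'; eval(base64_decode('" + blob + "'));")
        (uploads / "photo.jpg").write_bytes(b"\xff\xd8\xff")
        (uploads / "thumb_cache.php").write_text("<?php // constructed placeholder")
        return scan_uploads(content / "uploads"), scan_php(content)
```

Point scan_php at the directory holding wp-config.php as well; legitimate code occasionally uses @include, so review each hit before deleting anything.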

Step 5: Clean .htaccess

The .htaccess file is a favorite target for redirect hacks. Delete it and let WordPress regenerate it by visiting Settings → Permalinks and clicking "Save Changes." Check for additional .htaccess files hidden in subdirectories—attackers sometimes place malicious redirect rules in wp-content/.htaccess or wp-includes/.htaccess.

Database Cleaning

Malware doesn't just live in files—it can be injected into your WordPress database. Using phpMyAdmin or a database management tool:

  1. Search the wp_options table for suspicious entries in siteurl and home fields—hackers change these to redirect your entire site
  2. Check wp_posts for injected JavaScript or iframe tags in post content. Search for <script>, <iframe>, and eval( across all post content
  3. Review cron jobs in wp_options under the cron option name. Attackers schedule recurring tasks to re-download malware even after you clean the files
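The cron option in step 3 is a single PHP-serialized array, which is hard to read in phpMyAdmin. This added example (not from the original guide) extracts the scheduled hook names from that value and lists those that are neither WordPress core hooks nor on a list you supply; SAMPLE_CRON is constructed, and wp_sys_refresh and myplugin_sync_job are made-up hook names.

```python
import re

# Hooks that WordPress core itself schedules.
CORE_HOOKS = {
    "wp_version_check", "wp_update_plugins", "wp_update_themes",
    "wp_scheduled_delete", "wp_scheduled_auto_draft_delete",
    "delete_expired_transients", "wp_privacy_delete_old_export_files",
    "recovery_mode_clean_expired_keys", "wp_site_health_scheduled_check",
}

# In the serialized array each hook name is a string key whose value is an
# array keyed by a 32-character md5 of the event's arguments.
EVENT_RE = re.compile(
    r's:\d+:"([^"]+)";a:\d+:\{s:32:"[0-9a-f]{32}";a:\d+:\{'
    r's:8:"schedule";(?:s:\d+:"([^"]*)"|b:0)')


def cron_events(option_value):
    """Return sorted (hook, schedule) pairs; schedule is None for one-off events."""
    events = {(m.group(1), m.group(2)) for m in EVENT_RE.finditer(option_value)}
    return sorted(events, key=lambda e: (e[0], e[1] or ""))


def unexpected_hooks(option_value, plugin_hooks=()):
    """Hooks that are neither core nor on the owner's list of plugin hooks."""
    allowed = CORE_HOOKS | set(plugin_hooks)
    return [e for e in cron_events(option_value) if e[0] not in allowed]


# Constructed sample of wp_options.option_value where option_name = 'cron'.
SAMPLE_CRON = (
    'a:4:{'
    'i:1700000000;a:1:{s:16:"wp_version_check";a:1:{'
    's:32:"40cd750bba9870f18aada2478b24840a";a:3:{s:8:"schedule";'
    's:10:"twicedaily";s:4:"args";a:0:{}s:8:"interval";i:43200;}}}'
    'i:1700000100;a:1:{s:14:"wp_sys_refresh";a:1:{'
    's:32:"40cd750bba9870f18aada2478b24840a";a:3:{s:8:"schedule";'
    's:6:"hourly";s:4:"args";a:0:{}s:8:"interval";i:3600;}}}'
    'i:1700000200;a:1:{s:17:"myplugin_sync_job";a:1:{'
    's:32:"40cd750bba9870f18aada2478b24840a";a:2:{s:8:"schedule";'
    'b:0;s:4:"args";a:0:{}}}}'
    's:7:"version";i:2;}'
)

if __name__ == "__main__":
    print(unexpected_hooks(SAMPLE_CRON, plugin_hooks={"myplugin_sync_job"}))
```

A hook on the unexpected list is a lead to follow, not a verdict: find which file registers it before removing the entry.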

Post-Recovery Security Hardening

Install a Web Application Firewall (WAF)

A cloud-based WAF (Cloudflare, Sucuri, or Wordfence) filters out malicious traffic, SQL injection attempts, and brute-force attacks before they reach your server. This is the single most impactful security improvement you can make.

Disable File Editing

Add to wp-config.php:

define( 'DISALLOW_FILE_EDIT', true );

This prevents anyone—including administrators—from editing PHP files through the WordPress dashboard, eliminating a common backdoor injection vector.

Limit Login Attempts

Brute-forcing wp-login.php is the most common automated attack vector. Install a security plugin (Wordfence, Solid Security, or Limit Login Attempts Reloaded) to automatically block IP addresses after 3-5 failed login attempts.

Change the WordPress Database Prefix

The default wp_ table prefix makes SQL injection attacks trivially simple since attackers know the exact table names. Change it to a random string during a clean installation, or use a plugin to migrate existing tables.

Implement Automatic Updates

Add to wp-config.php:

define( 'WP_AUTO_UPDATE_CORE', true );

Configure automatic updates for plugins and themes in the WordPress dashboard. The majority of WordPress hacks exploit known vulnerabilities in outdated software.

Regular Backups

Configure daily automated backups stored off-server (Amazon S3, Google Drive, or your hosting provider's backup solution). In a worst-case scenario, a clean backup can restore your site in minutes rather than hours.

Getting Removed from Google's Blacklist

If Google flagged your site with a "Deceptive site ahead" warning, you must request a review after cleaning:

  1. Verify ownership in Google Search Console
  2. Navigate to Security & Manual Actions → Security Issues
  3. Review each flagged issue and confirm you've resolved it
  4. Click "Request a Review" and provide a detailed description of the remediation steps you took
  5. Google typically processes review requests within 24-72 hours

Also check: Bing Webmaster Tools, Norton Safe Web, McAfee SiteAdvisor, and PhishTank—your domain may be blacklisted across multiple databases.

Frequently Asked Questions

How do I know if my WordPress site has been hacked?

Common signs include: Google showing "Deceptive site ahead" warnings, visitors being redirected to spam or scam sites, unexpected pages appearing in Google Search Console (especially in Japanese or pharmaceutical keywords), hosting provider suspension notices, unknown admin users appearing in your dashboard, and dramatically slowed site performance.

How do WordPress sites get hacked?

The top three vectors are: outdated plugins with known vulnerabilities (accounts for ~50% of hacks), brute-force attacks on wp-login.php with weak passwords, and compromised or nulled premium themes/plugins downloaded from unofficial sources. Less common but devastating vectors include SQL injection, cross-site scripting (XSS), and server-level compromises on shared hosting.

Should I reinstall WordPress from scratch?

For severe infections, a clean reinstall is often faster and more reliable than manual cleaning. Export your database, install fresh WordPress, re-upload only media files (after scanning them), and reinstall plugins from official sources. This eliminates any hidden backdoors in core files, themes, or plugin directories.

How long does it take to fix a hacked WordPress site?

Manual cleanup typically takes 2-6 hours depending on the severity. A clean reinstall can be completed in 1-2 hours. Google blacklist removal takes an additional 24-72 hours after submitting a review request. Professional WordPress security services (Sucuri, Wordfence) typically complete cleanups within 4-12 hours.

How can I prevent my WordPress site from being hacked again?

Essential prevention: install a Web Application Firewall (WAF), enable automatic WordPress and plugin updates, use strong unique passwords with 2FA for all admin accounts, limit login attempts, disable file editing from the dashboard, remove unused themes and plugins, and maintain automated daily backups stored off-server.

Conclusion

Fixing a hacked WordPress site requires a methodical, zero-trust approach. Replace core files entirely, audit every theme and plugin, clean the database, and implement comprehensive security hardening before going back online. The most critical lesson: prevention is always cheaper than recovery. A WAF, automatic updates, strong passwords, and regular backups will protect your WordPress site from the vast majority of automated attacks.