You are not alone in this. WordPress powers over 43% of the web, which makes it a prime target for attackers. This guide will walk you through the entire process, from immediate damage control to long-term fortification. We will get your site back online and make it more secure than it ever was before.

Key Takeaways

  • Act Immediately. The moment you suspect a hack, put your site in maintenance mode and contact your hosting provider. Immediate password changes are critical.
  • Clean and Restore. A thorough cleanup involves scanning all files, inspecting the database, and replacing all core WordPress, plugin, and theme files with fresh copies.
  • Identify the Cause. Hacks are almost always preventable. The most common causes are outdated plugins, weak passwords, nulled (pirated) themes, and insecure hosting.
  • Proactive Security is Non-Negotiable. A long-term security strategy is essential. This includes using a high-quality security plugin, enforcing strong user policies, and “hardening” your WordPress installation.
  • Your Foundation Matters. The most effective security starts at the server level. A secure, managed hosting environment provides the best defense against sophisticated attacks.

First Response: What to Do in the First 15 Minutes

This is the triage phase. These first few steps are crucial for containing the damage and protecting your data.

Step 1: Put Your Site into Maintenance Mode

If you can still access your admin dashboard, use a plugin like WP Maintenance Mode to take your site offline for regular visitors. This prevents them from seeing a defaced site or being exposed to malware.

If you cannot access your admin area, you can do this via FTP. Connect to your site using an FTP client (like FileZilla) and find the .htaccess file in your site’s root directory. Add this code to the very top:

<IfModule mod_rewrite.c>

RewriteEngine on

RewriteCond %{REMOTE_ADDR} !^123\.456\.789\.000

RewriteRule .* [https://www.google.com](https://www.google.com) [R=302,L]

</IfModule>

Be sure to replace 123\.456\.789\.000 with your own IP address (you can find it by searching “what is my IP”). This code redirects all visitors except you to Google.

Step 2: Contact Your Hosting Provider

Open a high-priority support ticket with your hosting company. They can be an invaluable ally. Inform them that your site is compromised.

Ask them for:

  • Confirmation of the hack.
  • Any scan logs or information they have about suspicious files.
  • Assistance in identifying the time of the breach.
  • A clean, recent backup of your site if you have one.

A good host will have protocols for this and can often provide critical information.

Step 3: Change Your Passwords (Immediately)

Assume all your credentials are stolen. Change them all right now, starting with the most critical:

  1. WordPress Admin: If you can, log in and change your admin password. If you can’t, use the “Lost your password?” link. If that fails, you must change it via phpMyAdmin (a database tool in your hosting panel).
  2. Hosting Panel (cPanel/Plesk): Change this password immediately.
  3. FTP/SFTP Accounts: Change all FTP passwords.
  4. Database Password: Change the password for the database your WordPress site uses. You will need to update your wp-config.php file with this new password afterward.

Use a password manager to generate long, complex, and unique passwords for every account.

Part 1: A Step-by-Step Guide to Cleaning Your Hacked WordPress Site

With the immediate triage done, it’s time for a deep clean. Do not skip any of these steps.

Before You Begin: The Importance of Backups

You need two backups before you start.

  1. A “Before” Backup: Take a new backup of the hacked site right now. This sounds counterintuitive, but it’s your “crime scene.” If you make a mistake during the cleanup, you can go back to this version. Label it clearly (e.g., “HACKED_SITE_BACKUP_DATE”).
  2. A “Clean” Backup: Find the last known clean backup of your site from before the hack. Your hosting provider may have this. This clean backup is your safety net and a valuable reference to compare files against.

Step 1: Scan Your Site with a Security Plugin

First, we need to know what we’re dealing with. Install a reputable security plugin to perform a deep scan of your entire WordPress installation.

Recommended Scanning Tools:

  • Wordfence Security: One of the most popular WordPress security plugins. Its scanner compares your core WordPress files, themes, and plugins against the official WordPress repository, looking for changes, new files, and known malware signatures.
  • Sucuri Security: Another industry leader. The Sucuri scanner is excellent at finding malware, malicious code, and blacklist status.

Install one of these plugins from your WordPress dashboard, navigate to its settings, and run a full, high-sensitivity scan. The scanner will produce a report of all suspicious files, code injections, and vulnerabilities. This report is your cleanup checklist.

Step 2: Identify and Remove Malicious Files

The scan will likely find a lot of issues. Now you must go through them manually. Use your FTP client to connect to your server.

Warning: Be very careful. Deleting the wrong file can break your site. This is why you have the “HACKED_SITE_BACKUP_DATE” backup.

Checking Core WordPress Files

Your scanner will probably flag core files. Hackers love to hide code in plain sight. Do not try to edit these files. The safest way to fix them is to replace them entirely.

Inspecting Your wp-content Folder

This is where hackers spend most of their time.

  • /wp-content/plugins/: Check for any plugins you did not install. Look inside the folders of your legitimate plugins for strange PHP files (e.g., x.php, new.php, admin.php in a weird place).
  • /wp-content/themes/: Same as plugins. Hackers often add malicious code to your active theme’s functions.php file or header.php file. Compare these files to the ones in your clean backup.
  • /wp-content/uploads/: This folder should only contain media files (images, PDFs, videos). Hackers love to hide PHP “backdoor” scripts here. Look for any file ending in .php. Delete them on sight. Hackers sometimes disguise them (e.g., image.jpg.php).

Looking for Backdoors

Hackers leave backdoors so they can regain access after you clean the site. Common places to look:

  • Root Directory: Look for any suspicious PHP files in the same place you find wp-config.php.
  • wp-config.php: This is your site’s most sensitive file. Open it and read it carefully. Hackers sometimes add malicious code to the very top or bottom. It should look like a standard config file. Be suspicious of any long, unreadable strings of text.
  • .htaccess: Hackers modify this file to redirect your visitors to spam sites or to block you from your own admin area. Compare it to a default WordPress .htaccess file.

What to look for: Be on the lookout for these PHP functions, which are commonly used in malware:

  • eval()
  • base64_decode()
  • gzinflate()
  • str_rot13()
  • assert()

These functions can be used for legitimate reasons, but 99% of the time in a hack, they are part of a malicious script designed to execute hidden, obfuscated code.

Step 3: Clean Your WordPress Database

Hackers also attack your database. They can add new admin users, inject spam links into your posts, or store malicious data.

Access your database using the phpMyAdmin tool in your hosting cPanel.

Looking for Spammy Links and Content

Go through your wp_posts table (the prefix wp_ might be different for you). Look for new posts you didn’t create. Check your existing posts for spammy links or <script> tags that were injected into your content. You can run SQL queries to find this, for example:

SELECT * FROM wp_posts WHERE post_content LIKE ‘%<script>%’;

This query will find all posts that contain a <script> tag. Review them carefully before deleting.

Checking the wp_users Table

This is critical. Go to the wp_users table. Look for any user accounts you do not recognize, especially any with administrator privileges. Delete them immediately. Check your own user account to ensure the email address and password hash look correct.

Step 4: Reinstall a Fresh Copy of WordPress Core

Even after scanning, the safest way to ensure your core files are clean is to replace them.

  1. Go to WordPress.org and download a fresh, clean copy of the latest version.
  2. Unzip the file on your computer.
  3. Via FTP, delete your site’s wp-admin and wp-includes folders.
  4. Upload the new wp-admin and wp-includes folders from the fresh copy you just downloaded.
  5. Upload the individual files from the root of the fresh copy (like index.php, wp-login.php, etc.) to your server, overwriting the old ones.
  6. DO NOT delete or overwrite your wp-content folder.
  7. DO NOT delete or overwrite your wp-config.php file (unless you are 100% sure it’s clean and you have a backup).

Step 5: Reinstall All Plugins and Themes from Scratch

This is tedious but necessary.

  1. Make a list of all the plugins you use.
  2. Via FTP, delete all of your plugin folders from /wp-content/plugins/.
  3. Log in to your WordPress admin dashboard (which should be clean now).
  4. Go to Plugins > Add New and reinstall fresh, clean copies of every plugin from the official WordPress repository. For premium plugins, download fresh copies from the developer’s website. You can download a safe, free copy of Elementor here.
  5. Do the same for your theme. Delete your theme folder from /wp-content/themes/ and reinstall a fresh copy. Using a lightweight, well-maintained, and secure theme like Hello Theme is a great choice.

Step 6: Change All Passwords and Secret Keys (Again)

Now that the files and database are clean, the hacker’s backdoors are gone.

  1. Change your WordPress Admin password one more time.
  2. Change your FTP and hosting passwords one more time.
  3. Force all users on your site to reset their passwords.

Generating New WordPress Salt Keys

Your wp-config.php file contains security keys (or “salts”) that encrypt your login information. You must replace these.

  1. Go to the official WordPress salt key generator.
  2. This will give you a block of text.
  3. Open your wp-config.php file.
  4. Find the existing section for “Authentication Unique Keys and Salts.”
  5. Delete the old keys and paste the new ones in their place.
  6. Save the file. This will log everyone out of your site and invalidate any “remember me” cookies, fully securing your user sessions.

Step 7: Resubmit Your Site to Google (Removing Blacklists)

If your site was flagged by Google or other search engines for malware, you’ll see a red “Deceptive site ahead” warning.

Once your site is 100% clean, you need to ask for a review.

  1. Log in to your Google Search Console account.
  2. Navigate to the “Security & Manual Actions” tab.
  3. You will see the issues Google found.
  4. Click the button that says “Request Review.”
  5. In the form, briefly explain what you did to clean the site (e.g., “We found and removed malware from our files, cleaned the database, and reinstalled all WordPress core, plugin, and theme files.”).

It may take a day or two, but Google will review your site, see that it’s clean, and remove the warning.

Part 2: The Post-Mortem: How Did Your WordPress Site Get Hacked?

Cleaning the site is only half the battle. If you don’t plug the hole, the hackers will come right back. You need to understand how they got in.

Common Vulnerabilities Hackers Exploit

Outdated Software (Core, Plugins, Themes)

This is the number one cause of WordPress hacks. Developers release updates to patch security holes. If you are running an old version of a plugin, you are a sitting duck.

Weak Passwords and Brute Force Attacks

Hackers use automated scripts to try thousands of password combinations per second (a “brute force” attack). If your password is “password123” or “mysitename,” you will be hacked.

Nulled (Pirated) Plugins and Themes

If you downloaded a “free” copy of a premium plugin or theme from a shady website, it almost certainly came with malware. This is a common way hackers get initial access. You saved $50 on a plugin but will spend hundreds or thousands cleaning up the mess.

Poor Hosting Security

A cheap, shared hosting plan can be a huge liability. If another site on the same server gets hacked, the infection can sometimes spread to your site. This is called “cross-site contamination.” A good host isolates accounts from each other to prevent this.

Insecure File Permissions

Your server has rules about who can read, write, and execute files. If your file permissions are too loose (e.g., set to 777), you are allowing anyone to write new, malicious files to your server.

Unsecured wp-config.php File

Your wp-config.php file contains your database username and password. If an attacker can access this file, it’s game over.

Part 3: Fortifying Your Site: A Proactive WordPress Security Strategy

Now we rebuild. We will make your site so secure that hackers will give up and move on to an easier target.

The Foundation: Secure WordPress Hosting

Your website’s security starts with your host. You can have all the security plugins in the world, but they can’t fix a fundamentally insecure server.

What to Look for in a Secure Host

  • Web Application Firewall (WAF): A WAF filters out malicious traffic before it even reaches your WordPress site.
  • Malware Scanning: The host should perform its own regular, server-level malware scans.
  • Automatic Daily Backups: You need reliable, daily backups that are stored off-site and can be restored with one click.
  • Account Isolation: This is critical on shared hosting. It ensures a hacked site on your server cannot infect yours.
  • Latest Technology: Your host should support the latest versions of PHP and MySQL, which receive regular security patches.

How a Managed Platform Simplifies Security

This is where an integrated, managed platform becomes a powerful security asset. Solutions like Elementor Hosting are built and optimized specifically to run WordPress and the Elementor platform. This means the security is not an afterthought; it’s part of the core architecture.

This approach provides a managed WAF, built-in DDoS protection, and automatic daily backups, all under one roof. Because the builder and the hosting are managed by one team, the entire stack is monitored and optimized for performance and security. This eliminates the guesswork and provides a single, expert point of support if you ever face an issue.

For a deeper look at how a managed hosting environment works, this video provides a great overview: https://www.youtube.com/watch?v=gvuy5vSKJMg 

Essential Security Plugin Configuration

Your security plugin (like Wordfence or Sucuri) is your 24/7 on-site security guard. Now you need to configure it properly.

  • Enable the Web Application Firewall (WAF): This is the most important feature. It will block brute force attacks, SQL injections, and other common exploits.
  • Enable Login Security:
    • Limit Login Attempts: Lock out any IP address that fails to log in 3-5 times in a row.
    • Enforce Strong Passwords: Force all users (especially administrators and editors) to use complex passwords.
    • Enable Two-Factor Authentication (2FA): This is one of the single best things you can do. It requires a password and a second code (usually from your phone) to log in.
  • Schedule Regular Malware Scans: Set your plugin to scan your site at least once a week.

User and Access Management Best Practices

The Principle of Least Privilege

Do not give anyone more access than they absolutely need.

  • Administrator: Only 1-2 trusted people. This role has full control.
  • Editor: Can publish and manage posts, including other users’ posts.
  • Author: Can publish and manage their own posts.
  • Contributor: Can write and manage their own posts but cannot publish them.
  • Subscriber: Can only read posts and manage their profile.

If you hire a blogger, make them a Contributor, not an Administrator.

Enforcing Strong Passwords

We’ve said it before, but it’s worth repeating. A strong password policy is not optional. Use a password manager like 1Password or Bitwarden.

Implementing Two-Factor Authentication (2FA)

This is a non-negotiable for all admin accounts. The Wordfence and Sucuri plugins both offer 2FA features. It’s free and takes five minutes to set up.

The “Hardening” Checklist: Technical Security Measures

“Hardening” WordPress involves a few technical tweaks that make it much tougher for attackers to find and exploit vulnerabilities.

Keep Everything Updated (The #1 Rule)

Your dashboard will tell you when WordPress core, your plugins, and your themes have updates. Do not ignore them. Enable automatic updates for minor releases and security patches if possible.

Disable File Editing in the Dashboard

By default, you can edit your theme and plugin files from the WordPress admin area (Appearance > Theme File Editor). If a hacker gets into your admin account, this gives them a wide-open door to add malware.

Disable this by adding the following line to your wp-config.php file: define( ‘DISALLOW_FILE_EDIT’, true );

Change Your Database Prefix

By default, WordPress database tables start with wp_ (e.g., wp_users). Hackers know this and use it to run automated “SQL injection” attacks. If you change this prefix to something random (e.g., wp_a83hZ_), you make their job much harder. A plugin like WP-Optimize or iThemes Security can do this for you.

Secure Your wp-config.php and .htaccess Files

These two files are highly sensitive. You can “harden” them by adding snippets to your .htaccess file (which is in your root directory).

Add this to protect your wp-config.php file:

<files wp-config.php>

order allow,deny

deny from all

</files>

Add this to protect .htaccess itself:

<files .htaccess>

order allow,deny

deny from all

</files>

Disable XML-RPC (if not needed)

XML-RPC is a feature that allows remote connections to your site (e.g., from the old WordPress mobile app). It’s also a common target for brute force attacks. If you don’t use it, disable it. Your security plugin can do this with a single click.

The Role of a Modern Website Builder in Security

The tools you use to build your site have a direct impact on its security. A site cobbled together with 20 different plugins from 20 different authors, some of whom may have abandoned their projects, is a security nightmare.

Using a single, professional tool like Elementor for your design and functionality means you are relying on one team of professional developers who actively maintain and patch their code. As web creation expert Itamar Haim often states, “Your website’s security is only as strong as its weakest link. Using a unified, well-maintained platform drastically reduces your attack surface compared to piecing together dozens of disparate plugins.”

Furthermore, professional-grade tools come with security features built-in. For example, the Elementor Pro Form Builder includes spam-fighting tools like reCAPTCHA and Honeypot fields. These simple features are a frontline defense that blocks floods of spam bots, which are often the first sign of a more coordinated attack.

Don’t Forget Physical and Operational Security

Your website isn’t an island. Your personal security habits matter.

  • Secure Your Local Computer: Run antivirus software on your computer. A keylogger on your PC can steal your FTP and admin passwords, bypassing all your website’s security.
  • Use a Password Manager: Do not save your passwords in your browser or a text file. Use a dedicated, encrypted password manager.
  • Be Wary of Public Wi-Fi: Never log in to your WordPress admin or FTP from an unsecured public Wi-Fi network (like at a coffee shop).

Conclusion: Moving from Panic to Prevention

Experiencing a hack is a painful lesson, but it’s one you only need to learn once. By following the cleanup steps in this guide, you can successfully restore your site. More importantly, by implementing a layered, proactive security strategy—starting with secure hosting, configured plugins, and smart user policies—you can move from a state of panic to one of prevention.

A secure website is not a one-time fix. It’s an ongoing process of vigilance. Keep your software updated, your passwords strong, and your backups regular. Your website is a valuable asset. It’s time to protect it like one.

Frequently Asked Questions (FAQs) About Hacked WordPress Sites

1. How do I know if my WordPress site is hacked? Common signs include: your homepage is defaced, you are redirected to spam sites, you see new and strange admin users, your site is flagged by Google with a “deceptive site” warning, you see spammy pop-ups, or your hosting company sends you a malware notification.

2. Can I just restore a clean backup and be done? Restoring a backup is a good start, but it’s not enough. If you don’t find and fix the vulnerability (like an outdated plugin) that the hacker used to get in, they will simply hack your site again, often within hours.

3. Will my hosting provider clean my site for me? It depends on your host. Cheap shared hosting plans usually offer very little help. Managed WordPress hosts (like Elementor Hosting) or high-quality security-focused hosts often provide active malware scanning and may offer cleanup services. You should always contact them first.

4. I’m locked out of my WordPress admin. What do I do? First, try the “Lost your password?” link. If that doesn’t work, you have two options:

  1. Via FTP: You can temporarily disable your security plugin by renaming its folder in /wp-content/plugins/. This might remove a firewall rule that’s blocking you.
  2. Via phpMyAdmin: You can go into the wp_users table in your database, find your username, and manually change the password. You’ll need to use the “MD5” function when entering the new password.

5. Why are hackers targeting my small blog? I have no traffic. Hackers rarely target you specifically. They use automated bots to scan millions of websites for common vulnerabilities. Your site is just a number. They want to use your server’s resources to send spam emails, host malware, or redirect your (future) visitors to their own malicious sites.

6. What is a “backdoor” in WordPress? A backdoor is a piece of code a hacker leaves behind that gives them hidden access to your site. Even after you change your passwords and clean up, they can use this backdoor to get right back in. They are often disguised as normal-looking files in your uploads, plugins, or themes folders. This is why you must reinstall all your plugins and themes from scratch.

7. Is a security plugin enough to protect my site? A security plugin is essential, but it’s not a complete solution. It’s one layer of a multi-layer strategy. A secure host (with a WAF), strong passwords, 2FA, regular updates, and smart user policies are all equally important.

8. What’s the difference between a WAF and a malware scanner? A malware scanner (like Wordfence Scan) scans the files already on your server to find existing infections. A Web Application Firewall (WAF) is a shield that stands in front of your site, blocking malicious traffic (like bots and hackers) before they can even reach your files. You need both.

9. My site is clean, but Google still shows a warning. How do I fix it? Once you are 100% sure the site is clean, you must request a review in Google Search Console. Log in, go to the “Security & Manual Actions” tab, and submit a review request. It typically takes 24-72 hours for Google to recrawl your site and remove the warning.

10. What is the single most important thing I can do to prevent being hacked? Update everything. Always. Keep WordPress core, all your plugins, and all your themes updated. The vast majority of hacks exploit known vulnerabilities in outdated software. This one simple habit is your single best defense.