WordPress Hacked? How to Detect, Clean Up and Prevent It Happening Again

Security | 22 April 2026 | By IceBoxDesigns

Your WordPress site works fine on Monday. By Tuesday, visitors are getting browser warnings, your Google traffic has collapsed, or you notice admin accounts you've never seen before. It happens fast, and the first reaction is usually panic.

The good news: recovery is absolutely possible if you act quickly and work through it methodically. This guide covers every stage, from spotting the warning signs of a hacked WordPress site, through containment and cleanup, to the hardening steps that make reinfection far less likely. Whether you're doing this yourself or handing it to someone else, the same process applies.

Key Takeaways

  • Most WordPress hacks are quiet. Redirects, hidden links and fake admin accounts are more common than a defaced homepage.
  • Act fast. The longer malware sits, the more SEO damage accumulates and the harder the cleanup becomes.
  • Cleaning files isn't enough. The database is a common hiding place for injected scripts and spam links.
  • Outdated plugins are the most common entry point, not WordPress core itself.
  • Hardening after cleanup (strong passwords, 2FA, correct file permissions) is what prevents the next attack.

How to Tell if Your WordPress Site Has Been Hacked

Catching a compromise early makes the difference between a quick cleanup and a full site rebuild. Most attacks don't announce themselves with a defaced homepage. They sit quietly in the background, redirecting traffic, using your server to send spam, or siphoning ad revenue from your visitors.

Unexpected Redirects and Pop-ups

You visit your homepage and land on a completely different site, often one selling fake goods or worse. The tricky part: these redirects frequently only fire for visitors who aren't logged in, so you won't see them from your own admin session. Open your site in an incognito window from a different device. If you end up on a strange URL, especially pharmaceutical spam or adult sites, that's a clear sign your WordPress site has been hacked.

Pop-ups you didn't install work the same way. Attackers inject JavaScript into your pages to serve ads and earn money from your visitors without your knowledge.

Google Safe Browsing Warnings

When Google flags your site, search results display messages like "This site may be hacked" or "This site may harm your computer." Chrome and other browsers may block visitors entirely with a full-page interstitial warning. Check Google Search Console. Security issue alerts there mean Google has found malware or suspicious behaviour on your site.

When this happens, search traffic can disappear overnight, and getting removed from blacklists takes time even after you've cleaned everything up. The sooner you act, the less damage your SEO will take.

Suspicious Admin Accounts

Go to your WordPress dashboard and navigate to Users > All Users. Look for accounts you didn't create, particularly any with Administrator rights. Hackers create backdoor admin accounts so they can return even after you've changed your passwords. These fake accounts often use generic usernames like "admin2", "support", or random character strings. Delete anything unfamiliar, but remember: removing the accounts alone isn't enough. The underlying malware still needs to go.

Modified Content

Attackers may rewrite pages or inject hidden links into your posts that send visitors to dangerous sites. These changes often go unnoticed because they look like legitimate content at first glance. Check the bottom of older posts, where hidden affiliate links or redirect scripts are commonly planted. Use the post revision history (click the post, then scroll down to "Revisions") to see exactly what changed and when.

PHP Files in Your Uploads Folder

In a normal WordPress setup, the wp-content/uploads/ directory should contain images and media files only. If you find .php files in there, treat them as suspicious. This is a classic sign of a file upload exploit.


Immediate Containment: What to Do First

Once you're confident your site has been compromised, these steps limit the damage while you prepare for a full cleanup.

1. Enable Maintenance Mode

Put your site into maintenance mode immediately. This stops visitors from being exposed to redirects or malware and protects your SEO from further damage. A plugin like WP Maintenance Mode works, or your hosting provider may be able to redirect traffic while you work.

2. Change Every Password

Change passwords for all of the following without delay:

  • All WordPress admin accounts
  • Your hosting control panel (cPanel, Plesk, or similar)
  • FTP and SFTP accounts
  • Your database user
  • Email accounts tied to your domain

Use a password manager like 1Password or Bitwarden to generate strong, unique passwords of at least 16 characters, mixing letters, numbers and symbols. Attackers who gain one set of credentials will try them everywhere else.

3. Remove Unauthorised Admin Users

Log into your dashboard, go to Users, and delete any account you didn't create, especially those with Administrator rights. This cuts off backdoor access while you work through the cleanup.

4. Deactivate All Plugins and Themes

Disable every plugin. Then go to Appearance > Themes and switch to a default WordPress theme such as Twenty Twenty-Four. This isolates potential vulnerabilities while you investigate which extensions were compromised. Re-enable them one at a time during cleanup to track down the source.

5. Document Before You Touch Anything

Take screenshots of errors, defacements and anything unusual. Note when you first noticed the problem. If you have a security plugin installed, export the activity logs. Even if files are infected, download a full backup via FTP and export your database via phpMyAdmin, storing both somewhere separate. Don't restore from them, but they may help you understand the attack vector.


Why WordPress Sites Get Hacked: The Most Common Attack Types

Most hacks aren't sophisticated. They're automated bots scanning millions of sites for known weaknesses.

Brute Force Login Attacks

Bots hammer wp-login.php with thousands of username and password combinations. They target common usernames like "admin" and use credential lists leaked from other breaches. Reused and default passwords are what make these attacks succeed.

Outdated Plugins and Themes

Most WordPress security vulnerabilities live in plugins, not in WordPress core. When a developer patches a security hole and releases an update, that announcement tells attackers exactly what to look for on every site that hasn't updated yet. Abandoned plugins (those with no updates in over two years) are especially risky. Nulled or pirated premium plugins are even worse. They often come with backdoors deliberately baked in.

SQL Injection

Poorly coded plugins can fail to sanitise database queries. Attackers inject malicious SQL through form fields, URL parameters or search boxes. A successful injection can extract your entire database, create new admin users, or modify site content. WordPress core uses prepared statements to prevent this, but third-party plugins don't always follow the same standards.

Cross-Site Scripting (XSS)

XSS attacks inject JavaScript into your site through comment forms, user profiles, or any field that displays user input without proper filtering. That script then runs in your visitors' browsers, potentially stealing session cookies or redirecting them to phishing pages. Stored XSS is particularly dangerous because the malicious script is saved in your database and affects everyone who views that content. According to Wordfence's WordPress Annual Security Report, XSS was the most common type of vulnerability in 2024, making up approximately half of all WordPress vulnerabilities that were disclosed publicly.

File Upload Exploits

When upload forms don't properly validate file types, attackers can upload PHP backdoors disguised as images. A file named photo.jpg.php can slip past basic checks. Once uploaded to a public directory, the attacker requests it directly and it executes on your server, giving them full control.


Step-by-Step: How to Clean a Hacked WordPress Site

Manual cleanup takes technical confidence, but it's the most thorough approach. Work through these steps in order.

Scan and Identify Infected Files

If your dashboard is still accessible, install Wordfence Security (the free version works for this). Run a full scan. Wordfence compares your files against clean versions from the WordPress repository and flags anything that doesn't match. Also run Sucuri's free SiteCheck tool or VirusTotal for a second opinion.

Look specifically for:

  • Base64-encoded strings
  • eval() function calls
  • gzinflate(), base64_decode, or unusual include statements
  • Suspiciously named files in core directories
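A read-only triage scan that covers both checks above (PHP files under uploads, and the eval/base64_decode/gzinflate markers in any PHP file) is shown here as an added example; it is not code from the article. The sample tree it builds is constructed for demonstration, the "backdoor" inside it is an inert text marker, and the /var/www/html path in the usage line is an assumption.

```shell
#!/bin/sh
# Added example, not from the original article: a read-only triage scan of a
# WordPress install. It lists PHP-like files under wp-content/uploads/ and greps
# every PHP file for the obfuscation markers listed above. Nothing is deleted.

# Extended regex of markers. Broad on purpose: a few legitimate plugins call
# base64_decode, so review each hit by hand before removing anything.
SUSPICIOUS='eval\(|base64_decode\(|gzinflate\(|str_rot13\(|preg_replace\(.*/e'

# php_in_uploads WP_ROOT -> one path per line for PHP-like files under uploads
php_in_uploads() {
  find "$1/wp-content/uploads" -type f \
    \( -iname '*.php' -o -iname '*.phtml' -o -iname '*.php[57]' -o -iname '*.phar' \) \
    2>/dev/null
}

# suspicious_php WP_ROOT -> "file:line:text" for every line matching $SUSPICIOUS
suspicious_php() {
  find "$1" -type f -iname '*.php' -exec grep -nHE "$SUSPICIOUS" {} + 2>/dev/null
}

# triage WP_ROOT -> prints a report; returns 1 if anything was flagged, 0 if clean
triage() {
  uploads=$(php_in_uploads "$1")
  flagged=$(suspicious_php "$1")
  [ -n "$uploads" ] && printf 'PHP files under uploads:\n%s\n' "$uploads"
  [ -n "$flagged" ] && printf 'Obfuscation markers:\n%s\n' "$flagged"
  [ -z "$uploads" ] && [ -z "$flagged" ]
}

# make_sample -> builds a constructed throwaway tree for demonstration and prints
# its path. The "backdoor" is an inert text marker, not working code.
make_sample() {
  root=$(mktemp -d)
  mkdir -p "$root/wp-content/uploads/2026/04" "$root/wp-includes"
  printf '<?php echo "clean";\n' > "$root/wp-includes/clean.php"
  printf 'JFIF... not php\n' > "$root/wp-content/uploads/2026/04/photo.jpg"
  printf '<?php eval(base64_decode($_x));\n' \
    > "$root/wp-content/uploads/2026/04/photo.jpg.php"
  echo "$root"
}

# Run against a real install (path is an assumption): sh triage.sh /var/www/html
if [ $# -gt 0 ]; then triage "$1"; fi
```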

Remove Malicious Users, Backdoors and Files

Connect via SFTP using a client like FileZilla. Navigate to wp-content/uploads/ and search for .php files. Download a copy for review if you want, then delete them. They should not be there.

Next, replace WordPress core files entirely:

  1. Delete the /wp-admin/ and /wp-includes/ directories completely.
  2. Download a fresh copy of WordPress from WordPress.org.
  3. Upload the clean /wp-admin/ and /wp-includes/ folders.
  4. Overwrite the root core files (for example, wp-login.php, wp-load.php, wp-settings.php).
  5. Do not overwrite wp-config.php or anything inside wp-content/.

Then open wp-config.php and .htaccess and carefully review them for anything unusual. Remove any obfuscated code or unexpected eval, gzinflate, base64_decode or suspicious include statements that have no business being in a config file.

A legitimate .htaccess for a WordPress site should look something like this:

# BEGIN WordPress
<IfModule mod_rewrite.c>
RewriteEngine On
RewriteBase /
RewriteRule ^index\.php$ - [L]
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteRule . /index.php [L]
</IfModule>
# END WordPress

If your .htaccess contains anything else you don't recognise, especially obfuscated code blocks or unexpected redirect rules, remove those additions and keep only the standard WordPress block above.

Update Everything

Once you've replaced compromised files, update WordPress core, all plugins and all themes to the latest versions immediately. Go to Dashboard > Updates. If WordPress offers a newer version, install it. You can also click "Re-install Now" on the current version to refresh core files with clean copies without affecting your content or database.

Remove any plugins you no longer need. Fewer plugins means fewer attack surfaces. Delete inactive themes too. Even a disabled theme can be exploited if it contains vulnerabilities.

Clean the Database

Malware doesn't always live in files. Attackers frequently inject spam links, malicious scripts or hidden code directly into the database, meaning your site can stay compromised even after the filesystem is clean.

Open phpMyAdmin (or your host's database tool) and export a full backup before touching anything. Then check these areas:

Table        | What to look for
wp_users     | Admin accounts you didn't create
wp_options   | Verify siteurl, home and admin email are correct; look for injected scripts
wp_posts     | Spam links, hidden <script> tags, iframes or unexpected HTML
wp_comments  | Injected links or scripts in comment content

Remove suspicious entries carefully, then re-scan your site to confirm nothing is reappearing. If the database is heavily infected or you're not sure what's legitimate, restoring from a known-clean backup taken before the hack is the safest option.
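One way to triage the database export taken above before editing any rows, as an added example rather than code from the article: it reads a phpMyAdmin or mysqldump .sql file, reports rows containing script, iframe or obfuscation markers together with the table they belong to, and prints the stored siteurl and home values. The small dump it writes is constructed for demonstration and points only at reserved example domains.

```shell
#!/bin/sh
# Added example, not from the original article: triage of a database export
# (.sql from phpMyAdmin or mysqldump) before any row is touched.

# scan_dump DUMP.sql -> "table<TAB>first 120 chars of the row" per suspicious row.
# awk remembers the table from each INSERT INTO `table` header so that rows of a
# multi-line INSERT statement are attributed to the right table.
scan_dump() {
  awk '
    /^INSERT INTO `/ { split($0, part, "`"); table = part[2] }
    /<script|<iframe|eval\(|base64_decode\(/ { print table "\t" substr($0, 1, 120) }
  ' "$1"
}

# site_urls DUMP.sql -> "siteurl=..." and "home=..." exactly as stored in wp_options.
# A value pointing at a domain you do not own is a classic redirect hack.
site_urls() {
  grep -oE "'(siteurl|home)', *'[^']*'" "$1" | sed "s/'//g; s/, */=/"
}

# make_dump -> writes a small constructed dump for demonstration and prints its
# path. The injected <script> row is a placeholder using a reserved example domain.
make_dump() {
  f=$(mktemp)
  cat > "$f" <<'EOF'
INSERT INTO `wp_options` (`option_id`, `option_name`, `option_value`, `autoload`) VALUES
(1, 'siteurl', 'https://example.com', 'yes'),
(2, 'home', 'https://example.com', 'yes');
INSERT INTO `wp_posts` (`ID`, `post_title`, `post_content`) VALUES
(10, 'Hello world', '<p>Welcome to my site.</p>'),
(11, 'Old post', '<p>Archive.</p><script src="https://example.net/inject.js"></script>');
INSERT INTO `wp_comments` (`comment_ID`, `comment_content`) VALUES
(5, 'Nice post, thanks.');
EOF
  echo "$f"
}

# Run against a real export (file name is an assumption): sh scan_dump.sh backup.sql
if [ $# -gt 0 ]; then scan_dump "$1"; site_urls "$1"; fi
```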


When to Hire a Professional

DIY cleanup works if you're technically confident. But there are situations where professional WordPress malware removal is the right call:

  • You've cleaned the site yourself but the infection keeps returning
  • Your hosting account has been suspended due to malicious activity
  • The site is still flagged as unsafe after cleanup
  • You don't have the time or confidence to handle it safely
  • You're concerned about persistent backdoors you might have missed

Reputable services typically include file and database cleanup (combining automated scanning with manual review), blacklist removal support with Google and other security services, root cause investigation, and security hardening recommendations. Many offer cleanup warranties of 15 to 30 days, meaning they'll re-clean at no extra cost if the site is reinfected within that period.

One-time cleanups generally cost anywhere from $59 to $400 or more per site, depending on the severity of the infection and what's included. Monthly security subscriptions can start at $10 to $20 a month and typically include ongoing monitoring, firewall protection and malware cleanup. For sites handling transactions or sensitive data, a subscription model focused on prevention and early detection often makes more sense than a one-time fix.

Always check exactly what's included before paying. Some services charge separately for blacklist removal, faster turnaround, or hardening work. Read reviews carefully and watch for recurring complaints about hidden fees or incomplete cleanups.

If you'd rather hand the whole thing off, our website maintenance service covers ongoing security monitoring, malware cleanup and WordPress updates, so problems get caught and dealt with before they escalate.


After Cleanup: Hardening Your WordPress Site

Cleaning up solves the immediate problem. Hardening is what stops the next one.

Strengthen Login Security

If you still have a user account with the username "admin", replace it. Create a new administrator account with a different username, log in with it, then delete the old one and reassign its content to the new account.

Enable two-factor authentication (2FA) for all admin accounts via a security plugin. Enable login rate limiting to slow down brute force attacks, with limits set sensibly so legitimate users aren't locked out.

If you don't use XML-RPC (for example, you don't use the WordPress mobile app or Jetpack features that require it), disable it. You can do this via your security plugin or at the server level.

You can also add this to your .htaccess to block direct access to xmlrpc.php if you don't need it:

# Apache 2.2 directives, still accepted on Apache 2.4 through mod_access_compat.
# On a 2.4-only host replace the two Order/Deny lines with: Require all denied
<Files xmlrpc.php>
Order Deny,Allow
Deny from all
</Files>

Lock Down File Permissions

Use restrictive file permissions to limit what an attacker can modify:

Item           | Recommended Permission
Directories    | 755
Files          | 644
wp-config.php  | 600 to 640 (as strict as your host allows)

Never set permissions to 777. Use your host's file manager or an SFTP client to apply changes carefully.

Disable the built-in WordPress file editor by adding this line to wp-config.php:

define('DISALLOW_FILE_EDIT', true);

This removes the Theme Editor and Plugin Editor from wp-admin, limiting the damage an attacker can do even if they gain access to an admin account.
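The permission scheme from the table above and the DISALLOW_FILE_EDIT check, applied over SSH and then audited, as an added example that is not code from the article. It assumes a shell login with rights to chmod the WordPress tree; on shared hosting without SSH the audit logic still describes what to look for in an SFTP listing.

```shell
#!/bin/sh
# Added example, not from the original article: apply directories 755, files 644
# and wp-config.php 640, then audit for the two things that matter most: anything
# world-writable (the 777 problem) and a wp-config.php readable by "other".

# harden_perms WP_ROOT -> directories 755, files 644, wp-config.php 640
harden_perms() {
  find "$1" -type d -exec chmod 755 {} +
  find "$1" -type f -exec chmod 644 {} +
  if [ -f "$1/wp-config.php" ]; then chmod 640 "$1/wp-config.php"; fi
}

# audit_perms WP_ROOT -> prints "Fix: path" lines; returns 0 only if none found
audit_perms() {
  {
    find "$1" -perm -002 2>/dev/null
    [ -f "$1/wp-config.php" ] && find "$1/wp-config.php" -perm -004 \
      | sed 's/$/ (readable by other)/'
  } | {
    n=0
    while IFS= read -r line; do echo "Fix: $line"; n=$((n+1)); done
    [ "$n" -eq 0 ]
  }
}

# file_edit_disabled WP_ROOT -> 0 if wp-config.php defines DISALLOW_FILE_EDIT as true
# (the "." stands for either quote style around the constant name)
file_edit_disabled() {
  grep -Eq 'define\([[:space:]]*.DISALLOW_FILE_EDIT.[[:space:]]*,[[:space:]]*true[[:space:]]*\)' \
    "$1/wp-config.php" 2>/dev/null
}

# Run on a real install (path is an assumption): sh perms.sh /var/www/html
if [ $# -gt 0 ]; then
  harden_perms "$1" && audit_perms "$1" && echo "permissions OK"
  file_edit_disabled "$1" || echo "DISALLOW_FILE_EDIT is not set in wp-config.php"
fi
```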

Establish a Maintenance Routine

WordPress security is ongoing, not a one-off job. A simple schedule:

  • Weekly: update plugins and themes, review admin users, run a security scan
  • Monthly: verify backups and test restores, review security logs, check Search Console for warnings
  • Quarterly: audit and remove unused plugins, review file permissions and key settings

If you're running a higher-risk site or handling sensitive data, an isolated hosting environment (such as a VPS) gives you stronger resource isolation and more control for server-level hardening, including SSH key authentication, custom firewall rules and tools like fail2ban. Combined with good WordPress hygiene, this creates a practical defence in depth.


Getting Blacklist Removal After a Hack

Even after a thorough cleanup, your site may remain flagged by Google Safe Browsing or other security services until you actively request a review. In Google Search Console, go to Security Issues, confirm the issues are resolved, and submit a review request. The same applies to other blacklists such as McAfee SiteAdvisor or Sucuri's blacklist. It can take a few days to a couple of weeks for each service to recheck your site and lift the warning. Don't skip this step, because the warning itself continues to damage traffic and conversions even when the malware is gone.


If you've been through a hack and want someone to take ongoing security off your plate, take a look at our website maintenance plans. We handle updates, monitoring and security so you can focus on running your business.

Frequently asked questions

What should I do first if my WordPress site has been hacked?

Enable maintenance mode to stop visitors being exposed to malware, then immediately change all passwords: WordPress admin accounts, your hosting control panel, SFTP, database and any email accounts linked to password resets. Run a malware scan, and if you have a clean backup from before the hack, restore from that. If not, follow the manual cleanup steps: replace WordPress core files, remove compromised plugins and themes, and clean the database.

Why does my WordPress site keep getting hacked even after I clean it?

Reinfection usually means the original entry point wasn't fully dealt with. Common causes include hidden backdoors left in place, outdated plugins or themes that still have vulnerabilities, reused or compromised credentials, or a hacked hosting account. Reinstall everything from clean sources, rotate all credentials, enable 2FA on admin accounts, and check wp-content carefully for unfamiliar files.

What is the most common way WordPress sites get hacked?

Outdated plugins are the most common entry point, not WordPress core. When a plugin vulnerability is patched, the announcement also tells attackers what to target on unpatched sites. Brute force attacks on weak passwords and XSS vulnerabilities are also common. According to Wordfence's WordPress Annual Security Report, XSS made up approximately half of all WordPress vulnerabilities disclosed publicly in 2024.

How much does professional WordPress malware removal cost?

One-time cleanups typically range from $59 to $400 or more per site, depending on the severity of the infection and what's included (database cleanup, blacklist removal support, hardening). Monthly security subscriptions can start at $10 to $20 a month and generally include ongoing monitoring, firewall protection and malware cleanup. Always check what's included before paying, as some services charge separately for blacklist removal or faster turnaround.
