How to fix a hacked WordPress website
Your WordPress site gets hacked and suddenly everything’s at risk. Business reputation takes a hit, search rankings plummet and you’re staring down potential legal issues that could drag on for months. Most attacks don’t wave red flags though. They work quietly in the background, stealing data and hijacking your server resources while you carry on unaware. When you’re handling WordPress maintenance and security projects or running mission-critical sites, knowing how to respond quickly can save you weeks of problems and serious regulatory trouble.
Getting back on track after a hack isn’t straightforward. You’ll need to dig deep, clean everything properly and lock things down tight. This guide walks you through the whole recovery process, from spotting the problem to making sure it never happens again.
Recognising the Warning Signs
WordPress hacks rarely shout about themselves with flashy defacements. Attackers want to stay hidden so they can keep extracting value from your site. Watch out for these warning signs:
- Redirects to unfamiliar websites, often triggered only on mobile devices or when arriving from search engines
- New administrator accounts with generic usernames like “admin2” or randomised character strings
- Unexplained spikes in server resource usage or outbound traffic, suggesting spam operations or botnet participation
- Google Search Console warnings about malware, phishing attempts or compromised content
- Modified timestamps on core WordPress files, particularly wp-config.php or files within wp-includes
- Suspicious JavaScript injected into theme header or footer files
- Unfamiliar files with random names appearing in uploads directories or plugin folders
- Hosting provider suspension notices or abuse complaints
Smart hackers don’t just flip a switch and break everything. They set up conditional triggers that activate only in specific situations, which means your site might redirect Google visitors to dodgy pages while working perfectly when you check it directly. These triggers are designed to extract value from your traffic without setting off alarm bells right away. If something feels off, test your site from different devices and browsers to see how it behaves when people arrive from various sources.
WordPress sites can stay compromised for months without anyone noticing. Catching an attack early makes all the difference. The longer it runs, the more damage it does to your search visibility, user confidence and compliance status.
Set up proper monitoring to spot trouble before it spirals. Keep tabs on user accounts, file changes and traffic patterns regularly. This helps you tell the difference between normal website behaviour and something suspicious.
Immediate Response Protocol
Swift action in those first hours makes all the difference. How quickly you respond determines whether you’re looking at a minor cleanup or a complete rebuild, and methodical moves now preserve the evidence you’ll need later.
Pull that site offline straight away. A maintenance page or server redirect stops visitors from hitting malicious content whilst blocking any further damage. If you’re running WooCommerce or handling personal data, this also keeps you compliant with UK data protection rules.
Every single password needs changing. WordPress admin accounts, database access, FTP credentials, hosting panels, API keys, the lot. Attackers love creating backdoors through compromised passwords, which means even perfect malware removal won’t help if they can walk back in through the original door.
Before you touch anything else, back up that infected site completely. Yes, it sounds counterintuitive, but this backup preserves forensic evidence and gives you a safety net if cleanup goes sideways. Store it away from your regular backup system.
Get your hosting provider’s security team involved now. These professionals see compromised sites daily, so they can pull server logs, pinpoint when the attack happened and spot the entry route. They’ll also check if other sites on your server got hit. Many managed WordPress hosts will handle the entire cleanup as standard service.
Investigating the Attack Vector
WordPress malware cleanup without proper investigation guarantees reinfection. Attackers will stroll back through that same vulnerability within days of your cleanup.
Attackers target outdated plugins within hours of vulnerability disclosures. Most WordPress compromises happen this way, which means that plugin sitting untouched for six months is a massive security liability. Security researchers find flaws in popular plugins constantly and cybercriminals scan for vulnerable sites faster than you’d think.
Brute force attacks still work embarrassingly well. People stick with “admin” usernames and choose passwords like “password123”. If hackers broke into your site this way, you’ll see repeated failed login attempts in your server logs followed by that one successful entry.
Downloaded that premium theme from a suspicious site for free? This creates risk. Nulled themes often ship with backdoors already built into the code, so you’re installing malware from day one.
| Attack Vector | Detection Method | Log Indicators | Prevention |
|---|---|---|---|
| Plugin Vulnerability | Check plugin versions against CVE databases | POST requests to specific plugin files | Automatic updates, regular audits |
| Brute Force | Review failed login attempts | Repeated wp-login.php attempts from single IP | Strong passwords, login limiting, 2FA |
| Compromised Theme | Compare against official theme repository | Suspicious file modifications | Official themes only, integrity monitoring |
| File Upload Exploit | Check uploads directory for PHP files | POST requests to upload handlers | File type restrictions, directory permissions |
Your server logs contain the evidence. Check them for the days before things went sideways. POST requests hitting unusual URLs, particularly in plugin folders, traffic spikes to wp-login.php, or requests for files that don’t exist all indicate an attack in progress. Your hosting provider can walk you through the log format if it looks unfamiliar.
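As an added worked example (not from the original article), here is how those log indicators can be pulled out of a combined-format access log with standard shell tools. The log lines are constructed for the example: the IP addresses come from documentation ranges and /wp-content/plugins/example-plugin/ is a placeholder path, not a real plugin.

```shell
#!/bin/sh
# Added example: triage of access-log lines for the indicators in the table above.
# SAMPLE_LOG is constructed for this demonstration; on a real server feed in the
# actual access log instead (see the note after this block).
SAMPLE_LOG=$(cat <<'EOF'
203.0.113.45 - - [12/Mar/2024:02:14:01 +0000] "POST /wp-login.php HTTP/1.1" 200 4211 "-" "python-requests/2.31"
203.0.113.45 - - [12/Mar/2024:02:14:02 +0000] "POST /wp-login.php HTTP/1.1" 200 4211 "-" "python-requests/2.31"
203.0.113.45 - - [12/Mar/2024:02:14:03 +0000] "POST /wp-login.php HTTP/1.1" 200 4211 "-" "python-requests/2.31"
203.0.113.45 - - [12/Mar/2024:02:14:04 +0000] "POST /wp-login.php HTTP/1.1" 200 4211 "-" "python-requests/2.31"
203.0.113.45 - - [12/Mar/2024:02:14:05 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "python-requests/2.31"
203.0.113.45 - - [12/Mar/2024:02:15:10 +0000] "POST /wp-content/plugins/example-plugin/upload.php HTTP/1.1" 200 58 "-" "python-requests/2.31"
203.0.113.45 - - [12/Mar/2024:02:15:11 +0000] "POST /wp-content/plugins/example-plugin/upload.php HTTP/1.1" 200 58 "-" "python-requests/2.31"
192.0.2.200 - - [12/Mar/2024:03:02:00 +0000] "GET /wp-content/plugins/not-installed-plugin/readme.txt HTTP/1.1" 404 196 "-" "curl/8.4"
192.0.2.200 - - [12/Mar/2024:03:02:01 +0000] "GET /backup.zip HTTP/1.1" 404 196 "-" "curl/8.4"
198.51.100.7 - - [12/Mar/2024:09:30:12 +0000] "GET /about/ HTTP/1.1" 200 15230 "https://www.example.com/" "Mozilla/5.0"
198.51.100.7 - - [12/Mar/2024:09:31:40 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "https://www.example.com/wp-login.php" "Mozilla/5.0"
EOF
)

# Number of POST requests to wp-login.php per client IP, busiest first.
# Combined log format fields: $1 client IP, $6 quoted method, $7 request path, $9 status code.
login_posts_by_ip() {
    printf '%s\n' "$SAMPLE_LOG" \
        | awk '$6 == "\"POST" && $7 == "/wp-login.php" { n[$1]++ }
               END { for (ip in n) print n[ip], ip }' \
        | sort -rn
}

# IPs with at least $1 failed logins followed by a success. WordPress re-renders the login
# form with a 200 on failure and answers a successful login with a 302 redirect, so this is
# the "repeated failures followed by that one successful entry" pattern from the text.
breakthrough_ips() {
    printf '%s\n' "$SAMPLE_LOG" \
        | awk -v min="$1" '
            $6 == "\"POST" && $7 == "/wp-login.php" && $9 == 200 { fail[$1]++ }
            $6 == "\"POST" && $7 == "/wp-login.php" && $9 == 302 { ok[$1]++ }
            END { for (ip in ok) if (fail[ip] >= min) print ip }'
}

# POST requests aimed directly at files inside plugin folders, grouped by path.
plugin_post_targets() {
    printf '%s\n' "$SAMPLE_LOG" \
        | awk '$6 == "\"POST" && $7 ~ /^\/wp-content\/plugins\// { n[$7]++ }
               END { for (p in n) print n[p], p }' \
        | sort -rn
}

# Requests for files that do not exist (404s), grouped by client IP: someone probing for
# plugins and backups you may not have.
missing_file_probes() {
    printf '%s\n' "$SAMPLE_LOG" \
        | awk '$9 == 404 { n[$1]++ } END { for (ip in n) print n[ip], ip }' \
        | sort -rn
}
```

On a real server, replace the SAMPLE_LOG variable with the contents of the access log (on Debian-based hosts running Apache that is typically /var/log/apache2/access.log) and adjust the failure threshold passed to breakthrough_ips to suit your normal traffic. The address that appears in both the brute-force list and the plugin-POST list is the one to trace through the rest of the log.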
Complete Malware Removal
Today’s WordPress malware is sophisticated. It splits code across multiple files so each piece looks innocent, hides in database entries where you won’t think to look, or uses base64 encoding to scramble itself beyond recognition.
Automated scanning beats manual hunting every time. Use established security plugins since each one catches different threats:
- Wordfence compares installed files against WordPress.org repository versions and includes real-time firewall protection
- Sucuri combines remote scanning with optional server-side detection and offers professional cleanup
- MalCare uses cloud-based scanning to reduce server load and provides automated malware removal
- Solid Security focuses on file change detection and forward-thinking hardening measures
Scan everything and go through each warning one by one. False positives happen all the time and your custom code might look suspicious to security tools. Treat anything unexpected as guilty until proven innocent.
PHP files hiding in wp-content/uploads indicate trouble. Upload directories shouldn’t contain executable code, so delete those PHP files straight away.
Download a fresh copy of your WordPress version and compare the wp-includes and wp-admin folders against what you’ve got. Differences mean trouble. Either someone’s been tampering or your updates didn’t finish properly, which means you’ll want to replace those entire directories with clean versions.
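The three file checks described in this section (PHP files in uploads, the wp-includes and wp-admin directories compared against a fresh download, and the base64/eval style obfuscation mentioned earlier) as one added shell example; this is not code from the original article. It builds a small constructed fixture in a temporary directory so it runs offline: the file names and contents in the fixture are made up, and on a real server you would point the functions at the extracted WordPress download and your document root instead.

```shell
#!/bin/sh
# Added example: file-level checks from the cleanup section, run against a constructed fixture.

# Build a tiny "clean download" tree (ref) and a "live site" tree (site) with one modified core
# file, one extra core file and two executable files hiding in uploads. Prints the fixture root.
make_fixture() {
    root=$(mktemp -d)
    for t in ref site; do
        mkdir -p "$root/$t/wp-includes" "$root/$t/wp-admin" "$root/$t/wp-content/uploads/2024/03"
        printf '<?php\nfunction wp_example() { return 1; }\n' > "$root/$t/wp-includes/functions.php"
        printf '<?php\n// admin bootstrap\n' > "$root/$t/wp-admin/admin.php"
    done
    # Tampering: an obfuscated line appended to a core file (QUJD is just base64 for "ABC")
    printf "eval(base64_decode('QUJD'));\n" >> "$root/site/wp-includes/functions.php"
    # A file with no counterpart in the clean download (constructed name)
    printf '<?php\n// not part of WordPress\n' > "$root/site/wp-includes/wp-extra-file.php"
    # Executable code where only media belongs (constructed names)
    printf '<?php phpinfo();\n' > "$root/site/wp-content/uploads/2024/03/image.php"
    printf '<?php echo 1;\n' > "$root/site/wp-content/uploads/2024/03/thumb.phtml"
    printf 'GIF89a' > "$root/site/wp-content/uploads/2024/03/photo.gif"
    echo "$root"
}

# Executable files (PHP and PHP-like extensions) anywhere under the uploads directory of site $1.
find_php_in_uploads() {
    find "$1/wp-content/uploads" -type f \
        \( -iname '*.php' -o -iname '*.php[0-9]' -o -iname '*.phtml' -o -iname '*.phar' \) | sort
}

# Compare directory $3 (wp-includes or wp-admin) of the live site $2 against the clean reference $1.
# Prints MODIFIED for files whose bytes differ and EXTRA for files the clean copy does not have.
compare_core_dir() {
    ref=$1; site=$2; sub=$3
    (cd "$site/$sub" && find . -type f | sort) | while IFS= read -r f; do
        rel=${f#./}
        if [ ! -f "$ref/$sub/$rel" ]; then
            echo "EXTRA $sub/$rel"
        elif ! cmp -s "$ref/$sub/$rel" "$site/$sub/$rel"; then
            echo "MODIFIED $sub/$rel"
        fi
    done
}

# PHP files under $1 that contain the obfuscation primitives mentioned in the text. Not every hit
# is malware (some legitimate plugins use base64_decode), so treat the output as a review queue.
scan_for_obfuscation() {
    grep -rlE --include='*.php' 'eval\(|base64_decode\(|gzinflate\(|str_rot13\(|assert\(' "$1" | sort
}
```

compare_core_dir reports only what is different or extra; a file that is missing from the live site will not be listed, which is another reason the article's advice to replace the whole wp-includes and wp-admin directories with clean copies is the right call once anything at all shows up.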
Investigate your database for unauthorised administrator accounts using this SQL query:
```sql
-- Tables and the capabilities meta key use the wp_ prefix by default; if $table_prefix in
-- wp-config.php is different, rename wp_users, wp_usermeta and wp_capabilities to match
SELECT u.ID, u.user_login, u.user_email, u.user_registered
FROM wp_users AS u
INNER JOIN wp_usermeta AS m ON u.ID = m.user_id
WHERE m.meta_key = 'wp_capabilities'
  AND m.meta_value LIKE '%administrator%'
ORDER BY u.user_registered DESC;
```
Any admin accounts you don’t recognise need to go, especially recent ones with suspicious email addresses. Check wp_options for unusual entries whilst you’re at it, particularly anything with serialised data that could be hiding malicious code.
Post-Recovery Hardening
Cleaning out malware is just the start. Most sites get reinfected within weeks because the security holes that let hackers in are still wide open.
Those WordPress security keys need changing right now. Hackers can forge authentication tokens with compromised keys, which means password changes won’t protect you. Head to the WordPress secret key service, get fresh keys and drop them into your wp-config.php file.
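The key rotation just described, as an added shell example that is not part of the original article: it generates the eight key and salt defines locally from the kernel's random source (an offline alternative to fetching them from the secret-key service) and swaps them into wp-config.php in place. The sample config written by make_sample_config is constructed for the demonstration; on a real site you pass the path of your own wp-config.php to rotate_salts_in_config.

```shell
#!/bin/sh
# Added example: rotate the WordPress authentication keys and salts in wp-config.php.

WP_KEYS="AUTH_KEY SECURE_AUTH_KEY LOGGED_IN_KEY NONCE_KEY AUTH_SALT SECURE_AUTH_SALT LOGGED_IN_SALT NONCE_SALT"

# 64 random printable characters from /dev/urandom. Single quotes and backslashes are left out
# of the character set so the value can sit inside a PHP single-quoted string without escaping.
random_key() {
    LC_ALL=C tr -dc 'A-Za-z0-9!@#$%^&*()_+=-' < /dev/urandom | head -c 64
}

# One define() line per key, ready to paste into wp-config.php.
generate_wp_salts() {
    for k in $WP_KEYS; do
        printf "define('%s', '%s');\n" "$k" "$(random_key)"
    done
}

# Replace the existing key/salt defines in file $1, leaving every other line untouched.
# awk writes to a temp file first, so a failure part-way cannot leave a half-written config.
rotate_salts_in_config() {
    cfg=$1
    tmp=$(mktemp)
    generate_wp_salts > "$tmp.salts"
    awk -v saltfile="$tmp.salts" '
        BEGIN { while ((getline line < saltfile) > 0) { split(line, p, "\047"); fresh[p[2]] = line } }
        /^define\(/ { split($0, q, "\047"); if (q[2] in fresh) { print fresh[q[2]]; next } }
        { print }
    ' "$cfg" > "$tmp" && cat "$tmp" > "$cfg"
    rm -f "$tmp" "$tmp.salts"
}

# Constructed wp-config.php carrying the placeholder keys a fresh install ships with. Prints its path.
make_sample_config() {
    f=$(mktemp)
    cat > "$f" <<'EOF'
<?php
define('DB_NAME', 'wordpress');
define('DB_USER', 'wp_user');
define('AUTH_KEY',         'put your unique phrase here');
define('SECURE_AUTH_KEY',  'put your unique phrase here');
define('LOGGED_IN_KEY',    'put your unique phrase here');
define('NONCE_KEY',        'put your unique phrase here');
define('AUTH_SALT',        'put your unique phrase here');
define('SECURE_AUTH_SALT', 'put your unique phrase here');
define('LOGGED_IN_SALT',   'put your unique phrase here');
define('NONCE_SALT',       'put your unique phrase here');
$table_prefix = 'wp_';
EOF
    echo "$f"
}
```

Rotating the keys invalidates every existing login cookie, legitimate and otherwise, which is exactly what you want after a compromise: anyone holding a session forged or stolen under the old keys is logged out immediately. Expect to sign in again yourself afterwards.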
Your wp-config.php file needs these hardening tweaks:
```php
// Disable the theme and plugin file editor in the WordPress admin
define('DISALLOW_FILE_EDIT', true);
// Force SSL for logins and the admin area
define('FORCE_SSL_ADMIN', true);
// Limit post revisions to reduce database bloat
define('WP_POST_REVISIONS', 5);
// Keep the automatic updater enabled (false is the default) and take every core update, not just minor ones
define('AUTOMATIC_UPDATER_DISABLED', false);
define('WP_AUTO_UPDATE_CORE', true);
```
The two add_filter() calls that switch on automatic plugin and theme updates don’t belong in wp-config.php: that file is read before WordPress loads its plugin API, so add_filter() is undefined at that point and the call takes the whole site down with a fatal error. Put them in a must-use plugin instead, which WordPress loads automatically from wp-content/mu-plugins/:
```php
<?php
// wp-content/mu-plugins/auto-updates.php: enable automatic updates for plugins and themes
add_filter('auto_update_plugin', '__return_true');
add_filter('auto_update_theme', '__return_true');
```
Disabling the file editor won’t stop determined attackers from uploading malicious plugins. It does close one common code injection pathway that authenticated attackers love to exploit.
Time to strengthen your .htaccess files with some protective rules. Apache does not allow <Directory> blocks inside .htaccess (they are only valid in the main server configuration, and using one here produces a 500 error for the whole site), so the uploads rule lives in its own file at wp-content/uploads/.htaccess:
```apache
# wp-content/uploads/.htaccess: block execution of PHP (and PHP-like) files anywhere under uploads
<FilesMatch "\.(php|php[0-9]|phtml|phar)$">
    # Apache 2.4 syntax
    <IfModule mod_authz_core.c>
        Require all denied
    </IfModule>
    # Apache 2.2 syntax
    <IfModule !mod_authz_core.c>
        Order Allow,Deny
        Deny from all
    </IfModule>
</FilesMatch>
```
The remaining rules go in the .htaccess at the WordPress root:
```apache
# Disable directory browsing
Options -Indexes

# Block direct access to sensitive files (wp-config.php is covered here, so it needs no separate <Files> block)
<FilesMatch "^(wp-config\.php|readme\.html|license\.txt|php\.ini|\.htaccess)$">
    <IfModule mod_authz_core.c>
        Require all denied
    </IfModule>
    <IfModule !mod_authz_core.c>
        Order Allow,Deny
        Deny from all
    </IfModule>
</FilesMatch>
```
Reload the site after each change rather than adding everything at once: if your host has not granted AllowOverride for the Options directive, the Options -Indexes line alone will trigger a 500 error, and you want to know which line caused it.
Two-factor authentication on admin accounts isn’t optional anymore. It blocks nearly every brute force attack out there. Even stolen passwords become useless without that second authentication step.
A proper professional WordPress development service makes sense here, covering regular scans, updates and monitoring. The investment costs less than what another hack will do to your business.
UK Data Protection Compliance
If your hacked WordPress site holds personal data, you’re now facing UK GDPR obligations that carry serious penalties if ignored.
The law’s clear on this. Report personal data breaches to the Information Commissioner’s Office within 72 hours if they’re likely to harm individuals’ rights and freedoms. High-risk breaches need direct notification to affected people without delay.
That contact form hack exposing customer details almost certainly hits ICO notification thresholds and WooCommerce breaches with addresses and purchase histories definitely qualify. Even potential access to personal data systems might trigger reporting requirements, whether or not hackers took anything.
Every detail matters when documenting the incident: when you discovered it, which systems were hit, what types of data were involved, what steps you took to fix things and when you completed each action. The ICO wants this information, and organised documentation shows you’re handling the incident properly.
Not sure whether your breach needs reporting? The ICO’s website has guidance and they run a helpline for reporting queries. It’s better to ask than face penalties later.
Building Long-Term Prevention
Prevention costs a fraction of what you’ll spend cleaning up another hack, in time, money and stress alike.
Your WordPress site needs the latest versions of everything. Core, themes and plugins. Set up automatic updates where you can. That plugin that hasn’t been touched in over a year needs replacing with something that’s actively maintained.
Each plugin you install gives hackers another way in. Clean house regularly and delete rather than just deactivate anything you’re not using. Same goes for themes. Keep your active one plus a default backup, then bin the rest.
Budget hosting might seem tempting, but it sticks your site next to hundreds of others on one server. When neighbouring sites get hacked, attackers often break into the whole server, which means your site’s at risk too. Managed WordPress hosting costs more but gives you isolation, automatic updates, daily backups and round-the-clock monitoring, eliminating whole categories of threats.
Strong passwords aren’t enough these days. You need to limit login attempts, change that default wp-login.php URL and block IPs that keep failing authentication attempts. Most security plugins sort this out with minimal setup required.
Backups are pointless if you can’t restore from them. Test your backup system regularly and store copies with different providers than your main host. If your server gets completely compromised, you’ve still got clean copies elsewhere.
Set up monitoring everywhere you can. Google Search Console will flag malware, security plugins watch for suspicious file changes and uptime monitors catch unexpected outages. The sooner you spot trouble, the less damage it’ll do.
Professional Security Services
Some situations call for professional help rather than tackling the problem yourself.
Malware keeps coming back after you’ve cleaned it. There’s a backdoor hiding somewhere you haven’t found. Professional security teams have specialised tools that dig deeper than the automated scanners most people rely on and they know the spots where attackers love to plant their persistence mechanisms.
Payment processing sites can’t afford mistakes. Neither can any site that handles sensitive customer data. The stakes are too high for guesswork. A botched cleanup could create new vulnerabilities or compliance problems on top of your existing issues.
Time matters. Your compromised site damages trust and search rankings with every passing day it stays infected, so swift professional resolution delivers real business value if you can’t dedicate the hours needed for proper recovery.
Priority Pixels provides WordPress support that includes security incident response. Our team knows exactly where attackers typically hide their tools and can handle the entire recovery process.
The Information Commissioner’s Office provides detailed guidance on reporting personal data breaches. Worth reviewing whether you’re tackling recovery yourself or bringing in the professionals.
FAQs
How long does it take to fully recover a hacked WordPress site?
A straightforward infection with no data breach implications typically takes four to eight hours to clean, harden and verify. Complex cases involving multiple backdoors, database compromise or sites with hundreds of plugins can take several days. Factor in additional time if you need to notify the ICO, communicate with affected users or rebuild content that was damaged beyond recovery.
Will my search rankings recover after a hack?
If Google flagged your site with a malware or hacked content warning, rankings will drop significantly while the warning is active. Once you’ve cleaned the site and requested a review through Search Console, Google typically removes the warning within 24 to 72 hours if they confirm the site is clean. Rankings usually recover to previous levels within a few weeks, though sites that were infected for extended periods may take longer to rebuild trust.
Should I restore from a backup instead of cleaning the infected site?
Restoring from a backup is faster than manual cleaning, but only if you’re certain the backup predates the infection. Many hacks go undetected for weeks or months before obvious symptoms appear. If your backup already contains the backdoor, you’ll restore the vulnerability along with your content. The safest approach is to clean the current infection, understand how the attacker got in and then restore content selectively from backup rather than doing a wholesale replacement.