find-web-designer

How to Clean a Hacked WordPress Site

Learn what to do after you discover your WordPress site has been hacked and how to remove the malware from it.

How to clean a hacked WordPress site

It is every website owner's worst nightmare to realize that their website has been hacked. Hacked sites can wreak havoc for small business owners and cause a lot of damage. It is a serious matter that must be tackled as soon as the hack has been discovered. The first thing to do at this moment, is take a deep breath – and know that your online business will be up and running clean once again. Listed below is my step-by-step guide for anyone with a hacked WordPress website who is wondering what to do next.

My WordPress Site is Hacked – What to Do?

The first step is to hire a professional WordPress security service to clean your site. The top three in the industry are Sucuri, WP Security Lock, and Hack Repair. This is what they do every day and are trained to get your website back up and running. As with anything, please do your research on the company you choose. Some malware removal companies only run a script to remove a certain type of code and not actually inspect the files to make sure the malicious code is gone. For any malware removal company, there is a limited guarantee on malware removal. They can guarantee that the infection is removed at the time they say the site is clean, but cannot guarantee that the site will not get infected again.

Can I Clean the Site Myself?

Yes, you can always clean the website yourself if you feel comfortable reading the code. Remember though to keep a backup of your website prior to you deleting anything. That way nothing will be permanently lost. If at any time you feel as though this is much worse than you anticipated, you can always call in the professionals to help you as well. Here's what to do:

Step 1. Change ALL of Your Passwords

Change your passwords immediately! This means your cPanel password, all WordPress admin logins, your FTP password, database password, and even your web hosting account's password. Never use the same password for any of these. The quicker you can block out the hackers, the simpler the clean will be.

Step 2. Scan Your Computer

Viruses can come from anywhere including your own computer. Make sure your computer isnt infected.

Step 3. Run a Scan on Your Website

Great website scanners are Sucuri and Virus Total. This will tell you what type of infection you have and if your website has been put on any blacklists.

Step 4. Make Backups

As mentioned above, make a backup of your database and files. Download these to your computer so that you can always reference your original files.

Step 5. Log into Your File Manager

Go into your file manager via cPanel. You may also use your favorite FTP manager like FileZilla for Windows or ForkLift for Mac.

Step 6. Get New files

Get fresh, new copies of the core, plugins, and any themes that are installed on your website.

Step 7. Remove the Malware

  1. Once you are in your public_html directory, delete out all files and directories except the wp-content, the .htaccess file and the wp-config.php file.
  2. Check the wp-config.php and the .htaccess files for any malware. If it starts out with a (base64) or a long string of random text that cannot be read, delete that code. You can use the wp-config-sample.php to compare with your wp-content.php file. The only thing that should be different is the database login information. Your .htaccess file can have more added code in it due to legitimate plugins, but all that is needed to be in that file while we clean is the WordPress code, which you can compare with the codex.
  3. Go into your wp-content directory and depending on your plugins and themes, delete everything except plugins, themes, uploads, and the index.php file.
  4. Go into your plugins and themes directories and delete all of the plugins and themes listed there. You can later reinstall fresh copies of those. If you don't have a fresh copy, you'll have to manually inspect each file for malware.
  5. Check every file in your uploads to verify no malware is there.
  6. Inspect the index.php file that lives in each directory inside the wp-content directory. There will be one in wp-content, plugins, themes, and uploads.

Step 8. Installing the New Files

Install your clean files of the WordPress core, themes, and plugins in their correct directories. When using the file manager from cPanel, you may upload the zips and then extract them. If using a FTP manager, you must extract the zips on your machine first, and then upload them.

Step 9. Testing

Test your site. Go to your site and click on a few pages to make sure the site is working correctly. Login it to your dashboard and verify that all themes and plugins are back. I'd recommend installing WordFence and do a scan of your site. I do this as a precautionary measure to make sure all malware has been removed.

Step 10. Change Your Passwords Again

Now that you're confident your site is clean, change all your passwords one more time!

What Can I Do After to Make Sure This Never Happens Again?

Now that your website is clean, the main thing is to be as proactive with your website as possible. This means hardening your site to keep out future hackers. We just posted some great tips on how to harden your website. You can also read about the best WordPress Security Plugins. These tips involve no coding and can be done on any WordPress site.

Also, do your research on your plugins and themes. If they are no longer being updated or have support, look for something comparable. Keep only the themes and plugins on your website that you are using. Only keep your current theme and the most recent WordPress default theme and delete out the rest. If a plugin is installed but not activated, remove it until you need to use it again. If it is on the WordPress Plugin Repository, you can make a list of your favorite plugins to use at a later time. You will be required to make a WordPress.org account.

Last but definitely not least is to update. Always keep your core, plugins, and themes up to date. All version releases can be classified into three separate sections; feature update, code update, or security update. Most releases are security updates due to the fact that vulnerabilities are found every day. Due to the evolution of code, that means today's newest features are tomorrow's vulnerabilities.

If at any time, you feel overwhelmed with WordPress security, talk to the professionals. They are always willing to help you keep your online business safe.

About the author


  • Michele Butcher
  • Michele is a seasoned guru in WordPress Security. She is founder of 13Core and cantspeakgeek.com. She is also a speaker and contributor for WPSecurityLock. Furthermore, Michele is also the lead organizer of the Southern Illinois WordPress Meetup and teaches WordPress classes for John A Logan College.
Please help us stay funded. Purchase a product through our site and we may receive a commission for the referral! Learn more.