Recovering a Hacked WordPress Website
If your WordPress site has been hacked, defaced, is sending spam, or is redirecting visitors to suspicious pages, follow these steps to clean it up and prevent it from happening again.
Step 1: Do Not Panic, But Act Quickly
A hacked site needs immediate attention to prevent further damage, but rushing through fixes without a plan can make things worse. Start by taking note of what symptoms you are seeing (redirects, defaced pages, spam emails, suspicious files, Google warnings).
Step 2: Change All Passwords Immediately
- cPanel password (through your client area)
- WordPress admin password (through phpMyAdmin if you cannot log in)
- Database password (cPanel > MySQL Databases)
- FTP account passwords
- Email account passwords
Step 3: Scan for Malware
Our servers run Imunify360, which automatically scans for malware. Check your cPanel for any Imunify360 notifications. You can also install the Wordfence plugin and run a full scan. Wordfence will identify infected files, backdoors, and suspicious code.
Step 4: Restore From a Clean Backup
If you have a recent backup from before the hack occurred, restoring it is often the fastest and most thorough way to clean up. After restoring, immediately update WordPress core, all themes, and all plugins before the vulnerability gets exploited again.
Step 5: Manual Cleanup (If No Backup)
- Replace WordPress core files: Download a fresh copy of WordPress from wordpress.org and upload it over your existing installation, replacing the wp-admin and wp-includes directories entirely. Do not replace wp-content (that contains your themes and uploads).
- Check wp-content: Look through your themes and plugins for unfamiliar files or recently modified PHP files. Remove any plugins or themes you do not recognize.
- Check wp-config.php: Compare it against a clean wp-config-sample.php. Look for any injected code, especially eval() or base64_decode() calls.
- Check .htaccess: Hackers frequently inject redirect rules into .htaccess. Replace it with a clean WordPress default.
- Check the database: In phpMyAdmin, look at the wp_users table for unknown admin accounts. Check wp_options for suspicious siteurl or home values.
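The file-side checks from the manual cleanup above (suspicious PHP under wp-content, recently modified PHP files, redirect rules in .htaccess) gathered into one small POSIX sh script, as an added example that is not part of the original article. The function names, the constructed sample tree and the extra markers gzinflate and str_rot13 are my own additions; the wp_users and wp_options checks still happen in phpMyAdmin as described.

```shell
#!/bin/sh
# Added triage helper for Step 5 (not from the original article). It only reports
# findings so you can review them; it never deletes or modifies anything.
# Usage: sh wp-triage.sh /home/user/public_html

# Markers the article calls out (eval, base64_decode) plus two common companions.
MARKERS='(eval|base64_decode|gzinflate|str_rot13)[[:space:]]*\('

# PHP files under $1 containing any marker, one path per line, sorted.
find_suspicious_php() {
    find "$1" -type f -name '*.php' -exec grep -lE "$MARKERS" {} + 2>/dev/null | sort
}

# PHP files under $1 modified in the last $2 days (where a live infection usually shows up).
find_recent_php() {
    find "$1" -type f -name '*.php' -mtime "-$2" | sort
}

# Lines in the .htaccess at $1 that redirect or rewrite to an external http(s) URL.
# The stock WordPress rule "RewriteRule . /index.php [L]" is local and is not reported.
htaccess_redirects() {
    [ -f "$1" ] || return 0
    grep -nE '^[[:space:]]*(RewriteRule|Redirect(Match)?)[[:space:]].*https?://' "$1" || true
}

# Constructed sample site for trying the functions offline (NOT a real infection):
# a stock-looking plugin, a theme, an unknown plugin whose file carries the markers
# with an empty payload, and an .htaccess with one injected external redirect.
make_sample_tree() {
    root=$(mktemp -d)
    mkdir -p "$root/wp-content/plugins/hello" "$root/wp-content/plugins/unknown-xyz" "$root/wp-content/themes/t"
    printf '<?php echo "Hello, Dolly"; ?>\n' > "$root/wp-content/plugins/hello/hello.php"
    printf '<?php get_header(); ?>\n' > "$root/wp-content/themes/t/index.php"
    printf '<?php /* constructed marker */ eval(base64_decode("")); ?>\n' > "$root/wp-content/plugins/unknown-xyz/x.php"
    printf 'RewriteEngine On\nRewriteRule . /index.php [L]\nRewriteRule ^(.*)$ http://example.invalid/$1 [R=301,L]\n' > "$root/.htaccess"
    echo "$root"
}

if [ "$#" -ge 1 ]; then
    echo "== wp-content PHP files containing eval/base64_decode/gzinflate/str_rot13 =="
    find_suspicious_php "$1/wp-content"
    echo "== wp-content PHP files modified in the last 7 days =="
    find_recent_php "$1/wp-content" 7
    echo "== .htaccess rules redirecting off-site =="
    htaccess_redirects "$1/.htaccess"
fi
```

Review every reported file by hand before removing anything: legitimate plugins occasionally use base64_decode, and a freshly updated plugin will show up as recently modified.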
Step 6: Harden Your Site
- Update WordPress, all themes, and all plugins to the latest versions
- Delete any themes and plugins you are not actively using
- Install a security plugin like Wordfence or Sucuri
- Use strong, unique passwords for every account
- Enable two-factor authentication on your WordPress admin
- Set file permissions to 644 for files and 755 for directories
- Disable file editing in WordPress by adding define('DISALLOW_FILE_EDIT', true); to wp-config.php
Need Help?
Open a support ticket and our security team can help identify the infection, clean malicious files, and advise on hardening your site. Include any details about what you are seeing (error messages, redirects, spam reports) so we can get started right away.
