How to Fix a Hacked WordPress Site

WordPress Security | Updated 2026

If your WordPress site has been hacked, defaced, or is sending spam, don't panic. This is fixable. Ultra Web Hosting includes Imunify360 malware scanning on all accounts, which may have already caught and quarantined the malicious files. This guide walks you through the full cleanup process step by step. If you'd rather have our team handle it, we offer consultation services for exactly this.

Recognize the Signs

01. How to Tell If You've Been Hacked

WordPress hacks don't always look like a defaced homepage. Many infections are designed to be invisible so they can keep running as long as possible. Watch for these signs:

  • Your site redirects to a spam or gambling site
  • Google search results show strange titles or descriptions for your pages
  • You see new admin users you didn't create
  • Your hosting account is sending spam email
  • Imunify360 notifications in cPanel about detected malware
  • Your site is suddenly very slow or crashes frequently
  • Strange PHP files appear in wp-content/uploads/
  • Google or your browser shows a "This site may be hacked" warning
  • You get a suspension notice from your hosting provider

02. Immediate Steps (Do These First)

Before you start cleaning, do these three things to stop the bleeding:

  1. Change your WordPress admin password immediately, using cPanel's phpMyAdmin if you can't log in normally (see section 04).
  2. Change your cPanel and FTP passwords from your Ultra client area.
  3. Check Imunify360 in cPanel for any files it has already detected and quarantined (see section 03).

03. Check Imunify360 for Detected Threats

Your Ultra hosting account runs Imunify360, which scans for malware automatically. It may have already found and quarantined the infected files.

  1. Log into cPanel
  2. Click the Imunify360 icon (under the Security section)
  3. Check the Malware Scanner tab for detected files
  4. Review the list. Imunify shows the file path, threat type, and detection date.
  5. Click Clean All to let Imunify attempt automatic cleanup, or review each file individually

Imunify's automated cleanup works well for common infections like injected base64 code and known malware signatures. For more sophisticated backdoors, you may need to clean manually (covered in sections 06 and 07).

Tip

After Imunify cleans files, check your site to make sure it still works. Sometimes Imunify removes code that looks malicious but is actually part of a legitimate plugin (this is rare but it happens). If something breaks, check the Imunify quarantine to restore the file.

04. Change Every Password

Assume all credentials are compromised. Change everything:

  • WordPress admin password - through WP Admin > Users, or through phpMyAdmin if locked out
  • cPanel password - through your Ultra client area > Services > Manage
  • FTP passwords - through cPanel > FTP Accounts
  • Database password - through cPanel > MySQL Databases. After changing it, update wp-config.php with the new password
  • Email account passwords - through cPanel > Email Accounts

Resetting WordPress password via phpMyAdmin (if locked out)

  1. Open phpMyAdmin from cPanel
  2. Select your WordPress database
  3. Click on the wp_users table (your prefix may be different)
  4. Click Edit on the admin user row
  5. In the user_pass field, select MD5 from the function dropdown
  6. Type your new password in the value field and click Go

05. Finding the Malware

If Imunify didn't catch everything, you'll need to look manually. Here are the most common hiding spots:

Check for PHP files in the uploads directory

There should be no PHP files in wp-content/uploads/. Any PHP file here is almost certainly malware. In cPanel's File Manager, browse to wp-content/uploads/ and search for *.php.

Check for recently modified files

Via SSH or Terminal in cPanel, run:

# Find PHP files modified in the last 7 days
find ~/public_html -name "*.php" -mtime -7 -ls

# Find files with suspicious names
find ~/public_html -name "*.php" | grep -E "(eval|base64|shell|backdoor|tmp)"

Check for unknown files in theme and plugin directories

Hackers often drop backdoor files with random names inside theme directories like wp-content/themes/yourtheme/. Look for files that don't match the theme's normal structure. Names like class-db.php, admin-ajax-handler.php, or random strings like xkw8r.php are red flags.

06. Cleaning Infected Files

Reinstall WordPress Core

The safest way to clean core files is to replace them entirely. In WP Admin, go to Dashboard > Updates and click Reinstall Now. This replaces all core files without touching your content, themes, or plugins.

Alternatively, via SSH:

wp core download --force --skip-content

Reinstall plugins and themes

Delete and reinstall every plugin and theme from the official WordPress repository or the vendor's site. Don't just "update" them, since an update won't remove files that the attacker added to the plugin's directory.

Delete anything you don't recognize

If you find PHP files that aren't part of WordPress core, your theme, or your plugins, delete them. When in doubt, compare against a fresh copy of the plugin or theme from the vendor.
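One way to do that comparison over SSH, as an added example that is not part of the original guide: the function lists files the installed copy has that the fresh download lacks, and files whose contents differ. The function name, output labels and directory arguments are assumptions of this example.

```bash
#!/usr/bin/env bash
# Added example: compare an installed plugin or theme directory against a
# freshly downloaded, unpacked copy of the same version.
# compare_to_fresh, its labels and its arguments are names chosen for this example.

compare_to_fresh() {
    fresh=$1        # unpacked copy from wordpress.org or the vendor
    installed=$2    # the directory on the (possibly infected) site

    if [ ! -d "$fresh" ] || [ ! -d "$installed" ]; then
        echo "usage: compare_to_fresh FRESH_DIR INSTALLED_DIR" >&2
        return 2
    fi

    # Walk every file in the installed copy, using paths relative to its root
    # so they can be looked up under the fresh copy.
    (cd "$installed" && find . -type f | sort) | while IFS= read -r f; do
        rel=${f#./}
        if [ ! -e "$fresh/$rel" ]; then
            # Present on the site but not in the vendor's package.
            printf 'ADDED\t%s\n' "$rel"
        elif ! cmp -s "$fresh/$rel" "$installed/$rel"; then
            # Same path, different bytes.
            printf 'MODIFIED\t%s\n' "$rel"
        fi
    done
}
```

Compare against the same version that is installed; a different version will report many MODIFIED lines that are only upstream changes.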

Important

Never use "nulled" (pirated) plugins or themes. These are the #1 source of backdoor infections we see. Every single nulled plugin we've examined contains injected malware.

07. Hunting for Backdoors

Backdoors are what let hackers back in after you've cleaned the obvious malware. They're designed to survive a cleanup. Common patterns to search for:

# Search for common backdoor signatures
grep -r "eval(base64_decode" ~/public_html --include="*.php"
grep -r "eval(\$_" ~/public_html --include="*.php"
grep -r "system(\$_" ~/public_html --include="*.php"
grep -r "preg_replace.*/e" ~/public_html --include="*.php"
grep -r "assert(" ~/public_html --include="*.php"
grep -r "str_rot13" ~/public_html --include="*.php"

Also check for files with misleading names placed in directories where they don't belong, like wp-includes/SimplePie/Decode/editCourseGrades.php or wp-content/themes/yourtheme/fonts/admin.php. Legitimate WordPress files don't have names like that.
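The checks from sections 05 and 07 combined into one read-only pass, as an added example that is not part of the original guide. The function names and the TAB-separated output format are assumptions of this example; the signature strings are the ones from the grep commands above.

```bash
#!/usr/bin/env bash
# Added example: read-only triage of a WordPress document root.
# triage_wp, tag and the TAB-separated output are choices made for this example.

# Literal strings from the grep commands in section 07, one per line.
SIGNATURES='eval(base64_decode
eval($_
system($_
assert(
str_rot13'

# Prefix every path read on stdin with a label and a TAB.
tag() {
    while IFS= read -r path; do
        printf '%s\t%s\n' "$1" "$path"
    done
}

triage_wp() {
    root=$1

    # Section 05: nothing under uploads/ should be PHP. Extensions besides
    # .php are listed on the assumption that the server may run them as well.
    if [ -d "$root/wp-content/uploads" ]; then
        find "$root/wp-content/uploads" -type f \
            \( -iname '*.php' -o -iname '*.phtml' -o -iname '*.phar' \) |
            sort | tag UPLOADS_PHP
    fi

    # Section 07: PHP files containing a signature. -F matches the strings
    # literally; the /e modifier check needs a regular expression.
    # "|| true" keeps a no-match exit status from aborting under "set -e".
    {
        grep -rlF --include='*.php' -e "$SIGNATURES" "$root" || true
        grep -rl --include='*.php' -e 'preg_replace.*/e' "$root" || true
    } | sort -u | tag SIGNATURE
}
```

UPLOADS_PHP lines are almost always malware; SIGNATURE lines are leads to review by hand, since legitimate plugins also call functions such as assert( and str_rot13.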

Don't Forget Cron Jobs

Hackers often install cron jobs that re-download the malware even after you've deleted it. Check cPanel > Cron Jobs for anything you didn't add. Via SSH, run crontab -l to see all scheduled tasks for your account. Remove anything suspicious, especially entries with wget, curl, or base64 in them.

08. Check Your Database

Some infections inject malicious content into your database rather than files. Open phpMyAdmin and check:

  • wp_users - Look for admin accounts you didn't create. Delete any unknown administrators.
  • wp_options - Search for siteurl and home values. If these have been changed to a different domain, that's why your site is redirecting. Fix them to your correct domain URL.
  • wp_posts - Search for <script or eval( in post content. Injected JavaScript in posts is a common spam technique.

09. Update WordPress, Plugins, and Themes

After cleaning, update everything to the latest versions. Most hacks exploit known vulnerabilities in outdated software. If the vulnerability that let them in still exists, they'll be back.

  • Update WordPress core to the latest version
  • Update every plugin to the latest version
  • Update your theme to the latest version
  • Delete any plugins and themes you're not actively using
  • Make sure you're running PHP 8.2 or 8.3 (older PHP versions have known security issues)

10. Regenerate Security Keys

WordPress uses security keys (AUTH_KEY, SECURE_AUTH_KEY, etc.) to encrypt login cookies. After a hack, you should regenerate these to force all existing sessions to log out, including any sessions the attacker may still have.

  1. Visit api.wordpress.org/secret-key/1.1/salt/ to generate fresh keys
  2. Open your wp-config.php file
  3. Replace all 8 existing key/salt lines with the new ones
  4. Save the file

This immediately invalidates all logged-in sessions. Everyone (including you) will need to log in again with their new passwords.

11. Harden Your Site to Prevent Reinfection

Once the site is clean, lock it down so this doesn't happen again:

  1. Install BBQ Firewall - lightweight, zero-config request filtering that blocks common attack patterns at the application level.
  2. Set file permissions to 755 for directories, 644 for files, and 600 for wp-config.php.
  3. Add security .htaccess rules - block PHP execution in uploads, disable directory browsing, protect sensitive files. See our WordPress Security guide for the full ruleset.
  4. Enable two-factor authentication on all admin accounts.
  5. Set up automated backups with UpdraftPlus to an off-server location so you have a clean restore point if something happens again.
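Steps 2 and 3 of the list above as a script, added here as an example and not taken from the original guide. The .htaccess rules are this example's own and are not the ruleset from the WordPress Security guide; they assume Apache 2.4 with overrides allowed for Options and Require, and that wp-config.php sits in the site root.

```bash
#!/usr/bin/env bash
# Added example: apply steps 2 and 3 of the hardening list to one site.
# harden_wp is a name chosen here; the .htaccess rules are this example's own
# (Apache 2.4 syntax), not Ultra Web Hosting's published ruleset.

harden_wp() {
    root=$1
    uploads="$root/wp-content/uploads"

    if [ ! -f "$root/wp-config.php" ] || [ ! -d "$uploads" ]; then
        echo "harden_wp: $root does not look like a WordPress root" >&2
        return 1
    fi

    # Step 3: keep a copy of any existing rules, then write the new file.
    if [ -e "$uploads/.htaccess" ]; then
        cp -p "$uploads/.htaccess" "$uploads/.htaccess.bak"
    fi
    cat > "$uploads/.htaccess" <<'EOF'
# Disable directory browsing
Options -Indexes
# Refuse to serve (and therefore execute) PHP from the uploads tree
<FilesMatch "(?i)\.(php|phtml|phar)$">
    Require all denied
</FilesMatch>
EOF

    # Step 2: 755 for directories, 644 for files, 600 for wp-config.php.
    find "$root" -type d -exec chmod 755 {} +
    find "$root" -type f -exec chmod 644 {} +
    chmod 600 "$root/wp-config.php"
}
```

Run it as harden_wp ~/public_html, then load a page and an uploaded image to confirm the site still serves normally.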

12. Dealing With Google Blacklisting

If Google has flagged your site with a "This site may be hacked" warning, you need to request a review after cleaning:

  1. Log into Google Search Console (add your site if you haven't already)
  2. Check the Security Issues section for details on what Google found
  3. After cleaning the site, click Request a Review
  4. Describe what you did to fix the issue
  5. Google typically reviews within 1-3 business days

Until the warning is removed, your site will show a red warning page in Chrome and your search rankings will be suppressed. This makes quick cleanup critical.

13. When to Restore From Backup Instead

Sometimes restoring from a clean backup is faster than manually hunting through infected files, especially if the infection is widespread. This makes sense when:

  • You have a recent backup from before the infection
  • The infection has touched dozens or hundreds of files
  • You're not comfortable with SSH and file-level investigation
  • The database has been heavily modified

You can restore from a cPanel backup (if you have one), from an UpdraftPlus backup, or ask our support team to check if server-level backups are available. After restoring, immediately update everything and change all passwords so the same vulnerability doesn't get exploited again.

For details on backup options, see our guide: How to Back Up Your Website.

Need Professional Help?

Dealing with a hacked site is stressful. Our team can clean the infection, remove backdoors, harden your site, and submit Google review requests for you.

Quick Recap: Emergency Cleanup Order

  1. Change all passwords immediately - WordPress, cPanel, FTP, database, email
  2. Check Imunify360 in cPanel for auto-detected threats and clean them
  3. Reinstall WordPress core and delete/reinstall plugins and themes
  4. Search for backdoors - check uploads for PHP files, scan for eval/base64 patterns, check cron jobs
  5. Update everything, regenerate security keys, and harden - then install BBQ Firewall and set up backups to prevent it from happening again

Last updated March 2026