WordPress Security | 2026-03-27 | 9 min read

How to Fix a Hacked WordPress Site (Step-by-Step)

Your WordPress site has been hacked. Here's exactly what to do — from identifying the infection to cleaning every file, hardening the install, and getting removed from Google's blacklist.

Tags: wordpress, security, malware, hacked

Your WordPress site is infected. Maybe you're seeing spam redirects, a "Deceptive site ahead" warning in Chrome, or your hosting provider suspended the account. Whatever the symptom, the process is the same: scan, clean, harden, and recover your search presence.

This guide covers every step.


Step 1: Don't panic — and don't delete everything

The first instinct is to wipe the whole server and start over. That's often the wrong move. Unless you have a clean backup from before the infection, nuking everything means losing your content, configuration, and potentially months of SEO equity.

The better path: identify what's infected, remove it surgically, and harden what remains.


Step 2: Take the site offline (temporarily)

If your hosting hasn't suspended the account already, put the site in maintenance mode or block public traffic while you work. A live infected site continues spreading malware to visitors and burning trust with Google.

Options:

  • Enable maintenance mode from your hosting panel
  • Add a password to the directory via .htaccess
  • Ask your host to temporarily restrict public access

Step 3: Scan every file and database table

A full malware scan needs to cover:

  • All WordPress core files (/wp-admin/, /wp-includes/)
  • Your active theme and all installed themes (even inactive ones)
  • Every plugin directory
  • The wp-config.php file
  • The uploads folder (yes, attackers hide PHP files in there)
  • Every row in the wp_options, wp_posts, and wp_users tables

Tools to use:

  • Wordfence — free plugin, scans files against known clean copies
  • Sucuri SiteCheck — remote scanner, good for surface-level detection
  • MalCare — more thorough, good for deep database injection
  • Manual scan — search for known malware strings: eval(base64_decode, gzinflate, str_rot13, <iframe injections, hidden <script> tags

Run at least two tools. Malware often hides from individual scanners by targeting their signatures specifically.


Step 4: Remove infected files

Once you have a list of infected files, clean them. For each:

If it's a core WordPress file (like wp-login.php or files inside /wp-includes/): replace it entirely with a fresh copy from wordpress.org/download. Do not try to edit these — just replace them.

If it's a plugin or theme file: remove the entire plugin or theme, then reinstall from the official WordPress.org repository or your original purchase.

If it's your custom theme: open the file, find the injected code (usually at the top or bottom of the file, or obfuscated with base64 encoding), and remove only that injection. Be careful not to remove legitimate PHP.

For database injections: use phpMyAdmin or WP-CLI to locate and remove injected JavaScript, spam links, or hidden redirects. Common injection targets: wp_options (siteurl, home, widget settings), wp_posts (content and metadata), and wp_users (display names, metadata).


Step 5: Find and close the entry point

Removing malware without closing the entry point means it will come back, often within hours. Common entry points:

Outdated plugins or themes — the #1 cause. An unpatched vulnerability in a popular plugin can be exploited at scale.

Weak or reused passwords — especially the admin account. If the password is in any breach database, attackers have it.

Nulled (pirated) themes and plugins — these almost always contain backdoors intentionally. Remove them entirely.

PHP file upload vulnerabilities — attackers upload a malicious PHP file disguised as an image. Check your upload directory for any .php files.

Compromised hosting credentials — if your FTP or hosting panel password was leaked, attackers had full access. Change everything.
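The manual scan from Step 3 and the "any .php under uploads" check from Step 5, as an added POSIX shell example (not the article's own code). The function names, the indicator regex and the sample tree are constructed here; the output is a list of candidates for a human to review, since legitimate plugins also use base64_decode or iframes.

```shell
#!/bin/sh
# Added example, not the article's own code: a minimal version of the manual
# scan from Step 3 plus the "any .php under uploads" check from Step 5.
# Output is a list of candidate files for a human to review, not a verdict:
# legitimate plugins also use base64_decode or <iframe>.

# Indicator strings named in the article (extended regex, literal parens).
WP_SUSPECT_PATTERN='eval\(base64_decode|gzinflate\(|str_rot13\(|<iframe'

# Print, once each, every suspicious file under the WordPress root $1.
scan_wp_tree() {
    {
        # PHP and JS files containing one of the indicator strings.
        grep -rlE --include='*.php' --include='*.js' "$WP_SUSPECT_PATTERN" "$1" 2>/dev/null
        # PHP under uploads is suspicious whatever it contains (Step 5).
        find "$1/wp-content/uploads" -type f \
            \( -name '*.php' -o -name '*.phtml' -o -name '*.php[0-9]' \) 2>/dev/null
    } | sort -u
}

# Constructed sample tree for demonstration (hypothetical content).
build_sample_tree() {
    mkdir -p "$1/wp-includes" "$1/wp-content/themes/custom" "$1/wp-content/uploads/2026/03"
    # Clean core-like file: must not be reported.
    printf '<?php\nfunction wp_hello() { return "hi"; }\n' > "$1/wp-includes/functions.php"
    # Footer injection typical of Step 4's "custom theme" case: obfuscated eval
    # (the base64 string here just decodes to the word "placeholder").
    printf '<?php\n// theme footer\neval(base64_decode("cGxhY2Vob2xkZXI="));\n' \
        > "$1/wp-content/themes/custom/footer.php"
    # PHP file sitting among uploads: reported because of its location alone.
    printf '<?php echo "not an image";\n' > "$1/wp-content/uploads/2026/03/image.php"
    # A real image: must not be reported.
    printf 'GIF89a' > "$1/wp-content/uploads/2026/03/photo.gif"
}

# Usage: scan_wp_tree /var/www/html
# Running this file with --demo builds the sample tree and scans it.
if [ "${1:-}" = "--demo" ]; then
    demo=$(mktemp -d)
    build_sample_tree "$demo"
    scan_wp_tree "$demo"
    rm -rf "$demo"
fi
```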


Step 6: Harden the WordPress installation

After cleaning, lock the site down so the next attacker can't get in the same way:

  • Change all passwords: admin account, all editor/author accounts, database password (update wp-config.php), FTP credentials, hosting panel
  • Update everything: WordPress core, all plugins, all themes — no exceptions
  • Remove unused plugins and themes: every inactive plugin is a potential attack surface
  • Restrict login access: limit login attempts, add two-factor authentication, change the login URL from /wp-admin to something non-standard
  • Set correct file permissions: wp-config.php should be 600, directories 755, files 644
  • Disable PHP execution in the uploads folder: add an .htaccess file to /wp-content/uploads/ that denies PHP execution
  • Install a security plugin: Wordfence, Solid Security (formerly iThemes), or Sucuri Firewall for ongoing monitoring
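Two of the hardening items above (the permission scheme and the uploads .htaccess), as an added POSIX shell example that is not the article's own code. The function names are constructed here, and the .htaccess assumes Apache 2.4 with AllowOverride enabled for the uploads directory; nginx needs a location block in the server config instead.

```shell
#!/bin/sh
# Added example, not the article's own code: applies two Step 6 items to a
# WordPress root given as $1, namely the permission scheme the article lists
# (wp-config.php 600, directories 755, other files 644) and an .htaccess in
# wp-content/uploads that refuses to serve PHP. Assumes Apache 2.4 with
# AllowOverride enabled for that directory. Run as the file owner, after a backup.

# Written to wp-content/uploads/.htaccess (Apache 2.4 syntax).
UPLOADS_HTACCESS='# Refuse to serve PHP from the uploads tree (hardening step)
<FilesMatch "\.(php|phtml|php[0-9])$">
    Require all denied
</FilesMatch>
'

harden_wp_tree() {
    root=$1
    [ -d "$root" ] || { echo "not a directory: $root" >&2; return 1; }
    mkdir -p "$root/wp-content/uploads"
    printf '%s' "$UPLOADS_HTACCESS" > "$root/wp-content/uploads/.htaccess"
    # Directories: owner rwx, everyone else rx. Files: owner rw, everyone else r.
    find "$root" -type d -exec chmod 755 {} +
    find "$root" -type f -exec chmod 644 {} +
    # wp-config.php holds the database credentials: owner only.
    if [ -f "$root/wp-config.php" ]; then
        chmod 600 "$root/wp-config.php"
    fi
}

# Returns 0 when the tree matches the scheme above; otherwise prints the
# offending paths and returns 1. Usable as a periodic check (Step 9).
check_wp_perms() {
    root=$1
    bad=$( {
        find "$root" -type d ! -perm 755
        find "$root" -type f ! -name wp-config.php ! -perm 644
        find "$root" -maxdepth 1 -name wp-config.php ! -perm 600
    } )
    [ -z "$bad" ] || { printf '%s\n' "$bad"; return 1; }
}

# Usage: harden_wp_tree /var/www/html && check_wp_perms /var/www/html
```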

Step 7: Request Google blacklist removal

If Google flagged your site with a "Deceptive site ahead" warning or your Search Console shows a manual action, you need to formally request a review after cleaning.

  1. Open Google Search Console
  2. Go to Security & Manual Actions → Security Issues
  3. Review the listed issues and confirm you've resolved them
  4. Click Request Review and describe what you found and cleaned
  5. Wait 1–3 business days for Google to re-crawl and clear the flag

Other blacklists to check: McAfee SiteAdvisor, Norton Safe Web, Spamhaus. Most clear automatically once the malware is gone, but you can request manual removal if needed.


Step 8: Restore from backup (if available)

If you have a verified clean backup from before the infection date, restoring it is often faster than cleaning manually — especially for heavily infected sites. After restoring:

  • Apply all security hardening steps above (the backup won't have them)
  • Change all passwords
  • Update all plugins and themes
  • Find and close the original entry point (it's still there)

A restored site without hardening gets re-infected quickly.


Step 9: Set up monitoring so it doesn't happen again

Most WordPress hacks are opportunistic. A site that looks like an easy target gets hit again. After cleanup:

  • Enable uptime monitoring (UptimeRobot, Better Uptime)
  • Enable file change monitoring (Wordfence, Solid Security)
  • Set up daily automated backups stored off-site (not just on the same server)
  • Subscribe to vulnerability feeds for your active plugins (WPScan, Patchstack)
  • Review access logs quarterly for suspicious patterns

When to call in a professional

Some infections are deeper than a plugin scan can catch — database-level backdoors, server-level rootkits, or compromise of the hosting environment itself. If:

  • The malware keeps coming back after cleaning
  • Your host says the infection is at the server level
  • You can't access the site at all (full suspension or ransomware)
  • Your Google penalty isn't clearing after a review request

...it's time to get professional help. A skilled developer can do a full forensic review, clean the server environment, and handle the Google reconsideration process with documentation.


Summary

Step  Action
1     Don't delete everything — scan first
2     Take the site offline temporarily
3     Scan files and database with multiple tools
4     Remove infected files and database entries
5     Find and close the entry point
6     Harden: passwords, permissions, updates
7     Request Google blacklist removal
8     Restore from clean backup if available
9     Set up monitoring and backups

A hacked WordPress site is fixable. The key is to clean thoroughly, harden properly, and not skip the steps that prevent reinfection.
