Discovering your WordPress site has been hacked is one of the worst feelings as a website owner. But don't panic: most hacks can be cleaned if you act quickly and methodically.
🚨 Hacked right now? Every hour your site is infected damages your SEO. WhatsApp us for emergency cleanup; we respond in 15 minutes.
Step 1: Put the Site in Maintenance Mode
Before doing anything, take your site offline with a maintenance page. This prevents visitors from seeing hacked content and stops the malware from spreading to your visitors. If you can access wp-admin, enable a maintenance plugin. If not, add this to your .htaccess:
Step 2: Change All Passwords Immediately
Before cleaning, change every password, because any cleaned files can be reinfected if the attacker still has valid credentials:
- WordPress admin password (all admin users)
- Hosting/cPanel account password
- FTP/SFTP password
- MySQL database password (and update wp-config.php)
- Email accounts associated with the site
Step 3: Remove Unknown Admin Users
Hackers create admin accounts to maintain access even after file cleanup. Go to Users → All Users in WordPress and delete any accounts you don't recognise. If you're locked out, access the database via phpMyAdmin and check the wp_users table directly.
Step 4: Scan All Files for Malware
Install the Wordfence plugin (free version is sufficient) and run a full scan. It will identify:
- Modified core WordPress files
- Malicious code in themes and plugins
- Backdoor files planted by hackers
- Suspicious PHP files in the uploads folder
Also check your /wp-content/uploads/ folder via FTP: it should only contain media files. Any .php files there are malicious and should be deleted immediately.
Step 5: Clean Infected Files
For WordPress core files: re-upload fresh copies from wordpress.org, overwriting your existing files. For plugins and themes: deactivate, delete and reinstall from the official repository.
For custom theme files with injected code, the injection usually looks like this:
Search all PHP files for eval(base64_decode and eval(gzinflate; these are almost always malicious. Remove the lines containing them.
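The two checks from Step 4 and Step 5 (PHP files under wp-content/uploads, and eval(base64_decode / eval(gzinflate in PHP source) as a small read-only scanner. This is an added example, not code from the article; the function names and the sample site tree it builds in a temp directory are constructed for demonstration.

```python
import os
import re
import tempfile

# The two calls the article singles out as almost always malicious in PHP source.
SUSPICIOUS = re.compile(rb"eval\s*\(\s*(base64_decode|gzinflate)\s*\(", re.IGNORECASE)


def scan_wordpress_tree(root):
    """Walk a WordPress install and report, without deleting anything:
    - any .php file under wp-content/uploads (that folder should hold media only)
    - any .php file anywhere whose source contains eval(base64_decode( or eval(gzinflate(
    Returns a sorted list of (relative_path, reason) tuples for manual review."""
    findings = []
    uploads = os.path.join(root, "wp-content", "uploads")
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if not name.lower().endswith(".php"):
                continue
            path = os.path.join(dirpath, name)
            rel = os.path.relpath(path, root).replace(os.sep, "/")
            if os.path.commonpath([path, uploads]) == uploads:
                findings.append((rel, "php file inside uploads folder"))
            with open(path, "rb") as fh:  # bytes: injected code is often not valid UTF-8
                if SUSPICIOUS.search(fh.read()):
                    findings.append((rel, "eval(base64_decode/gzinflate) in source"))
    return sorted(findings)


def build_sample_site():
    """Create a constructed (not real) WordPress-like tree to run the scanner against."""
    root = tempfile.mkdtemp(prefix="wp-sample-")
    sample = {
        "index.php": "<?php require __DIR__ . '/wp-blog-header.php';\n",
        "wp-content/uploads/2024/05/photo.jpg": "sample bytes standing in for an image",
        "wp-content/uploads/2024/05/cache.php": "<?php echo 'should not be here'; ?>",
        "wp-content/themes/custom/functions.php":
            "<?php\nadd_action('init', 'theme_setup');\neval(base64_decode('SAMPLE'));\n",
        "wp-content/plugins/akismet/akismet.php": "<?php // clean plugin file\n",
    }
    for rel, body in sample.items():
        full = os.path.join(root, rel)
        os.makedirs(os.path.dirname(full), exist_ok=True)
        with open(full, "w") as fh:
            fh.write(body)
    return root


if __name__ == "__main__":
    for rel, reason in scan_wordpress_tree(build_sample_site()):
        print(f"{rel}: {reason}")
```

Run it against the real document root (for example after downloading a copy over SFTP) and review each reported file by hand before deleting anything; a hit on a plugin's own code is worth comparing against a fresh copy from the official repository first.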
Step 6: Check .htaccess
Open your root .htaccess file. It should look like a standard WordPress .htaccess. If you see large blocks of encoded text, RewriteRules pointing to external sites, or PHP eval statements, delete the whole file and replace with this clean version:
Step 7: Clean the Database
Malware often injects code into the WordPress database, particularly in post content, widget data and options. In phpMyAdmin, run this SQL search to find injected spam links:
Review the results and manually clean any infected entries.
Step 8: Request Google Blacklist Removal
Once your site is clean, go to Google Search Console → Security Issues. Review the malware warnings and click "Request Review". Be specific about what you found and fixed. Google typically reviews within 1–3 days.
Also submit removal requests to:
- McAfee SiteAdvisor: siteadvisor.com/sitereport.html
- Norton Safe Web: safeweb.norton.com
- Sucuri SiteCheck: sitecheck.sucuri.net
Step 9: Harden Security to Prevent Re-infection
- Install a security plugin (Wordfence or Sucuri) with a firewall
- Enable two-factor authentication on all admin accounts
- Set correct file permissions (folders: 755, files: 644)
- Disable XML-RPC if you don't need it
- Change the default /wp-admin URL with a plugin like WPS Hide Login
- Keep WordPress, themes and plugins updated
Don't Want to Do This Yourself?
We handle the entire cleanup from start to finish, including Google blacklist removal and security hardening. From $99.
Get Professional Cleanup →