How to Fix a Hacked WordPress Site: Complete Recovery Guide (2026)
Your WordPress site got hacked? Follow this step-by-step recovery guide to remove malware, clean infected files, fix database injections, remove Google blacklist warnings, and harden your site against future attacks.

Is Your WordPress Site Hacked? Here’s How to Tell
A hacked WordPress site can devastate your business overnight. Search engines blacklist it, hosting providers suspend it, and visitors see scary warnings instead of your products. If you’re reading this, you may already be in crisis mode — but don’t panic. This guide walks you through a complete WordPress hack recovery process, step by step.

Common Signs Your WordPress Site Has Been Hacked
Before jumping into recovery, confirm the compromise. Look for these red flags:
- Google Search Console warnings — Malware or deceptive content alerts
- Hosting suspension — Your host detected malicious files
- Redirects — Visitors are sent to spam or phishing pages
- Unknown admin users — New accounts you did not create
- Defaced homepage — Hackers replaced your content with their own
- Spike in server resource usage — Often caused by spam scripts
Step 1: Put Your Site Into Maintenance Mode
Your first priority is damage control. Enable maintenance mode immediately to stop visitors from landing on malicious content. Use a plugin like WP Maintenance Mode or add a simple maintenance.php drop-in to your wp-content folder.
This also prevents the hacker’s scripts from infecting more users while you clean up.
Step 2: Change All Passwords and Revoke Access
Reset every credential connected to your site without exception:
- WordPress admin password (all admin accounts)
- Database password (update wp-config.php too)
- FTP/SFTP credentials
- Hosting control panel password
- Email accounts linked to WordPress
Also delete any unknown admin accounts you find under Users › All Users. Hackers frequently create backdoor admin accounts to maintain access after cleanup.
Step 3: Back Up What You Have (Even the Infected Version)
Counter-intuitive? Yes. Essential? Absolutely. A backup of the infected site lets you compare files, recover legitimate content, and audit the attack after the fact. Use your hosting control panel or run a full backup via UpdraftPlus before touching anything.
Step 4: Scan for Malware and Identify Infected Files
Use a dedicated WordPress malware scanner to find infected files. The best tools for this are:
- Wordfence Security — Deep file scanner with malware signature database
- MalCare — Cloud-based scanner that doesn’t overload your server
- Sucuri SiteCheck — Free external scanner for visible malware
- NinjaScanner — Lightweight option with hash comparison
Pay special attention to these commonly infected locations:
- wp-config.php — Often modified to include remote code
- wp-content/uploads/ — Executable PHP files hidden among images
- .htaccess — Frequently used for malicious redirects
- Theme and plugin files — Especially nulled or outdated ones
Step 5: Clean Infected Files Manually
Once you have a list of infected files, it’s time to clean them. For WordPress core files, the safest approach is a clean reinstall: download a fresh copy of WordPress from WordPress.org and replace all core files except wp-config.php and the wp-content folder.
For theme and plugin files, compare against the original source code from WordPress.org. Delete and reinstall plugins entirely rather than trying to clean them line by line.
Pro tip: Never use nulled (pirated) plugins or themes. They are the #1 source of WordPress infections and are deliberately injected with backdoors by their distributors.
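As an added example (not code from the original guide), here is the comparison from Steps 4 and 5 automated in Python: files under wp-admin/ and wp-includes/ are checked against a {relative_path: md5} manifest in the same shape as the "checksums" object returned by https://api.wordpress.org/core/checksums/1.0/?version=<version>&locale=en_US, files that no release ships are reported, and PHP files hiding in wp-content/uploads are listed. The tree and the manifest hashes are constructed inside build_sample_site() so the script runs offline; the function names are this example's own.

```python
import hashlib
import os
import tempfile
from pathlib import Path

def md5_of(path):
    with open(path, "rb") as f:
        return hashlib.md5(f.read()).hexdigest()

def rel(root, dirpath, name):
    return os.path.relpath(os.path.join(dirpath, name), root).replace(os.sep, "/")

def verify_core(root, manifest):
    """manifest is {relative_path: md5}. Returns (modified, unexpected): listed files
    whose hash differs, and files under wp-admin/ or wp-includes/ that no release ships."""
    modified = [p for p, h in manifest.items()
                if os.path.isfile(os.path.join(root, p)) and md5_of(os.path.join(root, p)) != h]
    unexpected = []
    for sub in ("wp-admin", "wp-includes"):
        for dirpath, _, files in os.walk(os.path.join(root, sub)):
            unexpected += [rel(root, dirpath, n) for n in files
                           if rel(root, dirpath, n) not in manifest]
    return sorted(modified), sorted(unexpected)

def php_in_uploads(root):
    """wp-content/uploads should hold only media; any PHP there is suspect."""
    up = os.path.join(root, "wp-content", "uploads")
    return sorted(rel(root, d, n) for d, _, fs in os.walk(up) for n in fs
                  if n.lower().endswith((".php", ".phtml", ".phar")))

def build_sample_site():
    """Constructed tree: an intact core file, an altered core file, a file dropped into wp-includes, a PHP file among uploads."""
    root = tempfile.mkdtemp()
    clean_admin = b"<?php require_once 'admin.php';\n"
    files = {
        "wp-includes/version.php": b"<?php $wp_version = '6.5';\n",
        "wp-admin/index.php": clean_admin + b"// appended after release\n",
        "wp-includes/cache-helper.php": b"<?php // not in any release\n",
        "wp-content/uploads/2024/05/photo.jpg": b"\xff\xd8\xff",
        "wp-content/uploads/2024/05/photo.php": b"<?php // not an image\n",
    }
    for p, data in files.items():
        Path(root, p).parent.mkdir(parents=True, exist_ok=True)
        Path(root, p).write_bytes(data)
    manifest = {  # hashes of the pristine contents (constructed, not real WordPress values)
        "wp-includes/version.php": hashlib.md5(files["wp-includes/version.php"]).hexdigest(),
        "wp-admin/index.php": hashlib.md5(clean_admin).hexdigest(),
    }
    return root, manifest
```

On a live install with WP-CLI available, `wp core verify-checksums` performs the same core comparison against the official manifest.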
Step 6: Remove Malicious Database Entries
Hackers don’t just touch files — they inject malicious content into your database too. Common injections include:
- Hidden spam links in post content
- Malicious JavaScript in widget settings or theme options
- Rogue admin users in the wp_users table
- Backdoor URLs stored in wp_options
Use phpMyAdmin or WP-CLI to search your database for suspicious strings like eval(base64_decode, <iframe, and unauthorized domain names.
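As an added example (not from the original guide), the database search described above, scripted in Python against an in-memory SQLite copy of wp_posts and wp_options: each row is checked for the suspicious strings named in this step and for links whose domain is not on your own allowlist, which is how "unauthorized domain names" can be found without knowing them in advance. The rows, the .invalid domains and the allowlist are constructed for the demo; on MySQL the same two SELECT statements run unchanged.

```python
import re
import sqlite3
from urllib.parse import urlparse

# Strings this step tells you to search for, plus close relatives of the same family.
SUSPICIOUS = ["eval(base64_decode", "<iframe", "<script", "document.write(", "fromCharCode("]

def flag_rows(conn, allowed_domains):
    """Scan wp_posts and wp_options for suspicious strings and for links to hosts
    outside allowed_domains. Returns a list of (table, row_id, reason) tuples."""
    findings = []
    queries = {
        "wp_posts": "SELECT ID, post_content FROM wp_posts",
        "wp_options": "SELECT option_id, option_value FROM wp_options",
    }
    for table, sql in queries.items():
        for row_id, text in conn.execute(sql):
            text = text or ""
            for needle in SUSPICIOUS:
                if needle.lower() in text.lower():
                    findings.append((table, row_id, f"contains {needle}"))
            for url in re.findall(r"https?://[^\s\"'<>]+", text):
                host = urlparse(url).hostname or ""
                if host and not any(host == d or host.endswith("." + d) for d in allowed_domains):
                    findings.append((table, row_id, f"link to {host}"))
    return findings

def build_sample_db():
    """Constructed in-memory tables: one clean and one injected row in each."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE wp_posts (ID INTEGER, post_content TEXT)")
    conn.execute("CREATE TABLE wp_options (option_id INTEGER, option_value TEXT)")
    conn.executemany("INSERT INTO wp_posts VALUES (?, ?)", [
        (1, "<p>Welcome! Read our <a href='https://example.com/about'>story</a>.</p>"),
        (2, "<p>Welcome!</p><div style='display:none'><a href='http://spam.invalid/cheap'>buy</a></div>"),
    ])
    conn.executemany("INSERT INTO wp_options VALUES (?, ?)", [
        (1, "https://example.com"),
        (2, '<script src="https://cdn.attacker.invalid/x.js"></script>'),
    ])
    return conn
```

WP-CLI's `wp db search 'eval(base64_decode'` runs the same string search across every table at once, but it cannot do the domain allowlist check.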
Step 7: Update Everything — WordPress, Plugins, Themes
An outdated plugin or theme is almost certainly how the attacker got in. After cleaning, update WordPress core, every active plugin, and your active theme to their latest versions. Delete any plugins you no longer use — inactive plugins still represent attack surface.
Step 8: Harden Your WordPress Security
Cleaning is only half the job. Hardening prevents re-infection:
- Install a Web Application Firewall (WAF) — Cloudflare or Wordfence
- Enable two-factor authentication on all admin accounts
- Disable XML-RPC if you don’t use it
- Limit login attempts with a plugin like Limit Login Attempts Reloaded
- Move wp-login.php to a custom URL
- Set correct file permissions (755 for directories, 644 for files)
- Add security headers via your .htaccess or Cloudflare
Step 9: Request Google Review and Remove Blacklist
If Google blacklisted your site, you need to formally request a review once your site is clean:
- Verify your site in Google Search Console
- Go to Security Issues and review the flagged content
- Confirm all issues are resolved
- Click Request Review and describe what you cleaned
Google typically processes malware review requests within 1–3 days. Your rankings may take weeks to fully recover, but the blacklist warning will be lifted once the review passes.
Step 10: Set Up Ongoing Monitoring
A hacked WordPress site is a wake-up call to implement proper monitoring:
- Daily malware scans — Wordfence or MalCare on autopilot
- Uptime monitoring — UptimeRobot or Pingdom for instant alerts
- Automated backups — UpdraftPlus to remote storage (Google Drive, S3)
- Activity logs — WP Activity Log to track all admin actions
When to Call a Professional WordPress Security Expert
Some hacks are too complex to fix without expert help. Reach out to a professional if:
- You cannot identify the malware or entry point
- The site re-infects within days of cleaning
- Your hosting account has been fully compromised
- You’re dealing with SEO spam injection across thousands of pages
- You have no usable clean backup to restore from
At DyingWP, we specialize in emergency WordPress hack recovery. We identify the infection vector, clean every file and database table, harden the site against re-infection, and handle Google’s blacklist removal process on your behalf. Contact us for an urgent assessment.
Conclusion: Act Fast, Then Act Smart
WordPress hack recovery is a race against time, but it’s also a process that demands careful, systematic work. Rushing through cleanup without addressing the root cause leads to re-infection. Follow every step in this guide, and your site will come back cleaner and more secure than before the attack.
Bookmark this page and share it with anyone running a WordPress site — the best time to learn this process is before you need it.

