There was a problem loading the comments.

How to Clean a Hacked WordPress Site and Harden It

Support Portal  »  Knowledgebase  »  Viewing Article

  Print

Quick answer: Recover a hacked WordPress site by taking it offline, restoring a clean backup if you have one, updating core, themes, and all plugins, removing unknown code and files, resetting every password and the security salts, then hardening with 2FA, a firewall, and automatic updates so it does not recur.

A hacked WordPress site needs two things in the right order: clean it, then harden it so it does not happen again. Skipping the hardening step is why many sites get reinfected within days. Here is a practical recovery path.

1. Take the site offline and back up the evidence

Put the site into maintenance mode so visitors are not served malicious content, then take a full backup of files and database as they are. You need this snapshot to investigate, even though it contains the infection.

2. Restore from a known-clean backup if you have one

The fastest reliable recovery is restoring a backup from before the compromise, then immediately applying the hardening steps below. If you have no clean backup, continue with manual cleaning.

3. Update everything and remove unknown code

Update WordPress core, all themes, and all plugins to current versions - outdated software is the usual entry point. Delete any plugin or theme you do not recognize or use. Look for recently modified PHP files and for suspicious files in wp-content/uploads (which should never contain PHP). A malware scanner plugin helps locate injected code.

4. Reset all credentials

Change every password: WordPress admin users, database, hosting control panel, and FTP/SSH. Remove any admin account you did not create. Rotate WordPress security keys by generating fresh values for the salts in wp-config.php, which forces all sessions to log out.

5. Harden so it does not recur

Keep automatic updates on, enforce strong passwords with two-factor authentication for admins, limit login attempts, and remove file-editing in the dashboard by adding define('DISALLOW_FILE_EDIT', true); to wp-config.php. A web application firewall in front of the site blocks the majority of automated attacks.

6. Ask for reindexing if you were flagged

If search engines or browsers flagged the site, request a review once it is verified clean so the warnings are removed.

Frequently asked questions

Should I clean or restore?
Restoring a known-clean backup then hardening is fastest and most reliable; clean manually only if no clean backup exists.

How do I stop reinfection?
Update everything, reset all credentials, and add a web application firewall, 2FA, and login-attempt limits.

Our managed WordPress hosting includes preemptive security with a web application firewall and anti-malware scanning, plus regular backups, so most infections are blocked outright and clean restore points are always available.


Share via
Did you find this article useful?  

Related Articles

Tags

© Softsys Hosting