Last Updated: May 2026
TL;DR: If your WordPress site has been hacked, act immediately: put the site in lockdown, run a malware scan, reset all credentials, reinstall WordPress 6.7 core files, restore a clean backup if needed, and then harden the site against future attacks. The faster you move through each step, the less damage attackers can do to your SEO rankings, user data, and reputation.
Finding out your WordPress site has been hacked is one of the most stressful experiences a site owner faces. Spam links appear in your footer. Google flags your pages with a “This site may be hacked” warning. Your host suspends your account. Visitors see a defaced homepage. These are all signs that a WordPress hacked recovery process needs to start right now, not tomorrow.
WordPress powers over 43% of all websites on the internet, which makes it the largest single target for automated bots and human attackers. Weak passwords, outdated plugins, nulled themes, and poorly configured file permissions all create entry points. This guide walks you through every recovery step in the correct order so you can get your site clean, back online, and protected in 2026.

How to Tell Your WordPress Site Has Been Hacked
Before starting the WordPress hacked recovery process, confirm what you are dealing with. Common signs include:
- Google Search Console sends a “Manual Action” or malware notification.
- Visitors are redirected to spam, gambling, or adult sites.
- Your homepage has been defaced with a different message or image.
- New admin users appear in your WordPress dashboard that you did not create.
- Your host sends a suspension notice citing malicious files.
- Your site loads very slowly or returns 500 errors caused by scripts running in the background.
- Google shows a “This site may be hacked” warning in search results.
- You find unknown files in your /wp-content/uploads/ folder or theme directories.
If you see any of these, treat it as a confirmed compromise and start recovery immediately.
Step 1: Lock Down the Site Immediately
The first priority in any WordPress hacked recovery is stopping further damage. Every minute the site remains accessible to the attacker gives them more time to exfiltrate data, add backdoors, and spread malware across more files.
Put the site in maintenance mode. If you can still access the WordPress admin dashboard, activate a maintenance mode plugin or add a simple redirect in .htaccess to prevent visitors from reaching infected pages.
Change your hosting account password immediately. Log into your hosting control panel and change the account password. This prevents the attacker from using stolen credentials to access cPanel, SFTP, or database tools directly.
Revoke all unknown admin accounts. In your WordPress dashboard under Users, delete any administrator accounts you did not create. If your dashboard is inaccessible, you can do this directly in the database via phpMyAdmin by looking at the wp_users and wp_usermeta tables.
Block suspicious IP addresses. If your access logs show repeated requests from a specific IP range, block those at the server or firewall level.
Step 2: Run a Complete Malware Scan in 2026
Once the site is locked down, you need to find every infected file. Manual scanning is not sufficient for most site owners because malware is often obfuscated and hidden inside legitimate-looking files.
Two well-established tools for WordPress malware scanning are Wordfence Security and Sucuri Security, both available from the WordPress.org plugin directory. Wordfence compares your core files, themes, and plugins against known-good checksums and flags any file that has been modified. Sucuri offers a server-side scanner that checks files the front-end scanner cannot reach.
For a deeper scan, access your server via SFTP and download a full copy of the site. Then run a local scan using a tool such as ClamAV or similar open-source antivirus software that can detect PHP backdoors and injected JavaScript.
Pay particular attention to these locations attackers commonly target:
- wp-config.php — check for added code at the top or bottom of the file.
- /wp-content/themes/ — especially functions.php in every installed theme.
- /wp-content/plugins/ — look for PHP files with names that do not match the plugin’s legitimate file list.
- /wp-content/uploads/ — PHP files should never appear here; any .php file in this directory is malicious.
- .htaccess — check for redirect rules sending visitors to external domains.
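As an added example (not code from the original guide or from Wordfence or Sucuri), the POSIX shell script below automates a first pass over the locations listed above: stray PHP files in uploads, PHP files in the configuration, theme and plugin paths that use the constructs injected code usually relies on, and .htaccess rules that redirect to another host. The pattern list is an assumption about common injection styles, so a hit is a lead for manual review, not proof of malware. The `make_sample_site` function builds a small constructed site tree so the script runs offline; point `triage_site` at a full site copy downloaded over SFTP instead.

```shell
#!/bin/sh
# Added example, not part of the original guide: a first-pass triage of the
# hot spots the guide lists. Each finding is printed as "<reason>\t<path>".
# Assumes only POSIX sh, find, grep and printf.

# Any .php file under wp-content/uploads is a finding: none belongs there.
find_php_in_uploads() {
    find "$1/wp-content/uploads" -type f -name '*.php' 2>/dev/null |
    while IFS= read -r f; do
        printf 'php-in-uploads\t%s\n' "$f"
    done
}

# PHP files in wp-config.php, themes and plugins that use the constructs
# injected code typically relies on (assumed pattern list; extend as needed).
SUSPICIOUS_PHP='eval *\(|base64_decode *\(|gzinflate *\(|str_rot13 *\(|assert *\('
find_obfuscated_php() {
    find "$1/wp-config.php" "$1/wp-content/themes" "$1/wp-content/plugins" \
         -type f -name '*.php' 2>/dev/null |
    while IFS= read -r f; do
        if grep -qE "$SUSPICIOUS_PHP" "$f"; then
            printf 'suspicious-code\t%s\n' "$f"
        fi
    done
}

# .htaccess rewrite or redirect rules that send visitors to another host.
find_htaccess_redirects() {
    f="$1/.htaccess"
    if [ -f "$f" ] && grep -qiE '^[[:space:]]*(RewriteRule|Redirect)[^#]*https?://' "$f"; then
        printf 'htaccess-redirect\t%s\n' "$f"
    fi
}

# Run all three checks; output is one finding per line.
triage_site() {
    find_php_in_uploads "$1"
    find_obfuscated_php "$1"
    find_htaccess_redirects "$1"
}

# Constructed sample tree so the script can be exercised offline: one clean
# theme, one plugin file using eval(base64_decode(...)), a stray PHP file in
# uploads, and an .htaccess that redirects off-site. Domains use the
# reserved .example TLD.
make_sample_site() {
    s="$1"
    mkdir -p "$s/wp-content/uploads/2026/05" "$s/wp-content/themes/demo" "$s/wp-content/plugins/demo"
    printf "<?php\ndefine( 'DB_NAME', 'wordpress' );\n" > "$s/wp-config.php"
    printf '<?php\nfunction demo_setup() { add_theme_support( "title-tag" ); }\n' > "$s/wp-content/themes/demo/functions.php"
    printf '<?php eval(base64_decode("aGVsbG8="));\n' > "$s/wp-content/plugins/demo/cache.php"
    printf 'not really an image\n' > "$s/wp-content/uploads/2026/05/photo.jpg"
    printf '<?php echo "dropped";\n' > "$s/wp-content/uploads/2026/05/dropped.php"
    printf 'RewriteEngine On\nRewriteRule ^(.*)$ https://spam.example/$1 [R=301,L]\n' > "$s/.htaccess"
}

# Usage: make_sample_site /tmp/demo-site && triage_site /tmp/demo-site
```

The script only reports; it never deletes or edits anything, so it is safe to run repeatedly while you work through the findings by hand. Run it against the downloaded copy, not the live server, so the listing itself cannot be tampered with mid-scan.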
Our dedicated guide on WordPress malware removal covers advanced scanning techniques and how to interpret scanner output in detail.
Step 3: Reset All Passwords and Revoke Sessions
Even after infected files have been identified and removed, attackers may still hold valid session tokens or have stored credentials inside configuration files. A complete credential reset is non-negotiable in the WordPress hacked recovery process.
Reset all WordPress user passwords. Go to Users in the WordPress dashboard and force a password reset for every account. For administrator accounts, use a minimum 20-character password generated by a password manager.
Generate a new set of WordPress security keys. In wp-config.php, locate the section with AUTH_KEY, SECURE_AUTH_KEY, LOGGED_IN_KEY, and the related salts. Replace all eight values with freshly generated ones from the WordPress secret key generator. This invalidates all existing login cookies and forces every user, including any attacker who has a valid session, to log in again.
Change the database password. In your hosting control panel, change the MySQL database user password. Then update the DB_PASSWORD constant in wp-config.php to match.
Change your SFTP and hosting passwords. Do not reuse any previous credentials. Change your email account password as well, since attackers sometimes pivot to email to trigger password resets on other services.
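The security-key step above can be scripted. The following POSIX shell script is an added example, not code from the original guide or from WordPress itself: it generates eight fresh 64-character values locally (instead of fetching them from the WordPress secret key generator) and rewrites the `define( 'KEY', '...' );` lines in wp-config.php in place, which is what invalidates every existing login cookie. It assumes the stock single-line `define(` format; `write_sample_config` creates a constructed wp-config.php with the placeholder values so the script can be tried offline.

```shell
#!/bin/sh
# Added example, not from the original guide: rotate the eight WordPress
# keys and salts in wp-config.php in place. Changing them invalidates every
# existing login cookie, so any session the attacker still holds dies.
# Assumes POSIX sh with /dev/urandom, tr, head and sed.

WP_SALT_KEYS="AUTH_KEY SECURE_AUTH_KEY LOGGED_IN_KEY NONCE_KEY AUTH_SALT SECURE_AUTH_SALT LOGGED_IN_SALT NONCE_SALT"

# 64 random characters, restricted to a set that is safe inside a
# single-quoted PHP string and inside a sed replacement.
random_salt() {
    LC_ALL=C tr -dc 'A-Za-z0-9' < /dev/urandom | head -c 64
}

# Current value of define( 'NAME', '...' ); in the given wp-config.php.
config_value() {
    sed -n "s/^[[:space:]]*define( *'$2', *'\([^']*\)' *);.*/\1/p" "$1"
}

# Rewrite the value of each key line with a fresh random salt. Lines that
# do not match the define( 'KEY', '...' ); shape are left untouched, and the
# file is written back through cat so its permission bits are preserved.
regenerate_salts() {
    cfg="$1"
    for key in $WP_SALT_KEYS; do
        new=$(random_salt)
        sed "s/^\([[:space:]]*define( *'$key', *'\)[^']*\(' *);\)/\1$new\2/" "$cfg" > "$cfg.tmp" &&
            cat "$cfg.tmp" > "$cfg" && rm -f "$cfg.tmp"
    done
}

# Constructed sample wp-config.php with the stock placeholder values.
write_sample_config() {
    cat > "$1" <<'EOF'
<?php
define( 'DB_NAME', 'wordpress' );
define( 'DB_PASSWORD', 'sample-only' );
define( 'AUTH_KEY',         'put your unique phrase here' );
define( 'SECURE_AUTH_KEY',  'put your unique phrase here' );
define( 'LOGGED_IN_KEY',    'put your unique phrase here' );
define( 'NONCE_KEY',        'put your unique phrase here' );
define( 'AUTH_SALT',        'put your unique phrase here' );
define( 'SECURE_AUTH_SALT', 'put your unique phrase here' );
define( 'LOGGED_IN_SALT',   'put your unique phrase here' );
define( 'NONCE_SALT',       'put your unique phrase here' );
/* That's all, stop editing! Happy publishing. */
EOF
}

# Usage: write_sample_config /tmp/wp-config.php && regenerate_salts /tmp/wp-config.php
```

Because the rewrite touches only the eight key lines, DB_NAME, DB_PASSWORD and everything else in the file keep their values; check with `config_value wp-config.php AUTH_KEY` before and after to confirm the rotation happened.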
Step 4: Reinstall WordPress Core Files
Even if your malware scanner removes infected files, core WordPress files may contain remnants or the scanner may have missed something. Reinstalling core gives you a verified clean set of files.
The safest method is to download a fresh copy of WordPress 6.7 from WordPress.org and replace all core files. The directories and files to replace are:
- /wp-admin/ — delete the entire folder and replace with the fresh copy.
- /wp-includes/ — delete the entire folder and replace with the fresh copy.
- All .php files in the root (such as index.php, wp-login.php, wp-settings.php, etc.).
Do NOT delete or replace wp-config.php (contains your database credentials), .htaccess (you will regenerate this), or anything inside /wp-content/ at this stage. You want to preserve your uploads and any clean plugin or theme files.
Alternatively, if you have access to the WordPress admin dashboard, navigate to Dashboard, then Updates, and click “Re-install version 6.7.” WordPress will download and overwrite all core files automatically without touching your content or configuration.
After reinstalling core, regenerate your .htaccess file by going to Settings, then Permalinks, and clicking Save Changes. This writes a fresh, clean .htaccess based on your permalink structure.
Step 5: Clean or Restore from a Backup
If the malware infection is widespread across plugins and themes, the fastest and most reliable path is to restore from a clean backup taken before the compromise occurred. This is why maintaining regular automated backups is essential.
If you have a clean backup, restore these components:
- The WordPress database (all your posts, pages, settings, and user data).
- Your /wp-content/themes/ directory.
- Your /wp-content/plugins/ directory.
- Your /wp-content/uploads/ directory — but scan it for PHP files before restoring.
If you do not have a pre-hack backup, you will need to clean files manually. For each plugin and theme, delete the entire directory and reinstall a fresh copy from WordPress.org or the developer’s official source. Never reinstall from the files already on the server, as they may still be infected.
For your database, look for injected content in common locations. The wp_options table often contains injected JavaScript in the active_plugins, siteurl, or home values. The wp_posts table may contain spam links injected into post content. Use phpMyAdmin’s search feature or WP-CLI’s wp db search command to find and replace malicious strings across the entire database.
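Searching the database for injected content can be done offline against a plain-text export. The script below is an added example, not from the original guide or from WP-CLI: it greps an SQL dump (as produced by phpMyAdmin’s export or `wp db export`) for the injection shapes described above and reports the table and line number of each hit. The pattern list is an assumption, and legitimate custom HTML can also contain `<script>` or `<iframe>`, so every hit still needs a human look. `write_sample_dump` creates a constructed export so the script runs without a database.

```shell
#!/bin/sh
# Added example, not from the original guide: grep a plain-text SQL export
# for the injection shapes the text describes and report the table and line
# number of each hit. The pattern list is an assumption.

INJECTION_PATTERNS='<script[^>]*src=|eval\(|base64_decode\(|document\.write\(|<iframe|fromCharCode'

# Print "<table>\t<line-number>" for every INSERT line matching a pattern.
find_db_injections() {
    grep -nE "$INJECTION_PATTERNS" "$1" |
    while IFS= read -r hit; do
        lineno=${hit%%:*}
        table=$(printf '%s\n' "$hit" | sed -n 's/^[0-9]*:INSERT INTO `\([^`]*\)`.*/\1/p')
        printf '%s\t%s\n' "${table:-unknown}" "$lineno"
    done
}

# Constructed sample export: normal siteurl/home rows, a widget carrying a
# remote <script>, a clean post, and a post with spam links and an iframe.
# Hostnames use the reserved .example TLD.
write_sample_dump() {
    cat > "$1" <<'EOF'
INSERT INTO `wp_options` VALUES (1,'siteurl','https://example.com','yes');
INSERT INTO `wp_options` VALUES (2,'home','https://example.com','yes');
INSERT INTO `wp_options` VALUES (99,'widget_text','<script src=\"https://cdn.attacker.example/x.js\"></script>','yes');
INSERT INTO `wp_posts` VALUES (10,'Hello world','<p>Welcome to the site.</p>');
INSERT INTO `wp_posts` VALUES (11,'Deals','<p><a href=\"https://spam.example/\">cheap</a></p><iframe src=\"https://spam.example/f\"></iframe>');
EOF
}

# Usage: write_sample_dump /tmp/dump.sql && find_db_injections /tmp/dump.sql
```

The script only reports. Once you have confirmed a string is malicious, remove it with phpMyAdmin or WP-CLI’s `wp search-replace`, and re-run the scan on a fresh export to confirm nothing was missed; a second copy of the same payload in another row is common.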

Step 6: Harden WordPress to Prevent Future Attacks
Cleaning up the hack is only half the job. Without hardening, the same vulnerability will be exploited again, often within hours. These are the most impactful hardening steps you can take immediately after completing the WordPress hacked recovery process.
Update everything. Run updates on WordPress core, all plugins, and all themes. Attackers frequently exploit known vulnerabilities in outdated software. As of mid-2026, WordPress 6.7 is the current stable release and includes several security improvements over earlier versions.
Delete unused plugins and themes. Inactive plugins and themes can still be exploited even if they are deactivated. Delete anything you are not actively using, including the default Twenty Twenty-Three and Twenty Twenty-Four themes if you are not using them. Keeping only Twenty Twenty-Five as a fallback is sufficient.
Limit login attempts. Install a plugin that limits failed login attempts, such as Limit Login Attempts Reloaded. Brute-force attacks account for a significant share of WordPress compromises.
Enable two-factor authentication. Require 2FA for all administrator accounts using a plugin such as WP 2FA. Even if an attacker steals a password, 2FA prevents them from completing the login.
Harden file permissions. Correct file permissions prevent attackers from writing to files they should not be able to modify. Standard permissions are: directories at 755, files at 644, and wp-config.php at 600 or 640.
Protect wp-config.php and disable file editing. Add define( 'DISALLOW_FILE_EDIT', true ); to wp-config.php to disable the built-in theme and plugin editor, which attackers use to inject code if they gain dashboard access.
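The file-permission and DISALLOW_FILE_EDIT steps above can be applied and verified with a short script. The following is an added example, not from the original guide or from WordPress: it sets 755 on directories, 644 on files and 600 on wp-config.php, counts anything still world-writable, and inserts the DISALLOW_FILE_EDIT define before the “stop editing” marker (or after the opening `<?php` if that marker is absent) without duplicating it on a second run. It assumes the web server runs as the file owner or needs only read access; on hosts where PHP runs as a different user than the SFTP account, the 600 on wp-config.php may need to be 640 with the right group, as the text notes. `make_loose_site` builds a constructed tree with deliberately loose modes for a dry run.

```shell
#!/bin/sh
# Added example, not from the original guide: apply the permission scheme
# the text gives (755 directories, 644 files, 600 wp-config.php), audit for
# anything still world-writable, and add DISALLOW_FILE_EDIT to wp-config.php
# if it is missing. Assumes POSIX sh, find, chmod, ls, grep and awk.

harden_permissions() {
    site="$1"
    find "$site" -type d -exec chmod 755 {} +
    find "$site" -type f -exec chmod 644 {} +
    if [ -f "$site/wp-config.php" ]; then
        chmod 600 "$site/wp-config.php"
    fi
}

# Number of files or directories under the site still writable by "other".
count_world_writable() {
    find "$1" \( -type f -o -type d \) -perm -002 | wc -l | tr -d ' '
}

# Mode string (e.g. -rw-------) of one path; works with GNU and BSD ls.
mode_string() {
    ls -ld "$1" | cut -c1-10
}

# Insert define( 'DISALLOW_FILE_EDIT', true ); before the "stop editing"
# marker, or right after the opening <?php if the marker is absent.
# Does nothing if the constant is already defined. The file is written back
# through cat so its permission bits survive.
ensure_disallow_file_edit() {
    cfg="$1"
    line="define( 'DISALLOW_FILE_EDIT', true );"
    if grep -q 'DISALLOW_FILE_EDIT' "$cfg"; then
        return 0
    fi
    if grep -q 'stop editing' "$cfg"; then
        awk -v add="$line" '/stop editing/ { print add } { print }' "$cfg"
    else
        awk -v add="$line" '{ print } NR == 1 && /^<\?php/ { print add }' "$cfg"
    fi > "$cfg.tmp" && cat "$cfg.tmp" > "$cfg" && rm -f "$cfg.tmp"
}

# Constructed sample site with deliberately loose modes, for a dry run.
make_loose_site() {
    s="$1"
    mkdir -p "$s/wp-content/uploads" "$s/wp-admin"
    printf "<?php\n/* That's all, stop editing! Happy publishing. */\n" > "$s/wp-config.php"
    printf '<?php\n' > "$s/index.php"
    printf 'x\n' > "$s/wp-content/uploads/a.txt"
    chmod -R 777 "$s"
}

# Usage: make_loose_site /tmp/site && ensure_disallow_file_edit /tmp/site/wp-config.php \
#        && harden_permissions /tmp/site && count_world_writable /tmp/site
```

Run `count_world_writable` before and after; a non-zero count afterwards points at files a plugin or backup process recreated with loose modes, which is itself worth investigating.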
Install a web application firewall. A WAF filters malicious requests before they reach WordPress. Wordfence’s free tier includes a firewall, or you can use a DNS-level WAF such as Cloudflare.
For a complete checklist of every hardening measure, read our detailed guide on WordPress security best practices. You should also review the broader WordPress hosting options available, as managed WordPress hosting plans from reputable providers include server-level malware scanning, automatic core updates, and isolated environments that significantly reduce attack surface.
Step 7: Request a Google Review and Monitor Going Forward
If Google flagged your site, cleaning the files alone does not automatically lift the warning. You need to request a review through Google Search Console to have Google re-crawl and verify the site is clean.
In Google Search Console, navigate to Security and Manual Actions. If a manual action or security issue is listed, click “Request Review” after completing your cleanup. Google typically responds within a few days. If your hosting provider suspended your account, contact them directly with confirmation that the malware has been removed so they can unsuspend the account and conduct their own scan.
Once the site is back online, set up ongoing monitoring:
- Enable email alerts in Google Search Console for new security issues.
- Schedule weekly automated malware scans with Wordfence or Sucuri.
- Set up automated daily backups stored in an offsite location (such as Amazon S3 or Google Drive) using a plugin such as UpdraftPlus.
- Monitor uptime with a service that alerts you if the site goes offline.
WordPress Hacked Recovery: Quick Reference Table
Use this table to track where you are in the recovery process.
| Step | Action | Time Estimate | Priority |
|---|---|---|---|
| 1 | Lockdown: maintenance mode, change hosting password, remove rogue admins | 15 minutes | Critical |
| 2 | Run full malware scan (Wordfence, Sucuri, or server-side ClamAV) | 30-60 minutes | Critical |
| 3 | Reset all passwords, regenerate security keys, change DB password | 20 minutes | Critical |
| 4 | Reinstall WordPress 6.7 core files | 15 minutes | High |
| 5 | Restore clean backup or manually clean plugins, themes, and database | 1-4 hours | High |
| 6 | Harden site: update software, configure firewall, set file permissions | 1-2 hours | High |
| 7 | Request Google Search Console review, set up ongoing monitoring | 30 minutes | Medium |
Want a Pro WordPress Site in Minutes?
SiteForge builds you a full WordPress site in about 15 minutes — AI handles layout, styling, content, and images. Free to design, only pay when you’re ready to go live. If a hack has left you considering a fresh start, SiteForge can spin up a clean, security-ready WordPress site faster than a manual rebuild ever could.
Frequently Asked Questions About WordPress Hacked Recovery
How do I know if my WordPress site has been hacked?
Common signs include a Google Search Console security warning, visitors being redirected to spam or adult sites, a defaced homepage, unfamiliar admin user accounts, or your hosting provider suspending your account. You can also use a free tool such as the Sucuri SiteCheck scanner to scan your site’s front end for known malware signatures.
Can I recover a hacked WordPress site without a backup?
Yes, recovery without a backup is possible but more time-consuming. You will need to reinstall WordPress core files, reinstall each plugin and theme from scratch using fresh downloads, and manually clean the database by searching for injected code in your posts and options tables. A malware scanner like Wordfence can help identify exactly which files were compromised.
How long does it take for Google to remove the “hacked” warning after cleanup?
After you submit a review request through Google Search Console, Google typically processes it within a few days, though it can occasionally take up to two weeks for complex cases. The warning is removed once Google confirms the malware has been fully eliminated. Ensuring your site stays clean during the review period is essential.
What is the most common way WordPress sites get hacked?
The most common attack vectors in 2026 are outdated plugins and themes with known vulnerabilities, weak or reused administrator passwords targeted by brute-force bots, nulled (pirated) themes and plugins with pre-installed backdoors, and insecure shared hosting environments where one compromised account affects neighboring sites.
Should I contact my hosting provider when my WordPress site is hacked?
Yes. Your hosting provider should be notified immediately. They can assist with isolating your account, reviewing server-level access logs to identify how the attacker entered, and confirming whether other sites on shared hosting have been affected. Many managed WordPress hosting providers also include free malware removal assistance as part of their service plans.