Best Plugins for Fixing Hacked WordPress Websites


Here are a couple of plugins I always rely on for identifying and fixing malware on hacked WordPress websites. Even with these tools, ridding a hacked site of malware and malicious code is not a task for the faint of heart. If you want to leave things in the hands of professionals, I recommend that you trust Sucuri to clean your website and restore it to its former glory.

Sucuri secures your site so that you don’t have to. Through its professional security analysts, Sucuri offers a number of features to protect your site, including malware scanning and detection, malware clean-up, security monitoring, malware prevention and more.


MalCare, an innovative new plugin from the makers of the excellent BlogVault service, works in tandem with a remote service that relieves your hosting of the processing burden incurred by continuous security scans. The plugin also hardens your site according to current best practices, reducing the risk of you getting infected in the first place.

The included backup service also conserves your hosting resources by using an ingenious “incremental backup” technology, perfected during their years running BlogVault, which only backs up the bits of your site that have not been backed up already.

Your website is continuously monitored, so that even the most complex infections are detected quickly, allowing you to carry out a one-click malware removal before Google or other search engines notice the problem and delist your site. This is the most advanced WordPress security plugin/service so far, but we expect the other providers to follow their lead.

MalCare also offers a one-time WordPress Malware Removal Service that will clean your WordPress website in a jiffy.

Download Malcare



Wordfence Security is a free enterprise-class security plugin that includes a firewall, anti-virus scanning, malicious URL scanning and live traffic including crawlers. Wordfence is the only WordPress security plugin that can verify and repair your core, theme and plugin files, even if you don’t have backups.

Wordfence Security is 100% free; however, they also offer a Premium API key that gives you access to their premium support ticketing system, along with two-factor authentication via SMS, country blocking and the ability to schedule scans for specific times.

Download Wordfence Security

Anti-Malware & Brute-Force Security by ELI

This anti-malware plugin searches for malware and other virus-like threats and security vulnerabilities on your server, and it helps you remove them. Among its features you’ll find:

  • Automatic removal of “Known Threats” and “Back-doors”.
  • Automatically block SoakSoak and other malware from exploiting the Revolution Slider Vulnerability.
  • Patch wp-login to block Brute-Force attacks.
  • Download Definition Updates to protect against new threats.
  • Automatically upgrade vulnerable versions of timthumb scripts.
  • Customize Scan Settings.
  • Run a Quick Scan from the admin menu or a Complete Scan from the Settings Page.

Download Anti-Malware & Brute-Force Security by ELI

Backup Buddy


Backup Buddy’s primary strength is creating backups and restoring those backups later. However, it also has a malware detection feature which is very accurate and is powered by Sucuri’s own scanning feature. I highly recommend that you have a copy of Backup Buddy running on all your websites, as I do.

Some of its other features include email notifications, server tools, database scans and even a migrate function for those developers who like to work locally then transfer their site to a live domain.

Download Backup Buddy

In addition to the plugins mentioned above, which can be used on an ongoing basis, or as an antidote to clean hacked sites, I also make use of several other plugins to beef up security on WordPress sites:

Login Lockdown


Login LockDown records the IP address and timestamp of every failed login attempt. If more than a certain number of attempts are detected within a short period of time from the same IP range, then the login function is disabled for all requests from that range. This helps to prevent brute force password discovery.

Currently the plugin defaults to a 1 hour lockout of an IP block after 3 failed login attempts within 5 minutes. This can be modified via the Options panel. Administrators can release locked-out IP ranges manually from the panel.
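The lockout policy described above, sketched as an added example (this is not Login LockDown's own code). The thresholds are the defaults quoted above; treating an "IP range" as a /24 for IPv4 and a /64 for IPv6 is an assumption, as are all function and class names.

```python
import ipaddress
from collections import defaultdict, deque

MAX_FAILURES = 3           # failed attempts that trigger a lockout
WINDOW_SECONDS = 5 * 60    # look-back period for counting failures
LOCKOUT_SECONDS = 60 * 60  # how long the whole range stays locked

def ip_range(ip, v4_prefix=24, v6_prefix=64):
    """Map an address to its enclosing network (prefix sizes are assumed)."""
    addr = ipaddress.ip_address(ip)
    prefix = v4_prefix if addr.version == 4 else v6_prefix
    return str(ipaddress.ip_network(f"{addr}/{prefix}", strict=False))

class LockoutTracker:
    def __init__(self):
        self.failures = defaultdict(deque)  # range -> failure timestamps
        self.locked_until = {}              # range -> unlock time

    def is_locked(self, ip, now):
        until = self.locked_until.get(ip_range(ip))
        return until is not None and now < until

    def record_failure(self, ip, now):
        """Log a failed login; return True if the range is (now) locked."""
        if self.is_locked(ip, now):
            return True
        q = self.failures[ip_range(ip)]
        q.append(now)
        while q and now - q[0] > WINDOW_SECONDS:
            q.popleft()                     # forget failures outside the window
        if len(q) >= MAX_FAILURES:
            self.locked_until[ip_range(ip)] = now + LOCKOUT_SECONDS
            q.clear()
            return True
        return False

    def release(self, ip):
        """Administrator override: unlock a range manually."""
        self.locked_until.pop(ip_range(ip), None)
        self.failures.pop(ip_range(ip), None)

# Constructed sample: (seconds, source IP) of failed logins. Three different
# hosts in one /24 still trip the lockout because counting is per range.
SAMPLE_FAILURES = [(0, "203.0.113.10"), (60, "203.0.113.11"),
                   (90, "198.51.100.7"), (120, "203.0.113.12")]

def replay(events):
    """Feed failures through a fresh tracker; return the ranges that locked."""
    t = LockoutTracker()
    return sorted({ip_range(ip) for ts, ip in events if t.record_failure(ip, ts)})
```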

Download Login Lockdown

Centrora Security


Centrora Security is a new plugin that’s modified from OSE Firewall Security. It is a WordPress firewall security plugin that protects your WordPress sites from attacks and hacking. The built-in malware and security scanner helps you identify security risks, malicious code, spam, viruses, SQL injection and security vulnerabilities.

Some of its new features include a database backup function, central security management integration with Centrora Panel, a file upload scanning function and even a Google Authenticator (2-step authentication) function. You can find more information on their website.

Download Centrora Security

WP Security Audit Log


The WP Security Audit Log plugin keeps an audit log of everything that is happening on your WordPress site or WordPress multisite, to ensure user productivity and identify WordPress security issues before they become a security problem.

By using the WP Security Audit Log security plugin, it’s very easy to track suspicious user activity before it becomes a problem or a security issue. This security monitoring and auditing plugin is developed by the WordPress security consultants and professionals at WP White Security.

Download WP Security Audit Log


Jean Galea

Jean Galea is an investor, entrepreneur, and blogger. He is the founder of WP Mayor, the plugins WP RSS Aggregator and Spotlight, as well as the podcast. His personal blog can be found at

27 Responses

  1. How do I protect a WordPress site when the uft-8 changes and is replaced by another one, for example uft+0 or uft-5?

    And another question: cleaning up from the Google blacklist.

  2. How do I block the Google malware block, and can this plugin remove our blog from Google’s malware detection?

  3. Best way to prevent: change passwords frequently, harden plugins, upgrade your hosting or an easier solution is to use a Malware find, fix & prevent solution. I use and they’ve been rock solid. I run across all my client sites.

  4. Thanks for the post! I use
    I think it’s a great.

    Looking forward to reading more of your posts.

  5. You wouldn’t need to mess with difficult and unreliable recovery if you’d make backups often enough.

    Look up at Web Support Revolution. My backups are created a few times a day and all changes are monitored.

    When I had problems with repeatable hacks, it was just a few clicks to restore the good version.

    But after I’ve also set their firewall – backups are needed only for cases when I break something by myself.

  6. Hi guys, I installed Anti-Malware & Brute-Force Security by ELI; it is the best. My site is clear now. Thanks for this post.


  7. As the owner of a high traffic blog I hate to be busy with these kinds of things, although they are very important. What people seem to forget is that a managed hosting provider can save you a lot of time. Here is what a hosting provider can do to keep you safe:

  8. It is important that folks realize that hacker payloads will usually contain hidden hacker backdoor files that are not going to be detectable by any of these plugins. So what will happen is the obvious hacked stuff will be found and cleaned by these plugins, but the hack will just happen again since the hidden hacker backdoor files were not detected/found. If you look at the current Wordfence support forum you will see several current threads where this is happening. It is better to know the truth about what you are dealing with to take care of it 100% vs trying band-aids that are not really going to fix the hack problem.

    @Jean – “For extra security…” is quite an understatement for current versions of BPS Pro, but back in 2013 BPS Pro was not nearly as powerful as it is now. 😉 BPS Pro currently has a perfect track record. Yes, that means that no one with BPS Pro installed has had their website hacked.

  9. Great stuff! I get lost and emotional if I get minor issues with my blog! I can’t imagine what I’d do if something major happened! This information is very useful. My hosting company has suspended my account due to some infected files uploaded by a hacker, or I don’t know. My site name is please share some tips to make my site security strong. I thank you for your time & effort, it’s clearly not one of these 5 minutes posts! Quality! Love it, regards

  10. I downloaded Anti-Malware & Brute-Force Security by ELI on your recommendation, and also based on other reviews that I saw online. I had an extremely invasive php malware infection in ALL of my websites, in wp files, and even throughout theme files. A few other plugins I tried did not work, or messed something up, or were confusing. Eli’s plugin was amazing, and I would highly recommend it. It cleared all of my sites.

  11. Hi Jean,

    Thanks for the info! Our website has some content on viagra, which shows only in meta description in Google Search Results, we have tried Sucuri but the malware still exists. Please let me know what to do.

  12. It seems like the plugins are why I keep getting hacked. A vulnerable plugin let someone into my site in the first place.

  13. What do you think of the Limit Login Attempts plugin? I’ve heard Wordfence is very good too.

    1. Both are good plugins, but ones I would keep running all the time rather than install to fix a hacked WordPress site, which was the main topic of this post.

  14. Hi Jean,

    Very Good Info. I was searching for this info since some time. Now I got awesome information from this post. thanks again

  15. Jean, great info. I have installed the WP File Monitor plugin. What could this mean: I get a WP File Monitor alert that says “changed: benny/.ftpquota”. Should I be concerned?
    Thanks Mayor

    1. No you shouldn’t be concerned about that Jerry. Keep a special eye on theme file changes and also plugin file changes (excluding updates of course).

  16. Hi Jean, what about Better WP Security? It also gives overall protection. How would you rate it, please?

    1. It’s a very very popular plugin, and it’s a very good idea to keep that installed at all times. I didn’t include it here since the post was more about hack removal. For extra security BulletProof Security Pro adds many other features that are not found in the free version.

  17. Good info Jean as usual may I add.
    Some advice please – do you install them all as they all seem good?

    1. Excellent question Joseph, the ones I always have installed are BackupBuddy (mostly for its backup functionality) and Login Lockdown, I tend to install the others only when I need to clean a hacked site. Since I host with WP Engine, keep everything updated, and use very trusted plugins, I don’t need to overdo it with security plugins.
