WordPress Hacked! – What Should I Do?


HELP! My WordPress website got hacked! What should I do next?

WordPress is the world’s leading content management system and this makes it a popular target for both amateur and professional hackers.

Unfortunately, every day people go through the shock of discovering that their site has been hacked. After the initial shock, panic usually kicks in.

Oh my God, my website has been hacked, what can I do now? What should I do?

The most sensible thing to do is to contact a WordPress security expert who can help you remove the malicious code, secure your website, and have everything back to normal as soon as possible.

I get such requests daily here at WP Mayor, which is why we’ve recently launched our WordPress security services, which include the hack cleanup service as well as the security audit and security lockdown for the good folks who like to play safe.

But what do we do when we perform a hack cleanup? In a nutshell, these are the tasks we undertake:

  1. Clean every infection we find from your website
  2. Identify how the attacker managed to get into WordPress
  3. Ensure that all plugins and themes in use are safe and free of known vulnerabilities
  4. Ensure that no file exposes sensitive information that hackers could use

What if you want to fix things yourself rather than hire an expert? Here are some pointers that should help fix the simple hacks.

First Step: Scan your Site

There are a number of plugins which perform scans, but the easiest way to scan your site is to use an online scanner such as the Sucuri Vulnerability scanner. When performing a cleanup on a client site, we also use other, more advanced scanners such as WPScan, but the Sucuri scanner should give you a good indication of where the main problem is.

If you’re lucky, the scanner will show which files are infected, in which case the next step will be to remove the malicious code.

Second Step: Remove Malicious Code

Before you start this step, take a backup of your site using a plugin like BackupBuddy (which also has an in-built vulnerability scanner), then download a copy of your whole site.

The most common malicious code injections are found in plugins or themes, although the WordPress core is sometimes affected as well. Once you have all your files on your local computer, open a file which, according to the scanner, contains malicious code. Then highlight the injected code and do a search & replace across your whole site (using an editor such as Sublime Text), replacing the malicious code with nothing, which effectively deletes that code from every file it was injected into.
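As an added example (not code from the article), the script below automates that delete-by-search-and-replace step over a downloaded copy of the site, keeps a .bak of every file it touches, and reports exactly what changed so you can review the result before uploading. The injected snippet it searches for is a constructed, inert placeholder, and the set of file extensions to scan is an assumption.

```python
"""Remove an exact injected snippet from every file under a local site copy.

Added example, not code from the article: it does the "search & replace
with nothing" step across the whole site, saves <file>.bak before touching
a file, and returns what was changed so it can be reviewed before upload.
"""
import shutil
import sys
from pathlib import Path

# Constructed placeholder for the injected line; use the exact string the
# scanner reported on your own site (copied verbatim, not retyped).
INJECTED_SNIPPET = b"<?php eval(base64_decode('CONSTRUCTED_PAYLOAD')); ?>"
# Assumption: these are the file types worth scanning in a WordPress tree.
SCAN_EXTENSIONS = {".php", ".js", ".html", ".htm"}


def find_infected(root: str, snippet: bytes = INJECTED_SNIPPET) -> list[str]:
    """Return paths (relative to root, POSIX style) of files containing snippet."""
    hits = []
    for path in sorted(Path(root).rglob("*")):
        if path.is_file() and path.suffix.lower() in SCAN_EXTENSIONS:
            if snippet in path.read_bytes():
                hits.append(path.relative_to(root).as_posix())
    return hits


def remove_snippet(root: str, snippet: bytes = INJECTED_SNIPPET) -> dict[str, int]:
    """Delete every exact occurrence of snippet; return {relative_path: count}.

    Works on raw bytes so the file's encoding is never altered, and writes a
    .bak copy first so each change can be inspected or undone. .bak files are
    not rescanned because their suffix is outside SCAN_EXTENSIONS.
    """
    changed = {}
    for rel in find_infected(root, snippet):
        path = Path(root) / rel
        data = path.read_bytes()
        count = data.count(snippet)
        shutil.copy2(path, str(path) + ".bak")  # keep the original for review
        path.write_bytes(data.replace(snippet, b""))
        changed[rel] = count
    return changed


if __name__ == "__main__":
    site = sys.argv[1] if len(sys.argv) > 1 else "."
    for rel, n in remove_snippet(site).items():
        print(f"{rel}: removed {n} occurrence(s), original kept as {rel}.bak")
```

Run it against the downloaded copy, then rescan with Sucuri as the article describes; an exact-match removal like this only catches the one string you fed it, so files the scanner flagged with a different payload still need a look.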

Manual removal can be daunting for some, especially users with no web development knowledge. In that case a security plugin such as MalCare or Wordfence can do the job for you. If your website is already hacked, you can also opt for the WordPress Malware Removal Service by MalCare (one of the best security services out there), which will clean your website in a jiffy.

Third Step: Upload the Files Back to Server

Once you’ve removed the malicious code, upload the files back to your server using an FTP program (such as FileZilla). Then run your site through the Sucuri scanner again, and check that your site is clean on all counts. If not, you’ll need to dig deeper or hire someone to help you.

Fourth Step: Change Passwords

Since passwords could have been compromised during the time that the site was hacked, change the following passwords:

  • Database password
  • WP-Admin password

For good measure you might also change the cPanel and FTP passwords.

Those four steps will often be enough to remove a malicious code injection and get your site removed from Google’s blacklist.

Are they enough? I’m afraid not. Security hardening involves many steps, and an experienced person who can identify how the site got hacked in the first place, as well as which other vulnerabilities exist on the site. Frequently the vulnerabilities will not only be of a technical nature (bad plugins or themes); they will also be more obvious things like weak passwords, and these need to be addressed as well. When you hire a security expert, he should be able to guide and educate you so that you can improve your site’s security from every angle.

If you want to learn more about the expert security services available at WP Mayor, please take a look at these pages:

  • WordPress Hack Cleanup service
  • WordPress Security Audit
  • WordPress Security Hardening

Do you have any other tips you’d like to share or security questions to ask us? Leave a comment below!


Jean Galea

Jean Galea is an investor, entrepreneur, and blogger. He is the founder of WP Mayor, the plugins WP RSS Aggregator and Spotlight, as well as the Mastermind.fm podcast. His personal blog can be found at jeangalea.com.

18 Responses

  1. Hi Jean Galea,

    I used the Cwatch tool to recover my WordPress website. I strongly recommend this tool; compared to other tools or service providers it’s very affordable too.

  2. This is definitely becoming a common problem nowadays. So far my sites have been safe but better to be careful than not. This list will serve as a good resource for me and many others. Prevention is key, keeping everything up to date and having a security plugin installed properly is good practice as well.

  3. The number one step to take when building a new WordPress site is without a doubt to update the WordPress secret key. I have never had an issue when this has been set up properly.

    On the flip side, every hacked site doesn’t have the secret key installed.

    It’s a must.

  4. Thanks for a great article with tips I will implement on my WordPress Site.
    One of my sites recently was hacked by the “Turkish Hacker – ET06”. I immediately panicked and began to look at code that may have been placed in some of the core files of WordPress.
    After some investigation, I found the problem was not as bad as I had originally thought.
    I was able to easily remove the problem and my site was up and running again in under 5 minutes.
    I have written an article that explains the steps I took to clean my WordPress site from the Turkish Hackers attack.
    My article is at:

  5. Hey Jean, great post! Please also remember to turn on two-factor authentication (2FA).

    Our solution is Rublon, invisible 2FA. It protects your account from sign-ins from unknown devices, even if your password gets stolen:

  6. Hi Jean, I would like to suggest a website which not only scans your domain but also removes malware and hacked content. Hackerninja.com is all free; please have a look and add your feedback. Best online scanner for WP and Joomla.

  7. The Sucuri site doesn’t catch everything. I’ve been working on a tool that does some more elaborate tests to detect malware that tries to hide from regular detection. I have been seeing a lot of WP/Joomla/Drupal sites get hacked so I’ve been building tools to help me investigate them.

    1. That’s true Sean, please share with us any other useful tools that you create or get to know about.

  8. People often forget that they need to replace their WP authentication codes, as that can have a good impact on stopping users that already have access.

    I specialize in helping people with hacked WordPress sites:

    Additionally, I’d highly recommend hardening your WP-includes folder after you’ve replaced the bunk files.

  9. Or instead of performing steps 1 to 3 you use the Anti-Malware (Get Off Malicious Scripts) plugin and scan/clean all your infected files without much hassle, at the speed of light (as I did more than once) 🙂

    Try it – you’ll be amazed what this little piece of security art can do for your hacked/infected sites… oh yes, I didn’t mention it: IT’S FREE! 🙂

    Enjoy it…
    …. and prevention – it’s best protection, always.

      1. No pro.. I have a lot more of them, as I tested (directly or indirectly) 12,000+ plugins from WordPress.org… What to say – when you start browsing it’s like an addiction, you can’t stop so easily… 🙂

  10. Removing malicious code in core files is very difficult, so what I do is replace all the core files with new WordPress files. I just exclude the /wp-contents folder.

    1. I agree with that, I should have specified that I was referring to the /wp-contents folder, since you can’t do a straight replace all there.
