How to Fix a Hacked WordPress Site (Step by Step)

Introduction

Few things rattle a site owner like realizing their WordPress site has been hacked — strange redirects, spam pages you never created, a warning in Google search results, or being locked out of your own dashboard. The good news is that most WordPress hacks follow predictable patterns and can be cleaned up methodically. This guide walks you through spotting the signs, removing the infection, and — the fastest route of all — restoring a clean copy of your site.

Signs Your WordPress Site Is Hacked

  • Your site redirects visitors to a spammy or unfamiliar website.
  • You see pages, posts, or pop-ups you didn’t create — often pharmaceutical or gambling spam.
  • Google shows a “This site may be hacked” or “Deceptive site ahead” warning.
  • There are unknown administrator accounts in Users.
  • Your site is suddenly slow, throwing errors, or your host suspended it for malware.
  • Files show recent modification dates you can’t explain.

Step 1: Stay Calm and Limit the Damage

Before cleaning anything, contain the situation:

  • Put the site in maintenance mode (or take it offline temporarily) so visitors aren’t exposed to malware while you work.
  • Change all passwords — hosting/cPanel, WordPress admin, database, and FTP/SFTP.
  • Notify your host. Many hosts have security teams that can confirm the infection and sometimes help clean it.

Step 2: The Fastest Fix — Restore a Clean Backup

If you have a backup from before the site was compromised, restoring it is by far the quickest and most reliable way to remove a hack — it replaces every infected file and database entry in one move, with no hunting for hidden malware. Restore a known-clean backup, then immediately update everything and change your passwords (Step 4) so the same hole can’t be used again.

If the hack locked you out of wp-admin, you can still restore: Nota Backup & Restore’s Emergency Recovery works independently of the dashboard. This is exactly why keeping regular, off-site backups matters most — a recent clean copy turns a hack from a multi-day nightmare into a quick rollback.

Step 3: If You Don’t Have a Clean Backup — Clean Manually

Without a pre-hack backup, you’ll need to remove the infection by hand:

  1. Scan the site. Use a reputable security plugin (such as Wordfence or Sucuri) or your host’s malware scanner to locate infected files and injected code.
  2. Reinstall WordPress core. Replace the wp-admin and wp-includes folders, plus the root core files, with fresh copies from WordPress.org — this wipes any tampered core files.
  3. Reinstall plugins and themes from scratch. Delete them and reinstall clean copies from official sources. Remove anything you don’t actively use, especially nulled or pirated plugins — a common infection source.
  4. Check for backdoors. Hackers often leave hidden files to regain access. Look for suspicious files in wp-content/uploads (which shouldn’t contain PHP files) and unfamiliar code at the top of wp-config.php or .htaccess.
  5. Clean the database. Remove spam content and check the wp_users and wp_options tables for injected entries.
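A small triage script for steps 4 and 5 above, added here as an example and not code from the article or from Nota. It assumes a standard WordPress layout under the directory you pass it, only reports (never deletes), and builds a constructed demo install so you can try it before pointing it at a real site.

```shell
#!/bin/sh
# Added manual-cleanup triage helper; not the article's or Nota's code.
# Assumes a standard WordPress layout under the directory given as $1.
# It only reports; review every hit before deleting anything.

# 1. PHP under wp-content/uploads: that tree should hold media only.
find_php_in_uploads() {
  find "$1/wp-content/uploads" -type f \
    \( -name '*.php' -o -name '*.phtml' -o -name '*.php[0-9]' \) 2>/dev/null
}

# 2. Files modified in the last N days (default 7), to compare against changes you made yourself.
recently_modified() {
  find "$1" -type f -mtime "-${2:-7}" 2>/dev/null
}

# 3. Lines in wp-config.php / .htaccess carrying markers typical of injected code or redirects.
suspicious_config_lines() {
  for f in "$1/wp-config.php" "$1/.htaccess"; do
    [ -f "$f" ] && grep -nE 'eval\(|base64_decode|gzinflate|str_rot13|auto_prepend_file|RewriteRule.*https?://' "$f" \
      | sed "s|^|$f:|"
  done
  return 0
}

triage() {
  echo "== PHP files in uploads ==";           find_php_in_uploads "$1"
  echo "== Modified in last ${2:-7} days =="; recently_modified "$1" "$2"
  echo "== Suspicious config lines ==";       suspicious_config_lines "$1"
}

# Constructed demo install (marked as such) so the script can be exercised without a real site.
make_demo_site() {
  d=$(mktemp -d)
  mkdir -p "$d/wp-content/uploads/2024/05"
  printf 'GIF89a' > "$d/wp-content/uploads/2024/05/logo.gif"
  printf '<?php /* constructed planted file */\n' > "$d/wp-content/uploads/2024/05/cache.php"
  printf '<?php\n$m = base64_decode("Y29uc3RydWN0ZWQ="); /* constructed marker */\n' > "$d/wp-config.php"
  printf 'RewriteEngine On\nRewriteRule ^(.*)$ http://example.invalid/ [R=301,L]\n' > "$d/.htaccess"
  echo "$d"
}

if [ $# -gt 0 ]; then triage "$1" "${2:-7}"; fi
```

Run it as `sh triage.sh /path/to/wordpress 14` to widen the modification window to two weeks; hits in the first and third sections are the ones to inspect first.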

Step 4: Lock It Down After Cleaning

  • Update everything — WordPress core, all plugins, and themes. Outdated software is the #1 way sites get hacked.
  • Delete unknown admin users and reset passwords for all remaining accounts.
  • Replace your security keys. Generate new salts and update them in wp-config.php to force every existing session to log out, including the attacker’s.
  • Remove unused plugins and themes entirely — every one is a potential entry point.
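For the "replace your security keys" step, here is an added helper (not the article's or Nota's code) that rotates all eight keys and salts in wp-config.php in place. It assumes the keys are defined one per line in the form WordPress ships, `define( 'AUTH_KEY', '...' );`, with or without the inner spaces, and that you have a backup before editing.

```shell
#!/bin/sh
# Added helper for the "replace your security keys" step; not the article's or Nota's code.
# Assumption: wp-config.php defines each key on its own line as WordPress ships it,
#   define( 'AUTH_KEY', '...' );   (inner spaces optional).
# Back the site up first: this edits wp-config.php in place and logs every session out.

WP_KEYS="AUTH_KEY SECURE_AUTH_KEY LOGGED_IN_KEY NONCE_KEY AUTH_SALT SECURE_AUTH_SALT LOGGED_IN_SALT NONCE_SALT"

# 64 random alphanumerics from the kernel CSPRNG; no quotes or slashes, so safe inside sed and PHP strings.
new_salt() {
  LC_ALL=C tr -dc 'A-Za-z0-9' < /dev/urandom | head -c 64
}

# Rewrite all eight defines in place; returns 1 if any key was not found so the gap is not missed.
rotate_salts() {
  cfg="$1"; missing=0
  for k in $WP_KEYS; do
    if grep -qE "define\( *'$k'," "$cfg"; then
      v=$(new_salt)
      sed -i.tmp "s|define( *'$k', *'[^']*' *);|define( '$k', '$v' );|" "$cfg" && rm -f "$cfg.tmp"
    else
      echo "warning: $k not found in $cfg" >&2; missing=1
    fi
  done
  return $missing
}

# Constructed sample wp-config.php (marked as such) carrying WordPress's placeholder values.
make_demo_config() {
  f=$(mktemp)
  printf '<?php\n' > "$f"
  for k in $WP_KEYS; do
    printf "define( '%s', 'put your unique phrase here' );\n" "$k" >> "$f"
  done
  echo "$f"
}

if [ $# -gt 0 ]; then rotate_salts "$1"; fi
```

Run it as `sh rotate-salts.sh /path/to/wordpress/wp-config.php`; every logged-in user, including any attacker holding a stolen cookie, has to sign in again afterwards.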

Step 5: Ask Google to Review Your Site

If Google flagged your site, clean it first, then request a review in Google Search Console under Security Issues. Once Google confirms the site is clean, the warning is removed from search results — usually within a day or two.

How to Prevent the Next Hack

  • Keep regular, off-site backups. A clean recent copy is your ultimate undo button — see how to back up to Google Drive.
  • Update promptly, and back up before every update so patching is never risky.
  • Use strong, unique passwords and limit the number of admin accounts.
  • Avoid nulled plugins and themes — they’re a leading malware source.
  • Test changes on staging before they touch your live site.

Frequently Asked Questions

Should I delete my whole site and start over?
Rarely necessary. Restoring a clean backup — or reinstalling core, plugins, and themes — removes the infection while keeping your content. Starting from zero is a last resort.

How do I know which backup is clean?
Choose a backup from before the first signs of compromise appeared. If you keep several days of backups, you can work backwards until you find one that’s clean.

Will restoring a backup remove the hack completely?
Yes — if the backup predates the infection, it replaces all the compromised files and data. Just update and change passwords afterward so the original vulnerability is closed.

My host removed the malware but it came back — why?
The attacker likely left a backdoor, or the original vulnerability is still open. Reinstall core and plugins fresh, replace your security keys, and update everything — or restore a clean backup and patch immediately.

Conclusion

A hacked WordPress site is alarming, but it’s recoverable. Contain the damage, then either restore a clean backup — the fastest, most thorough fix — or methodically remove the infection and harden the site afterward. And the single best protection against the next attack is the same thing that makes recovery painless: a recent, clean, off-site backup waiting for the moment you need it.

A clean backup is the fastest way back from a hack

With automatic, off-site backups from Nota Backup & Restore, recovering from a hack is a single restore — even when you’re locked out of wp-admin. Start your 14-day free trial — no credit card required.