Blogs by Certified Nerds

How to Clean a Hacked WordPress Site?

WordPress sites are unfortunately commonly targeted by hackers, with an estimated 84,000 sites getting hacked every year. If your site has been compromised, immediate action is required to remove any malware and prevent further damage. Cleaning a hacked website can seem complicated, but focus on one task at a time as you go through each step. First, look to see how you can tell if your site was hacked. Calling your web hosting company for help is a smart idea, too.


Restoring from a backup that was made before the WordPress hack is the fastest way to clean things up. Scanning your site for suspicious files can help find any malware the hackers left. Removing the infected files or replacing them with clean versions gets rid of the malware. Also, change all your passwords right away. And be sure to better protect your site by updating your software and using security tools, so you don’t get hacked again.

This article will give you complete information on what you need to do, step-by-step, to remove the hacker’s malware and restore your WordPress site to normal.

10 Steps to Clean a Hacked WordPress Site

Getting your site back to normal after a hack takes careful work step-by-step to remove problems, fix damage, and make it way more secure. Follow these 10 steps to clean up and lock down your hacked WordPress website fully:

1. Confirm if you are really being Hacked.

Recognizing that your WordPress site has been compromised is the first step to address the hack. According to statistics, over 30% of hacked sites are defaced, and 15% lose admin access. Some clear indicators include:

  • Sudden spike or drop in traffic
  • Strange links/code appearing in the site content
  • Defaced homepages with offensive imagery
  • Loss of admin access to the backend and functionality
  • Spam user account creation privileges
  • Addition of suspicious files on your server
  • Browser warnings about malware on accessing the site

In 2022, hacked WordPress sites saw a 350% yearly increase in suspicious PHP files associated with backdoors. Being able to promptly identify the attack vectors based on these visual red flags and metrics lets you quickly investigate the hack’s extent and initiate remediation.

2. Backup your Site Immediately

Before attempting any major hack clean-up efforts, having a complete offline backup of your WordPress hacked site is essential. According to a survey, over 75% of sites without reliable backups prior to remediation struggle to fully restore functionality post-attack. Having a full backup of your entire site from before it got hacked lets you restore things to normal if you mess up at all while cleaning out the infection.


Doing regular automatic backups using a good, reliable plugin like UpdraftPlus is best. This safeguards both your site’s data and structure, enabling a quick restoration before the attack if needed. Investing in comprehensive WP backups reduces clean-up complexity and allows site owners to rectify hacks confidently, avoiding irreversible damage.

A laptop showing backup of data

Letting your web host know right away when your site gets hacked is important, too. According to statistics, over 60% of WordPress sites on shared hosting servers were able to be restored from clean backups that the web hosts had, which canceled out the hack attack. Your web host might have a good backup copy of your site from before the hackers broke in.


If they do, they can use it to fix your site quickly back to normal. Also, your web host has tech experts who can dig through your site’s files to spot anything weird the hackers tried to sneak in. They can use code tools to find hacker malware hiding on your site, too.


Getting your web host involved is smart as it can speed up the investigation to understand what the hackers did. Since they manage the servers, they may know about hack methods and remove bad scripts faster, especially if your site shares a server where others could be at risk, too.

Web hosting providers

4. Restore Your Site From a Clean Backup

Restoring your WordPress site from an uncorrupted full backup taken before the hack offers the quickest path to regain functionality, per security experts. Statistics show that sites without reliable backups take 70% longer to clean after attacks. Ensure any backup service offers version histories so you can specifically target and restore from an unaffected restore point prior to the attack.


This returns your site to its pre-hacked state while only requiring you to redo valid activity post that date, minimizing losses. Investing in a secure and reputable WordPress backup solution can thus greatly accelerate recovery when WordPress hacked disasters hit.

5. Scan Your Site to Identify Infected Files

Using a good WordPress security plugin like Wordfence to scan everything is important. You can correctly see all files either changed by hackers or added by them sneakily. According to statistics, 85% of sites that get hacked have secret backdoors, so hackers can get back in whenever they want.


Scans will check edited files, weird new PHP scripts, hidden link redirects, malware in your themes/plugins, and more that don’t belong there. The scan report spells out exactly which files and stuff have been messed with, so you know what needs deleting or fixing to clean up the hack attack completely.


This saves you from wasting tons of time trying manually to spot where those jerks modified your site when malware can hide almost anywhere.

Website Vulnerability scan is happening on computer

6. Clean Infected WordPress Core Files

Statistics confirm that over 63% of compromised sites contain corrupted WordPress core file manipulation, giving attackers heightened administrator-level privileges. Rather than attempting targeted infection removal alone, download a fresh copy of WordPress platform software securely from WordPress.org to fully reinstate uncorrupted versions of all underlying framework code bases.


Completely switching out the covertly modified core drivers of your website for this verified clean open-source package eliminates residual vulnerabilities introduced internally during the breach to restore security integrity.


Rebuilding your foundation from this uncompromised baseline denies hackers lingering access while still preserving your site’s database, content, and design work by separating environment components.

7. Remove Malicious Code from Themes and Plugins

If scanner results show your themes or plugins now contain harmful hacker code edits or backdoors, replace those files completely with original, untampered versions you can re-download from the official resource libraries. Statistics indicate plugin vulnerabilities account for nearly 85% of WordPress hacks.
Retrieve clean copies of compromised plugins and themes from connected developer repositories or catalogs like WordPress.org if still supported or available there. Reinstalling intact versions overwrites and banishes any malware inserts from vital site add-ons impacted by an attack.

8. Reset All Passwords

Once a hack occurs, assuming site access credentials are likely compromised is strongly advised. 70% of hacked WordPress sites have their admin accounts and passwords stolen. Rapidly manually reset all related passwords–including your WordPress administrator, web host account, FTP details, etc. -to deny continued intruder access.
Better still, it requires enhanced login security by enabling two-factor authorization needing multiple credential types. Adding SMS or app verification barriers protects against credential reuse attacks in the future.

9. Tighten Site Security

Harden your WordPress site against repeat future exploits by addressing unpatched flaws and allowing initial hacks per experts. Studies find outdated plugins powering over 90% of vulnerable sites. Follow WordPress security guidelines to limit risks, plus install specialized scanning/firewall plugins like Wordfence, offering real-time attack detection.
Enforcing automatic software updates and security patches system-wide reduces the opportunity for new vulnerabilities to emerge over time left unaddressed.

ways to tighten website security

10. Request Removal from Blacklists

Finally, confirm whether your site is flagged on domain blacklists with warnings at Google Safe Browsing or McAfee SiteAdvisor post-hack. Over 80% of compromised sites end up listed for a period. Submit reconsideration requests per their published processes to remove blocks/cautions after eliminating identified threats, as blacklist badges can still deter visitors despite cleaning efforts. This fully clears your reputation.

Final Words

Learning how to thoroughly inspect your site, identify and remove all injected malware, restore original files, and harden site security is important to recover from a hacked WordPress site. Staying vigilant about attacks, keeping regular backups, and keeping your software updated are ways to minimize risk. With this guide, you can take the required systematic measures to return your hacked WordPress site to health.

If you have further questions, contact us and get your queries solved by our certified experts!

Related Posts

What is Business Continuity and Disaster Recovery (BCDR)

You are running a successful business, and everything is going smoothly, but suddenly, disaster strikes. It could be a natural calamity like a flood or an earthquake or maybe a cyber attack that...

What is the Cyber Kill Chain? Stages of Cyber Kill Chain

As cyber-attacks keep growing and getting more advanced, businesses need to take active steps to protect their digital resources. The Cyber Kill Chain is a helpful tool that has come up in...

Cyber Threat Detection Tactics

Threat detection involves the various techniques, tools, and methods used to recognize and investigate potential risks or harmful activities within a digital environment, like a computer network. This...

What is Ransomware? How Does It Work

Ransomware is a computer virus that can take over your files and lock you out of your computer. Once the ransomware enters your system, it scrambles your files using a secret code only the attackers...
Scroll to Top

Are You Interested In Our Cyber Security Services or Training?

Submit Your Queries and we'll get back to you