Hacked WordPress: Cleaning and Securing Steps

Act quickly: contain the incident before cleaning

When you suspect a compromise, the first goal is not to delete files at random but to limit the damage: prevent the attacker from staying logged in, reduce the spread (spam, redirects, malware) and preserve minimal evidence to understand the vulnerability. Start by switching the site to maintenance mode (or, failing that, restrict access with a server password/HTTP Auth) so that visitors are not exposed to malicious content and Google does not index the infected pages.

Then, immediately change critical passwords: WordPress administrator accounts, FTP/SFTP, database, hosting provider, emails linked to the domain. Do it from a clean machine (not the potentially infected computer) and favor unique and long passwords. If you use API keys (emailing services, payment gateway, CDN), regenerate them as well: a compromised site can exfiltrate tokens and use them later, even after a cleanup.

Before any heavy modifications, make a complete cold backup: files + database, exactly as they are at the time of the incident. It can be useful to analyze the attack, find the entry point, or prove what was modified. Keep this archive off the server (encrypted local storage or a secure cloud space).


Diagnose: spot symptoms and scope the attack

A compromised site does not always show itself with a defaced homepage. Common symptoms are more subtle: redirects to shady sites, pop-ups, injected spam pages, creation of unknown administrator users, sudden increase in server resources, mass email sending, or warnings in Google Search Console. In the back office, check the list of accounts (administrators in particular), recently installed plugins/themes, and settings changes (site URL, admin email, payment keys).

On the server, inspect file modification dates, the presence of abnormal PHP files in uploads (where there should be no executable code), and suspicious scheduled tasks. On WordPress, monitor recurring events (WP-Cron) that relaunch the infection after deletion: some malware reinstalls itself via a scheduled task, a backdoor, or a nulled plugin.

If you’re looking for a detailed repair-oriented checklist, you can compare your observations with this external guide: repair a hacked site: steps and best practices. The idea is to confirm the scope: only WordPress, or the entire hosting (other sites on the same account), or even the domain’s email.

Secure access: accounts, sessions and permissions

Before deleting anything, lock down access. Log out all active sessions by resetting admin account passwords and changing WordPress security keys (AUTH_KEY, SECURE_AUTH_KEY, etc.) in wp-config.php. This invalidates cookies and forces re-login.
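As an added example (not code from the article), a POSIX shell script that performs the key rotation described above on wp-config.php; the path, the backup naming and the sample config are assumptions:

```shell
#!/bin/sh
# Added example, not part of the article: rotate the eight WordPress security keys and salts
# in wp-config.php so that every existing login cookie becomes invalid.
# Usage: sh rotate-salts.sh /var/www/site/wp-config.php
# Without an argument it works on a constructed sample config so the script runs stand-alone.

KEYS="AUTH_KEY SECURE_AUTH_KEY LOGGED_IN_KEY NONCE_KEY AUTH_SALT SECURE_AUTH_SALT LOGGED_IN_SALT NONCE_SALT"

# 64 random characters from /dev/urandom. The set deliberately excludes quotes, backslash and the
# sed-significant characters & | / [ ] so the value drops into define('...') without escaping.
rand_salt() {
  LC_ALL=C tr -dc 'A-Za-z0-9!#$%()*+,.:;<=>?@^_{}~-' < /dev/urandom | head -c 64
}

# Replace every define('KEY', '...') line with a fresh value, keeping a timestamped copy first.
# The key name is matched between quotes, so AUTH_KEY never rewrites the SECURE_AUTH_KEY line.
rotate_salts() {            # $1 = path to wp-config.php
  cp "$1" "$1.bak.$(date +%Y%m%d%H%M%S)"
  for k in $KEYS; do
    s=$(rand_salt)
    sed "s|^define( *'$k', *'[^']*' *);|define('$k', '$s');|" "$1" > "$1.tmp" && mv "$1.tmp" "$1"
  done
}

# Number of keys that are missing, still carry the stock placeholder, or are shorter than 32 chars.
weak_salts() {              # $1 = path to wp-config.php
  n=0
  for k in $KEYS; do grep -q "'$k', *'[^']\{32,\}'" "$1" || n=$((n + 1)); done
  echo "$n"
}

# Constructed sample wp-config.php carrying the stock "put your unique phrase here" values.
make_sample_config() {      # $1 = destination path
  { printf "<?php\ndefine('DB_NAME', 'wpdb');\n"
    for k in $KEYS; do printf "define('%s', 'put your unique phrase here');\n" "$k"; done
    printf "\$table_prefix = 'wp_';\n"; } > "$1"
}

CFG="${1:-}"
if [ -z "$CFG" ]; then CFG="$(mktemp -d)/wp-config.php"; make_sample_config "$CFG"; fi
echo "weak keys before rotation: $(weak_salts "$CFG")"
rotate_salts "$CFG"
echo "weak keys after rotation:  $(weak_salts "$CFG")"
```

Where WP-CLI is available, `wp config shuffle-salts` does the same job; the script is for hosts without it.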

Then, apply the principle of least privilege: delete unknown accounts, downgrade unnecessary admin accounts, and limit FTP/SFTP access to only the people who need it. On the permissions side, avoid overly permissive rights (e.g., 777). In general, 644 for files and 755 for folders are enough; wp-config.php often deserves stricter handling depending on the hosting.

Discover our offers for WordPress website maintenance

Discover our WP Maintenance offers

To reduce the risk of a brute-force attack as early as the recovery phase, apply a limitation on logins and attempts. An internal tutorial can guide you step by step without relying on a miracle plugin: set up login attempt limiting.

Cleaning files: start again from a clean WordPress core

The most reliable method is to start again from the official sources rather than trying to identify each malicious file by hand. Download a clean copy of WordPress (same version or latest stable version), then completely replace the wp-admin and wp-includes folders. Keep only wp-content (to audit) and your wp-config.php (to check). This eliminates a large portion of injections into the core.

In wp-content, caution is paramount: this is where themes, plugins and uploads reside, and it’s often where backdoors hide. Delete all plugins you don’t use. For those that remain, reinstall them from an official source (WordPress directory or a recognized publisher) by overwriting the existing files. Same for the active theme: if you use a premium theme, re-download the original archive from your publisher account.

Inspect in particular:

– The uploads folder: presence of .php, .phtml or .phar files, or files with random names.

– Recently modified files: functions.php, header.php, wp-config.php, .htaccess (or the Nginx config).

– Obfuscated strings: base64_decode, eval, gzinflate, str_rot13, preg_replace with the /e modifier, long unreadable lines.
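The three checks in the list above as an added shell script (not code from the article); the wp-content path, the sample tree and the file names are assumptions:

```shell
#!/bin/sh
# Added example, not part of the article: offline audit of a wp-content tree for the three
# indicators listed above: executable files under uploads/, recently modified files, and the
# obfuscation markers in PHP sources.
# Usage: sh wp-content-audit.sh /var/www/site/wp-content [days]
# Without arguments it builds a small constructed sample tree so the script runs stand-alone.

# Constructed sample: one clean plugin, one PHP file dropped into uploads, one injected theme file.
make_sample_tree() {        # $1 = root of the sample wp-content
  mkdir -p "$1/uploads/2024/05" "$1/themes/demo" "$1/plugins/demo"
  printf 'GIF89a image bytes\n' > "$1/uploads/2024/05/photo.jpg"
  printf '<?php eval(base64_decode("..."));\n' > "$1/uploads/2024/05/x7k2q.php"
  printf '<?php echo 1;\n' > "$1/uploads/2024/05/cache.phtml"
  printf '<?php\nadd_action("wp_head", function () { echo gzinflate(str_rot13("...")); });\n' \
    > "$1/themes/demo/functions.php"
  printf '<?php\n/* clean plugin file */\necho "hello";\n' > "$1/plugins/demo/demo.php"
}

# Executable extensions in a directory that should only hold media. Any hit is a finding.
find_exec_in_uploads() {    # $1 = wp-content root
  find "$1/uploads" -type f \( -iname '*.php' -o -iname '*.phtml' -o -iname '*.phar' \
    -o -iname '*.php[0-9]' \) | sort
}

# Files changed within the last N days (default 7): cross-check them with the incident timeline.
recently_modified() {       # $1 = wp-content root, $2 = days
  find "$1" -type f -mtime "-${2:-7}" | sort
}

# PHP sources carrying the obfuscation markers. A hit is a lead for manual review, not proof:
# legitimate plugins also call base64_decode, so diff the file against a clean copy of the plugin.
OBF_PATTERN="base64_decode|eval[[:space:]]*\\(|gzinflate|str_rot13|preg_replace.*/e['\"]"
find_obfuscation() {        # $1 = wp-content root
  grep -rlE --include='*.php' --include='*.phtml' "$OBF_PATTERN" "$1" 2>/dev/null | sort || true
}

ROOT="${1:-}"
if [ -z "$ROOT" ]; then ROOT=$(mktemp -d); make_sample_tree "$ROOT"; fi
echo "== executable files under uploads/ =="; find_exec_in_uploads "$ROOT"
echo "== files modified in the last ${2:-7} days =="; recently_modified "$ROOT" "${2:-7}"
echo "== obfuscation markers =="; find_obfuscation "$ROOT"
```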

If you want to cross-check your procedure with another disinfection approach (focused on hosting + WordPress), this external guide can serve as a point of comparison: clean and secure an infected site.

Cleaning the database: remove spam, injections and backdoors

An incomplete cleanup often fails because of the database. Hackers inject links into content, scripts into widgets, or payloads into options. Start by checking the users table: unknown accounts, weird emails, suspicious admin roles. Then inspect:

– wp_options: values containing JavaScript, iframes, spam links, or abnormal serialized data.

– Widgets (theme_mods / widget_* options): some malware hides there.

– Posts/pages: hidden link injections (display:none) or conditional redirects.

Avoid global replacements without a backup: a bad query can break serialization. Use a WordPress-compatible tool (WP-CLI search-replace with caution) or export to analyze. If your site has connection errors during the operation (which happens when changing DB credentials), refer to this internal guide to properly fix the configuration: fix the database connection error.
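Working on the export rather than the live tables, as the paragraph above suggests, can be scripted. This added example (not from the article) triages a mysqldump-style file for the users, options and post injections listed above; the dump format, the table prefix and the sample rows are assumptions:

```shell
#!/bin/sh
# Added example, not part of the article: triage a SQL export of the WordPress database
# offline, before touching the live tables. It reads a mysqldump-style file and reports
# option, widget and post rows carrying the injection patterns listed above, plus every
# user_id holding the administrator role so you can compare it with the admins you know.
# Usage: sh db-triage.sh backup.sql [table_prefix]      (the prefix defaults to wp_)
# Without arguments it triages a constructed sample dump so the script runs stand-alone.

INJ_PATTERN='<script|<iframe|display:none|eval\(|base64_decode|location\.(href|replace)'

# Rows of one table whose values match the injection pattern, as "line:excerpt". mysqldump
# extended inserts put many rows on one line, so the excerpt is cut to 120 characters.
suspicious_rows() {         # $1 = dump, $2 = prefix, $3 = table (options, posts, postmeta...)
  grep -nE "^INSERT INTO \`$2$3\`" "$1" | grep -iE "$INJ_PATTERN" | cut -c1-120 || true
}

# user_id of every usermeta row that grants the administrator role (meta_key <prefix>capabilities).
admin_user_ids() {          # $1 = dump, $2 = prefix
  grep -E "^INSERT INTO \`${2}usermeta\`" "$1" \
    | grep -oE "\([0-9]+,[0-9]+,'${2}capabilities','[^']*administrator" | cut -d, -f2 | sort -u || true
}

# Constructed sample dump with a simplified column set; the spam and script values are invented.
make_sample_dump() {        # $1 = destination path
  cat > "$1" <<'EOF'
INSERT INTO `wp_options` VALUES (1,'siteurl','https://shop.example','yes');
INSERT INTO `wp_options` VALUES (2,'blogname','Demo shop','yes');
INSERT INTO `wp_options` VALUES (99,'widget_text','a:1:{i:2;a:1:{s:4:"text";s:48:"<script src=\"https://cdn.invalid/x.js\"></script>";}}','yes');
INSERT INTO `wp_posts` VALUES (10,1,'2024-05-01 10:00:00','<p>Hello world</p>','Hello','publish');
INSERT INTO `wp_posts` VALUES (11,1,'2024-05-02 10:00:00','<div style="display:none"><a href="https://spam.invalid">cheap watches</a></div>','Post','publish');
INSERT INTO `wp_users` VALUES (1,'owner','$P$Bxxxxxxxx','owner','owner@shop.example');
INSERT INTO `wp_users` VALUES (7,'wp-admin-backup','$P$Byyyyyyyy','wp-admin-backup','mail@unknown.invalid');
INSERT INTO `wp_usermeta` VALUES (3,1,'wp_capabilities','a:1:{s:13:"administrator";b:1;}');
INSERT INTO `wp_usermeta` VALUES (5,7,'wp_capabilities','a:1:{s:13:"administrator";b:1;}');
INSERT INTO `wp_usermeta` VALUES (6,2,'wp_capabilities','a:1:{s:6:"editor";b:1;}');
EOF
}

DUMP="${1:-}"; PREFIX="${2:-wp_}"
if [ -z "$DUMP" ]; then DUMP="$(mktemp -d)/backup.sql"; make_sample_dump "$DUMP"; fi
for t in options posts postmeta; do echo "== $PREFIX$t =="; suspicious_rows "$DUMP" "$PREFIX" "$t"; done
echo "== user_ids with the administrator role =="; admin_user_ids "$DUMP" "$PREFIX"
```

Every user_id the last function prints that you do not recognise (here user 7) is a row to examine in wp_users before the cleanup continues.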

Check entry points: vulnerable plugin, compromised theme, leaked credentials

Cleaning without fixing the original vulnerability is like mopping up without turning off the tap. After a compromise, look for the most likely entry point:

– Outdated or abandoned plugin (known vulnerability, no updates).

– Theme downloaded from an untrusted source, or nulled (often riddled with backdoors).

– Compromised FTP/SFTP credentials (password reuse, infected workstation).

– Exposed WordPress admin access (weak password, no 2FA, brute force).

– Poor server configuration (permissions too broad, PHP execution in uploads, etc.).

The theme question is critical: some pirated premium themes contain invisible injections. To make a durable choice (and understand the risks), you can consult this internal comparison: choose between a custom theme and a premium theme.

Harden WordPress: updates, 2FA, server rules, and security hygiene

Once the site is stabilized and clean, harden it. Update WordPress, themes, and plugins, then permanently remove anything that isn’t essential. Enable two-factor authentication (2FA) for all admin and editor accounts. Limit access to /wp-admin (IP whitelist if possible, or at least protection via HTTP Auth).

On the server side, strengthen the rules:

– Disable PHP execution in wp-content/uploads (.htaccess rule or Nginx equivalent).

– Enforce HTTPS, HSTS if relevant.

– Add security headers (Content-Security-Policy depending on the context, X-Frame-Options, etc.).

– Set up a WAF (web application firewall) if your traffic justifies it.

Also consider shutting down unnecessary attack surfaces: XML-RPC if not used, inactive accounts, exposed endpoints. Finally, enable logging and monitor the logs: lack of visibility is an advantage for the attacker.

Control reinfection: scans, logs, and monitoring

After cleanup, check that the site is not getting reinfected. Signs of reinfection include: return of deleted files, appearance of new admins, suspicious cron tasks, or reappearing redirects. Run scans on the server side and the application side, but keep in mind that a scan does not replace a manual review: some malware is designed to evade signatures.


Analyze access logs (HTTP) and error logs: look for requests to recently created files, abnormal POST calls, or URL scans typical of an exploit. Identify the IP, the user-agent, the date/time, and connect them with the modified files. This phase helps you understand how the attacker got in and close that door.
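The log review described above as an added shell script (not code from the article); it assumes a combined-format access log, and the sample lines, addresses and file name are constructed:

```shell
#!/bin/sh
# Added example, not part of the article: first pass over a combined-format (Apache/Nginx)
# access log for the signals above: requests to PHP files under wp-content/uploads/, every
# request that touched one specific path, and the client IPs behind those requests.
# Usage: sh log-triage.sh access.log [suspect_path]
# Without arguments it reads a constructed sample log so the script runs stand-alone.

# Requests whose path is a PHP file under wp-content/uploads/: there is no legitimate reason for
# these. Prints ip, timestamp, method, path, status and user agent, tab-separated.
uploads_php_hits() {        # $1 = access log
  awk '$7 ~ /\/wp-content\/uploads\/.*\.ph(p|tml|ar)/ {
         split($0, q, "\"")                     # q[2] = request line, q[6] = user agent
         split(q[2], r, " ")                    # r[1] = method, r[2] = path
         printf "%s\t%s\t%s\t%s\t%s\t%s\n", $1, substr($4, 2), r[1], r[2], $9, q[6] }' "$1"
}

# Every request that touched one path, e.g. a file whose mtime matches the breach: the first
# hit gives the time window and the source IP to look for elsewhere in the log.
hits_for_path() {           # $1 = access log, $2 = request path
  awk -v p="$2" '$7 == p { print $1, substr($4, 2), $9 }' "$1"
}

# Request count per client IP among the uploads hits; the top entry is usually the operator.
top_ips() {                 # $1 = access log
  uploads_php_hits "$1" | cut -f1 | sort | uniq -c | sort -rn
}

# Constructed sample log: one normal visitor, one client driving a file dropped into uploads/.
make_sample_log() {         # $1 = destination path
  cat > "$1" <<'EOF'
192.0.2.10 - - [02/May/2024:10:14:55 +0000] "GET /wp-login.php HTTP/1.1" 200 2341 "-" "Mozilla/5.0 (X11; Linux x86_64)"
198.51.100.7 - - [02/May/2024:10:15:01 +0000] "POST /wp-content/uploads/2024/05/x7k2q.php HTTP/1.1" 200 512 "-" "python-requests/2.31"
203.0.113.5 - - [02/May/2024:10:15:30 +0000] "GET /wp-content/uploads/2024/05/photo.jpg HTTP/1.1" 200 88211 "https://shop.example/" "Mozilla/5.0 (Windows NT 10.0)"
198.51.100.7 - - [02/May/2024:10:16:02 +0000] "POST /wp-content/uploads/2024/05/x7k2q.php HTTP/1.1" 200 77 "-" "python-requests/2.31"
198.51.100.7 - - [02/May/2024:10:16:40 +0000] "GET /wp-content/uploads/2024/05/x7k2q.php HTTP/1.1" 200 40 "-" "python-requests/2.31"
EOF
}

LOG="${1:-}"; SUSPECT="${2:-/wp-content/uploads/2024/05/x7k2q.php}"
if [ -z "$LOG" ]; then LOG="$(mktemp -d)/access.log"; make_sample_log "$LOG"; fi
echo "== PHP under uploads/ =="; uploads_php_hits "$LOG"
echo "== hits on $SUSPECT =="; hits_for_path "$LOG" "$SUSPECT"
echo "== requests per IP =="; top_ips "$LOG"
```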

For another structured approach (including checks and hardening), this external guide is useful: cleanup and security hardening guide after an intrusion.

Restoring trust: Search Console, blacklist, and communication

If Google or a browser antivirus has flagged your site, you must address the reputation aspect. Once the cleanup is complete, request a review in Google Search Console if a security action has been applied. Also check that the spam pages have been removed and that they return appropriate HTTP codes (410 for permanent removal, 301 for legitimate replacement). Check the sitemap, indexed URLs, and the absence of hidden redirects.

If your site collects data (forms, accounts, payments), assess the GDPR impact: depending on the case, a notification may be necessary. Inform your users factually: what happened, what was done, and what they need to do (password change, vigilance about emails, etc.).

In some cases, the infection includes a browser-side virus or scripts that inject conditionally. To understand common cleanup and bringing-back-online scenarios, you can read this external case study: cleanup and disinfection after infection.

Prevent rather than endure: maintenance, testing, and release discipline

Most WordPress compromises exploit known vulnerabilities in unmaintained components. Prevention relies on a routine: controlled updates, verified backups, monitoring, and quality control before deployment. The key point is to avoid blind updates in production: test first on a staging environment, validate compatibility, then deploy.


To make your process more reliable, this internal guide explains how to avoid a new plugin becoming a risk: test a plugin before installation in production.

Finally, don’t forget the SEO impact: an unstable, infected, slow, or redirected site quickly loses visibility, sometimes durably. This internal resource details the concrete consequences: the effects of a lack of maintenance on SEO.

When to call in a professional: save time and avoid overlooking a backdoor

Some infections are simple, others are not: polymorphic malware, compromised server access, daily reinfection, or data leakage. If you’re short on time, if the site is critical (e-commerce, lead generation, booking), or if you’re not sure of the root cause, a specialized intervention can prevent days of trial and error. A competent provider should offer: identification of the entry point, removal of backdoors, hardening, and concrete recommendations to prevent recurrence.

As an example, here is an external page describing a rapid disinfection intervention: emergency cleanup intervention. Regardless of the provider, require a clear list of the actions performed and the preventive measures put in place.

Summary action plan (operational checklist)

1) Put the site into maintenance mode and back up the current state (files + DB) off-server.

2) Change all passwords (WP, FTP/SFTP, DB, host, emails) and regenerate keys/tokens.

3) Replace the WordPress core with a clean version, reinstall plugins/themes from reliable sources.

4) Audit wp-content (uploads, mu-plugins, cache), delete any suspicious executable file.

5) Clean the database (users, options, content), remove injections and unknown accounts.

6) Identify and fix the original entry point (vulnerable plugin or theme, leaked credentials, server config).

7) Harden: 2FA, attempt limiting, access restrictions, anti-execution rules in uploads, WAF if useful.

8) Check for reinfection via scans + logs, then handle reputation (Search Console, indexing).

9) Set up a maintenance routine: tested updates, verified backups, monitoring.

Set up ongoing maintenance to prevent recurrence

After an incident, the best security is consistency: planned updates, monitoring, tested backups, and integrity checks. If you want to outsource this workload and stabilize your site in the long term, you can view our maintenance offers.
