How To Clean a Hacked WordPress Site
Step-by-step recovery guide to restore, disinfect, and secure your WordPress site after a hack
Realizing your WordPress site has been hacked is stressful. Maybe your homepage shows spam, Google is warning visitors, or your host has temporarily disabled your account. The worst thing you can do now is panic and randomly delete files.
In this step-by-step guide, you’ll learn how to safely clean a hacked WordPress site: lock things down, back up evidence, remove malware, restore clean code, and harden security so the attack doesn’t happen again. If you want a big-picture view of how attacks happen and how to prevent them, read this complete WordPress security overview as a companion to this cleanup tutorial.
These steps work whether you use the Classic Editor, Jannah theme, or any other WordPress setup. The key is to move methodically, not quickly: contain the hack, clean systematically, and then strengthen your defenses.
Prerequisites
Before you start cleaning, make sure you have the right access and some uninterrupted time. You’ll be working with your WordPress admin, hosting panel (like cPanel), and possibly WP-CLI or an SFTP client.
You’ll need:
- Login access to your hosting control panel (cPanel, Plesk, or custom panel).
- SFTP/FTP access to your site files.
- Database access (usually via phpMyAdmin or a similar tool).
- Access to your domain DNS (in case you need to temporarily point it away from the hacked site).
- Enough local storage on your computer to download backups.
- Time and patience to follow each step carefully.
Step 1: Put Your Hacked WordPress Site in Safe Mode
Your first priority is to protect visitors and reduce further damage. That means limiting public access to the hacked site while you work, without losing your ability to log in and clean it.
- Enable maintenance mode from WordPress (if you can log in). Use a trusted maintenance mode or coming soon plugin to show a simple “down for maintenance” message while keeping admin access for yourself.
- If you can’t log in, restrict access at the server level. In cPanel or your hosting panel, open .htaccess via the File Manager and temporarily restrict access to your own IP, or ask your host to make the site unavailable to the public while you fix it.
- Temporarily pause any running ads or campaigns. If you drive paid traffic, pause campaigns so you’re not sending visitors to a compromised site.
Step 2: Take a Forensic Backup of the Hacked Site
Before you change anything, create a complete backup of the hacked site. This sounds strange, but that “dirty” backup is invaluable: it lets you compare files, inspect malicious code later, or fully restore if something goes wrong during cleanup.
- Back up files from your hosting panel. Use your host’s File Manager or SFTP to download the entire WordPress directory (often public_html or a subfolder). Keep the folder structure intact.
- Export the database. In phpMyAdmin (or similar), choose your WordPress database, click “Export”, and download it as an SQL file.
- Store backups off-server. Save the zip of your files and the SQL export somewhere safe on your local computer or cloud storage.
If you’ve never created a full backup before, follow this beginner’s guide to WordPress backups and restores in parallel so you understand exactly what you’re saving and how to restore it later.
Step 3: Reset Passwords and Check User Accounts
Many hacks start with stolen credentials. Before you clean files, cut off the attacker’s access by resetting passwords and removing suspicious users. Do this for every system connected to your WordPress site.
- Change all WordPress user passwords. In the WordPress dashboard, go to Users → All Users. For every real user, generate a strong new password. Remove any accounts you do not recognize, especially admin-level users.
- Reset hosting, SFTP/FTP, and database passwords. In your hosting panel, change the main account password, all SFTP/FTP accounts, and the MySQL database user password associated with your site.
- Update wp-config.php if the DB password changed. Open wp-config.php via File Manager or SFTP and update the database password in the DB_PASSWORD constant to match the new value.
- Regenerate WordPress security keys. Use the WordPress.org secret key generator to create new keys and replace the existing AUTH_KEY, SECURE_AUTH_KEY, and related constants in wp-config.php. This logs out all users and invalidates old sessions.
This step ensures that when you delete malware, the attacker cannot immediately log back in and reinfect your site using old credentials.
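The key regeneration above can also be done locally instead of pasting values from the WordPress.org generator. The script below is an added example, not the article’s own code; it assumes wp-config.php uses the stock `define( 'AUTH_KEY', '...' );` layout and builds a sample config file to work on.

```shell
#!/bin/sh
# Added example (not from the original article): regenerate the eight WordPress
# keys and salts in wp-config.php with locally generated random values.
# Assumption: the file uses the standard  define( 'AUTH_KEY', '...' );  layout.

# One 64-character random value. Alphanumerics only, so it is safe inside the
# quotes of define(); 64 such characters are still roughly 380 bits of entropy.
new_salt() {
    LC_ALL=C tr -dc 'A-Za-z0-9' < /dev/urandom | head -c 64
}

KEYS="AUTH_KEY SECURE_AUTH_KEY LOGGED_IN_KEY NONCE_KEY \
AUTH_SALT SECURE_AUTH_SALT LOGGED_IN_SALT NONCE_SALT"

# Rewrite each key/salt define with a fresh value; the old file is kept as a backup.
regenerate_salts() {  # regenerate_salts <path/to/wp-config.php>
    cfg="$1"
    cp "$cfg" "$cfg.bak.$(date +%Y%m%d%H%M%S)"
    for k in $KEYS; do
        awk -v key="$k" -v val="$(new_salt)" -v q="'" '
            index($0, "define( " q key q) { print "define( " q key q ", " q val q " );"; next }
            { print }' "$cfg" > "$cfg.tmp" && mv "$cfg.tmp" "$cfg"
    done
}

# Number of key/salt defines that carry a 64-character alphanumeric value.
fresh_count() {  # fresh_count <path/to/wp-config.php>
    grep -cE "^define\( '[A-Z_]+(KEY|SALT)', '[A-Za-z0-9]{64}' \);$" "$1"
}

# --- constructed sample wp-config.php with the placeholder values WordPress ships ---
CFG=$(mktemp); cat > "$CFG" <<'EOF'
<?php
define( 'DB_NAME', 'wordpress' );
define( 'AUTH_KEY',         'put your unique phrase here' );
define( 'SECURE_AUTH_KEY',  'put your unique phrase here' );
define( 'LOGGED_IN_KEY',    'put your unique phrase here' );
define( 'NONCE_KEY',        'put your unique phrase here' );
define( 'AUTH_SALT',        'put your unique phrase here' );
define( 'SECURE_AUTH_SALT', 'put your unique phrase here' );
define( 'LOGGED_IN_SALT',   'put your unique phrase here' );
define( 'NONCE_SALT',       'put your unique phrase here' );
$table_prefix = 'wp_';
EOF
regenerate_salts "$CFG"
grep -E "^define\( '[A-Z_]+(KEY|SALT)'" "$CFG"
```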
Step 4: Scan Your Site for Malware and Suspicious Code
Now that your site is in safe mode and credentials are reset, it’s time to identify what the attacker actually did. The goal is to find injected code, backdoors, and modified files before removing them.
- Run a malware scan using a security plugin. Install a reputable security plugin (like Wordfence, Sucuri, or similar) and run a full scan of files and database. Follow its report to see which files are flagged as suspicious.
- Compare core files to the official WordPress download. Download a clean copy of your WordPress version from WordPress.org and compare core folders (wp-admin, wp-includes) to your site. Any extra files or unexpected changes are red flags.
- Check recently modified files. In SFTP or your hosting File Manager, sort files by “Last Modified” date. Look for PHP files recently changed around the time of the hack, especially in wp-content, theme, and plugin directories.
- Search for common malicious patterns. On the command line (SSH), you can search for suspicious functions like base64_decode or obfuscated variables:
# Run in your WordPress root directory (SSH terminal)
grep -R "base64_decode" .
You’ll use all this information in the next steps to determine what must be replaced, cleaned, or deleted.
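The three manual checks above (core comparison, recently modified files, suspicious functions) can be scripted so the results are repeatable and can be kept with your forensic backup. This is an added example rather than the article’s own code; it assumes a clean copy of the same WordPress version has been unpacked next to the site, and it builds two small sample trees so it runs on its own.

```shell
#!/bin/sh
# Added example (not from the original article): compare a WordPress install
# against a clean reference copy and flag suspicious PHP files.
# Assumptions: CLEAN is the unpacked WordPress.org zip for the same version,
# SITE is the site root (e.g. public_html). Both trees are constructed below.

# Files in a core folder that are extra, or differ from the reference copy.
core_diff() {  # core_diff <clean_dir> <site_dir> <folder>
    (cd "$2/$3" && find . -type f | sed 's|^\./||') | sort |
    while IFS= read -r f; do
        if [ ! -e "$1/$3/$f" ]; then
            echo "EXTRA    $3/$f"
        elif ! cmp -s "$1/$3/$f" "$2/$3/$f"; then
            echo "MODIFIED $3/$f"
        fi
    done
}

# PHP files containing functions commonly used to hide injected code.
suspicious_php() {  # suspicious_php <site_dir>
    grep -RlE 'base64_decode|eval *\(|gzinflate|str_rot13' \
        --include='*.php' "$1" 2>/dev/null | sort
}

# PHP files modified within the last N days (pick N from the hack's timeframe).
recent_php() {  # recent_php <site_dir> <days>
    find "$1" -type f -name '*.php' -mtime "-$2" | sort
}

# --- constructed sample trees, for demonstration only (left in place for inspection) ---
WORK=$(mktemp -d); CLEAN="$WORK/clean"; SITE="$WORK/site"
mkdir -p "$CLEAN/wp-includes" "$SITE/wp-includes" "$SITE/wp-content/uploads"
echo '<?php // genuine core file' > "$CLEAN/wp-includes/version.php"
cp "$CLEAN/wp-includes/version.php" "$SITE/wp-includes/version.php"
echo '<?php eval(base64_decode("...")); // injected file' > "$SITE/wp-includes/class-wp-zz.php"
echo '<?php echo gzinflate(base64_decode("...")); // dropped in uploads' > "$SITE/wp-content/uploads/x.php"

echo "== core_diff";   core_diff "$CLEAN" "$SITE" wp-includes
echo "== suspicious";  suspicious_php "$SITE"
echo "== recent";      recent_php "$SITE" 7
```

Run the real checks from the site root and save the output alongside the forensic backup; an EXTRA entry in wp-admin or wp-includes is almost never legitimate.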
Step 5: Clean WordPress Core, Themes, and Plugins
The safest way to remove malware from core, theme, and plugin files is not to “edit the bad lines”, but to replace compromised files with clean, original copies. This dramatically reduces the chance of leaving hidden backdoors.
- Replace WordPress core files. If you have SSH and WP-CLI, run:
# SSH terminal with WP-CLI installed
wp core download --force
This overwrites core files with clean versions while preserving wp-content.
- Reinstall themes from trusted sources. Delete and reinstall your active theme (like Jannah) from its original source (ThemeForest or your theme provider). If you’ve customized the theme directly, consider moving changes into a child theme to avoid edits in core theme files.
- Remove unused themes and plugins. In Appearance → Themes and Plugins → Installed Plugins, delete anything you don’t actively use. Less code means fewer attack surfaces.
- Reinstall active plugins. For each plugin you rely on, delete it and reinstall from the official source (WordPress.org or the vendor site). Avoid nulled or pirated plugins entirely — they are a major malware source.
Step 6: Clean the Database and Scheduled Tasks
Many hacks inject spam links, malicious JavaScript, or backdoor code directly into your database. Cleaning files alone may not be enough — the database also needs attention.
- Search posts and pages for spam content. In WordPress, check recent posts, pages, and custom post types for spammy titles, strange redirects, or injected scripts in the content editor.
- Scan the database for malicious patterns. In phpMyAdmin, use the “Search” tab across your WordPress database for strings like <iframe, <script, or suspicious domains you saw in the hacked content.
- Check the wp_options table. Look for unfamiliar options that load remote scripts or code (for example, options with long, random names pointing to strange URLs). Remove or disable anything clearly malicious after confirming it isn’t from a legitimate plugin.
- Review scheduled tasks (WP-Cron). Some malware installs malicious cron jobs that reinfect your site. With WP-CLI, you can list them:
# SSH terminal with WP-CLI installed
wp cron event list
Delete any suspicious events or those associated with removed malicious plugins.
Step 7: Test, Clear Caches, and Bring the Site Back Online
Once you’ve replaced files and cleaned the database, it’s time to verify that your hacked WordPress site is functioning normally and that malware is no longer present.
- Clear all caches. Purge caches from any caching plugin, your host’s server cache, and your CDN. Old cached pages can display hacked content even after you’ve cleaned the source.
- Run another full malware scan. Use your security plugin to run a fresh scan. Confirm that previously flagged files are either gone or clean.
- Test your site in an incognito browser. Visit key pages, forms, and login areas. Make sure there are no redirects to suspicious domains, no pop-ups you didn’t configure, and no strange warnings.
- Check Google Search Console and browser warnings. If your site was flagged for malware, fix any remaining issues and submit a malware review request from Search Console once you’re confident the site is clean.
- Disable maintenance mode. When everything looks good, turn off maintenance mode and allow visitors back onto your site.
Step 8: Harden Your WordPress Security for the Future
Cleaning a hacked WordPress site is only half the job. To avoid another incident, you must address the weaknesses that allowed the attack in the first place. This is where ongoing hardening and maintenance matter.
- Set up a reliable backup strategy. Automate daily or weekly full backups (files + database), store them offsite, and test restores regularly so you’re never cleaning a hack without a safety net.
- Install and configure a security plugin. Use one of these top-rated WordPress security plugins to add a firewall, login protection, file-change detection, and security alerts.
- Keep everything updated. Enable automatic updates for minor WordPress releases and critical plugin/theme updates. Log in at least weekly to apply outstanding updates.
- Harden file editing and permissions. In wp-config.php, disable file editing from the dashboard by adding:
define( 'DISALLOW_FILE_EDIT', true );
On the server, ensure typical permissions (folders 755, files 644) so attackers can’t easily write arbitrary files.
- Secure logins. Enforce strong passwords, limit login attempts, and enable two-factor authentication for admin accounts wherever possible.
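The file-editing and permission items above are easy to check and fix in one pass. The script below is an added example, not the article’s own code; it assumes wp-config.php still contains the stock “stop editing” marker line (the define must land before wp-settings.php is loaded) and builds a small sample install to audit.

```shell
#!/bin/sh
# Added example (not from the original article): audit and fix the dashboard
# file editor and the 755/644 permission baseline on a constructed sample install.
# Assumption: wp-config.php contains the stock "stop editing" marker line.

# Exit 0 if DISALLOW_FILE_EDIT is set to true in wp-config.php, 1 otherwise.
file_edit_disabled() {  # file_edit_disabled <site_dir>
    grep -Eq "define\( *'DISALLOW_FILE_EDIT', *true *\);" "$1/wp-config.php"
}

# Insert the define just before the "stop editing" marker if it is missing.
disable_file_edit() {  # disable_file_edit <site_dir>
    cfg="$1/wp-config.php"
    file_edit_disabled "$1" && return 0
    awk -v q="'" '/stop editing/ && !done { print "define( " q "DISALLOW_FILE_EDIT" q ", true );"; done = 1 }
                  { print }' "$cfg" > "$cfg.tmp" && mv "$cfg.tmp" "$cfg"
}

# Directories that are not 755 and files that are not 644.
bad_perms() {  # bad_perms <site_dir>
    { find "$1" -type d ! -perm 755; find "$1" -type f ! -perm 644; } | sort
}

fix_perms() {  # fix_perms <site_dir>
    find "$1" -type d -exec chmod 755 {} +
    find "$1" -type f -exec chmod 644 {} +
}

# --- constructed sample install ---
SITE=$(mktemp -d)
mkdir -p "$SITE/wp-content/uploads"
printf '%s\n' '<?php' "define( 'DB_NAME', 'wordpress' );" \
    "/* That's all, stop editing! Happy publishing. */" \
    "require_once ABSPATH . 'wp-settings.php';" > "$SITE/wp-config.php"
echo '<?php' > "$SITE/index.php"
chmod 755 "$SITE" "$SITE/wp-content"; chmod 644 "$SITE/wp-config.php"
chmod 777 "$SITE/wp-content/uploads"   # world-writable directory
chmod 666 "$SITE/index.php"            # world-writable file

echo "== before"; bad_perms "$SITE"; file_edit_disabled "$SITE" || echo "file editor still enabled"
disable_file_edit "$SITE"; fix_perms "$SITE"
echo "== after";  bad_perms "$SITE";  file_edit_disabled "$SITE" && echo "file editor disabled"
```

Some hosts require different modes for specific paths (for example an uploads directory owned by the web server user), so review the output of bad_perms before running fix_perms on a live site.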
For a deeper dive into designing a resilient backup and restore plan across your sites, use the workflow in the WordPress backups and restore strategies guide as your baseline and adapt it to your business.
Regain Control of Your Hacked WordPress Site
A hacked WordPress site feels chaotic, but recovery is absolutely possible when you follow a structured process. You’ve learned how to isolate the hack, preserve evidence, remove malware from files and database, and then harden your site so it’s much more resistant in the future.
From now on, treat security and maintenance as ongoing responsibilities, not one-time tasks. With regular updates, tested backups, and sensible hardening in place, your site will be safer, faster to restore, and better prepared for whatever the internet throws at it.
Further Reading
- How to Secure a WordPress Website
- Beginner WordPress Security Best Practices Guide
- WordPress Disaster Recovery Walkthrough
- Building a Solid WordPress Backup Strategy
- WordPress Maintenance and Backup Plan