Restoring a Hacked WordPress Website: A Step-by-Step Guide to Recovery

In an era where online presence is paramount, a hacked WordPress website can be a nightmare for website owners and administrators.

Hacks can lead to compromised data, damaged reputation, and significant financial losses. However, the road to recovery is not as daunting as it may seem. With the right knowledge and systematic approach, you can restore your hacked website to its former glory and bolster its security to prevent future breaches.

This step-by-step guide will walk you through the process of reclaiming your website from the clutches of hackers. It covers everything from identifying signs of a hack to cleaning up your site and implementing essential security measures. By the end of this comprehensive journey, you’ll not only have a restored website but also the knowledge to fortify it against potential threats.

Let’s begin the journey toward recovery and resilience for your WordPress site.

Signs that Your WordPress Website May Have Been Hacked

Signs of a Hacked WordPress Website
Hacks aren’t always immediately obvious, so recognizing the signs is essential. Common indicators of a hacked website include:

Changes to Content: Unauthorized changes to your site’s content or the appearance of unfamiliar posts, pages, or links.
Unusual User Accounts: Mysterious user accounts with admin privileges, potentially created by hackers.
Spammy Content: Injection of spam links, ads, or unrelated content.
Site Redirection: Visitors being redirected to other websites or spammy landing pages.
Performance Issues: A noticeable drop in your site’s performance or loading speed.
Suspicious Traffic: Unusual spikes in traffic, often from suspicious or foreign sources.
Search Engine Blacklist: Being flagged by search engines as unsafe or blacklisted.

How a WordPress Site Gets Hacked

WordPress Site
Understanding how your WordPress site can get hacked is crucial for preventing future breaches. The most common ways a WordPress site gets hacked include:

1. Insecure Login Credentials
Weak, easily guessable, or shared login credentials make your site susceptible to brute force attacks. Hackers use automated tools to try different username and password combinations until they gain access.

2. Outdated Software
Using outdated versions of WordPress, themes, or plugins exposes your site to known vulnerabilities. Hackers often target these security holes to infiltrate your website.

3. Poor Website Code
Website code riddled with security flaws or poorly coded plugins and themes can create entry points for hackers. They exploit these vulnerabilities to gain unauthorized access to your site.

Reasons Why a WordPress Site Gets Hacked

A hacked WordPress site can be due to a variety of reasons, ranging from financial gain to simply causing disruption. Common motives include:

SEO Spam: Hackers use your site to promote unrelated content to boost their own search engine rankings.
Data Theft: Stealing user information, such as email addresses or credit card details.
Distributed Denial of Service (DDoS): Overloading your site with traffic to make it unavailable.
Defacement: Changing your site’s appearance or content to display a message or images.
Malware Distribution: Injecting malicious software into your site for spreading viruses.
Extortion: Demanding a ransom for restoring your site.
Phishing: Setting up fake login pages to steal users’ login credentials.

11 Solutions to Fix a Hacked WordPress Website

Fix a Hacked WordPress Website

1. Put WordPress in Maintenance Mode

When your WordPress website is compromised or hacked, it’s essential to address the issue promptly. However, making changes to your site, especially if it’s a live website, can be disruptive to your visitors. To minimize this disruption, you can put your WordPress site into maintenance mode. Here’s why this step is important and how to do it:

Preventing Visitor Disruption: Maintenance mode ensures that your visitors don’t encounter the hacked or compromised content while you’re working on resolving the issue. It offers a more professional and reassuring message, letting visitors know that the problem is being addressed.
How to Put Your Site in Maintenance Mode:

Use Maintenance Mode Plugins: There are various WordPress plugins designed specifically for putting your site into maintenance mode. Examples include “WP Maintenance Mode” and “Coming Soon Page & Maintenance Mode by SeedProd.” These plugins allow you to set up a temporary “Under Maintenance” page that your visitors will see.

Visitor-Friendly: It’s a user-friendly approach that keeps visitors informed and minimizes any confusion or alarm caused by a hacked site.
Professional Image: By displaying a maintenance page, your site maintains a professional image, showing that you’re actively working to address the issue.

2. Reset WordPress Password

When your WordPress website has been compromised, the first line of defense is to change your WordPress admin password. It’s essential to create a robust, unique password to prevent unauthorized access to your site. This step is critical in regaining control of your website and preventing further damage. Here’s why it’s necessary and how to do it:

Immediate Security Enhancement: Changing your password is an immediate step to enhance the security of your site. When your site is hacked, it’s possible that the attackers gained access to your admin account, which puts your entire site at risk.
How to Reset Your Password:
Access Your Login Page: Go to your WordPress login page. Typically, it’s located at “”

Click on ‘Lost your password?’: Below the login form, there’s often a “Lost your password?” or “Forgot your password?” link. Click on it.

Enter Your Username or Email: On the password reset page, you’ll be asked to enter either your username or the email associated with your admin account. This initiates the password reset process.

Check Your Email: You’ll receive an email with instructions on how to reset your password. Click on the provided link.

Set a Strong Password: You’ll be redirected to a page where you can set a new password. Create a robust password that includes a combination of letters, numbers, and special characters. Ensure that it’s unique and hard to guess.

Update Other User Passwords: It’s also crucial to check and update the passwords of all other user accounts on your site. If you’re unsure about the security of any account, changing its password is a prudent step.

Immediate Security Boost: Changing your password is a swift way to regain control and secure your site.
Preventing Unauthorized Access: By setting a strong, unique password, you prevent hackers from re-entering your site using the same credentials.

3. Update WordPress

When your WordPress website has been hacked, one of the most critical steps in the recovery and security process is to update your WordPress core, themes, and plugins. Here’s why this is essential and how to do it:

Why Updating is Crucial:
Fixing Vulnerabilities: Outdated software is a common entry point for hackers. Developers regularly release updates to patch known vulnerabilities. By updating your WordPress core, themes, and plugins, you fix these security holes and make it more challenging for attackers to exploit them.

How to Update WordPress:
Update WordPress Core:

  • Access your WordPress dashboard.
  • If there’s a new version of WordPress available, you’ll see a notification at the top of your dashboard.
  • Click on the notification to access the “Updates” page.
  • You’ll see an option to update WordPress. Click the “Update Now” button.
  • WordPress will automatically download and install the latest version.

Update Themes:

  • Navigate to the “Appearance” menu and click on “Themes.”
  • If any of your installed themes have updates available, you’ll see a notification.
  • Click on the theme with available updates.
  • In the theme details, click the “Update Now” button.
  • WordPress will update the theme to the latest version.

Update Plugins:

  • Go to the “Plugins” section in your dashboard.
  • For plugins with available updates, you’ll see a notification on the “Plugins” page.
  • Click the “Update Now” link next to each plugin with an available update.
  • WordPress will handle the update process for each plugin.

Additional Tips:

Regularly Update: Make updating your WordPress website a regular practice. New vulnerabilities are continuously discovered, so keeping your site up to date is an ongoing effort.
Backup First: Before performing updates, it’s wise to back up your site. This way, if anything goes wrong during the update, you can restore your website to a previous, working state.

4. Deactivate Plugins and Themes

When dealing with a hacked website, it’s essential to deactivate all your plugins and themes temporarily. This serves to halt any potentially malicious scripts from running on your site. Here’s why this action is necessary and how to do it correctly:

Why Deactivation is Crucial:

Preventing Malicious Scripts: Hackers often exploit vulnerabilities in plugins and themes. By deactivating them, you can halt any harmful scripts that may be injected by the attackers, preventing further damage to your site.
How to Deactivate Plugins and Themes:

Access Your WordPress Dashboard:
Log in to your WordPress admin dashboard.

Deactivate Plugins:

  • Go to the “Plugins” section in your dashboard.
  • You’ll see a list of installed plugins.
  • Select all plugins by ticking the checkbox at the top.
  • From the “Bulk Actions” dropdown, choose “Deactivate.”
  • Click the “Apply” button.
  • This will deactivate all your plugins.

Deactivate Themes:

  • Head to the “Appearance” menu and click on “Themes.”
  • Activate a default WordPress theme (e.g., Twenty Twenty-One) by clicking the “Activate” button.
  • Once the default theme is active, you can safely deactivate your other themes.

What to Do After Deactivation:

Reactive Trusted and Updated Plugins: After deactivating all plugins, only reactivate the ones that you trust and that are up to date. Start with essential plugins for your site’s functionality.

Investigate and Update: The plugins and themes that you deactivated should be thoroughly investigated. Check for updates or patches from their developers to fix any known vulnerabilities. Update them before reactivating.

Scan for Malware: Run a security scan with a reputable WordPress security plugin like Wordfence, Sucuri, or MalCare. These tools can help you identify and remove any malicious code that may have been introduced during the hacking incident.

Deactivating plugins and themes is a crucial step to prevent further damage to your site after a hack. It buys you time to investigate, clean, and secure your website before bringing it back to normal operation.

5. Reinstall WordPress

When the security of your WordPress website has been severely compromised, and you’re finding it challenging to identify and eliminate all the malicious elements, a complete reinstallation of WordPress can be a powerful solution. Here’s what this step involves:

Why Reinstalling WordPress is Necessary:
Starting Fresh: Reinstalling WordPress means wiping the slate clean. It allows you to get rid of any potentially hidden or deeply embedded malware or backdoors that are hard to detect and remove.

How to Reinstall WordPress:

Backup Your Content:
Before proceeding, it’s crucial to create backups of your website’s content, including posts, pages, media, and any other essential data. You can do this by using a backup plugin or manually exporting content.

Access Your Hosting Control Panel:
Log in to your hosting control panel (e.g., cPanel, Plesk, or your hosting provider’s custom panel).

Create a Database Backup:

  • Inside your control panel, navigate to the database section (usually, it’s labeled as MySQL Databases or Database Wizard).
  • Select your website’s database and create a backup. This step ensures that you retain your website’s content and settings.

Delete WordPress Files:

  • Access your site’s root directory via FTP or your hosting’s file manager.
  • Delete all files and folders related to your current WordPress installation, excluding any backups you’ve made.

Download the Latest WordPress Version:
Visit the official WordPress website ( and download the latest version of WordPress.

Upload and Install WordPress:

  • Return to your hosting control panel and set up a new database. Note down the database name, username, and password.
  • Upload the downloaded WordPress files to your site’s root directory.
  • Access your website via a web browser, and you’ll be guided through the installation process. Provide the database information you noted earlier.

Restore Your Content:
After the reinstallation, you can import your previously backed up content into the fresh WordPress installation. This process will vary based on the size and complexity of your website but typically involves using the WordPress Importer tool.

Reconfigure and Secure:

  • Once your content is restored, make sure to reconfigure your WordPress settings, themes, and plugins.
  • Update all themes and plugins to their latest versions.
  • Implement strong security measures, such as using a reputable security plugin and employing secure login practices.
  • Regularly back up your site to avoid future data loss.

A Last Resort:
Reinstalling WordPress should be considered a last resort when dealing with a severely hacked website. It provides a clean slate but requires significant effort to restore your content and settings. If you’re uncertain about this process, consider seeking the assistance of a professional or your hosting provider.

6. Remove New WordPress Users With Admin Privileges

When your WordPress website is compromised, hackers might exploit vulnerabilities to gain unauthorized access. One way they can maintain control is by creating new user accounts with administrator privileges. To regain control and enhance security, follow these steps:

Log in to Your WordPress Dashboard
Access your WordPress admin dashboard by going to the login page and entering your credentials.

Navigate to the “Users” Section
Once logged in, go to the “Users” section within your WordPress dashboard. It’s typically found on the left-hand menu.

Review the List of Users
You’ll see a list of all the users registered on your website. Pay special attention to users with “Administrator” roles.

Identify Suspicious Users
Look for any user accounts that you didn’t create or recognize. These are the accounts that may have been added by the hackers.

Delete Suspicious Users
To remove these suspicious users, hover your cursor over their username to reveal the “Delete” option. Click “Delete” to remove the user account.

Check for Malicious Changes
After removing these users, it’s essential to review your website for any malicious changes they might have made. This could include altered settings, new plugins or themes, or any suspicious content.

Change All Passwords
For enhanced security, change the passwords for all remaining user accounts, especially the administrator account. Create strong, unique passwords to minimize the risk of further unauthorized access.

Implement Security Measures
To prevent future unauthorized access and maintain website security, consider the following measures:

  • Use a security plugin to monitor and protect your site from threats.
  • Limit login attempts to prevent brute force attacks.
  • Employ two-factor authentication for all user accounts, if possible.
  • Regularly update WordPress, themes, and plugins to patch vulnerabilities.
  • Conduct security scans to detect and remove any remaining malware or backdoors.

By removing unauthorized users with administrator privileges, you’re eliminating a potential point of control for hackers and reducing the risk of further compromise. It’s a critical step in the recovery process and should be followed by additional security measures to fortify your website against future attacks.

7. Search for Malware

After your WordPress site has been compromised, it’s vital to search for and eliminate any malware that may have been injected by the hackers. Malware can be hidden throughout your website, and its presence can continue to cause problems if not dealt with effectively. Here’s how to address this issue:

Use Reputable Security Plugins:
Utilize well-established WordPress security plugins known for their effectiveness in malware scanning and removal. Some of the popular options include Wordfence, Sucuri, and MalCare.

Perform a Comprehensive Scan:
Activate your chosen security plugin and run a comprehensive scan of your entire website. These tools are designed to examine your site’s files and database to detect and identify malicious code.

Identify Malicious Code:
The security plugin will flag and notify you of any suspicious or malicious code it discovers. This could be hidden scripts, unauthorized files, or suspicious patterns in your database.

Remove the Malware:
Follow the instructions provided by the security plugin to remove the identified malware. In most cases, you can use the plugin to clean your website automatically, and it will delete or quarantine the malicious elements.

Regular Scanning and Monitoring:
To maintain a secure website, consider configuring your security plugin for regular scans and real-time monitoring. These features can help detect and remove malware as soon as it’s identified.

By using reputable WordPress security plugins and conducting regular scans, you can effectively identify and remove any malware that may have compromised your site. This is a critical step in the recovery process to ensure your website is secure and free from harmful code that could potentially harm your site and its visitors.

8. Disable PHP Execution

Disabling PHP execution is an essential security step to protect your WordPress site from potential threats.

Purpose of Disabling PHP Execution:
When your website is compromised, hackers might inject malicious PHP files. These files can execute harmful scripts and further damage your site. Disabling PHP execution prevents these scripts from running, minimizing the risk of additional harm.

Identifying Suspicious PHP Files:
Begin by identifying any PHP files in your WordPress installation that look unfamiliar or suspicious. Such files may be part of the hack and could pose a threat.

How to Disable PHP Execution:
To disable PHP execution for suspicious files, you can take several steps:

  • Change the file extension: Renaming PHP files with a different extension like .txt or .html can effectively disable their execution.
  • Modify file permissions: Adjust the file permissions to ensure that PHP files are not executable. Setting them to read-only can be an effective way to prevent execution.
  • Use a security plugin: WordPress security plugins can help you identify and disable suspicious files automatically.

Regular Security Scans:
Regularly scanning your WordPress site for potential threats and malware is a crucial part of security maintenance. Security plugins can aid in these scans, helping you detect and address issues promptly.

By disabling PHP execution for suspicious files, you minimize the risk of additional damage and protect your site from harmful scripts that may have been introduced during the hacking incident.

9. Clean the WordPress Database

Your WordPress database stores all the content and settings of your website. When your site is hacked, the database can be compromised with unauthorized entries or changes. To restore your website’s integrity, you’ll want to manually clean your database. Here’s how you can do it:

Backup Your Database:
Before making any changes to your database, it’s crucial to create a backup. This backup serves as a safety net in case something goes wrong during the cleaning process. You can back up your database using a plugin or through your hosting control panel.

Access Your Database:
To clean your database, you’ll need access to your site’s database through a tool like phpMyAdmin, which is typically available through your hosting control panel.

Review Database Tables:
Your WordPress database consists of multiple tables, each containing specific types of data. You’ll need to review these tables for any unfamiliar or suspicious entries. Look for things like unrecognized user accounts, additional posts or pages, or any other data that doesn’t belong to your website.

Remove Suspicious Entries:
Once you’ve identified suspicious entries, you can manually remove them from your database. Be cautious during this process, as altering the wrong data can have unintended consequences. If you’re unsure about a particular entry, it’s best to leave it untouched.

Optimize the Database:
After cleaning out suspicious entries, you can optimize your database to improve its performance. Most database management tools, including phpMyAdmin, offer an option to optimize your tables.

Recheck Your Website:
Once you’ve cleaned and optimized your database, it’s essential to revisit your website to ensure that it’s functioning correctly and that no legitimate data was removed during the process.

Implement Security Measures:
To prevent future database compromises, consider implementing security measures such as:

  • Regularly changing your database and website passwords.
  • Monitoring your website for potential threats using a security plugin.
  • Updating WordPress, themes, and plugins to patch vulnerabilities.
  • Implementing a web application firewall (WAF) to protect against malicious traffic.
  • Running periodic security scans to detect and remove malware or any remaining suspicious entries.


10. Clean the WordPress Sitemap

Cleaning your WordPress sitemap is an important step in recovering from a hack.

Purpose of Cleaning the Sitemap:
Your website’s sitemap is a structured list of all the pages and content on your site. Hackers may inject spammy or unrelated links into your sitemap to boost their SEO or drive traffic to malicious websites. Cleaning the sitemap involves removing these unwanted links to maintain the integrity of your site’s content.

Updating the Sitemap:
To clean the sitemap, you should update it by:

Removing spammy links: Identify and delete any links that are unrelated to your site’s content or that lead to harmful websites.
Ensuring the accuracy of your sitemap: Make sure that all the listed pages and content accurately represent your website. Add any missing, legitimate pages.
Tools for Managing the Sitemap:
WordPress offers plugins and SEO tools that allow you to manage your sitemap efficiently. You can use these tools to review, modify, and update the sitemap.

Regularly Monitor the Sitemap:
To maintain the cleanliness of your sitemap, consider periodically monitoring it for any unusual or unauthorized changes. Regular checks help ensure that your sitemap accurately reflects your website’s content.

Cleaning your WordPress sitemap is crucial for maintaining the quality and integrity of your website’s content. By removing spammy or unrelated links injected by hackers, you enhance your site’s SEO and user experience while reducing potential security risks.

11. Contact Your Hosting Provider

When dealing with a hacked website, reaching out to your hosting provider is the final and crucial step in the recovery process. Here’s a concise explanation of why and how to contact your hosting provider for help:

Reasons to Contact Your Hosting Provider:
If you’re unsure about the recovery process or suspect that your website remains compromised, it’s a wise decision to contact your hosting provider. They are well-equipped to assist with a range of issues related to your website’s performance and security.

Professional Assistance:
Hosting providers have experienced support teams with expertise in managing web hosting environments. They can provide valuable guidance, resources, and solutions tailored to your specific situation, making it easier for you to recover your website.

Restoring from a Clean Backup:
In some cases, hosting providers can restore your website from a clean backup. This action effectively reverts your site to a state before the hack occurred, eliminating the compromises caused by the security breach. It’s a reliable and efficient recovery method.

Cooperation with Support:
When you contact your hosting provider, be ready to collaborate with their support team. They might request information about the hack, the issues you’ve encountered, and any other relevant details to assist in the recovery process effectively.

Implementing Security Measures:
In addition to addressing the immediate issue, your hosting provider can offer guidance on enhancing your website’s security to prevent future compromises. Recommendations may include regular backups, the use of security plugins, and implementing firewall protection.

Getting in touch with your hosting provider is a prudent step, particularly if you’re uncertain about the recovery process or if your website’s security remains a concern. Hosting companies are well-prepared to assist you in resolving issues and providing professional support to restore your site to a secure and fully operational state.

Hacked WordPress FAQ

Q1: Can a hacked website be fixed?

Yes, a hacked website can be fixed. By following the steps outlined in this guide, you can restore your site and enhance its security to prevent future hacks.

Q2: How do I know if my WordPress website has been hacked?

Common signs of a hacked website include changes to content, unusual user accounts, spammy content, site redirection, performance issues, suspicious traffic, and being flagged by search engines.

Q3: How can I prevent future hacks?

To prevent future hacks, regularly update your WordPress core, themes, and plugins, use strong and unique passwords, employ a web application firewall (WAF), and regularly monitor your site for unusual activities.

Q4: Should I pay a ransom to hackers?

Paying a ransom to hackers is strongly discouraged, as it does not guarantee that your site will be restored, and it encourages further hacking attempts.


The experience of a hacked website can be unsettling, but it’s also an opportunity to emerge stronger and better prepared. In the digital landscape, where cyber threats loom, understanding how to restore a compromised site is an invaluable skill.

This step-by-step guide has taken you on a journey through the process of recovery, starting from identifying the signs of a hack to cleaning up your site and implementing essential security measures. Along the way, you’ve learned the importance of regular backups, strong passwords, updated software, and the role of reliable security plugins. Armed with this knowledge, you have the power to reclaim your website and protect it from future threats.

Remember, vigilance and proactive security measures are your best allies. Continuously monitor your website for vulnerabilities, keep everything up to date, and invest in robust security solutions. By staying informed and prepared, you can minimize the risks and enjoy a safer and more resilient online presence.

As you conclude this journey of restoration and recovery, you do so with a newfound confidence in your ability to overcome adversity in the ever-evolving digital landscape. Your WordPress website is not only revived but also fortified, ready to face the challenges of tomorrow.

Leave a Reply

Your email address will not be published. Required fields are marked *

Forgot Password