WordPress Site Hacked? Here's How to Recover It Fast


Discovering your WordPress site has been hacked is one of the worst feelings for any website owner. Defaced homepage, Google warning, hosting suspension, spam redirects — whatever the symptom, the fix needs to happen fast.

I've cleaned dozens of compromised WordPress sites over my 14+ years as a WordPress developer. Here's the exact 8-step process I follow every time.

Signs Your WordPress Site Has Been Hacked

  • Homepage replaced with a defacement message
  • Google Search Console shows "This site may be hacked"
  • Visitors redirected to spam or phishing sites
  • New admin users you didn't create
  • Locked out of wp-admin
  • Hosting account suspended for malware

Step 1: Back Up Everything

Before touching anything, take a full copy of the site exactly as it is now: download the entire public_html folder (over SFTP rather than plain FTP, which sends your password in the clear) and export the database from phpMyAdmin. Keep this copy even though it contains the infected files: you will need it to compare against clean copies, to work out how the attacker got in, and to recover content if the cleanup goes wrong. Don't restore from it. If you can, put the site into maintenance mode or take it offline while you work, so visitors stop being redirected and the attacker stops getting a live shell.

Step 2: Scan for Malware

Use more than one of these tools; an external scanner only sees what a visitor sees, so a file-level scan is also needed to catch backdoors that never show up in page output:

  • Wordfence (WordPress plugin) — full file scan
  • Sucuri SiteCheck — external scan at sitecheck.sucuri.net
  • MalCare — deep scan with file-level comparison

Step 3: Remove Malicious Code

Common infection points:

  • wp-config.php — look for base64-encoded strings or include/require lines you didn't add (the eight AUTH_KEY and SALT constants are random by design, so don't mistake them for injected code)
  • functions.php in the active theme, plus header.php and footer.php, the usual places for injected scripts and redirects
  • .htaccess — check for injected rewrite or redirect rules, in the site root and in subfolders
  • /wp-content/uploads/ — PHP files don't belong here; treat any .php, .phtml or .phar you find as malware
  • /wp-content/plugins/ and /wp-content/mu-plugins/ — look for folders you never installed; mu-plugins load automatically and can't be deactivated from the dashboard

Replace wp-admin/ and wp-includes/ with the same directories from a fresh download of your exact WordPress version, and reinstall every plugin and theme you keep from its official source, since attackers often plant backdoors inside otherwise legitimate plugin files. If WP-CLI is installed, `wp core verify-checksums` and `wp plugin verify-checksums --all` list the files that differ from the official releases, which is the fastest way to find modified files you would otherwise miss. Move suspect files out of the web root rather than deleting them outright, confirm the site still works, then remove them.

Step 4: Change All Passwords and Secret Keys

  • WordPress admin password — for every administrator, and delete any admin account you didn't create
  • Database password (update in cPanel and wp-config.php)
  • FTP/SFTP, cPanel and other hosting-panel credentials
  • WordPress secret keys — paste a fresh set from https://api.wordpress.org/secret-key/1.1/salt/ into wp-config.php (or run `wp config shuffle-salts`); this invalidates every logged-in session, including the attacker's

Step 5: Update Everything

Update WordPress core, all plugins and all themes. Delete unused themes and plugins rather than leaving them deactivated, since their files stay reachable on disk, and permanently remove any nulled plugins: pirated copies of paid plugins routinely ship with a backdoor already built in.

Step 6: Clean the Database

Run these SQL queries in phpMyAdmin (they use the default wp_ table prefix; substitute the $table_prefix from your wp-config.php if yours differs):

```sql
-- Find injected scripts in posts
SELECT ID, post_title FROM wp_posts
WHERE post_content LIKE '%<script%'
   OR post_content LIKE '%<iframe%'
   OR post_content LIKE '%eval(%' OR post_content LIKE '%base64_decode%';

-- Check options for injected code and a hijacked site address (redirect hacks rewrite siteurl/home)
SELECT option_name, LEFT(option_value, 120) AS preview FROM wp_options
WHERE option_value LIKE '%eval(%'
   OR option_value LIKE '%<script%'
   OR option_name IN ('siteurl', 'home');

-- List administrators and compare with the accounts you know
SELECT u.ID, u.user_login, u.user_email, u.user_registered FROM wp_users u
JOIN wp_usermeta m ON m.user_id = u.ID
WHERE m.meta_key = 'wp_capabilities' AND m.meta_value LIKE '%administrator%';
```

Step 7: Harden Security

Disable PHP execution in the uploads folder. On Apache 2.4 create this .htaccess inside /wp-content/uploads/ (Apache 2.2 uses `deny from all` in place of `Require all denied`; nginx ignores .htaccess entirely, so there the equivalent `location` rule has to go in the server config). Matching on a pattern rather than `*.php` also catches the .phtml, .phar and .php5 names attackers use to slip past a plain .php rule:

```apache
<FilesMatch "\.(php|phtml|phar|php[0-9])$">
  Require all denied
</FilesMatch>
```

Also: limit login attempts, enable 2FA for every administrator, and set correct file permissions (folders 755, files 644; wp-config.php can be tightened to 600 or 640 where your host runs PHP as your own user).
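The script below is an added example, not code from the article: it applies the file-level parts of Step 7 to a document root, writing the uploads .htaccess and resetting permissions, then counts anything still left with the wrong mode. It assumes Apache 2.4 with AllowOverride enabled for the site, picks 640 for wp-config.php (loosen to 644 if your host's PHP runs as a different user and can no longer read it), and the `make_demo_tree` function builds a constructed tree with deliberately loose modes so it can be exercised offline; the function names and paths are this example's own.

```shell
#!/bin/sh
# Added example (not from the article): apply Step 7 file-level hardening to a
# WordPress document root. Assumes Apache 2.4 with AllowOverride enabled.

# Write an .htaccess into wp-content/uploads that refuses to serve PHP-like files.
block_php_in_uploads() {
  dir="$1/wp-content/uploads"
  mkdir -p "$dir"
  cat > "$dir/.htaccess" <<'EOF'
# Deny direct execution of any PHP-like file in the uploads tree.
<FilesMatch "\.(php|phtml|phar|php[0-9])$">
  Require all denied
</FilesMatch>
EOF
}

# Reset permissions: directories 755, files 644, wp-config.php 640 so only the
# owner and the web-server group can read the database credentials.
reset_permissions() {
  find "$1" -type d -exec chmod 755 {} +
  find "$1" -type f -exec chmod 644 {} +
  [ -f "$1/wp-config.php" ] && chmod 640 "$1/wp-config.php"
  return 0
}

# Count directories and files still carrying an unexpected mode (expected: 0).
# wp-config.php is excluded here because it is intentionally 640.
count_wrong_modes() {
  {
    find "$1" -type d ! -perm 755
    find "$1" -type f ! -perm 644 ! -name wp-config.php
  } | wc -l | tr -d ' '
}

# Constructed demo tree with deliberately loose modes, for running offline.
make_demo_tree() {
  root=$(mktemp -d)
  mkdir -p "$root/wp-content/uploads/2024" "$root/wp-content/plugins/demo"
  printf '<?php // constructed placeholder\n' > "$root/wp-config.php"
  printf 'x\n' > "$root/wp-content/uploads/2024/a.jpg"
  printf '<?php // constructed placeholder\n' > "$root/wp-content/plugins/demo/demo.php"
  chmod 777 "$root/wp-content/uploads/2024" "$root/wp-content/plugins/demo/demo.php"
  echo "$root"
}

# Usage: sh harden.sh /var/www/html
if [ -n "${1:-}" ]; then
  block_php_in_uploads "$1"
  reset_permissions "$1"
  echo "objects with unexpected modes: $(count_wrong_modes "$1")"
fi
```

Run `count_wrong_modes` again a day later: if modes have drifted back to 777 or new PHP has appeared under uploads, a backdoor or a leaked credential is still in play and the cleanup is not finished.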

Step 8: Request Google Review

If Google flagged your site — go to Search Console → Security Issues → Request Review after cleanup.


Need professional help? I offer emergency WordPress malware removal with same-day turnaround. Full guide with more details here.

Source: dev.to
