In this guide, we show you how to repair a WordPress site that has been hacked and infected with malware. WordPress is the most used CMS in the world. Unfortunately, this also means that it is very popular with hackers.
When we notice that a site has been compromised, we take it offline to make sure that the hackers no longer have access. This action also helps to protect your Google ranking and your visitors, since they might get infected just by visiting your site.
As soon as all malware has been removed and WordPress has been updated, you can request a new scan via your Control Panel to have your site reopened.
- Step 1 - Change passwords
- Step 2 - Follow the recommended steps in Control Panel
- Step 3 - Create a backup (Recommended)
- Step 4 - Restore a backup (Optional)
- Step 5 - Remove malware
- Step 6 - Add a temporary password login to your site
- Step 7 - Request a malware scan via the Control Panel
- Step 8 - Secure the site to prevent future hacks
Step 1 - Change passwords
The first thing to do if (you suspect) your website has been hacked is to change your passwords. That way you deny hackers access to your web space.
You should change the following passwords:
Note: Remember to also update the database password in wp-config.php. Otherwise the file still contains your old password, and your site will show database connection errors.
Step 2 - Follow the recommended steps in Control Panel
In your Control Panel, you find more information about the type of hack, as well as a list of files that have been infected with malware.
Tip: Even if FTP access is suspended, you can still access your web space with our File Manager or SFTP.
Step 3 - Create a backup (Recommended)
If you don't have a recent website backup, we recommend you make one before making any changes. That way you still have access to all your files and content if something goes wrong.
You can use Backup & Restore in the control panel and restore your site with just one click. You can also do a manual backup of your web space and database. Read the guides below for more information.
- Getting started with Backup and Restore
- Backup your web space via SFTP
- Backup your web space with File Manager
- How do I make a backup of my database?
Step 4 - Restore a backup (Optional)
If you have a backup of your site, now is the time to restore it. Keep in mind that your site may have been hacked before the backup was created. In that case, you still need to remove malware manually.
You can check this by comparing the date your backup was created with the date the infected files on your site were last edited. If the backup was created after that date, the backup already contains the infection.
Unfortunately, hackers will sometimes also manipulate the date a file was changed. If you are in doubt whether your backup is clean, you can always ask our support to have a look.
Note: Even if the backup is from before your site was compromised, it's still very important to change passwords, update to the latest version and check for other vulnerabilities.
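To make the date comparison above practical, here is an added example (not part of this guide) that lists the files changed after a given backup date. It checks both the modification time, which an attacker can forge, and the inode change time, which the kernel sets and normal tools cannot backdate; it assumes GNU find, and the directory and date are placeholders.

```shell
#!/bin/sh
# Lists files under a web space that changed after the backup was taken.
# Pass 1 uses mtime (modification time), which `touch -d` can forge.
# Pass 2 uses ctime (inode change time), which is set by the kernel on every
# write, rename or permission change and cannot be set from user space.
# A file that is old by mtime but recent by ctime has a forged timestamp.
# Assumes GNU find (-newermt / -newerct). DIR and the date are examples.

# Usage: changed_since DIR 'YYYY-MM-DD HH:MM:SS'
changed_since() {
  dir="$1"; since="$2"
  # Pass 1: content modified after the backup date (what most people check)
  find "$dir" -type f -newermt "$since" | sed 's/^/MTIME /'
  # Pass 2: inode changed after the backup date (catches forged mtimes)
  find "$dir" -type f -newerct "$since" | sed 's/^/CTIME /'
}

# Files whose mtime predates the backup but whose ctime does not:
# these are the ones where the timestamp was most likely manipulated.
suspect_timestamps() {
  dir="$1"; since="$2"
  find "$dir" -type f -newerct "$since" ! -newermt "$since"
}

if [ "$#" -eq 2 ]; then
  changed_since "$1" "$2"
  echo "--- files with forged-looking timestamps ---"
  suspect_timestamps "$1" "$2"
fi
```

Run it as `sh changed_since.sh /path/to/webspace '2024-01-15 02:00:00'` with the date your backup was created; anything in the second list deserves a close look even if the File Manager shows an old date.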
Step 5 - Remove malware
It is now time to remove the remaining malware from your site by going through the list of infected files in File Manager. You can always contact our support and ask for an updated list of files that are (still) infected.
In 90% of the cases, the infected files belong to one of the following three categories, which you can read more about below:
- Core files
- Plugins
- Themes
Core files - The core files are located in the root directory of your WordPress website, as well as in the wp-admin and wp-includes folders. If these files are infected, you can simply overwrite them with a fresh WordPress download.
Check out our step-by-step guide to lead you through the process: Update WordPress manually
Plugins - If the hacker gained access through a plugin, the malware will usually be located in the plugins folder.
You can safely delete the whole folder that contains the plugin and reinstall it from your dashboard afterward. You will find the plugins folder in wp-content > plugins.
Themes - The malware will be in the themes folder if the hacker gained access through a theme. If the infected files are part of a theme you are not actively using, you can safely remove the complete folder.
If the infected files are part of the theme that you are using, you first need to change the theme in the database. Otherwise, your site will stop working. Afterward, you'll be able to safely remove the folder.
Check our guide on how to do this: Change your WordPress theme from the database
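For the core files category above, the quickest way to see which files need overwriting is to compare the live wp-admin and wp-includes folders with a fresh download of the same WordPress version. The following is an added example, not part of this guide: it reports modified files, files missing from the live site, and files that exist only on the live site (extra files in these two folders are not part of WordPress and are a classic sign of tampering). The two directory paths are placeholders.

```shell
#!/bin/sh
# Compares a live WordPress install against a freshly downloaded copy of the
# SAME version. Prints one line per core file that differs, is missing, or
# exists only on the live site. Only wp-admin and wp-includes are compared;
# the root directory also holds site-specific files such as wp-config.php.

# Usage: compare_core FRESH_DIR LIVE_DIR
compare_core() {
  fresh="$1"; live="$2"
  for sub in wp-admin wp-includes; do
    # -r recurse, -q report names only; diff exits 1 when differences exist
    diff -rq "$fresh/$sub" "$live/$sub" | while IFS= read -r line; do
      case "$line" in
        "Only in $live/"*)   # extra file on the live site: not part of WordPress
          dir=${line#Only in }; dir=${dir%%:*}; name=${line##*: }
          printf 'EXTRA    %s\n' "${dir#"$live"/}/$name" ;;
        "Only in $fresh/"*)  # file missing on the live site (deleted or renamed)
          dir=${line#Only in }; dir=${dir%%:*}; name=${line##*: }
          printf 'MISSING  %s\n' "${dir#"$fresh"/}/$name" ;;
        Files*differ)        # present on both sides but contents changed
          f=${line#Files }; f=${f%% and *}
          printf 'MODIFIED %s\n' "${f#"$fresh"/}" ;;
      esac
    done
  done
}

if [ "$#" -eq 2 ]; then
  compare_core "$1" "$2"
fi
```

Unzip the matching WordPress release somewhere outside the web space (for example /tmp/wordpress) and run `sh compare_core.sh /tmp/wordpress /path/to/webspace`; MODIFIED and EXTRA entries are the ones to overwrite or delete.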
Step 6 - Add a temporary password login to your site (Recommended)
We recommend you (temporarily) protect your site with a password. That way, you can safely update all your plugins and themes. When your site is fully updated and secure, you can remove the login again.
You add a login to your site with the .htaccess file. Check out our guide for more information.
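As an added example that is not part of this guide, the script below puts a temporary HTTP Basic Auth login in front of a site by appending a marked block to .htaccess and writing a matching credential file outside the web root, so the password file itself is never served. The web root, credential path, user name and password are placeholders; it assumes Apache honours .htaccess and that openssl is available to produce the apr1 hash.

```shell
#!/bin/sh
# Adds and removes a temporary password login via .htaccess (HTTP Basic Auth).
# The directives are wrapped in "# BEGIN temp-login" / "# END temp-login"
# markers, so existing rules (e.g. the WordPress permalink block) are kept
# and the login can be removed cleanly later. The .htpasswd file is written
# OUTSIDE the web root with mode 0600 so it can neither be downloaded nor
# read by other accounts on the host. All paths and credentials are examples.

# Usage: add_temp_login WEBROOT PASSWD_FILE USER PASSWORD
add_temp_login() {
  webroot="$1"; pwfile="$2"; user="$3"; pass="$4"
  command -v openssl >/dev/null 2>&1 || { echo "openssl required" >&2; return 1; }
  # apr1 (Apache MD5) hash; -stdin keeps the password out of the process list
  hash=$(printf '%s\n' "$pass" | openssl passwd -apr1 -stdin)
  printf '%s:%s\n' "$user" "$hash" > "$pwfile"
  chmod 600 "$pwfile"
  # AuthUserFile must be an absolute path; Require valid-user challenges every
  # request until the browser presents a user listed in that file
  {
    echo '# BEGIN temp-login'
    echo 'AuthType Basic'
    echo 'AuthName "Site temporarily closed for maintenance"'
    echo "AuthUserFile $pwfile"
    echo 'Require valid-user'
    echo '# END temp-login'
  } >> "$webroot/.htaccess"
}

# Usage: remove_temp_login WEBROOT PASSWD_FILE
# Deletes only the marked block, leaving the rest of .htaccess untouched.
remove_temp_login() {
  f="$1/.htaccess"
  sed '/^# BEGIN temp-login$/,/^# END temp-login$/d' "$f" > "$f.tmp" && mv "$f.tmp" "$f"
  rm -f "$2"
}
```

The credential file should live one level above the web root (for example /home/you/.htpasswd next to, not inside, the public folder); once plugins and themes are updated, run remove_temp_login to reopen the site.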
Step 7 - Request a malware scan via the Control Panel
Access can be restored once all malware has been removed and you have either updated WordPress together with all plugins and themes, or added password protection to your site.
When you've completed all the recommended steps, you can request a new malware scan using the button "Request reactivation of website" at the bottom of the page. There can be two different scan results:
- No malware found: The webspace is clean again, and your website will be reopened immediately.
- Malware found: The scan still detected infected files. Please remove all infected files we listed and try again.
Note: Depending on how many files need to be scanned, a malware scan takes anywhere from a couple of minutes to a few hours.
You can request reactivation twice from your Control Panel. If malware is still found during the second scan, please contact our support so that our technicians can check the site manually.
Step 8 - Secure the site to prevent future hacks
Now that you have access to WP Admin again, it's a good idea to make sure your site is secure.
Check plugins and themes - Go through all your plugins and themes and remove the ones you don't use. Also check whether the plugins and themes you do use are still maintained. If a plugin hasn't been updated in the last year, it's a good idea to look for an alternative.
Check WordPress users and reset passwords - Sometimes hackers create their own users in your WP Admin. Go through the user list and remove any users you don't recognize. It's also a good idea to change the passwords for all users.