How do I repair a hacked WordPress site?

In this guide, we show you how to repair a WordPress site that has been hacked and infected with malware. WordPress is the most used CMS in the world. Unfortunately, this also means that it is very popular with hackers.

When we notice that a site has been compromised, we take it offline to make sure that the hackers can no longer access it. This also helps to protect your Google ranking and your visitors, since they could get compromised just by visiting your site.

As soon as all malware has been removed and WordPress has been updated, you can leave us a request to open your WordPress site it via your Control Panel. 

Did you know? 
Our Malware Removal service can remove malware and abusive content from your WordPress site. Use the Premium Care contact form to get details, pricing, and priority assistance.

Step 1 - Change passwords

The first thing to do if (you suspect) your website has been hacked is to change your passwords. That way you block hackers from accessing your web space.

You should change the following passwords:

Note: Remember to update your database password in the wp-config file, since it will still have your old password and cause errors.

Step 2 - Follow the recommended steps in Control Panel

In your Control Panel, you find more information about the issue, as well as a list of files that have been infected with malware. You can also find these instructions and more information on malware in our FAQ about malware removal and prevention.

Tip: Even if FTP access is suspended, you can still access your web space with our File Manager and SFTP.

Step 3 - Create a backup (recommended)

If you don't have a recent website backup, we recommend you make one before making any changes. That way you still have access to all your files and content if something goes wrong.

You can use Backup & Restore in the Control Panel and restore your site with just one click. You can also do a manual backup of your web space and database. Read the guides below for more information.

Step 4 - Restore a backup (optional)

If you have a backup of your site, now is the time to restore it. Keep in mind that your site may have been hacked before the backup was created. In that case, you still need to remove malware manually.

You can check this by comparing the date that your backup was created, with the date the infected files on your site were last edited. If your backup is from a later date, this means your site was already hacked.

Unfortunately, hackers will sometimes also manipulate the date a file was changed. If you are in doubt whether your backup is clean, you can always ask our support to have a look.

Note: Even if the backup is from before your site was compromised, it's still very important to change passwords, update to the latest version and check for other vulnerabilities.

Step 5 - Remove malware

It is now time to remove remaining malware from your site, by going through the list of infected files in File Manager. You can always contact our support and ask for an updated list of files that are (still) infected.

In 90% of the cases, the infected files belong to one of the following three categories that you can read more about below:
 

  • Core files
  • Plugins
  • Themes

Core files - The core files are located in the root directory of your WordPress website, as well as in the wp-admin and wp-includes folders. If these files are infected, you can simply overwrite them with a fresh WordPress download.

Check out our step-by-step guide to lead you through the process: Update WordPress manually

Plugins - If the hacker gained access through a plugin, the malware will usually be located in the plugins folder.

You can safely delete the whole folder that contains your plugin. Afterwards, you can then reinstall it from your dashboard. You will find the plugins folder in wp-content > plugins.

Themes - The malware will be in the themes folder if the hacker gained access through a theme. If the infected files are part of a theme you are not actively using, you can safely remove the complete folder.

If the infected files are part of the theme that you are using, you first need to change the theme in the database. Otherwise, your site will stop working. Afterwards, you'll be able to safely remove the folder.

Check our guide on how to do this: Change your WordPress theme from the database

Step 6 - Add a temporary password login to your site (Recommended)

We recommend you (temporarily) protect your site with a password. That way, you can safely update all your plugins and themes. When your site is fully updated and secure, you can remove the login again.

You can protect your site with a password with the .htaccess file. Check out our guide for more information. 

Step 7 - Request a malware scan via the Control Panel

Access can be restored if all malware has been removed and you updated WordPress and all plugins and themes or added password protection to your site.

When you've completed all the recommended steps, you can request a new malware scan using the button "Request reactivation of website" at the bottom of the page. There can be two different scan results: 

  • No malware found: The webspace is clean again, and your website will be reopened immediately.
  • Malware found: The scan still detected corrupted files. Please remove all infected files we listed and try again.  

Note: Depending on how many files need to be scanned, a malware scan takes a couple of minutes or up to a few hours.

You can request reactivation twice from your Control Panel. However, if malware was also found during the second scan, please contact our support. Then our technicians will have to handle it manually and check it further.

Step 8 - Secure the site to prevent future hacks

Now that you have access again to your WP Admin, it's a good idea to make sure your site is secure.

Check plugins and themes - Go through all your plugins and themes and remove the ones you don't use. Also, check if the plugins and themes you use are still maintained. If a plugin hasn't been updated during the last year, it's a good idea to look for an alternative.

Check WordPress users and reset passwords - Sometimes hackers create their own users for your WP Admin. Go through the created users and remove any users you don't recognize. It's also a good idea to change the passwords for all users.

Related articles:

Was this article helpful?

Can’t find what you are looking for?

Start a chat

It's the quickest way to get in touch, every day of the year.

Start chat

Give us a call

Available on weekdays from 10am to 2pm (UTC).

Call +44 20 8106 0910