A complete step-by-step recovery guide – from immediate containment to long-term protection. Most sites can be fully restored within hours.
Quick Summary
WordPress powers 43%+ of all websites – making it the most targeted CMS by automated attacks worldwide.
Immediate steps: Take your site offline, change all passwords, scan for malware.
Recovery: Restore a clean backup OR manually remove infected files and unknown users.
Prevention: Install a security plugin, enable a firewall, use 2FA, and keep all software updated.
Most hacks exploit outdated plugins, weak passwords, or nulled themes – not WordPress core itself.
Key figures: 43% of all websites run WordPress; 90% of hacked CMS sites are WordPress; 96% of WordPress vulnerabilities are in plugins and themes, not core.
How to tell if your WordPress site has been hacked
Before attempting any fix, confirm the compromise. Rushing a cleanup on the wrong assumption wastes time and can make things worse.
Spot even one of these? Follow the recovery steps below immediately.
Data Insight
According to multiple security research reports, over 90% of all hacked CMS-based websites run WordPress – primarily because of poor maintenance, not flaws in WordPress core itself.
Step 1: Contain the damage immediately
Act fast. Every minute your site stays online, hackers can dig deeper, steal data, or use your server to attack others.
⚠ Change ALL passwords: every WordPress admin account, the hosting control panel, FTP/SFTP, and the database user (via phpMyAdmin or your host's panel; then update DB_PASSWORD in wp-config.php to match, or the site will stop loading)
⚠ Put the site into maintenance mode so visitors are not served malware or redirected while you work
⚠ Regenerate the authentication keys and salts in wp-config.php (this invalidates every existing login cookie, including the attacker's) and revoke and reissue any third-party API keys the site uses
⚠ Notify your hosting provider: many have emergency response procedures and can pull server logs you cannot reach yourself
Critical Warning
Hackers frequently install hidden backdoors (web shells, rogue admin users). Changing passwords alone does not close the breach, because a web shell needs no password; you must also scan for and clean the infected files and remove users you do not recognise.
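The two containment steps that are easy to get wrong (regenerating the salts and holding the site offline) as a runnable script. This is an added example, not code from the original guide: it assumes a POSIX shell on the web host and a wp-config.php that still uses the standard define( 'AUTH_KEY', '...' ); lines, and the docroot it operates on is constructed in a temporary directory so it runs offline; in an incident, point the functions at the real wp-config.php and document root.

```shell
#!/bin/sh
# Added example, not code from the original guide. Rotates the eight
# authentication keys/salts in wp-config.php and puts the site into maintenance
# mode. The sample docroot below is constructed so the script runs offline.
set -eu

# 64 hex characters from the kernel CSPRNG. Hex contains nothing that is special
# to sed or to a PHP single-quoted string, so it can be spliced in safely.
new_secret() {
    head -c 32 /dev/urandom | od -An -tx1 | tr -d ' \n'
}

# Rewrite the value of every key and salt. WordPress derives its login-cookie
# HMACs from these, so new values invalidate every existing session at once,
# including any the attacker is holding.
rotate_salts() {
    cfg=$1
    for key in AUTH_KEY SECURE_AUTH_KEY LOGGED_IN_KEY NONCE_KEY \
               AUTH_SALT SECURE_AUTH_SALT LOGGED_IN_SALT NONCE_SALT; do
        secret=$(new_secret)
        # Matches: define( 'KEY', '<old value>' );  with optional whitespace.
        sed "s|^\(define( *'$key', *'\)[^']*\(' *);\)|\1$secret\2|" "$cfg" > "$cfg.tmp"
        mv "$cfg.tmp" "$cfg"
    done
}

# Number of keys/salts still carrying the installer placeholder or a value
# shorter than 32 characters. Anything other than 0 means rotation did not take.
unrotated_keys() {
    grep -cE "^define\( *'[A-Z_]+(KEY|SALT)', *'(put your unique phrase here|.{0,31})' *\);" "$1" || true
}

# Number of distinct 64-hex secrets in the file; should be 8 after rotation.
distinct_secrets() {
    grep -oE "'[0-9a-f]{64}'" "$1" | sort -u | wc -l | tr -d ' '
}

# WordPress serves its maintenance page while the $upgrading timestamp in
# .maintenance is less than 10 minutes old. A far-future timestamp therefore
# keeps the site offline until the file is deleted with disable_maintenance.
enable_maintenance() {
    printf '<?php $upgrading = 4102444800; // 2100-01-01, stays on until removed\n' > "$1/.maintenance"
}

disable_maintenance() {
    rm -f "$1/.maintenance"
}

# Constructed sample docroot with placeholder salts, for offline demonstration.
make_sample_docroot() {
    d=$(mktemp -d)
    cat > "$d/wp-config.php" <<'EOF'
<?php
define( 'DB_NAME', 'wp' );
define( 'AUTH_KEY',         'put your unique phrase here' );
define( 'SECURE_AUTH_KEY',  'put your unique phrase here' );
define( 'LOGGED_IN_KEY',    'put your unique phrase here' );
define( 'NONCE_KEY',        'put your unique phrase here' );
define( 'AUTH_SALT',        'put your unique phrase here' );
define( 'SECURE_AUTH_SALT', 'put your unique phrase here' );
define( 'LOGGED_IN_SALT',   'put your unique phrase here' );
define( 'NONCE_SALT',       'put your unique phrase here' );
/* That's all, stop editing! Happy publishing. */
EOF
    printf '%s\n' "$d"
}

# Usage on the constructed docroot (replace with /var/www/html or similar):
docroot=$(make_sample_docroot)
enable_maintenance "$docroot"
rotate_salts "$docroot/wp-config.php"
echo "site offline via $docroot/.maintenance; $(distinct_secrets "$docroot/wp-config.php") new secrets, $(unrotated_keys "$docroot/wp-config.php") unrotated"
```

Rotating the salts is the only reliable way to log the attacker out: a stolen cookie stays valid after a password change until the key it was signed with changes. Keep the site in maintenance mode until the scan in Step 2 comes back clean, then remove .maintenance.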
Step 2: Scan your site for malware
Identify every infected file before removing anything. Blind deletion can break your site.
Screenshot: a Wordfence scan flagging two infected files, a plugin file and a PHP backdoor hidden in wp-content/uploads.
Recommended security scanning tools
● Wordfence Security
● Sucuri SiteCheck
● MalCare Scanner
● Hosting malware scanner
What to look for during a scan
⚠ PHP files in places that should hold only static content, especially wp-content/uploads
⚠ Obfuscated code: long random-looking strings, typically wrapped in eval(), base64_decode(), gzinflate() or str_rot13()
⚠ Unknown code injected into theme files (functions.php, header.php, footer.php), often appended after the legitimate code
⚠ Modified or extra files in wp-admin and wp-includes: compare against the official checksums (WP-CLI's wp core verify-checksums does this for you)
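The four checks above as a small offline triage scan. This is an added example, not code from the original guide or from any scanner vendor: it assumes a POSIX shell with find, grep -E, comm and md5sum (or BSD md5), and a checksum manifest in "md5  relative/path" form, which is what the WordPress core checksum API serves per version and locale; here the manifest and the docroot are constructed locally so the script runs without network access. The same checks are what catch the hidden backdoors discussed later in the page, since those are usually PHP in uploads or unlisted files under wp-includes.

```shell
#!/bin/sh
# Added example, not code from the original guide. Minimal offline triage scan:
# PHP where only uploads belong, obfuscation signatures, and core files that are
# modified or should not exist. The docroot and manifest are constructed.
set -eu

file_md5() {
    if command -v md5sum >/dev/null 2>&1; then md5sum "$1" | cut -d' ' -f1
    else md5 -q "$1"; fi
}

# 1. Executable files under wp-content/uploads. Legitimate uploads are media,
#    so any hit is a dropped web shell until proven otherwise.
php_in_uploads() {
    (cd "$1" && find wp-content/uploads -type f \
        \( -name '*.php' -o -name '*.phtml' -o -name '*.phar' -o -name '*.php?' \))
}

# 2. Obfuscation signatures. These are triage signals, not verdicts: a few
#    legitimate plugins use base64_decode, so read each hit before deleting.
obfuscated_php() {
    (cd "$1" && find . -type f -name '*.php' -exec grep -lE \
        'eval\(|base64_decode\(|gzinflate\(|gzuncompress\(|str_rot13\(|[A-Za-z0-9+/=]{200,}' {} +) || true
}

# 3. Core files whose hash differs from the manifest (or that are gone).
verify_core() {
    docroot=$1; manifest=$2
    while read -r expected path; do
        [ -n "$path" ] || continue
        if [ ! -f "$docroot/$path" ]; then printf 'MISSING   %s\n' "$path"
        elif [ "$(file_md5 "$docroot/$path")" != "$expected" ]; then printf 'MODIFIED  %s\n' "$path"
        fi
    done < "$manifest"
}

# 4. Files inside wp-admin/ and wp-includes/ that the manifest does not list.
#    Backdoors are often parked here under core-looking names.
unlisted_core_files() {
    docroot=$1; manifest=$2
    (cd "$docroot" && find wp-admin wp-includes -type f) | sort > "$manifest.present"
    awk '{ print $2 }' "$manifest" | sort > "$manifest.listed"
    comm -23 "$manifest.present" "$manifest.listed"
}

# Constructed sample docroot: three clean core files recorded in the manifest,
# then the kinds of tampering a real incident leaves behind.
make_sample_docroot() {
    d=$(mktemp -d)
    mkdir -p "$d/wp-admin" "$d/wp-includes" "$d/wp-content/uploads/2024/05" \
             "$d/wp-content/themes/demo" "$d/wp-content/plugins/demo"
    printf '<?php\n$wp_version = "6.5";\n'      > "$d/wp-includes/version.php"
    printf '<?php\nclass WP_Http {}\n'          > "$d/wp-includes/class-wp-http.php"
    printf '<?php\nrequire_once "admin.php";\n' > "$d/wp-admin/index.php"
    (cd "$d" && for f in wp-includes/version.php wp-includes/class-wp-http.php wp-admin/index.php; do
        printf '%s  %s\n' "$(file_md5 "$f")" "$f"; done) > "$d/checksums.md5"
    printf 'eval(str_rot13("..."));\n'         >> "$d/wp-includes/class-wp-http.php"  # core file modified
    printf '<?php @eval($_POST["c"]);\n'        > "$d/wp-includes/wp-tmp.php"           # should not exist
    printf '<?php eval(base64_decode("ZWNobyAxOw=="));\n' > "$d/wp-content/uploads/2024/05/image.php"
    printf '<?php add_action("init", "demo_init");\n'     > "$d/wp-content/themes/demo/functions.php"
    printf 'eval(gzinflate(base64_decode("...")));\n'    >> "$d/wp-content/themes/demo/functions.php"
    printf '<?php /* Plugin Name: Demo */\n'    > "$d/wp-content/plugins/demo/demo.php"
    printf '%s\n' "$d"
}

# Usage on the constructed docroot; for a real site pass the docroot and a
# manifest fetched for the exact installed version and locale.
docroot=$(make_sample_docroot)
echo "== PHP in uploads";      php_in_uploads "$docroot"
echo "== obfuscation hits";    obfuscated_php "$docroot"
echo "== core integrity";      verify_core "$docroot" "$docroot/checksums.md5"
echo "== unlisted core files"; unlisted_core_files "$docroot" "$docroot/checksums.md5"
```

Log the full output before deleting anything: the file list is the evidence you need to find the entry point in Step 4, and the modification times of the hits usually bracket when the break-in happened.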
Where WordPress vulnerabilities actually come from
Understanding the source of most attacks helps you prioritise your security investments correctly.
Outdated plugins: 52%
Weak passwords: 29%
Themes: 11%
WordPress core: 8%
Sources: Wordfence and Sucuri annual security reports.
Step 3: Clean the infection – two approaches
You have two paths. Choose based on whether you have a clean backup: Option A is to restore a backup taken before the compromise; Option B is to manually remove the infected files and any users you do not recognise.
Option A is always faster, but it is only safe if you can confirm the backup predates the hack, and it still needs the malware scan afterwards to prove the restored copy is clean.
Important
If your backup is already infected, restoring it will reinfect your site. Always verify backup integrity and creation date before restoring.
Pro Tip
Where hackers hide malware: always check functions.php, header.php, wp-content/uploads (which should contain no PHP at all) and random plugin sub-folders. These are the most common locations for injected backdoor code.
Step 4: Lock down your site – prevent reinfection
Cleaning is only half the job. If the original vulnerability is still open, attackers will return within hours.
These five controls eliminate the vast majority of WordPress attack vectors.
Data Insight
Around 60% of hacked WordPress sites were running outdated software at the time of the breach. Enabling automatic updates for core, plugins and themes closes the single largest category of entry point; it does not replace the other controls, but nothing else removes as much risk for as little effort.
Typical WordPress hack recovery timeline
Hour 0, Discovery: confirm the hack, change all passwords
Hour 1, Scan: run a malware scan, log all results
Hour 3, Cleanup: restore a backup or clean files manually
Most sites are fully operational within 6 hours when a clean backup is available.
Step 5: Repair your Google and SEO standing
A hacked site can be blacklisted by Google, destroying your search rankings. Act quickly to minimise the damage.
Rankings typically recover within 1-3 weeks after Google clears the security review – the faster you submit, the less damage.
✓ Open Google Search Console and check the Security Issues report
✓ Submit a security review request once your site is clean
✓ Check for manual actions in the Manual Actions panel
✓ Request reconsideration if your site was manually penalised
✓ Monitor organic traffic closely for 4-6 weeks after cleanup
SEO Risk
If Google’s blacklist warning is left unresolved, it can wipe out months or years of search ranking gains virtually overnight. Prioritise the review request immediately after cleanup.
Why most WordPress hacks are not personal
“The vast majority of WordPress hacks are automated attacks scanning thousands of sites for known vulnerabilities – not manual targeting of individual websites.”
This matters because it changes your defence strategy. You do not need to be impenetrable – you just need to be better secured than the average WordPress site. Most bots move on quickly when they hit resistance.
The Hidden Backdoor Problem
Even after a thorough cleanup, some sites get reinfected within days. This is almost always because of hidden backdoor scripts buried deep inside plugin folders or obfuscated within core files. A professional security audit focuses specifically on this layer, which most automated cleanups miss entirely.
Pro-level WordPress hardening (advanced)
Once your site is clean, these advanced measures will substantially reduce the chance of a repeat attack.
✓ Disable file editing in WordPress: add define('DISALLOW_FILE_EDIT', true); to wp-config.php, above the "That's all, stop editing!" line, so a stolen admin session cannot write PHP through the built-in theme and plugin editor
✓ Change the default login URL away from /wp-admin using a security plugin; this cuts bot noise but is obscurity, not authentication, so pair it with 2FA and login rate limiting
✓ Implement a Web Application Firewall (WAF); the Cloudflare free plan works well for most sites
✓ Block XML-RPC if you do not use the WordPress mobile app or Jetpack: its system.multicall method lets a single request carry hundreds of login guesses
✓ Set correct file permissions: directories 755, files 644, wp-config.php 440 (440 assumes PHP runs as the file owner; on shared hosts with a separate web-server user, 640 with the right group is the working equivalent)
✓ Never install nulled (pirated) themes or plugins; they are the single fastest path to compromise
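The wp-config.php and filesystem items from the list above, together with the auto-update advice from Step 4, as one idempotent hardening script. This is an added example, not code from the original guide: it assumes Apache 2.4 (so .htaccess with Require all denied is honoured), a POSIX shell, and that PHP runs as the owner of the files; on nginx the .htaccess rules are ignored and equivalent location blocks belong in the server configuration. The docroot it hardens is constructed in a temporary directory so it runs offline.

```shell
#!/bin/sh
# Added example, not code from the original guide. Applies DISALLOW_FILE_EDIT,
# core auto-updates, Apache deny rules for uploads and xmlrpc.php, and the
# 755/644/440 permission scheme, then verifies the result. Docroot is constructed.
set -eu

# Set a define() in wp-config.php: replace it if present, otherwise insert it
# above the "That's all, stop editing!" marker so it is read before wp-settings.php.
ensure_define() {
    cfg=$1; name=$2; value=$3
    line="define( '$name', $value );"
    if grep -qE "^define\( *'$name'" "$cfg"; then
        sed "s|^define( *'$name'.*|$line|" "$cfg" > "$cfg.tmp"
    else
        awk -v l="$line" '/stop editing/ && !ins { print l; ins = 1 } { print }
                          END { if (!ins) print l }' "$cfg" > "$cfg.tmp"
    fi
    mv "$cfg.tmp" "$cfg"
}

# Apache 2.4 rules: no PHP may execute from uploads, and xmlrpc.php is unreachable.
write_htaccess_rules() {
    cat > "$1/wp-content/uploads/.htaccess" <<'EOF'
<FilesMatch "\.(php|phtml|phar|php[0-9])$">
    Require all denied
</FilesMatch>
EOF
    cat >> "$1/.htaccess" <<'EOF'
<Files "xmlrpc.php">
    Require all denied
</Files>
EOF
}

# Directories 755, files 644, wp-config.php 440. 440 only works when PHP runs as
# the file owner (or its group); on shared hosts with a separate web user use 640.
set_permissions() {
    find "$1" -type d -exec chmod 755 {} +
    find "$1" -type f -exec chmod 644 {} +
    chmod 440 "$1/wp-config.php"
}

# Number of paths that deviate from the target modes; 0 means compliant.
perm_violations() {
    {
        find "$1" -type d ! -perm 755
        find "$1" -type f ! -name wp-config.php ! -perm 644
        find "$1" -name wp-config.php ! -perm 440
    } | wc -l | tr -d ' '
}

harden() {
    ensure_define "$1/wp-config.php" DISALLOW_FILE_EDIT true    # no theme/plugin editor in wp-admin
    ensure_define "$1/wp-config.php" WP_AUTO_UPDATE_CORE true   # all core updates, not just minor ones
    # Plugins and themes: `wp plugin auto-updates enable --all` and
    # `wp theme auto-updates enable --all` with WP-CLI, or toggle them in the dashboard.
    write_htaccess_rules "$1"
    set_permissions "$1"   # last: wp-config.php is read-only after this
}

# Constructed sample docroot in the sloppy state many compromised hosts are in.
make_sample_docroot() {
    d=$(mktemp -d)
    mkdir -p "$d/wp-content/uploads/2024" "$d/wp-includes"
    printf '<?php\n' > "$d/index.php"
    printf '<?php\n$wp_version = "6.5";\n' > "$d/wp-includes/version.php"
    printf 'jpeg' > "$d/wp-content/uploads/2024/photo.jpg"
    chmod 777 "$d/wp-content/uploads/2024/photo.jpg"
    cat > "$d/wp-config.php" <<'EOF'
<?php
define( 'DB_NAME', 'wp' );
define( 'DISALLOW_FILE_EDIT', false );
/* That's all, stop editing! Happy publishing. */
require_once ABSPATH . 'wp-settings.php';
EOF
    printf '%s\n' "$d"
}

docroot=$(make_sample_docroot)
harden "$docroot"
echo "permission violations: $(perm_violations "$docroot")"
grep -nE 'DISALLOW_FILE_EDIT|WP_AUTO_UPDATE_CORE' "$docroot/wp-config.php"
```

Run it once after cleanup and again after any plugin that rewrites wp-config.php or .htaccess, and keep perm_violations in your monitoring: a file that drifts back to 777 in uploads is an early sign that something is writing there again.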
Frequently asked questions
How long does it take to recover a hacked WordPress site?
With a clean backup available, most sites can be fully restored within 1-3 hours. Manual cleanup without a backup typically takes 3-8 hours depending on the extent of the infection.
Will my Google rankings recover after a hack?
Yes, rankings typically recover after you submit a security review through Google Search Console and receive clearance. The process usually takes 1-3 weeks. The sooner you act, the less lasting SEO damage.
Can I prevent 100% of WordPress hacks?
No security system is perfect, but you can eliminate the vast majority of risk by keeping software updated, using strong passwords with 2FA, installing a reputable security plugin, and avoiding nulled themes or plugins.
Should I tell my visitors that my site was hacked?
If user data was exposed, disclosure is not only ethical but may be legally required depending on your jurisdiction (GDPR, CCPA). Consult a privacy professional if you believe visitor data was compromised.
How much does professional WordPress malware removal cost?
Professional cleanup services typically range from $100 to $500 per incident. Ongoing security monitoring plans generally cost $10 to $30 per month. The cost of a hack – in lost traffic, revenue, and reputation – almost always far exceeds prevention costs.
Final checklist – save this
✓ Change all passwords immediately and revoke all API keys
✓ Scan with Wordfence or Sucuri before removing anything
✓ Restore from a verified clean backup wherever possible
✓ Install a security plugin and firewall after cleanup
✓ Update WordPress core, all plugins, and all themes
✓ Enable two-factor authentication on all admin accounts
✓ Submit Google Search Console security review within 24 hours
✓ Biggest mistake: fixing the hack but not the underlying vulnerability
Getting hacked feels scary – but it is fixable. What actually matters is what you do after the hack.
Secure it once, secure it properly – and you will likely never deal with this again.