1. First identify the attack
Possible signs that a site has been hacked
- Suspicious redirects: Users or administrators end up on unknown or spammy websites.
- Strange files: You may find files in folders that you did not create (e.g. PHP files with unknown names).
- Content changes: Strange posts, pages, or links have appeared on the website.
- Notifications from security software: For example, Wordfence or Google Safe Browsing indicates that a site is potentially dangerous.
If you notice any of these symptoms, there is reason to believe that your site may have been compromised. Start the cleanup process immediately.
2. Put the site into maintenance mode
Before cleaning, it is wise to restrict public access:
- Activate maintenance mode: Use, for example, the Maintenance plugin or a .htaccess file to temporarily lock down the site.
- Notify users: If your site contains user accounts (e.g., an online store), let them know that the site is temporarily under maintenance and advise them to change their passwords if necessary.
This way, you avoid exposing visitors to potential malware while preventing attackers from further manipulation.
3. Make a backup
Even if the site is infected, it is extremely important to make a backup:
- Use either your hosting control panel or a backup plugin (such as UpdraftPlus) to save your files and database.
- Store the backup in an external location (Dropbox, Google Drive, etc.).
A backup may be needed later if something goes wrong during the cleaning process or you want to analyze the infected files in depth.
4. Scan the site with Wordfence
Wordfence is a popular WordPress security plugin that provides:
- Malware scanning: Checks core files, themes, and plugins for malicious code or backdoors.
- Firewall (WAF) and real-time traffic monitoring: Blocks suspicious requests and displays information about active visitors.
How to use Wordfence:
- Install and activate Wordfence from your WordPress admin panel.
- Run a full scan: The plugin checks a large number of files and database entries, identifying anomalies.
- View results: Wordfence shows a list of infected or suspicious files and related activities.
- Repair or delete malicious code: Wordfence often offers the option to automatically clean infected files. If necessary, you can manually delete or replace the files.
Tip: If Wordfence can’t solve all your problems, you might want to try other security platforms, such as Sucuri or MalCare.
5. Delete unused themes and plugins
Attackers often exploit older or vulnerable plugins/themes, which is why:
- Remove all unused themes and plugins.
- Update the rest so they do not carry known security flaws.
- Check for security vulnerabilities using the WPScan Vulnerability Database.
This way you reduce the number of potential attack channels.
6. Reset all passwords
The attack may also involve the theft of user login credentials:
- Administrator passwords: Choose long and complex passwords (uppercase and lowercase letters, numbers, special symbols).
- User accounts: Require all registered users to update their passwords.
- Hosting, cPanel, and database passwords: Set new, secure passwords for these as well.
7. Check .htaccess and core files
Malware can nest in critical files like .htaccess, wp-config.php, or wp-settings.php.
- Compare these files to the official WordPress core or a previous clean backup.
- Look for strange code: for example, suspicious redirects, base64 encoding, or “eval()” functions.
- If necessary, replace the files with the versions from the official WordPress download when you are not sure the code is clean.
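The script below is an added example, not part of the original guide or of Wordfence. It flags lines that contain the constructs listed in this step (eval(), base64 decoding, external redirects in .htaccess) so they can be reviewed by hand. The sample files and the host spam.example are constructed for the demonstration, and the regular expressions are assumptions about what is worth a look, not a complete malware signature set.

```python
import re
import tempfile
from pathlib import Path

# Heuristics for the constructs named in this step; a hit means "review this line", not "malware".
PHP_PATTERNS = {
    "eval() call": re.compile(r"\beval\s*\("),
    "base64_decode() call": re.compile(r"\bbase64_decode\s*\("),
    "long base64-like string": re.compile(r"[A-Za-z0-9+/]{120,}={0,2}"),
}
HTACCESS_PATTERNS = {
    "redirect to external URL": re.compile(
        r"^\s*(RewriteRule|Redirect(Match)?)\b.*https?://", re.IGNORECASE),
}

def scan_file(path):
    """Return (path, line_no, label) for each suspicious line in one file."""
    if path.name == ".htaccess":
        patterns = HTACCESS_PATTERNS
    elif path.suffix.lower() == ".php":
        patterns = PHP_PATTERNS
    else:
        return []
    hits = []
    text = path.read_text(encoding="utf-8", errors="replace")
    for line_no, line in enumerate(text.splitlines(), start=1):
        for label, rx in patterns.items():
            if rx.search(line):
                hits.append((str(path), line_no, label))
    return hits

def scan_tree(root):
    """Walk a WordPress directory and collect findings from every .php and .htaccess file."""
    files = sorted(p for p in Path(root).rglob("*") if p.is_file())
    return [hit for p in files for hit in scan_file(p)]

def demo():
    """Scan a constructed sample tree; the file contents are made up for this example."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "wp-config.php").write_text("<?php\ndefine('DB_NAME', 'wp');\n")
        (root / "wp-settings.php").write_text("<?php\neval(base64_decode('ZWNobyAxOw=='));\n")
        (root / ".htaccess").write_text(
            "RewriteEngine On\nRewriteRule ^(.*)$ http://spam.example/ [R=302,L]\n")
        return [(Path(p).name, n, label) for p, n, label in scan_tree(root)]

if __name__ == "__main__":
    print(*demo(), sep="\n")
```

Run scan_tree() against a copy of the backup from step 3 rather than the live server; legitimate plugins also use these functions, so every hit needs a manual look.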
8. Reinstall WordPress core
If the site is severely infected or you are not sure how many files have been corrupted, you can do the following:
- Delete the wp-admin and wp-includes directories (after creating a backup).
- Download the latest version of WordPress and upload it to the server.
- Check that wp-config.php is clean and the database connection is set up correctly.
The content is preserved because it is in the database, but any possible malicious code in the core files is removed.
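To see how many core files were changed before replacing them, the live wp-admin and wp-includes directories can be compared with an unpacked clean download. The script below is an added example, not part of the original guide or of any plugin. It assumes the clean copy is the same WordPress version as the live site, and the file names and contents in demo() are constructed.

```python
import hashlib
import tempfile
from pathlib import Path

CORE_DIRS = ("wp-admin", "wp-includes")  # directories replaced wholesale on reinstall

def sha256_of(path):
    """Hash one file's contents."""
    return hashlib.sha256(Path(path).read_bytes()).hexdigest()

def index_tree(root):
    """Map relative path -> SHA-256 for every file under the core directories."""
    root = Path(root)
    index = {}
    for d in CORE_DIRS:
        for path in (root / d).rglob("*"):
            if path.is_file():
                index[path.relative_to(root).as_posix()] = sha256_of(path)
    return index

def compare_core(live_root, clean_root):
    """Classify live core files as modified, unexpected (not in clean copy) or missing."""
    live, clean = index_tree(live_root), index_tree(clean_root)
    return {
        "modified": sorted(p for p in live if p in clean and live[p] != clean[p]),
        "unexpected": sorted(p for p in live if p not in clean),
        "missing": sorted(p for p in clean if p not in live),
    }

def demo():
    """Compare two constructed trees; names and contents are made up for this example."""
    with tempfile.TemporaryDirectory() as tmp:
        clean, live = Path(tmp, "clean"), Path(tmp, "live")
        for root in (clean, live):
            for d in CORE_DIRS:
                (root / d).mkdir(parents=True)
            (root / "wp-admin/index.php").write_text("<?php // admin\n")
            (root / "wp-includes/version.php").write_text("<?php $wp_version = 'x';\n")
        (live / "wp-includes/version.php").write_text("<?php /* altered */\n")
        (live / "wp-includes/x7f.php").write_text("<?php // not in clean copy\n")
        return compare_core(live, clean)

if __name__ == "__main__":
    print(demo())
```

Files reported as "unexpected" are the "strange files" from step 1; a long "modified" list usually means the clean copy is a different WordPress version than the live site.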
9. Security measures for the future
After cleaning the site, it is important to prevent similar attacks in the future:
- Two-Factor Authentication (2FA): Wordfence and many other plugins support the use of 2FA for admin logins.
- Web Application Firewall: Wordfence Premium or services like Sucuri filter dangerous traffic before it reaches your site.
- Regular updates: Always update WordPress core, plugins, and themes as soon as updates are available.
- Limit login attempts: Configure a plugin that prevents repeated failed logins (to prevent brute force attacks).
- Disable file editing from the admin interface: Add this line to your wp-config.php file: define('DISALLOW_FILE_EDIT', true); This way, an attacker cannot edit files through the WordPress admin interface.
- Regular security scans: Set up regular malware scans in Wordfence or other tools.
Summary
Cleaning up a hacked WordPress site can seem daunting, but a consistent and well-planned action plan will help you act quickly and successfully. Wordfence and similar security plugins can detect and remove malware, while preventative measures – such as updates, using a strong firewall, and two-factor authentication – can significantly reduce the likelihood of another attack. A strong security strategy will keep your website safe and up and running, and give visitors the confidence that it’s safe to browse your site.