how to fix a hacked WordPress website

Discover how to fix a hacked WordPress website.


Having your website hacked can be a nightmare because it can damage your reputation and impact your business. However, with the right strategies and prompt actions, you can solve this issue as quickly as possible and have your website running in its former state. Today’s post will teach you how to fix a hacked WordPress website.

In addition to all of that, you will discover some strategies to protect your WordPress website from future hacks.

If you are ready to learn, let’s get started.

Here is how to fix a hacked WordPress website.


1) Identify the signs of the hacked website.

The first step in fixing a hacked WordPress is to identify the signs of a breach. These may include:

  • Sudden drops in website traffic or search engine rankings
  • Unusual or unauthorized changes, such as the addition of new pages, links, or spammy content,
  • Warnings from web browsers or search engines about malicious activity on your site.
  • Unexpected redirects to unrelated or malicious websites.
  • Suspicious files or code injections in your website’s directories.

2) Take immediate action.

Right after you’ve identified the signs of a hack, it’s extremely crucial to take immediate action to mitigate the damage and prevent further harm.

Here are some of the main actions you can take:

Change all passwords associated with your WordPress website to deny hackers access to your web space.

You should change the following passwords: admin password, FTP password, and database password.
Disable any plugins or themes that you suspect may have been compromised.

Take your website offline temporarily to prevent visitors from accessing potentially harmful content.

Contact your web hosting provider to inform them of the hack and seek their assistance to help you restore your website.

A lot of hosting providers will be able to help you in these situations.

Most of them have experienced staff who deal with these kinds of things daily.

Recommended reading: The secrets for building WordPress websites in just a few clicks

3) Restore from Backup

My biggest advice for all of you who are going to read this blog is to always back up your website. Don’t wait for something wrong to happen before you think about backing up your website.

You can use a hosting provider like Hostinger because they offer daily backup. In this case, regardless of what happens to your website, you will be able to remain calm and restore your previous files.

Watch this video on how to restore WordPress from backup.


Let’s say you have a blog with daily content. If you don’t have a hosting provider like Hostinger to help you with daily backup, you risk losing some content on your website.

If you don’t have any backups, you will have to manually remove the malware, which might take a lot of work to do.

4) Remove malware.

After identifying the source of the hack and assessing the damage, you will need to clean up your website and also remove any malicious code or files by going through the list of infected files in File Manager.

Here are some steps you can follow to remove the malware:

Manually remove any suspicious files or code injections from your website’s directories.

Restoring your website from a clean backup, if available, is important. Be sure to choose a backup from before the hack occurred to ensure that you’re not restoring compromised files.

You can try to use security plugins or services to automatically detect and remove malware from your website. Sometimes, in 90% of the cases, the infected files belong to one of these three categories.

Core files

The core files are located in the root directory of your WordPress website and also in the wp-admin and wp-includes folders. In case these files are infected, the best thing you can do is to overwrite them with a fresh WordPress download.

If it is the plugin that has been infected, you can safely delete the whole folder that contains your plugin. Later on, you can just reinstall the plugin from your dashboard.


In case the hacker gains access through the theme, the malware will be there, so be careful with the plugins and themes you will download for your website.

For example, if the files that have been infected are part of a theme you are not using, you can safely delete the theme to get rid of the malware.

On the other hand, if the infected files are part of the theme that you are currently using, you will need to change the theme in the database to take care of that. Otherwise, your site will stop working. Later on, you will be able to safely remove the folder.

Recommended reading: 10 reasons why SEO audit is important

5) Remove users.

Make sure to remove any admin accounts you don’t recognize from your WordPress site as soon as possible.

If you have other authorized administrators who are allowed to make changes, talk to them to see if they have added new users or new admin accounts. If they haven’t done that, process the removal of these new accounts.


6) Remove unwanted files.

You can install a plugin like Wordfence to find out if any files in your WordPress installation shouldn’t be there. This plugin is great for scanning your website and telling you if any files shouldn’t be there.


Discover how to fix a hacked WordPress website

7) Clean out your sitemap and try to resubmit it to search engines.

Search engines may flag your sitemap.xml file if they have hacked it.  After cleaning out your sitemap, you can regenerate it again by using an SEO plugin like Yoast SEO and sending your site to the Google search console, which will tell Google you need your site to be crawled.

8) Reinstall WordPress Core

Let’s say you have tried everything mentioned above and from other sources, and you still can’t solve the problems.

The best thing you can do in this situation is to try to reinstall WordPress itself again because the files in the previous WordPress core have been compromised, so now you will need to replace them with a new and clean WordPress installation.

Keep in mind that if you use an auto-installer to install WordPress, don’t use that again, as it will overwrite your database and you’ll lose your previous content. Instead, use SFTP to upload the files only.

9) Implement security measures.

After cleaning up your website, it’s essential to implement security measures to prevent future hacks. This may include:
Keep your WordPress installation, themes, and plugins up-to-date to patch any known security vulnerabilities.

Installing a reputable security plugin to monitor your website for suspicious activity and block malicious attacks.

Enabling two-factor authentication (2FA) for your WordPress login will add an extra layer of security.

Regularly back up your website’s files and database to ensure that you have a clean copy to restore in case of future hacks.

10) Secure the site to prevent future hacks.

Super, you have access again to your WP admin. Now, it’s extremely important to make sure your site is secure.

So, it’s crucial to monitor your website regularly for any signs of suspicious activity and take proactive measures to maintain security.

This may involve:
Setting up security alerts to notify you of any unusual activity on your website, such as failed login attempts or file changes,

Conducting regular security audits of your website to identify and address any potential vulnerabilities.

Educating yourself and your team about best practices for website security and staying informed about the latest threats and security trends.

Watch this video about how to fix a hacked WordPress website


How to Prevent Your WordPress Site from Being Hacked?


Maintaining the security and integrity of your WordPress site on the internet requires preventing hacking.

Here are some essential steps you can take to minimize the risk of a hack:

1) Keep WordPress Core, Themes, and Plugins Updated:

You have to regularly update your WordPress core installation, themes, and plugins to ensure that you have the latest security patches and bug fixes. Outdated software is always one of the most common ways hackers exploit vulnerabilities to gain access to websites.

Make sure you don’t install Insure plugins or themes. For instance, in the future, if you will need to install WordPress plugins, make sure they’ve been tested with your version of WordPress and you’re downloading them from a reputable source.

If you have to buy a premium theme or plugin, please check their reputation and also ask for recommendations. You can read reviews about what previous users are saying before you make your final decision.

2) Use a strong password:

Make sure you use strong, unique passwords for your WordPress admin account, FTP/SFTP, and database.
Avoid using common passwords or easily guessable combinations. Consider a password manager to generate and store complex passwords securely.

3) Limit Login Attempts:

Implement a limit on the number of login attempts allowed within a certain timeframe. This helps prevent brute-force attacks, where hackers attempt to guess your login credentials by repeatedly trying different combinations of usernames and passwords.

4. Enable two-factor authentication (2FA).

You can try to enable two-factor authentication for your WordPress login to add an extra layer of security. When you have 2FA enabled, users must provide a second form of verification, such as a code sent to their mobile device, in addition to their password, to log in to the website.

5. Use secure hosting:

Choose a reputable web hosting provider that prioritizes security and offers features such as regular backups, firewalls, and malware scanning.

6. Install a security plugin:

You can install a plugin like Wordfence to help you manage the security of your website.

Installing a security plugin can help you protect your website from common security threats. These plugins can help you look for features such as malware scanning, firewall protection, and security alerts.

Another great thing about having a security plugin on your site is that it will notify you of any suspicious activity, such as unauthorized logins or the implementation of files that shouldn’t be there.

7) Install the SSL certificate on your site.

SSL will help you add security to your site, and most hosting providers offer free SSL certificates.

When you have an SSL certificate installed on your website, it will secure the data transmission between the user’s browser and your web server.

If you are handling sensitive information, such as login credentials or payment details, having HTTPS enabled is mandatory.

8) Keep your site updated.

It is extremely important to always keep your website up-to-date. When your WordPress version or your themes and plugins are updated, you should also make sure you update them to improve the security of your website.

While updating your WordPress website, always try to back up things like files and databases. In case of a hack or data loss, you will be able to restore your website to a previous, clean state quickly and save time.

How do I make a backup of a WordPress website?


First and foremost, what is a backup?

A backup is a separate copy of your website’s files and database from your live website. It serves as a safeguard against data loss or website downtime in case of unexpected events such as hacking, server crashes, or accidental deletions.

Regularly backing up your website ensures you have a recent and complete copy of its content and settings, which you can quickly restore to restore functionality and minimize disruption in the event of a problem.

To back up your WordPress website, you can install a plugin like All-in-One WP Migration to help you manually back up your website.
or you can watch this video if you want to use another plugin for that.

You can also back up your website directly through your hosting dashboard; most of them offer this functionality.
For example, you can use Hostinger if you don’t have a hosting provider yet because it offers daily backup automatically.
If you want to know how to back up your website with Hostinger, you can watch this video.

In conclusion:

Fixing a hacked WordPress website can be a little bit challenging, but if you implement the knowledge we have shared with you and the resources available online, it’s possible to recover your website and strengthen its security.

By following these tips, you will know how to fix a hacked WordPress website and protect it from future hacks. Applying these tips will help you secure your online presence for your visitors and build a strong, reputable website.

If you find this article useful, leave a comment below.

6 thoughts on “Discover how to fix a hacked WordPress website”

  1. I truly appreciated the work you’ve put forth here. The sketch is tasteful, your authored material stylish, yet you appear to have developed some nervousness regarding what you intend to deliver next. Rest assured, I’ll return more regularly, much like I’ve done almost constantly, should you maintain this upward trajectory.

  2. What a fantastic resource! The articles are meticulously crafted, offering a perfect balance of depth and accessibility. I always walk away having gained new understanding. My sincere appreciation to the team behind this outstanding website.

  3. This website is an absolute gem! The content is incredibly well-researched, engaging, and valuable. I particularly enjoyed the [specific section] which provided unique insights I haven’t found elsewhere. Keep up the amazing work!

Leave a Comment

Your email address will not be published. Required fields are marked *

Scroll to Top
Seraphinite AcceleratorOptimized by Seraphinite Accelerator
Turns on site high speed to be attractive for people and search engines.