Introduction

A hacked WordPress site is not fixed the moment the homepage looks normal again. A real recovery means containing the incident, removing persistence, restoring trusted files, rotating secrets, and verifying the attacker no longer has access.

Symptoms

  • Unknown admin users, plugins, or scheduled tasks appear in WordPress
  • The site redirects visitors to spam, malware, or fake login pages
  • Core files, theme files, or uploads contain unfamiliar PHP code
  • Search engines or browsers warn that the site may be compromised
  • Hosting logs show strange login, file-write, or outbound request patterns

Common Causes

  • Vulnerable plugins or themes were exploited
  • Weak, reused, or leaked administrator credentials allowed access
  • Insecure hosting permissions let attackers write executable files
  • Backdoors were left in wp-content, uploads, or must-use plugins after a prior incident
  • Outdated WordPress core or server software exposed known weaknesses

Step-by-Step Fix

  1. Put the site in maintenance mode or restrict access if needed so you can investigate without active attacker interference.
  2. Preserve logs, affected files, and timestamps before cleanup so you do not lose the evidence needed to understand the breach path.
  3. Rotate all WordPress admin passwords, hosting credentials, database passwords, API keys, and any other secrets connected to the site.
  4. Remove unknown admin accounts, suspicious scheduled tasks, rogue plugins, and unauthorized file changes after comparing against trusted sources.
  5. Replace WordPress core, themes, and plugins with clean copies from known-good upstream packages rather than editing compromised files in place.
  6. Scan wp-content/uploads, theme directories, and custom plugin paths for executable backdoors or injected code that should not exist there.
  7. Update WordPress, plugins, themes, and the hosting stack to close the vulnerability that allowed the compromise.
  8. Verify the cleaned site no longer serves malicious redirects, spam pages, or suspicious outbound requests, and request search engine review if warnings were triggered.
  9. After recovery, enable stronger admin security, backups, update discipline, and file integrity monitoring to reduce the chance of repeat compromise.