# Fix WordPress Hacked Recovery

Your WordPress site has been hacked. There's malware, redirects to spam sites, strange admin users, or Google flags it as dangerous. A hack is stressful, but systematic recovery is possible. The key is thorough cleaning—not just fixing visible symptoms but removing all traces of the infection.

## Signs Your Site Is Hacked

- Google Safe Browsing warning in Chrome
- Unexpected redirects to other sites
- Unknown admin users in your dashboard
- Spam links injected into content
- Strange PHP files in directories
- Defaced homepage or strange content
- Emails you didn't send from your domain
- Server CPU spike from malicious processes
- Database tables you don't recognize

## Immediate Response: Stop the Attack

### 1. Put Site in Maintenance Mode

```bash
# Enable maintenance mode via WP-CLI
wp maintenance-mode activate

# Or create the .maintenance file by hand in the WordPress root.
# WordPress honours it only while the timestamp is less than 10 minutes old,
# so refresh it (or use the WP-CLI command) during a longer cleanup.
echo '<?php $upgrading = time(); ?>' > .maintenance
```

### 2. Disable All Plugins

```bash
# Deactivate all plugins
wp plugin deactivate --all
```

### 3. Change All Passwords

```bash
# Change the admin password
wp user update admin --user_pass='new-strong-password-here'

# Rotate every user's password to a random value; users get back in through
# the "lost password" flow, so tell them beforehand
wp user list --field=user_login | while read -r user; do
  wp user update "$user" --user_pass="$(openssl rand -base64 32)"
done

# Change the database password too (via the hosting panel), then update
# DB_PASSWORD in wp-config.php to match
```

### 4. Regenerate Security Keys

```bash
# Generate new salts
curl -s https://api.wordpress.org/secret-key/1.1/salt/

# Paste the output into wp-config.php in place of the old define() statements
# (AUTH_KEY through NONCE_SALT). This invalidates every existing login cookie,
# including any the attacker is holding.
```

## Find the Malware

### Scan Core Files

```bash
# Verify core files against the official checksums for the installed version
wp core verify-checksums

# If files are reported modified or extra, core is compromised: replace it
wp core download --force
```

### Find Modified Files

```bash
# Find files modified in the last 7 days (widen the window to when symptoms began)
find . -type f -mtime -7 -ls | grep -v "wp-content/cache"

# Find files with suspicious patterns (-E is required for the | alternation;
# without it grep searches for the literal string)
grep -rE "eval|base64_decode|gzinflate|str_rot13|shell_exec|passthru|system|exec" . --include="*.php" | grep -v "wp-includes"

# Find suspicious file extensions
find . -type f \( -name "*.suspected" -o -name "*.bak" -o -name "*.php.suspected" -o -name "*.php.txt" \)

# Find PHP files in uploads (WordPress never writes PHP there itself)
find wp-content/uploads -type f -name "*.php"
```

### Find Suspicious Database Entries

```bash
# Check for unknown admin users
wp user list --role=administrator --fields=ID,user_login,user_email,user_registered

# The queries below assume the default wp_ table prefix; substitute yours (see: wp db prefix)

# Check for suspicious usermeta
wp db query "SELECT * FROM wp_usermeta WHERE meta_value LIKE '%base64%' OR meta_value LIKE '%eval%'"

# Check for injected content
wp db query "SELECT * FROM wp_posts WHERE post_content LIKE '%script%' OR post_content LIKE '%iframe%'"

# Check for suspicious options
wp db query "SELECT * FROM wp_options WHERE option_value LIKE '%http://%' AND option_name NOT IN ('siteurl','home')"
```

### Find Backdoors

Backdoors let attackers regain access after cleanup, so the cleanup is not finished until every one of them is gone.

```bash
# Common backdoor patterns. -F searches for the literal string; -E enables
# regex alternation and escapes. Every hit needs manual review.
grep -rF "if(isset(\$_REQUEST['cmd']))" . --include="*.php"
grep -rF "assert(\$_POST['x'])" . --include="*.php"
grep -rF "FilesMan" . --include="*.php"
grep -rF "WSO_webshell" . --include="*.php"
grep -rE "c99|r57" . --include="*.php"
grep -rE "@preg_replace.*@e" . --include="*.php"
grep -rE '\$\{.*\}' . --include="*.php"
grep -rE '\$_GET\[.*\]\(\)' . --include="*.php"

# Hidden files (dotfiles) other than .htaccess
find . -name ".*" -type f ! -name ".htaccess"
```
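The file-level searches in the two sections above (suspicious PHP calls, and PHP under uploads) are easier to repeat after each cleanup pass as a script than as one-off greps. The script below is an added example, not code from the article: it bundles the patterns into one `grep -E` expression, skips the core directories that `wp core verify-checksums` already covers, and runs against a constructed sample site tree. The directory layout, the sample file contents and the pattern list are assumptions.

```bash
#!/usr/bin/env bash
# Added example, not from the original article. Scans a WordPress tree for the
# PHP calls the article greps for and lists PHP under uploads. Paths, sample
# files and the pattern list are assumptions.

# Calls that dropped loaders and webshells rely on. A few legitimate plugins use
# some of them too, so each hit is a lead to review, not a verdict.
SUSPECT_RE='(eval|base64_decode|gzinflate|gzuncompress|str_rot13|shell_exec|passthru|system|exec|proc_open|assert)[[:space:]]*\('

# scan_php_tree ROOT: print file:line:text for every hit outside WordPress core.
# grep -E is required; without it the | alternation is searched for literally.
# Core is skipped because wp core verify-checksums covers it more reliably.
scan_php_tree() {
  root=$1
  find "$root" -type f -name '*.php' \
       ! -path "$root/wp-includes/*" \
       ! -path "$root/wp-admin/*" \
       -exec grep -nHE "$SUSPECT_RE" {} + 2>/dev/null || true
}

# count_suspect_php ROOT: number of matching lines, usable as a pass/fail gate
# when re-checking after cleanup (the article expects zero outside core).
count_suspect_php() {
  scan_php_tree "$1" | wc -l | tr -d ' '
}

# php_in_uploads ROOT: WordPress never writes PHP into uploads itself, so any
# PHP file there (including double extensions such as .php.txt) is suspect.
php_in_uploads() {
  find "$1/wp-content/uploads" -type f \
       \( -name '*.php' -o -name '*.phtml' -o -name '*.php.*' \) 2>/dev/null || true
}

# make_sample_site DIR: constructed tree with a clean theme file, a core file
# that the scan must skip, and one planted loader under uploads.
make_sample_site() {
  site=$1
  mkdir -p "$site/wp-includes" "$site/wp-content/themes/demo" "$site/wp-content/uploads/2024/05"
  printf '<?php\nfunction wp_demo() { return base64_decode("eA=="); }\n' \
    > "$site/wp-includes/functions.php"
  printf '<?php\nadd_action("init", "demo_init");\n' \
    > "$site/wp-content/themes/demo/functions.php"
  # Constructed marker only: $blob is never defined, so the file does nothing if run.
  printf '<?php\neval(base64_decode($blob));\n' \
    > "$site/wp-content/uploads/2024/05/cache.php"
}

# Stand-alone demo on a throwaway directory.
demo_root=$(mktemp -d)
make_sample_site "$demo_root"
echo "suspicious lines outside core: $(count_suspect_php "$demo_root")"
scan_php_tree "$demo_root"
echo "php files under uploads:"
php_in_uploads "$demo_root"
rm -rf "$demo_root"
```

Run it against a real install with `scan_php_tree /var/www/html` and `php_in_uploads /var/www/html`; the count function is the one to wire into a post-cleanup check, since the article's verification step expects it to reach zero outside core.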

## Clean the Infection

### 1. Replace Core Files

```bash
# Download fresh WordPress core files over the existing ones
wp core download --force

# Or manually: download the same version from wordpress.org, extract it, and
# replace all files except wp-content and wp-config.php
```

### 2. Clean wp-content

```bash
# Remove PHP files from uploads (review the list first: find wp-content/uploads -name "*.php")
find wp-content/uploads -name "*.php" -type f -delete

# Check themes for modifications, then reinstall them from wordpress.org.
# Installing a default theme with --activate is a quick way to confirm the site
# renders cleanly; switch back to your own theme only after reinstalling it
wp theme list --fields=name,status
wp theme install twentytwentyfour --activate --force

# Reinstall all active plugins from the official directory
# (premium plugins are not on wordpress.org and must be reinstalled from the vendor)
wp plugin list --status=active --field=name | xargs -I {} wp plugin install {} --force

# Delete inactive plugins
wp plugin delete $(wp plugin list --status=inactive --field=name)
```

### 3. Clean Database

```bash
# Remove suspicious users, reassigning their posts to a trusted user's ID
wp user delete suspicious-user --reassign=<trusted-user-id>

# Remove injected content (wp_ is the default table prefix; substitute yours)
wp db query "UPDATE wp_posts SET post_content = REPLACE(post_content, '<script src=\"malware.js\">', '') WHERE post_content LIKE '%malware%'"

# Remove suspicious options
wp option delete suspicious-option-name

# Clear all transients (malware often hides data in them)
wp transient delete --all

# Clear object cache
wp cache flush
```

### 4. Remove Hidden Files

```bash
# Delete suspicious hidden files. Run each find with -print first and review
# the list: these patterns can also match legitimate files
find . -name ".*php" -type f -delete
find . -name "*.php.*" -type f -delete
find . -type f \( -name "1.php" -o -name "x.php" -o -name "a.php" \) -delete
```

### 5. Clean .htaccess

```bash
# Check .htaccess for malicious redirects (ignore comments and blank lines)
grep -v "^#" .htaccess | grep -v "^$"

# If compromised, regenerate the WordPress rewrite block. Only the section between
# the "# BEGIN WordPress" and "# END WordPress" markers is rewritten, so remove
# anything injected outside it by hand
wp rewrite flush --hard

# Check for multiple .htaccess files (one in uploads or a plugin directory that
# you did not create is suspect)
find . -name ".htaccess" -type f
```

## Use Malware Scanner

### WP-CLI Security Scan

```bash
# Install WP-CLI security package
wp package install wp-cli/security-command

# Run security scan
wp security scan
```

### External Scanners

```bash
# Install professional scanner plugin
wp plugin install wordfence --activate
wp wordfence scan

# Or use Sucuri
wp plugin install sucuri-scanner --activate
```

For server-level scanning:

```bash
# ClamAV scan (update signatures with freshclam first)
clamscan -r --infected /var/www/html

# Linux Malware Detect
maldet -a /var/www/html
```

## Verify Cleanup

### Check Core Integrity

```bash
wp core verify-checksums
# Should report: "Success: WordPress install verifies against checksums."
```

### Check for Remaining Malware

```bash
# Re-run the malware pattern search
grep -rE "eval|base64_decode|gzinflate" . --include="*.php" | grep -v "wp-includes" | grep -v "wp-admin"
# Should return nothing, or only core files already verified by checksum

# Check uploads again
find wp-content/uploads -name "*.php" -type f
# Should return empty
```

### Test Site Functionality

```bash
# Test homepage: should return 200 OK with no Location header
curl -I https://yourdomain.com

# Test admin login (wp login is not a core WP-CLI command; it needs a login package)
wp login url

# Check for redirects: -L follows the chain so every hop is shown.
# (curl -v writes headers to stderr, which a pipe into grep never sees)
curl -sIL https://yourdomain.com | grep -iE "^(HTTP|location)"
```

## Security Hardening After Recovery

### 1. Update Everything

```bash
# Update core
wp core update

# Update all plugins
wp plugin update --all

# Update all themes
wp theme update --all

# Update PHP to the latest version your host supports (done at the server level)
```

### 2. Limit File Editing

```php
// In wp-config.php
define('DISALLOW_FILE_EDIT', true);   // removes the theme/plugin code editors
define('DISALLOW_FILE_MODS', true);   // also blocks installs and updates from the dashboard
```

### 3. Force SSL Admin

```php
define('FORCE_SSL_ADMIN', true);
```

### 4. Set Correct File Permissions

```bash
# Reset permissions: directories 755, files 644, wp-config.php 600
find . -type d -exec chmod 755 {} \;
find . -type f -exec chmod 644 {} \;
chmod 600 wp-config.php
chmod 755 wp-content
chmod 755 wp-content/uploads

# Set ownership (www-data is typical on Debian/Ubuntu; use your web server's user)
chown -R www-data:www-data .
```
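Before running the chmod lines above on a live site it helps to see what currently deviates, and to be able to re-check later. The script below is an added example, not the article's code: it audits a tree against the scheme above (755 directories, 644 files, 600 wp-config.php) and applies it. The sample tree is constructed, and ownership is left alone because the correct owner is host-specific.

```bash
#!/usr/bin/env bash
# Added example, not from the original article. Audits a WordPress tree against
# the permission scheme above and applies it. The sample tree is constructed;
# ownership is left alone because the correct owner is host-specific.

# audit_perms ROOT: print every path whose mode differs from the target
# (directories 755, regular files 644, wp-config.php 600).
audit_perms() {
  root=$1
  {
    find "$root" -type d ! -perm 755
    find "$root" -type f ! -name wp-config.php ! -perm 644
    find "$root" -maxdepth 1 -type f -name wp-config.php ! -perm 600
  } | sort -u
}

# count_perm_issues ROOT: number of deviating paths; 0 means the tree is clean.
count_perm_issues() {
  audit_perms "$1" | wc -l | tr -d ' '
}

# fix_perms ROOT: apply the scheme. wp-config.php is tightened last so the
# file pass cannot widen it again.
fix_perms() {
  root=$1
  find "$root" -type d -exec chmod 755 {} +
  find "$root" -type f -exec chmod 644 {} +
  if [ -f "$root/wp-config.php" ]; then
    chmod 600 "$root/wp-config.php"
  fi
}

# make_sample_tree DIR: constructed skeleton with the files that matter here.
make_sample_tree() {
  site=$1
  mkdir -p "$site/wp-content/uploads"
  : > "$site/wp-config.php"
  : > "$site/index.php"
  : > "$site/wp-content/uploads/photo.jpg"
}

# Stand-alone demo: clean the tree, then deliberately loosen two files and re-audit.
demo_root=$(mktemp -d)
make_sample_tree "$demo_root"
fix_perms "$demo_root"
echo "issues after fix: $(count_perm_issues "$demo_root")"
chmod 777 "$demo_root/wp-content/uploads/photo.jpg"   # world-writable upload
chmod 644 "$demo_root/wp-config.php"                   # credentials readable by every local user
echo "issues after tampering:"
audit_perms "$demo_root"
rm -rf "$demo_root"
```

`audit_perms /var/www/html` is safe to run at any time since it only reads; `fix_perms` is the equivalent of the article's chmod lines. Because wp-config.php ends up at 600, the file must be owned by the web server user (the chown line above) or PHP cannot read it.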

### 5. Install Security Plugin

```bash
wp plugin install wordfence --activate
# Configure firewall and login security

# Or
wp plugin install sucuri-scanner --activate
```

### 6. Enable Two-Factor Authentication

```bash
wp plugin install two-factor --activate
```

### 7. Limit Login Attempts

```bash
wp plugin install limit-login-attempts-reloaded --activate
```

### 8. Remove Unnecessary Users

```bash
# Delete unused admin accounts, reassigning their posts to a trusted user's ID
wp user list --role=administrator --fields=ID,user_login
wp user delete suspicious-admin --reassign=<trusted-user-id>
```

### 9. Change Database Prefix

If your prefix is the default wp_, change it:

```bash
wp package install wp-cli/db-prefix-command
wp db-prefix change wp_ newprefix_
```

### 10. Block PHP in Uploads

```apache
# In wp-content/uploads/.htaccess
# "deny from all" is the Apache 2.2 form; 2.4 accepts it only with
# mod_access_compat loaded and otherwise uses "Require all denied"
<Files *.php>
    deny from all
</Files>
```

Or for Nginx:

```nginx
# Place this before the generic "location ~ \.php$" block: nginx uses the first
# matching regex location, so a block placed later would never be reached
location ~* /wp-content/uploads/.*\.php$ {
    deny all;
}
```

## Request Google Review

If Google flagged your site:

1. Fix all issues
2. Google Search Console > Security Issues
3. Request review
4. Wait 1-3 days for review

## Prevention Checklist

- [ ] Strong passwords for all accounts
- [ ] Two-factor authentication enabled
- [ ] Regular updates (core, plugins, themes)
- [ ] Security plugin with firewall
- [ ] Limited file permissions
- [ ] No PHP execution in uploads
- [ ] SSL enforced
- [ ] Regular backups (tested)
- [ ] Database prefix changed
- [ ] Unused plugins/themes removed
- [ ] Admin user renamed from "admin"
- [ ] XML-RPC disabled if not needed
- [ ] wp-config.php moved above web root

## Backup and Monitoring

### Set Up Regular Backups

```bash
wp plugin install updraftplus --activate

# Configure daily backups to remote storage, and test a restore
```

### Set Up Monitoring

```bash
wp plugin install wp-security-audit-log --activate
# Monitors all changes to the site
```

### File Integrity Monitoring

```bash
wp package install wp-cli/security-command
wp security scan --schedule=daily
```

## Recovery Checklist

1. [ ] Maintenance mode activated
2. [ ] All passwords changed
3. [ ] Security keys regenerated
4. [ ] Core files verified/replaced
5. [ ] Suspicious files removed
6. [ ] Database cleaned
7. [ ] Plugins reinstalled from source
8. [ ] Backdoors removed
9. [ ] .htaccess cleaned
10. [ ] Security hardening applied
11. [ ] Site tested working
12. [ ] Google review requested

A hacked site requires systematic cleanup. Don't just remove visible malware—find and eliminate all backdoors, verify file integrity, sanitize the database, and harden security to prevent reinfection.