Hacked Website – WordPress Recovery

Table of Contents
- Immediate Actions and Assessment
- Cleaning and Restoration
- Post-Hack Security Measures
- Step 10: Reset Permalinks
- Step 11: Update Everything
- Step 12: Implement Stronger Security Measures
Recovering a WordPress hacked website can be a daunting task, but by following a systematic approach, you can restore your site and strengthen its security. This step-by-step guide will walk you through the process.
Disclaimer: Before starting, it’s highly recommended to have a recent, clean backup of your website. If you don’t, proceed with caution, as manual removal can be complex. If you’re unsure at any point, consider seeking help from a professional WordPress security service or your hosting provider.
Phase 1: Immediate Actions and Assessment of the Hacked Website
The first steps are crucial to stop the damage and assess the extent of the hack.
Step 1: Don’t Panic and Put Your Site into Maintenance Mode
It’s easy to get overwhelmed, but clear thinking is essential. Put the site into maintenance mode straight away: it stops visitors (and search-engine crawlers, whose malware warnings can get the site blacklisted) from being served malicious content, and it gives you a stable environment to work in. It does not stop the attacker, so move on to the next steps promptly.
- How: If you can still reach the WordPress dashboard, use a maintenance-mode plugin such as “WP Maintenance Mode & Coming Soon” or “SeedProd”; be aware that a plugin installed on a compromised site runs alongside whatever the attacker left behind. If the dashboard is unusable, create a simple `index.html` holding page, upload it via SFTP to the site root, and add a rewrite rule to `.htaccess` (or the equivalent in your web server’s configuration) that sends all requests to it, allowing only your own IP address through so you can keep working.
Step 2: Change All Passwords
Assume every credential the site uses has been exposed. Change them all now, using long, unique, randomly generated passwords from a password manager rather than memorable patterns. Plan to rotate them a second time after the cleanup in Phase 2: a backdoor left behind can capture the passwords you set today.
- Affected Passwords:
  - WordPress accounts (every user, administrators first; also log out all active sessions)
  - Hosting control panel
  - FTP/SFTP (and any SSH keys used for the site)
  - Database user (update the new password in `wp-config.php` at the same time, or the site goes down)
  - Email accounts associated with the site
  - Third-party services connected to the site (CDN, security plugins, API keys, etc.)
Step 3: Scan Your Hacked Website for Malware
Identifying the malicious code is critical for effective removal.
- Tools: Use a reputable WordPress security plugin such as Sucuri, Wordfence or MalCare if you can install and activate one; many offer free scanners. A scanner running on the compromised host can itself be blinded by the malware, so complement it with an external scan (for example Sucuri SiteCheck, which fetches your pages from outside).
- Manual Scan (if plugins aren’t an option):
  - Check recently modified files: Connect via SFTP or your host’s file manager and look for files with recent modification dates that you don’t recognise. Common locations are the site root, `wp-content/uploads`, `wp-content/themes` and `wp-content/plugins`. Any `.php` file under `wp-content/uploads` is suspect: that directory should hold media only. Attackers can reset timestamps, so a clean-looking date proves nothing.
  - Examine core files: Compare the WordPress core files (everything except `wp-content` and `wp-config.php`) with a fresh download of the same version from WordPress.org (the version number is in `wp-includes/version.php`). Any file that differs, or that exists only on your server, needs explaining. If you have WP-CLI, `wp core verify-checksums` performs this comparison against the official checksums.
  - Check `.htaccess` files: Malicious rewrite rules are often added to `.htaccess` in the root or in subdirectories, typically to redirect visitors or to allow PHP execution where it should be blocked. Check every `.htaccess`, not just the one in the root.
  - Review `wp-config.php`: Look for unfamiliar code at the top or bottom of the file, and for `include`/`require` lines pulling in files you did not add.
  - Database inspection: In phpMyAdmin, look through post content, the options table and the user tables for injected content, unexpected administrator accounts, or changed roles.
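The two file-level checks above (recent changes, and comparison against a clean copy of the same version) as a small POSIX shell helper. This is an added example, not code from the original article: the 7-day window, the file types and the directory names are assumptions to adapt to your own site, and the clean tree is whatever you unpacked from the matching WordPress.org download.

```shell
#!/bin/sh
# Added example, not from the original article: helpers for the manual scan.
# Needs only POSIX find/diff plus awk. Paths, the 7-day window and the file
# types are assumptions; adjust them for your site.

# Print files under $1 changed in the last $2 (default 7) days that can carry
# code: PHP, .htaccess, JavaScript and HTML. Media files are skipped.
# Caveat: attackers can reset mtimes with touch, so an empty result proves
# nothing. core_diff below does not share that weakness.
recently_modified() {
  dir=$1; days=${2:-7}
  find "$dir" -type f -mtime "-$days" \
    \( -name '*.php' -o -name '.htaccess' -o -name '*.js' -o -name '*.html' \) \
    | sort
}

# Compare the live install ($1) with a freshly downloaded copy of the SAME
# WordPress version ($2; the number is in wp-includes/version.php).
# Output, one line each:
#   MODIFIED <live path>   core file whose content differs from the clean copy
#   EXTRA <live path>      file present in the live tree but not part of core
#   MISSING <clean path>   core file absent from the live tree
# wp-content and wp-config.php are site specific and therefore excluded.
core_diff() {
  live=$1; clean=$2
  diff -rq "$live" "$clean" \
    | grep -v -e 'wp-content' -e 'wp-config.php' \
    | awk -v live="$live" '
        /^Files /   { print "MODIFIED " $2; next }
        /^Only in / { dir = $3; sub(/:$/, "", dir)
                      kind = (index(dir, live) == 1) ? "EXTRA " : "MISSING "
                      print kind dir "/" $4 }'
}
```

Every EXTRA line is a file that WordPress.org did not ship and deserves a look, whatever its name; every MODIFIED line is an injected change unless you edited that core file yourself, which you should never need to do.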
Step 4: Create a Backup (Even if it’s Compromised)
Even though the site is hacked, create a backup now. It is a snapshot of the compromised state, useful for analysis and as a fallback if something goes wrong during the cleanup. Store it separately and do not overwrite any existing clean backups. Also save a copy of the web server access and error logs covering the period before you noticed the compromise; they are often the only way to find out how the attacker got in.
Phase 2: Cleaning and Restoration of a Hacked Website
Now, you’ll work on removing the malicious elements and restoring your site’s integrity.
Step 5: Clean WordPress Core Files
The safest way to clean core files is to replace them wholesale rather than hunting for injections one by one.
- Download Fresh WordPress: Download from WordPress.org the exact version your site is running (see `wp-includes/version.php`), or the latest version if you intend to update immediately afterwards.
- Delete and Upload:
  - Via SFTP, delete everything in the WordPress root directory except the `wp-content` folder and `wp-config.php`. Deleting rather than overwriting matters: it removes files the attacker added under names that are not part of core, which an overwrite would leave in place.
  - Upload the fresh WordPress files from the downloaded zip to the root directory.
  - Important: Do NOT upload the `wp-content` folder or the sample `wp-config.php` from the fresh download; your own copies hold your content and database connection details.
- With WP-CLI, the same replacement is one command: `wp core download --version=<your version> --skip-content --force`.
Step 6: Clean Themes and Plugins
Plugins and themes are the most frequent entry point, either through a vulnerability in an outdated component or through a pirated (“nulled”) copy that shipped with malware built in.
- Delete and Reinstall:
  - Via SFTP, go to `wp-content/themes` and `wp-content/plugins`.
  - Delete every theme and plugin you don’t actively use; inactive code is still reachable by an attacker.
  - For the themes and plugins you keep, note the exact versions in use, then delete their folders entirely.
  - Download fresh copies from their original sources only (the WordPress.org theme and plugin directories, or the developer’s own site) and upload them via SFTP. If the version you were running has a published vulnerability, install the fixed version rather than the old one.
  - Important: If you had custom code in your theme’s `functions.php` or other theme files, re-add it by hand after the fresh install and read every line as you do, so that you don’t paste the injection back in. Keep custom code in a child theme in future; it survives theme updates and is easy to review.
Step 7: Clean Your Database
Malware can inject spam links, scripts or redirects into post content, change the options that control where the site points, and add accounts that survive a file-level cleanup.
- Manual Inspection (via phpMyAdmin):
  - `wp_options` table: Check `siteurl` and `home` first if the site is redirecting, then `active_plugins` for entries that do not correspond to plugins you installed. Your table prefix may not be `wp_`; it is set in `wp-config.php`.
  - `wp_posts` table: Search `post_content` and `post_excerpt` for `<script`, `<iframe` and links you did not add.
  - `wp_users` and `wp_usermeta` tables: Verify every account. Roles live in `wp_usermeta` under the `wp_capabilities` key, so an unfamiliar account with `administrator` there must go, along with any role that was raised without your knowledge. With WP-CLI, `wp user list --role=administrator` gives the same view.
- Security Plugin: Many security plugins offer database scanning and cleanup features that automate much of this.
Step 8: Remove Any Backdoors
Hackers routinely leave “backdoors” so they can get back in after you’ve cleaned the site. These are typically small pieces of code hidden in seemingly legitimate files, or new files with legitimate-sounding names.
- Common Backdoor Locations:
  - `wp-includes`: fake files with WordPress-style names (for example a `wp-feed.php`, which is not part of core), or code appended to real files such as the root `wp-blog-header.php`
  - `wp-content`: a `.php` file in `uploads`, or a fake plugin or theme folder
  - `wp-config.php` (already checked, but double-check for anything unusual)
- Detection: This is often the hardest part, and security plugins are the most reliable tool. Manually, look for `eval`, `assert`, `base64_decode`, `gzinflate`, `str_rot13` or `create_function` applied to long, obfuscated strings, and for code that reads `$_GET`, `$_POST` or `$_REQUEST` and passes it to one of those functions. Be careful when deleting: WordPress core and legitimate plugins use some of these functions, so a hit is a reason to look, not proof.
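A first-pass sweep for the indicators listed above, as an added example rather than code from the original article. It only reports; nothing is deleted. The function list, the 200-character threshold for base64 blobs and the directory names are assumptions, not a complete signature set, and the hits still need a human to read them.

```shell
#!/bin/sh
# Added example, not from the original article: a first-pass backdoor sweep
# over a WordPress tree rooted at $1. Reports "REASON path" lines and never
# modifies anything. WordPress core and some plugins legitimately call
# base64_decode() and str_rot13(), so every hit needs a human look.

scan_backdoors() {
  root=$1

  # 1. PHP where only media belongs. Also catches alternative extensions
  #    such as .phtml and .php7, which some Apache configurations execute.
  find "$root/wp-content/uploads" -type f \
    \( -name '*.php' -o -name '*.phtml' -o -name '*.php[0-9]' \) 2>/dev/null \
    | sed 's/^/PHP-IN-UPLOADS /'

  # 2. Code-execution primitives typical of obfuscated shells. The leading
  #    group stops identifiers like "retrieval(" from matching "eval(".
  grep -rlE --include='*.php' \
    '(^|[^A-Za-z0-9_])(eval|assert|create_function|base64_decode|gzinflate|gzuncompress|str_rot13)[[:space:]]*\(' \
    "$root" 2>/dev/null | sed 's/^/SUSPECT-FUNC /'

  # 3. Long base64-looking blobs (200+ characters), the usual payload carrier.
  grep -rlE --include='*.php' '[A-Za-z0-9+/]{200,}={0,2}' "$root" 2>/dev/null \
    | sed 's/^/LONG-B64 /'
}
```

A file flagged by both SUSPECT-FUNC and LONG-B64 is the classic shape of a dropped web shell; a PHP-IN-UPLOADS hit is almost never legitimate. Cross-check SUSPECT-FUNC hits inside `wp-includes` against a clean core copy before deleting anything.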
Step 9: Review wp-config.php and Salt Keys
Ensure your `wp-config.php` is clean, then generate new security keys and salts.
- Clean `wp-config.php`: Double-check for any suspicious code.
- Generate New Salts: Fetch a fresh set from the official generator at https://api.wordpress.org/secret-key/1.1/salt/ and replace the eight `define()` lines (`AUTH_KEY`, `SECURE_AUTH_KEY`, `LOGGED_IN_KEY`, `NONCE_KEY` and the four matching `_SALT` values) in `wp-config.php`. WordPress signs its login cookies with these values, so changing them logs out every browser, including the attacker’s. With WP-CLI, `wp config shuffle-salts` does the same in one step.
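The salt rotation as a shell function, for hosts where neither the dashboard nor WP-CLI is available. This is an added example and not code from the original article or from WordPress: it generates the keys locally from /dev/urandom instead of calling the API, and it assumes the standard `define('NAME', '...');` layout that WordPress itself writes (with or without the alignment spaces).

```shell
#!/bin/sh
# Added example, not from the original article: rotate the eight keys and
# salts in a wp-config.php without a network call, keeping a timestamped
# backup and verifying that all eight lines were actually replaced.

SALT_NAMES="AUTH_KEY SECURE_AUTH_KEY LOGGED_IN_KEY NONCE_KEY AUTH_SALT SECURE_AUTH_SALT LOGGED_IN_SALT NONCE_SALT"

# 64 characters from the kernel CSPRNG. The set deliberately omits the single
# quote, backslash and dollar sign (PHP string syntax) and & and | (special in
# the sed replacement below), so the value drops straight into define().
gen_key() {
  LC_ALL=C tr -dc 'A-Za-z0-9!@#%^*()_+=<>?:;,.~-' </dev/urandom | head -c 64
}

# Rewrite every define() for the names above in $1. Returns non-zero and
# leaves the file untouched if any of the eight lines is missing.
rotate_salts() {
  cfg=$1
  tmp=$(mktemp) || return 1
  cp "$cfg" "$tmp"
  for name in $SALT_NAMES; do
    key=$(gen_key)
    # ( and * are literal in the pattern; | is the delimiter, hence excluded above
    sed "s|^define( *'$name' *,.*|define('$name', '$key');|" "$tmp" > "$tmp.new" \
      && mv "$tmp.new" "$tmp"
    # -F: the key contains regex metacharacters, so compare literally
    if ! grep -qF "define('$name', '$key');" "$tmp"; then
      echo "rotate_salts: no define() for $name in $cfg" >&2
      rm -f "$tmp"; return 1
    fi
  done
  cp -p "$cfg" "$cfg.bak.$(date +%Y%m%d%H%M%S)"
  cat "$tmp" > "$cfg"   # write through, so owner and mode of $cfg are kept
  rm -f "$tmp"
}
```

Run it as `rotate_salts /path/to/wp-config.php`; the backup it leaves next to the file still contains the old keys, so move it out of the web root once you have confirmed the site loads.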
Step 10: Reset Permalinks
After reinstalling WordPress, permalinks may need refreshing.
- How: Go to Settings > Permalinks in the WordPress dashboard and click “Save Changes” without changing anything. WordPress regenerates only the section of `.htaccess` between its `# BEGIN WordPress` and `# END WordPress` markers; malicious rules outside that block stay, so open the file afterwards and check.
Phase 3: Post-Hack Security Measures
Once your site is clean, it’s crucial to implement measures to prevent future attacks.
Step 11: Update Everything
Update WordPress core, every theme and every plugin to their latest versions. Most WordPress compromises start with a known vulnerability in an outdated plugin or theme, so this closes the door the attacker most likely used.
Step 12: Implement Stronger Security Measures
- Security Plugin: Install and configure a robust security plugin (like Wordfence, Sucuri, iThemes Security). Use its features for malware scanning, firewall, login hardening, and file integrity monitoring.
- Web Application Firewall (WAF): Consider a WAF such as Cloudflare, which filters malicious traffic before it reaches your server. It only helps if the origin server is not reachable directly by IP address; otherwise attackers simply go around it.
- Two-Factor Authentication (2FA): Enable 2FA for all administrator accounts.
- Limit Login Attempts: Use a plugin or your security plugin’s feature to limit the number of failed login attempts to prevent brute-force attacks.
- Change Default Admin Username: If you still have an “admin” username, create a new administrator account with a unique, non-obvious username and delete the old “admin” account.
- Strong Passwords (Enforced): Encourage or enforce strong passwords for all users.
- Regular Backups: Implement a reliable, automated backup solution that stores backups off-site. Test your backups regularly to ensure they can be restored.
- File Permissions: Ensure correct file and folder permissions (typically 755 for folders and 644 for files, and 600 or 640 for `wp-config.php` depending on whether PHP runs as the file owner). Also deny PHP execution in `wp-content/uploads` with a web server rule, so an uploaded script cannot run even if one slips through.
- Disable File Editing: Add `define('DISALLOW_FILE_EDIT', true);` to `wp-config.php` to remove the theme and plugin editors from the dashboard, so a hijacked administrator session cannot write PHP through the browser.
- Remove Unused Themes and Plugins: Delete any themes and plugins that are not active or essential.
- Monitor User Activity: Use an activity log plugin to keep track of changes and logins on your site.
- Secure `wp-config.php`: Move `wp-config.php` one directory level above the WordPress root if your hosting allows it; WordPress looks there automatically.
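The permissions item above as a repeatable script, added here as an example and not taken from the original article. It assumes PHP runs as the owner of the files (the usual shared-hosting layout with suPHP or per-user PHP-FPM pools); on a server where the web server runs as a different user, `wp-config.php` needs group-read (640) with that user’s group instead of 600, and ownership of the tree is a separate decision that this script does not touch.

```shell
#!/bin/sh
# Added example, not from the original article: reset a WordPress tree to the
# 755/644 baseline and tighten wp-config.php, then report anything still off.
# Assumes PHP runs as the file owner; adjust the wp-config.php mode otherwise.

fix_permissions() {
  root=$1
  [ -d "$root" ] || { echo "fix_permissions: $root is not a directory" >&2; return 1; }
  # -exec ... {} + batches paths, so this is fast even on large uploads trees
  find "$root" -type d -exec chmod 755 {} +
  find "$root" -type f -exec chmod 644 {} +
  # wp-config.php holds the database credentials and the salts: owner only.
  if [ -f "$root/wp-config.php" ]; then
    chmod 600 "$root/wp-config.php"
  fi
}

# Print every path that deviates from the baseline; empty output means clean.
# Useful as a scheduled check, since permissions drift after plugin updates.
check_permissions() {
  root=$1
  find "$root" -type d ! -perm 755
  find "$root" -type f ! -perm 644 ! -name wp-config.php
  find "$root" -name wp-config.php ! -perm 600
}
```

Run `fix_permissions /path/to/wordpress` once after the cleanup, and `check_permissions` from cron afterwards; a file turning 777 or a new 755 script is worth an alert on its own.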
Step 13: Monitor Your Site
Continuously monitor your website for suspicious activity.
- Google Search Console: Check the Security Issues report for warnings or messages from Google. Once the site is clean, use “Request a review” there so the warning is lifted from search results and browsers.
- Uptime Monitoring: Use a service to monitor your site’s uptime and be alerted to any unexpected downtime.
- Regular Scans: Schedule regular malware scans with your security plugin.
By meticulously following these steps, you can significantly improve your chances of recovering a hacked WordPress website and preventing future incidents. Remember that website security is an ongoing process, not a one-time fix.