WordPress Hack Cleanup: How to Fix a Hacked WordPress Site (Step-by-Step Guide)

Is your WordPress website redirecting visitors to suspicious sites, showing pop-ups, or behaving oddly? You might be dealing with a WordPress hack — and you’re not alone. In 2025, attacks on WordPress sites are more common than ever due to outdated plugins, weak passwords, or poorly secured themes.

In this guide, we’ll walk you through how to fix a hacked WordPress site, clean malware, and secure your WordPress website against future attacks.

Signs Your WordPress Site Has Been Hacked

Before we get into cleanup, let’s identify the common red flags:

  • Your site redirects to another domain (common in the WordPress redirect hack)
  • Unexpected pop-ups or ads
  • Google marks your site as “This site may be hacked”
  • New, unauthorized admin users
  • Suspicious files or scripts in your WordPress core or theme folders
  • Unusual server resource usage or email spam

If you recognize any of these, it’s time for some serious WordPress malware removal.

Step-by-Step WordPress Hack Cleanup

1. Put Your Site in Maintenance Mode

Use a plugin like WP Maintenance Mode or manually add a maintenance page. This protects your users and your SEO while you clean up.

2. Backup Everything (Yes, Even the Hacked Files)

Before making any changes, back up your entire site. This includes:

  • All WordPress files (themes, plugins, uploads, etc.)
  • The database (usually a .sql export), which contains your posts, pages, users, and settings

Even if your site is compromised, having a full backup ensures you can analyze the infection later or roll back if needed.

3. Scan for Malware

Install and run a WordPress security plugin like:

  • Wordfence
  • MalCare
  • Sucuri Security

These tools detect suspicious files, code injections, and changes to core files.

4. Manually Remove Malware (If Needed)

Go through flagged files in:

  • /wp-content/themes/
  • /wp-content/plugins/
  • /wp-content/uploads/
  • .htaccess
  • wp-config.php

Delete any suspicious code, especially obfuscated base64 strings, eval(), and iframes linking to external URLs.
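As an added example (not from the original post), here is a small Python scanner that applies the patterns above across a WordPress tree and also flags two things a manual read-through easily misses: PHP files inside /wp-content/uploads/, which should never exist, and RewriteRule lines in .htaccess that send visitors to an external host. It builds a constructed sample site in a temporary directory; the pattern list and the example.invalid host are assumptions to tune for your own install.

```python
"""Flag likely-injected files in a WordPress tree (added example, constructed data)."""
import os
import re
import tempfile

# Markers commonly found in injected code; constructed list, tune for your site.
SUSPICIOUS = {
    "eval": re.compile(r"\beval\s*\("),
    "base64_decode": re.compile(r"\bbase64_decode\s*\("),
    "gzinflate": re.compile(r"\b(gzinflate|gzuncompress|str_rot13)\s*\("),
    "long_base64": re.compile(r"[A-Za-z0-9+/]{200,}={0,2}"),
    "external_iframe": re.compile(r"<iframe[^>]+src=[\"']https?://", re.I),
    "htaccess_redirect": re.compile(r"^\s*RewriteRule\s+\S+\s+https?://", re.I | re.M),
}

def scan_tree(root):
    """Return sorted (relative path, reason) pairs for files worth reviewing."""
    hits = []
    for dirpath, _, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            rel = os.path.relpath(path, root).replace(os.sep, "/")
            # PHP must never live under uploads; any such file is a finding by itself.
            if rel.startswith("wp-content/uploads/") and name.endswith(".php"):
                hits.append((rel, "php_in_uploads"))
            if not name.endswith((".php", ".htaccess", ".js", ".html")):
                continue
            with open(path, encoding="utf-8", errors="replace") as fh:
                text = fh.read()
            hits.extend((rel, why) for why, pat in SUSPICIOUS.items() if pat.search(text))
    return sorted(set(hits))

def build_sample_site():
    """Constructed sample: clean plugin, iframe injection, uploads dropper, .htaccess redirect."""
    root = tempfile.mkdtemp()
    files = {
        "wp-content/plugins/ok/ok.php": "<?php\nadd_action('init', 'ok_init');\n",
        "wp-content/themes/t/footer.php": "<iframe src=\"http://example.invalid/a\"></iframe>\n",
        "wp-content/uploads/2025/img.php": "<?php eval(base64_decode('" + "QUFB" * 60 + "')); ?>\n",
        ".htaccess": "RewriteEngine On\nRewriteRule ^(.*)$ http://example.invalid/$1 [R=301,L]\n",
    }
    for rel, body in files.items():
        os.makedirs(os.path.dirname(os.path.join(root, rel)), exist_ok=True)
        with open(os.path.join(root, rel), "w", encoding="utf-8") as fh:
            fh.write(body)
    return root

if __name__ == "__main__":
    for rel, why in scan_tree(build_sample_site()):
        print(f"{why:18} {rel}")
```

Every hit is a lead to review by hand, not proof of compromise: legitimate plugins do call base64_decode(), so compare flagged files against a clean copy from the official repository before deleting anything.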

5. Restore Clean Core Files

Replace WordPress core files with fresh ones from WordPress.org. Be sure not to overwrite wp-config.php or the /wp-content/ directory.
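Before overwriting core files it helps to know exactly which ones changed. The following added example (not from the original post) compares an install against a manifest of expected MD5 sums in the same relative-path-to-hash format that WordPress.org publishes per release (the api.wordpress.org core checksums endpoint, also what WP-CLI's wp core verify-checksums uses), and reports modified, missing and unexpected files under wp-admin/ and wp-includes/ while leaving wp-config.php and /wp-content/ alone. The manifest and the sample install are constructed in a temporary directory; the zz-dropped.php name is a placeholder.

```python
"""Verify WordPress core files against a checksum manifest (added example, constructed data)."""
import hashlib
import os
import tempfile

# Core-managed trees; wp-content/ and wp-config.php are yours and are not checked.
CORE_DIRS = ("wp-admin", "wp-includes")

def md5_file(path):
    h = hashlib.md5()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()

def verify_core(root, manifest):
    """Compare an install with manifest {relative path: md5 hex}; return sorted lists.
    'unexpected' = files under core dirs the manifest does not list (dropped backdoors)."""
    modified, missing = [], []
    for rel, digest in manifest.items():
        path = os.path.join(root, rel)
        if not os.path.isfile(path):
            missing.append(rel)
        elif md5_file(path) != digest:
            modified.append(rel)
    unexpected = []
    for sub in CORE_DIRS:
        for dirpath, _, files in os.walk(os.path.join(root, sub)):
            for name in files:
                rel = os.path.relpath(os.path.join(dirpath, name), root).replace(os.sep, "/")
                if rel not in manifest:
                    unexpected.append(rel)
    return {"modified": sorted(modified), "missing": sorted(missing), "unexpected": sorted(unexpected)}

def build_sample_install():
    """Constructed install: one pristine, one tampered, one missing, one dropped file."""
    clean = {"index.php": "<?php require 'wp-blog-header.php';\n",
             "wp-includes/version.php": "<?php $wp_version = 'x.y.z';\n",
             "wp-includes/pluggable.php": "<?php // pristine\n"}
    manifest = {rel: hashlib.md5(body.encode()).hexdigest() for rel, body in clean.items()}
    on_disk = dict(clean)
    on_disk["wp-includes/pluggable.php"] += "eval('x');\n"          # tampered
    on_disk["wp-includes/zz-dropped.php"] = "<?php // not core\n"   # dropped (placeholder name)
    del on_disk["wp-includes/version.php"]                          # missing
    root = tempfile.mkdtemp()
    for rel, body in on_disk.items():
        os.makedirs(os.path.dirname(os.path.join(root, rel)), exist_ok=True)
        with open(os.path.join(root, rel), "wb") as fh:
            fh.write(body.encode())
    return root, manifest
```

Files in the unexpected list deserve as much attention as modified ones, since a hash comparison alone never sees them.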

6. Reset All Passwords

Change passwords for:

  • WordPress admin accounts
  • Hosting cPanel
  • FTP/SFTP users
  • Database (update wp-config.php afterward)

7. Remove Unwanted Users

Go to Users > All Users and delete anyone you don’t recognize.

8. Remove Unused or Untrusted Plugins

  • Deactivate and delete any plugins you no longer use.
  • Avoid plugins from unverified sources, as they can become attack vectors.
  • Consider replacing outdated plugins with trusted alternatives from the official WordPress repository.

9. Update Everything

  • WordPress core
  • Themes
  • Plugins

Outdated components are a major reason WordPress sites get hacked.

10. Check for SEO Spam or Blacklist Status

Use tools like:

  • Google Search Console
  • Sucuri SiteCheck
  • Ahrefs (for detecting hacked backlinks)

Request a review from Google if your site was blacklisted.

11. Refresh Permalinks

  • Go to Settings > Permalinks in your WordPress dashboard.
  • Click Save Changes (no need to change the structure).

This rewrites the WordPress block of rewrite rules in your .htaccess file, replacing any malicious redirect rules injected there. WordPress only manages the section between its # BEGIN WordPress and # END WordPress markers, so review the rest of the file by hand as well.

12. Refresh the Database

  • Use a plugin like WP-Optimize or Advanced Database Cleaner.
  • Clean up:
    • Post revisions
    • Spam comments
    • Transient options
    • Orphaned metadata
  • Optimize tables to improve performance after the hack.

How to Secure Your WordPress Site After a Hack

To avoid being hacked again:

  • Install a WordPress firewall plugin (e.g., Wordfence or Sucuri)
  • Disable file editing in wp-config.php:

        define( 'DISALLOW_FILE_EDIT', true );

  • Limit login attempts
  • Use 2FA (Two-Factor Authentication)
  • Enable automatic updates
  • Regularly scan your site for malware
  • Keep off-site backups with tools like UpdraftPlus or BlogVault
  • Add Security Headers: Implement security headers like Content-Security-Policy, X-Frame-Options, and Strict-Transport-Security to reduce vulnerability to attacks.


Final Thoughts

A hacked site can be a nightmare, but the sooner you act, the easier the cleanup. With this guide, you’ve got a clear path to remove malware from WordPress, prevent SEO damage, and secure your WordPress website for the future.

Need professional help? Consider using a WordPress malware removal service or a managed security solution.

About Author

Shiva Sheshendra

Senior Web Developer / Senior PHP Developer / Full Stack Developer

“Web Development, Website Maintenance, Server Management, On-Page SEO, Security, and Malware Removal”

© All rights reserved 2025 codenbrand. Designed and Developed by shivafeb17