The Ultimate Guide to Cleaning a Hacked WordPress Site (Even Without Backups)

Discovering your WordPress site has been hacked is a nightmare, especially if you have no backups. But it’s not the end of the road. This comprehensive technical guide walks you through the forensic process of manually cleaning malware, stripping infected core files, and surgically reconstructing your site without losing your hard-earned content. Learn how to stop the attack, identify hidden backdoors, and harden your security against future threats.

Key Takeaways: What You’ll Learn in This Guide

  • Immediate Triage: How to stop the bleeding and protect your visitors immediately.
  • The “No-Backup” Strategy: How to surgically reconstruct your site even if you have zero restore points.
  • Forensic Cleanup: Step-by-step instructions to find hidden malware in files and the database.
  • Reputation Recovery: How to get off Google’s blacklist and restore your SEO rankings.
hacked wordpress site no backup complete cleanup guide

Don’t Panic: Understanding Your Situation First

Discovering your site has been compromised is a heart-dropping moment. Whether your screen is displaying a “This site may be hacked” warning from Google or redirecting to a gambling site, the adrenaline spike is real. However, panic leads to mistakes.

Why Having No Backup Isn’t the End of the World

The most common fear is “I have no backup, so I have lost everything.” This is rarely true.

WordPress separates your content (stored in the database) from the software (core files, plugins, themes). In 95% of hacks, the attackers want to hijack your traffic, not delete your database. Your blog posts, page content, and customer data are likely still sitting safely in the database, surrounded by infected files. We can strip away the infected software and reconnect the clean database.

Realistic Timeline: How Long Will Recovery Take?

This is not a five-minute fix. A thorough manual cleanup typically takes between 2 to 6 hours, depending on the severity of the infection and your technical familiarity. If you are cleaning a large ecommerce site, it may take longer. Clear your schedule for the day.

DIY vs. Professional Help: Making the Right Choice

This guide is technical. You will need to use FTP, access your database, and potentially use command-line tools.

  • DIY: If you are comfortable editing wp-config.php and know what an SQL query is, proceed with this guide.
  • Pro: If the terms “FTP” or “phpMyAdmin” sound alien to you, or if this is a high-revenue business site, it is safer to hire an expert. Our Malware Removal Services can handle the cleanup for you to ensure no residual backdoors are left behind.

How to Confirm Your WordPress Site Has Been Hacked

Visual and Frontend Warning Signs

  • Defacement: The homepage has been replaced by a message claiming the site was hacked by a specific group.
  • Pop-ups: Visitors complain about aggressive pop-ups or new tabs opening automatically.
  • White Screen: The site fails to load entirely (often caused by a syntax error in the malware code).

WordPress Dashboard and Admin Anomalies

  • Login Failure: Your admin password no longer works, and the “Lost Password” email never arrives.
  • New Administrators: You see users like admin_123 or wp_updater in the Users tab that you did not create.
  • Strange Plugins: A plugin appears that you didn’t install, often hidden with a generic name like “Core Security” or “WP Maintenance”.

SEO Red Flags and Google Search Console Warnings

  • The “Japanese Keyword Hack”: Your Google search results show Japanese characters selling counterfeit goods.
  • Meta Description Changes: Your search snippets display spammy text about pharmaceuticals or loans.
  • GSC Alert: Google Search Console sends an email explicitly stating “Security issue detected.”

Server-Level Indicators and File Activity

  • Spike in Usage: Your host emails you about exceeding CPU or memory limits (due to cryptomining scripts).
  • Modified Files: Core files like index.php or wp-config.php show “Last Modified” dates from today or yesterday, even though you haven’t updated anything.

Quick Diagnostic Tools to Confirm the Hack

Before you start digging, run a remote scan:

  1. Sucuri SiteCheck: A free remote scanner that checks for visible malware and blacklist status.
  2. Google Safe Browsing Transparency Report: Check if Google has officially flagged your URL.

Common Types of WordPress Hacks (And Why It Matters for Cleanup)

Understanding hack types determines your cleanup strategy. Database spam needs SQL surgery; backdoors require file forensics. Here’s the 2026 breakdown:

2025 WordPress Hack Evolution

WordPress 6.5+ introduced new attack surfaces that traditional scanners miss:

Block Editor Risks

Malware now hides in /wp-content/block-templates/*.json files:

bash

find . -name "*.json" -exec grep -l "eval\|base64" {} \;

Impact: Dynamic spam pages regenerate after cleanup.[1]

AI-Generated Malware

Hackers use AI to create obfuscated JS backdoors:

bash

grep -r "atob.*document\|eval.*fromCharCode" /wp-content/themes/

Impact: Evades signature-based scanners like Wordfence.

Prevent Future Attacks: Follow our No-Plugin Hardening Guide.

SEO Spam and Pharma Hacks

The attacker injects thousands of pages selling Viagra or Cialis. These are often database-heavy infections.

Japanese Keyword Hack

Similar to Pharma hacks but creates pages in Japanese. These are notoriously difficult to clean because they often hijack the .htaccess file and generate pages dynamically.

Malicious Redirects

Code injected into header.php or JavaScript files sends your mobile visitors to scam sites while showing desktop visitors (and you) the normal site.

Backdoor Infections

Small snippets of code (like eval(base64_decode)) hidden in legitimate files. They allow the hacker to regain access even after you change your password.

Common Types of WordPress Hacks (And Why It Matters for Cleanup)

Understanding hack types determines your cleanup strategy. Database spam needs SQL surgery; backdoors require file forensics. Here’s the 2025 breakdown:[1]

WordPress Hack Types Comparison

Hack Type

Description

Primary Targets

Detection Methods

Cleanup Priority

2025 Evolution

SEO Spam & Pharma Hacks

Injects thousands of spam pages selling Viagra/Cialis for SEO poisoning

Database (wp_posts, wp_options)

GSC alerts, SQL: LIKE '%viagra%' 

High (DB heavy)

AI-generated doorway pages

Japanese Keyword Hack

Creates dynamic Japanese spam pages, hijacks .htaccess for generation

.htaccess, wp_options

Japanese chars in SERPs, dynamic URL scan

Critical (regen)

Block JSON template injection

Malicious Redirects

Mobile-only redirects to scams via injected JS/header code

header.php, JS files

Mobile browser test, Sucuri scan, grep -r "userAgent.*redirect"

High (user harm)

AI-obfuscated JS backdoors

Backdoor Infections

Hidden eval(base64_decode) snippets for persistent re-access

functions.php, index.php, uploads

grep -r "eval$$base64_decode" , recent .php files

Critical (persists)

WP 6.5+ block template malware


Emergency First Response: Critical Steps in the First 30 Minutes

Step 1: Document Everything Before Making Changes

Take screenshots of the dashboard, the hack itself, and any error messages. If this is a business site, you may need this for insurance or legal reasons later.

Step 2: Put Your Site into Maintenance Mode Immediately

Do not let users get infected. Create a file named .maintenance in your root directory or use your hosting panel to suspend the site temporarily.

Step 3: Contact Your Hosting Provider

Even if you don’t have backups, they might. Many managed hosts (like those utilizing cPanel/Plesk) keep server-level backups for 7-30 days. Ask them immediately if they can restore the site to a date before the infection signs appeared.

Step 4: Change All Access Passwords Right Now

Assume they have your keys. Change:

  • Hosting Panel Login.
  • FTP/SFTP accounts.
  • Database user password.
  • Your email password (if it is linked to the admin account).

Step 5: Create a Backup of the Hacked State (Yes, Really)

This sounds counter-intuitive, but downloading the infected site allows you to:

  1. Recover specific images or content files later if you accidentally delete too much.
  2. Analyze how the hack happened later (forensics).Label this folder clearly: DANGER_HACKED_SITE_BACKUP.

The Ultimate Guide to Cleaning a Hacked WordPress Site Step-by-Step

Essential Tools and Preparation Checklist

Free vs. Premium Malware Scanning Tools Compared

  • Wordfence (Free): Excellent for deep file scanning. It compares your core files against the official WordPress repository.
  • GotMLS (Anti-Malware Security and Brute-Force Firewall): A highly rated free tool specifically designed to find “known threats” that other scanners miss.

FTP/SFTP Access Requirements

You need a client like FileZilla or Cyberduck. You cannot rely on the WordPress dashboard file editor, as it might be broken or compromised.

Database Access via phpMyAdmin or Command Line

You will need access to your hosting control panel to run SQL queries.

Phase 1: Full Site Malware Scan

Using Security Plugins

If you can still access your dashboard:

  1. Install Wordfence.
  2. Go to scan settings and enable “Scan theme and plugin files against repository versions” and “Scan outside your WordPress installation”.
  3. Run the scan. Note down every file it flags. Do not just click “Delete” yet. We need to understand what is being removed.

Server-Level Scanning Tools

If you have SSH access, use clamav (if installed) or manual grep commands (detailed in Phase 4) to find infections without relying on PHP.

Phase 2: Cleaning WordPress Core Files

This is the “Nuclear Option” for core files and is the only way to be 100% sure the core is clean.

How to Safely Replace Core Files Without Losing Data

  1. Download a fresh version of WordPress from WordPress.org.
  2. Unzip it on your computer.
  3. Connect to your server via FTP.
  4. Delete the wp-admin and wp-includes directories on your server.
  5. Upload the fresh wp-admin and wp-includes directories from your computer.
  6. Upload the fresh individual .php files from the root folder (index.phpwp-login.php, etc.) and overwrite the old ones.

Files You Should Never Delete

Do NOT delete:

  • wp-content/ (This holds your images, themes, and plugins).
  • wp-config.php (This connects your site to the database).
  • .htaccess (Though you must inspect it).

Phase 3: Cleaning the wp-content Folder

This is the most tedious part. Malware loves to hide here.

Inspecting and Cleaning Plugin Files

The safest method is to note which plugins you have, delete the plugin folders entirely, and re-install them fresh from the WordPress repository. Malware often hides inside /wp-content/plugins/legit-plugin/malicious-file.php.

Inspecting and Cleaning Theme Files

  1. If you use a free/premium theme (like Blocksy or Bricks Builder) and have not modified the code: Delete the theme folder and re-install a fresh copy.
  2. If you have a Custom Child Theme: You must manually inspect every file (functions.phpheader.phpfooter.php) for injected code. Look for long strings of random characters.

Reviewing the Uploads Folder for Malicious Files

The /wp-content/uploads/ folder should only contain media (images, PDFs, videos).

  1. Open the folder in FTP.
  2. Search for any file ending in .php.phtml, or .js.
  3. Delete them. There is almost no valid reason for a PHP file to exist in your uploads folder.

Phase 4: Finding and Removing Hidden Backdoors

Common Backdoor Code Patterns to Search For

Hackers leave “keys” to let themselves back in. Look for:

  • eval(
  • base64_decode(
  • gzinflate(
  • shell_exec(

Using Linux Commands to Find Malicious Code (SSH Access)

If you have terminal access, run this command inside your public_html directory to find suspicious files instantly:

Bash

grep -rE "base64_decode|eval\(|gzinflate|shell_exec" .

Obfuscated Code: What It Looks Like and How to Remove It

Legitimate code is readable (e.g., echo “Hello World”;). Obfuscated code looks like a scramble:

$sF=”bas”.”e64_d”.”ecode”; eval($sF(“XZy…”));

If you see this in header.php or wp-config.php, delete the code block immediately.

Phase 5: Deep Cleaning Your WordPress Database

Checking wp_options for Malicious Entries

Hackers often store redirect scripts in the wp_options table (specifically the siteurl or home fields, or inside widget data).

  1. Open phpMyAdmin.
  2. Browse wp_options.
  3. Ensure siteurl and home match your actual website URL.

Scanning wp_posts for Injected Spam Content

Run a search in phpMyAdmin for spam terms (e.g., “viagra”, “casino”, “loan”).

SQL

SELECT * FROM wp_posts WHERE post_content LIKE '%viagra%';

If you find results, you can manually delete them or use a bulk SQL command to clean them.

Auditing wp_users for Unauthorized Admin Accounts

Check the wp_users table. If you see a user you don’t recognise, check their permissions in wp_usermeta. If they are an administrator, delete the user.

Phase 6: Reinstalling Themes and Plugins from Trusted Sources

Why You Must Download Fresh Copies

Do not rely on your old backups for plugin files; they might be infected too. Always download fresh copies from the official repository or the developer’s site.

Preserving Your Settings and Configurations

Reinstalling a plugin usually does not delete its settings (which are stored in the database). When you re-upload “WooCommerce,” your products and settings will still be there.

Phase 7: Securing wp-config.php and .htaccess

Regenerating WordPress Secret Keys and Salts

This invalidates all current login cookies.

  1. Go to the WordPress Salt Generator.
  2. Copy the new keys.
  3. Edit wp-config.php and replace the old keys.

Cleaning and Securing .htaccess

Hackers use .htaccess to redirect visitors.

  1. Rename your current .htaccess to .htaccess_old.
  2. Login to WordPress > Settings > Permalinks.
  3. Click “Save Changes”. WordPress will generate a fresh, clean .htaccess file.

Phase 8: Complete Password and Access Reset

You are almost done. Now, lock the doors.

  1. Hosting: Change your cPanel/Plesk password.
  2. FTP: Change all FTP user passwords.
  3. Database: Create a new database user password and update it in wp-config.php.
  4. WordPress: Force a password reset for all users.

What If You’re Locked Out of Your WordPress Dashboard?

Resetting Admin Password via phpMyAdmin

  1. Go to wp_users table.
  2. Find your username.
  3. Edit the row.
  4. In the user_pass field, select MD5 in the function dropdown.
  5. Type your new password in the value field.
  6. Click Go.

Emergency Recovery via functions.php

If you need to create a new admin quickly, add this to your active theme’s functions.php file (via FTP):

PHP

function add_admin_acct(){
    $user = 'TemporaryAdmin';
    $pass = 'Password123!';
    $email = 'email@domain.com';
    if ( !username_exists( $user ) && !email_exists( $email ) ) {
        $user_id = wp_create_user( $user, $pass, $email );
        $user = new WP_User( $user_id );
        $user->set_role( 'administrator' );
    }
}
add_action('init','add_admin_acct');

Remove this code immediately after logging in.


Verifying Your Site Is Completely Clean

Running Multiple Malware Scans

Now that the manual work is done, run Wordfence or GotMLS again. They should return zero issues.

Testing All Site Functionality

Check your checkout process, contact forms, and mobile view. Sometimes removing malware breaks functionality if the malware had modified core files.

Checking for Reinfection Signs

Wait 24 hours. Check the “Last Modified” dates on your files again. If files are changing without your input, the backdoor is still there.


Recovering Your Site’s Reputation After a Hack

Removing Your Site from Google’s Blacklist

  1. Go to Google Search Console.
  2. Navigate to Security & Manual Actions > Security Issues.
  3. If Google flags issues, select “I have fixed these issues” and “Request Review.”
  4. Describe clearly what you did (e.g., “Deleted infected core files, updated plugins, reset passwords”).

Clearing Other Security Blacklists

Check your site on VirusTotal. If vendors like McAfee or Norton flag you, you may need to submit whitelist requests on their respective websites.


Post-Mortem: How Did Your WordPress Site Get Hacked?

Outdated WordPress Core, Plugins, or Themes

This is the #1 cause. A known vulnerability in an old plugin is an open door.

Nulled (Pirated) Themes and Plugins

If you downloaded a “Pro” plugin for free from a warehouse site, it likely contained the malware payload pre-installed. Never use nulled software.

Vulnerable REST API Endpoints

Hackers can use the API to enumerate users. See our No-Plugin Security Guide for how to disable this.


Fortifying Your Site: Complete WordPress Security Hardening

Cleaning is half the battle. Now you must prevent it from happening again.

Implementing Automatic Updates

Enable auto-updates for minor versions in wp-config.php:

define( ‘WP_AUTO_UPDATE_CORE’, ‘minor’ );

Enforcing Strong Passwords and Two-Factor Authentication (2FA)

Install a lightweight 2FA plugin or use the “No-Plugin” Basic Auth method.

Setting Correct File and Folder Permissions

Ensure folders are 755 and files are 644wp-config.php should be 400 or 440.

Setting Up a Bulletproof Backup Strategy

Do not rely on your host. Use a solution that saves backups to an external cloud (Google Drive, S3).

When to Hire a Professional WordPress Security Service

Signs the Hack Is Beyond DIY Repair

  • The malware reinfects the site immediately after cleaning.
  • You have multiple sites on the same server that are cross-infecting each other.
  • The database is corrupted, and posts are missing.

Reputable WordPress Security Companies to Consider

If you are overwhelmed, our team at Ulement specialises in Malware Removal Service. We can perform forensic cleaning and implement the hardening strategies mentioned in this guide.


Conclusion: From Crisis to Confidence – Your Path Forward

Recovering from a hack is stressful, but it is also an opportunity. By rebuilding your site’s security architecture from the ground up, you end up with a faster, safer, and more resilient website.

If you have followed this guide, your site should now be clean. Your next step is to focus on performance and SEO recovery. Check out our Website Load Speed Improvement Guide to ensure your clean site runs faster than ever, or consult our SEO Services to regain your lost traffic.


FAQs About Cleaning Hacked WordPress Sites

Yes. As long as your database (content) is intact, you can rebuild the site files around it.

A thorough manual cleanup takes 2-6 hours. Automatic scanners are faster but often miss backdoors.

Usually, no. Your blog posts and pages are in the database. Replacing core files and plugins does not delete database content.

You need zero results on server-side scans, clean logs for 24 hours, and a clear status in Google Search Console.

Yes, if you don’t patch the vulnerability (hole) that let them in. Hardening your site is mandatory after cleanup.

Get
Free Site Audit

Analyse your speed, security, and SEO gaps. Get a clear roadmap to outrank your competition.

Ger Started