Key Takeaways: What You’ll Learn in This Guide
- Immediate Triage: How to stop the bleeding and protect your visitors immediately.
- The “No-Backup” Strategy: How to surgically reconstruct your site even if you have zero restore points.
- Forensic Cleanup: Step-by-step instructions to find hidden malware in files and the database.
- Reputation Recovery: How to get off Google’s blacklist and restore your SEO rankings.

Don’t Panic: Understanding Your Situation First
Discovering your site has been compromised is a heart-dropping moment. Whether your screen is displaying a “This site may be hacked” warning from Google or redirecting to a gambling site, the adrenaline spike is real. However, panic leads to mistakes.
Why Having No Backup Isn’t the End of the World
The most common fear is “I have no backup, so I have lost everything.” This is rarely true.
WordPress separates your content (stored in the database) from the software (core files, plugins, themes). In 95% of hacks, the attackers want to hijack your traffic, not delete your database. Your blog posts, page content, and customer data are likely still sitting safely in the database, surrounded by infected files. We can strip away the infected software and reconnect the clean database.
Realistic Timeline: How Long Will Recovery Take?
This is not a five-minute fix. A thorough manual cleanup typically takes between 2 to 6 hours, depending on the severity of the infection and your technical familiarity. If you are cleaning a large ecommerce site, it may take longer. Clear your schedule for the day.
DIY vs. Professional Help: Making the Right Choice
This guide is technical. You will need to use FTP, access your database, and potentially use command-line tools.
- DIY: If you are comfortable editing
wp-config.phpand know what an SQL query is, proceed with this guide. - Pro: If the terms “FTP” or “phpMyAdmin” sound alien to you, or if this is a high-revenue business site, it is safer to hire an expert. Our Malware Removal Services can handle the cleanup for you to ensure no residual backdoors are left behind.
How to Confirm Your WordPress Site Has Been Hacked
Visual and Frontend Warning Signs
- Defacement: The homepage has been replaced by a message claiming the site was hacked by a specific group.
- Pop-ups: Visitors complain about aggressive pop-ups or new tabs opening automatically.
- White Screen: The site fails to load entirely (often caused by a syntax error in the malware code).
WordPress Dashboard and Admin Anomalies
- Login Failure: Your admin password no longer works, and the “Lost Password” email never arrives.
- New Administrators: You see users like
admin_123orwp_updaterin the Users tab that you did not create. - Strange Plugins: A plugin appears that you didn’t install, often hidden with a generic name like “Core Security” or “WP Maintenance”.
SEO Red Flags and Google Search Console Warnings
- The “Japanese Keyword Hack”: Your Google search results show Japanese characters selling counterfeit goods.
- Meta Description Changes: Your search snippets display spammy text about pharmaceuticals or loans.
- GSC Alert: Google Search Console sends an email explicitly stating “Security issue detected.”
Server-Level Indicators and File Activity
- Spike in Usage: Your host emails you about exceeding CPU or memory limits (due to cryptomining scripts).
- Modified Files: Core files like
index.phporwp-config.phpshow “Last Modified” dates from today or yesterday, even though you haven’t updated anything.
Quick Diagnostic Tools to Confirm the Hack
Before you start digging, run a remote scan:
- Sucuri SiteCheck: A free remote scanner that checks for visible malware and blacklist status.
- Google Safe Browsing Transparency Report: Check if Google has officially flagged your URL.
Common Types of WordPress Hacks (And Why It Matters for Cleanup)
Understanding hack types determines your cleanup strategy. Database spam needs SQL surgery; backdoors require file forensics. Here’s the 2026 breakdown:
2025 WordPress Hack Evolution
WordPress 6.5+ introduced new attack surfaces that traditional scanners miss:
Block Editor Risks
Malware now hides in /wp-content/block-templates/*.json files:
bash
find . -name "*.json" -exec grep -l "eval\|base64" {} \;
Impact: Dynamic spam pages regenerate after cleanup.[1]
AI-Generated Malware
Hackers use AI to create obfuscated JS backdoors:
bash
grep -r "atob.*document\|eval.*fromCharCode" /wp-content/themes/
Impact: Evades signature-based scanners like Wordfence.
Prevent Future Attacks: Follow our No-Plugin Hardening Guide.
SEO Spam and Pharma Hacks
The attacker injects thousands of pages selling Viagra or Cialis. These are often database-heavy infections.
Japanese Keyword Hack
Similar to Pharma hacks but creates pages in Japanese. These are notoriously difficult to clean because they often hijack the .htaccess file and generate pages dynamically.
Malicious Redirects
Code injected into header.php or JavaScript files sends your mobile visitors to scam sites while showing desktop visitors (and you) the normal site.
Backdoor Infections
Small snippets of code (like eval(base64_decode)) hidden in legitimate files. They allow the hacker to regain access even after you change your password.
Common Types of WordPress Hacks (And Why It Matters for Cleanup)
Understanding hack types determines your cleanup strategy. Database spam needs SQL surgery; backdoors require file forensics. Here’s the 2025 breakdown:[1]
WordPress Hack Types Comparison
|
Hack Type |
Description |
Primary Targets |
Detection Methods |
Cleanup Priority |
2025 Evolution |
|---|---|---|---|---|---|
|
SEO Spam & Pharma Hacks |
Injects thousands of spam pages selling Viagra/Cialis for SEO poisoning |
Database (wp_posts, wp_options) |
GSC alerts, SQL: |
High (DB heavy) |
AI-generated doorway pages |
|
Japanese Keyword Hack |
Creates dynamic Japanese spam pages, hijacks .htaccess for generation |
.htaccess, wp_options |
Japanese chars in SERPs, dynamic URL scan |
Critical (regen) |
Block JSON template injection |
|
Malicious Redirects |
Mobile-only redirects to scams via injected JS/header code |
header.php, JS files |
Mobile browser test, Sucuri scan, |
High (user harm) |
AI-obfuscated JS backdoors |
|
Backdoor Infections |
Hidden eval(base64_decode) snippets for persistent re-access |
functions.php, index.php, uploads |
|
Critical (persists) |
WP 6.5+ block template malware |
Emergency First Response: Critical Steps in the First 30 Minutes
Step 1: Document Everything Before Making Changes
Take screenshots of the dashboard, the hack itself, and any error messages. If this is a business site, you may need this for insurance or legal reasons later.
Step 2: Put Your Site into Maintenance Mode Immediately
Do not let users get infected. Create a file named .maintenance in your root directory or use your hosting panel to suspend the site temporarily.
Step 3: Contact Your Hosting Provider
Even if you don’t have backups, they might. Many managed hosts (like those utilizing cPanel/Plesk) keep server-level backups for 7-30 days. Ask them immediately if they can restore the site to a date before the infection signs appeared.
Step 4: Change All Access Passwords Right Now
Assume they have your keys. Change:
- Hosting Panel Login.
- FTP/SFTP accounts.
- Database user password.
- Your email password (if it is linked to the admin account).
Step 5: Create a Backup of the Hacked State (Yes, Really)
This sounds counter-intuitive, but downloading the infected site allows you to:
- Recover specific images or content files later if you accidentally delete too much.
- Analyze how the hack happened later (forensics).Label this folder clearly: DANGER_HACKED_SITE_BACKUP.
The Ultimate Guide to Cleaning a Hacked WordPress Site Step-by-Step
Essential Tools and Preparation Checklist
Free vs. Premium Malware Scanning Tools Compared
- Wordfence (Free): Excellent for deep file scanning. It compares your core files against the official WordPress repository.
- GotMLS (Anti-Malware Security and Brute-Force Firewall): A highly rated free tool specifically designed to find “known threats” that other scanners miss.
FTP/SFTP Access Requirements
You need a client like FileZilla or Cyberduck. You cannot rely on the WordPress dashboard file editor, as it might be broken or compromised.
Database Access via phpMyAdmin or Command Line
You will need access to your hosting control panel to run SQL queries.
Phase 1: Full Site Malware Scan
Using Security Plugins
If you can still access your dashboard:
- Install Wordfence.
- Go to scan settings and enable “Scan theme and plugin files against repository versions” and “Scan outside your WordPress installation”.
- Run the scan. Note down every file it flags. Do not just click “Delete” yet. We need to understand what is being removed.
Server-Level Scanning Tools
If you have SSH access, use clamav (if installed) or manual grep commands (detailed in Phase 4) to find infections without relying on PHP.
Phase 2: Cleaning WordPress Core Files
This is the “Nuclear Option” for core files and is the only way to be 100% sure the core is clean.
How to Safely Replace Core Files Without Losing Data
- Download a fresh version of WordPress from WordPress.org.
- Unzip it on your computer.
- Connect to your server via FTP.
- Delete the
wp-adminandwp-includesdirectories on your server. - Upload the fresh
wp-adminandwp-includesdirectories from your computer. - Upload the fresh individual
.phpfiles from the root folder (index.php,wp-login.php, etc.) and overwrite the old ones.
Files You Should Never Delete
Do NOT delete:
wp-content/(This holds your images, themes, and plugins).wp-config.php(This connects your site to the database)..htaccess(Though you must inspect it).
Phase 3: Cleaning the wp-content Folder
This is the most tedious part. Malware loves to hide here.
Inspecting and Cleaning Plugin Files
The safest method is to note which plugins you have, delete the plugin folders entirely, and re-install them fresh from the WordPress repository. Malware often hides inside /wp-content/plugins/legit-plugin/malicious-file.php.
Inspecting and Cleaning Theme Files
- If you use a free/premium theme (like Blocksy or Bricks Builder) and have not modified the code: Delete the theme folder and re-install a fresh copy.
- If you have a Custom Child Theme: You must manually inspect every file (
functions.php,header.php,footer.php) for injected code. Look for long strings of random characters.
Reviewing the Uploads Folder for Malicious Files
The /wp-content/uploads/ folder should only contain media (images, PDFs, videos).
- Open the folder in FTP.
- Search for any file ending in
.php,.phtml, or.js. - Delete them. There is almost no valid reason for a PHP file to exist in your uploads folder.
Phase 4: Finding and Removing Hidden Backdoors
Common Backdoor Code Patterns to Search For
Hackers leave “keys” to let themselves back in. Look for:
eval(base64_decode(gzinflate(shell_exec(
Using Linux Commands to Find Malicious Code (SSH Access)
If you have terminal access, run this command inside your public_html directory to find suspicious files instantly:
Bash
grep -rE "base64_decode|eval\(|gzinflate|shell_exec" .
Obfuscated Code: What It Looks Like and How to Remove It
Legitimate code is readable (e.g., echo “Hello World”;). Obfuscated code looks like a scramble:
$sF=”bas”.”e64_d”.”ecode”; eval($sF(“XZy…”));
If you see this in header.php or wp-config.php, delete the code block immediately.
Phase 5: Deep Cleaning Your WordPress Database
Checking wp_options for Malicious Entries
Hackers often store redirect scripts in the wp_options table (specifically the siteurl or home fields, or inside widget data).
- Open phpMyAdmin.
- Browse
wp_options. - Ensure
siteurlandhomematch your actual website URL.
Scanning wp_posts for Injected Spam Content
Run a search in phpMyAdmin for spam terms (e.g., “viagra”, “casino”, “loan”).
SQL
SELECT * FROM wp_posts WHERE post_content LIKE '%viagra%';
If you find results, you can manually delete them or use a bulk SQL command to clean them.
Auditing wp_users for Unauthorized Admin Accounts
Check the wp_users table. If you see a user you don’t recognise, check their permissions in wp_usermeta. If they are an administrator, delete the user.
Phase 6: Reinstalling Themes and Plugins from Trusted Sources
Why You Must Download Fresh Copies
Do not rely on your old backups for plugin files; they might be infected too. Always download fresh copies from the official repository or the developer’s site.
Preserving Your Settings and Configurations
Reinstalling a plugin usually does not delete its settings (which are stored in the database). When you re-upload “WooCommerce,” your products and settings will still be there.
Phase 7: Securing wp-config.php and .htaccess
Regenerating WordPress Secret Keys and Salts
This invalidates all current login cookies.
- Go to the WordPress Salt Generator.
- Copy the new keys.
- Edit
wp-config.phpand replace the old keys.
Cleaning and Securing .htaccess
Hackers use .htaccess to redirect visitors.
- Rename your current
.htaccessto.htaccess_old. - Login to WordPress > Settings > Permalinks.
- Click “Save Changes”. WordPress will generate a fresh, clean
.htaccessfile.
Phase 8: Complete Password and Access Reset
You are almost done. Now, lock the doors.
- Hosting: Change your cPanel/Plesk password.
- FTP: Change all FTP user passwords.
- Database: Create a new database user password and update it in
wp-config.php. - WordPress: Force a password reset for all users.
What If You’re Locked Out of Your WordPress Dashboard?
Resetting Admin Password via phpMyAdmin
- Go to
wp_userstable. - Find your username.
- Edit the row.
- In the
user_passfield, select MD5 in the function dropdown. - Type your new password in the value field.
- Click Go.
Emergency Recovery via functions.php
If you need to create a new admin quickly, add this to your active theme’s functions.php file (via FTP):
PHP
function add_admin_acct(){
$user = 'TemporaryAdmin';
$pass = 'Password123!';
$email = 'email@domain.com';
if ( !username_exists( $user ) && !email_exists( $email ) ) {
$user_id = wp_create_user( $user, $pass, $email );
$user = new WP_User( $user_id );
$user->set_role( 'administrator' );
}
}
add_action('init','add_admin_acct');
Remove this code immediately after logging in.
Verifying Your Site Is Completely Clean
Running Multiple Malware Scans
Now that the manual work is done, run Wordfence or GotMLS again. They should return zero issues.
Testing All Site Functionality
Check your checkout process, contact forms, and mobile view. Sometimes removing malware breaks functionality if the malware had modified core files.
Checking for Reinfection Signs
Wait 24 hours. Check the “Last Modified” dates on your files again. If files are changing without your input, the backdoor is still there.
Recovering Your Site’s Reputation After a Hack
Removing Your Site from Google’s Blacklist
- Go to Google Search Console.
- Navigate to Security & Manual Actions > Security Issues.
- If Google flags issues, select “I have fixed these issues” and “Request Review.”
- Describe clearly what you did (e.g., “Deleted infected core files, updated plugins, reset passwords”).
Clearing Other Security Blacklists
Check your site on VirusTotal. If vendors like McAfee or Norton flag you, you may need to submit whitelist requests on their respective websites.
Post-Mortem: How Did Your WordPress Site Get Hacked?
Outdated WordPress Core, Plugins, or Themes
This is the #1 cause. A known vulnerability in an old plugin is an open door.
Nulled (Pirated) Themes and Plugins
If you downloaded a “Pro” plugin for free from a warehouse site, it likely contained the malware payload pre-installed. Never use nulled software.
Vulnerable REST API Endpoints
Hackers can use the API to enumerate users. See our No-Plugin Security Guide for how to disable this.
Fortifying Your Site: Complete WordPress Security Hardening
Cleaning is half the battle. Now you must prevent it from happening again.
Implementing Automatic Updates
Enable auto-updates for minor versions in wp-config.php:
define( ‘WP_AUTO_UPDATE_CORE’, ‘minor’ );
Enforcing Strong Passwords and Two-Factor Authentication (2FA)
Install a lightweight 2FA plugin or use the “No-Plugin” Basic Auth method.
Setting Correct File and Folder Permissions
Ensure folders are 755 and files are 644. wp-config.php should be 400 or 440.
Setting Up a Bulletproof Backup Strategy
Do not rely on your host. Use a solution that saves backups to an external cloud (Google Drive, S3).
The ‘No-Plugin’ WordPress Security Guide: Complete Manual Hardening for 2026
The “Silent Scout”: Anatomy of a WordPress Breach (And How We Locked It Down)
When to Hire a Professional WordPress Security Service
Signs the Hack Is Beyond DIY Repair
- The malware reinfects the site immediately after cleaning.
- You have multiple sites on the same server that are cross-infecting each other.
- The database is corrupted, and posts are missing.
Reputable WordPress Security Companies to Consider
If you are overwhelmed, our team at Ulement specialises in Malware Removal Service. We can perform forensic cleaning and implement the hardening strategies mentioned in this guide.
Conclusion: From Crisis to Confidence – Your Path Forward
Recovering from a hack is stressful, but it is also an opportunity. By rebuilding your site’s security architecture from the ground up, you end up with a faster, safer, and more resilient website.
If you have followed this guide, your site should now be clean. Your next step is to focus on performance and SEO recovery. Check out our Website Load Speed Improvement Guide to ensure your clean site runs faster than ever, or consult our SEO Services to regain your lost traffic.


