How do you know if your WordPress site has been hacked?
Most hacks are not obvious. You will not always see a defaced homepage. The signs are subtler: unexpected redirects to spam sites, new admin users you did not create, Google Search Console security warnings, sudden drops in organic traffic, or your hosting provider suspending your account.
Check these indicators immediately:
| Symptom | What It Means | Severity |
|---|---|---|
| Redirects to spam/pharma sites | Injected JavaScript or .htaccess redirect | High |
| Google “This site may be hacked” warning | Google detected malware during crawl | Critical |
| Unknown admin users in wp-admin | Attacker created persistent access | Critical |
| Spam pages indexed in Google (site:yourdomain.com) | SEO spam injection (Japanese keyword hack) | High |
| Hosting account suspended | Host detected outbound spam or resource abuse | Critical |
| Slow site with high server load | Cryptominer or spam relay running | Medium |
If you see any of these, your site is compromised. Do not wait – act now.
What should you do first when your WordPress site is hacked?
Take the site offline immediately. This prevents further damage to visitors and stops Google from crawling infected pages (which tanks your rankings faster).
Step 1: Enable maintenance mode or block public access.
Add this to your .htaccess file temporarily:
```apache
# Apache 2.2 directives; Apache 2.4 still accepts them through mod_access_compat
# (the native 2.4 equivalent is a single "Require ip YOUR.IP.ADDRESS" line)
order deny,allow
deny from all
allow from YOUR.IP.ADDRESS
```
Make sure to replace the YOUR.IP.ADDRESS with your actual IP address – you can get it here: https://www.whatismyip.com/.
Or if you have WP-CLI access:
```shell
wp maintenance-mode activate
```
Step 2: Change all passwords immediately.
- WordPress admin passwords (all users)
- Database password (in wp-config.php)
- FTP/SFTP credentials
- Hosting control panel password
- Any API keys stored in wp-config.php
Do this before cleanup. If the attacker has your credentials, they will reinfect during your cleanup.
Step 3: Take a full backup of the infected site.
Yes, back up the hacked version. You need it for forensics – understanding what was changed and when. Label it clearly so nobody accidentally restores it.
How do you find and remove malware from WordPress?
I use a combination of automated scanning and manual file inspection. Neither alone is sufficient.
Automated scanning:
- Server-side malware scanners that check every file against known malicious signatures
- WordPress core and plugin integrity verification (comparing files against official checksums)
- Database scanning for injected content and unauthorized modifications
Manual inspection targets:
- wp-config.php – Look for eval(), base64_decode(), or unfamiliar require/include statements above the “That’s all, stop editing” comment
- .htaccess files – Check root and every subdirectory. Hackers add redirect rules in nested .htaccess files
- wp-content/uploads/ – PHP files should never exist here. Any .php file in uploads is almost certainly malicious
- Theme functions.php – Injected code often hides at the very top or bottom of this file
- Database wp_options table – Check siteurl, home, and any options with base64-encoded values
What to look for in files:
- eval(base64_decode(...))
- eval(gzinflate(base64_decode(...)))
- preg_replace() with the /e modifier
- $_POST/$_GET/$_REQUEST passed into eval()
- str_rot13()
- chr() chains building strings
Remove every instance. If a core file is modified, replace it with a clean copy from wordpress.org matching your exact version.
How do you identify the entry point?
Finding the malware is half the job. You also need to find how they got in, or they will be back within days.
Common entry points in 2026:
- Vulnerable plugins (80%+ of WordPress hacks) – Check your plugins against the WPScan vulnerability database. Pay attention to plugins that have not been updated in 12+ months.
- Weak admin credentials – If any admin account used a password like “admin123” or appeared in a breach database, that is likely the entry point.
- Outdated PHP version – PHP 7.4 reached end-of-life in 2022. If your host still runs it, known exploits exist.
- Compromised hosting neighbor – On shared hosting, a compromised site in another account can sometimes access yours through symlink attacks.
How to narrow it down:
Check file modification dates. The oldest modified malicious file is usually closest to the entry point. Server access logs (if available) from that date will show the initial exploit request.
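The two steps above (grepping files for the listed patterns, then using modification times to find the oldest malicious file and the access-log entries from that day) as one added shell example. This is not the article's own tooling: the WordPress tree, the "infected" files, the access log and the date format are all constructed for the demo, and the date lookup assumes GNU date.

```shell
#!/bin/sh
# Added example, not part of the original article: scan a WordPress tree for
# the file patterns listed above, treat any PHP under uploads as suspect, pick
# the earliest-modified flagged file, and pull that day's requests from an
# Apache-style access log. Every sample file and log line here is constructed.
export LC_ALL=C

flagged_files() {
  # $1 = WordPress root. Prints each suspicious file once (paths without spaces).
  {
    find "$1" -type f -name '*.php' -exec grep -lE \
      -e 'eval *\( *(base64_decode|gzinflate)' \
      -e "preg_replace *\(.*/[a-zA-Z]*e[a-zA-Z]*[\"']" \
      -e 'eval *\(.*\$_(POST|GET|REQUEST)' \
      -e 'str_rot13 *\(' \
      -e 'chr *\([0-9]+\)( *\. *chr *\([0-9]+\)){2,}' \
      /dev/null {} + 2>/dev/null || true
    # Any PHP file under uploads is suspect regardless of its content.
    find "$1/wp-content/uploads" -type f -name '*.php' 2>/dev/null || true
  } | sort -u
}

count_flagged() { flagged_files "$1" | wc -l | tr -d ' '; }

oldest_flagged() {
  # Earliest-modified flagged file: usually the one closest to the entry point.
  files=$(flagged_files "$1")
  [ -n "$files" ] || return 1
  printf '%s\n' "$files" | xargs ls -tr | head -n 1
}

log_lines_for_file_date() {
  # $1 = flagged file, $2 = access log. Prints the requests logged on the day
  # the file was last modified. Uses GNU "date -r FILE" (BSD date differs).
  day=$(date -r "$1" +%d/%b/%Y)
  grep -F "[$day" "$2" || true
}

make_fixture() {
  # Constructed, inert stand-in for an infected site, written under $1.
  mkdir -p "$1/wp-content/themes/demo" "$1/wp-content/uploads/2026/01" "$1/wp-includes"
  printf '<?php\nfunction wp_demo() { return true; }\n' > "$1/wp-includes/clean.php"
  printf "<?php\nadd_action('init', 'demo_init');\n" > "$1/wp-content/themes/demo/clean.php"
  # Obfuscated loader added to the theme (placeholder string, not a real payload).
  printf '<?php\n$payload = "AAAA";\neval(base64_decode($payload));\n' \
    > "$1/wp-content/themes/demo/functions.php"
  # PHP dropped into uploads, built from chr()/str_rot13() to dodge naive greps.
  printf '<?php\n$s = chr(104).chr(105).chr(33);\necho str_rot13($s);\n' \
    > "$1/wp-content/uploads/2026/01/x.php"
  # The uploads file is two days older than the theme edit, so it marks the entry.
  touch -t 202601010300 "$1/wp-content/uploads/2026/01/x.php"
  touch -t 202601031000 "$1/wp-content/themes/demo/functions.php"
  cat > "$1/access.log" <<'EOF'
203.0.113.5 - - [01/Jan/2026:03:14:07 +0000] "POST /wp-content/plugins/example-plugin/upload.php HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.5 - - [01/Jan/2026:03:14:09 +0000] "GET /wp-content/uploads/2026/01/x.php HTTP/1.1" 200 27 "-" "Mozilla/5.0"
198.51.100.9 - - [03/Jan/2026:10:00:00 +0000] "GET / HTTP/1.1" 200 8192 "-" "Mozilla/5.0"
EOF
}

# Demo on a throwaway fixture. Real use: flagged_files /var/www/html
demo=$(mktemp -d)
make_fixture "$demo"
echo "Flagged files ($(count_flagged "$demo")):"
flagged_files "$demo"
first=$(oldest_flagged "$demo")
echo "Oldest flagged file: $first"
echo "Access log entries from that day:"
log_lines_for_file_date "$first" "$demo/access.log"
rm -rf "$demo"
```

On the constructed tree the scan flags the theme's functions.php and the PHP file under uploads, the uploads file wins on age, and the two log lines from its modification day show the request sequence that preceded it. On a real site, expect false positives from legitimate plugins that use base64_decode or str_rot13; the list is a starting point for manual review, not a verdict.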
How do you harden WordPress after cleaning a hack?
Cleanup without hardening is temporary. Here is what I configure on every site after remediation:
- Update everything – WordPress core, all plugins, all themes. Delete unused themes and plugins entirely.
- Enforce strong passwords – Require 16+ character passwords for all admin accounts. Enable two-factor authentication.
- Block PHP execution in uploads – Add a .htaccess rule to wp-content/uploads/ that prevents PHP execution.
- Change database prefix – If still using wp_, change it. Automated SQL injection tools target the default prefix.
- Install a WAF – Cloudflare (free tier works) or Wordfence firewall. Block known attack patterns at the edge.
- Set correct file permissions – Directories at 755, files at 644, wp-config.php at 400.
- Remove the file editor – Add define('DISALLOW_FILE_EDIT', true); to wp-config.php.
- Limit login attempts – Block IPs after 5 failed attempts. Most brute-force attacks try thousands of combinations.
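Three of the items in this list (blocking PHP execution in uploads, the 755/644/400 permissions, and DISALLOW_FILE_EDIT) plus a check for the default table prefix, as an added shell example rather than anything the article ships. It runs against a constructed stand-in tree; the wp-config.php contents, the .htaccess directives and the /var/www/html path in the usage comment are assumptions.

```shell
#!/bin/sh
# Added example, not from the original article: apply three of the hardening
# items above to a WordPress root (no PHP execution in uploads, 755/644/400
# permissions, DISALLOW_FILE_EDIT), verify them, and flag a wp_ table prefix.
# Demoed on a constructed tree; the wp-config.php contents are a stand-in.

harden_uploads() {
  # .htaccess denying PHP-like files under uploads; both the Apache 2.4
  # (mod_authz_core) and the 2.2-style directives are included.
  mkdir -p "$1/wp-content/uploads"
  cat > "$1/wp-content/uploads/.htaccess" <<'EOF'
<FilesMatch "\.(php|phtml|phar|php[0-9])$">
  <IfModule mod_authz_core.c>
    Require all denied
  </IfModule>
  <IfModule !mod_authz_core.c>
    Order deny,allow
    Deny from all
  </IfModule>
</FilesMatch>
EOF
}

disallow_file_edit() {
  # Insert define('DISALLOW_FILE_EDIT', true); above the "stop editing" marker
  # (or append it when the marker is missing). Safe to run more than once.
  cfg="$1/wp-config.php"
  if grep -q 'DISALLOW_FILE_EDIT' "$cfg"; then return 0; fi
  def="define('DISALLOW_FILE_EDIT', true);"
  if grep -q 'stop editing' "$cfg"; then
    awk -v line="$def" '/stop editing/ && !done { print line; done = 1 } { print }' \
      "$cfg" > "$cfg.tmp" && mv "$cfg.tmp" "$cfg"
  else
    printf '%s\n' "$def" >> "$cfg"
  fi
}

set_permissions() {
  # Directories 755, files 644, wp-config.php 400.
  find "$1" -type d -exec chmod 755 {} +
  find "$1" -type f -exec chmod 644 {} +
  if [ -f "$1/wp-config.php" ]; then chmod 400 "$1/wp-config.php"; fi
}

harden_wp() { harden_uploads "$1"; disallow_file_edit "$1"; set_permissions "$1"; }

uses_default_prefix() {
  # Returns 0 when wp-config.php still carries the default wp_ prefix.
  grep -Eq "^\\\$table_prefix[[:space:]]*=[[:space:]]*['\"]wp_['\"]" "$1/wp-config.php"
}

count_bad_perms() {
  # Entries violating the 755/644 rule (wp-config.php is checked separately).
  { find "$1" -type d ! -perm 755
    find "$1" -type f ! -name wp-config.php ! -perm 644; } | wc -l | tr -d ' '
}

check_hardening() {
  # Returns 0 when every item is in place; otherwise lists what is missing.
  ok=0
  grep -q 'Require all denied' "$1/wp-content/uploads/.htaccess" 2>/dev/null \
    || { echo "uploads .htaccess missing"; ok=1; }
  grep -q 'DISALLOW_FILE_EDIT' "$1/wp-config.php" 2>/dev/null \
    || { echo "DISALLOW_FILE_EDIT missing"; ok=1; }
  [ "$(count_bad_perms "$1")" = "0" ] || { echo "permissions drifted"; ok=1; }
  [ -n "$(find "$1" -name wp-config.php -perm 400)" ] \
    || { echo "wp-config.php is not 400"; ok=1; }
  return $ok
}

make_fixture() {
  # Constructed stand-in for a freshly restored site with sloppy permissions.
  mkdir -p "$1/wp-content/uploads/2026/01" "$1/wp-content/plugins"
  cat > "$1/wp-config.php" <<'EOF'
<?php
define('DB_NAME', 'example');
$table_prefix = 'wp_';
/* That's all, stop editing! Happy publishing. */
require_once ABSPATH . 'wp-settings.php';
EOF
  printf 'placeholder image bytes\n' > "$1/wp-content/uploads/2026/01/photo.jpg"
  printf '<?php\n// plugin stub\n' > "$1/wp-content/plugins/demo.php"
  chmod 777 "$1/wp-content/plugins/demo.php" "$1/wp-content/uploads"
}

# Demo on a throwaway tree. Real use: harden_wp /var/www/html && check_hardening /var/www/html
demo=$(mktemp -d)
make_fixture "$demo"
echo "Before: $(count_bad_perms "$demo") entries with wrong permissions"
harden_wp "$demo"
check_hardening "$demo" && echo "After: all hardening checks pass"
uses_default_prefix "$demo" && echo "Still using the wp_ table prefix: change it"
rm -rf "$demo"
```

check_hardening is the piece to keep around: run it from cron after the cleanup week the article recommends, since a reinfection or a careless plugin update often shows up first as a PHP file in uploads or as permissions drifting back to 777.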
How long does it take to fix a hacked WordPress site?
Simple infections (injected scripts in theme files, spam links in posts) take 2-4 hours to clean and harden. Complex compromises (database-level backdoors, multiple reinfection vectors, rootkit-style persistence) can take 1-3 days for full remediation and verification.
The verification step matters. After cleanup, I run scans daily for a week to confirm the infection does not return. Reinfection within 48 hours means you missed a backdoor or did not patch the entry point.
When should you hire a professional instead of fixing it yourself?
Fix it yourself if: you are comfortable with SSH, can read PHP code, and the infection is limited to a few files you can identify.
Hire a professional if: Google is showing security warnings (time-sensitive SEO damage), you cannot identify the entry point, the infection keeps returning after cleanup, or customer data may have been exposed (legal and compliance implications).
The cost of professional WordPress malware removal typically runs $200-$600 depending on severity. Compare that to the cost of lost revenue, damaged rankings, and customer trust erosion from a prolonged infection.
Frequently Asked Questions
Yes, but it takes time. After cleanup, submit a reconsideration request through Google Search Console. Rankings typically recover within 2-4 weeks if the infection is fully removed and Google re-crawls clean pages. Sites with security warnings lose rankings faster and recover slower than sites caught early.
Only if the infection is so deep that cleanup would take longer than rebuilding, or if the site was already outdated and due for a redesign. Most hacks can be cleaned without rebuilding. A fresh install with restored content from a clean backup is the middle ground — faster than full cleanup, less work than a redesign.
Keep everything updated (core, plugins, themes), use strong unique passwords with two-factor authentication, install a web application firewall, monitor file integrity, and run regular vulnerability scans. A WordPress security maintenance plan automates all of this so nothing falls through the cracks.
Need help cleaning up your hacked website?
Get in touch and our team can assist with your hacked site cleanup.