Guides April 22, 2026 12 min read

My WordPress Site Was Hacked – Here’s Exactly What to Do

A step-by-step incident response guide for hacked WordPress sites. From locking down access and scanning for malware to cleaning files, removing backdoors, and hardening the site so it doesn't happen again.

You’ve just discovered your WordPress site has been hacked. Maybe Google flagged it as dangerous. Maybe your host suspended it. Maybe a visitor told you the homepage is showing something it shouldn’t. Whatever the signal – the feeling is the same: panic, confusion, and a clock that feels like it’s ticking.

Take a breath. A compromised site is a serious problem, but it’s a solvable one. Thousands of WordPress sites get cleaned and hardened every week. This guide walks you through the entire process, step by step – from the moment you realize something is wrong to a fully cleaned, locked-down, and monitored site.

Work through this in order. Don’t skip ahead.


Before You Start: Understand What You’re Dealing With

Hacks come in several forms, and knowing which type you’re dealing with helps you prioritize. Common categories include:

  • Malware injection – malicious code added to PHP files, the database, or JavaScript assets. Often redirects visitors, shows ads, or mines cryptocurrency.
  • Backdoor installation – a hidden file or code block that lets the attacker re-enter the site even after you change passwords. The most dangerous and most commonly missed.
  • Admin account creation – the attacker created a new administrator account, giving them persistent control through the WordPress dashboard.
  • SEO spam – hidden links to pharmaceutical or gambling sites appear in your pages, exploiting your domain authority.
  • Defacement – the attacker replaced the homepage or other pages with their own message. Usually more visible than other types but sometimes easier to clean.
  • Data exfiltration – the attacker copied your database, customer data, or credentials. May leave no visible trace on the front end.

Most real-world compromises involve more than one of these. Assume the worst until the scan proves otherwise.


Step 1 – Take the Site Offline Immediately

Your first priority is to stop the spread of damage – to your visitors, your SEO reputation, and your data.

Enable maintenance mode

Put the site in maintenance mode so visitors don’t see malicious content or get infected themselves. If you still have access to the WordPress dashboard, a simple maintenance plugin works, though keep in mind that a plugin still executes the site’s PHP, injected code included. If you don’t have dashboard access, create a temporary index.html file in the web root with a “site under maintenance” message. On most Apache configurations index.html is served ahead of index.php, so it takes precedence over WordPress’s routing; on nginx the order depends on the index directive in the server block, so load the site once to confirm the placeholder actually appears.

Contact your host

Let your hosting provider know immediately. Most managed WordPress hosts have an incident response process and can:

  • Isolate the account to prevent spread to other sites on shared hosting
  • Provide access to server logs from the period of the attack
  • Restore from a server-side backup if one exists
  • Confirm whether the compromise appears to have spread beyond the web root

Don’t assume the host will notice or act without you telling them.


Step 2 – Lock Down All Access Points

Before you do any cleaning, cut off the attacker’s active access. Otherwise, every file you clean can become re-infected within minutes.

Change every password – in this order

  1. WordPress admin passwords – change all administrator accounts, not just yours. Go to Users → All Users, edit each admin, and set a new strong password.
  2. Database password – update in your host’s control panel, then update the DB_PASSWORD value in wp-config.php to match.
  3. FTP/SFTP credentials – change in your host’s control panel. If an attacker stole your FTP password, they have direct filesystem access.
  4. Hosting control panel password – cPanel, Plesk, or your host’s custom dashboard.
  5. Email address associated with the domain – if an attacker controls this, they can reset everything else.

Regenerate WordPress secret keys

WordPress uses secret keys to secure authentication cookies. If the attacker had PHP access, they may have read these from wp-config.php. Generate fresh keys at api.wordpress.org/secret-key/1.1/salt/ and replace the corresponding lines in wp-config.php. This invalidates all existing login sessions, logging out any attacker who has an active session.
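As an added illustration of this step (example code, not from the guide or from Trusti), the script below rewrites the eight key and salt define() lines in wp-config.php. It generates the values locally with Python’s secrets module instead of fetching them from api.wordpress.org/secret-key/1.1/salt/; the result has the same shape, eight 64-character random strings, and WordPress only requires that they be long, random and unique to the site. SAMPLE_CONFIG is a constructed wp-config.php fragment, and rotate_config_file is an assumed helper name rather than anything WordPress ships.

```python
"""Rotate the WordPress authentication keys and salts in wp-config.php.

Added example, not the guide's or Trusti's code. Values are generated locally
with a CSPRNG rather than fetched from api.wordpress.org/secret-key/1.1/salt/.
"""
from __future__ import annotations

import re
import secrets
import shutil
import string
import time

# The eight constants WordPress uses to sign and encrypt authentication cookies.
WP_SECRET_KEYS = (
    "AUTH_KEY", "SECURE_AUTH_KEY", "LOGGED_IN_KEY", "NONCE_KEY",
    "AUTH_SALT", "SECURE_AUTH_SALT", "LOGGED_IN_SALT", "NONCE_SALT",
)

# Letters, digits and punctuation, minus the two characters that would need
# escaping inside a PHP single-quoted string literal.
_ALPHABET = string.ascii_letters + string.digits + "".join(
    c for c in string.punctuation if c not in "'\\"
)

# Matches define('NAME', 'value'); with either quote style and any spacing.
_DEFINE_RE = re.compile(
    r"""define\(\s*(['"])(?P<name>[A-Z_]+)\1\s*,\s*(['"])(?P<value>.*?)\3\s*\)\s*;"""
)


def generate_salt(length: int = 64) -> str:
    """Return a random string of the length wordpress.org's generator produces."""
    return "".join(secrets.choice(_ALPHABET) for _ in range(length))


def rotate_secret_keys(config_text: str) -> tuple[str, dict[str, str]]:
    """Return (rewritten wp-config.php text, {constant: new value}).

    Only the eight known constants are replaced; DB_PASSWORD and every other
    define() line pass through untouched. A constant absent from the file is
    absent from the returned dict, so the caller can notice.
    """
    new_values: dict[str, str] = {}

    def _replace(match: re.Match) -> str:
        name = match.group("name")
        if name not in WP_SECRET_KEYS:
            return match.group(0)
        new_values[name] = generate_salt()
        # Single quotes are safe: _ALPHABET contains neither ' nor \.
        return f"define('{name}', '{new_values[name]}');"

    return _DEFINE_RE.sub(_replace, config_text), new_values


def rotate_config_file(path: str) -> dict[str, str]:
    """Rewrite wp-config.php in place, keeping a timestamped backup beside it.

    The backup still holds the compromised keys; remove it once the site works.
    """
    with open(path, encoding="utf-8") as fh:
        original = fh.read()
    shutil.copy2(path, f"{path}.bak-{int(time.time())}")
    rewritten, new_values = rotate_secret_keys(original)
    with open(path, "w", encoding="utf-8") as fh:
        fh.write(rewritten)
    return new_values


# Constructed wp-config.php fragment with the stock placeholder values.
SAMPLE_CONFIG = """<?php
define( 'DB_NAME', 'wp_example' );
define( 'DB_PASSWORD', 'keep-me' );
define('AUTH_KEY',         'put your unique phrase here');
define('SECURE_AUTH_KEY',  'put your unique phrase here');
define('LOGGED_IN_KEY',    'put your unique phrase here');
define('NONCE_KEY',        'put your unique phrase here');
define('AUTH_SALT',        'put your unique phrase here');
define('SECURE_AUTH_SALT', 'put your unique phrase here');
define('LOGGED_IN_SALT',   'put your unique phrase here');
define('NONCE_SALT',       'put your unique phrase here');
$table_prefix = 'wp_';
"""

if __name__ == "__main__":
    text, rotated = rotate_secret_keys(SAMPLE_CONFIG)
    print(text)
    missing = [k for k in WP_SECRET_KEYS if k not in rotated]
    print("rotated:", len(rotated), "missing from file:", missing or "none")
```

Because every define() line is matched and only the eight named constants are rewritten, a DB_PASSWORD you already changed in the previous step is left alone, and a key the file never defined shows up as missing rather than being silently skipped.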

Remove unrecognized admin accounts

Go to Users → All Users and filter by the Administrator role. Delete any account you don’t recognize immediately. Be suspicious of accounts with generic names (admin, administrator, support, backup) or email addresses at domains you don’t recognize. If you’re not sure – delete it. Legitimate users will ask to have their access restored. Before deleting, record the username, email address and registration date for your incident notes, and when WordPress asks what to do with content owned by the account, attribute it to a trusted user rather than deleting it.

Revoke all application passwords and API tokens

Disable Application Passwords entirely from the Trusti Security Hardening module – this prevents any new tokens from being created and cuts off any attacker who obtained one. For third-party integrations (payment gateways, CRMs, email services), rotate their API keys directly from those platforms’ dashboards as well.


Step 3 – Scan for Malware and Modified Files

This is where the real investigation happens. You need to find every file the attacker touched, added, or modified – including files designed to look legitimate.

Run a Trusti Security scan

If you have the Trusti Security plugin installed, start here. The Core File Scanner compares every WordPress core file on your server against the official checksums from WordPress.org. It surfaces:

  • Modified core files – any WordPress file that differs from the official version gets flagged, along with exactly what changed. Attackers frequently inject code into wp-includes/ and wp-admin/ files because they’re less likely to be inspected.
  • Extra files in core directories – files that don’t belong in wp-admin/ or wp-includes/ get flagged individually. A common backdoor technique drops a single PHP file named to blend in (e.g. wp-includes/class-wp-https.php) that has no counterpart in a clean install.

The scan results give you a prioritized list: start with any modified or added files in core directories – these are the highest-risk items and almost always indicate active compromise.
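To make the comparison concrete, here is an added example (not the guide’s or Trusti’s code) that performs the same core check by hand: it compares each file’s MD5 against a checksum map in the shape api.wordpress.org/core/checksums/1.0/ returns for a given version and locale, and flags modified, missing and extra files in wp-admin/ and wp-includes/. It goes one step beyond the passage by also listing PHP files under wp-content/uploads, which the summary checklist calls out. The scratch install, its file contents and the tampering are all constructed so the script runs offline; on a live server, WP-CLI’s wp core verify-checksums performs the same core comparison.

```python
"""Compare a WordPress install against the official core checksums (Step 3).

Added example, not the guide's or Trusti's code. `checksums` has the shape
api.wordpress.org/core/checksums/1.0/?version=<ver>&locale=<locale> returns
({"checksums": {"relative/path": "<md5 hex>", ...}}); here the map is built from
a constructed scratch install so everything runs offline.
"""
from __future__ import annotations

import hashlib
import os
import tempfile
from pathlib import Path

CORE_DIRS = ("wp-admin", "wp-includes")
# Extensions a typical PHP handler will execute; none belong under uploads.
PHP_EXTENSIONS = {".php", ".phtml", ".php5", ".php7", ".phar"}


def md5_of(path: Path) -> str:
    """MD5 is what the WordPress checksum API publishes, so that is what we compare."""
    digest = hashlib.md5()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def verify_core(root: str | os.PathLike, checksums: dict[str, str]) -> dict[str, list[str]]:
    """Return {'modified': [...], 'missing': [...], 'extra': [...]} as relative paths.

    wp-content/ is skipped: bundled themes and plugins are legitimately changed or
    removed by site owners and are handled separately in Step 4.
    """
    root = Path(root)
    report: dict[str, list[str]] = {"modified": [], "missing": [], "extra": []}
    for rel, expected in sorted(checksums.items()):
        if rel.startswith("wp-content/"):
            continue
        path = root / rel
        if not path.is_file():
            report["missing"].append(rel)
        elif md5_of(path) != expected.lower():
            report["modified"].append(rel)
    # Anything inside a core directory that the official list does not know about.
    for core_dir in CORE_DIRS:
        base = root / core_dir
        if base.is_dir():
            for path in base.rglob("*"):
                rel = path.relative_to(root).as_posix()
                if path.is_file() and rel not in checksums:
                    report["extra"].append(rel)
    report["extra"].sort()
    return report


def php_files_in_uploads(root: str | os.PathLike) -> list[str]:
    """PHP files in the uploads tree, which should only ever hold media."""
    root = Path(root)
    uploads = root / "wp-content" / "uploads"
    if not uploads.is_dir():
        return []
    return sorted(p.relative_to(root).as_posix() for p in uploads.rglob("*")
                  if p.is_file() and p.suffix.lower() in PHP_EXTENSIONS)


# Constructed clean install; contents are stand-ins, not real WordPress source.
CLEAN_FILES = {
    "index.php": "<?php require __DIR__ . '/wp-blog-header.php';\n",
    "wp-includes/version.php": "<?php $wp_version = '6.5';\n",
    "wp-includes/class-wp.php": "<?php class WP {}\n",
    "wp-admin/index.php": "<?php require_once __DIR__ . '/admin.php';\n",
    "wp-content/plugins/hello.php": "<?php // Hello Dolly\n",
}


def build_demo_site() -> tuple[str, dict[str, str]]:
    """Write the clean files, record their checksums, then simulate what Step 3 looks for."""
    root = Path(tempfile.mkdtemp(prefix="wp-demo-"))
    checksums: dict[str, str] = {}
    for rel, content in CLEAN_FILES.items():
        path = root / rel
        path.parent.mkdir(parents=True, exist_ok=True)
        path.write_text(content)
        checksums[rel] = md5_of(path)
    # Simulated tampering (constructed, harmless stand-ins for the real thing):
    (root / "wp-includes/version.php").write_text("<?php $wp_version = '6.5'; // appended line\n")
    (root / "wp-includes/class-wp-https.php").write_text("<?php // no counterpart in a clean install\n")
    (root / "wp-admin/index.php").unlink()
    uploads = root / "wp-content/uploads/2026/04"
    uploads.mkdir(parents=True)
    (uploads / "image.jpg").write_bytes(b"\xff\xd8\xff")
    (uploads / "thumb.php").write_text("<?php // a PHP file where only media belongs\n")
    return str(root), checksums


if __name__ == "__main__":
    site, sums = build_demo_site()
    for kind, files in verify_core(site, sums).items():
        for rel in files:
            print(f"{kind:8s} {rel}")
    for rel in php_files_in_uploads(site):
        print(f"uploads  {rel}")
```

The “missing” category is worth keeping even though the passage focuses on modified and added files: an attacker who deletes a core file (or a half-finished manual clean-up) leaves the install in a state the next step’s full core overwrite will repair anyway, but you want it on the record.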

Scan the database

Attackers often store malicious payloads in the database, particularly in:

  • wp_options – the siteurl and home values are common redirect targets. The active_plugins serialized array can be modified to load a non-existent plugin from a malicious path.
  • wp_posts – injected JavaScript or hidden links in post content, especially in older posts that aren’t regularly reviewed.
  • wp_usermeta – modified user capabilities to grant administrator privileges to compromised accounts.

Use phpMyAdmin or a direct MySQL query to search for suspicious strings in the wp_options and wp_posts tables. Look for <script tags, eval(, and any URLs that don’t belong to your domain.


Step 4 – Clean the Infection

Delete extra files flagged by Trusti

Open the Core File Scanner in Trusti Security and delete every file it flagged as unknown or extra – files that don’t belong in wp-admin/ or wp-includes/. There is no scenario where a legitimate file would exist in those directories that isn’t part of a standard WordPress install. The scanner lets you delete flagged files directly from the dashboard – no FTP needed. If you intend to work out how the attacker got in, download a copy of the flagged files to a location outside the web root before deleting them; their contents and modification times are often the only clue to the entry point.

Replace infected core files

For any core file the scanner flagged as modified, the safest approach is to replace the entire WordPress core with a clean copy. Download the exact version of WordPress you’re running from wordpress.org/download/releases/, then overwrite all core files via FTP or SSH. This replaces any modified file with the official version. Do not overwrite wp-config.php or the wp-content/ directory.

Clean or replace infected plugins and themes

For each plugin or theme that shows signs of modification:

  1. Deactivate and delete the plugin from the WordPress dashboard
  2. Reinstall it fresh from the WordPress repository or from the developer’s official download
  3. Do not restore from your own backup of the plugin folder – the backup may also be infected

For premium plugins and themes you can’t re-download, inspect the files manually and compare against an original copy from the developer. When in doubt, contact the developer for a clean copy.

Clean malicious database entries

Restore any tampered wp_options values – particularly siteurl, home, and active_plugins – to their correct values. Remove any injected <script> tags from post content. If the infection was widespread across many posts, a SQL query can strip injected content in bulk – but take a database backup first before running any bulk SQL UPDATE.


Step 5 – Verify the Site Is Clean

Don’t declare victory until you’ve verified from outside your own environment.

  • Run the Trusti Core Scanner again – it should return no modified or extra files in core directories. If it still flags files, repeat Step 4 for those files.
  • Check Google Safe Browsing – visit Google’s Transparency Report and search your domain. If Google flagged it as dangerous, this shows you when the warning went out and whether it’s still active.
  • Use an external malware scanner – run your URL through Sucuri SiteCheck or VirusTotal’s URL scanner for a second opinion from external signature databases.
  • Check your site as a logged-out visitor – browse the site from an incognito window. Some malware only targets non-logged-in visitors or specific user agents.
  • Check Google Search Console – look for any manual actions, security issues notifications, or unusual crawl activity. If Google flagged the site, you’ll need to request a review after cleaning (see Step 7).

Step 6 – Update Everything

Most successful WordPress attacks exploit known vulnerabilities in outdated software. After cleaning the site, close the door that let the attacker in.

  • WordPress core – update to the latest version
  • All plugins – update every installed plugin, including deactivated ones. Deactivated plugins with vulnerable code can still be exploited if the files are present on disk.
  • All themes – update your active theme and any installed parent themes
  • PHP version – check your PHP version in the host control panel. If you’re running PHP 7.x or older, upgrade to PHP 8.2 or 8.3. Older PHP versions have known vulnerabilities and no longer receive security fixes.

If you can identify which plugin or theme was the entry point – check the Trusti scanner results and correlate with the file modification dates – uninstall it entirely if the developer hasn’t patched it, or replace it with an actively maintained alternative.


Step 7 – Remove Warnings and Restore Reputation

Once the site is clean, you need to actively clear the warnings that are sending visitors away.

Request a Google review

In Google Search Console, go to Security & Manual Actions → Security Issues. After cleaning the site, click Request Review. Provide a clear description of what you found, what you removed, and what you’ve done to prevent recurrence. Google typically processes these within a few days. The “Dangerous site” warning in Chrome disappears once Google confirms the site is clean.

Notify your users if data was exposed

If the site collected any user data – email addresses, passwords, payment information – you may have a legal obligation to notify affected users and, depending on your jurisdiction and the type of data, relevant authorities (e.g. under GDPR in Europe or various state breach notification laws in the US). Consult a lawyer if you’re unsure. Disclosing proactively is always better than others discovering it later.

Check for blacklisting

If the server IP sent spam during the compromise, it may have landed on email blacklists. Run a check against the major blacklists (Spamhaus, Barracuda, SORBS, SpamCop) and submit removal requests for any active listings.


Step 8 – Harden the Site to Prevent Recurrence

Cleaning a hacked site without hardening it is the most common reason sites get hacked again within weeks. Work through this checklist before you take the site out of maintenance mode.

Enable Trusti Security’s protection modules

If you weren’t running Trusti Security before the attack, now is the time to set it up properly. After installing the plugin, enable these modules in priority order:

  • Login protection – rate limiting and lockouts after failed login attempts. Stops brute force attacks before they succeed. Enable IP-based lockouts and consider limiting login access by IP if you always log in from the same location.
  • Admin activity log – records every administrative action in the WordPress dashboard. After a compromise, this log tells you exactly what the attacker did while they had access. Going forward, it gives you early warning of unauthorized activity.
  • Security notifications – configure email alerts for new admin user creation, plugin installation, file changes, and failed login surges. The most dangerous events in a WordPress compromise are detectable in real time if you configure alerting.
  • Core file monitoring – schedules regular integrity checks and alerts you the moment a core file changes or an unexpected file appears in a core directory. Catch the next attack before it causes damage.

Change the admin URL

Moving the login page away from the default /wp-admin/ path eliminates the vast majority of automated attacks – bots and scanners rely on the default URL being there. Enable the Custom Admin URL module in Trusti Security to set a custom login slug. Direct access to wp-login.php and wp-admin/ automatically returns a 404 or redirect for non-logged-in users instead of showing the login form.

Disable XML-RPC if you don’t use it

xmlrpc.php is a frequent target for brute force attacks and is rarely needed on modern WordPress sites. Disable it from the Trusti Security Hardening module unless you have a specific tool that requires it (Jetpack, the WordPress mobile app, and some older publishing tools use it).

Enable two-factor authentication

Enable 2FA for all administrator accounts. A stolen password is useless if the attacker can’t get past the second factor. Trusti Security includes 2FA support – enable it for all admin and editor roles at minimum.

Set correct file permissions

Correct permissions limit what an attacker can do even if they find an exploitable vulnerability. The recommended settings:

  • Directories: 755
  • Files: 644
  • wp-config.php: 600 or 640
  • .htaccess: 644
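An added example (not the guide’s or Trusti’s code) that audits an install against exactly these values and, as a separate deliberate step, applies them. Beyond the four listed settings it also reports anything world-writable or carrying setuid/setgid, since those bits matter more than an exact mode match. The scratch directory tree and its deliberately wrong modes are constructed; audit_permissions and fix_permissions are assumed helper names.

```python
"""Audit and fix WordPress file permissions against the values in Step 8.

Added example, not the guide's or Trusti's code. Expected modes: directories 755,
files 644, wp-config.php 600 or 640 (640 when PHP runs under a group other than
the file owner). Anything world-writable or setuid/setgid is reported regardless.
"""
from __future__ import annotations

import os
import stat
import tempfile
from pathlib import Path

ALLOWED = {"directory": {0o755}, "file": {0o644}, "wp-config.php": {0o600, 0o640}}
FIX_TO = {"directory": 0o755, "file": 0o644, "wp-config.php": 0o640}
NEVER_SET = stat.S_IWOTH | stat.S_ISUID | stat.S_ISGID


def _kind(path: Path) -> str:
    if path.is_dir():
        return "directory"
    return "wp-config.php" if path.name == "wp-config.php" else "file"


def audit_permissions(root: str | os.PathLike) -> list[tuple[str, str, str]]:
    """Return (relative path, actual mode, problem) for every entry that deviates.
    Symlinks are skipped: their targets are audited where they really live."""
    root = Path(root)
    problems = []
    for path in sorted(root.rglob("*")):
        if path.is_symlink():
            continue
        mode = stat.S_IMODE(path.stat().st_mode)
        kind = _kind(path)
        rel = path.relative_to(root).as_posix()
        if mode & NEVER_SET:
            problems.append((rel, f"{mode:04o}", f"{kind} is world-writable or setuid/setgid"))
        elif mode not in ALLOWED[kind]:
            wanted = " or ".join(f"{m:04o}" for m in sorted(ALLOWED[kind]))
            problems.append((rel, f"{mode:04o}", f"{kind} should be {wanted}"))
    return problems


def fix_permissions(root: str | os.PathLike) -> int:
    """Apply the recommended mode to every non-conforming entry; returns the number changed."""
    root = Path(root)
    changed = 0
    for rel, _mode, _problem in audit_permissions(root):
        path = root / rel
        os.chmod(path, FIX_TO[_kind(path)])
        changed += 1
    return changed


def build_demo_tree() -> str:
    """Constructed scratch install with the kinds of mistakes a hosted site accumulates."""
    root = Path(tempfile.mkdtemp(prefix="wp-perm-"))
    layout = {  # relative path: (is_dir, mode)
        "wp-includes": (True, 0o755),
        "wp-includes/version.php": (False, 0o755),   # executable bit on a PHP file
        "wp-content": (True, 0o777),                 # world-writable directory
        "wp-content/uploads": (True, 0o755),
        "wp-content/uploads/a.jpg": (False, 0o666),  # world-writable file
        "wp-config.php": (False, 0o644),             # readable by every account on the host
        ".htaccess": (False, 0o644),
        "index.php": (False, 0o644),
    }
    for rel, (is_dir, mode) in layout.items():
        path = root / rel
        if is_dir:
            path.mkdir()
        else:
            path.write_text("placeholder\n")
        os.chmod(path, mode)  # explicit chmod so the umask cannot alter the fixture
    return str(root)


if __name__ == "__main__":
    demo = build_demo_tree()
    for rel, mode, problem in audit_permissions(demo):
        print(f"{mode} {rel}: {problem}")
    print("fixed", fix_permissions(demo), "entries; remaining:", audit_permissions(demo))
```

Run the audit first and read the list before fixing: a file the host’s deployment tooling keeps at an unusual mode will show up here, and it is better to know that than to have the fix silently undone on the next deploy.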

Step 9 – Set Up Ongoing Monitoring

The difference between a site that gets hacked once and a site that gets hacked repeatedly is monitoring. Attacks don’t announce themselves. Without visibility, the average time between a compromise and discovery is weeks – sometimes months.

  • Trusti Security plugin – run a full security scan after every plugin or theme update. Enable scheduled core file integrity checks. Keep the admin activity log enabled permanently.
  • Uptime monitoring – a basic uptime monitor (many are free) will alert you within minutes if the site goes down, which is often the first sign of a severe compromise or host suspension.
  • Google Search Console – keep it connected and check the Security Issues tab regularly. Google often detects malware before the site owner does.
  • Backup strategy – automated daily backups to an off-site location (not on the same server). Verify that backups are actually completing and test restoration periodically. A backup you haven’t tested is not a backup.

A Note on When to Call a Professional

This guide covers the full recovery process for most WordPress hacks, but some situations warrant professional help:

  • The compromise involved a server with multiple sites and you can’t determine the scope
  • Customer payment data or sensitive personal data may have been accessed
  • Your host has suspended the account and won’t restore access until a professional clean is verified
  • The attack involved server-level access (root compromise, SSH key theft) rather than just the WordPress layer
  • You’ve cleaned the site and it keeps getting re-infected

In these cases, a specialist incident response service is worth the cost. Re-infections from an improperly cleaned site can damage your SEO and reputation far more than the original attack.


Summary: The Recovery Checklist

  1. Take the site offline / enable maintenance mode
  2. Contact your host
  3. Change all passwords (WordPress, database, FTP, cPanel, email)
  4. Regenerate WordPress secret keys
  5. Remove unrecognized admin accounts
  6. Run Trusti Security Core File Scanner – note all flagged files
  7. Replace infected core files with clean copies from WordPress.org
  8. Delete extra PHP files from core directories and uploads folder
  9. Reinstall plugins and themes fresh from official sources
  10. Clean the database (options, posts, usermeta)
  11. Run the scanner again – confirm clean
  12. Verify externally (Google Safe Browsing, Sucuri SiteCheck)
  13. Update WordPress core, all plugins, all themes, PHP version
  14. Request Google review and blacklist removal if needed
  15. Enable and configure all Trusti Security protection modules
  16. Enable 2FA for all admin accounts
  17. Set up ongoing monitoring (Trusti, uptime monitor, Search Console, backups)

A WordPress compromise is stressful, but it’s recoverable. Work through the steps methodically, don’t skip the hardening phase, and set up the monitoring that will catch the next attempt before it becomes the next incident.
