My WordPress site is hacked, what to do?

Estimated reading time: 4 min


Getting your website hacked can be a huge pain to deal with. Worse still, if you don’t do it right, you might end up back at square one – with malicious code still ravaging your site.

As soon as you start being suspicious of having been hacked, there are immediate steps that should be taken in order to minimise the damage and ensure you’re back on your feet as soon as possible.

This guide is a simple 5-step process that will help you lock in on the problem and fix it with minimal headaches.


A ‘hacked’ website could mean anything from someone gaining complete remote access to someone using your server as part of a botnet. For the context of this article, we’ll assume the hacker wasn’t able to get much further than your WordPress installation.

The good news is that unless someone actually managed to get your password, there’s not much they can do in the way of deleting important files. Sure, they can probably send themselves copies, but most servers are locked down pretty tight (due to the fact that they run Linux.)

The bad news is there’s lots of work to be done if all the signs point to your website having been hacked.

Step 1: Clean-up

The first step to take is to track down the source of the hack and clean up compromised files.

Most viruses make their way into a system through infected or outdated plugins.

An infected plugin means malicious actors have somehow managed to get access to the plugin itself and embedded their own code inside. This embedded code could do anything from adding you to a botnet to deleting important files from your server.

Outdated plugins are security holes because of bugs in the plugin itself or its dependencies. These make you more vulnerable to being hacked as long as they are present on your system. Always make sure you update your plugins to the latest version.

There are plenty of tools on the market to help you find suspicious or compromised files. Alternatively, you can get in touch with your hosting company and let them know about your predicament. They might help you locate and clean up the compromised files if you can’t do it yourself.

The alternative option is the nuke button – delete all the plugins and themes, keeping only content that can be backed up and restored in later steps.

Step 2: Make a backup of the content

Whether or not you’ve managed to find the offending files, you should create backups of your content. This will prove useful later on.

WordPress is a web application composed of the frontend – themes, plugins, and all ‘website’-related features – and the backend, a MySQL database. In order to fully backup your WordPress site, both the frontend and backend have to be copied and stored on a different machine.

To back up the frontend, you should FTP into your server and download necessary files and subdirectories under “/wp-content” – where all your uploads, themes, and plugins are located. If your hosting providers provide access to tools like PhpMyadmin and cPanel, it’ll be that much easier to backup both the database and specific directories.

You shouldn’t backup “/wp-content/themes” or “/wp-content/plugins”. They are going to be reinstalled from scratch later on.

Step 3: Reinstall a clean WordPress installation

It’s possible for malware to find its way to the WordPress installation, infecting even core files. Some security software is able to pick out modified files like these and warn you about it, but it’s not foolproof.

The safest course of action is to completely wipe WordPress from your system and reinstall it from scratch.

To uninstall WordPress, FTP into your server and delete the directory where WordPress was installed.

You should also drop the Mysql database where your website data is stored. This should be done using whichever interface your hosting provider allows you to manage your server from.

To reinstall WordPress, follow their famous 5-step process. Alternatively, a lot of web-hosts currently offer one-click installation options, saving you a few minutes of effort. You will create the Mysql database in the process.

Step 4: Redownload & reinstall themes and plugins

It’s now time to restore your currently-blank website back to its former glory. You can safely reinstall all the themes and plugins that your site previously used. Their data will be restored in the next step.

Unless you were able to diagnose and pinpoint the infected files on your server, don’t restore the plugins folder from your backup. It might be a pain setting up all your plugins and themes from scratch, but it will avoid the risk of accidentally re-introducing the virus into your system.

Step 5: Import content from a backup

At this point, all that’s left to do is import your content from backup. It’s is a two-phase process that involves restoring your database and actual website content.

Simply copy the folders you’d previously backed up from “/wp-content” (not including “/wp-content/themes” and “wp-content/plugins”) back to their original location and you’re almost done! All you need to do now is restore your database.

Restoring your database should by and large be the same process you followed when backing it up. Whatever tool you used, it should have functionality allowing you to restore your database.


Dealing with a compromised website is gut-wrenching at the best of times and a complete-time vacuum at the worst. While nuking WordPress and starting off from scratch may seem extreme to some, tracking down and getting rid of infections is no easy task. It’s often best not to take the risk.

So, while less severe methods might work for you, depending on the intensity of the infection, dumping everything and starting over is often the best way to minimize hair-pulling.

Lastly, prevention is better than cure. Always update your software to the latest version, have strict roles and permissions in place, use a firewall, and run occasional security scans on your site.

Was this article helpful?
Dislike 0
Views: 273

Reader Interactions

Leave a Reply

Your email address will not be published. Required fields are marked *