How to Clean a Hacked WordPress Site: A Complete Step-by-Step Guide (2025)

Discovering your WordPress site has been hacked can be alarming, but acting quickly and methodically can help you remove malware, restore security, and prevent future attacks. This comprehensive guide walks you through cleaning a hacked WordPress site, from initial detection to full recovery, with professional tips to strengthen your site’s defenses.
Need more details: https://www.youtube.com/@easythemestore


Signs Your WordPress Site is Hacked

Before cleaning, confirm the hack. Look for:

  • Strange files or code in your theme/plugins
  • Unknown admin users in Users > All Users
  • Google Search Console alerts (“This site may be hacked”)
  • Spam links/content injected into pages
  • Redirects to malicious sites
  • Slow performance or crashes

Step 1: Isolate the Infection

1. Take Your Site Offline

  • Use Maintenance Mode (via plugins like WP Maintenance Mode)

  • Temporarily block visitors via .htaccess (returns a 503 with your maintenance page to everyone except your own IP; the REQUEST_URI condition stops the rule from looping on maintenance.html itself, and Apache ignores inline comments, so keep the comment on its own line):
    # Replace 203.0.113.10 with your own public IP address
    ErrorDocument 503 /maintenance.html
    RewriteEngine On
    RewriteCond %{REMOTE_ADDR} !^203\.0\.113\.10$
    RewriteCond %{REQUEST_URI} !^/maintenance\.html$
    RewriteRule ^ - [R=503,L]

2. Notify Your Hosting Provider

  • Many hosts (SiteGround, WP Engine) offer free hack cleanup for customers.


Step 2: Identify the Hack Source

1. Scan for Malware

  • Wordfence (Free plugin with malware scanning)
  • Sucuri SiteCheck (Online scanner: https://sitecheck.sucuri.net)
  • Manual Check:
    • Review wp-content/uploads/ for suspicious .php files
    • Check wp-config.php for unauthorized code

2. Review Recent Changes

  • Audit plugins/themes: Deactivate recently added ones.
  • Check user registrations: Delete unknown admins.

Step 3: Clean the Infection

Option A: Manual Cleanup (Advanced Users)

  1. Delete Suspicious Files

    • Look for:
      • eval(base64_decode()) in theme files
      • wp-admin/ or wp-includes/ files modified recently
    • Use FTP/File Manager (cPanel) to remove them (keep a copy of anything you delete, in case a file turns out to be legitimate).

  2. Reinstall Core Files

    • Download a fresh WordPress zip from wordpress.org
    • Replace (do NOT overwrite wp-config.php or wp-content/):
      • /wp-admin/
      • /wp-includes/

  3. Clean the Database

    • Use phpMyAdmin to (the wp_ prefix may differ; check $table_prefix in wp-config.php):
      • Scan wp_options for malicious scripts
      • Remove suspicious wp_users entries
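As an added example (not code from the original guide), the POSIX shell helpers below automate the manual checks from Step 2 and the "Look for" list in Step 3, Option A: PHP files under wp-content/uploads/, recently changed core files, eval(base64_decode())-style wrappers, and include/require lines in wp-config.php. The 7-day window, the pattern list and the function names are assumptions; run it from a shell on the server, or against a downloaded copy of the site, with the install root as the first argument.

```sh
#!/bin/sh
# Added triage helpers for a suspected WordPress compromise (example code, not
# the guide's own). Each function takes the WordPress install root as $1 and
# prints one path per line, so findings can be reviewed before anything is
# deleted. Assumes POSIX sh plus GNU or BSD find and grep.

# wp-content/uploads/ should hold media only; any PHP there is suspect.
find_php_in_uploads() {
    find "$1/wp-content/uploads" -type f \
        \( -iname '*.php' -o -iname '*.phtml' -o -iname '*.php[0-9]' \) 2>/dev/null
}

# Core files should only change when WordPress itself is updated. Lists files
# under wp-admin/ and wp-includes/ modified within the last $2 days (default 7).
find_recent_core_changes() {
    find "$1/wp-admin" "$1/wp-includes" -type f -mtime "-${2:-7}" 2>/dev/null
}

# Common obfuscation wrappers found in injected code. A hit is a lead for manual
# review, not proof of infection: some legitimate plugins use base64_decode.
find_obfuscated_php() {
    grep -rlE --include='*.php' \
        'eval[[:space:]]*\([[:space:]]*(base64_decode|gzinflate|gzuncompress|str_rot13)[[:space:]]*\(' \
        "$1" 2>/dev/null
}

# wp-config.php should not pull in extra files. The stock file contains exactly
# one such line (require_once ABSPATH . 'wp-settings.php'); anything else needs a look.
find_wp_config_includes() {
    grep -nE '(include|require)(_once)?[[:space:]]*\(?|eval[[:space:]]*\(' "$1/wp-config.php" 2>/dev/null
}

# Run every check and print a labelled report for the install rooted at $1.
wp_triage() {
    echo "== PHP files in uploads =="; find_php_in_uploads "$1"
    echo "== Core files changed in the last ${2:-7} days =="; find_recent_core_changes "$1" "$2"
    echo "== Files with eval(base64_decode()) and similar =="; find_obfuscated_php "$1"
    echo "== include/require/eval lines in wp-config.php =="; find_wp_config_includes "$1"
}
```

Empty output from a check is not a clean bill of health; modern injections often avoid these exact strings, so still compare core files against a fresh download as Step 3 describes.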

Option B: Use Security Plugins (Beginners)

  1. Install Wordfence or MalCare

    • Run a full scan and quarantine infected files.

  2. Use Sucuri’s Remote Cleanup (Paid service)


Step 4: Secure Your Site

1. Update Everything

  • WordPress core, themes, plugins to latest versions.
  • Delete unused plugins/themes.

2. Strengthen Logins

  • Enable 2FA (via Wordfence or Google Authenticator)
  • Limit login attempts (Plugin: Loginizer)
  • Change all passwords (WP admin, FTP, hosting, database).

3. Harden Security

  • Disable file editing: Add to wp-config.php (above the line that reads /* That's all, stop editing! */):
    define('DISALLOW_FILE_EDIT', true);

  • Block XML-RPC (if unused; Jetpack and the WordPress mobile apps rely on it):
    # Add to .htaccess (Apache 2.4 syntax; on 2.2 use "Order Deny,Allow" and "Deny from all" instead)
    <Files xmlrpc.php>
        Require all denied
    </Files>

4. Install a Firewall

  • Cloudflare (Free WAF rules)
  • Wordfence Firewall

Step 5: Monitor & Prevent Future Hacks

1. Regular Backups

  • Use UpdraftPlus or host backups.

2. Continuous Scans

  • Schedule weekly Wordfence scans.

3. Stay Informed

  • Subscribe to WordPress security blogs (Sucuri, WPBeginner).


When to Call a Professional

If:

  • The hack keeps returning
  • You’re uncomfortable with code
  • Google blacklisted your site

Recommended Services:

  • Sucuri ($199/year for cleanup + firewall)
  • Wordfence Premium (Enterprise-grade protection)

Final Checklist

✅ Isolate the site (Maintenance Mode)
✅ Scan for malware (Wordfence/Sucuri)
✅ Remove infected files/database entries
✅ Update WordPress + plugins
✅ Strengthen security (2FA, firewall)
✅ Set up backups + monitoring


Key Takeaways

  • Act fast to limit damage.
  • Manual cleanup works but is technical.
  • Prevention > Cure: A secured site rarely gets hacked.
