A hacked website rarely announces itself politely. More often, you notice something is off – spam pages in Google, strange redirects, locked-out admin access, hosting warnings, or customers telling you your site looks broken. If you are trying to figure out how to fix a hacked WordPress site, the first job is not to panic. The second is to stop making the problem worse.
A lot of business owners lose time by guessing. They delete random plugins, restore the wrong backup, or keep using a compromised site while malware continues to spread. A hacked WordPress site can usually be cleaned up, but the order matters. You need to contain it, confirm what changed, clean it properly, and close the door it came through.
How to fix a hacked WordPress site without making it worse
Start by putting the site into maintenance mode if you still have access, or ask your host to temporarily suspend public access if the site is actively redirecting visitors or sending spam. That may feel drastic, but leaving a hacked site live can damage your reputation, your search visibility, and your customers’ trust.
Before changing anything else, make a full backup of the current hacked state. That sounds backwards, but it matters. A backup gives you something to inspect later and can help if cleanup steps go sideways. Save the website files and database. If your host provides snapshots, note the available restore points too.
Next, change passwords immediately. Start with WordPress admin accounts, then hosting, SFTP, database, domain registrar, and any connected email accounts. Use strong, unique passwords and turn on two-factor authentication where available. If one login was compromised, assume others may be at risk.
Then check whether all admin users are legitimate. Hackers often create a new administrator account so they can get back in after you think the problem is solved. If you see an unfamiliar user, do not just delete it blindly. Note the username and email, then remove it carefully once you have confirmed it is malicious.
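Two of the containment steps above can be scripted so they happen the same way every time. The following is an added example written for this article, not the article's own code or anything shipped with WordPress: it archives the hacked state with a SHA-256 manifest before anything is touched, and it compares the administrators the site reports against the roster you keep offline. It assumes GNU coreutils (sha256sum) and tar; the miniature site tree and both admin lists are constructed inline so it runs offline. On a live site the current list would come from WP-CLI (`wp user list --role=administrator --field=user_login`).

```shell
#!/bin/sh
# Added example, not part of the original article. Two pieces of the
# containment step: (1) preserve the hacked state as an archive plus a SHA-256
# manifest before anything is touched, and (2) compare the administrators the
# site reports against the roster you know is legitimate. Assumes GNU coreutils
# (sha256sum) and tar. The sample site tree and both admin lists are constructed
# inline so this runs offline; on a real site the current list comes from
#     wp user list --role=administrator --field=user_login > current-admins.txt
set -eu

# 1. Archive SITE untouched and write a manifest next to it; prints the manifest
#    path. The database half would be
#        mysqldump --single-transaction "$DB_NAME" | gzip >"$OUT/db-before-cleanup.sql.gz"
#    and is left as a comment here because it needs live credentials.
preserve_state() {
    site="$1"; out="$2"
    stamp=$(date +%Y%m%d-%H%M%S)
    mkdir -p "$out"
    tar -czf "$out/files-before-cleanup-$stamp.tar.gz" -C "$site" .
    ( cd "$site" && find . -type f -exec sha256sum {} + | sort -k2 ) \
        >"$out/manifest-$stamp.sha256"
    echo "$out/manifest-$stamp.sha256"
}

# 2. Logins present in CURRENT but absent from KNOWN, one per line.
#    Empty output means every administrator is on the roster.
unexpected_admins() {
    known_sorted=$(mktemp); current_sorted=$(mktemp)
    sort -u "$1" >"$known_sorted"
    sort -u "$2" >"$current_sorted"
    comm -13 "$known_sorted" "$current_sorted"   # lines only in the second file
    rm -f "$known_sorted" "$current_sorted"
}

# Constructed sample: a two-file site and admin lists in which "wpsupport"
# stands in for an account the attacker added.
build_sample() {
    mkdir -p "$1/site/wp-content"
    printf '<?php\n' >"$1/site/index.php"
    printf 'define("DB_NAME", "placeholder");\n' >"$1/site/wp-config.php"
    printf 'alice\nbob\n' >"$1/known-admins.txt"
    printf 'bob\nalice\nwpsupport\n' >"$1/current-admins.txt"
}

work=$(mktemp -d)
build_sample "$work"
manifest=$(preserve_state "$work/site" "$work/evidence")
echo "manifest written: $manifest"
echo "administrators not on the roster:"
unexpected_admins "$work/known-admins.txt" "$work/current-admins.txt"
rm -rf "$work"
```

The manifest is what lets you answer "which files changed between the hacked copy and the cleaned site" later with a plain `sha256sum -c`, and the roster comparison is deliberately a report rather than a delete: the article's advice to note the username and email before removing an account still applies.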
Confirm the signs of a hacked WordPress site
Not every broken site is hacked. A failed plugin update, PHP version mismatch, or bad custom code can also knock a site offline. The difference matters because malware cleanup is different from standard troubleshooting.
Common signs of compromise include spam content appearing on your site, redirects to unrelated pages, browser security warnings, sudden hosting resource spikes, unknown admin users, modified core files, or SEO spam pages that exist only for search engines. Sometimes the front end looks normal while the damage is hidden in files, scheduled tasks, or the database.
This is where many site owners hit a fork in the road. If the site is business-critical and you do not know what you are looking at, professional cleanup is often the safer option. Malware can be tucked into theme files, uploads folders, database entries, mu-plugins, or even wp-config.php. Missing one backdoor means the hacker returns.
Restore from backup or clean manually?
If you have a clean backup from before the hack, restoring it may be the fastest path. But only if you know the backup is actually clean. Restoring a compromised backup just rewinds the clock a few days.
A clean restore also does not solve the original weakness. If the hack came through an outdated plugin, weak password, nulled theme, or poor hosting isolation, the site can be reinfected almost immediately.
Manual cleanup makes more sense when you do not have a trustworthy backup, when the infection has been present for a while, or when you need to preserve recent content or e-commerce data. It takes longer, but it gives you a clearer view of what changed.
Clean the WordPress files properly
The safest file cleanup method is to replace as much as possible with fresh copies. Download a clean copy of WordPress core and replace all core files except wp-config.php and the wp-content folder. That removes many common file-level infections.
After that, remove and reinstall every plugin and theme from trusted sources. If a plugin or theme is no longer maintained, this is a good time to stop using it. Old abandoned software is one of the most common entry points for small business WordPress sites.
Check the uploads directory carefully. It should mostly contain media files such as images, PDFs, and videos. If you find PHP files in uploads, treat that as suspicious. There are exceptions, but in most small business sites, executable files there are a red flag.
Also inspect key files that attackers like to modify, including .htaccess, wp-config.php, index.php, and any must-use plugins. Look for obfuscated code, strange includes, long encoded strings, or references to unknown external scripts.
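The file checks described in this section can be made mechanical. The script below is an added example, not code from the article or from WordPress: it diffs the site's core files against a clean copy of the same version (WP-CLI's real `wp core verify-checksums` does this against wordpress.org; this is the manual equivalent for a host without WP-CLI), lists PHP files under uploads, and greps for the obfuscation markers mentioned above. The miniature "clean" release and "site" tree are constructed inline, and the planted payload is inert (it decodes to `echo 1;`).

```shell
#!/bin/sh
# Added example, not code from the article or from WordPress. Three checks that
# belong to the file-cleanup step, run here against a constructed miniature
# site tree so the script works offline:
#   1. core files that differ from a clean copy of the same WordPress version
#   2. PHP files inside wp-content/uploads
#   3. files carrying the obfuscation markers the text mentions
set -eu

# 1. Compare SITE against CLEAN (an unpacked release of the same version).
#    wp-config.php and wp-content/ are site-specific and skipped.
#    Prints MODIFIED, MISSING and EXTRA lines; no output means core is intact.
changed_core_files() {
    clean="$1"; site="$2"
    ( cd "$clean" && find . -type f ! -name wp-config.php ! -path './wp-content/*' ) |
    while read -r f; do
        if [ ! -f "$site/$f" ]; then echo "MISSING $f"
        elif ! cmp -s "$clean/$f" "$site/$f"; then echo "MODIFIED $f"
        fi
    done
    # files present on the site that the release never shipped (dropped-in backdoors)
    ( cd "$site" && find . -type f ! -name wp-config.php ! -path './wp-content/*' ) |
    while read -r f; do
        [ -f "$clean/$f" ] || echo "EXTRA $f"
    done
}

# 2. Anything PHP-like under uploads/, including php5/php7/phtml variants.
php_in_uploads() {
    find "$1/wp-content/uploads" -type f \
        \( -name '*.php' -o -name '*.php[0-9]' -o -name '*.phtml' \)
}

# 3. Files containing the functions usually wrapped around hidden payloads.
#    Legitimate plugins do use base64_decode, so this is a review list, not a verdict.
suspicious_code() {
    grep -rlE 'eval\(|base64_decode\(|gzinflate\(|str_rot13\(' "$1" || true
}

# Constructed sample: a tiny "clean" release and a "site" copy with three
# planted differences. The planted payload is inert (decodes to `echo 1;`).
build_sample() {
    root="$1"
    mkdir -p "$root/clean/wp-includes" "$root/site/wp-includes" \
             "$root/site/wp-content/uploads/2025/01"
    for d in clean site; do
        printf '<?php\nrequire __DIR__ . "/wp-blog-header.php";\n' >"$root/$d/index.php"
        printf '<?php\n$wp_version = "6.5";\n' >"$root/$d/wp-includes/version.php"
    done
    # (a) payload appended to a core file
    printf '<?php eval(base64_decode("ZWNobyAxOw==")); ?>\n' >>"$root/site/index.php"
    # (b) a hidden file the release never shipped (constructed name)
    printf '<?php // constructed placeholder for a dropped-in file\n' >"$root/site/wp-includes/.cache.php"
    # (c) PHP inside uploads, next to a real-looking image
    printf 'not really a jpeg\n' >"$root/site/wp-content/uploads/2025/01/photo.jpg"
    printf '<?php eval(base64_decode("ZWNobyAxOw==")); ?>\n' >"$root/site/wp-content/uploads/2025/01/photo.php"
}

work=$(mktemp -d)
build_sample "$work"
echo "== core files differing from the clean release"
changed_core_files "$work/clean" "$work/site"
echo "== PHP under uploads"
php_in_uploads "$work/site"
echo "== files with obfuscation markers"
suspicious_code "$work/site"
rm -rf "$work"
```

Run the core comparison against a fresh download of the exact version the site reports, not the latest release, or every file will show as modified. The third check lists files for a human to read; it does not delete anything.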
Clean the database and hidden spam
A hacked WordPress site is not always fixed by replacing files. Many infections add spam links, fake pages, malicious redirects, or hidden admin settings in the database.
Check posts, pages, drafts, widgets, menus, and options tables for injected content. Review siteurl and home values to confirm they have not been changed. Look for suspicious JavaScript in headers, footers, and custom code fields. If SEO spam has been injected, you may find hundreds of low-quality pages targeting unrelated searches.
This is also the time to review scheduled tasks and user roles. Some malware schedules itself to recreate files after deletion. If the infection keeps returning, there is still a persistence method somewhere.
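The database checks in this section (siteurl and home, injected markup in posts, unknown external scripts, and scheduled tasks) can be run over a plain SQL export when you would rather not poke at a live database. The following is an added example, not the article's code: it assumes a dump made with `mysqldump --skip-extended-insert` so each row sits on its own INSERT line, and the dump it scans is constructed inline so it runs offline. On a live site, `wp option get home` and `wp cron event list` give the first and last answers directly.

```shell
#!/bin/sh
# Added example, not from the article. Checks a database export for the
# injections the text describes: altered siteurl/home, script/iframe/hidden
# content in posts, external script hosts, and cron hooks that should not exist.
# Assumes a dump made with `mysqldump --skip-extended-insert` so each row is
# its own INSERT line; the dump below is constructed inline to run offline.
set -eu

# Print "NAME: actual (expected EXPECTED)" for siteurl/home rows that differ.
check_site_urls() {
    dump="$1"; expected="$2"
    for name in siteurl home; do
        actual=$(sed -n "s/.*'$name','\([^']*\)'.*/\1/p" "$dump")
        [ "$actual" = "$expected" ] || echo "$name: $actual (expected $expected)"
    done
}

# Post IDs whose content carries markup that rarely belongs in a blog post.
# This is a review list: a legitimate <script> from your own domain shows up too.
injected_posts() {
    grep -E '^INSERT INTO `wp_posts`' "$1" |
    grep -iE '<script|<iframe|display: *none|eval\(' |
    sed -E 's/^INSERT INTO `wp_posts` VALUES \(([0-9]+),.*/post \1/'
}

# Hosts referenced by <script src=...> anywhere in the dump, minus OWN_HOST.
external_script_hosts() {
    grep -oiE '<script[^>]+src="https?://[^/"]+' "$1" |
    sed -E 's#.*://##' | sort -u | grep -vx "$2" || true
}

# Hook names inside the serialized `cron` option. Structural keys and the
# md5 instance ids are filtered out, leaving the hooks that are scheduled.
cron_hooks() {
    sed -n "s/.*'cron','\(.*\)','yes').*/\1/p" "$1" |
    grep -oE 's:[0-9]+:"[a-z0-9_]+";a:' | sed -E 's/^s:[0-9]+:"([^"]+)".*/\1/' |
    grep -vE '^(schedule|args|interval)$' | grep -vE '^[0-9a-f]{32}$' | sort -u
}

# Constructed sample dump: home has been changed, post 12 hides spam links,
# post 13 loads a script from another host, and "x_reinfect_job" stands in
# for a cron hook no plugin registered.
write_sample_dump() {
    cron='a:2:{i:1700000000;a:2:{s:16:"wp_version_check";a:1:{s:32:"40cd750bba9870f18aada2478b24840a";a:3:{s:8:"schedule";s:10:"twicedaily";s:4:"args";a:0:{}s:8:"interval";i:43200;}}s:14:"x_reinfect_job";a:1:{s:32:"40cd750bba9870f18aada2478b24840a";a:3:{s:8:"schedule";s:6:"hourly";s:4:"args";a:0:{}s:8:"interval";i:3600;}}}s:7:"version";i:2;}'
    cat >"$1" <<EOF
INSERT INTO \`wp_options\` VALUES (1,'siteurl','https://example.com','yes');
INSERT INTO \`wp_options\` VALUES (2,'home','https://example.org','yes');
INSERT INTO \`wp_options\` VALUES (3,'cron','$cron','yes');
INSERT INTO \`wp_posts\` VALUES (10,1,'2025-01-05 10:00:00','<p>Welcome to our shop.</p>','Home','publish');
INSERT INTO \`wp_posts\` VALUES (11,1,'2025-01-06 10:00:00','<p>Opening hours</p><script src="https://example.com/wp-includes/js/jquery.js"></script>','Hours','publish');
INSERT INTO \`wp_posts\` VALUES (12,1,'2025-02-01 03:12:44','<div style="display:none"><a href="https://spam.example.net/">cheap offers</a></div>','Home','publish');
INSERT INTO \`wp_posts\` VALUES (13,1,'2025-02-01 03:12:50','<script src="https://cdn.example.net/t.js"></script>','','publish');
EOF
}

dump=$(mktemp)
write_sample_dump "$dump"
echo "== siteurl/home";            check_site_urls "$dump" https://example.com
echo "== posts to review";         injected_posts "$dump"
echo "== external script hosts";   external_script_hosts "$dump" example.com
echo "== scheduled cron hooks";    cron_hooks "$dump"
rm -f "$dump"
```

Every hook the cron check prints should map to WordPress core or to a plugin you can name; one you cannot account for is the kind of persistence the paragraph above warns about, and it has to be removed together with the file or option that re-registers it.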
Scan, review, and verify
Use a reputable security scanner to help identify known malware patterns, file changes, and suspicious behaviour. Scanners are useful, but they are not perfect. They can miss custom malware and they sometimes flag harmless code. Treat scan results as a guide, not the final answer.
After cleanup, test the site manually. Visit key pages, forms, checkout flows, and admin areas. Check source code for unexpected scripts. Review server logs if you have access. Look for repeated login attempts, requests to strange files, or activity from the same suspicious IPs.
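The log review just described comes down to two questions that awk answers quickly: which addresses hammered the login endpoints, and which requests reached PHP files under uploads. The script below is an added example, not part of the article; it works on Apache or Nginx "combined" format lines, and the sample log it reads is constructed inline using documentation IP ranges.

```shell
#!/bin/sh
# Added example, not from the article: two questions to ask of the web server
# access log after cleanup, answered with awk over a constructed sample in
# Apache/Nginx "combined" format (IPs are from documentation ranges).
#   1. which addresses repeatedly POSTed to wp-login.php or xmlrpc.php
#   2. which requests hit PHP files under uploads/ (there should be none)
set -eu

# Print "IP COUNT" for every address with at least MIN POSTs to the login
# endpoints, busiest first. Fields: $1 client IP, $6 method, $7 path.
login_hammering() {
    awk -v min="$2" '
        $6 == "\"POST" && ($7 ~ /^\/wp-login\.php/ || $7 ~ /^\/xmlrpc\.php/) { n[$1]++ }
        END { for (ip in n) if (n[ip] >= min) print ip, n[ip] }
    ' "$1" | sort -k2,2nr -k1,1
}

# Print "IP PATH STATUS" for requests to PHP files under wp-content/uploads.
uploads_php_requests() {
    awk '$7 ~ /^\/wp-content\/uploads\/.*\.php/ { print $1, $7, $9 }' "$1" | sort -u
}

# Constructed sample: one address brute-forcing the login and then calling a
# PHP file in uploads; one ordinary visitor logging in once.
write_sample_log() {
    cat >"$1" <<'EOF'
203.0.113.7 - - [12/Mar/2025:03:14:01 +0000] "POST /wp-login.php HTTP/1.1" 200 4123 "-" "Mozilla/5.0"
203.0.113.7 - - [12/Mar/2025:03:14:02 +0000] "POST /wp-login.php HTTP/1.1" 200 4123 "-" "Mozilla/5.0"
203.0.113.7 - - [12/Mar/2025:03:14:03 +0000] "POST /wp-login.php HTTP/1.1" 200 4123 "-" "Mozilla/5.0"
203.0.113.7 - - [12/Mar/2025:03:14:04 +0000] "POST /xmlrpc.php HTTP/1.1" 200 370 "-" "Mozilla/5.0"
203.0.113.7 - - [12/Mar/2025:03:14:05 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
198.51.100.20 - - [12/Mar/2025:08:00:10 +0000] "GET / HTTP/1.1" 200 15230 "-" "Mozilla/5.0"
198.51.100.20 - - [12/Mar/2025:08:00:12 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "https://example.com/wp-login.php" "Mozilla/5.0"
203.0.113.7 - - [12/Mar/2025:03:20:00 +0000] "GET /wp-content/uploads/2025/01/photo.php?x=1 HTTP/1.1" 200 12 "-" "curl/8.4"
198.51.100.20 - - [12/Mar/2025:08:01:00 +0000] "GET /wp-content/uploads/2025/01/photo.jpg HTTP/1.1" 200 88212 "https://example.com/" "Mozilla/5.0"
EOF
}

log=$(mktemp)
write_sample_log "$log"
echo "== addresses with 3+ login/xmlrpc POSTs"
login_hammering "$log" 3
echo "== requests to PHP under uploads"
uploads_php_requests "$log"
rm -f "$log"
```

A 200 response to a PHP file under uploads tells you the file existed and ran at that moment, which dates the compromise at least as far back as that request; the status field is included for exactly that reason.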
If your host has blacklisted or suspended the site, ask for a fresh malware review once you are confident the cleanup is complete.
Close the security gaps that caused the hack
Learning how to fix a hacked WordPress site is only half the job. The other half is making sure it does not happen again next week.
Update WordPress core, plugins, themes, and PHP. Remove anything inactive that you do not need. Limit the number of plugins to tools you actually use and trust. If your site depends on old custom code, have it reviewed instead of hoping it keeps working forever.
Tighten logins. Use strong passwords, enable two-factor authentication, limit login attempts, and reduce the number of administrator accounts. If multiple people manage the site, give each person their own login instead of sharing one account.
Review your hosting setup too. Cheap, overcrowded hosting can make security and recovery harder. Good WordPress hosting will give you proper backups, malware response, current server software, and support that understands WordPress rather than reading from a script.
Finally, set up ongoing maintenance. Most WordPress hacks do not happen because WordPress is inherently unsafe. They happen because websites are left unattended. Updates get skipped. Plugins age out. Passwords stay weak. No one notices the warning signs until the site is already compromised.
When to bring in help
There is a point where DIY stops saving money. If the site handles leads, bookings, payments, or customer data, speed and accuracy matter. The longer a hacked site stays compromised, the more business risk you carry.
Professional help makes sense when you are locked out, backups are unreliable, malware keeps returning, search results are showing spam, or you simply cannot afford to spend two days inside file directories and database tables. A proper cleanup should include investigation, removal, patching the entry point, and post-cleanup hardening.
If you need that kind of hands-on support, Westshore Web handles WordPress rescue work for business owners who need the site cleaned, secured, and stable again without getting stuck in a support maze.
A hacked site feels urgent because it is. But it is also fixable. The smartest move is to be methodical, clean it properly, and treat security as part of running the website, not a one-time repair.