Web Support Geeks


How to Fix a Hacked WordPress Site (Step-by-Step) in 2026

By Web Support | 1:17 PM EDT, Wed April 08, 2026

A hacked WordPress site can damage your reputation, harm your SEO rankings, and put your users at risk. The good news: most hacks are fixable if you act quickly and follow a structured process.

This guide walks you through exactly how to identify, clean, and secure your site in 2026—whether you're a beginner or an experienced site owner.

Step 1: Stay Calm and Confirm the Hack

Not every issue is a hack. First, verify what’s actually happening.

Common signs of a hacked WordPress site:

  • Unexpected redirects (e.g., to spam or malicious sites)
  • Google warning: “This site may be hacked”
  • New admin users you didn’t create
  • Strange content (spam posts, links, or ads)
  • Hosting provider suspends your account
  • Sudden drop in traffic or SEO rankings
  • Files modified recently without your knowledge

Quick checks:

  • Visit your site in incognito mode
  • Check Google Search Console for security issues
  • Scan your site using an online malware scanner

If you confirm suspicious activity, move quickly.

Step 2: Put Your Site in Maintenance Mode

Before fixing anything, prevent further damage.

Do this immediately:

  • Take your site offline (maintenance mode plugin or hosting panel)
  • Notify your hosting provider
  • Inform your team (if applicable)

This prevents visitors from being exposed to malware and stops hackers from continuing activity.

Step 3: Change ALL Passwords

Assume every credential is compromised.

Update:

  • WordPress admin passwords
  • Hosting account
  • FTP/SFTP credentials
  • Database password
  • Email accounts linked to the site

Best practices:

  • Use long, unique passwords (password manager recommended)
  • Enable 2FA (Two-Factor Authentication) wherever possible

Step 4: Back Up Your Current Site (Even If It’s Hacked)

This might sound counterintuitive, but it’s important.

Why:

  • You may need files later for investigation
  • You can compare clean vs infected versions

Download:

  • All WordPress files
  • Database export

Step 5: Scan and Identify Malware

Now you need to locate the malicious code.

Tools you can use:

  • Security plugins (WordPress-based)
  • Server-side malware scanners
  • Online scanners

Look for:

  • Suspicious PHP files
  • Obfuscated code (e.g., base64, eval)
  • Recently modified files
  • Unknown plugins/themes
  • Hidden admin users

Step 6: Remove Malicious Code and Files

This is the most critical step.

Manual cleaning approach:

  1. Delete all WordPress core files (except wp-config.php and wp-content)
  2. Reinstall fresh WordPress core files
  3. Replace all plugins and themes with clean versions
  4. Remove unused plugins/themes entirely
  5. Inspect wp-content/uploads for hidden PHP files (PHP files should NOT be there)

Database cleaning:

  • Remove spam posts/pages
  • Delete suspicious users
  • Check wp_options for injected scripts
  • Look for suspicious cron jobs

If you're unsure, use a professional malware removal service.
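
One way to see which core files were changed before replacing them, as an added example that is not part of the original guide: hash the site's files and compare them with a fresh copy of the same WordPress release. The function names and the two sample trees are assumptions made for the illustration.

```python
import hashlib
import tempfile
from pathlib import Path

def manifest(root):
    """Map each file path (relative to root) to its SHA-256 digest."""
    root = Path(root)
    return {p.relative_to(root).as_posix(): hashlib.sha256(p.read_bytes()).hexdigest()
            for p in root.rglob("*") if p.is_file()}

def is_site_specific(rel):
    # Step 6 keeps wp-config.php and wp-content, so they are reviewed separately.
    return rel == "wp-config.php" or rel.startswith("wp-content/")

def compare_to_clean(clean_root, site_root):
    """Diff a site's core files against a fresh copy of the SAME release."""
    clean = {k: v for k, v in manifest(clean_root).items() if not is_site_specific(k)}
    site = {k: v for k, v in manifest(site_root).items() if not is_site_specific(k)}
    return {
        "modified": sorted(k for k in site if k in clean and site[k] != clean[k]),
        "added": sorted(k for k in site if k not in clean),
        "missing": sorted(k for k in clean if k not in site),
    }

def demo():
    """Two constructed trees; the file bodies are placeholders, not real code."""
    clean = {"index.php": "core index", "wp-includes/version.php": "release info"}
    site = {"index.php": "core index",
            "wp-includes/version.php": "release info + injected line",
            "wp-includes/wp-log1n.php": "file that is not part of core",
            "wp-config.php": "site settings"}
    with tempfile.TemporaryDirectory() as a, tempfile.TemporaryDirectory() as b:
        for root, files in ((a, clean), (b, site)):
            for rel, body in files.items():
                target = Path(root, rel)
                target.parent.mkdir(parents=True, exist_ok=True)
                target.write_text(body)
        return compare_to_clean(a, b)

if __name__ == "__main__":
    for kind, paths in demo().items():
        print(f"{kind}: {paths}")
```

WP-CLI's `wp core verify-checksums` makes the same comparison against the official checksums for the installed version.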

Step 7: Restore from a Clean Backup (If Available)

If you have a backup from before the hack, this can save time.

Important:

  • Make sure the backup is truly clean
  • Still update all plugins/themes afterward
  • Change passwords even after restoring

Step 8: Check for Backdoors

Hackers often leave hidden access points.

Common backdoor locations:

  • wp-content/uploads
  • wp-includes
  • Randomly named PHP files

What to look for:

  • Files with strange names (e.g., x.php, wp-log1n.php)
  • Code using eval(), exec(), base64_decode()

Remove anything suspicious.
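
The checks from Steps 5 and 8, as an added example (not code from the original guide): a read-only triage pass that lists PHP files under wp-content/uploads and PHP files calling eval(), exec() or base64_decode(). The function names and the sample tree are constructed for illustration; legitimate plugins also use these calls, so a match means "review this file", not "delete it".

```python
import re
import tempfile
from pathlib import Path

PHP_EXT = {".php", ".phtml", ".php5", ".php7", ".phar"}
# The calls the guide says to look for. Word boundary keeps curl_exec() and
# shell_exec() from matching the plain exec() pattern.
RISKY_CALL = re.compile(rb"\b(eval|exec|base64_decode)\s*\(", re.I)

def triage(site_root):
    """Return {relative_path: [reasons]} for PHP files worth a manual look."""
    root = Path(site_root)
    findings = {}
    for path in sorted(root.rglob("*")):
        if not path.is_file() or path.suffix.lower() not in PHP_EXT:
            continue
        rel = path.relative_to(root).as_posix()
        reasons = []
        if rel.startswith("wp-content/uploads/"):
            reasons.append("php-in-uploads")  # uploads should hold media only
        calls = {m.group(1).decode().lower()
                 for m in RISKY_CALL.finditer(path.read_bytes())}
        reasons += [f"calls-{name}" for name in sorted(calls)]
        if reasons:
            findings[rel] = reasons
    return findings

def demo():
    """Constructed sample tree with inert placeholder bodies."""
    files = {
        "index.php": b"<?php require __DIR__ . '/wp-blog-header.php';",
        "wp-includes/wp-log1n.php": b"<?php $blob = ''; eval(base64_decode($blob));",
        "wp-content/uploads/2026/04/x.php": b"<?php echo 'placeholder';",
        "wp-content/uploads/2026/04/logo.png": b"constructed image bytes",
    }
    with tempfile.TemporaryDirectory() as tmp:
        for rel, body in files.items():
            target = Path(tmp, rel)
            target.parent.mkdir(parents=True, exist_ok=True)
            target.write_bytes(body)
        return triage(tmp)

if __name__ == "__main__":
    for rel, reasons in demo().items():
        print(rel, ", ".join(reasons))
```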

Step 9: Fix SEO Spam and Blacklisting

If your site was used for spam, clean it up.

Actions:

  • Remove spam pages and links
  • Check Google Search Console → Security Issues
  • Request a review after cleanup

Also check:

  • Your sitemap
  • Indexed pages in Google (site:yourdomain.com)

Step 10: Harden Your WordPress Security

Now that your site is clean, prevent future attacks.

Essential hardening steps:

1. Update everything

  • WordPress core
  • Plugins
  • Themes

2. Install a security plugin

Look for features like:

  • Firewall
  • Malware scanning
  • Login protection

3. Enable 2FA

Especially for admin users.

4. Limit login attempts

Prevent brute-force attacks.

5. Disable file editing

Add this to wp-config.php:

define('DISALLOW_FILE_EDIT', true);

6. Change login URL

Avoid using the default /wp-admin or /wp-login.php.

7. Set proper file permissions

  • Files: 644
  • Directories: 755

8. Use HTTPS

Install an SSL certificate if not already enabled.

Step 11: Identify How the Hack Happened

If you don’t fix the root cause, it can happen again.

Common causes:

  • Outdated plugins/themes
  • Weak passwords
  • Nulled (pirated) themes/plugins
  • Poor hosting security
  • Lack of firewall

Check logs:

  • Server access logs
  • Error logs
  • Login attempts
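
A sketch of that log review, added here as an example and not taken from the original guide: it reads access-log lines in Combined Log Format and reports repeated failed logins, a successful login that follows them, and any request for a PHP file under wp-content/uploads. The log lines are constructed (documentation IP ranges), and the function name and threshold are assumptions.

```python
import re
from collections import Counter

# Combined Log Format: ip ident user [time] "METHOD path PROTO" status size ...
LINE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3}) ')
UPLOADS_PHP = re.compile(r"^/wp-content/uploads/.*\.(php\d?|phtml|phar)$", re.I)

# Constructed sample lines (documentation IP ranges, invented timestamps).
SAMPLE_LOG = """\
203.0.113.7 - - [05/Apr/2026:02:14:01 +0000] "POST /wp-login.php HTTP/1.1" 200 4512 "-" "Mozilla/5.0"
203.0.113.7 - - [05/Apr/2026:02:14:02 +0000] "POST /wp-login.php HTTP/1.1" 200 4512 "-" "Mozilla/5.0"
203.0.113.7 - - [05/Apr/2026:02:14:03 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
203.0.113.7 - - [05/Apr/2026:02:20:45 +0000] "POST /wp-content/uploads/2026/04/x.php HTTP/1.1" 200 17 "-" "curl/8.5.0"
198.51.100.20 - - [05/Apr/2026:09:30:11 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
198.51.100.20 - - [05/Apr/2026:09:31:00 +0000] "GET /wp-content/uploads/2026/04/logo.png HTTP/1.1" 200 8841 "-" "Mozilla/5.0"
"""

def review(log_text, min_failures=2):
    """Summarise login guessing and requests for PHP files under uploads."""
    failures, guessed, uploads_php = Counter(), [], []
    for line in log_text.splitlines():
        m = LINE.match(line)
        if not m:
            continue  # not an access-log line in the expected format
        ip, when, method, path, status = m.groups()
        path = path.split("?", 1)[0]  # ignore the query string
        if method == "POST" and path == "/wp-login.php":
            # Default WordPress behaviour: a failed login re-renders the form
            # (200); a successful one redirects (302).
            if status == "200":
                failures[ip] += 1
            elif status == "302" and failures[ip] >= min_failures:
                guessed.append((ip, when))
        if UPLOADS_PHP.match(path):
            uploads_php.append((ip, when, path, status))
    return {"failed_logins": dict(failures),
            "login_after_failures": guessed,
            "uploads_php_requests": uploads_php}

if __name__ == "__main__":
    for key, value in review(SAMPLE_LOG).items():
        print(key, value)
```

The earliest timestamp in `uploads_php_requests` or `login_after_failures` gives a lower bound for choosing a backup in Step 7 that predates the compromise.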

Step 12: Monitor Your Site Going Forward

Security is ongoing—not a one-time fix.

Set up:

  • Real-time monitoring
  • Automated backups (daily)
  • Uptime alerts
  • Security scans

Optional: When to Hire a Professional

Consider expert help if:

  • You’re not comfortable editing files or databases
  • The infection keeps coming back
  • Your site handles sensitive data (eCommerce, memberships)
  • You’ve been blacklisted by search engines

Final Checklist

Before going live again:

  • All malware removed
  • Passwords reset
  • Core/plugins/themes updated
  • Backdoors eliminated
  • Security measures in place
  • Google review requested (if needed)

Final Thoughts

A hacked WordPress site is stressful—but fixable. The key is acting quickly, cleaning thoroughly, and strengthening your defenses so it doesn’t happen again.
