How to Fix a Hacked WordPress Site (Step-by-Step) in 2026

By Web Support | 1:17 PM EDT, Wed April 08, 2026

A hacked WordPress site can damage your reputation, harm your SEO rankings, and put your users at risk. The good news: most hacks are fixable if you act quickly and follow a structured process.

This guide walks you through exactly how to identify, clean, and secure your site in 2026—whether you're a beginner or an experienced site owner.

Step 1: Stay Calm and Confirm the Hack

Not every issue is a hack. First, verify what’s actually happening.

Common signs of a hacked WordPress site:

  • Unexpected redirects (e.g., to spam or malicious sites)
  • Google warning: “This site may be hacked”
  • New admin users you didn’t create
  • Strange content (spam posts, links, or ads)
  • Hosting provider suspends your account
  • Sudden drop in traffic or SEO rankings
  • Files modified recently without your knowledge

Quick checks:

  • Visit your site in incognito mode
  • Check Google Search Console for security issues
  • Scan your site using an online malware scanner

If you confirm suspicious activity, move quickly.

Step 2: Put Your Site in Maintenance Mode

Before fixing anything, prevent further damage.

Do this immediately:

  • Take your site offline (maintenance mode plugin or hosting panel)
  • Notify your hosting provider
  • Inform your team (if applicable)

This prevents visitors from being exposed to malware and stops attackers from continuing their activity.

Step 3: Change ALL Passwords

Assume every credential is compromised.

Update:

  • WordPress admin passwords
  • Hosting account
  • FTP/SFTP credentials
  • Database password
  • Email accounts linked to the site

Best practices:

  • Use long, unique passwords (password manager recommended)
  • Enable 2FA (Two-Factor Authentication) wherever possible

Step 4: Back Up Your Current Site (Even If It’s Hacked)

This might sound counterintuitive, but it’s important.

Why:

  • You may need files later for investigation
  • You can compare clean vs infected versions

Download:

  • All WordPress files
  • Database export

Step 5: Scan and Identify Malware

Now you need to locate the malicious code.

Tools you can use:

  • Security plugins (WordPress-based)
  • Server-side malware scanners
  • Online scanners

Look for:

  • Suspicious PHP files
  • Obfuscated code (e.g., base64, eval)
  • Recently modified files
  • Unknown plugins/themes
  • Hidden admin users

Step 6: Remove Malicious Code and Files

This is the most critical step.

Manual cleaning approach:

  1. Delete all WordPress core files (except wp-config.php and wp-content)
  2. Reinstall fresh WordPress core files
  3. Replace all plugins and themes with clean versions
  4. Remove unused plugins/themes entirely
  5. Inspect wp-content/uploads for hidden PHP files (should NOT be there)

Database cleaning:

  • Remove spam posts/pages
  • Delete suspicious users
  • Check wp_options for injected scripts
  • Look for suspicious cron jobs

If you're unsure, use a professional malware removal service.

Step 7: Restore from a Clean Backup (If Available)

If you have a backup from before the hack, this can save time.

Important:

  • Make sure the backup is truly clean
  • Still update all plugins/themes afterward
  • Change passwords even after restoring

Step 8: Check for Backdoors

Hackers often leave hidden access points.

Common backdoor locations:

  • wp-content/uploads
  • wp-includes
  • Randomly named PHP files

What to look for:

  • Files with strange names (e.g., x.php, wp-log1n.php)
  • Code using eval(), exec(), base64_decode()

Remove anything suspicious.
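
The file checks from Steps 5, 6 and 8 (PHP files under wp-content/uploads, calls to eval(), exec() or base64_decode(), recently modified files) can be run in one pass over a downloaded copy of the site. This is an added example, not part of the original guide; the function name scan_wordpress_tree, the 14-day window and the extension list are assumptions chosen for illustration.

```python
import os
import re
import time

# Extensions PHP handlers commonly execute; none belong in an uploads folder.
PHP_EXT = re.compile(r"\.(php\d?|phtml|phar)$", re.IGNORECASE)
# Function calls the guide lists as backdoor indicators (Step 8).
RISKY_CALL = re.compile(rb"\b(eval|exec|base64_decode)\s*\(")


def scan_wordpress_tree(root, recent_days=14, now=None):
    """Return sorted (relative_path, reasons) pairs for files worth reviewing."""
    now = time.time() if now is None else now
    cutoff = now - recent_days * 86400
    findings = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if not PHP_EXT.search(name):
                continue  # only executable PHP is of interest here
            path = os.path.join(dirpath, name)
            rel = os.path.relpath(path, root).replace(os.sep, "/")
            reasons = []
            if rel.startswith("wp-content/uploads/"):
                reasons.append("php-in-uploads")
            try:
                with open(path, "rb") as fh:
                    body = fh.read(2_000_000)  # cap the read size per file
                mtime = os.path.getmtime(path)
            except OSError:
                findings[rel] = reasons + ["unreadable"]
                continue
            calls = sorted({m.group(1).decode() for m in RISKY_CALL.finditer(body)})
            if calls:
                reasons.append("calls:" + ",".join(calls))
            if mtime >= cutoff:
                reasons.append("recently-modified")
            if reasons:
                findings[rel] = reasons
    return sorted(findings.items())


if __name__ == "__main__":
    import sys
    target = sys.argv[1] if len(sys.argv) > 1 else "."
    for rel, reasons in scan_wordpress_tree(target):
        print(f"{rel}\t{'; '.join(reasons)}")
```

Hits are leads for manual review, not verdicts: legitimate plugins also call base64_decode(), and an attacker can forge modification times.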

Step 9: Fix SEO Spam and Blacklisting

If your site was used for spam, clean it up.

Actions:

  • Remove spam pages and links
  • Check Google Search Console → Security Issues
  • Request a review after cleanup

Also check:

  • Your sitemap
  • Indexed pages in Google (site:yourdomain.com)

Step 10: Harden Your WordPress Security

Now that your site is clean, prevent future attacks.

Essential hardening steps:

1. Update everything

  • WordPress core
  • Plugins
  • Themes

2. Install a security plugin

Look for features like:

  • Firewall
  • Malware scanning
  • Login protection

3. Enable 2FA

Especially for admin users.

4. Limit login attempts

Prevent brute-force attacks.

5. Disable file editing

Add this to wp-config.php:

define('DISALLOW_FILE_EDIT', true);

6. Change login URL

Avoid using the default /wp-admin or /wp-login.php.

7. Set proper file permissions

  • Files: 644
  • Directories: 755

8. Use HTTPS

Install an SSL certificate if not already enabled.

Step 11: Identify How the Hack Happened

If you don’t fix the root cause, it can happen again.

Common causes:

  • Outdated plugins/themes
  • Weak passwords
  • Nulled (pirated) themes/plugins
  • Poor hosting security
  • Lack of firewall

Check logs:

  • Server access logs
  • Error logs
  • Login attempts
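
One way to work through the access log for the items above, shown as an added example that is not part of the original guide: it counts POSTs to the login endpoints per client and lists every request to a PHP file under wp-content/uploads. It assumes the Apache/Nginx "combined" log format; review_access_log, the threshold of 5 and the sample lines are constructed for illustration.

```python
import re
from collections import Counter

# Apache/Nginx "combined" format: ip, timestamp, request line, status.
LINE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) '
)
LOGIN_PATHS = ("/wp-login.php", "/xmlrpc.php")
UPLOAD_PHP = re.compile(r"^/wp-content/uploads/.*\.(php\d?|phtml|phar)$", re.I)


def review_access_log(lines, login_threshold=5):
    """Summarise login bursts per IP and requests to PHP under uploads."""
    login_posts = Counter()
    upload_hits = []
    skipped = 0
    for line in lines:
        m = LINE.match(line)
        if not m:
            skipped += 1  # malformed or different format: count it, don't guess
            continue
        path = m["path"].split("?", 1)[0]  # ignore the query string
        if m["method"] == "POST" and path in LOGIN_PATHS:
            login_posts[m["ip"]] += 1
        if UPLOAD_PHP.match(path):
            upload_hits.append(
                (m["ts"], m["ip"], m["method"], path, int(m["status"])))
    bursts = {ip: n for ip, n in login_posts.items() if n >= login_threshold}
    return {"login_bursts": bursts, "upload_php_requests": upload_hits,
            "skipped": skipped}


# Constructed sample lines using documentation IP ranges, not real traffic.
SAMPLE = [
    f'203.0.113.7 - - [05/Apr/2026:02:14:{s:02d} +0000] '
    '"POST /wp-login.php HTTP/1.1" 200 5123 "-" "-"'
    for s in range(6)
] + [
    '198.51.100.20 - - [05/Apr/2026:09:01:11 +0000] '
    '"POST /wp-login.php HTTP/1.1" 302 0 "-" "-"',
    '192.0.2.44 - - [06/Apr/2026:03:30:02 +0000] '
    '"POST /wp-content/uploads/2026/03/x.php?a=1 HTTP/1.1" 200 12 "-" "-"',
    '192.0.2.44 - - [06/Apr/2026:03:30:05 +0000] '
    '"GET /wp-content/uploads/2026/03/photo.jpg HTTP/1.1" 200 90211 "-" "-"',
    'not a log line',
]
```

On a default install a failed login re-renders the form with a 200 and a successful one redirects with a 302, so a 302 at the end of a burst deserves attention. The earliest request to a PHP file in uploads gives a starting timestamp for working backwards to the entry point.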

Step 12: Monitor Your Site Going Forward

Security is ongoing—not a one-time fix.

Set up:

  • Real-time monitoring
  • Automated backups (daily)
  • Uptime alerts
  • Security scans

Optional: When to Hire a Professional

Consider expert help if:

  • You’re not comfortable editing files or databases
  • The infection keeps coming back
  • Your site handles sensitive data (eCommerce, memberships)
  • You’ve been blacklisted by search engines

Final Checklist

Before going live again:

  • All malware removed
  • Passwords reset
  • Core/plugins/themes updated
  • Backdoors eliminated
  • Security measures in place
  • Google review requested (if needed)

Final Thoughts

A hacked WordPress site is stressful—but fixable. The key is acting quickly, cleaning thoroughly, and strengthening your defenses so it doesn’t happen again.


Web Support Geeks | 2026 | Proudly Powered by Drupal 11