WordPress Website Hacked

WordPress Website Hacked? Scan & Clean Hacked WordPress Site

March 14, 2024

If you’ve ever found yourself in a situation where your WordPress website has been hacked, WP Gauge is here to rescue you. With years of dedicated experience helping WordPress administrators identify and rectify hacked websites, we have crafted this comprehensive guide to assist WordPress owners in detecting and cleaning a WordPress hack. While this guide may not cover every possible scenario, following its steps will help address many common infections.

The first crucial step in ridding your WordPress website of Malware is to pinpoint the type of hack that has occurred. This initial identification is essential for streamlining the cleanup process.

We recommend using WP Gauge, a tool designed to quickly scan your website to detect Malware and other security issues.

To further enhance your website’s security, especially if you have multiple WordPress sites on the same server, we encourage scanning all of them (WP Gauge can assist with this). Cross-site contamination is a significant reason for reinfections, so isolating each of your websites within their hosting environments is vital.

With WP Gauge by your side, you can efficiently and effectively tackle WordPress website hacks, safeguarding your online presence and ensuring a secure online experience for your visitors.

We have put together this guide to walk WordPress owners through identifying and cleaning a WordPress hack. It is not meant to be an all-encompassing guide, but if followed, it should help address some of the infections we see.

Find and discover the WordPress hack.

Scan your WordPress website for Malware and signs of infection

The first step to removing malware from your WordPress website is to identify the type of hack. This will help you narrow down the infection and make the cleanup easier.

Scan your web pages

  1. Visit the WebPageTest site.
  2. Enter your website and click on Start Test.
  3. Click on the waterfall result.
  4. Review the request details.
  5. Note any suspicious or unrecognizable requests.

This external tool gives insight into what is loading on your WordPress page. From here, you can review every request made while your page loads, which helps you narrow down any malicious or unwanted domains loading on your page.

Check core WordPress file integrity.

WordPress installations comprise many core files that stay constant between versions. Most core files within WordPress should never be modified. Core files are located in the web root and in the wp-includes and wp-admin directories. An integrity check should be performed to ensure that no core files have been maliciously changed.

A few different approaches exist to manually check whether core files have been modified on a CMS-based website.

Check for recently modified files.

Modified files may have been part of the hack. Many methods can be used to check for recently modified files, such as reviewing them through cPanel or SSH.
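The two manual checks above (core file integrity and recently modified files) can be scripted as follows. This is an added example, not code from WP Gauge; it assumes you have extracted a clean copy of the same WordPress version to a directory of your choice, and the function names are illustrative.

```python
import hashlib
import os
import time

# Left out of the comparison: site-specific config and user content, which the
# guide says must not be overwritten with stock copies.
SKIP_TOP = {"wp-config.php", "wp-content"}

def _files(root, skip=()):
    """Yield (relative path, full path) for files under root, minus top-level skips."""
    for dirpath, dirnames, filenames in os.walk(root):
        if dirpath == root:
            dirnames[:] = [d for d in dirnames if d not in skip]
            filenames = [f for f in filenames if f not in skip]
        for name in filenames:
            full = os.path.join(dirpath, name)
            yield os.path.relpath(full, root).replace(os.sep, "/"), full

def _sha256(path):
    with open(path, "rb") as fh:
        return hashlib.sha256(fh.read()).hexdigest()

def compare_core(site_root, clean_root):
    """Compare a live site with a clean extract of the same WordPress version."""
    site = {rel: _sha256(p) for rel, p in _files(site_root, SKIP_TOP)}
    clean = {rel: _sha256(p) for rel, p in _files(clean_root, SKIP_TOP)}
    core_dirs = ("wp-admin/", "wp-includes/")
    return {
        "modified": sorted(r for r in clean if r in site and site[r] != clean[r]),
        "missing": sorted(r for r in clean if r not in site),
        # Files inside core directories that the clean release does not ship.
        "unexpected": sorted(r for r in site
                             if r not in clean and r.startswith(core_dirs)),
    }

def recently_modified(site_root, days, now=None):
    """Return (relative path, mtime) for files changed in the last `days`, newest first."""
    cutoff = (time.time() if now is None else now) - days * 86400
    hits = [(rel, os.path.getmtime(p)) for rel, p in _files(site_root)]
    return sorted((h for h in hits if h[1] >= cutoff), key=lambda h: h[1], reverse=True)

if __name__ == "__main__":
    import sys  # usage: script.py SITE_ROOT CLEAN_ROOT DAYS
    print(compare_core(sys.argv[1], sys.argv[2]))
    print(recently_modified(sys.argv[1], int(sys.argv[3])))
```

Files under "unexpected" deserve particular attention, since a file that sits in wp-admin or wp-includes but is not part of the release was placed there by something other than WordPress.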

Check your site on VirusTotal.

Visit the VirusTotal website

Click the URL tab, input your web page URL, and search

On this page, you may check:

Detection: Check the blocklisting status of the website from 70+ vendors.

Details: View the history and HTTP response from your website.

Links: Review any outgoing hyperlinks.

Community: Review comments from the public about the safety of your site.

Remove Malware from your WordPress site and database

Now that you know how to identify the location of malicious content, you can remove the malware and have a clean, working WordPress site once more.

The steps listed below require access to the WordPress file structure and database. You will need access through sFTP/FTP/SSH to view your file structure, along with database credentials to access your database. Be sure to make a complete website backup before continuing with these steps!

If you aren’t familiar with manipulating database tables or editing PHP, please seek help from a professional Incident Response Team member who can remove website malware.

Pro Tip

The way to remove malware and identify hacked files in WordPress is to compare the current state of the site with an old, known-clean backup. If a backup is available, you can compare the two versions and determine what has been changed. A restore can be the quickest option to get your site functional again.

Clean hacked WordPress files.

WordPress is made up of many files and folders, which work together to create a functional website. Most of these files are core files, which are consistent across installations of the same version.

If the infection is in your core files, you can fix the malware manually by downloading a fresh installation from the official WordPress website and replacing each compromised file with a clean copy. Just don’t overwrite your wp-config.php file or wp-content folder, and ensure you have a working backup beforehand!

How to clean hacked WordPress core files?

  1. Note the version of your WordPress website by viewing the file wp-includes/version.php.
  2. Navigate to the official WordPress website and download the version that matches your wp-includes/version.php file.
  3. Extract the WordPress installation on your computer.
  4. Log into your file structure through sFTP/FTP or your hosting account.
  5. Replace every infected core file with a clean copy.

Clean hacked database tables

To remove a malware infection from your WordPress database, use your database admin panel to connect to the database. You can also use tools like phpMyAdmin.

Manually remove a malware infection from your WordPress database.

  1. Log into your database admin panel.
  2. Make a backup of the database before making changes.
  3. Search for suspicious content (e.g., spam keywords, malicious links).
  4. Open the row that contains suspicious content.
  5. Manually remove any suspicious content.
  6. Test to verify the website remains operational after the changes.
  7. Remove any database access tools you may have uploaded.

Beginners can use the payload information provided by the malware scanner. Intermediate users can also manually look for standard malicious PHP functions, such as eval, base64_decode, gzinflate, preg_replace, and str_replace.

You may also notice that your WordPress website was hacked on a specific date and that unrecognizable spam posts have been injected into it. This can also happen if an administrator’s password is compromised.

Secure WordPress user accounts

Attackers will often create malicious admin users and FTP users to regain access to your site at a later date, so it’s crucial to check user accounts at every possible access point into your website. If a WordPress website is infected and cleaned but the malicious admin/FTP users remain, the site will quickly become reinfected.

Remove any users you do not recognize so the hackers no longer have access, including:

  • FTP Users
  • SSH Users
  • WordPress Admin
  • End Users

Remove suspicious users from WordPress

  1. Back up your site and database before proceeding.
  2. Log into WordPress as an admin and click Users.
  3. Find the suspicious new user accounts.
  4. Hover over the suspicious user and click Delete.

If a user has content associated with it, you will be prompted with the option to keep or remove any associated content. It is usually recommended that you keep the content and manage it afterward to avoid any unintended data loss.

We recommend having only one admin user and setting other user roles to the minimum privileges required (e.g., contributor, author, editor).


Certain malware infections will add malicious email accounts if available on a hosting platform (for example, the Anonymous Fox infection). Log into your hosting account and view the Email Accounts if applicable. Remove any users you do not recognize.

Remove hidden backdoors in your hacked WordPress website.

Hackers usually leave a way to get back into your website. More often than not, we see multiple backdoors of various types in hacked WordPress websites.

We often find backdoors embedded in files named like WordPress core files but located in the wrong directories. Attackers can also inject backdoors into files like wp-config.php and directories like wp-content/themes, wp-content/plugins, and wp-content/uploads.

Backdoors usually include the following PHP functions:

preg_replace (with /e/)


These functions can also be used legitimately by plugins, so test any changes. Removing benign functions or failing to remove all the malicious code can break your site.

Most malicious code we see in WordPress sites uses some form of encoding to prevent detection. Aside from premium components that use encoding to protect their authentication mechanism, it’s uncommon to see encoding in the official WordPress repository.

To efficiently stop a WordPress hack, all backdoors must be closed. Otherwise, your website will be reinfected quickly.
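A file-level search for the functions named in this guide can be automated as below. This is an added example, not WP Gauge's scanner: the indicator names are illustrative, and treating any PHP file under wp-content/uploads as a finding is an assumption that the directory holds only media.

```python
import os
import re

# Function names this guide lists for manual searches. Plugins also use them
# legitimately, so each hit is a lead for review, not proof of infection.
NAMES = ("eval", "base64_decode", "gzinflate", "preg_replace", "str_replace")
CALLS = {n: re.compile(rb"\b" + n.encode() + rb"\s*\(", re.I) for n in NAMES}

# preg_replace whose quoted pattern ends in a modifier list containing "e".
PREG_E = re.compile(rb"""\bpreg_replace\s*\(\s*(['"])(.)[^'"\n]*\2[a-z]*e[a-z]*\1""", re.I)

# eval() applied directly to decoded or inflated data: the encoded-payload shape.
EVAL_DECODE = re.compile(
    rb"\beval\s*\(\s*(?:@?\w+\s*\(\s*)*(?:base64_decode|gzinflate)\s*\(", re.I)

def scan_file(path):
    """Return the sorted indicator names found in one PHP file."""
    with open(path, "rb") as fh:
        data = fh.read()
    found = {n for n, rx in CALLS.items() if rx.search(data)}
    if PREG_E.search(data):
        found.add("preg_replace /e")
    if EVAL_DECODE.search(data):
        found.add("eval of decoded data")
    return sorted(found)

def scan_tree(root):
    """Return {relative path: [indicators]} for PHP files that need a manual look."""
    report = {}
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            if not name.lower().endswith((".php", ".phtml")):
                continue
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            found = scan_file(full)
            # Assumption: uploads holds media, so PHP there is itself a finding.
            if rel.startswith("wp-content/uploads/"):
                found.append("php in uploads")
            if found:
                report[rel] = found
    return report

if __name__ == "__main__":
    import sys  # usage: script.py SITE_ROOT
    for rel, found in sorted(scan_tree(sys.argv[1]).items()):
        print(rel, ", ".join(found))
```

Review the "eval of decoded data" and "preg_replace /e" hits first; the single-function hits will include legitimate plugin code.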

Protect your WordPress website after a hack.

In this final step, you will learn how to fix the issues that caused your WordPress website to be hacked in the first place. You will also carry out essential steps to improve the security of your WordPress website.

Patch out-of-date software

One of the leading causes of infections is outdated software. This includes the WordPress version, plugins, themes, and all other software installed on the site. Critical vulnerability patches are often released by plugin and theme authors, and it is crucial to stay current with the latest updates.

Update all software on your server (e.g., Apache, cPanel, PHP) to ensure no security patches are missing.

This includes:

  • Out-of-date plugins
  • Apache version
  • PHP version
  • WHM/cPanel version
  • WordPress version

Reinstalling all plugins and extensions after a hack helps ensure they’re functional and free from residual Malware.

Change user passwords to prevent reinfection

You should change passwords for all access points to your WordPress site. This includes WordPress user accounts, FTP/SFTP, SSH, cPanel, and your database.

You should reduce the number of admin accounts for all your systems to the absolute minimum. Practice the principle of least privilege. Only give people the access they require to do the job they need, for as long as they need it.

All accounts should use strong passwords. A good password is built around complexity, length, and uniqueness. You can generate a secure password with Passwords Generator and use a password manager to keep track of your passwords.

Scan your PC for Malware

Have all WordPress users run a scan with a reputable antivirus program on their operating systems.

WordPress can be compromised if a user with an infected computer has access to the dashboard. Some infections are designed to jump from a PC into text editors or FTP clients.

Pro Tip

You should have only one antivirus actively protecting your system to avoid conflicts.

Use a website firewall to help prevent malware.

The number of vulnerabilities exploited by attackers grows every day. Trying to keep up can be difficult for administrators. Website firewalls were invented to provide a perimeter defense system around your WordPress website and can help filter malicious requests to your server.

Secure your WordPress site by following these website security best practices:

  • Leveraging IP access restrictions for the WordPress dashboard
  • Using a WordPress firewall
  • Patching your 

How can I tell if my WordPress website has been hacked?

Answer: Signs that a WordPress website has been hacked can include sudden changes in the website’s appearance, new unknown users in the admin panel, unexpected redirects, slow loading times, and unauthorized ads or content. You might also receive notifications from your hosting provider or Google warning about suspicious activity.

What are the first steps I should take if my WordPress website has been hacked?

Answer: Immediately change all passwords associated with your website, including WordPress admin, FTP, and database passwords. Scan your site using a reputable security plugin or service. Contact your hosting provider for assistance, as they may have specific procedures and backups available. It’s also important to update all WordPress core files, themes, and plugins to their latest versions.

How can I clean my hacked WordPress website?

Answer: To clean a hacked WordPress website, start by running a complete scan with a trusted security plugin or service. This should identify any malicious code or files. Remove any identified malware, restore damaged files from clean backups, and remove unauthorized access points such as suspicious admin users. Check that all your themes and plugins are from reliable sources and update them. Finally, implement security measures to prevent future attacks.

Is it possible to prevent my WordPress website from being hacked?

Answer: While no site is entirely hack-proof, you can significantly reduce the risk by following best practices: regularly update WordPress, themes, and plugins; use strong passwords and two-factor authentication; choose a secure hosting provider; install a security plugin; limit login attempts; regularly backup your site; and avoid using nulled themes/plugins.

After cleaning a hack, how can I ensure my WordPress website remains secure?

Answer: Post-cleanup, continuously monitor your site for unusual activity. Keep everything updated, including WordPress, themes, and plugins. Regularly change passwords and ensure they are strong. Consider using a web application firewall (WAF) for added security. Regularly back up your site and conduct security audits to identify and fix potential vulnerabilities. Engaging in ongoing security awareness and education is also vital to stay ahead of new threats.

Safwan F

Safwan is the WordPress person at WP Gauge who loves sharing experiences with others who are just as enthusiastic about WordPress. On the WP Gauge platform, he shares practical tips and tricks inspired by real-life situations, making web security easy for everyone to understand.