Cleaning a hacked WordPress site is stressful. But with a systematic approach, you can remove the malware completely, understand how the attacker got in, and prevent it from happening again.
Before you start
Take a backup. Yes, even of the infected site. If something goes wrong during cleaning, you'll want to be able to restore the exact state you started from. Store it somewhere the attacker can't reach.
Don't just restore an old backup. Many site owners think restoring last week's backup is the fix. It's not. Unless you understand how the attacker got in and fix that vulnerability, they'll be back within hours.
Step 1: Contain the damage
If your site is actively serving malware to visitors or has been blacklisted by Google, take it offline temporarily. Put up a maintenance page. Protecting your visitors comes first. Not sure if you've been hacked? Review the 5 warning signs your WordPress site has been compromised.
Step 2: Scan with WO Security Shield
Install WO Security Shield and run a full security scan. The scan will produce a prioritised list of:
- Critical findings — active malware, backdoors, modified core files
- Warning findings — suspicious files, integrity changes, rogue admin accounts
- Informational findings — hardening recommendations
Work through critical findings first.
Step 3: Clean core files
Run the core integrity check. For every file that doesn't match the official WordPress checksum, use the Restore Official Copy action. This fetches the authentic file from WordPress.org and overwrites the tampered version.
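As an added illustration of what a core integrity check does under the hood (this is example code, not WO Security Shield's implementation), the script below hashes every PHP file in a site tree and compares it with a manifest of expected MD5 values, reporting modified, missing, and unlisted files. The official manifest is the JSON served by https://api.wordpress.org/core/checksums/1.0/?version=<version>&locale=<locale>; to run offline, the demo builds an equivalent "md5  path" manifest from a constructed pristine tree, and the tampering it applies to the site copy is constructed too.

```shell
#!/bin/sh
# Added example (not WO Security Shield's code): verify a WordPress tree against a
# manifest of expected MD5 hashes. The real manifest comes from
# https://api.wordpress.org/core/checksums/1.0/?version=<version>&locale=<locale>;
# here an equivalent "md5  relative/path" manifest is built from a constructed
# pristine tree so the demo runs offline.

# Emit "md5  relative/path" for every .php file below a pristine tree ($1).
build_manifest() {
  ( cd "$1" && find . -type f -name '*.php' | sort | while read -r f; do
        md5sum "$f" | sed 's#  \./#  #'
    done )
}

# Compare the site root ($2) against a manifest file ($1).
# Prints "MODIFIED path" when the hash differs and "MISSING path" when the file
# is gone; prints nothing when every listed file matches.
check_core_integrity() {
  while read -r expected path; do
    if [ ! -f "$2/$path" ]; then
      echo "MISSING $path"
    elif [ "$(md5sum "$2/$path" | cut -d' ' -f1)" != "$expected" ]; then
      echo "MODIFIED $path"
    fi
  done < "$1"
}

# Report PHP files present in the site ($2) that the manifest ($1) does not list:
# the "unfamiliar PHP files in the WordPress root" the checklist warns about.
find_unlisted_php() {
  ( cd "$2" && find . -type f -name '*.php' | sed 's#^\./##' | sort ) |
  while read -r f; do
    awk -v p="$f" '$2 == p { found = 1 } END { exit !found }' "$1" || echo "UNLISTED $f"
  done
}

# --- constructed demo data --------------------------------------------------
DEMO_PRISTINE=$(mktemp -d)
DEMO_SITE=$(mktemp -d)
DEMO_MANIFEST=$(mktemp)
for root in "$DEMO_PRISTINE" "$DEMO_SITE"; do
  mkdir -p "$root/wp-includes"
  printf '<?php\n// Silence is golden.\n' > "$root/index.php"
  printf '<?php\n$wp_version = "x.y.z";\n' > "$root/wp-includes/version.php"
  printf '<?php\n// bootstrap helpers\n' > "$root/wp-includes/load.php"
done
build_manifest "$DEMO_PRISTINE" > "$DEMO_MANIFEST"
# Tamper with the site copy (constructed): append to one core file, delete
# another, and drop an unknown PHP file into the WordPress root.
printf '/* appended by attacker */\n' >> "$DEMO_SITE/wp-includes/load.php"
rm "$DEMO_SITE/wp-includes/version.php"
printf '<?php\n// not part of WordPress\n' > "$DEMO_SITE/wp-tmp.php"

check_core_integrity "$DEMO_MANIFEST" "$DEMO_SITE"
find_unlisted_php "$DEMO_MANIFEST" "$DEMO_SITE"
```

Each MODIFIED or MISSING line is a candidate for the Restore Official Copy action; an UNLISTED file in the root is not something a restore fixes, so it goes into the Step 5 review instead.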
Step 4: Clean plugins and themes
Delete every plugin and theme you're not actively using. For active plugins, check their integrity baselines. If a plugin's files have been modified, delete and reinstall it fresh from WordPress.org (or the original source).
Never re-upload a potentially infected plugin. Always download a fresh copy.
Step 5: Remove backdoors and malicious files
This is often the most time-consuming step. For a detailed walkthrough, see our dedicated guide on finding and removing PHP backdoors. WO Security Shield will list every suspicious PHP file it found. For each one:
- Read the code — understand what it does
- Quarantine it (safer than deleting — you can review it later)
- If it's confirmed malware, delete it permanently
Pay special attention to files in:
- /wp-content/uploads/ (should never contain PHP)
- WordPress root (any unfamiliar PHP files)
- /wp-content/mu-plugins/ (loads automatically, often used for persistence)
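The three locations above can be swept from a shell before (or alongside) a scanner. The script below is an added example, not WO Security Shield's code: it lists PHP under uploads both by extension and by content (a file named like an image that starts with a PHP open tag is still PHP to a misconfigured server), lists what auto-loads from mu-plugins, and quarantines a file by moving it out of the web root with a non-executable suffix rather than deleting it. The site tree and files it creates are constructed for the demo.

```shell
#!/bin/sh
# Added example (not WO Security Shield's code): find PHP that should not be under
# wp-content/uploads/, show what auto-loads from wp-content/mu-plugins/, and
# quarantine a file instead of deleting it. All paths and files are constructed.

# Print every file under uploads ($1 = site root) that is PHP, either by extension
# or because its first bytes contain a PHP open tag despite an innocent name.
find_php_in_uploads() {
  find "$1/wp-content/uploads" -type f | sort | while read -r f; do
    case "$f" in
      *.php|*.php[0-9]|*.phtml|*.phar) echo "EXT  ${f#$1/}"; continue ;;
    esac
    if head -c 512 "$f" | grep -q '<?php'; then
      echo "TAG  ${f#$1/}"
    fi
  done
}

# Everything in mu-plugins runs on every request with no activation step, so each
# file there deserves a read. $1 = site root.
list_mu_plugins() {
  [ -d "$1/wp-content/mu-plugins" ] || return 0
  find "$1/wp-content/mu-plugins" -type f -name '*.php' | sort | sed "s#^$1/##"
}

# Move file $1 into quarantine dir $2 (outside the web root), rename it so the web
# server will never execute it, and record the original path for later review or
# restore. Prints the quarantined path.
quarantine_file() {
  name=$(basename "$1")
  ts=$(date +%Y%m%d%H%M%S)
  dest="$2/$ts-$name.quarantined"
  mv "$1" "$dest"
  chmod 600 "$dest"
  printf '%s\t%s\n' "$1" "$dest" >> "$2/quarantine.log"
  echo "$dest"
}

# --- constructed demo data --------------------------------------------------
DEMO_SITE=$(mktemp -d)
DEMO_QUARANTINE=$(mktemp -d)
mkdir -p "$DEMO_SITE/wp-content/uploads/2024/03" "$DEMO_SITE/wp-content/mu-plugins"
printf 'JFIF real image bytes\n'                  > "$DEMO_SITE/wp-content/uploads/2024/03/photo.jpg"
printf '<?php\n// should not be here\n'           > "$DEMO_SITE/wp-content/uploads/2024/03/x.php"
printf '<?php\n// disguised as an image\n'        > "$DEMO_SITE/wp-content/uploads/2024/03/logo.png"
printf '<?php\n// auto-loaded on every request\n' > "$DEMO_SITE/wp-content/mu-plugins/loader.php"

find_php_in_uploads "$DEMO_SITE"
list_mu_plugins "$DEMO_SITE"
```

The same sweep works on a backup extracted locally, which is the cheapest way to find out whether the backup predates the compromise before you restore it.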
Step 6: Clean the database
Check wp_options for injected scripts, wp_posts for content injection, and wp_users for rogue admin accounts.
```sql
-- Look for script injections in options
SELECT option_name, option_value FROM wp_options
WHERE option_value LIKE '%<script%' OR option_value LIKE '%eval(%';
```
Step 7: Change all credentials
- WordPress admin passwords (all accounts)
- Database password
- FTP/SFTP credentials
- Hosting panel password
- Any API keys stored in wp-config.php
Step 8: Find and fix the entry point
This is the step most people skip — and why they get reinfected. Check your server access logs for the first time a backdoor file was accessed. Trace back to how it got there:
- Was it an outdated plugin with a known vulnerability?
- Was the admin account password guessed?
- Was a file manager plugin used to upload it?
Fix the root cause before putting your site back online.
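Tracing the entry point in the access log is mechanical once you know the backdoor's path: find its first request, take the client IP from that line, then look at everything that IP did before. The script below is an added example (not WO Security Shield's code) that does exactly that with awk over a constructed common-log-format excerpt using documentation IP addresses; the attacker trail it contains (repeated wp-login.php POSTs followed by a plugin upload) is constructed to match two of the questions above.

```shell
#!/bin/sh
# Added example (not WO Security Shield's code): trace a backdoor back to its entry
# point using the web server access log. The log below is constructed (common log
# format, documentation IPs); field $7 of each line is the request path.

DEMO_LOG=$(mktemp)
cat > "$DEMO_LOG" <<'EOF'
198.51.100.7 - - [10/Mar/2024:02:58:11 +0000] "GET / HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.5 - - [10/Mar/2024:03:01:02 +0000] "POST /wp-login.php HTTP/1.1" 200 2310 "-" "python-requests/2.31"
203.0.113.5 - - [10/Mar/2024:03:01:03 +0000] "POST /wp-login.php HTTP/1.1" 200 2310 "-" "python-requests/2.31"
203.0.113.5 - - [10/Mar/2024:03:01:04 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "python-requests/2.31"
203.0.113.5 - - [10/Mar/2024:03:02:40 +0000] "POST /wp-admin/update.php?action=upload-plugin HTTP/1.1" 200 1880 "-" "python-requests/2.31"
203.0.113.5 - - [10/Mar/2024:03:03:15 +0000] "GET /wp-content/plugins/helper/x.php HTTP/1.1" 200 48 "-" "python-requests/2.31"
198.51.100.7 - - [10/Mar/2024:03:05:00 +0000] "GET /about/ HTTP/1.1" 200 4800 "-" "Mozilla/5.0"
203.0.113.5 - - [10/Mar/2024:03:09:33 +0000] "POST /wp-content/plugins/helper/x.php HTTP/1.1" 200 48 "-" "python-requests/2.31"
EOF

# First request for the backdoor path ($2) in log $1: the earliest the file was used.
first_hit() {
  awk -v target="$2" '$7 == target { print; exit }' "$1"
}

# Client IP taken from that first hit.
attacker_ip() {
  first_hit "$1" "$2" | awk '{ print $1 }'
}

# Every line from that IP before the first hit: the trail that led to the upload.
# Prints nothing if the path never appears in the log.
prior_activity() {
  awk -v target="$2" '
    $7 == target { ip = $1; exit }
    { line[NR] = $0; who[NR] = $1 }
    END { for (i = 1; i < NR; i++) if (who[i] == ip) print line[i] }
  ' "$1"
}

# Method + path counts for that prior activity, most frequent first, so a
# brute-force burst or an admin upload stands out at a glance.
prior_paths() {
  prior_activity "$1" "$2" |
  awk '{ n[substr($6, 2) " " $7]++ } END { for (k in n) print n[k], k }' |
  sort -rn
}

first_hit      "$DEMO_LOG" /wp-content/plugins/helper/x.php
prior_paths    "$DEMO_LOG" /wp-content/plugins/helper/x.php
```

Read the output top-down: the timestamp of the first hit bounds when the file arrived, and the prior requests from the same address answer the checklist above (a run of POSTs to wp-login.php ending in a 302 points at a guessed password; a POST to the plugin-upload endpoint right after points at how the file got there). On a real server the log path is host-specific, and rotated logs need to be included in the search.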
Step 9: Harden going forward
Install WO Security Shield permanently with:
- File integrity monitoring enabled
- Login protection and 2FA active
- Firewall rules on
- Scheduled weekly scans
Then submit a reconsideration request to Google Search Console to remove any blacklist warnings.
For help cleaning your site, visit wosecurity.com.
Common Mistakes That Lead to Re-infection
We've cleaned hundreds of hacked WordPress sites, and the same mistakes come up repeatedly. Avoid these:
1. Only Cleaning the Visible Hack
If your homepage was defaced, it's tempting to just fix the homepage and move on. But the defacement is a symptom, not the cause. The attacker likely has:
- Multiple PHP backdoors scattered across your installation
- A modified functions.php or wp-config.php
- A rogue admin account
Cleaning only the visible damage guarantees re-infection within days.
2. Not Identifying the Entry Point
The most critical question: how did they get in? Common entry points:
| Entry point | How to check |
|---|---|
| Outdated plugin with known CVE | Check plugin versions against WPScan vulnerability database |
| Weak admin password | Review login logs for brute-force attempts |
| Compromised hosting credentials | Ask your host if other accounts on the shared server were hit |
| Nulled/pirated themes | If you didn't pay for it, assume it has a backdoor |
| File upload vulnerability | Check for PHP files in /wp-content/uploads/ |
3. Restoring a Backup Without Checking It
Your backup might already contain the backdoor. Attackers often persist for weeks before becoming visible. If your backup is from after the initial compromise, you're restoring the infection.
Always scan your backup before restoring it. Extract the files locally and run a malware scan before uploading anything to your server.
4. Keeping the Same Passwords
Every credential must change:
- WordPress admin passwords (all admin-level users)
- Database password (update in wp-config.php too)
- FTP/SFTP passwords
- Hosting control panel password
- SSH keys (regenerate, don't reuse)
Recovery Timeline: What to Expect
| Phase | Duration | What's happening |
|---|---|---|
| Initial cleanup | 1–4 hours | Remove malware, backdoors, rogue accounts |
| Monitoring period | 48–72 hours | Watch for signs of re-infection |
| Google reconsideration | 1–14 days | Google reviews your site after cleanup |
| SEO recovery | 2–8 weeks | Rankings gradually return to normal |
| Full reputation recovery | 1–3 months | Blacklists fully clear, trust restored |
The monitoring period is crucial. If you see new suspicious files appearing within 48 hours, the entry point wasn't properly closed.
When to Call a Professional
DIY cleanup works well for simple infections — a single backdoor in a known location, a defaced homepage. But consider professional help if:
- You find more than 3 backdoor files
- Core WordPress files have been modified
- The database has been tampered with (check wp_users and wp_options)
- You can't identify the entry point
- The site gets re-infected after your cleanup
WO Security Shield offers a no fix, no fee malware removal service — if we can't clean it, you don't pay.
