Hacked WordPress Site? Here’s the Fastest Way to Recover (Before It’s Too Late)
Uh-Oh, Your WordPress Site Got Hacked. Now What?
Your WordPress site has been hacked. Panic sets in—your site is down, visitors see weird redirects, or worse, Google marks it as unsafe. What now? The faster you act, the better. Let’s walk through the exact steps to recover your hacked WordPress site before it causes more damage.
Step 1: Stay Calm & Assess the Damage
First, take a deep breath. Hacking happens, and you can recover. Now, check for these signs:
- Your website is redirecting to unknown sites.
- There are strange pop-ups or ads.
- You can’t log in.
- Google is showing a warning that your site is compromised.
- Unfamiliar users or files appear in your WordPress dashboard.
The type of hack determines the recovery steps, so take note of what’s happening.
Step 2: Put Your Site in Maintenance Mode
Prevent further harm by putting your site in maintenance mode. If you can still log in, use a maintenance plugin or add this to your .htaccess file:
# Serve maintenance.html with a 503 status for every other request
RewriteEngine on
RewriteCond %{REQUEST_URI} !/maintenance.html$
RewriteRule ^.*$ - [R=503,L]
ErrorDocument 503 /maintenance.html
This keeps visitors away while you fix things.
Step 3: Change All Passwords
Change passwords for:
- WordPress admin
- Hosting account
- FTP/SFTP access
- Database
- Any third-party integrations
Use a strong, unique password for each. Consider a password manager to keep track.
Step 4: Restore a Clean Backup (If Available)
If you have a backup taken before the compromise, restore it. Many hosting providers offer backups, or you might have one via a backup plugin like UpdraftPlus or VaultPress.
No backup? Don’t worry—there’s still hope.
Step 5: Scan for Malware & Remove Suspicious Files
Use security plugins like:
- Wordfence
- Sucuri Security
- MalCare
Scan your site for malicious code and remove any infected files. If you’re unsure, download your site files via FTP and compare them with a fresh WordPress installation.
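The comparison against a fresh install described above, as an added example that is not part of the original post: it hashes the core files of the FTP download and of a clean wordpress.org download of the same version, reports modified, added and missing core files, and lists any PHP files under wp-content/uploads. The two directory paths are assumptions.

```python
# Added example (not from the original post): compare the FTP download of a hacked
# site with a fresh wordpress.org download of the same version, as Step 5 suggests.
import hashlib
from pathlib import Path

# wp-content and wp-config.php are site-specific, so they are left out of the
# core comparison (see Step 6); PHP files under uploads are flagged separately.
SKIP = {"wp-content", "wp-config.php"}

def _sha256(path: Path) -> str:
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()

def _core_files(root: Path) -> dict:
    """Map relative path -> sha256 for every core file under root."""
    files = {}
    for p in root.rglob("*"):
        rel = p.relative_to(root)
        if not p.is_file() or rel.parts[0] in SKIP:
            continue
        files[rel.as_posix()] = _sha256(p)
    return files

def compare_installs(site_dir: str, clean_dir: str) -> dict:
    """Return core files that differ between the site copy and a clean install."""
    site, clean = _core_files(Path(site_dir)), _core_files(Path(clean_dir))
    uploads = Path(site_dir) / "wp-content" / "uploads"
    return {
        # same path, different content: a modified core file
        "modified": sorted(f for f in site if f in clean and site[f] != clean[f]),
        # present on the site but not in a clean install: a dropped file
        "added": sorted(f for f in site if f not in clean),
        # expected core file is gone
        "missing": sorted(f for f in clean if f not in site),
        # uploads should hold media only; any PHP there deserves a look
        "php_in_uploads": sorted(
            p.relative_to(site_dir).as_posix() for p in uploads.rglob("*.php")
        ) if uploads.is_dir() else [],
    }

if __name__ == "__main__":
    # Assumed paths: your FTP download and the unzipped wordpress.org archive.
    report = compare_installs("./site-download", "./wordpress-clean")
    for kind, paths in report.items():
        print(kind, *paths, sep="\n  ")
```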
Step 6: Reinstall WordPress Core Files
Hackers often modify core WordPress files. To ensure a clean install:
- Download the latest WordPress version from wordpress.org.
- Delete everything except wp-content and wp-config.php.
- Upload the fresh WordPress files.
This keeps your content but replaces any altered system files.
Step 7: Check & Fix User Accounts
Go to Users > All Users in your dashboard. If you see unfamiliar admin accounts, delete them immediately.
Step 8: Reinstall or Update Plugins & Themes
Outdated plugins/themes are common entry points for hackers. Delete any unused plugins and themes. Then:
- Update all remaining plugins and themes.
- Download fresh copies from official sources.
- Avoid nulled (pirated) themes or plugins—they often contain malware.
Step 9: Secure Your Website to Prevent Future Hacks
Now that your site is clean, take these steps to keep hackers out:
- Enable Two-Factor Authentication (2FA): Adds an extra layer of security.
- Use a Web Application Firewall (WAF): Services like Cloudflare or Sucuri block attacks before they reach your site.
- Limit Login Attempts: Prevents brute-force attacks.
- Disable File Editing: Add this to wp-config.php to stop attackers from editing theme and plugin files from the dashboard:
define('DISALLOW_FILE_EDIT', true);
- Regular Backups: Automate backups using a plugin or hosting service.
Step 10: Request a Security Review from Google (If Blacklisted)
If Google flagged your site as unsafe, go to Google Search Console > Security Issues and request a review after cleaning up the hack.
Final Thoughts
A hacked WordPress site is a nightmare, but recovery is possible if you act fast. Follow these steps, and once your site is back, focus on prevention. If the process feels overwhelming, consider professional WordPress security services—we’re here to help you stay protected.
Got questions? Need expert recovery assistance? Let’s chat and secure your site today!