How to Clean Up a Hacked WordPress Website

Guide Overview:

Our How to Clean Up a Hacked WordPress Website guide is perfect for those that like to get their hands dirty (DIY) or for those that want a quick jumping off point to get their issues resolved.

If you don’t have a vendor like WP Turned UP providing monthly website maintenance and/or support, we highly recommend that you consider it. It’s nice to have someone you trust, so you don’t feel alone in the fight.

The DIY (Do It Yourself) Route
The Vendor Route

The DIY (Do It Yourself) Route

If you decide to go at the cleanup on your own, perform each of the steps below until all threats are remediated.

Immediate Actions

  1. Change the passwords for any and all accounts that have admin access for your WordPress install.
  2. Establish a threat baseline by using FREE online scanners like Sucuri SiteCheck, Web Inspector, and VirusTotal. (Note: We recommend that you run tests from all of the listed scanners, as some have different strengths.).
  3. Create a brand new backup of your website to salvage what you have left at the latest point in time, being sure to label the backup as “compromised”.  (Note: If you have a backup from your web hosting provider or a 3rd party service like ManageWP, that may suffice in terms of freshness of the backup.).
  4. Restore your website from a backup. (Note: While this is the simplest solution, it’s also not a likely solution unless your website is primarily a static website where the data and content rarely changes.)
  5. Run the online scans again.
  6. If threats are still found in any of the files on your site, after the restore, a possible simple fix is to delete and replace them with clean versions by going to your WordPress Dashboard > Updates > Re-install Now. (Note: If your WordPress Dashboard is not available, you can install core WordPress files via FTP.).

Help Close the Door to Future Threats

All of these steps should be considered mandatory as part of good security practices, but especially after threats have been discovered.

  1. Since threats can originate from your workstation, ensure that your workstation is clean prior to continuing the following remediations from that same workstation. (Note: If you’re on a Windows-based workstation, update the virus definitions by going to Settings > Updates and Security > Windows Update > Check for Updates and then run an offline virus scan by going to Settings > Windows Security > Virus & Threat Protection > Run a new advanced scan > Windows Defender Offline Scan.).
  2. Change the passwords for the Web Hosting backend, FTP accounts, MySQL/MariaDB Database.
  3. Review all WordPress user accounts to see if anything looks suspicious, like unknown administrative level accounts.
  4. Visit the Keys & Salts Generator, edit your wp-config.php file via FTP or using your cPanel, replace your current Keys & Salts with the ones from the generator, and then save your wp-config.php file.
  5. Take a hard look at your website’s security measures to figure out what went wrong and how to prevent things from going wrong in the future.

Install Core WordPress File Using FTP

  1. Download the latest version of WordPress.
  2. Extract the full contents of the downloaded .zip file to your workstation.
  3. Delete the wp-content folder.
  4. Connect to your website via FTP and browse to the folder that corresponds to your website install. (Note: Typically, this is the folder named public_html.).
  5. Upload the remaining files to the folder. (Note: Your FTP program should prompt you with a “Target file already exists” message. Select Overwrite, Always use this action, and Apply to current queue only.).

Since the wp-content folder was deleted prior to uploading, this will overwrite all of the core WordPress files without affecting any of your themes or plugins. Once the upload finishes, you should have a freshly installed copy of the WordPress core files and things are hopefully running smoothly.

The Vendor Route

If you simply do not want to mess with the cleaning up of your website yourself, or if you need to take your clean up a step further, we have outlined some options below.

WordPress Maintenance & Support Companies

Many vendors that provide WordPress maintenance and support offer some level of threat protection/removal, whether it’s part of their ongoing maintenance plans or as an hourly service.

If you don’t have a vendor like WP Turned UP providing monthly website maintenance and/or support, we highly recommend that you consider it. It’s nice to have someone you trust, so you don’t feel alone in the fight.

We include Threat Protection with most of our plans. For those that sign up for our Professional Maintenance Plan, we offer Enhanced Threat Protection. This particular plan is ideal for those running an eCommerce or Membership website.

We have partnered with the folks at MalCare, adding their solution/services to our Enhanced Threat Protection offering. While this protection is proactive, things do happen, and because of that, we provide 1-Click Malware Removal.

Website Hosting Companies

Kinsta is our recommended vendor for website hosting. They provide a Security Guarantee as well as Malware Removal, that could save you money in the long run, as well as a lot of headaches.

Before you go out and spend money, it’s a good idea to first see what your website hosting vendor can do for you.

Note: If you do contact your website host, pay close attention to what they are recommending. Ideally, the support staff should work with you, communicating what they are doing each step of the way.

Malware Removal Companies

MalCare provides a premium WordPress security plugin, as well as an Emergency Malware Cleanup service.

If you are not covered under our maintenance, you can work directly with MalCare or use our MalCare Affiliate Link to engage us in the fight. In short, if you use our link, we’ll help by acting as a liaison between you and MalCare.

Let's empower others. Share the knowledge.

Share on twitter
Share on facebook
Share on linkedin
Scroll to Top