How to Clean Up a Hacked WordPress Website

Guide Overview:

At this point, we assume that there are known threats that need remediation, so we’ll get right to it. If you don’t have a vendor like WP Turned UP providing website maintenance and support, contact your website hosting provider to see what, if anything, they are willing or able to do for you.

Note: If you do contact your website host, pay close attention to what they are recommending. Ideally, the support staff should work with you, communicating what they are doing each step of the way.

If you decide to go at the cleanup on your own, perform each of the steps below until all threats are remediated.

Immediate Threat Remediation
Close the Door
Install Core WordPress Files Using FTP

Immediate Threat Remediation

  1. Change the passwords for any and all accounts that have admin access for your WordPress install.
  2. Establish a threat baseline by using FREE online scanners like Sucuri SiteCheck, Web Inspector, and VirusTotal. (Note: We recommend that you run tests from all of the listed scanners, as some have different strengths.)
  3. Create a brand new backup of your website to salvage what you have left at the latest point in time, being sure to label the backup as “compromised”. (Note: If you have a backup from your web hosting provider or a 3rd party service like ManageWP, that may suffice in terms of freshness of the backup.)
  4. Restore your website from a backup. (Note: While this is the simplest solution, it’s also not a likely solution unless your website is primarily a static website where the data and content rarely change.)
  5. If threats are found in any of the files on your site, a simple fix is to delete and replace them with clean versions by going to your WordPress Dashboard > Updates > Re-install Now. (Note: If your WordPress Dashboard is not available, you can install core WordPress files via FTP.)

Close the Door

All of these steps should be considered mandatory as part of good security practices, but especially after threats have been discovered.

  1. Since threats can originate from your workstation, ensure that your workstation is clean before continuing the following remediations from that same workstation. (Note: If you’re on a Windows-based workstation, update the virus definitions by going to Settings > Updates and Security > Windows Update > Check for Updates and then run an offline virus scan by going to Settings > Windows Security > Virus & Threat Protection > Run a new advanced scan > Windows Defender Offline Scan.)
  2. Change the passwords for the Web Hosting backend, FTP accounts, and MySQL/MariaDB Database.
  3. Review all WordPress user accounts to see if anything looks suspicious, like unknown administrative level accounts.
  4. Visit the Keys & Salts Generator, edit your wp-config.php file via FTP or using your cPanel, replace your current Keys & Salts with the ones from the generator, and then save your wp-config.php file.
  5. Take a hard look at your website’s security measures to figure out what went wrong and how to prevent things from going wrong in the future.

Install Core WordPress Files Using FTP

  1. Download the latest version of WordPress.
  2. Extract the full contents of the downloaded .zip file to your workstation.
  3. Delete the wp-content folder.
  4. Connect to your website via FTP and browse to the folder that corresponds to your website install. (Note: Typically, this is the folder named public_html.)
  5. Upload the remaining files to the folder. (Note: Your FTP program should prompt you with a “Target file already exists” message. Select Overwrite, Always use this action, and Apply to current queue only.)

Since the wp-content folder was deleted prior to uploading, this will overwrite all of the core WordPress files without affecting any of your themes or plugins. Once the upload finishes, you should have a freshly installed copy of the WordPress core files and things are hopefully running smoothly.
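
An overwrite replaces the files that ship with WordPress but leaves in place any extra file sitting alongside them. As an added example (not part of the original guide), the Python script below compares a downloaded copy of the site against the clean extracted release of the same version and lists modified, unexpected, and missing core files; the function names and the sample trees are constructed for illustration.

```python
import hashlib
import tempfile
from pathlib import Path

# Top-level entries the FTP overwrite leaves alone: wp-content is deleted from the
# clean copy before upload, and wp-config.php is not shipped in the release archive.
SKIP_TOP = {"wp-content", "wp-config.php"}

def core_files(root):
    """Map relative path -> SHA-256 for every core file under root."""
    root = Path(root)
    found = {}
    for path in sorted(root.rglob("*")):
        rel = path.relative_to(root)
        if path.is_file() and rel.parts[0] not in SKIP_TOP:
            found[rel.as_posix()] = hashlib.sha256(path.read_bytes()).hexdigest()
    return found

def compare_core(clean_root, site_root):
    """Return (modified, unexpected, missing) lists of relative paths."""
    clean, site = core_files(clean_root), core_files(site_root)
    modified = sorted(p for p in clean.keys() & site.keys() if clean[p] != site[p])
    unexpected = sorted(site.keys() - clean.keys())  # on the site, not in the release
    missing = sorted(clean.keys() - site.keys())     # in the release, not on the site
    return modified, unexpected, missing

def build_demo(base):
    """Write constructed sample trees (not real WordPress files) under base."""
    trees = {
        "clean": {"index.php": "<?php // core", "wp-includes/load.php": "<?php // load",
                  "wp-admin/index.php": "<?php // admin"},
        "site": {"index.php": "<?php // core", "wp-includes/load.php": "<?php // changed",
                 "wp-includes/cache-x.php": "<?php // not in release",
                 "wp-config.php": "<?php // settings", "wp-content/themes/t/a.css": "a"},
    }
    for tree, files in trees.items():
        for rel, body in files.items():
            path = Path(base, tree, rel)
            path.parent.mkdir(parents=True, exist_ok=True)
            path.write_text(body)
    return Path(base, "clean"), Path(base, "site")

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        modified, unexpected, missing = compare_core(*build_demo(tmp))
        print("modified:  ", modified)
        print("unexpected:", unexpected)
        print("missing:   ", missing)
```

To use it on a real site, pass the extracted release folder and a local download of the site folder to compare_core; anything under "unexpected" deserves a manual look before it is deleted.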
