WordPress Hacked: Complete Cleanup Guide in 10 Steps
SEO


Bastien Allain, March 11, 2026, 11 min read
Tags: wordpress, malware, cleanup, hacking, security, wp-cli

Has your WordPress site been hacked? Do not panic. This guide details the 10 steps to clean the site, remove the malware, and recover your search rankings. Whether you do it yourself or hire a professional, the process covers the entire cleanup, from detection to final hardening.

How to clean a hacked WordPress site (summary in 8 steps)

  1. Confirm the infection: check for redirects, spam content, and Google warnings to verify the hack.
  2. Isolate the site: put the site in maintenance mode to stop the malware from reaching visitors.
  3. Back up the infected site: create a full backup of files and database before making changes.
  4. Scan and remove malware: use WP-CLI and security scanners to find and delete malicious code.
  5. Reinstall core and plugins: replace WordPress core files, themes, and plugins with fresh copies.
  6. Clean the database: remove rogue admin accounts, spam content, and injected scripts.
  7. Harden security settings: update all passwords, add 2FA, and configure a firewall.
  8. Request a Google review: submit a review request through Google Search Console.

Step 1: Confirm the Infection and Diagnose

Before any intervention, confirm that your site is compromised and identify the nature of the attack.

Telltale Signs

The most common symptoms of a hacked WordPress site include:

  • Redirects to third-party sites (pharmacy, phishing, adult content)
  • Injected spam content: Japanese pages, pharmaceutical links, unsolicited ads
  • Admin access blocked: password changed, account deleted
  • Google alerts: "This site may be hacked" in search results
  • Extreme slowdown with no apparent reason

For a detailed diagnosis of each symptom, check our guide to 18 signs of a hacked WordPress.

Identify the Attack Vector

Understanding how the attacker got in is what prevents reinfection:

  • Outdated plugins or themes: 97% of WordPress vulnerabilities come from unpatched plugins and themes (WPScan)
  • Weak passwords: brute-force attacks on /wp-login.php or xmlrpc.php
  • Compromised FTP/cPanel access: credentials stolen through phishing or malware on an administrator's computer
  • Shared hosting: cross-contamination between sites on the same server

Step 2: Isolate the Site Immediately

Put your site in maintenance mode to prevent malware from spreading to visitors and stop Google from indexing infected pages.

Via the WordPress Dashboard

If you still have admin access, install an extension like Coming Soon Page & Maintenance to display a temporary page. With SSH access, wp maintenance-mode activate does the same without installing anything on a site you do not yet trust.

Via .htaccess (If Admin Access Is Blocked)

If the admin panel is inaccessible, add these lines at the top of your .htaccess file via FTP (Apache only: Nginx does not read .htaccess, so ask your host for the equivalent server-block rule):

Order Deny,Allow
Deny from all
Allow from YOUR_IP

Replace YOUR_IP with your public IP address (findable at whatismyip.com). Only you will be able to access the site during cleanup. The syntax above is Apache 2.2; it still works on Apache 2.4 where mod_access_compat is loaded, which is the case on most shared hosts. On a plain Apache 2.4 server use the single line Require ip YOUR_IP instead of the three above.

Notify Your Host

Contact your hosting provider to inform them of the infection. Hosts can typically:

  • Provide access and error logs from the server
  • Restore a backup prior to the infection
  • Scan the server with tools like Imunify360 or ClamAV

Step 3: Back Up Before Cleaning

Create a complete backup of the infected site before changing anything. Compromised as it is, this copy is your evidence: it preserves the malicious files, their timestamps and the database state for the forensic analysis that tells you how the attacker got in.

Manual Backup via phpMyAdmin

  1. Log into phpMyAdmin from cPanel
  2. Select your WordPress database
  3. Click Export > SQL format > Go
  4. Also download all files via FTP (compress /wp-content/ as priority)

Backup via WP-CLI

If you have SSH access, use WP-CLI for a quick backup (run from the WordPress root):

wp db export ../backup-infected-$(date +%Y%m%d).sql
tar -czf ../wp-content-backup-$(date +%Y%m%d).tar.gz wp-content/ wp-config.php .htaccess

Important: store this backup outside the web root (the ../ above assumes the WordPress root sits directly under a private directory, as public_html does under a home directory), never in the site's public folder, where anyone, the attacker included, could download it. Include wp-config.php and .htaccess: injected rewrite rules and modified constants are evidence too.
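The two commands above are the minimum. The script below is an added example (it is not part of this guide's tooling) that does what a forensic analyst will later ask for: it records every file's change time, size and owner before cleanup alters them, archives the tree with permissions intact, exports the database when WP-CLI is available, and writes a SHA-256 manifest so the copy can be shown to be unmodified. It assumes a Linux host with GNU find, tar and sha256sum, optionally WP-CLI on PATH, and a destination directory outside the web root; the function names are mine.

```bash
#!/usr/bin/env bash
# Evidence-preserving backup of a (possibly compromised) WordPress tree.
# Added example, not code from the guide. Assumes GNU find/tar/sha256sum
# (Linux) and, optionally, WP-CLI on PATH. Run as: archive_site <wp_root> <out_dir>
# where <out_dir> is OUTSIDE the web root.

# Refuse to write evidence inside the site itself: it would be served to the
# world and is the first thing an attacker's cleanup routine wipes.
outside_webroot() {   # outside_webroot <site_dir> <out_dir> -> 0 unless out is under site
    local site out
    site=$(cd "$1" && pwd -P) || return 1
    out=$(cd "$2" && pwd -P) || return 1
    case "$out/" in "$site/"*) return 1 ;; esac
    return 0
}

# Inventory every file (mtime, size, owner, path) BEFORE anything is touched:
# reinstalling core and plugins destroys the timestamps that let you say
# "these 14 files appeared on March 9 at 02:15".
inventory_tree() {    # inventory_tree <site_dir> <out_file>
    find "$1" -type f -printf '%T+\t%s\t%u\t%p\n' | sort > "$2"
}

# Archive the tree (tar keeps owners, modes and mtimes), export the database
# when WP-CLI is available, and write a SHA-256 manifest over the set.
archive_site() {      # archive_site <site_dir> <out_dir> -> prints the archive path
    local site="$1" out="$2" stamp files
    mkdir -p "$out"
    outside_webroot "$site" "$out" || { echo "refusing: $out is inside $site" >&2; return 1; }
    stamp=$(date +%Y%m%d-%H%M%S)
    files="site-infected-$stamp.tar.gz file-inventory-$stamp.tsv"
    tar -czf "$out/site-infected-$stamp.tar.gz" -C "$(dirname "$site")" "$(basename "$site")"
    inventory_tree "$site" "$out/file-inventory-$stamp.tsv"
    if command -v wp >/dev/null 2>&1; then
        if wp --path="$site" db export "$out/db-infected-$stamp.sql" >/dev/null 2>&1; then
            files="$files db-infected-$stamp.sql"
        else
            echo "warning: wp db export failed, export the database by hand" >&2
        fi
    fi
    # The manifest lives beside the files; hand both to whoever does the analysis.
    ( cd "$out" && sha256sum $files > "SHA256SUMS-$stamp" )
    printf '%s\n' "$out/site-infected-$stamp.tar.gz"
}

# Later, before relying on the copy: exit 0 only if nothing in the set changed.
verify_backup() {     # verify_backup <out_dir> <stamp>
    ( cd "$1" && sha256sum --quiet -c "SHA256SUMS-$2" )
}
```

Typical use is archive_site /home/user/public_html /home/user/evidence; keep the printed path and the SHA256SUMS file together, and run verify_backup before handing the set to your host or an analyst.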

Step 4: Scan for Infected Files

Scan with WP-CLI

The wp core verify-checksums command compares your WordPress core files with the checksums wordpress.org publishes for that release:

wp core verify-checksums

Each warning names a file: either a core file whose content differs from the original, or a file that is not part of the release at all (reported as a file that should not exist), which is how backdoors dropped into wp-admin/ or wp-includes/ show up. Core files should never be modified by hand, so every warning needs an explanation. The check covers core only; the companion command wp plugin verify-checksums --all does the same for plugins installed from the official repository, while themes and premium plugins must be compared against a fresh copy by hand.

Scan with a Security Plugin

Install Wordfence or Sucuri Security and run a full scan:

  • Wordfence: Wordfence > Scan > Start New Scan (detects modified files, backdoors, known malware)
  • Sucuri Security: Sucuri > Dashboard > Scan (server scan + blacklist verification)

Manual File Scan

Search for dangerous PHP functions in your files (the word boundary and the opening parenthesis keep words like "retrieval" or "assertEquals(" out of the results):

grep -rnE --include="*.php" "\b(eval|assert|create_function|base64_decode|gzinflate|gzuncompress|str_rot13)[[:space:]]*\(" wp-content/

Matches are candidates, not proof: several legitimate plugins call base64_decode, so compare each hit against a clean copy of the same plugin version. Any PHP file in /wp-content/uploads/ is suspicious by default: that directory should contain media only.
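The following script is an added example (not the guide's own tooling) that turns the three checks above into one triage pass: PHP under uploads/, including double-extension names, the dangerous-function grep with a second pattern for long base64 blobs that name no function at all, and PHP files whose inode change time is recent, which unlike the modification time cannot be back-dated with touch. It assumes GNU find and grep; the reason labels, the seven-day window and the 120-character blob threshold are my choices.

```bash
#!/usr/bin/env bash
# Triage scan of a WordPress tree for the indicators described above. Added
# example, not code from the guide; thresholds and patterns are my choices.
# Each finding is printed as "<reason>\t<path>". Run: scan_wp_tree <wp_root> [days]

# 1. PHP anywhere under uploads/ is a finding on its own (the directory holds
#    media only), including alternate extensions Apache may execute and the
#    double-extension trick (shell.php.jpg).
php_in_uploads() {        # php_in_uploads <site_dir>
    [ -d "$1/wp-content/uploads" ] || return 0
    find "$1/wp-content/uploads" -type f \
        \( -iname '*.php' -o -iname '*.phtml' -o -iname '*.php[0-9]' -o -iname '*.php.*' \) \
        -printf 'php-in-uploads\t%p\n'
}

# 2. Dangerous calls and obfuscation idioms. Unlike a bare `grep eval`, the
#    pattern requires a word boundary and an opening parenthesis, so "retrieval"
#    and "assertEquals(" no longer match; the second pattern catches long base64
#    blobs (packed payloads) that name no function at all.
suspicious_php_calls() {  # suspicious_php_calls <dir>
    grep -rlE --include='*.php' \
        -e '\b(eval|assert|create_function|base64_decode|gzinflate|gzuncompress|str_rot13)[[:space:]]*\(' \
        -e '[A-Za-z0-9+/]{120,}={0,2}' \
        "$1" 2>/dev/null \
    | while IFS= read -r f; do printf 'suspicious-call\t%s\n' "$f"; done
}

# 3. PHP files whose inode change time (ctime) is recent. ctime, unlike mtime,
#    cannot be set with touch, so a shell dropped last week stands out even when
#    the attacker copied the timestamps of neighbouring files.
recently_modified_php() { # recently_modified_php <dir> <days>
    find "$1" -type f -name '*.php' -ctime "-$2" -printf 'recent-change\t%p\n'
}

scan_wp_tree() {          # scan_wp_tree <site_dir> [days, default 7]
    local site="$1" days="${2:-7}"
    {
        php_in_uploads "$site"
        suspicious_php_calls "$site/wp-content"
        recently_modified_php "$site" "$days"
    } | sort -u
}
```

Run scan_wp_tree /home/user/public_html 14 and work through the list from the top: a file that appears under two reasons (recent change and a suspicious call) is almost always the dropper, and its ctime gives you the timestamp to look for in the access logs.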

Step 5: Reinstall WordPress Core Files

Replace the core files with a fresh copy from wordpress.org. This removes malicious code injected into wp-admin/, wp-includes/ and the PHP files in the site root; it does nothing for wp-content/, which the next step covers.

wp core download --force --skip-content

This command downloads the current release and overwrites every core file without touching the wp-content/ folder. It overwrites but does not delete: a backdoor dropped into wp-includes/ under a name that is not part of WordPress survives it. Delete the wp-admin/ and wp-includes/ folders first, exactly as in the manual method below, then run wp core verify-checksums again and expect no warnings. Add --version=X.Y.Z if the site must stay on a specific release.

Via FTP (Manual Method)

  1. Download the latest WordPress version from wordpress.org
  2. Delete the wp-admin/ and wp-includes/ folders from your server
  3. Upload the wp-admin/ and wp-includes/ folders from the fresh copy
  4. Replace all root PHP files except wp-config.php

Never delete the wp-content/ folder which contains your themes, plugins, and media.

Step 6: Clean Themes and Plugins

Remove and Reinstall Plugins

For each plugin:

  1. Deactivate the plugin
  2. Delete the plugin folder entirely from /wp-content/plugins/
  3. Reinstall the latest version from the official WordPress repository

Via WP-CLI, the same operation is three commands (deactivate everything, delete the suspect plugin, reinstall the same slug from the repository):

wp plugin deactivate --all
wp plugin delete suspect-plugin
wp plugin install suspect-plugin --activate

Clean the Active Theme

  1. Check your theme's functions.php file: look for base64-encoded strings or eval() calls the theme has no reason to make, and compare the file with a clean copy of the same version
  2. If the theme is from the official repository, delete and reinstall it
  3. If it is a premium theme, download a fresh copy from the vendor's site (never from a "nulled" download site; those copies are a common source of infection)

Give the inactive themes the same treatment, or delete them: an inactive theme's PHP files are still reachable by URL.

Remove Unused Extensions

Every installed plugin, even a deactivated one, is a potential attack vector: its PHP files stay on disk and remain reachable by direct URL. Delete everything not actively used:

wp plugin delete $(wp plugin list --status=inactive --field=name)
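As an added example that chains Steps 5 and 6 (this is not code from the guide), the script below rebuilds core and plugins with WP-CLI while handling the two things that go wrong in practice: wp core download --force leaving attacker-added files in place, and wp plugin install failing for premium plugins that are not in the wordpress.org repository. It assumes WP-CLI on PATH, shell access to the WordPress root, the Step 3 backup already taken, and the site in maintenance mode; function names are mine.

```bash
#!/usr/bin/env bash
# Rebuild core and repository plugins from clean copies with WP-CLI (Steps 5 and 6).
# Added example, not code from the guide. Assumes WP-CLI on PATH, shell access to
# the WordPress root, and that the backup from Step 3 already exists.

# Core. `wp core download --force` overwrites the files it ships but never deletes
# extra files an attacker added to wp-admin/ or wp-includes/, so both directories
# are removed first. wp-content/ is left alone (--skip-content) and the checksum
# verification afterwards must come back without warnings.
reinstall_core() {     # reinstall_core <site_dir>
    rm -rf "$1/wp-admin" "$1/wp-includes"
    wp --path="$1" core download --force --skip-content
    wp --path="$1" core verify-checksums
}

# Plugins. Remember which were active, delete every plugin directory (inactive
# ones are attack surface with no benefit and are simply dropped), then reinstall
# the active set from wordpress.org. Premium plugins are not in the repository,
# so their install fails; those slugs are printed for manual reinstall from the
# vendor instead of being silently left behind. Must-use plugins and drop-ins
# (wp-content/mu-plugins, advanced-cache.php, db.php) are not covered: check them by hand.
reinstall_plugins() {  # reinstall_plugins <site_dir> -> prints slugs needing manual reinstall
    local site="$1" slug active manual=""
    active=$(wp --path="$site" plugin list --status=active --field=name)
    wp --path="$site" plugin deactivate --all >/dev/null
    for slug in $(wp --path="$site" plugin list --field=name); do
        wp --path="$site" plugin delete "$slug" >/dev/null 2>&1 \
            || echo "could not delete $slug (must-use or drop-in?): check it by hand" >&2
    done
    for slug in $active; do
        if ! wp --path="$site" plugin install "$slug" --activate >/dev/null 2>&1; then
            manual="$manual $slug"
        fi
    done
    for slug in $manual; do printf '%s\n' "$slug"; done
}

# Whole sequence; the site is assumed to be in maintenance mode (Step 2).
rebuild_site() {       # rebuild_site <site_dir>
    reinstall_core "$1"
    reinstall_plugins "$1"
}
```

Run rebuild_site /home/user/public_html and reinstall each slug it prints from the vendor's download, then repeat the theme cleanup above: the script deliberately does not touch wp-content/themes/.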

Step 7: Clean the Database

Attackers persist in the database as well as on disk: rogue users, scripts injected into options and posts, and cron entries that recreate deleted files. Clean it after the filesystem, otherwise a file-based backdoor simply writes the injections back. The queries below use the default wp_ prefix; substitute the value of $table_prefix from wp-config.php if yours differs.

Remove Suspicious Users

List the accounts created since you last reviewed the user list (adjust the date):

SELECT ID, user_login, user_email, user_registered FROM wp_users WHERE user_registered > '2026-01-01' ORDER BY user_registered DESC;

The registration date is not conclusive on its own: attackers also promote an existing account to administrator. Compare the full administrator list (wp user list --role=administrator) with the people you actually know. Any administrator account you did not create must be deleted, reassigning its content to a legitimate account:

wp user delete SUSPECT_ID --reassign=1

Clean the wp_options Table

Search for injections in WordPress options (transients and widget options are the usual hiding places). Some hits are legitimate, for instance an analytics snippet you pasted into a widget; the signal is content you did not put there:

SELECT option_name, LEFT(option_value, 200) FROM wp_options
WHERE option_value LIKE '%eval(%'
OR option_value LIKE '%base64_decode(%'
OR option_value LIKE '%<script%'
OR option_value LIKE '%<iframe%';

Also verify that siteurl and home point to your legitimate domain:

SELECT option_name, option_value FROM wp_options WHERE option_name IN ('siteurl', 'home');

Clean the wp_posts Table

Search for malicious content injected into your posts and pages. Review the hits instead of bulk-deleting: display:none and casino also occur in legitimate content. The same injections often sit in wp_postmeta (meta_value) and wp_comments (comment_content), so repeat the query against those tables:

SELECT ID, post_title, LEFT(post_content, 100) FROM wp_posts
WHERE post_content LIKE '%<iframe%'
OR post_content LIKE '%<script%'
OR post_content LIKE '%display:none%'
OR post_content LIKE '%viagra%'
OR post_content LIKE '%casino%';

Clean Suspicious Cron Tasks

Attackers schedule cron tasks that recreate backdoors after cleanup; the schedule lives in the cron option of wp_options, which is why it survives a file-level cleanup:

wp cron event list

Delete any hook that corresponds neither to an installed plugin or theme nor to WordPress core (wp_version_check, wp_update_plugins, wp_update_themes and wp_scheduled_delete are core hooks):

wp cron event delete suspicious_task_name

Step 8: Secure Critical Files

The wp-config.php File

  1. Regenerate the security keys (salts): copy a fresh set from https://api.wordpress.org/secret-key/1.1/salt/ into wp-config.php, or run wp config shuffle-salts. New salts invalidate every existing login cookie, including any the attacker holds.
  2. Change the database password in cPanel, then update DB_PASSWORD in wp-config.php
  3. Disable the file editor by adding: define('DISALLOW_FILE_EDIT', true);
  4. Set permissions: chmod 400 wp-config.php (owner read-only; this works only when PHP runs as the file's owner)

The .htaccess File

Replace the content with a clean .htaccess (Apache only: Nginx ignores .htaccess entirely, so the equivalent rules go in the server block via your host):

# BEGIN WordPress
<IfModule mod_rewrite.c>
RewriteEngine On
RewriteBase /
RewriteRule ^index\.php$ - [L]
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteRule . /index.php [L]
</IfModule>
# END WordPress

# Protect wp-config.php (Apache 2.4 syntax, with the 2.2 fallback)
<Files wp-config.php>
  <IfModule mod_authz_core.c>
    Require all denied
  </IfModule>
  <IfModule !mod_authz_core.c>
    Order Allow,Deny
    Deny from all
  </IfModule>
</Files>

# Disable directory listing
Options -Indexes

The <Directory> directive is not allowed inside .htaccess (Apache answers every request with a 500 error when it finds one), so the rule that blocks PHP execution in uploads goes into its own file, wp-content/uploads/.htaccess:

# Block PHP execution in uploads (wp-content/uploads/.htaccess)
<FilesMatch "\.(php|phtml|php[0-9]|phar)$">
  <IfModule mod_authz_core.c>
    Require all denied
  </IfModule>
  <IfModule !mod_authz_core.c>
    Order Allow,Deny
    Deny from all
  </IfModule>
</FilesMatch>

If the site returns a 500 error after the change, the host's AllowOverride setting does not permit one of these directives (Options -Indexes is the usual culprit); remove it and ask the host to apply it server-side.

File and Folder Permissions

Set correct permissions across the entire site (run from the WordPress root):

find . -type f -exec chmod 644 {} +
find . -type d -exec chmod 755 {} +
chmod 400 wp-config.php

The 400 on wp-config.php only works when PHP runs as the user who owns the file (PHP-FPM pools, suPHP, most managed hosts). If the web server runs as a different account, as in classic mod_php setups, the site will fail to load; use 440 with the web server's group, or 640, in that case. Permissions do not protect against a compromised PHP process: a web shell runs with exactly the rights WordPress has.

Step 9: Change All Passwords and Access

After file cleanup, renew every credential without exception; an attacker who still holds one of them walks straight back in:

  • WordPress administrators: a randomly generated password of 16+ characters for every account (from the shell: wp user update ID --user_pass="...")
  • MySQL database: change in cPanel > MySQL Databases, then update wp-config.php
  • FTP/SFTP: change in cPanel > FTP Accounts
  • cPanel: change the main hosting account password
  • WordPress security keys: regenerate via the WordPress API (see Step 8). This invalidates every existing login cookie, the attacker's included, so do it after the passwords are changed

Enable two-factor authentication (2FA) on all administrator accounts with Wordfence Login Security or Google Authenticator, and revoke any application passwords the accounts had created (Users > Profile > Application Passwords).

Step 10: SEO Recovery and Google Review Request

A hack directly impacts your search engine rankings. If Google has blacklisted your site, see our guide on removing your site from Google's blacklist. Here is how to recover your positioning.

Check Google Search Console

  1. Log into Google Search Console
  2. Go to Security & Manual Actions > Security Issues
  3. If an alert is present, follow the review instructions

Submit a Review Request

Once cleanup is complete:

  1. In Search Console, click "Request a Review" in the Security Issues section
  2. Describe the actions taken (files cleaned, database purged, hardening applied)
  3. Average response time is 2 to 4 weeks

Remove Spam URLs from the Index

If spam pages (Japanese keyword spam, pharmaceutical spam) have been indexed:

  1. Delete the offending pages from WordPress
  2. Use the Removals tool in Search Console to request temporary removal
  3. Submit an updated sitemap to force recrawl of legitimate pages

Monitor the Recovery

Return to initial rankings takes an average of 4 to 12 weeks after cleanup. Monitor:

  • Organic traffic in Google Analytics (compare with previous period)
  • Impressions and clicks in Search Console (Performance)
  • Any new security alerts

For complete WordPress security and to prevent recurrence, strengthen your site with a WAF, automatic backups, and continuous monitoring.

Post-Cleanup Checklist

Before putting your site back online, verify these points:

  • WordPress core files reinstalled from a fresh copy
  • All plugins and themes deleted and reinstalled
  • Database scanned and cleaned (users, options, posts)
  • wp-config.php and .htaccess files secured
  • All passwords changed (WP, MySQL, FTP, cPanel)
  • WordPress security keys regenerated
  • 2FA authentication enabled on all admin accounts
  • Security plugin installed and configured (Wordfence or Sucuri)
  • Automatic backup configured (daily, offsite)
  • Google Search Console checked and review request submitted
  • Sitemap updated and submitted

Frequently Asked Questions

How do you find the source of malicious content injected into the database?

Search for entries containing encoded code (eval(), base64_decode()) in the wp_options, wp_posts, and wp_postmeta tables using the SQL queries provided in Step 7. Cross-reference results with server access logs to identify the time and IP of the injection. The wp_options table is the most frequent target, particularly transient fields and widget options.

What WP-CLI commands should you use in an emergency to isolate a hacked site?

Three essential commands:

  • wp maintenance-mode activate: enables maintenance mode
  • wp plugin deactivate --all: deactivates all plugins to stop malicious code execution
  • wp user list --role=administrator --format=table: lists administrators to identify suspect accounts

Follow up with wp core verify-checksums to detect modified core files.

How long does it take to fully clean a hacked WordPress site?

Time depends on the severity of the infection:

  • Surface infection (redirect hack, defacement): 2 to 4 hours for an experienced technician
  • Deep infection (multiple backdoors, compromised DB, SEO spam): 8 to 24 hours
  • Old infection (malware present for months, repeated reinfections): 1 to 3 days

A professional WordPress cleanup service guarantees intervention within 48 hours and a 90-day warranty against reinfection.

How to analyze server logs to trace the source of the hack?

Apache and Nginx access logs hold every request the site received. Start with direct requests to PHP files under uploads/, which never happen in normal operation (the expression matches the quoted request line of the combined log format):

grep -E '"(GET|POST) /wp-content/uploads/[^ ]*\.php' /var/log/apache2/access.log | tail -100

Look for suspicious POST requests to files in /wp-content/uploads/ or /wp-includes/, then for the first requests from the same IP address before them: that is where the entry point is. Request timestamps indicate the moment of intrusion; cross-reference them with the change dates of the malicious files identified during the scan. On shared hosting the logs rotate quickly, so ask your host for the full archive as early as possible (Step 2).
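The answer above describes the analysis in prose; the script below is an added example (not code from this FAQ) that runs it over a constructed combined-format log: direct hits on PHP under uploads/ and POSTs into wp-includes/, addresses that hammered the login form or xmlrpc.php, and the full timeline of one address so that the first request shows the entry point. The log lines are made up for illustration and use documentation IP ranges; the thresholds and function names are mine.

```bash
#!/usr/bin/env bash
# Access-log triage for the intrusion indicators described in the answer above.
# Added example, not code from the guide. Expects Apache/Nginx "combined" log
# format on stdin. The sample log is constructed; its IPs, paths and times are made up.

# Constructed sample (documentation IP ranges only): a login brute force that
# succeeds, an upload, a first call to the dropped file, then probing from elsewhere.
sample_log() {
cat <<'EOF'
198.51.100.23 - - [10/Mar/2026:02:14:31 +0000] "GET /wp-login.php HTTP/1.1" 200 4210 "-" "Mozilla/5.0"
198.51.100.23 - - [10/Mar/2026:02:14:33 +0000] "POST /wp-login.php HTTP/1.1" 200 4210 "-" "Mozilla/5.0"
198.51.100.23 - - [10/Mar/2026:02:14:34 +0000] "POST /wp-login.php HTTP/1.1" 200 4210 "-" "Mozilla/5.0"
198.51.100.23 - - [10/Mar/2026:02:14:35 +0000] "POST /wp-login.php HTTP/1.1" 200 4210 "-" "Mozilla/5.0"
198.51.100.23 - - [10/Mar/2026:02:14:36 +0000] "POST /wp-login.php HTTP/1.1" 200 4210 "-" "Mozilla/5.0"
198.51.100.23 - - [10/Mar/2026:02:14:37 +0000] "POST /wp-login.php HTTP/1.1" 200 4210 "-" "Mozilla/5.0"
198.51.100.23 - - [10/Mar/2026:02:14:39 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
198.51.100.23 - - [10/Mar/2026:02:15:02 +0000] "POST /wp-admin/media-new.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
198.51.100.23 - - [10/Mar/2026:02:15:20 +0000] "POST /wp-content/uploads/2026/03/wp-cache.php HTTP/1.1" 200 88 "-" "Mozilla/5.0"
203.0.113.9 - - [10/Mar/2026:02:16:01 +0000] "GET /wp-content/uploads/2026/03/photo.jpg HTTP/1.1" 200 51200 "https://example.com/" "Mozilla/5.0"
203.0.113.9 - - [10/Mar/2026:02:16:02 +0000] "GET /wp-includes/js/jquery/jquery.min.js HTTP/1.1" 200 89501 "https://example.com/" "Mozilla/5.0"
192.0.2.77 - - [10/Mar/2026:03:40:10 +0000] "POST /xmlrpc.php HTTP/1.1" 200 370 "-" "python-requests/2.31"
192.0.2.77 - - [10/Mar/2026:03:40:11 +0000] "POST /xmlrpc.php HTTP/1.1" 200 370 "-" "python-requests/2.31"
192.0.2.77 - - [10/Mar/2026:03:41:00 +0000] "GET /wp-content/uploads/2026/03/settings.php.jpg HTTP/1.1" 200 88 "-" "python-requests/2.31"
EOF
}

# Field layout of a combined log line: $1 ip, $4 [time, $6 "method, $7 path, $9 status.

# Requests that never happen in normal operation: any hit on a PHP file under
# uploads/ (including shell.php.jpg style names) and POSTs into wp-includes/.
webshell_hits() {     # stdin: log -> "ip<TAB>time<TAB>method path"
    awk '$6 ~ /^"(GET|POST)$/ {
            m = substr($6, 2); p = $7
            if (p ~ /^\/wp-content\/uploads\/.*\.php/ || (m == "POST" && p ~ /^\/wp-includes\/.*\.php/))
                printf "%s\t%s\t%s %s\n", $1, substr($4, 2), m, p
         }'
}

# IPs that POSTed to the login form or xmlrpc.php more than <threshold> times.
bruteforce_ips() {    # bruteforce_ips <threshold>; stdin: log -> "count ip"
    awk -v t="$1" '$6 == "\"POST" && ($7 ~ /^\/wp-login\.php/ || $7 ~ /^\/xmlrpc\.php/) { n[$1]++ }
                   END { for (ip in n) if (n[ip] > t) printf "%d %s\n", n[ip], ip }' | sort -rn
}

# Everything one address did, in order. The first lines show the entry point and
# the status codes show when attempts turned into success (a 302 after POST
# /wp-login.php is a login that worked).
timeline_for_ip() {   # timeline_for_ip <ip>; stdin: log
    awk -v ip="$1" '$1 == ip { printf "%s %s %s %s\n", substr($4, 2), substr($6, 2), $7, $9 }'
}
```

On a real server, run webshell_hits < /var/log/apache2/access.log first, then bruteforce_ips 20 < /var/log/apache2/access.log, and feed every address that appears in either output to timeline_for_ip: the time of its first request is the time of intrusion you need for the forensic timeline.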

Conclusion

Cleaning a hacked WordPress site is a methodical 10-step process: from initial diagnosis to SEO recovery. The keys to success are thoroughness (skip no step), speed (every hour of inaction worsens the damage), and prevention (secure to avoid recurrence).

If the scope of the infection exceeds your technical skills, a professional WordPress malware removal service guarantees a clean site within 48 hours with a 90-day warranty.

Also discover the most common WordPress malware in 2026 to better understand the threats your site faces.
