How to fix a hacked WordPress site?

Nothing is worse than a client’s panicked call telling you that their WordPress website was hacked.

They run a healthy business and now their customers see Viagra or Cialis links on each page. Every second you slip by is in danger of losing your customers— you need to get them back up and running fast.

WordPress can supply more than 25% of websites on the Internet, which unfortunately makes it a primary objective for hackers. Automatic, the WordPress company, does a lot with security updates to keep up with these threats.

The downside is that many of these updates are up-to-date with plugin makers (and you). However, despite your best efforts, a hacker can still compromise your site. Here are the steps you need to take to fix your WordPress instance and get things going.

Step 1: How did my website hack?

If you are a casual web developer, this task may at first appear beyond you. But taking a moment to evaluate the situation might save you a lot of time in the long term. To begin with, write down what is affected.

  1. Are weird advertisers adding links to your pages?
  2. Is the hack consistent on each page or appears randomly across the site?
  3. When was your site last time to look as it should?
  4. Can you login to your dashboard for WordPress admin?
  5. Google displays a safety alert when you attempt to view the website?
  6. Do you have updates that you haven’t installed pending with WordPress?
  7. What are the active plugins and do any of them have updates available?
  8. Are there any javascript calls you did not add when you look at the source of your pages?
  9. Now that you know where the problem is, you have the information to start solving the problem.

Step 2: Contact your hosting provider

Armed with information, so you can now contact your hosting provider for assistance. Trusted hosts (we use Digital Ocean) will be happy to take stock of your problems and help you figure out how a hacker affected your site. If you are on a shared hosting server, an attacker has accessed your website via a different website. To notify them as soon as possible can help them to tackle the problem promptly.

Their technical support may not be of much help in these situations. If you see that with your host, it’s now the perfect time to switch to a more reputable provider. You will jump over a bunch of hoops anyway, so you won’t add a hosting change to your mix too much. It will also give you some confidence that in future, you will not need to repeat all the corrections that you are about to make.

Step 3: Backup your database

Now you might think, “Why would I like to backup my WordPress site in a hacked version?”. You can edit your database to clean out the hacked content if you’re lucky. If you’re unlucky, you may have a clean backup or a fresh WordPress installation.

In either case, your hacked website may need to be referenced to find out what content you need to carry. Better to have a hacked version of this information handy than to have it all reconstructed from memory.

Step 4: Restore backup (save it if you don’t have one).

If you regularly backup your WordPress site, you’re ahead of the curve already! You only have to restore your website from the previous clean version and you’re ready to rock.

Sure, this may mean that you have to re-do some things that have changed since your last backup–but that’s much easier than rebuilding them all. Even if you can restore a clean backup, it is a good idea to go ahead at least in step 7 of this article. This will ensure that you have locked things as far as possible.

Often you don’t have a backup if you found this article and you try not to start from scratch. If that is the case, continue to read.

Step 5: Reset your passwords

Regardless of whether or not your hosting provider is worth it, you should assume that no passwords are safe. You can be re-hackedbefore you finish editing your passwords before you start editing your website.

Begin by resetting the password of your hosting control panel. Then reset your MySQL root password (if there is one) with all your user passwords in your database.

You will also want to reset any FTP passwords if those are also compromised. Some people change their database names to be completely secure, but you should update their passwords.

Make sure you use a strong password with all these changes. And don’t use the same password for any of them for the sake of heaven. There are plenty of online random password generators that you can use.

Strong passwords are difficult to remember, so find a safe place for records to store them. I use 1Password, which saves not only my login credits securely, but also includes a random password generator.

Step 6: Edit your wp-config.php file

You must tell WordPress how to get back to the database since you have modified passwords. You do this by updating the new information you created in step 5 of your wp-config.php file.

The following settings: /** MySQL Settings–This information is available on your web host ** / /** Name of the WordPress*/Define(“DDB NAME,”‘ YOUR DATABASE NAME’); / ** MYSQL Database Username* /Define(‘DB USER’,’ YOUR DATABASE USERNAME’); /** MySQL Database Password*/define(‘DB PASSWORD’,’ YOUR DATABASE PASSWORD’ These keys help WordPress to secure your password and information stored in cookies.
define(‘AUTH KEY’,”PASSPHRASE’); define(‘SECURE AUTH KEY’,’ PASSPHRACE’); define(‘LOGGED IN KEY ‘); define(‘NONCE KEY.’), define(‘LOGGED IN SALT’,” PASSPHRASE,’ definine(‘SECURE AUTH SALT’); define(‘SECURE AUTH SALT’,’PASSPHRASE’); define(‘LOGGGED IN SALT’, Just click on that link and copy and paste each key into your wp-config.php file.

Step 7: Clean up users and permissions

It is time to reset and clean up again, as you can access WordPress again. Click Users in the left sidebar of your WordPress dashboard to view all your WordPress users. Many times once hackers have access, they will create a new admin user to take control of your WordPress site. See if any user seems out of place and if you find one, delete them immediately.

WordPress Site Hacked–WordPress

User Permissions This is also a great time to validate all user permissions to ensure no one has access to something they shouldn’t. You can do this by editing a user and ensuring that they have the right role.

After that, go through every user and reset their password. This could be annoying if you have a lot of users but better than sorry to be safe.

Step 8: Take another backup of your database, so you’ll want to back up your database before moving on. It may seem like an additional step, but trust me.

Step 9: Fix your site Now that you have updated all the passwords, it’s time to roll up your sleeves and tackle the hack itself. A million things a hacker might have touched there. It is impossible to deal with them all, but we’re going to cover the bigger ones.


Many people have multiple WordPress themes, but only one. Hackers can use these outdated topics to gain access to your site, so that anything you don’t actively use can be deleted. You may also want to save your WordPress theme in Github for easy access in the event of a hack and data loss.


Plugins are one of WordPress ‘ great things. But it is also one of the easiest ways for hackers to access your site. If you’re like me, perhaps you’ve got plug-ins that you’ve tested and forgotten. Take the time to delete anything that is not essential to your website.

Then look at your plugins and make sure all of them are up-to-date. It might be time to delete it if you find that you are using a plugin which has not been updated in a long time. Use this time to find another plugin that regularly maintains and does the same thing.


Now is the time to get rid of javascript calls in your topic that you didn’t put in (see Step 1). Check your files header.php and footer.php. Work through your remaining template files to delete the rogue javascript reference.


Sometimes a hacker will add the same contents on the web. Whether a specific text link or javascript reference, find and replace all of the junk data in your.sql file. You can save your.sql file and re-import it into your database after you have removed all the junk data.

Sometimes you can not find and replace a string of common text. Unfortunately, in those cases, each page in WordPress may have to be manually edited. Find, delete the offending text and then update the page or post. This is the worst case scenario, but as it takes time, it is sometimes the only way to be certain that you have removed everything.

If you discover that your site is being redirected, your.htaccess file is likely to be compromised. To resolve this, the file should be deleted and regenerated.

If not, log in and save changes to WordPress and go to Tools > Settings > Permalinks. This regenerates the file and returns everything to normal.

Step 10: Make sure WordPress is up-to-date

Now that you are cleaning up your website, make sure that everything is backed up and triple check that you use the latest WordPress release.

Configuring automatic updates may keep you updated, but for people with custom sites, this is not always an option. If automatic updates can not be configured, try setting up a timetable to check for WordPress and plugin updates regularly. This helps to keep your website up-to-date and reduce the chances of an attack.

Step 11: Install a WordPress security plugin

You might have thought you cleaned all of it back in Step 8, but you still missed a few things. To ensure that you cover all of your foundations, and that you go forward, I recommend that you install a security plugin for WordPress.

There are many providers, but WordFence and Sucri are the most popular. Services such as this can analyze your website, identify vulnerabilities and help you to automatically clean infected areas.

Once it is all in place, make sure that your site’s automatic backup is set up via a plug-in or a hosting provider. It will be easy for you to return to a recent backup and get up and running in no time if you’ve ever hacked back.

Congratulations, you have done it!

Although it is never fun to hack your website, you can take comfort in the fact that it happens eventually to everyone. Just look at it as a chance to do some housekeeping you put away. Who knows, you can sell your customer for upgrades to make your WordPress site safer in the future. Best of luck! Best of luck!

Was this article helpful?

Leave a Reply

Your email address will not be published. Required fields are marked *