WordPress Site Hacked Can’t Login – What To Do Step By Step Guide

Your security scans have returned positive and it is confirmed that your website has infiltrated successfully. “Hacked” is never a word you want to hear when it comes to WordPress. What do you do? What do you do? Let’s go through the process of cleaning up a hacked WordPress site and the next steps to recover.

We all know WordPress is the most popular platform. The volume and number of online WordPress sites make it the web’s most hacked CMS. This is one of many reasons why learning to safeguard your website is so important.

But even if the fundamental security of your website is in place, people with malicious intentions can still find access points through numerous tricks and gaps in the code of your site.

Suppose we’re in a worst situation and someone has access to your WordPress website. What now?

1. Stay Calm

How do you clean a WordPress site that’s hacked?

Well, the first step is to breathe deeply. Hacking WordPress is not the end of the world and not everything is lost. You will not be stressed or angry, and it removes your concentration from your website recovery. Let us put our energy in the search for solutions.

2. Locate The Hack Go through this quick questions list.

Ask yourself: can you login to your WordPress Admin Panel (wp-admin)?

  • Does your website redirect you to another website?
  • Is there any illegal links on your WordPress site?
  • Has Google already identified your website as uncertain?

Caution Malware Record your answers to each question and make sure you have all noted for the next step.

3. Contact your hosting company

In these situations many good hosting companies are very helpful. Those with experienced personnel previously faced such a problem so they should be well-equipped to help. That is why contact your hosting provider before doing anything yourself and follow their advice.

If your website is hosted on a shared server, you can also see if the hacker can access your site via a different site on your server. In this scenario, your hosting provider can answer you how the hack started and spread. There’s also a good chance that they can tell you from where the backdoor to your site is.

4.Hire A Expert

If you have had a bad attack on your website or just need it cleaned up quickly, recruiting professional support could be the way to go. A vulnerable website gets worse with time, so that the faster you can solve your problems, the safer your website is.

This is probably the best solution for you if you don’t feel technology expert or just don’t want to mess up anything while you try to clean up your website. It is easy to make things worse rather than better in such situations, so if you do not make major changes to your site’s back end, it may be time to ask for assistance.

Malcare is an excellent option for this. They are a complete security solution for WordPress to protect your online identity. It has been developed from the ground up following the analysis of more than 240,000 websites in more than 2 years. MalCare ensures that your company is always safe and accessible to your visitors.

It comes with a powerful scanner that never slows down your site and goes beyond just matching signatures to find new and complex malware, which is not usually detected in other popular scanners.


MalCare scans come with an automatic malware removal feature with a one-click operating system, which permanently removes all traces of malware from the website. They also have a smart plugin-based firewall which protects your website against bad traffic using the collective intelligence of its site network.

Finally they have an intuitive site management module that allows you to manage themes, plug-ins, users and WordPress core for improved website security.

And then the great reviews left Malcare online! If your website has been hacked, it is definitely one of the best solutions.

5. Restore A Previous Version

If you have become used to supporting your site, this could be the right time for you. Before the hack you have to restore a version of your website.

Restore When you restore your old site backup, always remember that the whole site will return to that version. You will lose any content you publish, pictures you added to a gallery, or general changes to the site. However, it is most likely worth a clean website.

After restoring your website’s old version, remember that it is still vulnerable to attack! Time to add some serious security features to your website to prevent further malicious activity.

If your website is restored and you remove too many valuable changes, you can also clean your code manually.

6. Malware Scan and Removal

If any plugins or themes are not regularly updated, hackers may use outdated files to access your WordPress site. They can then create a backdoor to access your website more easily in the future.

Vulnerability A backdoor refers to the way to bypass normal authentication and get the ability to access the server remotely while it is not detected.

The first work for a smart hacker is to establish a backdoor so that the first entry point can be retrieved after you have found and removed it (usually an obsolete plugin or topic vulnerability). This is why it is so important to have your website have a WordPress security audit plugin installed so that you can track changes to your website in real time.

One of the best ways to prevent hackers using an outdated plugin or theme files to access your website is to keep it all up to date! Many plugin updates are especially available because an older version had a security flaw, which will help you avoid this entirely.

To help you identify any backdoors or malicious code without your permission installed in your website, always install and activate a security plugin from WordPress that scans your website regularly. Plugins such as iThemes Security can easily find and manually delete the backdoor location.

7. Check your permissions

You must check the permissions of all your WordPress users to check the user permissions. Double check that only you and your team members have access to administration accounts and that other users ‘ permissions are not affected.

If you find suspect new users, immediately delete them.

8. Change passwords and secret keys

Make sure you change all your WordPress passwords. This includes a password that can allow anyone accessing your WP dashboard, cPanel, MySQL database, FTP and other devices.

If you have a password generator available, make sure that it is used to ensure that your password is strong, unique and not easy to guess.

Then change your secret keys and salts to make sure your WordPress website is safe and secure.

After these steps, the hack was cleaned and your WordPress site is safe. But they’re not going to try it again, that doesn’t mean. WordPress security must be an ongoing effort because the malicious will never stop trying to access your website.

Besides keeping your own WordPress site, it’s time to take your own security in your own hands and learn how to keep your site safe.

Was this article helpful?

Leave a Reply

Your email address will not be published. Required fields are marked *