A hacked WordPress site rarely announces itself politely. More often you find out because Chrome flashes a red warning screen, your host emails you about “malicious activity,” or a client calls asking why the site redirects to a pharmacy ad in Russian. Whatever the trigger, the next hour matters more than the next week — how you respond determines whether this is a bad afternoon or a months-long fight to get your domain trusted again.
In my experience, most site owners waste that first hour panicking or, worse, deleting things at random hoping the problem goes away. It rarely does — malware on WordPress tends to hide copies of itself in multiple places, so a half-finished cleanup often leaves a backdoor intact. This guide walks through recovering a breached WordPress website in the right order: contain it, understand it, clean it, and lock the door behind you.
Quick Answer
Take the site offline or into maintenance mode immediately, then restore from a clean backup taken before the compromise. If no clean backup exists, scan every file and database table for injected code, remove it completely, change every password and secret key, patch whatever vulnerability let the attacker in, and request a review from Google once the site is clean. Skipping any one of these steps is how sites get reinfected within days.
Why This Matters
A compromised site is not just an inconvenience. Search engines actively de-index or flag sites serving malware, which can wipe out months of SEO work in a single crawl. Hosting providers will suspend an infected account without much warning if it starts sending spam or attacking other sites on the same server. And if the site handles customer data or payments, a breach can carry legal and reputational consequences well beyond the technical cleanup.
The good news is that WordPress breaches follow recognisable patterns. Attackers almost always get in through an outdated plugin, a weak password, or a vulnerable theme — not some mysterious zero-day. That means recovery is methodical work, not guesswork, once you know where to look.
Step-by-Step Instructions
1. Isolate the Site Immediately
Put the site into maintenance mode or take it offline at the host level before you do anything else. This stops the malware from spreading further, stops visitors from being served malicious redirects, and buys you room to investigate without the attacker’s script actively running. Most hosts offer a one-click “suspend” or “maintenance mode” option in the control panel — use it rather than trying to edit a live, compromised site.
Change your hosting account password and your WordPress admin password from a separate, clean device at this stage too. If the breach happened through a stolen credential rather than a plugin exploit, leaving the old password in place lets the attacker straight back in while you work.
2. Assess the Scope of the Breach
Before cleaning anything, work out what actually changed. Check Users in wp-admin for any admin account you didn’t create. Look at file modification dates via FTP or your host’s file manager — a batch of files all modified at 3am on the same night is a strong signal of when the attack happened. Many hosts also keep a malware or file-change log under their security tools; check there before assuming you’re working blind.
This step matters because it tells you how far back a clean backup needs to go. Restoring a backup from the night before an attack that’s been dormant for three weeks just restores the malware along with everything else.
3. Restore From a Clean Backup, or Clean It Manually
If you have a verified backup from before the compromise, restoring it is almost always faster and more reliable than manual cleanup — a full restore replaces every infected file in one pass rather than hunting for each one individually.
Without a clean backup, you’re into manual removal: scan core files against a fresh WordPress download to spot anything altered, check every plugin and theme file for injected code, and search the database for suspicious entries in wp_options and wp_posts. I’ve written a full walkthrough of this process in how to scan and clean a hacked WordPress website — it covers the specific files and database tables attackers target most often.
4. Rotate Every Password and Secret Key
Once the site is clean, change the WordPress admin password, database password, FTP/SFTP password, and hosting control panel password — all of them, not just the one you suspect was compromised. Also regenerate the Security Keys and Salts in wp-config.php, which invalidates every existing login cookie and session, logging out anyone still holding a stolen session token.
5. Patch the Vulnerability That Let Them In
Cleaning the malware without fixing the entry point just invites a repeat visit. Update WordPress core, every plugin, and the theme to their latest versions, and remove anything inactive or abandoned — an unused plugin is still a security liability even when deactivated. If XML-RPC isn’t something the site actively needs, disabling XML-RPC closes off one of the more common brute-force entry points. The WordPress.org project maintains a detailed hardening WordPress guide worth working through once the immediate fire is out.
6. Request a Review and Confirm the Blacklist Is Cleared
If Google flagged the site as dangerous, use Search Console’s Security Issues report to request a review once you’re confident the site is clean — reviews typically take a few days. Check the site against Google Safe Browsing and any host-level blacklist directly too, since different systems clear at different times and a clean Search Console report doesn’t guarantee every browser warning has lifted yet.
Practical Tips
- Keep a dated copy of the infected files before you delete anything — if the breach turns out to be serious, having evidence helps if you need to involve your host or, in rare cases, law enforcement.
- Set up file-change monitoring after recovery so the next intrusion attempt gets caught in hours, not weeks.
- Rebuild trust gradually — expect a temporary dip in search visibility even after a clean review, and don’t panic if rankings take a couple of weeks to fully recover.
Common Mistakes
- Only removing the malware you can see, without checking for the secondary backdoor attackers often plant as insurance.
- Restoring a backup without checking how old the compromise actually is, which just reinstalls the malware from a slightly earlier date.
- Skipping the credential rotation step because “the malware is gone now” — a stolen password doesn’t expire on its own.
- Bringing the site back online before confirming every plugin and theme is fully updated.
When to Use This vs Alternatives
A manual recovery like the one above works well if you’re comfortable in a file manager and phpMyAdmin, and the breach is limited to a handful of files. For a heavily compromised site, a multi-site network, or a case where you simply can’t spare the hours to hunt through every file, a professional cleanup service (Sucuri and Wordfence both offer paid incident response) is often the faster and safer route — particularly for anyone still working through the step-by-step guide to building a WordPress website and not yet confident diagnosing server-level issues alone. The cost of a professional cleanup is usually far less than the cost of a botched DIY attempt that leaves a backdoor in place.
Conclusion
Recovering from a WordPress breach is a matter of sequence — isolate, assess, clean or restore, rotate credentials, patch the hole, then confirm you’re clear — not a single fix. Follow that order and a security incident becomes a solvable afternoon’s work rather than a recurring problem.

Etienne Basson works with website systems, SEO-driven site architecture, and technical implementation. He writes practical guides on building, structuring, and optimizing websites for long-term growth.