Running a WordPress site is exciting — until you find out it’s been hacked. It can be a stressful situation, but the good news is you can recover a hacked WordPress site if you act quickly and follow the right steps.
In this guide, you’ll learn exactly how to fix a hacked WordPress site, remove malware, restore it safely, and secure it against future attacks — even if you have little technical experience.
Signs Your WordPress Site Has Been Hacked
Sometimes the hack is obvious; other times, it’s hidden. Here are some warning signs:
- Unfamiliar changes in your site’s content or design.
- Redirects that send visitors to strange websites.
- New admin accounts you didn’t create.
- Google Safe Browsing warnings about malicious content.
- Drop in traffic or suspicious spikes from unknown sources.
If you notice any of these, it’s time to take action immediately.
Immediate Steps to Take
When your WordPress site is hacked, every minute counts.
Step 1: Back up the hacked site
Even though it’s compromised, keep a copy for investigation or partial recovery.
🔗 Recommended read: How to Backup a WordPress Website
Step 2: Put the site in maintenance mode
Use a plugin like WP Maintenance Mode to prevent visitors from being exposed to malware.
Step 3: Change all passwords
Update WordPress admin, hosting, FTP, and database passwords. Use a password manager like LastPass or Bitwarden to create strong ones.
Scan for Malware & Remove Infections
The easiest way to find and remove malicious files is with a WordPress security plugin:
- Wordfence Security – Real-time firewall and malware scanner.
- Sucuri Security – Great for deep server-level scanning.
- MalCare – One-click malware removal.
Steps:
- Install one of these plugins.
- Run a full site scan.
- Review the infected files list.
- Remove or replace compromised files.
For manual cleaning (advanced users):
- Access your site via FTP or cPanel.
- Compare core WordPress files with fresh copies from WordPress.org.
- Remove suspicious scripts.
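The manual comparison above can be scripted rather than done by eye. The following is an added example, not part of the original guide: it hashes every core file in a downloaded copy of the site and in a fresh WordPress download, then lists files that were modified, files core never shipped, and files that are missing. It assumes the fresh copy is the same WordPress version as the site and that the site uses the standard layout; the file names and contents in `demo()` are constructed for illustration.

```python
import hashlib
import tempfile
from pathlib import Path

# Top-level entries that legitimately differ from a fresh download (assumption:
# standard layout). They are skipped here and need separate review.
SITE_SPECIFIC = ("wp-content", "wp-config.php", ".htaccess")


def index(root: Path) -> dict:
    """Map relative path -> SHA-256 for every core file under root."""
    hashes = {}
    for p in root.rglob("*"):
        rel = p.relative_to(root)
        if p.is_file() and rel.parts[0] not in SITE_SPECIFIC:
            hashes[rel.as_posix()] = hashlib.sha256(p.read_bytes()).hexdigest()
    return hashes


def compare_core(site: Path, fresh: Path) -> dict:
    """Classify differences between the live tree and a clean copy."""
    live, clean = index(site), index(fresh)
    return {
        "modified": sorted(f for f in live if f in clean and live[f] != clean[f]),
        "unexpected": sorted(f for f in live if f not in clean),
        "missing": sorted(f for f in clean if f not in live),
    }


def demo() -> dict:
    """Build two small constructed trees (not real WordPress files) and compare."""
    core = {"index.php": "<?php // core", "wp-admin/admin.php": "<?php // admin",
            "wp-includes/version.php": "<?php // version"}
    with tempfile.TemporaryDirectory() as tmp:
        site, fresh = Path(tmp, "site"), Path(tmp, "fresh")
        for root in (site, fresh):
            for rel, body in core.items():
                (root / rel).parent.mkdir(parents=True, exist_ok=True)
                (root / rel).write_text(body)
        (site / "index.php").write_text("<?php // core plus appended line")
        (site / "wp-includes/cache-x.php").write_text("<?php // never shipped")
        (site / "wp-admin/admin.php").unlink()
        (site / "wp-content/uploads").mkdir(parents=True)
        (site / "wp-content/uploads/note.txt").write_text("skipped")
        return compare_core(site, fresh)


if __name__ == "__main__":
    for kind, files in demo().items():
        print(f"{kind}: {files}")
```

To use it on a real site, call `compare_core()` with the path to the downloaded site copy and the path to the extracted fresh download. Anything under `wp-content` (plugins, themes, uploads) is outside this comparison and still has to be checked separately.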
Restore from Backup (If Available)
If you have a recent clean backup, restoring it can be the fastest way to recover.
- Use your hosting control panel or a backup plugin like UpdraftPlus or BlogVault.
- Always scan the backup before restoring.
- Avoid old backups that may contain the same malware.
🔗 Pro tip: If you don’t have a backup system yet, check out Best WordPress Backup Plugins.
Update & Secure WordPress
After cleaning your site, close the security holes that allowed the hack:
- Update WordPress core to the latest version.
- Update all themes and plugins.
- Delete unused or outdated plugins/themes.
- Install a WordPress firewall (Wordfence, Sucuri).
Contact Your Hosting Provider
Most hosting companies offer malware cleanup assistance.
Ask them to:
- Scan the server for additional infections.
- Provide security logs.
- Patch vulnerabilities.
Some hosts like SiteGround and Kinsta include free malware removal in their plans.
Prevent Future Hacks
The best recovery is prevention. Here’s how to protect your WordPress site:
- Use strong passwords and enable two-factor authentication with Google Authenticator.
- Regularly back up your site with UpdraftPlus or VaultPress.
- Keep WordPress, plugins, and themes updated.
- Limit login attempts with Limit Login Attempts Reloaded.
- Install a security plugin with real-time monitoring.
Frequently Asked Questions About Recovering a Hacked WordPress Site
Q1: How do I know if my WordPress site is hacked?
Look for unusual redirects, new administrator accounts, Google Search Console security warnings, or sudden traffic fluctuations.
Q2: Can I fix a hacked WordPress site without coding knowledge?
Yes — by using security plugins like Wordfence or Sucuri, you can clean most infections without coding.
Q3: How much does it cost to recover a hacked WordPress site?
It can be free if you do it yourself, or $50–$500+ if you hire professionals, such as the 79mplus team, which offers cleanup packages.
Q4: What’s the best WordPress security plugin?
Wordfence, Sucuri, and MalCare are excellent options depending on your needs.
Final Thoughts
Recovering a hacked WordPress site may seem overwhelming, but by acting quickly and following the steps above, you can remove the hack, restore your site, and protect it from future attacks.
If you need professional help to recover a hacked WordPress site, you can always hire an experienced WordPress security expert to speed up the process.