Security Operations

WordPress hacked: step-by-step recovery guide.

If your site is redirecting visitors to spam sites, displaying Google blacklist warnings, or showing Japanese search listings, you are the active target of a malware breach. Here is our step-by-step technical recovery guide.

Triage steps

Immediate actions required:
  1. Isolate the server traffic
  2. Diff core files against clean repositories
  3. Clean options tables & database columns
  4. Submit Google review requests

Security protocol

The Step-by-Step Remediation Pathway

Automated malware cleanups frequently fail because hackers hide backdoors (often simple, obfuscated single-line PHP eval commands) inside legitimate theme folders. Unless you follow a rigorous, manual cleanup protocol, the infection will auto-replicate and re-appear within 48 hours.

Step 1: Isolation & Maintenance Mode

Before doing forensic work, prevent active database insertions. Put your website in maintenance mode and restrict access via your `.htaccess` to only your own IP address. This stops visitors from seeing spam redirects and prevents the hacker's scripts from triggering further database writes.

Step 2: Core File Replacement

Do not attempt to read every core WordPress file to find malware scripts. Instead, download a fresh copy of your exact WordPress core version from the official repository, rename your existing `wp-admin` and `wp-includes` folders, and overwrite them with the clean directory downloads. Do the same for your core root files (like `index.php` and `wp-activate.php`), keeping only your custom `wp-config.php` file.

wp-config.php Check

Obfuscated code is frequently inserted at the top of `wp-config.php`. Carefully open the file and look for long base64 strings or variables containing odd characters. Regenerate all of the authentication keys and salts in the file to invalidate all active login sessions.

Step 3: Forensic Plugin & Theme Overwrite

Hackers target themes and plugins because they survive core updates. Rename your `wp-content/plugins` folder to temporarily disable all plugin code. Re-download clean zip archives of all active plugins from their official repositories and upload them fresh. Then open your active theme folder over SSH and list recently modified files: `find . -mtime -3 -type f` shows any files edited in the last 72 hours.
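
An added example (not part of the original guide) that combines the checks from the wp-config.php note and Step 3: it walks a `wp-content`-style tree and flags files that were recently modified, that contain `eval` fed by a decoder or a long base64 run, or that are PHP files under `uploads`. The function names, the pattern set, the `uploads` rule and the sample tree are assumptions constructed for illustration.

```python
import base64, os, re, tempfile, time
from pathlib import Path

PHP_EXT = {".php", ".phtml", ".phar"}
PATTERNS = {  # heuristics assumed by this example, not a complete signature set
    "eval-of-decoded-data": re.compile(
        rb"\beval\s*\(\s*@?\s*(base64_decode|gzinflate|str_rot13)\s*\(", re.I),
    "long-base64-string": re.compile(rb"[A-Za-z0-9+/]{200,}"),
}

def scan_tree(root, recent_days=3, now=None):
    """Map relative path -> sorted reasons the file deserves manual review."""
    root = Path(root)
    cutoff = (time.time() if now is None else now) - recent_days * 86400
    findings = {}
    for path in sorted(root.rglob("*")):
        if path.is_symlink() or not path.is_file():
            continue  # never follow links out of the tree
        rel = path.relative_to(root)
        # Same signal as `find . -mtime -3 -type f`; mtime can be reset, so it is not enough.
        reasons = {"recently-modified"} if path.stat().st_mtime >= cutoff else set()
        if path.suffix.lower() in PHP_EXT:
            if "uploads" in rel.parts[:-1]:
                reasons.add("php-in-uploads")  # uploads normally holds media, not PHP
            data = path.read_bytes()
            reasons.update(name for name, rx in PATTERNS.items() if rx.search(data))
        if reasons:
            findings[rel.as_posix()] = sorted(reasons)
    return findings

def build_sample_tree(base):
    """Constructed sample: one clean theme file and two planted files, all backdated."""
    blob = base64.b64encode(b"echo 'constructed sample';" * 12).decode()
    files = {
        "themes/demo/functions.php": "<?php add_action('init', 'demo_setup');\n",
        "themes/demo/inc/cache.php": f"<?php eval(base64_decode('{blob}'));\n",
        "uploads/2021/03/thumb.php": "<?php // placeholder body\n",
    }
    old = time.time() - 400 * 86400  # backdated, so the mtime check alone sees nothing
    for rel, body in files.items():
        p = Path(base) / rel
        p.parent.mkdir(parents=True, exist_ok=True)
        p.write_text(body)
        os.utime(p, (old, old))

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_tree(tmp)
        print(scan_tree(tmp))
```

Because the sample files are backdated, only the content and location checks catch them, so the modification-time search should be treated as one signal among several. Every hit is a candidate for manual review, not a verdict.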

Step 4: Database Scrubbing

Malware injections commonly write custom options, posts, or script blocks to your database. Access your database via phpMyAdmin or command-line SQL queries:

  • Search the `wp_options` table for auto-load values containing script payloads.
  • Search the `wp_users` table for hidden administrative roles you didn't create.
  • Search database posts for injected iframe tags or hidden display divs.

Step 5: Google Search Console Submission

Once you verify the site is clean (using external scanning tools), update your sitemap and log into Google Search Console. Go to the "Security & Manual Actions" tab, select "Request Review," and provide a brief list of the actions you took (e.g. "Overwrote core files, deleted compromised administrator account, purged database injections"). Reviews are typically processed in 72 hours.

Let our security engineers clean your site.

Don't risk leaving hidden backdoors. We manually scan, patch the entrance vulnerability, and set up continuous web application firewalls to block future hacks.
