Finding out your WordPress site has been hacked is frightening — but calm, methodical action will get you back on your feet. This extended, research-driven guide walks you through detection, containment, forensics, cleanup, validation, and hardening — with practical commands, tools, and references to reputable sources you can use right away.
Quick TL;DR (read first)
- Detect the hack (unexpected content, redirects, warnings). (10Web)
- Contain immediately: take the site offline/maintenance, change passwords, take a backup of the hacked state. (NIST CSRC)
- Triage & scan with trusted scanners (Sucuri, Wordfence); use WP-CLI and server logs to find changed files. (Sucuri)
- Clean: restore from a known-good backup or replace core/plugins/themes, remove backdoors, clean database. (Sucuri)
- Validate & request Google review (if blacklisted). (Google Help)
- Harden and monitor (2FA, WAF, updates, backups). (WordPress Developer Resources)
1) How to know your WordPress site is hacked — common signs
Look for these signals — many sites show multiple signs at once:
- You can’t log in or admin accounts are changed. (10Web)
- Unexpected content/posts/pages (spammy links or pornographic content). (Sucuri)
- Redirects — your site redirects visitors to other (malicious) domains. (10Web)
- Browser/Google warnings like “This site may be hacked” or “Deceptive site” in search results. (10Web)
- Unusual outgoing emails (mailer used to send spam). (Sucuri)
- Unusual CPU / traffic spikes or large unexplained files in wp-content/uploads. (Sucuri)
If you see any of the above: assume compromise and act immediately.
2) Immediate emergency steps (containment) — what to do first
Start with containment — stop further damage, preserve evidence.
- Put the site in maintenance mode / soft offline (show a static page).
  - Quick: rename index.php and put a static maintenance.html in its place, or use a hosting/maintenance plugin.
- Take a complete backup of the hacked site now (files + DB). Keep it offline for forensics. (Sucuri)
- Change ALL credentials: WordPress admin users, hosting/cPanel, FTP/SFTP, DB password, email accounts. Use app passwords if MFA is on. (Sucuri)
- Notify your host — ask for logs, snapshots, or temporary isolation. Many hosts can help block attacker IPs or suspend accounts to stop further abuse. (Server support blog)
- Record a timeline: when you first noticed, steps taken, and any system changes. Follow an incident lifecycle (Detect → Contain → Eradicate → Recover → Post-incident) recommended by NIST. (NIST CSRC)
3) Triage & forensic checks — what to scan and how
Use automated scanners and manual checks. Scanners find known signatures; manual checks locate unusual logic/backdoors.
Recommended scans/tools
- Sucuri SiteCheck to identify malware / blacklist status. (Sucuri)
- Wordfence Scanner (if you can access WP admin or run offline) to detect changed files and backdoors. (Wordfence)
- WP-CLI for many fast checks (server shell). Example: verify core checksums. (WordPress Developer Resources)
Useful WP-CLI & server commands
Run these from your site root (or ask your host to run them):
# Export DB (save offline)
wp db export /tmp/site-hacked-$(date +%F).sql
# List WP users & plugins
wp user list
wp plugin list --status=active
wp theme list
# Verify WordPress core files against checksums
wp core verify-checksums
# Find recently changed PHP files (last 30 days)
find . -type f -name '*.php' -mtime -30 -print
# Grep for suspicious PHP patterns (backdoors)
grep -R --include="*.php" -nE "base64_decode|eval\\(|gzinflate|str_rot13|shell_exec|preg_replace\\(.*/e" .
Why: verify-checksums compares each core file against the WordPress.org checksums for your installed version, a quick indicator of core tampering (it covers core only, not wp-content, so plugins and themes need the other checks). The grep looks for common backdoor patterns; expect false positives, since legitimate plugins also call functions such as base64_decode, so treat hits as leads to inspect rather than proof. (WordPress Developer Resources)
Check database for injected content
Run read-only queries to find scripts in post content or options (these assume the default wp_ table prefix; substitute yours if it differs):
-- suspicious scripts in posts
SELECT ID, post_title FROM wp_posts
WHERE post_content LIKE '%<script%' OR post_content LIKE '%eval(%'
LIMIT 50;
-- suspicious options
SELECT option_name, option_value FROM wp_options
WHERE option_value LIKE '%<script%' OR option_value LIKE '%base64_%'
LIMIT 50;
Export these query results as part of your log for forensic review.
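As an added example (not from the article or any of the tools it cites), the file-system checks above packaged into one POSIX shell function that tags each flagged PHP file with the reason, so the output can be saved next to the DB export as evidence. The function names and the suspicious-function regex are assumptions; the regex mirrors the grep pattern above.

```shell
#!/bin/sh
# Added example, not from the original article or any vendor tool: the
# find/grep triage checks combined into one function that prints each
# flagged PHP file with the reason (tab-separated), for the evidence log.
# Assumes POSIX sh with find, grep, awk, sort, cut; "$1" is the site root.

# ERE for the obfuscation/backdoor functions named in the article. Expect
# false positives: legitimate plugins also call base64_decode, so each hit
# is a lead to inspect, not proof of compromise.
SUSPICIOUS_RE='base64_decode|eval\(|gzinflate|str_rot13|shell_exec|passthru|system\(|preg_replace\(.*/e'

# Usage: triage_wp_files <site-root> [days]   (look-back window, default 30)
triage_wp_files() {
  root="${1%/}"
  days="${2:-30}"
  {
    # 1. PHP under wp-content/uploads has no legitimate reason to exist.
    find "$root/wp-content/uploads" -type f -name '*.php' 2>/dev/null \
      | awk '{ print $0 "\tphp-in-uploads" }'
    # 2. PHP files modified inside the look-back window.
    find "$root" -type f -name '*.php' -mtime "-$days" 2>/dev/null \
      | awk '{ print $0 "\trecently-modified" }'
    # 3. PHP files containing one of the suspicious function names.
    grep -R -l --include='*.php' -E "$SUSPICIOUS_RE" "$root" 2>/dev/null \
      | awk '{ print $0 "\tsuspicious-pattern" }'
  } | sort
}

# Number of distinct files flagged by any check (useful in the timeline).
triage_wp_count() {
  triage_wp_files "$@" | cut -f1 | sort -u | wc -l | tr -d ' '
}

# Stand-alone use: triage_wp_files /var/www/html > /tmp/triage-$(date +%F).tsv
```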
4) Cleanup & eradication — step-by-step (safe approach)
Best-case: restore from a known clean backup taken before the compromise. If no clean backup exists, follow the steps below.
Option A — Restore from a clean backup (recommended)
- Verify the backup is clean (scan it offline).
- Replace site files and DB with the backup.
- Rotate all passwords and keys (see below). (Sucuri)
Option B — Clean in place (when backup not available)
- Replace core files with fresh copies: download WordPress core and overwrite all core files except wp-config.php and wp-content. Use wp core download --force (or FTP). (Sucuri)
- Remove unused plugins/themes. Reinstall the latest versions from the official repositories for those you keep. Nulled / pirated plugins are common compromise vectors — delete them. (Sucuri)
- Scan for and remove backdoors in wp-content/uploads and in plugin and theme folders (PHP files inside uploads are suspicious). Grep for backdoor signatures (examples above). (Sucuri)
- Clean the DB: remove injected spam posts, malicious options, or admin users you don’t recognize — but export the DB first and work on a copy. Search for suspicious <script> injections in wp_posts and wp_options. (Sucuri)
- Regenerate WordPress salts & keys in wp-config.php (this logs out all users and invalidates attacker cookies). Get fresh keys from the WordPress.org secret key generator. (WordPress Developer Resources)
- Rotate all credentials again: WP admins, hosting, DB user, FTP/SFTP, API keys, mailing service credentials. (Sucuri)
5) Validate cleanup — testing & proving it’s clean
- Re-scan with Sucuri and Wordfence after cleanup. (Sucuri)
- Run wp core verify-checksums again to ensure core is clean. (WordPress Developer Resources)
- Check Google Search Console → Security Issues. If Google flagged the site and you have cleaned everything, use Request a Review inside Search Console — Google’s review may take days. Provide details on what you cleaned. (Google Help)
- Test from multiple browsers & devices; check logs for suspicious cron jobs or scheduled tasks. Look for outgoing spam volume in hosting mail logs.
6) Post-recovery hardening — make it hard to re-hack
Follow defense-in-depth. Key measures:
- Keep core, plugins, and themes updated. Use staging or test updates first. (WordPress Developer Resources)
- Remove unused plugins/themes and delete old installs. (Sucuri)
- Use a reputable security plugin & WAF (Wordfence, Sucuri, Cloudflare WAF). (Wordfence)
- Enforce 2-factor authentication (2FA) for all admin users. (Wordfence)
- Limit login attempts and change the default admin username. (WordPress Developer Resources)
- Disable PHP file editing in the dashboard: define('DISALLOW_FILE_EDIT', true); in wp-config.php. (WordPress Developer Resources)
- Harden file permissions: directories 755, files 644; web server user ownership; avoid 777. (WordPress Developer Resources)
- Use SFTP/SSH (no FTP) and remove legacy protocols. (WordPress Developer Resources)
- Implement regular backups (offsite) and test restores. (Sucuri)
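An added helper (example code, not from the article or the WordPress.org hardening guide) that audits two items from this list: the 755/644 permission baseline with a check for anything left world-writable, and DISALLOW_FILE_EDIT in wp-config.php. Function names and the site-root argument are assumptions.

```shell
#!/bin/sh
# Added example, not from the original article or WordPress.org: audit and
# fix the permission baseline given above (directories 755, files 644, no
# 777) and check that DISALLOW_FILE_EDIT is set in wp-config.php.
# Assumes POSIX sh with find, chmod and grep; "$1" is the site root.

# Print every file or directory that is world-writable (the 777 anti-pattern).
wp_find_world_writable() {
  find "${1%/}" -perm -0002 -print 2>/dev/null | sort
}

# Apply the baseline: directories 755, files 644. Ownership is deliberately
# left alone because the right web-server user is host-specific; fix it with
# chown afterwards. Returns non-zero if anything is still world-writable.
wp_harden_permissions() {
  root="${1%/}"
  find "$root" -type d -exec chmod 755 {} +
  find "$root" -type f -exec chmod 644 {} +
  [ -z "$(wp_find_world_writable "$root")" ]
}

# Succeeds only if wp-config.php defines DISALLOW_FILE_EDIT as true, which
# removes the dashboard theme/plugin editor (a way to write PHP from an
# admin session that the article recommends closing).
wp_file_edit_disabled() {
  pat="define\([[:space:]]*['\"]DISALLOW_FILE_EDIT['\"][[:space:]]*,[[:space:]]*true[[:space:]]*\)"
  grep -Eq "$pat" "${1%/}/wp-config.php" 2>/dev/null
}

# Stand-alone use:
#   wp_harden_permissions /var/www/html && echo "permissions OK"
#   wp_file_edit_disabled /var/www/html || echo "DISALLOW_FILE_EDIT missing"
```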
7) Incident response & governance (research-backed approach)
Use a documented incident process. NIST SP 800-61 recommends phases: Preparation → Detection & Analysis → Containment/Eradication/Recovery → Post-Incident Activity. Keep logs, evidence, and a postmortem. This helps prevent repeat incidents and supports any legal obligations. (NIST CSRC)
Document:
- What happened and when (timeline).
- Which accounts were used/created.
- Which files changed.
- Root cause and mitigation.
- Lessons learned & schedule for fixes.
8) When to call a professional
Hire a specialist if:
- You don’t have a clean backup and the infection is deep (multiple backdoors).
- Sensitive user data / payment info may be exposed (legal/PR risk).
- Your hosting provider recommends a paid cleanup (they may offer it).
Companies that do cleanup: Sucuri, Wordfence Response, and managed hosts with security teams. Use reputable vendors and ask for a cleanup report.
9) Forensics quick-commands & checklist (copy/paste)
Non-destructive checks:
# Save current DB (important)
wp db export /tmp/broken-site-$(date +%F).sql
# Find suspicious php files (recently changed)
find /var/www/html/ -type f -name "*.php" -mtime -30 -print
# Grep for typical obfuscation/backdoor strings
grep -R --include="*.php" -nE "base64_decode|eval\\(|gzinflate|str_rot13|preg_replace\\(.*/e|shell_exec|passthru|system\\(" /var/www/html/
# Verify WP core
wp core verify-checksums
DB queries to locate injected content (read-only):
SELECT ID, post_title FROM wp_posts
WHERE post_content LIKE '%<script%' OR post_content LIKE '%eval(%'
LIMIT 200;
SELECT option_name FROM wp_options
WHERE option_value LIKE '%base64_%' OR option_value LIKE '%<script%'
LIMIT 200;
10) Useful references & tools (read these)
- 10Web — “Is Your WordPress Site Hacked? Key signs & recovery” (good high-level checklist).
- Sucuri — How to remove malware & clean a hacked WordPress site (detailed cleanup steps & best practices).
- Wordfence — How to clean a hacked WordPress site & hardening advice.
- Google Search Console — Security Issues & Request a Review procedure.
- WordPress.org — Hardening WordPress guide (official hardening checklist).
- WP-CLI — wp core verify-checksums docs (verify core integrity).
- NIST SP 800-61 — Incident response lifecycle & recommendations.
Final Checklist (copyable)
- Put site in maintenance / take a snapshot.
- Full backup (files + DB) of hacked site.
- Rotate all passwords & secrets.
- Run Sucuri & Wordfence scans.
- wp core verify-checksums → investigate mismatches. (WordPress Developer Resources)
- Replace core, theme, plugin files from official sources. (Sucuri)
- Clean DB (search & remove injected scripts).
- Remove unknown admin users.
- Regenerate salts & log out all sessions. (WordPress Developer Resources)
- Harden site: WAF, 2FA, backups, updates. (Wordfence)
- Request Google Search Console review if flagged. (Google Help)