Discovering that your WordPress site has been hacked is gut-wrenching — especially when it’s your business on the line. Take a breath: most WordPress infections are cleanable, and with a methodical approach you can remove the malware, get any blacklist warnings lifted, and lock the door behind the attacker. Here’s the step-by-step process.
Signs your WordPress site is hacked
- Unexpected redirects to spam, gambling, or adult sites
- Pharmaceutical or SEO spam injected into your pages or Google results
- A “Deceptive site ahead” warning or an antivirus/blacklist flag
- New admin accounts, unknown files, or files changed at strange times
- Your host suspended the site or emailed you about malware
- Sudden slowdowns or unexplained traffic spikes
If only one scanner flags you and nothing actually misbehaves, you may be dealing with a false positive rather than a real hack — worth ruling out before you start tearing things apart.
Before you start: back up and stay calm
Even though the site is compromised, make a full backup of the current files and database first. You want a snapshot to investigate — and to restore from if a cleanup step goes sideways. Work on a staging copy if you can.
Step 1: Confirm the infection
Run a reputable malware scan and check Google Search Console → Security Issues for the sample URLs Google flagged. Note what the malware is doing — redirects, spam, defacement — because it tells you where to look.
Step 2: Scan every layer
WordPress malware hides in more than one place. Check all of them:
- Core files — compare against a fresh copy of the same WordPress version
- Themes and plugins — especially nulled or abandoned ones
- The uploads folder — PHP files have no business living in
/wp-content/uploads/ - The database — injected scripts, spam links, and rogue admin users
- wp-config.php and .htaccess — favorite spots for backdoors and redirects
Step 3: Remove the malicious code
Delete backdoors, injected code, and any files you can’t account for. Look for telltale signs: eval(, base64_decode(, long obfuscated strings, and recently-modified timestamps. Remove unknown admin users under Users in wp-admin. Be thorough — a single leftover backdoor lets the attacker walk right back in.
Step 4: Replace core, themes, and plugins from clean sources
The safest way to clean core and reputable plugins or themes is to replace them entirely with fresh copies from WordPress.org or the official developer. Reinstall — don’t just “update” — so any modified files are overwritten.
Step 5: Clean the database
Remove injected <script> tags, spam links, and suspicious entries from your posts, options, and user meta. Drop any unfamiliar tables the malware may have created.
Step 6: Reset all the keys to the kingdom
- Change every password: WordPress admins, hosting/cPanel, FTP/SFTP, and the database user
- Regenerate your WordPress secret keys/salts to force every session to log out
- Review and remove unused FTP and admin accounts
Step 7: Harden the site so it doesn’t happen again
- Keep everything updated and delete what you don’t use
- Enforce strong passwords and two-factor authentication
- Limit login attempts and consider hiding the login URL
- Set correct file permissions and disable file editing in wp-admin
- Run a firewall or security plugin
Step 8: Request blacklist and Safe Browsing removal
Once the site is verifiably clean, ask the services that flagged you to re-check it. In Google Search Console, request a review under Security Issues. For antivirus and blacklist vendors, submit through their official channels — my blacklist removal links directory has the report forms for 100+ of them.
When to call in a professional
If the infection keeps coming back, you can’t find the backdoor, your host suspended the account, or you simply can’t afford the downtime, it’s worth handing the job to a specialist. DrGlenn provides fast, accountable WordPress malware removal — full cleanup, blacklist removal, and hardening, done by one expert who keeps you in the loop the whole way. Get in touch or order a cleanup and get back online with confidence.