Steps to fix hacked WordPress website

fix hacked wordpress

Is your WordPress site hacked? Don’t panic! I’ll guide you through the steps to fix a hacked WordPress website in this article.

First, understand that WordPress is secure. However, hacking is still possible. Various reasons could explain why your site was hacked.

We’ve assisted many website owners over the past years. We’ve helped them recover hacked sites and remove malicious code.

WordPress powers 43.1% of all websites on the internet. That makes it a tempting target for hackers.

Forbes published a report with a startling fact. Almost 30,000 websites get hacked daily. Seeing your website hacked is stressful.

A hacked site damages your reputation. It affects your customers and Google rankings. Therefore, fixing it quickly is crucial to avoid impacting your business.

Things to know before we start

No website is 100% secure. Hundreds of vulnerabilities are found daily. Hackers can exploit these to hack sites. It’s not always the WordPress core files at fault.

The PHP version on your server may be the issue. It could be anything. So, use the latest versions of both the CMS and PHP.

Google and some browsers may warn visitors about hacked sites. This warning harms your website’s reputation. Hacked websites often contain or point to inappropriate content.

Website security must be a top priority if you run an online business. It’s vital to pick a reputable hosting company.

Good hosting companies update their servers and scan hosted sites regularly. We’ve used LiquidWeb for years without compromise. Regular backups are also essential; ask your host for auto-backup.

You can use online scanners like Sucuri to check for hacks. We’ve used this site to scan client websites for malicious code.

About 40% of websites get hacked through server vulnerabilities. Good hosting, regular backups, and scanning are essential for security.

But if you’re reading this, your site might be hacked. Or you want to secure your WordPress website.

How to identify if a WordPress website is Hacked?

Using View Source

Open your website in a browser. Right-click and select “View Page Source.” Look for unfamiliar website links. Search for anything you didn’t add to your pages.

You might find HTML iframe codes. Words like Viagra or Cialis could appear on the pages. You may not see these words or links upfront.

Hackers often hide these with CSS. They set the properties to ‘hidden’ or ‘none.’ The page loads these hidden elements, but users don’t see them.

When Google crawls your website’s pages, it may mark the site as spam or hacked. This occurs because of these hidden elements.


Redirections

If you see that your website gets redirected to any different pharma, porn or weird websites, then it is a confirmation that the site has been hacked.

Keyword Autolink

Some hackers insert scripts into the WordPress site which auto links the words in your website to some other websites.

Crashing and Freezing

Upon visiting, the site loads slowly, crash and freezes. The reason behind this is the script that has been added to the site by the hacker.

Unnecessary Popups and Windows

Popups, alerts and new windows to different porn or objectionable URLs open when the site is visited.

Notices and Alert from Hosting Provider

Most of the hosting providers send you emails and alerts if any files get infected by malicious code or scripts. If you are using shared hosting, then other sites in the host generally get affected in such situations.

So, these are some of the techniques to find out if a website is hacked. Now let me tell you how you can fix the hacked WordPress website.

If you want your things to get done quickly without wasting a single minute, then you can hire a professional to fix the site for you.

Hire website security Professional

If you’re a skilled web security professional, you can handle this. Not a coder or comfortable with servers? Then hiring a WordPress Security Expert is recommended.

An expert can investigate the cause. They can find infected files, remove malicious code, and restore the website.

Hackers often inject malicious code into many files. Every file on the server must be scanned and checked precisely. Even one hacked file can ruin the site again.

As said, we have been fixing and cleaning up Malware from WordPress websites for years; so you may consider us to help you with securing your WordPress website. We charge between $99-$199 depending upon the severity.

Well, this is a secondary option. Let me first guide you the steps to remove Malware and clean up your hacked WordPress website.

Okay, let’s begin.

Step 1: Scan the computer which connects to the server

Before you start any fixes to the website, the first and foremost thing is to scan your computer, which gets connected to the server via FTP. If your computer is affected by Malware, virus and Trojans, the FTP details get stolen by the hackers. I would recommend you to use a reputed anti-virus and then connect to the server.

Step 2: Change all the passwords

After scanning your website, you should change the usernames and passwords of FTP, WordPress Admin area login details and hosting details. Use a strong password for all the three. You can also use a strong password generator and keep the password safe.

Step 3: Contact the Hosting Provider

If you are using a shared server, then ask your host to check if other sites in the host are affected. Most of the hosting providers are helpful and scan the entire server to remove the Malware and update the security settings of your files.

We had a horrible experience with our last hosting provider which hosted our site on a shared server and didn’t bother to update the server or remove Malware, so we moved our site to a VPS after cleaning the site. You may change your host or your hosting plan. Now follow the next step if your host isn’t helpful.

Step 4: Restore from Backup

If you regularly backup your WordPress website, then you won’t have any issues in deleting all the hacked files and replacing those with the backup files. Don’t delete the database as you might lose the changes you have done to the posts or pages. If you don’t have a backup, then follow the next step.

Step 5: Download WordPress from Official Website

If you don’t have a backup, then the last thing to do is downloading the version of WordPress that your website is using from the official website and UNZIP it to a folder.

Step 6: Remove Infected files

Now that you have cleaned your computer and extracted the WordPress files from the official site, you can now login to your website using FTP or web-based file manager and go to the folder where you have installed your WordPress and delete all the files except wp-config.php and the wp-content folder.

Check the wp-config.php file and other files inside the wp-content folder properly and make sure that the file doesn’t contain any malicious code. Remove additional files with weird names. You can search for a PHP function base64(); which is used by the hackers to encrypt the data. Try to remove those codes. You can also use an online base64 decoder to check and verify the encrypted infected codes.

For example, you see some data like this PGEgaHJlZj0iaHR0cHM6Ly93d3cuaW5meXdheXMuY29tIj5JbmZ5d2F5czwvYT4 . Copy the encoded contents and decode it. The decoding code shows you the following:

<a href="https://data.infyways.com/new">Infyways</a>

Check all the folders inside the wp-content thoroughly. You can also remove the WordPress plugins folder and the themes which you aren’t using. If you have a clean backup of your active theme, then you can delete all the themes. Plugins can be installed later once you complete the process.

Step 7: Re-Upload Core WordPress Files

If you have checked all the files which are there in the server, the next step is uploading the extracted WordPress files (Step 5) into the server through FTP.

Step 8: Update the site and files

Once you re-upload the core files, you can now login to the backend and install all the missing plugins and themes. Activate the theme and plugins. Your site is ready now, but it is still not secured. Follow the next step and make the site secured.

Step 9: Securing a WordPress Website

  • Download all the plugins from the official repository of WordPress.
  • Don’t’ use nulled theme or plugins. All nulled files have malicious or infected codes inside them.
  • Set the folder permission to 755 and files to 644. Avoid chmod permission 777
  • Check the list of users and see if it contains any new user with admin access. An admin has access to change the theme files directly in the wp-admin or WordPress Dashboard.
  • You can set up a firewall monitoring system by installing plugins such as Acunetix or Sucuri. These security plugins enhance security and block the attack on the website.
  • Disable file edits in the backend.
  • Limit the login attempts in the backed. This can be done by installing a plugin called Limit Login Attempts

Step 10: Remove Google Malware Warning

Site Harmful Browser Screenshot

Removing Malware warning is the last step which has to be done once your site is free from malware infection. You can submit the website to Google for review once again in order to remove the warning “This site may harm your computer”. The warning can be removed using the Google Webmaster Tools.

Conclusion

Never use nulled WordPress themes or plugins and keep your WordPress, themes and plugins updated. If you don’t, the website may get hacked and ultimately lose rank on SERPs. The recent Google algorithm impacts the hacked or spam website. So, keeping your website secured should be your utmost priority.

I hope the guide must have helped you to fix hacked WordPress website. If you are still facing issues, then feel free to contact us. We are happy to help you any time.

Frequently Asked Questions​

When your WordPress site is hacked, you can follow these steps: Scan your computer for malware, change all your passwords (FTP, WordPress admin, and hosting), contact your hosting provider, restore your website from a backup if available, remove infected files, re-upload core WordPress files, update your site and files, and secure your WordPress website. Lastly, remove the Google malware warning.

Yes, a hacked website can be restored. If you have a clean backup of your website, you can delete all the hacked files and replace them with the backup files. If you don’t have a backup, you can manually clean the infected files, re-upload the core WordPress files, and update your site.

WordPress websites can be hacked due to various reasons such as weak passwords, out-of-date software, plugin and theme backdoors, vulnerable file permissions, and insecure hosting providers. Hackers often target WordPress due to its popularity.

To remove a virus from WordPress, you need to scan your website for malware, remove the infected files, and re-upload the clean files. You can use various security plugins available for WordPress to scan and remove the malware.

You can secure your WordPress website by using strong passwords, keeping your WordPress, themes, and plugins updated, using trusted themes and plugins, limiting login attempts, implementing SSL encryption, and installing a web application firewall.

Signs that your WordPress website has been hacked include unexpected redirects, spammy on-site content, warnings from Google or web host, unexplained accessibility issues, and website behaving strangely.

If you can’t fix your hacked WordPress site on your own, you should contact a professional WordPress security service. They have the expertise to clean your website and secure it from future attacks.

To prevent your WordPress website from being hacked in the future, ensure your passwords are secure, keep everything updated, use trusted themes and plugins, delete unused plugins and themes, protect your website from malware, and find a reputable hosting company.

A nulled theme or plugin is a premium theme or plugin that has been cracked and made available for free illegally. You should avoid it because it often contains malicious or infected codes that can harm your website.

Once your site is free from malware infection, you can submit your website to Google for review to remove the warning “This site may harm your computer”. You can do this using Google Webmaster Tools.

Share the Article

Picture of Abhilash Sahoo

Abhilash Sahoo

Abhilash Sahoo, with 14 years of experience, is a Certified Joomla and WordPress Expert and the Founder & CEO of Infyways Solutions, specializing in innovative web development solutions.