

Your WordPress site has been hacked. Don't panic. We know how stressful this is, especially when you discover it on a Monday morning and your homepage has been replaced by an online pharmacy or your visitors are being redirected to some dodgy casino site. Unfortunately, we see this at least once a month. The good news is that it's fixable. Here's a concrete action plan, step by step.
Sometimes it's obvious: your homepage has been replaced with a message in a foreign language, or your visitors are getting redirected to a shady website. But more often than not, the hack is subtler than that.
Your site can be compromised without you noticing at all. Hackers don't always want to be seen. A compromised site that keeps working normally on the surface is a site they can exploit longer to send spam or host phishing pages.
Here's what should raise red flags: pages you never created showing up in Google (type site:yoursite.com to check), Google Search Console sending you security alerts, your host contacting you about suspicious activity, PHP files you don't recognize sitting in your directories, or your site suddenly becoming very slow for no reason. If you've been blacklisted by Google, a red warning screen appears before anyone can access your site. That's the most visible sign for your visitors, and the most damaging for your business.
In our experience, the first thing we do when we step in on a hacked site is to stabilize the situation before starting the actual cleanup.
Change all access passwords immediately: your WordPress admin panel, FTP, database, and hosting panel. Do this from a computer you're confident isn't compromised itself.
Put your site into maintenance mode. A simple plugin like WP Maintenance Mode will do, or if you've lost access to the admin, create a .maintenance file at the root. The point is to stop your visitors from seeing malicious content while you clean up.
Notify your host. They may have already spotted the suspicious activity and can give you useful information (access logs, recently modified files).
And this is the part people skip: make a backup of the current state, even though it's infected. Yes, it sounds counterintuitive, but this copy will help you analyze the vulnerability after the fact. Without it, you're cleaning blind and you risk missing the attacker's way in.
This is the bulk of the work. The approach we recommend is aggressive but safe: replace everything that can be replaced with clean files.
The wp-includes/ and wp-admin/ directories contain zero custom files. None. You can delete them entirely and replace them with fresh copies downloaded from wordpress.org. Do the same for files at the root (except wp-config.php and .htaccess, which we'll handle separately). This is the most reliable way to make sure the core is clean.
Open this file and inspect it line by line. Verify that the database credentials are correct and haven't been tampered with. Look for suspicious code, particularly eval(), base64_decode(), or include statements pointing to files you don't recognize. Regenerate the security keys (the famous salt keys) by going to api.wordpress.org/secret-key and pasting the new values into your file.
This is where things get tricky, because wp-content/ holds your themes, plugins, and media. You can't just swap everything out as easily.
For plugins: delete them all via FTP and reinstall them one by one from the official WordPress repository. Yes, it's tedious. But it's the only way to be sure. Take this as an opportunity to only reinstall the ones you actually use. Inactive plugins that have been sitting around for months are a classic attack vector.
For your theme: if you're using a theme from the official repository, replace it with a fresh copy. If it's a custom theme, you'll need to inspect every file. Pay particular attention to functions.php — that's where malicious code loves to hide.
For the uploads directory: this folder should normally only contain images, PDFs, and media files. If you find .php files in there, it's almost always malicious code. Delete them. You can find all PHP files in uploads with a simple find wp-content/uploads -name "*.php" on the command line.
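As an added example (not code from the original article), the Python script below performs the uploads check from the paragraph above and extends it in two ways: it also flags files under uploads/ that carry a PHP open tag under some other extension, and it lists every PHP file in wp-content/ that contains eval(, base64_decode( or a few related obfuscation functions, which gives you a review list for themes and plugins. The directory tree it scans is constructed inside a temporary directory; the pattern list and the extension list are assumptions, a starting point rather than a complete signature set, and a hit means "read this file", not "this file is malicious" (some legitimate themes use base64_decode for inline assets).

```python
"""Constructed example: triage a wp-content tree for files that should not be there."""
import os
import re
import tempfile

# Extensions a typical Apache/PHP-FPM setup may hand to the PHP interpreter (assumption).
PHP_EXTENSIONS = {".php", ".php3", ".php5", ".php7", ".phtml", ".phar"}

# The two functions named in the article plus common companions in obfuscated code.
# A hit is a review item, not a verdict.
SUSPICIOUS_PATTERNS = {
    "eval": re.compile(rb"\beval\s*\("),
    "base64_decode": re.compile(rb"\bbase64_decode\s*\("),
    "gzinflate": re.compile(rb"\bgzinflate\s*\("),
    "str_rot13": re.compile(rb"\bstr_rot13\s*\("),
    "create_function": re.compile(rb"\bcreate_function\s*\("),
}


def _read(path, limit=2_000_000):
    with open(path, "rb") as fh:
        return fh.read(limit)


def _rel(path, root):
    return os.path.relpath(path, root).replace(os.sep, "/")


def php_files_in_uploads(wp_content):
    """Files under uploads/ that are PHP by extension or contain a PHP open tag.

    The content test catches code hidden under a harmless-looking extension
    (an .ico or .txt file that another file later include()s).
    """
    uploads = os.path.join(wp_content, "uploads")
    hits = []
    for dirpath, _dirs, files in os.walk(uploads):
        for name in files:
            path = os.path.join(dirpath, name)
            ext = os.path.splitext(name)[1].lower()
            if ext in PHP_EXTENSIONS or b"<?php" in _read(path):
                hits.append(_rel(path, wp_content))
    return sorted(hits)


def suspicious_php(wp_content):
    """(relative path, pattern name) for every PHP file that matches a pattern."""
    findings = []
    for dirpath, _dirs, files in os.walk(wp_content):
        for name in files:
            if os.path.splitext(name)[1].lower() not in PHP_EXTENSIONS:
                continue
            path = os.path.join(dirpath, name)
            data = _read(path)
            for label, pattern in SUSPICIOUS_PATTERNS.items():
                if pattern.search(data):
                    findings.append((_rel(path, wp_content), label))
    return sorted(findings)


def build_sample_tree(base):
    """Constructed wp-content tree standing in for a compromised site."""
    files = {
        "uploads/2024/05/photo.jpg": b"\xff\xd8\xff\xe0 not really a jpeg",
        # Pattern named in the article (eval + base64_decode); constructed, not a payload.
        "uploads/2024/05/cache.php": b"<?php eval(base64_decode('Li4u')); // constructed sample\n",
        # PHP hidden under a harmless-looking extension.
        "uploads/favicon.ico": b"<?php /* constructed sample */ echo 'hidden';\n",
        "themes/custom/functions.php": b"<?php\nadd_action('init', 'my_init');\n",
        "plugins/example-plugin/example-plugin.php": b"<?php\n/* Plugin Name: Example */\n",
        # Obfuscated call appended to an otherwise ordinary theme file.
        "themes/custom/footer.php": b"<?php echo gzinflate(str_rot13('abc')); ?>\n",
    }
    for rel, content in files.items():
        path = os.path.join(base, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "wb") as fh:
            fh.write(content)


def run_demo():
    """Build the sample tree in a temporary directory and return both reports."""
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_tree(tmp)
        return {"uploads": php_files_in_uploads(tmp), "suspicious": suspicious_php(tmp)}


if __name__ == "__main__":
    report = run_demo()
    print("Executable files under uploads/:")
    for rel in report["uploads"]:
        print("  ", rel)
    print("PHP files with obfuscation patterns (review each by hand):")
    for rel, label in report["suspicious"]:
        print(f"   {rel}: {label}")
```

Point php_files_in_uploads() and suspicious_php() at a real wp-content/ path, ideally the infected backup you took earlier rather than the live tree, and work through the list by hand before deleting anything.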
The hack doesn't always stop at the files. The database can be compromised too.
Start by checking the wp_users table. Admin accounts you didn't create? Delete them immediately. Then look at the wp_options table: verify that the siteurl and home values match your actual domain. An attacker can modify these to redirect all your traffic.
The nastiest part is injected content. Search wp_options for entries containing eval( or base64_decode(. You can run this SQL query:
SELECT option_name, option_value FROM wp_options WHERE option_value LIKE '%eval(%' OR option_value LIKE '%base64_decode(%';
Check wp_posts and wp_postmeta too for injected content — hidden spam links buried in your articles. Honestly, if you're not comfortable with phpMyAdmin or SQL queries, this is the time to ask for help. A bad move in the database can do more damage than the hack itself.
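As an added example that is not part of the original article, the script below runs the checks from this section against an in-memory SQLite copy of the relevant tables, filled with constructed rows: it generalises the wp_options query to wp_posts and wp_postmeta and to two extra markers (<script, <iframe), verifies siteurl and home against your own domain, and lists administrator accounts newest first. The table layout is a trimmed version of the real wp_ schema (an assumption, with the default wp_ prefix), and it relies on one fact the paragraphs above do not mention: WordPress stores roles in wp_usermeta under the meta_key wp_capabilities, so whether an account is an administrator cannot be read from wp_users alone. The SELECT statements run unchanged in phpMyAdmin.

```python
"""Constructed example: the article's database checks against an in-memory SQLite copy."""
import sqlite3

INJECTION_MARKERS = ["eval(", "base64_decode(", "<script", "<iframe"]

# (table, id column, label column, column to search); the article names these three tables.
SEARCH_TARGETS = [
    ("wp_options", "option_id", "option_name", "option_value"),
    ("wp_posts", "ID", "post_title", "post_content"),
    ("wp_postmeta", "meta_id", "meta_key", "meta_value"),
]


def load_sample_db():
    """Reduced wp_ schema with constructed rows: mostly clean, a few injected."""
    con = sqlite3.connect(":memory:")
    con.executescript("""
        CREATE TABLE wp_options (option_id INTEGER, option_name TEXT, option_value TEXT);
        CREATE TABLE wp_posts (ID INTEGER, post_title TEXT, post_content TEXT);
        CREATE TABLE wp_postmeta (meta_id INTEGER, post_id INTEGER, meta_key TEXT, meta_value TEXT);
        CREATE TABLE wp_users (ID INTEGER, user_login TEXT, user_email TEXT, user_registered TEXT);
        CREATE TABLE wp_usermeta (umeta_id INTEGER, user_id INTEGER, meta_key TEXT, meta_value TEXT);
    """)
    con.executemany("INSERT INTO wp_options VALUES (?,?,?)", [
        (1, "siteurl", "https://evil.example"),  # tampered: should be the real domain
        (2, "home", "https://example.com"),
        (3, "blogname", "Example Shop"),
        (4, "widget_text", "<?php eval(base64_decode('Li4u')); ?>"),  # injected
    ])
    con.executemany("INSERT INTO wp_posts VALUES (?,?,?)", [
        (10, "Hello world", "<p>Welcome to our shop.</p>"),
        (11, "About us", "<p>We sell things.</p><script src='https://evil.example/x.js'></script>"),
    ])
    con.executemany("INSERT INTO wp_postmeta VALUES (?,?,?,?)", [
        (100, 10, "_thumbnail_id", "42"),
        (101, 11, "_seo_footer", "<iframe src='https://evil.example'></iframe>"),
    ])
    con.executemany("INSERT INTO wp_users VALUES (?,?,?,?)", [
        (1, "alice", "alice@example.com", "2021-03-01 10:00:00"),
        (2, "wp_support", "x@evil.example", "2024-05-18 03:12:44"),  # account nobody created
    ])
    con.executemany("INSERT INTO wp_usermeta VALUES (?,?,?,?)", [
        (1, 1, "wp_capabilities", 'a:1:{s:13:"administrator";b:1;}'),
        (2, 2, "wp_capabilities", 'a:1:{s:13:"administrator";b:1;}'),
    ])
    return con


def find_injected_content(con):
    """The article's wp_options LIKE query, generalised to all targets and markers."""
    hits = []
    for table, id_col, label_col, value_col in SEARCH_TARGETS:
        where = " OR ".join(f"{value_col} LIKE ?" for _ in INJECTION_MARKERS)
        sql = f"SELECT {id_col}, {label_col} FROM {table} WHERE {where}"
        params = [f"%{marker}%" for marker in INJECTION_MARKERS]
        for row_id, label in con.execute(sql, params):
            hits.append((table, row_id, label))
    return hits


def check_site_urls(con, expected_prefix):
    """Return siteurl/home values that do not point at your own domain."""
    rows = dict(con.execute(
        "SELECT option_name, option_value FROM wp_options "
        "WHERE option_name IN ('siteurl', 'home')"))
    return {name: value for name, value in rows.items() if not value.startswith(expected_prefix)}


def list_administrators(con):
    """Roles live in wp_usermeta (meta_key wp_capabilities), not in wp_users."""
    sql = """
        SELECT u.ID, u.user_login, u.user_email, u.user_registered
        FROM wp_users u JOIN wp_usermeta m ON m.user_id = u.ID
        WHERE m.meta_key = 'wp_capabilities' AND m.meta_value LIKE '%administrator%'
        ORDER BY u.user_registered DESC
    """
    return con.execute(sql).fetchall()


if __name__ == "__main__":
    db = load_sample_db()
    print("Injected content:", find_injected_content(db))
    print("URL options not on our domain:", check_site_urls(db, "https://example.com"))
    print("Administrators, newest first:", list_administrators(db))
```

The newest-first ordering of administrators is deliberate: an account registered at 3 a.m. a few days before the incident, with an address on a domain you do not own, is the one to look at first. Hits from the content search still need a human eye, since a legitimate post can contain a script tag.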
Several tools can help you identify compromised files.
Wordfence is probably the best known. Its free scanner compares your files against the official WordPress repository and flags any differences. It's extremely effective at spotting injected code in the core or plugins. Sucuri SiteCheck does an external scan of your site, which is useful to see what visitors and Google actually see.
For the more technically inclined, WP-CLI offers a very handy command:
wp core verify-checksums
This command compares every core WordPress file against the official checksums. If a file has been modified, you'll know right away. There are also command-line tools like php-malware-finder that scan your PHP files for known malicious patterns (obfuscation, shells, backdoors).
You can also use an AI agent like Claude Code to go through suspicious files one by one. It doesn't replace a proper security audit, but it can help spot patterns in obfuscated code, especially when you have dozens of files to review and you're not sure where to start anymore.
Cleaning is good, but if you don't lock things down afterwards, the attacker (or another one) will be back. That's a certainty.
Change ALL your passwords. Yes, again. Even the ones you changed at the beginning. This time, use strong, unique passwords generated by a password manager. And when we say all, we mean WordPress admin, FTP/SFTP, database, hosting panel, and associated email accounts.
Regenerate the security keys in wp-config.php if you haven't already. This invalidates all existing sessions and forces every user to log out — including an attacker who might still be logged in.
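Both this paragraph and the wp-config.php step earlier point to api.wordpress.org for new keys. As an added example (not from the article), here is a local equivalent in Python: it generates the eight define() lines with 64-character random values, reports keys that are still the install placeholder, missing, or too short, and rewrites a wp-config.php text in place. The sample configuration is constructed; the character set is an assumption chosen to be safe inside a single-quoted PHP string. Saving the new keys invalidates every existing login cookie, which is exactly the effect this step is after.

```python
"""Constructed example: generate and install fresh wp-config.php security keys locally."""
import re
import secrets

KEY_NAMES = (
    "AUTH_KEY", "SECURE_AUTH_KEY", "LOGGED_IN_KEY", "NONCE_KEY",
    "AUTH_SALT", "SECURE_AUTH_SALT", "LOGGED_IN_SALT", "NONCE_SALT",
)
# Printable ASCII minus the two characters that need escaping in a single-quoted PHP string.
ALPHABET = "".join(chr(c) for c in range(33, 127) if chr(c) not in "'\\")
PLACEHOLDER = "put your unique phrase here"  # value shipped in wp-config-sample.php
DEFINE_RE = re.compile(r"define\('(?P<name>[A-Z_]+)',\s*'(?P<value>[^']*)'\);")

# Constructed wp-config.php fragment: placeholders, one short key, one key missing.
SAMPLE_CONFIG = """<?php
define('DB_NAME', 'wordpress');
define('AUTH_KEY',         'put your unique phrase here');
define('SECURE_AUTH_KEY',  'put your unique phrase here');
define('LOGGED_IN_KEY',    'short');
define('NONCE_KEY',        'put your unique phrase here');
define('AUTH_SALT',        'put your unique phrase here');
define('SECURE_AUTH_SALT', 'put your unique phrase here');
define('LOGGED_IN_SALT',   'put your unique phrase here');
/* NONCE_SALT missing entirely */
"""


def generate_key(length=64):
    """One key from a CSPRNG (secrets), the same length the official generator uses."""
    return "".join(secrets.choice(ALPHABET) for _ in range(length))


def generate_salts():
    """Eight define() lines ready to paste into wp-config.php."""
    return [f"define('{name}', '{generate_key()}');" for name in KEY_NAMES]


def weak_keys(config_text):
    """Key names whose value is the placeholder, missing, or under 32 characters."""
    found = {m.group("name"): m.group("value") for m in DEFINE_RE.finditer(config_text)}
    return [n for n in KEY_NAMES
            if n not in found or found[n] == PLACEHOLDER or len(found[n]) < 32]


def replace_salts(config_text):
    """Swap every existing key line for a fresh one and append any key that is missing."""
    new_values = {name: generate_key() for name in KEY_NAMES}

    def substitute(match):
        name = match.group("name")
        if name in new_values:
            return f"define('{name}', '{new_values[name]}');"
        return match.group(0)  # DB_NAME and other non-key constants stay untouched

    text = DEFINE_RE.sub(substitute, config_text)
    present = {m.group("name") for m in DEFINE_RE.finditer(text)}
    missing = [f"define('{n}', '{new_values[n]}');" for n in KEY_NAMES if n not in present]
    if missing:
        text = text.rstrip("\n") + "\n" + "\n".join(missing) + "\n"
    return text


if __name__ == "__main__":
    print("Weak or missing before:", weak_keys(SAMPLE_CONFIG))
    fixed = replace_salts(SAMPLE_CONFIG)
    print("Weak or missing after:", weak_keys(fixed))
    print(fixed)
```

Run weak_keys() on your real wp-config.php first: a site set up by copying wp-config-sample.php by hand sometimes still carries the placeholder values, which is worth knowing before you start hunting for a backdoor elsewhere.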
Update WordPress, all your themes, and all your plugins. A hacked site was often compromised through a known vulnerability in an outdated plugin version. Delete suspicious admin accounts and accounts nobody uses anymore. Enable two-factor authentication (2FA) on all administrator accounts — it's the single action with the best effort-to-security ratio.
Install a web application firewall. Wordfence, Sucuri, or Cloudflare, your pick. It blocks a large portion of automated attacks before they even reach your site.
Finally, set up regular automated backups. That's the safety net that will save you from starting over from scratch if it ever happens again. You can also duplicate your WordPress site to a staging environment to test updates before applying them to production.
If your site has been blacklisted by Google (red warning screen when people try to access it), you need to request a review.
Log in to Google Search Console. Under the "Security Issues" section, you'll see the alerts Google has detected. Once the cleanup is done, click "Request Review" and describe the actions you've taken. Google typically re-evaluates within a few days.
Also check your site's indexation with site:yoursite.com in Google. If spam pages are still indexed, request their removal via the URL Removal tool in Search Console. Submit a fresh sitemap to help Google recrawl your clean site.
How long recovery takes is hard to say without seeing the specific site, but generally, expect between a few days and two weeks for Google to fully remove the warnings and for your SEO to get back to normal. Sometimes longer if the hack went undetected for a while.
Everything we described above works in the majority of cases. But sometimes it's not enough.
If the hack comes back after cleanup, it means the entry point wasn't identified. There might be a backdoor hidden somewhere, in an innocuous-looking file or even in the database. That's a case where you need someone who's used to tracking these things down.
If customer data has leaked, you have legal obligations under GDPR. Notification to the relevant authority within 72 hours, informing affected individuals... This is not the time to wing it.
If you simply can't figure out how the attacker got in, bringing in a professional will save you considerable time. A full security audit will identify the vulnerability and fix it for good.
Is your site hacked and you can't sort it out on your own? Get in touch for a quick intervention. We'll figure it out together.
A hack is always a symptom of an underlying problem: a plugin that wasn't updated, a weak password, cheap hosting, or simply the absence of regular maintenance.
The first thing is to accept that maintenance is non-negotiable. A WordPress site that isn't maintained is a site that will get hacked eventually. It's just a matter of time. Regular updates patch known security vulnerabilities. Without them, your site is an easy target for automated scripts that scan the web around the clock.
Your choice of hosting matters too. A good host isolates accounts, detects suspicious activity, and offers built-in security tools. It's worth choosing solid web hosting from the start rather than saving a few bucks a month and paying the price when something goes wrong.
And if you want to go further with security, there are architectures that significantly reduce the attack surface. A headless WordPress setup, for instance, separates the public-facing interface from the back office. The WordPress instance managing your content is no longer directly exposed to the internet. Along the same lines, the Jamstack approach generates static pages that don't depend on a database accessible in real time. Fewer exposed components, fewer risks.
Look, if your site is still using an admin password like "admin123", let's be real: that's an open invitation. Take an hour, change your passwords, enable 2FA, check your updates. That's the bare minimum.
Prefer not to deal with this again? Check out our WordPress maintenance plans and sleep easy.