WordPress hacked? Fix it quickly
Finding out your WordPress site has been hacked can be a stressful experience. Acting quickly can help you minimize damage and get your site back to normal as soon as possible. In this guide, we’ll cover how to recognize if your site has been compromised, the steps to take to fix it, and how to prevent future breaches. With this knowledge, you’ll be well-prepared to manage your website’s security effectively.
What NOT to do when your WordPress site gets hacked
When panic sets in, many site owners make mistakes that make recovery harder. Avoid these common missteps:
- Don’t ignore the problem. Hoping it goes away only gives hackers more time to exploit your site.
- Don’t keep your site online if it poses risks. If malware is spreading or users are being redirected, temporarily take it offline.
- Don’t restore from a backup without checking it. If your backup contains malware, restoring it will just reinfect your site.
- Don’t assume your host will fix it. Some hosts offer help, but many only provide basic cleanup—full responsibility falls on you.
8 steps to fix your hacked WordPress site
Recovering a hacked site takes a careful, step-by-step approach. Follow these actions to clean your site and regain control.
1. Put your site into maintenance mode
You don’t want visitors running into malware or spam while you clean up, so go straight to maintenance mode. Use a maintenance mode plugin or temporarily disable the site at the server level. This prevents search engines and users from interacting with harmful content.
2. Reset all passwords
Change your WordPress admin, FTP, hosting control panel, and database passwords. Hackers often create hidden accounts or reuse compromised credentials. Make sure every password is unique and strong.
3. Scan your site for malware
Install a security plugin like Wordfence or Sucuri to scan your files and database for malicious code. These scans help you identify suspicious changes, like injected scripts or unfamiliar user accounts.
4. Remove malicious code and files
Delete or repair compromised files flagged by the scan. If you’re unsure what’s safe to remove, compare your site files with a fresh WordPress download. Replace any core files that look altered.
5. Reinstall themes and plugins
Hackers often hide backdoors inside themes and plugins. Delete and reinstall them from trusted sources to ensure you’re running clean copies. Avoid reinstalling anything outdated or no longer supported.
6. Restore from a clean backup
If you have a backup from before the hack, restore it after confirming it’s free of malware. This can be faster than manually cleaning up everything, but only if you’re certain the backup is safe.
7. Reconnect with your hosting provider
Let your host know your site was hacked. They may help by checking logs, restoring backups, or securing server-level vulnerabilities.
8. Test your site before going live
After cleanup, test thoroughly. Make sure pages load, plugins work, and that no suspicious redirects or scripts remain. Use Google Safe Browsing to confirm your site isn’t flagged for malware.
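The comparison against a fresh WordPress download from step 4 can be scripted. The following is an added example, not code from this guide or from WordPress: it hashes every file outside wp-content in the live site and in an unpacked reference copy, then reports altered, extra, and missing files. The function names, the SITE_SPECIFIC list, and the sample trees built in demo() are constructed for illustration.

```python
import hashlib
import tempfile
from pathlib import Path

# Files a live site has but a fresh download lacks; nothing to diff against, review by hand.
SITE_SPECIFIC = {"wp-config.php", ".htaccess"}

def core_files(root: Path) -> dict:
    """Map relative path -> SHA-256 for every file outside wp-content."""
    out = {}
    for p in root.rglob("*"):
        rel = p.relative_to(root)
        if p.is_file() and rel.parts[0] != "wp-content":
            out[rel.as_posix()] = hashlib.sha256(p.read_bytes()).hexdigest()
    return out

def compare_to_reference(site: Path, reference: Path) -> dict:
    live, clean = core_files(site), core_files(reference)
    extra = sorted(f for f in live if f not in clean)
    uploads = site / "wp-content" / "uploads"
    php = uploads.rglob("*.php") if uploads.is_dir() else []
    return {
        "modified": sorted(f for f in live if f in clean and live[f] != clean[f]),
        "unexpected": [f for f in extra if f not in SITE_SPECIFIC],
        "site_specific": [f for f in extra if f in SITE_SPECIFIC],
        "missing": sorted(f for f in clean if f not in live),
        # Assumption: uploads holds media only, so PHP there deserves a look.
        "php_in_uploads": sorted(p.relative_to(site).as_posix() for p in php),
    }

def demo() -> dict:
    """Compare a constructed reference tree with a constructed, tampered copy."""
    core = {"index.php": "<?php // front", "wp-login.php": "<?php // login",
            "wp-includes/version.php": "<?php // version"}
    with tempfile.TemporaryDirectory() as tmp:
        ref, site = Path(tmp, "reference"), Path(tmp, "site")
        for root in (ref, site):
            for rel, body in core.items():
                (root / rel).parent.mkdir(parents=True, exist_ok=True)
                (root / rel).write_text(body)
        (site / "wp-login.php").write_text("<?php // login, plus appended code")
        (site / "wp-includes/cache-old.php").write_text("<?php // not in core")
        (site / "wp-config.php").write_text("<?php // site settings")
        (site / "wp-content/uploads/2024").mkdir(parents=True)
        (site / "wp-content/uploads/2024/image.php").write_text("<?php // stray")
        return compare_to_reference(site, ref)

if __name__ == "__main__":
    print(demo())
```

On a real site, pass the document root as site and an unpacked download of the same WordPress version as reference; a version mismatch will show up as a long list of modified files.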
How to prevent WordPress hacks in the future
Once your site is clean, you’ll want to strengthen its defenses to avoid repeat attacks.
1. Keep WordPress updated
Updates patch security vulnerabilities that hackers exploit. Always update WordPress core, themes, and plugins as soon as new versions are available.
2. Use strong login security
Set long, unique passwords and enable two-factor authentication (2FA). This helps protect against brute force attempts.
3. Limit user permissions
Not every user needs admin access. Assign the lowest role necessary for each user to reduce the risk of compromised accounts.
4. Install a security plugin
Tools like Wordfence or iThemes Security add firewalls, malware scanning, and brute force protection. They act as a guardrail against common attack methods.
5. Regularly back up your site
Schedule automatic backups and store them offsite. If you get hacked again, you’ll be able to restore a clean version quickly.
6. Use SSL and secure hosting
An SSL certificate enables HTTPS, which encrypts traffic between your site and visitors. Pair that with a reliable host that emphasizes security features, like firewalls and malware monitoring, for stronger protection.
Signs your WordPress site has been hacked
Hackers don’t always make their presence obvious. Watch for these red flags:
- Unexpected redirects to spammy or malicious sites
- New admin users you didn’t create
- Strange content or pop-ups appearing on your site
- Unusually long load times or site crashes
- Warnings from Google or browsers that your site is unsafe
- Email deliverability problems, like your messages being marked as spam
How a WordPress site gets hacked
Hackers exploit weak points like outdated plugins, weak passwords, insecure hosting, and vulnerable themes. They may inject malicious scripts, create backdoors, or hijack accounts to gain control.
Often, a hack happens not because WordPress itself is insecure, but because of poor site maintenance or third-party software.
Securing your WordPress site with better hosting
Choosing the right hosting provider is critical for managing a WordPress site securely. A reliable and secure hosting provider not only improves performance but also acts as a frontline defense against cyber threats. Managed WordPress hosting offers automated security updates, daily backups, and proactive monitoring to safeguard your site against vulnerabilities.
If your WordPress site has been compromised, evaluate your current hosting situation. Consider switching to a provider that specializes in WordPress security. Look for features like built-in firewalls, malware scanning, and expert support to quickly resolve issues. Managed WordPress hosting includes these essential features, ensuring your site is secure and optimized for speed and reliability.
Looking for a secure hosting provider for your WordPress website? Then check out managed WordPress hosting from Liquid Web.