How to Clean a Hacked WordPress Website: A Beginner-Friendly Guide

Introduction

Finding out your WordPress website has been hacked can feel scary. It’s like your online home has been broken into! But don’t worry, you’re not alone, and it’s a problem that can be fixed. Many websites get hacked, but with the right steps, you can clean your site and make it safe again.

This guide is for beginners. We will use simple words to explain how to clean a hacked WordPress website step-by-step. For a complete emergency checklist, also see our WordPress hacked emergency guide. We will also show you how to protect your site so it doesn’t get hacked again. Let’s start making your website safe!


What Does a Hacked WordPress Website Look Like?

Sometimes, it’s easy to see if your website is hacked. Other times, it’s hidden. Here are some common signs:

  • Strange Messages: Google might show a warning like “This site may be hacked” when people search for your site.
  • Weird Content: You might see new pages or strange words (like in Japanese or about medicines) on your site that you didn’t put there.
  • Redirects: When someone tries to visit your site, they are sent to a different, bad website.
  • Slow Website: Your website might become very slow or stop working.
  • Can’t Log In: You might not be able to log into your WordPress admin area.
  • New Users: You see new user accounts in your WordPress admin that you didn’t create.

Important First Step: Backup Your Website (Even if it’s Hacked!)

Before you do anything else, make a copy of your website. This is called a backup. Even if your site is hacked, having a backup is important. It’s like having a copy of a broken toy – you might need it to see what went wrong. Many hosting companies offer backup tools, or you can use a plugin.

Step-by-Step Guide to Cleaning Your Hacked WordPress Website

This process can take some time, so be patient. If you feel stuck, it’s okay to ask for help from a professional.

Step 1: Put Your Website in Maintenance Mode

This stops people from visiting your site while you fix it. It also stops Google from seeing the hacked parts. You can use a plugin for this, or ask your hosting company.

Step 2: Change All Your Passwords

This is very important! Hackers often get in because of weak passwords. Change these passwords right away:

  • Your WordPress admin password (for all users).
  • Your hosting account password.
  • Your FTP/SFTP password.
  • Your database password (you can usually find this in your wp-config.php file; after you change it, put the new password in that file too so WordPress can still connect).

Make sure your new passwords are long, strong, and unique. Use a mix of big letters, small letters, numbers, and symbols.

Step 3: Get Fresh WordPress Files

Malware often hides in your main WordPress files. The safest way to clean these is to replace them with fresh, clean copies.

  1. Download Fresh WordPress: Go to wordpress.org and download the latest version of WordPress.
  2. Connect to Your Site: Use an FTP program (like FileZilla) or your hosting company’s file manager to connect to your website.
  3. Delete Old Files (Carefully!): Delete all files and folders in your main WordPress folder EXCEPT for these two:
    • wp-config.php (This file has your website’s special settings)
    • wp-content folder (This folder has your themes, plugins, and uploads)
  4. Upload Fresh Files: Upload all the new WordPress files you downloaded (from the zip file) to your main WordPress folder. Do NOT upload the wp-config.php file from the new download.

Step 4: Clean Your wp-content Folder (Themes, Plugins, Uploads)

This folder is where many hacked files hide. It needs special attention.

  • Themes: If you have a custom theme, download it and check it for bad code. If you use a theme from WordPress.org or a trusted company, delete it from your site and then install a fresh copy. Delete any themes you are not using.
  • Plugins: Delete ALL your plugins from your site. Then, install fresh copies of only the plugins you need from WordPress.org or trusted sources. Delete any plugins you are not using.
  • Uploads Folder: Look inside your wp-content/uploads folder. This folder should mostly have images. If you see any .php files or other strange files, delete them. Hackers often hide bad files here.

Step 5: Clean Your WordPress Database

Malware can also be hidden in your database. This step is a bit more advanced. You will usually use a tool called phpMyAdmin (your hosting company can help you find it).

  • Check Users: Look at the wp_users table. Delete any user accounts you don’t recognize, especially if they are administrators.
  • Look for Spam: In tables like wp_posts and wp_options, look for strange words, links, or code that you didn’t put there. This might be hard to do manually. If you’re unsure, a security plugin or professional help can be very useful here.

Step 6: Check wp-config.php and .htaccess Again

Even though you kept wp-config.php, hackers might have changed it. Open it and look for any strange lines of code. Also, check your .htaccess file (in your main WordPress folder) for any weird redirects or code. If you find anything suspicious, remove it. If you’re unsure, you can replace .htaccess with a fresh default WordPress .htaccess file.
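
One way to do the .htaccess check, shown as an added example that is not part of the original guide: compare each line with the block WordPress writes by default and list everything else for review. It assumes a single site installed at the domain root, and the sample file is constructed.

```python
# Lines WordPress itself writes for a single site at the domain root (assumed setup).
DEFAULT_RULES = {
    "<IfModule mod_rewrite.c>",
    "RewriteEngine On",
    "RewriteRule .* - [E=HTTP_AUTHORIZATION:%{HTTP:Authorization}]",
    "RewriteBase /",
    r"RewriteRule ^index\.php$ - [L]",
    "RewriteCond %{REQUEST_FILENAME} !-f",
    "RewriteCond %{REQUEST_FILENAME} !-d",
    "RewriteRule . /index.php [L]",
    "</IfModule>",
}

# Constructed sample: two lines added above the block and one added inside it.
SAMPLE = r"""RewriteEngine On
RewriteRule ^(.*)$ https://example.invalid/landing [R=302,L]

# BEGIN WordPress
<IfModule mod_rewrite.c>
RewriteEngine On
RewriteBase /
RewriteRule ^index\.php$ - [L]
RewriteRule ^shop/?$ https://example.invalid/ [R=302,L]
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteRule . /index.php [L]
</IfModule>
# END WordPress
"""

def review_htaccess(text):
    """Return (line_number, reason, line) for every directive that is not default."""
    findings, in_block = [], False
    for number, raw in enumerate(text.splitlines(), start=1):
        line = raw.strip()
        if line == "# BEGIN WordPress":
            in_block = True
        elif line == "# END WordPress":
            in_block = False
        elif not line or line.startswith("#"):
            continue  # blank lines and comments do nothing
        elif not in_block:
            findings.append((number, "outside WordPress block", line))
        elif line not in DEFAULT_RULES:
            findings.append((number, "changed inside WordPress block", line))
    return findings

if __name__ == "__main__":
    for number, reason, line in review_htaccess(SAMPLE):
        print(f"line {number}: {reason}: {line}")
```

Lines outside the WordPress block are not always bad, because caching plugins and hosting companies add their own rules there. Treat the output as a list of lines to read, not a list of lines to delete.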

Step 7: Remove Maintenance Mode and Test Your Site

Once you think your site is clean, remove the maintenance mode. Visit your website and check everything carefully. Look at all your pages, posts, and forms. Make sure everything works correctly and there are no more signs of the hack.

Step 8: Ask Google to Review Your Site (if blacklisted)

If Google blacklisted your site, go to Google Search Console (under “Security & Manual Actions”). Tell Google that you have cleaned your site and ask them to review it. They will check your site again and remove the warning if it’s clean.

How to Prevent Future Hacks

Cleaning a hacked site is hard work. Here’s how to keep your site safe in the future:

  • Always Update: Keep WordPress, all themes, and all plugins updated to the newest versions.
  • Strong Passwords: Use very strong and unique passwords for everything.
  • Security Plugin: Install a good WordPress security plugin (like Wordfence, Sucuri, or MalCare) to help protect your site.
  • Backups: Always have regular backups of your site saved in a safe place.
  • Secure Hosting: Choose a hosting company that cares about security.
  • Be Careful: Don’t use themes or plugins from unknown sources. Be careful about what you click.

Conclusion

Cleaning a hacked WordPress website manually can be a big job, but it’s possible. By following these steps, you can make your website safe again. Remember, keeping your website secure is an ongoing task. If you ever feel overwhelmed or need expert help, professional services like Injected.Website are always ready to assist you. They can help clean your site and set up strong defenses to keep it safe.
