By Nick Schäferhoff on July 17, 2025

How do you fix a hacked website? How can you tell if your website has been compromised? What can you do to prevent it from happening again in the future? This guide covers each of these questions in detail. So, if you are currently dealing with a website that has been infiltrated by a hacker, you will know exactly what to do about it by the end of this article.

How websites get hacked

How do website hacks happen in the first place? Here are some of the most common ways attackers gain access:

- Poorly secured web hosting: For example, weak server configuration or a lack of separation between sites.
- Compromised login credentials: Typically obtained through brute-force attacks, credentials leaked in another breach, or phishing.
- Outdated WordPress core, plugins, or themes: These often contain known security flaws that hackers can easily exploit.
- Extensions from untrustworthy sources: Nulled or unofficial plugins and themes frequently contain hidden malware and backdoors.
- Injection attacks: A poorly secured site may allow hackers to execute scripts on your site to access your database, inject malicious code, or breach it.

Why hackers target websites

You might think your site is safe because it's small and unknown, but this is a common misconception. Most website hacks aren't personal or planned, but simply a matter of opportunity. Automated bots scan the internet for potential targets, and if your site is vulnerable, it may become subject to an attack.

Why do hackers do this? For various reasons:

- Data theft: Hackers harvest emails, passwords, and customer info to resell or use in future attacks.
- Malware distribution: They use your site to infect your visitors' devices with harmful software.
- Traffic redirection: Visitors are sent to shady, scammy, or fraudulent websites.
- Hijack server resources: Sometimes hackers secretly use your server's processing power to mine cryptocurrency, send email spam, or carry out DDoS attacks.
- Phishing: Fake login or payment pages steal credentials from users.
- Ransom demands: Attackers lock you out of your site and ask for payment to get back in.
- Hacktivism: Some people disrupt services or deface websites to push a political or ideological message.
- Fun, practice, or testing: Hackers may target you simply because they can, to improve their skills, or to test new attack methods in the wild.

What happens when your site gets hacked?

Some attacks are obvious, like finding your homepage vandalized, your site filled with spam content, redirects to other websites, or pages you didn't create. Others are more subtle:

- Website unavailable: Your site shows a blank page or the "white screen of death."
- Security warnings: Alerts from browsers, Google Search Console, sites like Google Transparency Report or Norton Safe Web, or your hosting provider that indicate that your site is unsafe, contains malware, or has been blocked or suspended.
- Traffic changes: Unusual visitor patterns, like an influx from unexpected countries or a sudden drop in website traffic.
- Unknown admin users: Suspicious new user accounts in your dashboard, or existing users whose privileges have been escalated.
- Strange files in your webspace: Files or scripts you don't recognize, or server files containing unusual code.
- Suspicious activity: Login attempts, file edits, or plugin changes you didn't make show up in your activity log.

In addition to these visible problems, a hacked website can have serious, long-term consequences for your business, site, and bottom line. It can result in a loss of revenue, traffic, and search rankings, as well as harm to your brand reputation. Cleanup can be time- and cost-intensive; you might run into legal issues, lose important data, and have to pay higher hosting and security fees in the future.
Overall, it's a scenario best avoided, but what do you do if it's too late for that?

Fixing a hacked website — Phase 1: Check site access

When dealing with a hacked website, the first step is to find out what level of access you still have to it.

1. See if you can log in

Try logging in to your WordPress admin dashboard. It's usually located at yoursite.com/wp-admin. If the login screen doesn't appear or redirects elsewhere, skip ahead to downloading and cleaning up your website files first. Otherwise, try your normal username and password. Should that not work, try the password recovery. If neither of these steps is successful, you can access your database (e.g., via phpMyAdmin) and check the wp_users table to confirm your admin account still exists. If it does, you can reset your password directly in the database or even create a new admin user to regain access. It's also possible to reset your password using FTP and WP-CLI.

2. Switch your site to maintenance mode

Once you can access your backend, it's best to make your site temporarily unavailable. This protects your site visitors and your reputation from further harm while you fix the hacked website. The best option is to put the site into maintenance mode. You can use a maintenance mode plugin or set up a static HTML page for that. Some CDN providers, such as Cloudflare, also let you put up a maintenance screen.

Phase 2: Secure the site

Next, it's time to start regaining control of your site.

3. Talk to your hosting provider

Your host should be one of your first ports of call and also your strongest ally in case of a website hack. For example, at WordPress.com, you can trust our security features to the point that, should a site we host become compromised, we remove the hack for you. Just contact WordPress.com support, and we'll help you right away. Even if you host your site elsewhere, you should get in touch with your provider.
On some types of hosting, such as shared hosting, the hack could have originated from another website on the same server. In that case, your site would likely just become compromised again, no matter what you do. Speaking to your host will also let you know about any assistance they offer to fix your hacked website and whether temporary account restrictions or suspensions are in place. They might also be able to give you an indication of when and how the hack happened via access and error logs.

4. Back up your site in its current state

Save a copy of your site — even if it's compromised. It lets you preserve recent content, conserve evidence to analyze the source of the hack, and allows you to restore your site should something go wrong during recovery. Make sure to back up both your site files and your database. Use your hosting control panel, SFTP, or a backup plugin. Managed hosting providers like WordPress.com usually offer automatic backups. On our Business and Commerce plans, you can restore from backup with one click and also download site backups. You can spin up your copied site in a local development environment, for example, using WordPress.com's Studio, to analyze it later or perform your cleanup there.

5. Restore from a recent clean backup (if possible)

If you had the foresight to set up an automatic backup solution, restoring from a recent clean site copy is often the easiest way to fix your hacked website. Make sure the backup predates the hack or suspicious activity. If possible, first load it on a staging site to run diagnostics before restoring. Be aware that restoring doesn't remove the original vulnerability. You'll still need to investigate how the hack happened to prevent reinfection.

Phase 3: Lock it down

This phase is all about closing off common entry points into your site.

6. Go through your user accounts

Hackers who gain access to a website frequently create an admin user account for themselves.
This gives them a quick way back into the site and is often easy to disguise. Therefore, review all accounts in your WordPress Users menu and/or database. Look for unfamiliar usernames, especially ones with admin privileges, and delete or downgrade them. Document any changes you make, and do the same with other accounts associated with your site, like hosting, FTP, email, CDN, and third-party tool credentials.

7. Change all passwords

Next up, lock down the accounts you'll keep by changing their passwords. On your site, you can reset passwords for all users and enforce strong passwords with plugins like Emergency Password Reset and Password Policy Manager. Another step is to implement multi-factor authentication, so users have to confirm their login with a code sent to their email address or mobile phone. Again, do the same for other accounts associated with your site.

If you want to go a step further, reset your database username and password as well. Don't forget to update wp-config.php to reflect the new values; otherwise, your site won't work.

Lastly, replace the SALTs in wp-config.php. These are security keys used to secure login sessions and cookies, and they look like this:

```php
define( 'AUTH_KEY',         'put your unique phrase here' );
define( 'SECURE_AUTH_KEY',  'put your unique phrase here' );
define( 'LOGGED_IN_KEY',    'put your unique phrase here' );
define( 'NONCE_KEY',        'put your unique phrase here' );
define( 'AUTH_SALT',        'put your unique phrase here' );
define( 'SECURE_AUTH_SALT', 'put your unique phrase here' );
define( 'LOGGED_IN_SALT',   'put your unique phrase here' );
define( 'NONCE_SALT',       'put your unique phrase here' );
```

Visit the official SALTs generator and copy a new set over the existing ones in your file, then save and re-upload it. This will force all users (including hackers) to be logged out immediately. The aforementioned Emergency Password Reset plugin can also do this for you.
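As an added example (not code from the original post or from WordPress), the Python script below does the same salt rotation offline: it finds the eight define() lines in the text of a wp-config.php and replaces each value with a fresh random phrase, leaving other defines such as DB_NAME untouched. The config text is a constructed sample with the placeholder values a fresh wp-config.php ships with.

```python
import re
import secrets
import string

# The eight keys WordPress expects in wp-config.php (same names as in the post).
SALT_KEYS = (
    "AUTH_KEY", "SECURE_AUTH_KEY", "LOGGED_IN_KEY", "NONCE_KEY",
    "AUTH_SALT", "SECURE_AUTH_SALT", "LOGGED_IN_SALT", "NONCE_SALT",
)

# Printable ASCII minus space and the characters that would break a
# single-quoted PHP string literal.
ALPHABET = "".join(c for c in string.printable
                   if c.isprintable() and c not in "'\"\\ ")

# Matches one define( 'NAME', 'value' ); line as WordPress writes it.
DEFINE_RE = re.compile(r"define\(\s*'(?P<key>[A-Z_]+)'\s*,\s*'(?P<value>[^']*)'\s*\)\s*;")


def new_phrase(length: int = 64) -> str:
    """Return a cryptographically random phrase for one salt."""
    return "".join(secrets.choice(ALPHABET) for _ in range(length))


def salt_values(config_text: str) -> dict:
    """Map each SALT key to its current value (useful for before/after checks)."""
    return {m.group("key"): m.group("value")
            for m in DEFINE_RE.finditer(config_text)
            if m.group("key") in SALT_KEYS}


def rotate_salts(config_text: str) -> str:
    """Replace the value of every SALT define() with a fresh phrase.
    Other defines (DB_NAME, DB_PASSWORD, ...) are returned unchanged."""
    def repl(match):
        key = match.group("key")
        if key not in SALT_KEYS:
            return match.group(0)
        return f"define( '{key}', '{new_phrase()}' );"
    return DEFINE_RE.sub(repl, config_text)


# Constructed sample: the placeholder values a fresh wp-config.php ships with.
SAMPLE_CONFIG = "define( 'DB_NAME', 'wordpress' );\n" + "".join(
    f"define( '{k}', 'put your unique phrase here' );\n" for k in SALT_KEYS
)

if __name__ == "__main__":
    # On a real site: read wp-config.php, rotate, write it back, re-upload.
    print(rotate_salts(SAMPLE_CONFIG))
```

Because every logged-in cookie is validated against these keys, writing the rotated file back has the same effect as pasting a set from the generator: all existing sessions stop being valid.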
8. Update all software

Your website hack might have happened via outdated and vulnerable files. Besides that, hackers like to modify core files to make reinfection easier. That's why an important step in fixing your website after it's been hacked is to update all of its software to the latest version. This means WordPress core and all plugins and themes. If you can't access the admin dashboard or the automatic update isn't working, download the files from WordPress.org and install them manually via FTP. Be sure to preserve the wp-content folder and don't overwrite wp-config.php. In addition, remove any unused, outdated, or unsupported plugins and themes, and consider updating server software like Apache or your PHP version. By the way, WordPress.com keeps your WordPress version updated automatically, and you can activate the same for plugins and themes.

Phase 4: Remove hidden threats

This phase is about digging deeper to find hidden code snippets and backdoors. These are entry points hackers like to leave behind so they can regain access to your site even after you have cleaned it up.

9. Check your website files

Hackers can include malicious code in many parts of your website. One common hiding place is the wp-content folder. It doesn't get replaced during updates, so files added to it survive unless removed manually. Check it for hidden PHP files, especially in the uploads folder, child themes, inactive themes, and plugins. If you can't access your site at all, try renaming folders, like the plugins directory. In addition, examine your current theme's files for unfamiliar code. Download a clean copy of your theme from the WordPress directory or your vendor (make sure to get the same version as your site) and use a tool like Diffchecker to see if there are any differences between files. You can also do file comparisons via SSH.
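As an added example (not code from the original post), the Python script below performs the two checks just described without a web tool: it hashes every file in a clean copy of the theme and in the live copy and reports what was added, modified, or missing, and it lists any PHP files sitting under wp-content/uploads, where no executable code belongs. The directory layout and file contents are a constructed sample.

```python
import hashlib
import tempfile
from pathlib import Path

# Extensions the web server may execute as PHP; none belong under uploads.
PHP_SUFFIXES = {".php", ".phtml", ".php5", ".phar"}


def file_hashes(root: Path) -> dict:
    """Map each file's path (relative to root) to its SHA-256 hex digest."""
    return {p.relative_to(root).as_posix(): hashlib.sha256(p.read_bytes()).hexdigest()
            for p in root.rglob("*") if p.is_file()}


def compare_trees(clean: Path, live: Path) -> dict:
    """Diff a live theme or plugin folder against a clean copy of the same version.
    Returns added (only in live), modified (hash differs) and missing (only in clean)."""
    c, l = file_hashes(clean), file_hashes(live)
    return {
        "added": sorted(set(l) - set(c)),
        "modified": sorted(p for p in set(c) & set(l) if c[p] != l[p]),
        "missing": sorted(set(c) - set(l)),
    }


def php_in_uploads(site_root: Path) -> list:
    """List PHP files under wp-content/uploads, the classic dropper location."""
    base = site_root / "wp-content" / "uploads"
    if not base.is_dir():
        return []
    return sorted(p.relative_to(site_root).as_posix() for p in base.rglob("*")
                  if p.is_file() and p.suffix.lower() in PHP_SUFFIXES)


def build_sample() -> tuple:
    """Constructed sample: a clean theme copy plus a live site with three changes."""
    root = Path(tempfile.mkdtemp())
    clean, theme = root / "clean-theme", root / "site/wp-content/themes/demo"
    uploads = root / "site/wp-content/uploads/2025/07"
    for d in (clean, theme, uploads):
        d.mkdir(parents=True)
    (clean / "functions.php").write_text("<?php // theme setup\n")
    (clean / "style.css").write_text("/* demo theme */\n")
    (theme / "functions.php").write_text("<?php // theme setup\n// injected line\n")  # modified
    (theme / "wp-logon.php").write_text("<?php // not part of the theme\n")  # added file
    (uploads / "photo.jpg").write_bytes(b"\xff\xd8\xff")  # harmless image
    (uploads / "cache.php").write_text("<?php // dropper\n")  # PHP where none belongs
    return clean, root / "site"


if __name__ == "__main__":
    clean_dir, site_dir = build_sample()
    print(compare_trees(clean_dir, site_dir / "wp-content/themes/demo"))
    print(php_in_uploads(site_dir))
```

Point compare_trees at the unpacked download of your theme and the live theme folder (same version) and review every path it reports; a file the clean copy lacks, like the wp-logon.php in the sample, deserves the same scrutiny as a modified one.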
Malicious code frequently appears at the top or bottom of files, often encoded or obfuscated using functions like:

- base64_decode()
- eval()
- gzinflate()
- preg_replace()
- str_rot13()

You can use tools like Base64 Decode, UnPHP, or UnPacker to decode it. Pay especially close attention to files such as:

- functions.php
- header.php
- footer.php
- index.php
- wp-config.php
- wp-load.php

In addition, look for oddly named or slightly misspelled files like wp-logon.php or wp-config1.php. Also open the .htaccess file and look for suspicious code and redirect rules that don't belong there. Besides that, check for additional .htaccess files in wp-content and its subdirectories. You may also want to check your file permissions. If this seems to be outside of your skill set, get professional help or use a security plugin or malware scanner like Jetpack, Wordfence, MalCare, or Sucuri Security.

10. Clean up the database

The WordPress database is another place you need to examine after a website hack. Cleaning it up manually is a painstaking process, especially if your database is very large. Therefore, the easiest way is usually to scan it with a plugin like those mentioned above. You can also access your database with the aforementioned phpMyAdmin or a similar tool and look for problems by hand, such as:

- Hidden spam content in the wp_posts table.
- Keywords like eval, base64, gzinflate, preg_replace, or assert.
- Common spam terms like "gambling."

Be sure to always back up your database before making any manual edits. If unsure, export it and compare the database to a clean version from a backup.

Phase 5: Recover and relaunch

After fixing your hacked website, it's time to bring it back online.

11. Reupload clean site files

Upload your files and database from your local install or staging site (skip this part if you did the repairs on your live site). Test your site's main features: navigation, forms, checkout, login, etc. See if any content, including images, is missing.
Visit your website in an incognito window to confirm it displays correctly for visitors. Disable maintenance mode if it's still active. Clear your site cache to ensure no cached malware or outdated pages are loading. To be completely on the safe side, rescan your live site files and database tables for remaining threats. Use a malware scanner both from inside WordPress and from outside.

12. Deal with the aftermath

Once the immediate problem is resolved, you need to deal with its fallout:

- Communicate with your customers: If the hack affected your users through downtime, strange behavior, or a potential data breach, be transparent. Let them know what happened, what you've done to fix it, and what steps you're taking to prevent the problem from occurring again.
- Submit requests to remove your website from Google's blocklist: If Google Search Console flagged your site as dangerous, request a review via Security & Manual Actions → Security issues after the cleanup is complete. This helps restore search visibility and remove browser warnings. Do the same for other blocklists you may have appeared on.
- Restore any lost content from backups: If pages, images, or posts were damaged or deleted, recover them using your most recent clean backup. Double-check everything before re-publishing to ensure you don't reintroduce malicious code.
- Analyze the hack: Document what happened, how your site was compromised, what actions you took, and what you plan to do going forward to strengthen future security.
- Keep monitoring: Set up ongoing monitoring tools, such as an activity log to track user logins, site changes, and system events. Monitor changes to files, regularly scan your site for malware, and keep an eye out for any of the signs of a website hack we discussed earlier.

Prevent website hacks before you have to fix them

The final step is to make sure you never have to be in this situation again. First, follow security best practices:

- Use strong passwords, and change them regularly.
- Implement multi-factor authentication for all relevant accounts.
- Set up user roles with the minimum necessary privileges.

In addition, take steps to harden your website security:

- Use SSL encryption.
- Keep WordPress core, plugins, and themes updated.
- Put a backup solution in place.
- Set up automatic malware scans, brute-force protection, and DDoS protection.
- Add a firewall to your site.

On WordPress.com, all of the above is included with every plan, together with additional security features. So, if you want a simplified and effective way to prevent being hacked, move your site to WordPress.com.

Move your site to WordPress.com