Originally published on the WP Buffs blog: https://wpbuffs.com/wordpress-website-hacked/

Your security scans have come back positive and it’s confirmed: your website has been successfully infiltrated. What do you do? Let’s walk through the steps you should take to recover a hacked WordPress site.

We all know WordPress is the most popular platform. Because of the sheer number of WordPress websites online, it’s also the most hacked CMS on the web. That’s one of many reasons why it’s so important to learn to keep your site secure.

But even if you have basic security implemented on your website, people with malicious intent can still find access points through numerous tricks and loopholes in your website’s code.

Suppose we find ourselves in a worst-case scenario and someone has gained access to your WordPress website. What now?


1. Stay Calm

Take a deep breath. All is not lost. Being stressed or angry will do you no good and it takes your concentration away from recovering your website. Let’s put our energy into finding solutions.

2. Locate The Hack

Go through this quick list of questions. Ask yourself:

  • Are you able to log in to your WordPress Admin Panel (yourwebsite.com/wp-admin)?
  • Is your website redirecting you to some other website?
  • Does your WordPress website contain any illegal links?
  • Has Google already marked your website as insecure?


Record your answers to each question and make sure that you’ve noted everything for the next step below.

3. Contact Your Hosting Company

Many of the good hosting companies are very helpful in these kinds of situations. The ones with experienced staff have faced these kinds of problems before, so they should be well-equipped to help. That’s why, before doing anything yourself, you should get in touch with your hosting provider and follow their advice.

If your website is hosted on a shared server, this is also how you can find out whether the hacker gained access to your website through another site on the same server. In this scenario, your hosting provider can give you answers such as how the hack started and how it spread. There’s also a good chance they can tell you where the backdoor is through which the hackers found their way in.

Hopefully, your hosting company is responsible enough to help you clean up your site after a hack (or not let it happen in the first place). If not, you have other options.

4. Hire A Professional

If your website has experienced a bad attack or you just need it to be cleaned quickly, hiring professional help might be the way to go. A vulnerable website only gets worse as time goes on, so the faster you can get your issues fixed, the safer your website will be.

This is most likely the best solution for you if you don’t consider yourself tech-savvy, or you just don’t want to mess anything up while you’re trying to clean your site. It’s easy to make things worse instead of better in these situations, so if you’re not comfortable making significant changes to the backend of your site, it may be time to ask for support.

Jim over at hackrepair.com is one of our partners and a highly trusted resource when it comes to cleaning hacked websites. They don’t call him The Hack Repair Guy for nothing.

But if you’re not interested in bringing on help or want to tackle this problem yourself, the next steps are below.

5. Restore A Previous Version

If you’ve made a habit of backing up your site, this could be the golden moment for you. Restore a version of your website from a backup taken before the hack.


When you restore an old backup of your site, always remember that your entire website will revert to that version. Any content you published, images you added to a gallery or general changes you made to the website will be lost. But that’s most likely a price worth paying to get a clean website back.

After you successfully restore the old version of your website, remember that it’s still vulnerable to attack! Time to add some serious security features to your site to avoid any malicious activity going forward.

If restoring your website will remove too many valuable changes, it’s possible to do a manual clean of your code as well.

6. Scanning & Removal of Malware

If any plugins or themes are not updated regularly, then there’s a chance that hackers could use outdated files to access your WordPress website. Once they’re in, they can then create a backdoor to more easily access your website in the future.


A backdoor refers to a method of bypassing normal authentication and gaining the ability to remotely access the server while remaining undetected.

The first job for a smart hacker is to establish a backdoor so that they can regain access after you locate and remove the original point of entry (usually a vulnerability in an outdated plugin or theme). That’s why it’s so important to have a WordPress security audit log plugin installed on your website, so you can track any changes made to your website in real time.

One of the best ways to avoid hackers accessing your website through outdated plugin or theme files is simply to keep everything up to date! Many plugin updates become available specifically because an older version had a security flaw, so updating will help you avoid this altogether.

To help you pinpoint any backdoors or malicious code installed on your website without your permission, always install and activate a WordPress security plugin that will regularly scan your website. Plugins like iThemes Security, Sucuri and Wordfence will easily find the location of the backdoor and then you can remove it manually.
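The scanners named above do two things that you can also reproduce yourself: compare every core file against the checksums WordPress publishes, and look for PHP files that should not exist or that carry obfuscation indicators. The script below is an added example, not code from WP Buffs or from any of the plugins mentioned. It assumes the default WordPress directory layout (wp-admin, wp-includes, wp-content/uploads) and a manifest in the shape returned under the "checksums" key of the api.wordpress.org core checksums API (relative path to MD5). The "site" it scans is a constructed temporary directory with a few files, not a real install.

```python
import hashlib
import re
import tempfile
from pathlib import Path

# Well-known obfuscation and remote-execution indicators. A match means
# "read this file by hand", not "this is malware": some legitimate plugins
# use these functions too.
SUSPICIOUS_PATTERNS = [
    re.compile(r"\beval\s*\(\s*(base64_decode|gzinflate|gzuncompress|str_rot13)\s*\(", re.I),
    re.compile(r"\b(system|shell_exec|passthru|exec|popen|proc_open)\s*\(", re.I),
    re.compile(r"\$_(GET|POST|REQUEST|COOKIE)\s*\[[^\]]*\]\s*\(", re.I),
]


def md5_of(path):
    """WordPress publishes MD5 sums for core files, so that is the hash used here."""
    return hashlib.md5(Path(path).read_bytes()).hexdigest()


def scan_wordpress(root, core_manifest):
    """Compare an install against a core checksum manifest and flag PHP files
    that show backdoor indicators.

    core_manifest maps a relative path to its expected MD5 (assumed shape of
    the "checksums" object from api.wordpress.org). Returns a dict of lists.
    """
    root = Path(root)
    report = {"modified": [], "missing": [], "unknown_php": [],
              "uploads_php": [], "suspicious": []}

    # 1. Integrity of shipped core files: a differing hash means it was edited.
    for rel, expected in core_manifest.items():
        path = root / rel
        if not path.is_file():
            report["missing"].append(rel)
        elif md5_of(path) != expected:
            report["modified"].append(rel)

    # 2. Every PHP file actually present on disk.
    for path in sorted(root.rglob("*.php")):
        rel = path.relative_to(root).as_posix()
        if rel.startswith("wp-content/uploads/"):
            # Uploads hold media; PHP there is almost always attacker-dropped.
            report["uploads_php"].append(rel)
        elif (not rel.startswith("wp-content/") and rel != "wp-config.php"
              and rel not in core_manifest):
            # A PHP file inside the core tree that core does not ship.
            report["unknown_php"].append(rel)
        text = path.read_text(errors="replace")
        if any(rx.search(text) for rx in SUSPICIOUS_PATTERNS):
            report["suspicious"].append(rel)
    return report


def build_demo_site():
    """Constructed mini install (not a real WordPress tree): two clean core
    files with a matching manifest, then one of them is tampered with, a PHP
    file is dropped under uploads and an extra file appears inside wp-admin."""
    root = Path(tempfile.mkdtemp())
    clean = {
        "index.php": "<?php require __DIR__ . '/wp-blog-header.php';\n",
        "wp-includes/version.php": "<?php $wp_version = '6.x';\n",
    }
    manifest = {}
    for rel, body in clean.items():
        (root / rel).parent.mkdir(parents=True, exist_ok=True)
        (root / rel).write_text(body)
        manifest[rel] = md5_of(root / rel)
    # Edit a core file after its hash was recorded.
    with open(root / "wp-includes" / "version.php", "a") as fh:
        fh.write("// edited after release\n")
    (root / "wp-content" / "uploads" / "2023").mkdir(parents=True)
    (root / "wp-content" / "uploads" / "2023" / "cache.php").write_text(
        '<?php eval(base64_decode("aGVsbG8="));\n')  # inert indicator fixture
    (root / "wp-admin").mkdir()
    (root / "wp-admin" / "ms-sync.php").write_text("<?php echo 'hello';\n")
    return root, manifest


if __name__ == "__main__":
    site, manifest = build_demo_site()
    for kind, files in scan_wordpress(site, manifest).items():
        print(kind, files)
```

Treat "modified" and "uploads_php" as the strongest signals: a core file whose hash changed, or any PHP under uploads, has no legitimate explanation on a normal site. A "suspicious" hit on a plugin or theme file needs a manual look before you delete anything, and files under wp-content are not covered by the core manifest at all, which is why keeping plugins and themes updated (and reinstalling them from the official source during cleanup) matters so much.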

7. Check Your User Permissions


You must check the user permissions of all your WordPress users. Double check that only you and your team members have access to admin accounts and that the permissions of other users haven’t been tampered with.

If you find any suspicious new users, remove them immediately.
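Reviewing users in the dashboard works, but an attacker who has database access can also silently promote an existing low-privilege account, which is easy to miss by eye. The following added example (not from the original post) runs the same audit directly against the database: WordPress stores each user's role in wp_usermeta under the meta key wp_capabilities as a PHP-serialized array, so every row containing "administrator" is an admin. It assumes the default wp_ table prefix and uses an in-memory SQLite copy of the two tables with constructed rows; on a real site you would run the same query against MySQL.

```python
import sqlite3

# WordPress stores a user's role in wp_usermeta under meta_key "wp_capabilities"
# as a PHP-serialized array, e.g. a:1:{s:13:"administrator";b:1;}. The "wp_"
# prefix is the default; change it if wp-config.php sets $table_prefix differently.
ADMIN_QUERY = """
SELECT u.ID, u.user_login, u.user_email, u.user_registered
FROM wp_users AS u
JOIN wp_usermeta AS m ON m.user_id = u.ID
WHERE m.meta_key = 'wp_capabilities'
  AND m.meta_value LIKE '%"administrator"%'
ORDER BY u.ID
"""


def find_unexpected_admins(conn, approved_logins, registered_since=None):
    """Return every administrator that is not on the approved list or that was
    created on/after registered_since ("YYYY-MM-DD"). WordPress stores dates as
    ISO-like text, so plain string comparison orders them correctly."""
    findings = []
    for uid, login, email, registered in conn.execute(ADMIN_QUERY).fetchall():
        reasons = []
        if login not in approved_logins:
            reasons.append("not in the approved admin list")
        if registered_since and registered >= registered_since:
            reasons.append("registered on or after " + registered_since)
        if reasons:
            findings.append({"id": uid, "login": login, "email": email, "reasons": reasons})
    return findings


def build_demo_db():
    """Constructed in-memory copy of the two tables (real sites use MySQL):
    the owner, an editor whose role was escalated, and a new unknown admin."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE wp_users (
            ID INTEGER PRIMARY KEY, user_login TEXT, user_email TEXT, user_registered TEXT);
        CREATE TABLE wp_usermeta (
            umeta_id INTEGER PRIMARY KEY, user_id INTEGER, meta_key TEXT, meta_value TEXT);
        INSERT INTO wp_users VALUES
            (1, 'owner',   'owner@example.com',   '2019-03-01 10:00:00'),
            (2, 'editor1', 'editor@example.com',  '2020-06-15 09:30:00'),
            (3, 'wp_admn', 'noreply@example.net', '2023-11-04 02:17:44');
        INSERT INTO wp_usermeta (user_id, meta_key, meta_value) VALUES
            (1, 'wp_capabilities', 'a:1:{s:13:"administrator";b:1;}'),
            (2, 'wp_capabilities', 'a:1:{s:13:"administrator";b:1;}'),
            (3, 'wp_capabilities', 'a:1:{s:13:"administrator";b:1;}');
    """)
    return conn


if __name__ == "__main__":
    for finding in find_unexpected_admins(build_demo_db(), {"owner"}, "2023-11-01"):
        print(finding)
```

Keep the approved list outside the site (a note in your runbook is enough) so that a compromised database cannot also rewrite your reference. For an escalated account like editor1 above, set the role back rather than deleting the user, and for unknown accounts delete them and reassign their content to a trusted user.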

8. Change Passwords and Secret Keys

Be sure to change all the passwords related to your WordPress site. That includes the password to access your WP dashboard, cPanel, MySQL database, FTP and any others that could help someone access your website.

If a password generator is available, be sure to use it to ensure your password is strong, unique and not easy for a hacker to guess.


Then, change your secret keys and salts to ensure that your WordPress website is safe and secure. The iThemes Security plugin makes this extremely easy!
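Why the salts matter: WordPress signs every login cookie and nonce with the eight key and salt constants in wp-config.php, so rotating them invalidates every existing session at once, including any session an attacker still holds. The script below is an added example (not from the original post or the iThemes plugin) that regenerates those eight constants from a CSPRNG and rewrites the define() lines, adding any that are missing; it also includes a simple password generator for the other accounts the step lists. The wp-config.php excerpt it runs on is constructed; the official alternative for the values themselves is the generator at https://api.wordpress.org/secret-key/1.1/salt/.

```python
import re
import secrets
import string

# The eight constants WordPress reads from wp-config.php to sign auth cookies
# and nonces. Changing any of them invalidates every existing login session.
SALT_KEYS = ["AUTH_KEY", "SECURE_AUTH_KEY", "LOGGED_IN_KEY", "NONCE_KEY",
             "AUTH_SALT", "SECURE_AUTH_SALT", "LOGGED_IN_SALT", "NONCE_SALT"]

# Matches define( 'KEY', 'value' ); and tolerates escaped quotes inside the value.
DEFINE_RE = re.compile(r"define\(\s*'(?P<key>[A-Z_]+)'\s*,\s*'(?P<val>(?:[^'\\]|\\.)*)'\s*\);")

# Printable characters that need no escaping inside a PHP single-quoted string
# (my own choice of alphabet, not the exact set WordPress's generator uses).
SALT_ALPHABET = string.ascii_letters + string.digits + "!@#%^&*()-_=+[]{}?,.;:/|~"


def new_salt(length=64):
    """64 characters from a CSPRNG, the same length WordPress itself uses."""
    return "".join(secrets.choice(SALT_ALPHABET) for _ in range(length))


def new_password(length=24):
    """Strong random password for the dashboard, database, FTP and hosting accounts."""
    return "".join(secrets.choice(SALT_ALPHABET) for _ in range(length))


def rotate_salts(config_text):
    """Return (new wp-config text, {key: new value}). Existing salt defines are
    replaced in place; any of the eight that are missing are added just before
    the "That's all, stop editing!" marker (or at the end if there is none).
    All other defines (DB_NAME, DB_PASSWORD, ...) are left untouched."""
    new_values = {k: new_salt() for k in SALT_KEYS}
    replaced = set()

    def repl(m):
        key = m.group("key")
        if key not in new_values:
            return m.group(0)
        replaced.add(key)
        return "define( '%s', '%s' );" % (key, new_values[key])

    out = DEFINE_RE.sub(repl, config_text)
    missing = [k for k in SALT_KEYS if k not in replaced]
    if missing:
        block = "".join("define( '%s', '%s' );\n" % (k, new_values[k]) for k in missing)
        marker = "/* That's all, stop editing!"
        idx = out.find(marker)
        out = out[:idx] + block + out[idx:] if idx >= 0 else out + block
    return out, new_values


# Constructed wp-config.php excerpt with the placeholder salts a fresh install ships.
DEMO_CONFIG = (
    "<?php\n"
    "define( 'DB_NAME', 'wordpress_db' );\n"
    "define( 'DB_PASSWORD', 'it\\'s secret' );\n"
    + "".join("define( '%s', 'put your unique phrase here' );\n" % k for k in SALT_KEYS)
    + "$table_prefix = 'wp_';\n"
    "/* That's all, stop editing! Happy publishing. */\n"
)


if __name__ == "__main__":
    updated, values = rotate_salts(DEMO_CONFIG)
    print(updated)
    print("example dashboard password:", new_password())
```

When you apply this to a live site, write the result to a new file next to wp-config.php and rename it over the original (keeping a copy of the old one somewhere outside the web root), then log in again: every user, including you, will have been signed out, which is exactly the point.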

After taking these steps, the hack has been cleaned and your WordPress website is secure. But that doesn’t mean that they won’t try it again. WordPress security has to be a continuous effort because those with malicious intent will never stop trying to gain access to your site.

In addition to maintaining your own WordPress site, it’s time to take security into your own hands and learn what it takes to keep your site safe.


The post What To Do If Your WordPress Website Is Hacked (Step-By-Step Guide) appeared first on WP Buffs.
