How to recover a hacked WordPress site

There is a myth that WordPress sites are generally not secure. It may be one of the reasons why government agencies usually steer clear of the WordPress platform. However, WordPress core security is good and kept so by consistent upgrades and security patches on a regular basis (one might say that WordPress runs their software updates more often than any other open source CMS developer out there). It is the casual attitude (or outright unawareness) of site owners towards security that is making the WordPress security problem so prominent.

If you look at the stats and previous security disasters in WordPress history, you will see a pattern. By 2013 WordPress websites had been hacked through one or a combination of the following:

  • weak passwords
  • server level breach
  • dodgy plugins/themes and their vulnerabilities
  • or simply running a vastly outdated version of WordPress (which, by the way, is heavily discouraged by every sane techie in the community).

How to recover a hacked WordPress site

Image credit:

Three years later we are still seeing the same patterns.

Have you been hacked? Look for tell-tale signs…

Your website may be compromised with you being none the wiser about it.

“50% site owners admitted they only discovered the hack when they attempted to visit their own site and received a browser or search engine warning.”

“Over 90 percent didn’t notice any strange activity, despite the fact that their sites were being abused to send spam, host phishing pages, or distribute malware.”

– Zero Day Security Blog

So apart from losing everything you’ve worked for, you now have to contend with the fact that your website is probably being used for nefarious purposes: hosting (and spreading) malware and spam, automatic redirects, phishing, displaying vulgar content, etc… some of these will be obvious, but others (like injected links or spam) will continue to fester without drawing your attention and will get your website banned (by Google) if left unattended.

To prevent this, keep an eye out for unusual activity on your site like:

  • Modal (popups) that you didn’t add
  • Unknown links or text in your content, footer or source
  • Immediate redirect to an unknown URL when you try to visit your website
  • Sudden spikes in traffic or server bandwidth usage

You can also use simple, everyday tools to look out for any security breaches. For instance, Google Webmaster Tools will send you (the site owner) an email alert to notify you of bad activity. Similarly, tools like Stop Badware Clearinghouse or Sucuri’s SiteCheck scanner will search your website for infection.

Use them to confirm that your site is compromised and then recover your hacked WordPress website using one of the steps below:

1. Restore from backup

This is the time when a ‘constant vigilance’ pays off. If you’ve maintained your WordPress website properly and stuck by a consistent backup schedule, you’ll have a backup file which you can use to restore your website. Make sure to use a backup copy before the hack took hold of your website.

Bonus tip: remember to make separate backups for database, core files, and wp-content directory.

Our recommended hosting for WordPress sites

If you are building a WordPress site, WpEngine web hosting has proven to be a great option for WordPress, as it provides a good security, excellent backup functionality as well as good technical support. And you are welcome to use the promo below to get 2 months free:

WordPress web hosting provider

2. Re-install WordPress

It’s the simplest, shortest route to replace the core files, which might have been the point of breach, especially if you were running an outdated version of WordPress.

Go to and download the latest stable version available.

Re-install WordPress

It is also a good idea to delete all plugins, widgets, and themes (except the default ones of course) before re-installing WordPress. Once that’s done, check your installation directory (especially wp-content) for any leftover files. Make sure it’s empty before re-installing plugins and themes.

Bonus tip: update your plugins and themes at the first opportunity, and get them from your trusted sources only!

3. Change all login credentials… ALL of them

This isn’t just about your wp-admin login anymore. If the breach originated in the server, you need to change those passwords too.

This time, do it right. Create new passwords for every login/access point you can think of: server management, SSH, FTP/cPanel wp-admin users, etc.

Now go to this online generator, copy-paste the random sequences you see there. These are called salts or security keys. They are for encryption. Open wp-config.php and paste these as directed here.

Change all login credentials… ALL of them

Bonus tip: create good, strong usernames and passwords AND DON’T WORRY ABOUT NOT REMEMBERING THEM. Use a password manager tool and relax.

4. Enforce SSL security

That little ‘s’ after ‘http’ you may have noticed in some websites’ URLs stands for ‘secure’. SSL protects data during a transmission (to-and-from) between a user and server.

You can go online, buy an SSL certificate, and ask your hosting provider to implement it. You will also have to enforce this via WordPress as directed here.

Bonus tip: if you are not on a secure server already, consider switching your WordPress web hosting provider.


That’s it. You’ve recovered your website. Now all you have to do is keep it safe!

Switch to a good quality, reputed web host, install a powerful WordPress security plugin (WordFence premium or Sucuri are really good ones) and commit yourself to maintaining your website and hardening your WordPress security on a regular basis. Stay on the latest WordPress core, themes and plugins’ versions and spend as much time as you can learning as much as possible about the platform.

Finally, if you have some spare time and are serious about your WordPress security, check out the post below:

Need a hand with securing or restoring your WordPress site? We can help – contact us.

This post has been contributed by Catherrine Garcia, an experienced Web Developer for 8theme Ltd., a leading WooCommerce Theme development company.

Author: John Miller

John oftentimes takes the lead as the Agile Project Manager and SEO expert, which allows him to be hands-on with the latest trends.