Incident Response

Recovering Your WordPress Site After a Hack

Has your WordPress site been hacked? Learn the step-by-step process to clean your site, remove malware, and restore security after a compromise.

Sarah Chen

Confirming the Hack

Before starting recovery, confirm your site has actually been compromised. Common signs include unexpected redirects, defaced pages, new admin users, spam content appearing, hosting provider suspension notices, or Google blacklist warnings.

Immediate Actions

Stay Calm

Panic leads to mistakes. A methodical approach is essential for complete recovery.

Document Everything

Take screenshots and notes of the symptoms, changed files, and timeline. This helps identify the attack vector.

Take the Site Offline

Prevent further damage and protect visitors:

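# Add to .htaccess
# Apache 2.2 syntax; on Apache 2.4 these directives need mod_access_compat
order deny,allow
deny from all
allow from YOUR.IP.ADDRESS
# Apache 2.4 equivalent of the three lines above: Require ip YOUR.IP.ADDRESS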

Assess the Damage

Identify Compromised Areas

  • Check for new admin users
  • Review recently modified files
  • Look for unfamiliar files
  • Check database for injected content
  • Review server access logs

Determine Attack Vector

Understanding how attackers got in helps prevent future attacks:

  • Outdated plugins or themes
  • Compromised admin credentials
  • Server vulnerabilities
  • File upload exploits
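
One way to turn the access-log review into evidence for or against the vectors listed above, as an added example that is not part of the original article: the awk rules tag requests that fit a file upload exploit, a direct POST to plugin or theme code, and a login that succeeds after failures. The log lines, IP addresses and the `example-plugin` path are constructed, and the combined log format is an assumption.

```sh
#!/bin/sh
# Constructed sample in Apache/nginx "combined" log format (not real traffic).
sample_log() {
cat <<'EOF'
203.0.113.7 - - [10/Jan/2026:03:11:02 +0000] "POST /wp-login.php HTTP/1.1" 200 4321 "-" "curl/8.0"
203.0.113.7 - - [10/Jan/2026:03:11:03 +0000] "POST /wp-login.php HTTP/1.1" 200 4321 "-" "curl/8.0"
203.0.113.7 - - [10/Jan/2026:03:11:04 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "curl/8.0"
198.51.100.9 - - [10/Jan/2026:03:20:40 +0000] "POST /wp-content/plugins/example-plugin/upload.php HTTP/1.1" 200 18 "-" "Mozilla/5.0"
198.51.100.9 - - [10/Jan/2026:03:20:45 +0000] "GET /wp-content/uploads/2026/01/img.php?x=1 HTTP/1.1" 200 512 "-" "Mozilla/5.0"
192.0.2.15 - - [10/Jan/2026:08:00:00 +0000] "GET /wp-content/uploads/2026/01/photo.jpg HTTP/1.1" 200 90211 "-" "Mozilla/5.0"
EOF
}

# triage_log [FILE...]: print "TAG ip detail" for requests worth a closer look.
triage_log() {
  awk '
    { ip = $1; method = substr($6, 2); path = $7; status = $9
      sub(/[?].*/, "", path) }                       # drop the query string
    # PHP answered from uploads: fits a file upload exploit
    status == 200 && path ~ /^\/wp-content\/uploads\/.*[.]ph(p[0-9]?|tml|ar)$/ {
      print "UPLOADS_PHP", ip, path }
    # POST straight at a plugin or theme PHP file: fits a vulnerable extension
    method == "POST" && path ~ /^\/wp-content\/(plugins|themes)\/.*[.]php$/ {
      print "EXT_POST", ip, path }
    # wp-login.php returns 200 on a failed login and 302 on success (default behaviour)
    method == "POST" && path == "/wp-login.php" {
      if (status == 302) ok[ip]++; else fail[ip]++ }
    END { for (i in ok) if (fail[i] > 0)
            print "LOGIN_AFTER_FAILURES", i, "failed=" fail[i] }
  ' "$@"
}

sample_log | triage_log
```

Each tag is a lead to review against the timeline you documented, not proof on its own; some plugins legitimately receive direct POSTs.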

Create Backups

Backup Infected Site

Before cleaning, back up the current infected state. This preserves evidence and allows analysis.

Locate Clean Backup

Find the most recent backup from before the compromise. Verify it is clean before restoring.

Cleaning Process

Reset All Passwords

Change passwords immediately:

  • All WordPress admin accounts
  • Database password
  • FTP/SFTP credentials
  • Hosting account password
  • Any connected services

Update Security Keys

Generate new keys from the WordPress salt generator and update wp-config.php. This invalidates all sessions.

Clean or Replace WordPress Core

Replace core files with fresh copies:

  1. Download fresh WordPress from wordpress.org
  2. Delete existing wp-admin and wp-includes directories
  3. Upload clean copies
  4. Replace core files in root directory
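
Before deleting wp-admin and wp-includes, it is worth recording which core files were altered and which were added, since that list feeds the damage assessment. The following added example (not from the original article) compares the live tree with a freshly unpacked copy of the same WordPress version; the function names and the tiny sample trees are constructed stand-ins.

```sh
#!/bin/sh
# classify LIVE FRESH: read relative paths on stdin and compare the two trees.
classify() {
  while IFS= read -r rel; do
    if [ ! -f "$2/$rel" ]; then echo "EXTRA $rel"        # not shipped by core
    elif ! cmp -s "$1/$rel" "$2/$rel"; then echo "MODIFIED $rel"  # bytes differ
    fi
  done
}

# core_drift LIVE_ROOT FRESH_ROOT
# FRESH_ROOT must be an unpacked wordpress.org download of the same version.
core_drift() {
  {
    (cd "$1" && find wp-admin wp-includes -type f)
    # Root-level PHP files; wp-config.php is site-specific, so skip it.
    (cd "$1" && find . -maxdepth 1 -type f -name '*.php' ! -name wp-config.php) |
      sed 's|^\./||'
  } | sort | classify "$1" "$2"
}

# Constructed demo trees (placeholder contents, not real WordPress files).
make_sample() {
  t=$(mktemp -d)
  for r in live fresh; do
    mkdir -p "$t/$r/wp-admin" "$t/$r/wp-includes"
    echo '<?php // index' > "$t/$r/index.php"
    echo '<?php // admin' > "$t/$r/wp-admin/admin.php"
    echo '<?php // load'  > "$t/$r/wp-includes/load.php"
  done
  echo '<?php // site config' > "$t/live/wp-config.php"
  echo '// appended by someone else' >> "$t/live/wp-includes/load.php"
  echo '<?php // unknown' > "$t/live/wp-admin/class-wp-cache.php"
  echo '<?php // unknown' > "$t/live/wp-feed.php"
  echo "$t"
}

sample=$(make_sample)
core_drift "$sample/live" "$sample/fresh"
rm -rf "$sample"
```

Where WP-CLI is installed, `wp core verify-checksums` performs a comparable check against the official checksums without needing a local fresh copy.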

Review and Clean wp-content

For themes and plugins:

  • Delete all inactive themes and plugins
  • Replace active plugins with fresh copies from WordPress.org
  • Replace active theme with fresh copy
  • Carefully review custom code

Clean Uploads Directory

Scan uploads for PHP files and remove any found:

find wp-content/uploads -type f -iname "*.php" -delete
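
The command above matches only the `.php` extension. The added example below (not part of the original article) also catches other extensions commonly handled by PHP and PHP code stored under an image extension, and it moves hits to a quarantine directory instead of deleting them so they can be examined. The function names, quarantine location and sample files are assumptions.

```sh
#!/bin/sh
# list_php_in_uploads DIR: files PHP could execute, or that carry PHP code.
list_php_in_uploads() {
  {
    # Extensions commonly mapped to the PHP handler (matched case-insensitively).
    find "$1" -type f \( -iname '*.php' -o -iname '*.php[0-9]' \
      -o -iname '*.phtml' -o -iname '*.phar' \)
    # Any file containing a PHP open tag, whatever its extension.
    grep -rliF '<?php' "$1"
  } | sort -u
}

# quarantine_uploads DIR QDIR: move hits to QDIR (outside the web root),
# keeping relative paths so each file can be examined later.
quarantine_uploads() {
  list_php_in_uploads "$1" | while IFS= read -r f; do
    rel=${f#"$1"/}
    mkdir -p "$2/$(dirname "$rel")"
    mv "$f" "$2/$rel" && echo "quarantined $rel"
  done
}

# Constructed sample tree (file contents are harmless placeholders).
make_uploads() {
  t=$(mktemp -d)
  mkdir -p "$t/uploads/2026/01"
  printf 'JFIF placeholder bytes\n' > "$t/uploads/2026/01/photo.jpg"
  printf '<?php /* placeholder */\n' > "$t/uploads/2026/01/gallery.PHP"
  printf 'ICO<?php /* placeholder */\n' > "$t/uploads/2026/01/favicon.ico"
  printf '<?php /* placeholder */\n' > "$t/uploads/cache.phtml"
  echo "$t"
}

root=$(make_uploads)
quarantine_uploads "$root/uploads" "$root/quarantine"
rm -rf "$root"
```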

Database Cleanup

Remove Malicious Users

Delete any admin accounts you did not create.

Clean Injected Content

Search the database for common malware patterns:

  • eval() and base64_decode()
  • Unusual iframe tags
  • Suspicious script sources
  • Spam links

Verify Options Table

Check wp_options for unusual entries, especially siteurl and home values.
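
The three database checks above (administrator accounts, injected content, siteurl and home) can be run offline against a SQL dump of the infected backup, which leaves the live database untouched. This is an added example, not code from the original article; it assumes mysqldump INSERT syntax and the default `wp_` table prefix, and the dump excerpt, URLs and user IDs are constructed.

```sh
#!/bin/sh
# Constructed, heavily simplified mysqldump excerpt (real tables have more columns).
sample_dump() {
cat <<'EOF'
INSERT INTO `wp_options` VALUES (1,'siteurl','https://example.com','yes'),(2,'home','https://redirect.example.net','yes'),(3,'widget_text','<?php eval(base64_decode(\"...\")); ?>','yes');
INSERT INTO `wp_posts` VALUES (7,1,'Hello','<p>Hi</p><script src=\"https://cdn.example.net/x.js\"></script>'),(8,1,'News','<iframe src=\"https://ads.example.net/\" width=\"0\"></iframe>');
INSERT INTO `wp_usermeta` VALUES (1,1,'wp_capabilities','a:1:{s:13:\"administrator\";b:1;}'),(2,5,'wp_capabilities','a:1:{s:10:\"subscriber\";b:1;}'),(3,9,'wp_capabilities','a:1:{s:13:\"administrator\";b:1;}');
EOF
}

# count_hits DUMP: occurrences of each pattern from the list above.
count_hits() {
  for pat in 'eval(' 'base64_decode(' '<iframe' '<script'; do
    n=$(grep -oiF -e "$pat" "$1" | grep -c . || true)
    echo "$pat $n"
  done
}

# option_value DUMP NAME: first value stored for NAME (check siteurl and home).
option_value() {
  grep -o "'$2','[^']*'" "$1" | head -n 1 | cut -d"'" -f4
}

# admin_ids DUMP: user_id of each wp_usermeta row granting the administrator role.
admin_ids() {
  grep -o "([0-9]*,[0-9]*,'wp_capabilities','[^']*administrator" "$1" |
    cut -d, -f2 | sort -nu
}

# audit_dump DUMP EXPECTED_URL: one report combining the three checks.
audit_dump() {
  count_hits "$1"
  for name in siteurl home; do
    v=$(option_value "$1" "$name")
    [ "$v" = "$2" ] || echo "MISMATCH $name=$v"
  done
  echo "admin user_ids: $(admin_ids "$1" | xargs)"
}

dump=$(mktemp); sample_dump > "$dump"
audit_dump "$dump" https://example.com
rm -f "$dump"
```

Pattern counts only say where to look: legitimate content can contain `<script` or `<iframe`, so review each hit and compare the administrator IDs with the accounts you created.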

Restore from Backup

If Clean Backup Available

  1. Restore database from clean backup
  2. Restore files from clean backup
  3. Update WordPress and all plugins to latest versions
  4. Change all passwords anyway

Verify Restoration

After restoring, scan again to confirm the site is clean.

Post-Recovery Security

Update Everything

  • WordPress core
  • All plugins
  • All themes
  • PHP version if outdated

Install Security Plugin

Implement comprehensive protection with a security plugin like WP Folder Shield.

Enable Two-Factor Authentication

Require 2FA for all admin accounts.

Implement Firewall

Block common attack patterns with a web application firewall.

Request Review

Google Search Console

If blacklisted, request security review after cleaning.

Hosting Provider

If suspended, contact host to verify cleanup and request reactivation.

Antivirus Vendors

Request removal from malware blacklists.

Prevent Future Attacks

Regular Updates

Keep WordPress, themes, and plugins updated.

Strong Authentication

Use strong passwords and two-factor authentication.

Regular Backups

Maintain automated backups stored securely off-server.

Security Monitoring

Enable file integrity monitoring and intrusion detection.

Conclusion

Recovering from a hack requires systematic cleaning, security improvements, and monitoring. The goal is not just to clean the current infection but to prevent future compromises. Take this as an opportunity to implement comprehensive security measures.
