It is the notification every website owner dreads.
Maybe Google Chrome is showing a red “Deceptive Site Ahead” screen. Maybe your site is redirecting visitors to a gambling website. or perhaps you logged in and found five new “Administrator” accounts you didn’t create.
Your WordPress site has been hacked.
Panic is natural, but it won’t fix the problem. Action will. A hacked site destroys your SEO rankings, leaks customer data, and kills your brand reputation every minute it stays infected.
In this guide, we will walk you through the emergency procedures to identify, clean, and recover a hacked WordPress site.
We will also discuss why upgrading to VPSPioneer’s Dedicated Servers and using our managed Website Security can prevent this nightmare from ever happening again.
Step 0: Diagnosis (Is it really a hack?)
Before you start deleting files, confirm the infection. Common symptoms include:
- The White Screen of Death.
- Strange Redirects: Clicking a link on your site takes you somewhere else.
- New Admin Users: Check your “Users” tab for names like
admin123orsystem. - Google Warning: Search results show “This site may be hacked.”
Tool Tip: Use the free Google Safe Browsing Site Status tool to see if Google has flagged your domain.
Step 1: The “Crime Scene” Backup
This sounds counter-intuitive, but backup the hacked site immediately.
Why? Because in the process of cleaning, you might accidentally delete a critical system file and break the site completely. You need a “snapshot” of the current state, even if it is infected, just in case you need to recover a specific database entry later.
If you are a VPSPioneer client, check your automated backups in your control panel before proceeding.
Step 2: The Core File Replacement (The Surgical Strike)
Malware often hides inside core WordPress files (like wp-config.php or index.php). The safest way to fix this is to replace them with fresh, clean copies.
- Download WordPress: Go to WordPress.org and download the latest version zip file.
- Extract the Zip: Open the folder on your computer.
- Connect via FTP/SFTP: Use a client like FileZilla to connect to your server.
- The Critical Step: Upload the fresh
wp-adminandwp-includesfolders to your server, overwriting the old ones.- WARNING: Do NOT overwrite the
wp-contentfolder or yourwp-config.phpfile yet.wp-contentholds your images and themes; deleting it will erase your site’s look and media.
- WARNING: Do NOT overwrite the
Step 3: Clean the wp-content Folder
This is where hackers love to hide “Backdoors”—scripts that let them re-enter your site even after you change passwords.
- Plugins: Look inside
/wp-content/plugins/. Do you see a folder for a plugin you don’t remember installing? Delete it. In fact, the safest method is to delete all plugins and re-install them fresh from the WordPress repository. - Themes: Check
/wp-content/themes/. If you are not using a theme, delete it. Hackers often hide code in inactive themes. - Uploads: Check
/wp-content/uploads/. This folder should only contain images (jpg, png, webp) and documents (pdf). If you see a.phpor.jsfile here, it is almost certainly a virus. Delete it immediately.
Step 4: The Database Scrub
Hackers often inject malicious code into your database tables to create spam comments or redirect users.
- Cleaning: This is difficult to do manually without breaking the site. We recommend using a plugin like Wordfence or Sucuri to scan the database for suspicious strings (like
evalorbase64_decode). - Check Users: Go to your database (via phpMyAdmin) and check the
wp_userstable. Delete any administrator you do not recognize.
Step 5: The “Scorched Earth” Prevention
Once the site is clean, you must lock the doors so they can’t get back in.
- Reset All Passwords: Not just yours. Reset passwords for every user, your FTP accounts, and your database user.
- Update Everything: Outdated plugins are the #1 cause of hacks. Update WordPress core, themes, and plugins immediately.
- Change Security Keys (Salts): Go to your
wp-config.phpfile. You will see a block of random letters called “Authentication Unique Keys.” Change these. This forces every logged-in user (including the hacker) to be logged out instantly.
The Better Solution: Professional Security & Isolation
Cleaning a site manually is stressful, risky, and requires technical skill. If you miss one single hidden file, the infection will return in 24 hours.
1. Let Us Clean It (Website Security)
Don’t fight alone. VPSPioneer’s Website Security service includes:
- Automated Malware Removal: Our scanners find and fix complex infections that manual checks miss.
- Web Application Firewall (WAF): Blocks hackers before they even touch your site.
- Blacklist Removal: We help get your site unbanned from Google.
2. Isolate Your Business (Dedicated Server)
If you are on Shared Hosting, your security depends on your neighbors. If another site on the same server gets hacked, yours might be at risk (“Cross-contamination”).
For total peace of mind, upgrade to a Dedicated Server.
- Total Isolation: You are the only tenant. No neighbors.
- Hardware Firewalls: Enterprise-grade protection for your data.
- Compliance: Essential for handling customer credit card data (PCI-DSS).
Frequently Asked Questions (FAQ)
Q: How did my site get hacked?A: The most common reasons are outdated plugins, weak passwords (like “admin123”), or using “Nulled” (pirated) themes which often contain pre-installed malware.
Q: Will VPSPioneer clean my site for free?A: If the hack is due to a server-level issue, yes. However, most hacks occur inside the WordPress application layer (user error or bad plugins). For this, we recommend our Website Security add-on for professional cleanup.
Q: Why does the hack keep coming back?A: You likely missed a “Backdoor.” Hackers hide tiny files in deep folders. If you don’t find and delete the backdoor, they can re-infect the site instantly. This is why automated scanning tools are superior to manual cleaning.