Written from live project work
How to Fix a Hacked WordPress Site (Before It Comes Back)
On this page
Most hacked WordPress sites get "cleaned" twice. The first cleanup removes what the scanner can see; the malware returns within days through a backdoor the scanner can't. This is the sequence that actually ends infections, the one I use on recovery jobs every week.
Step 0: Don't panic-delete anything
The infected files are also your forensic evidence. Before touching anything, snapshot the site, files and database, so you can trace the entry point later. Cleanups that skip forensics are the ones that repeat.
Step 1: Contain
- Change every credential: WordPress admins, database, SFTP, hosting panel.
- Check
wp_usersfor admin accounts you didn't create, attackers add their own. - If Google is already flagging the site, put up a maintenance page that keeps your phone number visible. Don't go fully dark.
Step 2: Hunt beyond the scanner
Scanners find known signatures. Infections hide in:
- Fake plugin folders with plausible names (
wp-cache-tools,seo-optimizer-pro) containing a single loader file. - The database: base64 payloads in
wp_options, injected scripts in post content. - Cron jobs:
wp_get_schedules()and server crontabs re-downloading the payload nightly, the classic reinfection engine. - Legitimate files: a single appended line in
wp-config.phpor the theme'sfunctions.php.
Step 3: Find the door they used
Cross-reference file modification times with access logs. In my recovery work the entry point is almost always one of: an abandoned plugin with a public CVE, a nulled theme, credentials reused from a breached service, or hosting with outdated PHP. If you skip this step, you've done a cosmetic cleanup.
Step 4: Rebuild trust
- Reinstall core, themes and plugins from official sources, never trust existing files post-infection.
- Request review in Search Console; Safe Browsing warnings typically clear in 24–72 hours after approval.
- Harden: WAF, 2FA on all admins, file integrity monitoring, staged updates, off-site backups you've actually test-restored.
When to call someone
If the infection has returned once already, or the site takes payments or patient/client data, get professional help, repeat infections mean live backdoors, and each recurrence costs more trust with Google. My malware removal service is fixed-price with same-day triage, and includes the post-mortem that explains exactly how it happened.