How to Fix a Hacked WordPress Site (Before It Comes Back)

By Mohammad HumzaJune 2, 202612 min readSecurity
On this page

Most hacked WordPress sites get "cleaned" twice. The first cleanup removes what the scanner can see; the malware returns within days through a backdoor the scanner can't. This is the sequence that actually ends infections, the one I use on recovery jobs every week.

Step 0: Don't panic-delete anything

The infected files are also your forensic evidence. Before touching anything, snapshot the site, files and database, so you can trace the entry point later. Cleanups that skip forensics are the ones that repeat.

Step 1: Contain

  • Change every credential: WordPress admins, database, SFTP, hosting panel.
  • Check wp_users for admin accounts you didn't create, attackers add their own.
  • If Google is already flagging the site, put up a maintenance page that keeps your phone number visible. Don't go fully dark.

Step 2: Hunt beyond the scanner

Scanners find known signatures. Infections hide in:

  • Fake plugin folders with plausible names (wp-cache-tools, seo-optimizer-pro) containing a single loader file.
  • The database: base64 payloads in wp_options, injected scripts in post content.
  • Cron jobs: wp_get_schedules() and server crontabs re-downloading the payload nightly, the classic reinfection engine.
  • Legitimate files: a single appended line in wp-config.php or the theme's functions.php.

Step 3: Find the door they used

Cross-reference file modification times with access logs. In my recovery work the entry point is almost always one of: an abandoned plugin with a public CVE, a nulled theme, credentials reused from a breached service, or hosting with outdated PHP. If you skip this step, you've done a cosmetic cleanup.

Step 4: Rebuild trust

  • Reinstall core, themes and plugins from official sources, never trust existing files post-infection.
  • Request review in Search Console; Safe Browsing warnings typically clear in 24–72 hours after approval.
  • Harden: WAF, 2FA on all admins, file integrity monitoring, staged updates, off-site backups you've actually test-restored.

When to call someone

If the infection has returned once already, or the site takes payments or patient/client data, get professional help, repeat infections mean live backdoors, and each recurrence costs more trust with Google. My malware removal service is fixed-price with same-day triage, and includes the post-mortem that explains exactly how it happened.