Hacked WordPress: what to do?

Is your WordPress site hacked? Here's the complete playbook to keep your cool, clean the infection without breaking anything, and close the hole for good.

By WP-Detox

You just found out your WordPress site is hacked: pages you never wrote, a redirect to a casino, or that red warning from Google. First thing to know: it’s almost always fixable, and your real content isn’t lost. This guide walks you through the steps in order, from your first move to locking the site down for good.

First moves (and the mistakes to avoid)

Before you touch anything, stay calm and resist two temptations.

Don’t delete your whole site. Panic makes people want to “start over from scratch.” You’d lose your legitimate content and your search rankings, when a surgical cleanup is more than enough in most cases.

Don’t just delete the spam pages you can see. The fake casino articles are only the tip of the iceberg. The real problem is the injected code and the backdoors that let the attacker reinject everything a few hours later. If you clean the surface without closing the door, the infection comes right back.

What you can do right now, on the other hand:

  • Change the password for your hosting account and your FTP/SFTP account. That’s often how the attacker got in, or how they keep their access.
  • Put the site in maintenance mode if you can, while you work, so visitors aren’t exposed to malicious redirects.
  • Write down what you see (strange pages, redirects, modification dates of changed files). It will help you gauge how far the infection goes.

Identify the type of hack

Not all WordPress hacks are the same. The symptom you’re seeing tells you a lot about what’s happening under the hood, and therefore about how to clean it.

What you see | Type of hack | Where to dig
Casino or betting posts and pages indexed under your name | SEO spam (content injection) | Remove casino spam posts
From Google, your site sends visitors to a casino | Redirect / cloaking | WordPress redirecting to a casino
“This site may harm your computer” in Google | Safe Browsing blacklist | Remove the Google warning
An admin account you didn’t create | Attacker’s persistent access | See the account cleanup section below

Not sure you’re actually hacked? Start by spotting the 10 signs of a hacked WordPress, so you don’t end up cleaning a healthy site.

Back up before you touch anything

Even an infected site should be backed up before cleanup. For two reasons: if something you do breaks the display, you can roll back; and the infected copy keeps a record of the malicious code, which is useful for understanding how the attacker got in.

Back up the files (via FTP/SFTP or your host’s file manager) and the database (SQL export from phpMyAdmin). Set that copy aside, off the server, and never put it back online as-is.

Clean the site, step by step

Cleanup always follows the same order. The goal: replace everything that can be replaced with clean versions, then hunt down whatever remains.

1. Reinstall the WordPress core

The files in wp-admin and wp-includes, along with the files in the root (except wp-config.php and your wp-content folder), need to be replaced with a fresh copy at the same version as yours. From the command line: wp core download --force (add --version=X.Y.Z so the download matches the version you’re running rather than the latest release). Without SSH access, delete those folders over FTP and re-upload them from an official archive on wordpress.org.

2. Start fresh with official plugins and themes

Delete the contents of wp-content/plugins and reinstall each extension you need from the official repository. Same logic for the active theme. It’s drastic, but it’s what removes the code injected into extensions, one of attackers’ favorite hiding spots. While you’re at it, permanently delete inactive plugins and themes: a default theme that’s deactivated but infected is still a way in.

3. Clean the database

Spam and redirects often live in the database. Pay particular attention to:

  • wp_users and wp_usermeta: delete any unknown admin account, and check that no subscriber has been promoted to admin.
  • wp_posts: find the posts and pages you didn’t write, along with injected <script> and <iframe> tags.
  • wp_options: this is where redirect scripts often hide (the siteurl and home fields, and options with random names).

4. Inspect .htaccess and the uploads folder

The .htaccess file in the root is a classic spot for redirects: if you find RewriteRule rules pointing to an unknown domain, that’s where it’s happening. As for wp-content/uploads, it should only contain media. A .php file sitting in there is almost always a backdoor. To go further: find and remove a WordPress backdoor.

5. Reset all access

Change every password: WordPress admins, the database (in wp-config.php), FTP/SFTP, and hosting. Also regenerate the security keys (salts) in wp-config.php to log out every session that’s still open, including the attacker’s.
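Shell helpers for steps 3 and 4 above, added here as an example; this is not WP-Detox’s own tooling. It assumes a standard install layout under the site root, the default wp_ table prefix, and WP-CLI on the PATH for the database part; the sample site it builds (one stray .php in uploads, one casino redirect in .htaccess) is constructed for the demo.

```shell
#!/bin/sh
# Added example, not WP-Detox's own tooling: shell helpers for cleanup steps 3 and 4.
# Assumes a standard install under $ROOT (wp-content/uploads, .htaccess in the root)
# and the default wp_ table prefix; change the prefix in the SQL if yours differs.

# Step 4: executable PHP under uploads, which should hold media only. Renamed
# variants that PHP may still execute (.phtml, .php5, .phar) are included.
php_in_uploads() {
    find "$1/wp-content/uploads" -type f \( -iname '*.php' -o -iname '*.phtml' \
        -o -iname '*.php[0-9]' -o -iname '*.phar' \) | sort
}

# Step 4: RewriteRule lines sending visitors to an absolute URL on a host other
# than $2 (your own domain). Prints nothing when .htaccess is clean.
external_rewrites() {
    grep -iE '^[[:space:]]*RewriteRule[[:space:]]+[^[:space:]]+[[:space:]]+https?://' "$1" \
        | grep -viF "://$2" || true
}

# Step 3: the three database checks from the text, run through WP-CLI (wp on PATH).
db_audit() {
    wp db query <<'SQL'
SELECT u.ID, u.user_login, u.user_registered FROM wp_users u
  JOIN wp_usermeta m ON m.user_id = u.ID
 WHERE m.meta_key = 'wp_capabilities' AND m.meta_value LIKE '%administrator%';
SELECT ID, post_type, post_title, post_modified FROM wp_posts
 WHERE post_content REGEXP '<(script|iframe)' ORDER BY post_modified DESC;
SELECT option_name, LEFT(option_value, 120) FROM wp_options
 WHERE option_name IN ('siteurl', 'home')
    OR option_value LIKE '%<script%' OR option_value LIKE '%eval(%';
SQL
}

# Constructed sample site (one stray .php, one casino redirect) to exercise the helpers offline.
make_sample_site() {
    root=$(mktemp -d)
    mkdir -p "$root/wp-content/uploads/2024/05"
    : > "$root/wp-content/uploads/2024/05/photo.jpg"
    : > "$root/wp-content/uploads/2024/05/wp-cache.php"
    cat > "$root/.htaccess" <<'EOF'
RewriteRule ^index\.php$ - [L]
RewriteRule ^wp-login\.php$ https://example.com/wp-login.php [R=301,L]
RewriteRule ^(.*)$ https://casino-example.invalid/$1 [R=302,L]
EOF
    printf '%s\n' "$root"
}

if [ "${1:-}" = demo ]; then   # sh audit.sh demo
    R=$(make_sample_site); php_in_uploads "$R"; external_rewrites "$R/.htaccess" example.com
fi
```

On a real site, point the helpers at your own root and domain; the rule that reaches your own host is skipped, the one sending everything elsewhere is printed.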

Check that the site is really clean

A site that “displays normally” isn’t necessarily a clean site. Many infections are invisible to visitors and only show up to Google. To check properly:

  • Type site:yourdomain.com in Google and scan the results: spam pages still indexed point to a leftover infection.
  • Check the Security Issues report in Google Search Console.
  • Run the site through an online malware scanner and review the modification dates of your files: a core file that was changed recently, when you touched nothing, should set off alarm bells.
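Two of the file-level checks from the list above, written out as an added example (not WP-Detox’s tooling): core files with a recent modification date, and a comparison of wp-admin and wp-includes against a pristine copy of the same version, which is the offline equivalent of WP-CLI’s wp core verify-checksums. The pair of directory trees it builds is constructed.

```shell
#!/bin/sh
# Added example, not WP-Detox's own tooling: two file-level checks for a cleaned site.
# Assumes $1 is the live site root and, for the diff, $2 an unpacked official
# archive of the same WordPress version.

# Core files whose modification date is within the last $2 days. On a site you
# have not touched, every hit deserves a look.
recent_core_changes() {
    find "$1/wp-admin" "$1/wp-includes" -type f -mtime "-$2" | sort
}

# Core files that differ from the pristine copy (CHANGED) or are not in it at all
# (EXTRA). The EXTRA ones are the classic place for a dropped backdoor.
core_diff_against_pristine() {   # $1 = live root, $2 = pristine root
    ( cd "$1" && find wp-admin wp-includes -type f ) | sort | while IFS= read -r f; do
        if [ ! -e "$2/$f" ]; then printf 'EXTRA %s\n' "$f"
        elif ! cmp -s "$2/$f" "$1/$f"; then printf 'CHANGED %s\n' "$f"
        fi
    done
}

# Constructed pair of trees: identical core, then one file altered and one added
# on the live side, both with a fresh modification time.
make_sample_pair() {
    live=$(mktemp -d); pristine=$(mktemp -d)
    for r in "$live" "$pristine"; do
        mkdir -p "$r/wp-admin" "$r/wp-includes"
        printf '<?php // genuine\n' > "$r/wp-admin/index.php"
        printf '<?php // genuine\n' > "$r/wp-includes/functions.php"
        touch -t 202001010000 "$r/wp-admin/index.php" "$r/wp-includes/functions.php"
    done
    printf '// injected line\n' >> "$live/wp-includes/functions.php"
    printf '<?php // dropped file\n' > "$live/wp-includes/wp-tmp-helper.php"
    printf '%s %s\n' "$live" "$pristine"
}

if [ "${1:-}" = demo ]; then   # sh verify.sh demo
    set -- $(make_sample_pair)
    recent_core_changes "$1" 7; core_diff_against_pristine "$1" "$2"
fi
```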

Remove the Google warning

If Google has shown “This site may harm your computer” or “This site may have been hacked,” cleaning things up technically won’t make the warning disappear on its own. Once the site is clean, you need to request a review from Search Console. Google usually lifts the alert within 24 to 72 hours. The detailed steps are here: remove the hacked-site warning.

Secure it so it doesn’t happen again

A site that’s cleaned but not hardened often gets reinfected within weeks, through the same hole. Securing the site isn’t optional, it’s the last step of the cleanup: updates, hiding the login page, limiting login attempts, correct file permissions. The full checklist: secure WordPress after a hack.

Do it yourself or hand it off?

If you’re comfortable with FTP, phpMyAdmin, and the command line, this guide will get you through it. Plan on two to four hours for a standard-sized site, and a bit of discipline so you don’t let a backdoor slip past.

If you’re not technical, or if the site matters to your business and every hour of downtime counts, handing it off makes sense. That’s exactly what WP-Detox does: we remove the hack, recover your content, and secure the site in about 30 minutes, for €149 all-in, with a backup taken first and a refund if we can’t fix it. The scan itself is free: it already shows you what’s been detected.

Frequently asked questions

Will I lose my content? No, if the cleanup is done properly. We only remove what’s malicious; your legitimate posts, pages, and settings stay in place.

How long does it take to fix? Two to four hours on your own for a standard site. A specialist job runs closer to 30 minutes once we have the access details.

Can my site be reinfected right after? Yes, if the entry point isn’t closed. That’s why securing the site is part of the cleanup itself, not a “later” step.
