Is your WordPress site hacked? Don’t let the bad guys ruin your day.
Waking up to a hacked website is one of the most horrible experiences in life. One spends years on a website – publishing SEO-friendly posts, designing the site, installing premium themes and plugins, etc. It hurts to find all those efforts squandered overnight.
But there’s a fix to everything.

A hacked WordPress website can be fixed and restored to normal within a couple of hours. In this post, we are going to cover how you can clean your site, improve WordPress security and enable further protection so that it’s never compromised again. But before digging into what you need to do, we’d also like to bust a few myths surrounding manual scanning and cleaning of a hacked site. The reason we are going to do this is that a lot of people still seem to believe that an effective cleanup can be done manually, which is incorrect. Another popular notion amongst WordPress users is that restoring backups will clean a site. That’s incorrect too. We’ll examine these two myths in detail.

First, let’s see why manual cleanups are not recommended.

Is Manual Cleanup Even Possible?

Earlier, cleaning up a hacked website was easy. There were only a few places where hackers would hide malware or bad code in a WordPress site. In those days malware was not as complex as it is now. One could get a list of known malware and then search for it in specific locations of a WP site. Scanners in the past (and even some scanners today) used this method, which is referred to as signature matching, to locate malware. It’s outdated and cannot find new and complex malware.

Hackers today have found ways to hide malware on a site they have hacked. There are several reasons why your site was compromised. Your website can be small or insignificant, but hackers can still use it for a number of misdeeds like sending spam emails, pharmaceutical hacks, cryptocurrency mining, storing files, etc. They try to hide the fact that your site has been hacked for as long as possible. They obfuscate code so that anyone manually looking for bad code won’t be able to find it. For instance, the presence of base64 is a sign of a hack. To hide the code, hackers will muddle it into something like 'b'.'a'.'s'.'e'.'6'.'4', making it impossible to find manually using the signature matching method.
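The limitation described above, as an added example (not code from the original post or from any scanner it mentions): a plain substring match misses the split-up string, while folding adjacent PHP string literals before matching finds it. The signature list, function names and sample lines are constructed for illustration.

```python
import re

# Constructed signature list; the post names "base64" as the string to look for.
SIGNATURES = ("base64",)

# One quoted PHP literal without nested quotes or escapes: 'ab' or "ab".
_LITERAL = r"""(?:'([^'"\\]*)'|"([^'"\\]*)")"""
# Two such literals joined by PHP's "." concatenation operator.
_CONCAT = re.compile(_LITERAL + r"\s*\.\s*" + _LITERAL)

def _merge(match):
    left = match.group(1) if match.group(1) is not None else match.group(2)
    right = match.group(3) if match.group(3) is not None else match.group(4)
    return "'" + left + right + "'"

def fold_concatenation(php_source):
    """Merge 'a'.'b' into 'ab' repeatedly until the text stops changing."""
    previous = None
    while previous != php_source:
        previous = php_source
        php_source = _CONCAT.sub(_merge, php_source)
    return php_source

def naive_scan(php_source):
    """Plain signature matching on the raw file contents."""
    return [s for s in SIGNATURES if s in php_source]

def normalized_scan(php_source):
    """Fold concatenations and lowercase (PHP function names are
    case-insensitive) before matching the same signatures."""
    folded = fold_concatenation(php_source).lower()
    return [s for s in SIGNATURES if s in folded]

# Constructed sample lines, not taken from a real infection.
OBFUSCATED = "$f = 'b'.'a'.'s'.\"e\".'6'.'4'.'_decode'; $data = $f($blob);"
BENIGN = "echo 'Hello' . ', ' . 'world';"

if __name__ == "__main__":
    for name, line in (("obfuscated", OBFUSCATED), ("benign", BENIGN)):
        print(name, naive_scan(line), normalized_scan(line))
```

Folding only undoes literal concatenation; strings assembled in other ways need their own normalization step before any signature can match.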

Does Restoring Backups Really Clean a Hacked Site?

One of the many reasons hackers hack a site is that they need a place to store files. It could be pirated movies, songs, videos, illegal software, etc. After breaking into a website, they’ll start storing these files, which take up your site’s storage space. Perhaps they used a vulnerability in a plugin to breach your site. After seeing several WordPress users raising the alarm, you check your plugins and see that you are using the plugin whose vulnerability was recently detected. If your site has been hacked, a simple restoration of a backup will clean it, right? Unfortunately, no.

Restoration will only restore the files that have been backed up. The files that hackers stored on your site’s server remain untouched. Therefore, restoring will not clean your site. Moreover, your backups themselves can be infected. The website may have been hacked months ago without your knowing it, while your backup service only allows restoration of backups from the last month (see the section Choose Your Backup Service Wisely). In this case, you are stuck with infected backups, and restoring them will be of no use. The solution is to clean your site using an automatic malware cleaner. Before getting one, check out these 5 things that you need to be aware of before buying a security plugin.
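To make the point about restores concrete, here is an added example (not part of the original post) that compares a live site directory against an unpacked backup and lists the files a restore would never touch. The directory layout, file names and function names are constructed assumptions.

```python
import hashlib
import tempfile
from pathlib import Path

def _index(root):
    """Map each file path (relative to root) to the SHA-256 of its contents."""
    return {p.relative_to(root).as_posix(): hashlib.sha256(p.read_bytes()).hexdigest()
            for p in root.rglob("*") if p.is_file()}

def compare_to_backup(live_root, backup_root):
    """Classify files by how the live tree differs from the backup."""
    live, backup = _index(Path(live_root)), _index(Path(backup_root))
    return {
        # Present on the server only: restoring the backup leaves these in place.
        "only_on_server": sorted(set(live) - set(backup)),
        # Present in both but with different contents: a restore overwrites these.
        "changed": sorted(f for f in live.keys() & backup.keys()
                          if live[f] != backup[f]),
        # Present in the backup only: a restore recreates these.
        "only_in_backup": sorted(set(backup) - set(live)),
    }

def demo():
    """Constructed trees: a backup, and the live site after restoring it."""
    with tempfile.TemporaryDirectory() as tmp:
        backup, live = Path(tmp, "backup"), Path(tmp, "live")
        files = {
            "index.php": "<?php // loader",
            "wp-content/plugins/forms/forms.php": "<?php // plugin",
        }
        for root in (backup, live):
            for rel, body in files.items():
                target = root / rel
                target.parent.mkdir(parents=True, exist_ok=True)
                target.write_text(body)
        # A file that exists only on the server and in no backup.
        extra = live / "wp-content/uploads/cache/store.php"
        extra.parent.mkdir(parents=True)
        extra.write_text("<?php // never backed up")
        return compare_to_backup(live, backup)

if __name__ == "__main__":
    for kind, paths in demo().items():
        print(kind, paths)
```

Everything under only_on_server survives a restore unless it is removed separately. An empty changed list means the live files match the backup, not that the backup itself is clean.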

How to Fix a Hacked WordPress Website?

So you got your WordPress hacked?
Let’s see how we can get your WordPress site cleaned up and fixed without further delay.

Use Automatic Cleaner

WordPress is a dominant force online, powering almost 30% of all websites. With such a hold comes a vast number of security exploits and attacks, which is why one sees a number of WP security plugins flooding the market today. Most security solutions offer cleanup for a hacked site, but the procedure is long and drawn out. After realizing that your site has been hacked, you’d have to get in touch with security personnel by raising a ticket or emailing them. Only when the security personnel have confirmed that your site is hacked will they initiate the cleanup process. It takes time for them to get back to you and announce that your site is clean.

It’s a time-consuming process, which will affect not just your site’s organic traffic but may also get you blacklisted by Google (if you are already blacklisted, there is a handy guide on how to remove the Google blacklisting warning).

This is the reason we recommend using an automatic cleaner like MalCare. MalCare’s one-click cleaner enables you to take control of your website and remove malware as soon as it is identified. This is the fastest and easiest way of cleaning a hacked website. You won’t have to wait for hours or days for someone else to clean the site, nor do you need to share your site credentials with a stranger. Your site won’t just be clean but it will also be safe from unknown interventions.

Site Fixed? Don’t Rest Just Yet!

Once the compromised WordPress site has been cleaned, it’s important to find out what caused the hack in the first place. Also, to secure your website, a few more things are left to do. We’ll discuss them below:

Find the Cause of the Hack

The number one cause of compromised sites is outdated plugins and themes. When a vulnerability develops in a plugin, the plugin developer creates a patch and issues an update. If the plugin isn’t updated, the site on which the plugin is installed is vulnerable to hacking attempts. Hackers usually keep track of vulnerable plugins. Once developers deploy updates, the vulnerability becomes common knowledge. Hackers target this vulnerability in hopes of breaching websites that haven’t updated the plugin yet. Therefore, we’d suggest you update all your themes and plugins. Also make sure to check with your hosting provider, because hacks can affect more than just your site. Your hosting company might need to take a few steps of their own.

Enable Site Hardening

WordPress recommends that users take certain measures to harden their websites against hackers, bots and the rest. These include disabling the file editor, enabling firewall security, and more. The only catch is that you’ll need a bit of technical expertise to perform site hardening measures. If you do have technical knowledge about WordPress, then we’d recommend you take backups before fiddling with the website. And for those of you who don’t have any technical expertise in WordPress, simply use a plugin like MalCare that offers Site Hardening features that can be enabled with a few clicks.

Choose Your Backup Service Wisely

Taking WordPress backups is a core security measure, and if you have done it already, pat yourself on the back. But the quality of backups differs from service to service. The market is flooded with a number of backup plugins and services. Some backup services store backups for only a few weeks while others like BlogVault store backups for up to 365 days. It’s important to choose a backup service that allows you to back up your site automatically every day. Some backup services are flexible and allow users to schedule backups too. After cleaning your site with an automatic cleaner, you need to take fresh backups.


Fixing a hacked WordPress site does not guarantee the site won’t be compromised again. Taking precautions and maintaining your WordPress site is the key to your site’s safety from future hack attempts. We suggest that you take a look at this step-by-step guide on how to do WordPress website maintenance yourself like a pro. You can also try using specific tools or WordPress plugins that can scan WordPress files and your website to detect malware, malicious code, infected files or hidden viruses. Removing a hack and malicious code with MalCare is easy. Thanks for reading.