WordPress Hacked: What to Do If Your WordPress Website Is Hacked?

Mar 4, 2020

Big or small, about 90,000 WordPress sites are hacked every day! Once hackers gain access, they can use WordPress websites for all sorts of malicious activities including illegal ones. They can deface your home page and promote their own propaganda, launch attacks on bigger sites, sell illegal drugs/products, and redirect visitors to their own site, among a long list of other things. Once you know you’re hacked, you need to fix it immediately.

However, detecting and cleaning it is not always easy since there are different kinds of hacks and each one has its own complexities. In this article, we’ll guide you on how to check if your site is hacked, what steps to take to fix it, and how to prevent it in the future.


If you’ve been hacked and need to get your website fixed immediately, you can use our WordPress Malware Removal Tool. No matter what kind of malware you have on your website, MalCare will remove every last bit of it. You can be 100% hack-free instantly and be shielded from future attacks.

WordPress Hacked: Signs of a Hacked Site

Before we show you how to clean your website, let’s ensure that your website is really hacked. We’ll look at some of the signs of a hacked WordPress website –

1. Can’t Log Into Website

When you are unable to log in to your site, it’s usually because you’ve forgotten your password. If you are unable to reset your password or are sure your login credentials are correct, your site is very likely hacked. When a hacker takes control of your site, one of the first things they do is delete admin accounts. That way only they will have access to your website.

2. Website is Slow or Unresponsive

If your website becomes slow all of a sudden, that naturally raises a red flag.

Your website uses resources from your hosting server to perform regular processes such as displaying content to your visitors or sending emails.

Once they gain access to your site, hackers use your site to execute malicious activities like sending spam emails and displaying malicious ads. Such activities will burden your site’s server and bring down the speed of your site.

These activities slow your website down because your site server is taking on the burden of executing those malicious activities, on top of performing regular processes. You can check why your website is slow here.

3. Unknown User Accounts

How often do you check the user accounts of your WordPress site? Are you aware of all the users added to your dashboard?

Hackers would ideally want to go undetected for as long as they can. So when hackers gain access to your site, they create new user accounts. It allows them to log into your site and quietly exploit it.

The new malicious accounts can go undetected for a long while because website owners generally don’t check their accounts.

If you find new user profiles that you cannot recognize or are sure you didn’t add, they were very likely created by a hacker.

4. Website Redirecting to Another Site

Have you received complaints from your visitors that they are being redirected to another site? Or are you seeing a sudden drop in traffic for no reason?

These are classic signs of a hacked website.

In this type of attack, hackers steal your traffic by redirecting your visitors to a malicious website. Hackers could be selling illegal products or even duping your visitors into sharing sensitive information.

5. PC Antivirus Flagging Website as Unsafe

Computer antiviruses are designed to protect computer systems from malware infection. Hacked websites can trick visitors into downloading malicious software onto their computers. To prevent this, computer antiviruses raise an alarm when you are visiting a hacked website.

So if you have a computer antivirus flagging your website as unsafe, then your site is hacked.

6. Search Engines Blacklist Site

Search engines (such as Google, Bing, and Yahoo) are committed to making the internet safe for their users. We mentioned earlier that hacked websites try to exploit visitors by stealing sensitive information or duping them into downloading infected software. As a result, search engines blacklist hacked sites and prevent their users from accessing the site.

To learn if your website has been blacklisted, follow our Google blacklist warning guide.



7. Google Showing “This Site May Be Hacked” Message

When you Google search your website, the results show your website along with a “This Site May Be Hacked” message. In this way, search engines deter users from visiting your infected website.

8. Hosting Provider Suspends Your Site

You may have received an email from your hosting provider saying that they have detected malicious activities on your WordPress website.

In most cases, this is how site owners find out that their website is hacked.

Sometimes hosting providers may even suspend your site. If your site is hosted on a shared hosting environment then there are multiple websites on the same server. Your infected website may affect other sites on the same server. To protect websites on the same server, hosting providers will suspend your website and inform you about it.

9. Site Ranking For Illegal Pharmaceutical Drugs

Pharma hacking is a common type of hack attack where your website is stuffed with information on illegal pharmaceutical drugs. Soon your website starts ranking for keywords like Viagra, Cialis, Nexium, etc.

To learn if your website is experiencing a pharma hack, you can check your Google Search Console. From your console dashboard, select the option Search Results and the console will show you a number of queries that your website ranks for.

If you find queries for illegal drugs like Viagra, Cialis, Nexium, etc., you can be sure that your site is hacked.

If you find that your website is showing any of the signs that we have mentioned above, then it’s time to fix your hacked site.

How to Fix a Hacked WordPress Website?

In order to fix your hacked site, you can take the following steps –

    1. Scan your site to find malware infecting your site
    2. After that, you can proceed to clean it
    3. Finally, take measures to fix the vulnerability that caused the hack

There are two ways of scanning a website – using a security plugin or manually. We’ll show you the plugin way first because that’s the easiest! However, if you’re looking to do it manually, jump to this section.

Scan & Clean Your Website Using a Security Plugin

Scanning and cleaning up a hacked website is a complex and time-consuming task. WordPress security plugins make it easy for you by automating the complications and fixing your site for you. By using such plugins, you can clean up the malware in no time and get back to business.

Step 1: Choose a Security Plugin

There are plenty of WordPress security plugins available in the market that will scan and clean your site.

Note: Not all of them are the same. While only a few do a thorough scan, others rely on outdated methods such as signature matching where they try to detect code that is malicious.

Many times, new malicious code goes undetected, so you may think your site is clean when it really is not. Given how difficult it is to find a hack, choose a malware removal plugin that does a deep and thorough scan.

We recommend you use MalCare to scan your site because it uses over 100 signals to detect malware – even those smartly disguised or hidden. Simply sign up and the automated scanner will run through your website and detect malware in under 60 seconds.

Further, many plugins require you to contact their personnel and request a cleanup. They will then proceed to fix your site, and this process may take hours or sometimes even days. MalCare is the only plugin available that allows you to auto-clean your site. You don’t have to wait for anyone else to do it. Your site will be hack-free in a few minutes.

Step 2: Take a Backup

Before you proceed to fix your site, we strongly recommend that you take a backup of your website. This will ensure you don’t lose any data while cleaning up your hacked website. When you sign up for MalCare, you also get access to WordPress backups by BlogVault. So the same tool will take a backup for you.

Step 3: Download & Install the Plugin

To illustrate the process of using a plugin, we’re going to show you how to use MalCare on your website to be hack-free immediately! Visit malcare.com, create an account, and install the plugin.

Step 4: Scan Your WordPress Site

    • Visit the MalCare dashboard and add your site. The scan will automatically run.
    • When the scan is complete and if your site is hacked, you’ll see a notification that tells you how many hacked files have been detected.



Step 5: Clean Your Hacked WordPress Site

    • Cleaning up your site with MalCare is simple. Click on ‘Auto-Clean’, and you’ll be directed to enter your site’s FTP/SFTP credentials.
    • You need your host/server name, FTP type, username and password. If you don’t know these details, take a look at how to find your FTP credentials.
    • In the next screen, you will need to select the folder that contains the WP installation. You can usually find this under ‘public_html’ or look for a folder with the name of your website.



    • After you click on ‘Apply Fix’, the automated cleaning process will begin. This takes a few minutes. You can exit the page if you like and be notified by email once it’s complete.
    • After it’s done, you’ll see that your site is cleaned! That’s it.

You can visit your site and see that the hack is removed and your site is back to normal. That said, your website is not fixed yet.

Step 6: Remove Vulnerabilities & Take Security Measures

Hackers use vulnerabilities present on your site to hack into it. Cleaning the site alone will not remove the vulnerabilities. Moreover, if you don’t remove the vulnerabilities, chances are you’ll be hacked again.

Vulnerabilities on the WordPress website are generally found in an outdated theme or a plugin. Hence, update your website to the latest WordPress version. Here’s a guide on how to update WordPress websites safely.

A few more things we suggest you do to fix your WordPress website –

    1. Run a scan again to double-check that your site is completely hack-free.
    2. Take a fresh backup. This will ensure your cleaned site is copied and saved safely.
    3. Activate the plugins and themes that you need.
    4. After that, delete unused plugins and themes.
    5. Change all your passwords and replace those passwords with strong credentials.
    6. Run updates for WordPress core, theme and plugins if they are available.
    7. If your site was blacklisted by Google, you need to submit it for review to get it back on the whitelist.
    8. In case your web host suspended your site, you can contact them to get it back online.
    9. If you don’t have one already, install an audit or activity log to keep track of changes on your site.

Scan & Clean Your Website Manually

If you’d like to attempt a manual scan and clean up, we’ve detailed the process below.

But to be honest, the process takes up a lot of time. Even if you’re an experienced tech-savvy person, a small slip up can break your website.

We strongly advise you to try this on a test staging site first. You can check our top 5 WordPress staging plugins. If you don’t know what you’re doing, you can simply make matters worse. First, always take a backup before you attempt a manual scan and clean.

Step 1: Get an FTP Client

To start, you need to download an FTP client like FileZilla. Open FileZilla, enter your FTP credentials and connect to your site.

Step 2: Find Hacked Files

Now, we need to find the hack. You can do this in the following ways:

    • Check for recently modified files by looking at the last modified date column. Usually, these files are never changed. So, if you see files that have been altered in the last few days, you can be sure that’s the hacked file. You can use the following command in your website’s directory:

          find . -mtime -5 -ls

      This will show you the files modified in the last five days. Now, this method is not foolproof. Hackers can change the modified date and disguise their hack. They could’ve also hacked your site months ago without you knowing it.
    • Look for known malicious code and delete it. Usually, hacks contain signature code such as eval, base64_decode, and gzuncompress. Note that some of these functions are used in legitimate plugins, so you might break a component of your site by deleting them.
    • Download a fresh WordPress installation and compare the files to spot discrepancies. Ensure you download the same version as the one your site is running on.
    • If you use an audit log, you can inspect it to identify suspicious behavior. Look out for change in passwords, newly created admin users, any modifications made to files, etc.
    • You can also check the log files of your web server or FTP server to see if you received unusual traffic from a particular IP address.
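
One way to carry out the fresh-install comparison and the signature search from Step 2, shown as an added example that is not part of the original article. It assumes a POSIX shell and a clean copy of the same WordPress version already unpacked; the function names and the sample tree are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the original article): triage a WordPress tree
# against a clean download of the same version. Paths are assumptions.

# Report core files that differ from, or do not exist in, the clean copy.
# wp-content is skipped because themes, plugins and uploads are site-specific.
compare_core() {
    site=$1; clean=$2
    ( cd "$site" && find . -path ./wp-content -prune -o -type f -print ) |
    LC_ALL=C sort |
    while IFS= read -r f; do
        if [ ! -e "$clean/$f" ]; then
            echo "UNKNOWN  $f"       # not shipped with core: review by hand
        elif ! cmp -s "$site/$f" "$clean/$f"; then
            echo "MODIFIED $f"       # candidate for replacement with the clean copy
        fi
    done
}

# List PHP files calling the functions the article names. Hits are leads,
# not verdicts: legitimate plugins call these functions too.
scan_signatures() {
    find "$1" -type f -name '*.php' -exec \
        grep -lE '(eval|base64_decode|gzuncompress)[[:space:]]*\(' {} + |
    LC_ALL=C sort
}

# Constructed sample: one altered core file, the site's own wp-config.php,
# and a plugin that uses base64_decode legitimately.
make_sample() {
    d=$(mktemp -d)
    mkdir -p "$d/clean/wp-includes" "$d/site/wp-includes" \
             "$d/site/wp-content/plugins/demo"
    echo '<?php // core index'  > "$d/clean/index.php"
    echo '<?php // core loader' > "$d/clean/wp-includes/load.php"
    cp "$d/clean/index.php" "$d/site/index.php"
    # Inert stand-in for injected code: the string decodes to "echo 1;".
    echo '<?php eval(base64_decode("ZWNobyAxOw==")); // core loader' \
        > "$d/site/wp-includes/load.php"
    echo '<?php // site settings' > "$d/site/wp-config.php"
    echo '<?php $raw = base64_decode($stored);' \
        > "$d/site/wp-content/plugins/demo/demo.php"
    echo "$d"
}

# Usage: sh triage.sh SITE_DIR CLEAN_DIR  (no arguments: run on the sample)
if [ $# -eq 2 ]; then site_dir=$1; clean_dir=$2
else sample=$(make_sample); site_dir=$sample/site; clean_dir=$sample/clean
     trap 'rm -rf "$sample"' EXIT
fi
compare_core "$site_dir" "$clean_dir"
scan_signatures "$site_dir"
```

wp-config.php is always reported as UNKNOWN because the core download does not ship it, so inspect it by hand rather than deleting it.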

Step 3: Cleaning Malicious Code or Hacked Files

    • Once you find the infected files, you can delete the malicious code.
    • Download a fresh installation of WordPress. Using FTP, drag and drop your fresh install from your local site (on the left) to your website’s folder on the remote site (on the right). This will overwrite any hacks in the core files.



    • You can try restoring your backup to a state before the hack happened. However, you still need to find the vulnerability and fix it.

How to Prevent Your Site from Being Hacked in Future

Getting hacked once is stressful enough! Nobody wants to face such an ordeal a second time around. To make sure this never happens again, we recommend you take the following steps:

1. Update WordPress Regularly

Updates not only carry new features and enhancements, but they also carry security patches. If a flaw is found in the software, it is patched up immediately and an update is rolled out. If you choose to stay on the same version, you choose to use software that has a known vulnerability, making it easy for hackers to exploit it. Consequently, this is one of the most common WordPress hacking techniques.

2. Use Only Trusted Themes & Plugins

Plugins and themes are often exploited by hackers to enter WordPress sites as they are developed by third-parties and not all have good security measures in place. Free/cracked versions of themes and plugins usually have pre-installed malware. Installing such pirated software on your site is basically opening the door for hackers to enter. Therefore, use only trusted plugins and themes that receive updates regularly.

3. Delete Inactive Themes & Plugins

Site owners tend to install themes and plugins and forget about them. This is a bad habit that is rampant among WordPress users. It’s best practice to keep only the active theme and any plugins you are using. The rest should be deactivated and uninstalled.

4. Switch to a Reliable Host

This option is only for those who faced a security issue with hosting providers. Research the market and find a reliable host that meets your requirements. It’s best to have one that offers 24/7 support and has good reviews.

5. Install a Security Plugin

This will ensure you are proactively shielding your site against hackers. If you used the MalCare plugin to scan and clean your site, rest assured, your site is protected for a full year. The plugin puts up a WordPress firewall that defends your site against malicious traffic. It provides round-the-clock protection and regularly scans your site. Moreover, you get access to website hardening features – in which you can disable file editor, protect the uploads folder, change security keys and more.

6. Implement Website Hardening

WordPress recommends you take certain measures to harden your website’s security. You should regularly change all passwords and secret keys, set up alerts for when there are suspicious logins, limit login attempts, disable the file editor, protect your uploads folder and/or disable plugin installations. It may seem like a lot to do, but not to worry, if you’ve installed MalCare, you can completely harden your site with just a few clicks.


Final Thoughts

To sum up, running a hacked website is quite dangerous and comes with severe consequences. You could be roped into selling illegal drugs or promoting propaganda. You could also be pulled into a bigger DDoS scheme wherein hackers attack big companies and brands. Therefore, you need to take care of your security immediately. Here’s what we suggest –

    • It’s extremely important to know the reasons for being hacked in the first place. This will give you a good understanding of what happened, how to seal all entry points and make sure it doesn’t happen in the future.
    • Always keep your site protected by installing MalCare. You’ll never have to worry about getting your WordPress hacked again!
    • Also, take site hardening measures to ensure that it remains protected from future hack attempts.

We sincerely hope that you found the help you needed in this article. If you have any questions, you can reach out to us by clicking on the chat button on the right.
