What to do if Your WordPress Site is Hacked

Websites are being hacked more often every day.

Not only do you owe it to yourself to take every precaution you can to keep the hackers out, you owe it to your customers, friends and everyone who visits your sites.

It’s your responsibility to the web as a whole, not just protection for yourself.

I’ve had malware dumped on my computer when visiting a compromised site. It took me an age to clean it up and, however good that site was, I wouldn’t dream of visiting it again unless I knew the owner, and completely trusted that it had been cleaned up.

Not only that, the search engines know when your site has been compromised and they immediately remove it from their indices, thereby stopping your search engine traffic dead in its tracks.

The first rule of protection

So the first rule in protecting yourself is to ensure you always have a clean version of your site fully backed up.

I carry the last two full site backups (for every site) on my computer, and every other backup ever done is on my external storage.

At a minimum I do a full site backup once a week, and a database backup after every article is published. If I make any changes to the sites, other than new or updated articles, I do an additional full site backup.

If you’re not familiar with the options for backing up WordPress, there are more details here.

To fail to back up is to ask for trouble.

How do I know my site has been compromised?

Many times it will be obvious, because your site will be defaced, you’ll get a warning from your Internet security application when you view it in your browser, or it will redirect visitors to another site. But a lot of times it won’t be.

On this site I have iThemes Security Pro installed.

iThemes Security Pro scans this site every day for malware, SQL injections, cross-site scripting (XSS) and viruses. It also scans all outgoing links from this site to see if any of them lead to compromised sites.

But there’s another way to check your sites: visit your own sites each day.

If your site has been compromised your browser will alert you with a big red box and lots of exclamation marks.

And, of course, you can set up a Google Search Console account and check the Malware link each day.

So what do I do if my site has been compromised?

If you have a good backup routine the answer is simple:

Delete your entire site and database. Then re-install it from the most recent clean backup, and you’ll know which one that is as long as you’ve been checking your sites each day.

If you’re using BackupBuddy you just need to create a new database, upload the backup file and importbuddy.php to the server, navigate to it in your browser (yourdomain.com/importbuddy.php) and follow the on-screen instructions.

More details here.

That’s both the quickest method of cleaning up your site (you can be up and running again in an hour or so) and the most thorough.

This site contains over 2,000 files. Going through that lot to find the ones that have been compromised and cleaning them individually is just not practical.

Deleting everything and re-installing it is the quickest and surest way of cleaning everything up.
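
Before the compromised copy is deleted, it is worth recording which files differ from the clean backup, because that list shows what was changed and helps confirm the backup predates the compromise. The script below is an added example, not part of the original article; it assumes the backup has been unpacked to a directory, and the function names and paths are illustrative.

```python
import hashlib
import os


def sha256_of(path, chunk_size=65536):
    """Hash a file in chunks so large media files do not exhaust memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as handle:
        for chunk in iter(lambda: handle.read(chunk_size), b""):
            digest.update(chunk)
    return digest.hexdigest()


def manifest(root):
    """Map each file's path (relative to root) to its SHA-256 digest."""
    result = {}
    for folder, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(folder, name)
            rel = os.path.relpath(full, root)
            if os.path.islink(full):
                # Record symlinks by target instead of following them.
                result[rel] = "link:" + os.readlink(full)
            else:
                result[rel] = sha256_of(full)
    return result


def compare_to_backup(live_root, backup_root):
    """Return files added, modified or removed on the live site since the backup."""
    live, clean = manifest(live_root), manifest(backup_root)
    return {
        "added": sorted(set(live) - set(clean)),
        "modified": sorted(p for p in live.keys() & clean.keys() if live[p] != clean[p]),
        "removed": sorted(set(clean) - set(live)),
    }


if __name__ == "__main__":
    import sys

    # Usage: python compare_backup.py /path/to/live/site /path/to/unpacked/backup
    report = compare_to_backup(sys.argv[1], sys.argv[2])
    for kind, paths in report.items():
        for path in paths:
            print(f"{kind:9} {path}")
```

Media uploaded and updates installed after the backup was taken will also be listed, so treat the output as a starting point for review and keep a copy of it with the backup.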

If you’ve not been doing regular backups the best way to restore your site is to ask your hosting provider to restore it from their most recent backup.

They should be doing regular backups as part of their service, and it would be worth finding out what their backup schedule is.

The difficulty with this option is that you can’t be sure whether the last backup they did was of the clean site – especially if you’re not checking your sites each day.

A third option is to install a clean copy of WordPress, link it to your database and then upload the latest version of the wp-content folder to restore your media, themes and plugins.

More details here.

If you don’t have that option then you’re left with trying to hunt down the corrupted files and cleaning them individually – and for that you will probably need a professional service such as Sucuri.

There are others, of course, and a Google search for something like ‘clean up a hacked website’ will bring you some results to check out.

Finally, once your site is clean again, you should ask Google to review it, because it will almost certainly have been flagged as compromised. You can do that through your Google Search Console account.

How do I prevent my site from being compromised again?

The first step is to change all your login details

Log in to your re-installed WordPress site and create a new user with administrator privileges, giving it a different user name and password from what you used before. You can use letters, numbers and symbols for your username, just as you can for your password.

Log out and check that the new login works OK, and then delete the user you previously logged in as.

Be sure to go to your profile and change the Nickname to something different from your Username. If you don’t, your username will be publicly visible on all your posts.

Change your cPanel and FTP passwords

Some hosting providers use the same password for cPanel access and FTP. While this is not ideal, it does at least mean you only need to change one password.

If you have separate logins for your hosting control panel and FTP accounts, be sure to change the passwords on both.

Switch from using FTP to SFTP

FileZilla handles SFTP as well as it does FTP, so if your current FTP client doesn’t do SFTP then switch to FileZilla.

Check your computer for malware

If you have keyloggers or other malware on your computer it could be passing your FTP (and every other) login details back to miscreants. Malwarebytes is a great solution for this.

Ensure all your software applications are up to date

Check that any forms you’re using on your site are running on the latest version of their software. Opt in forms and contact forms both offer ways in for hackers, and the form providers should (and generally do) release updates as soon as vulnerabilities are discovered.

Of course, it goes without saying that all software applications, meaning themes, plugins, WordPress core, shopping cart applications and anything else, should always be kept fully updated.

Check and correct your file and folder permissions

The iThemes Security Pro plugin is a good and easy way to do that.
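
If you have shell access, the same check can be scripted. The following is an added example, not from the original article or the iThemes plugin: it lists every file and folder under the site root that group or other users can write to, with the mode that would remain once those write bits are cleared. It assumes the files are owned by the account the site runs under, which varies between hosts.

```python
import os
import stat

# Write permission for group and for everyone else.
LOOSE_BITS = stat.S_IWGRP | stat.S_IWOTH


def audit_permissions(root):
    """Return (relative path, current mode, suggested mode) for loosely writable entries."""
    findings = []
    for folder, dirs, files in os.walk(root):
        for name in dirs + files:
            full = os.path.join(folder, name)
            mode = os.lstat(full).st_mode
            if stat.S_ISLNK(mode):
                continue  # permission bits on a symlink itself are not meaningful
            perms = stat.S_IMODE(mode)
            if perms & LOOSE_BITS:
                suggested = perms & ~LOOSE_BITS
                findings.append((os.path.relpath(full, root), oct(perms), oct(suggested)))
    return sorted(findings)


if __name__ == "__main__":
    import sys

    # Usage: python audit_permissions.py /path/to/site/root
    # Prints chmod commands for review; nothing is changed automatically.
    for rel, current, suggested in audit_permissions(sys.argv[1]):
        print(f"chmod {suggested[2:]} {rel}   # currently {current[2:]}")
```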

Further reading

I’ve written a detailed post on how to set up a disaster recovery plan (it’s on my WordPress Security Basics site).

Stay safe!

Cheers,

Martin Malden

Martin Malden
Owner – WealthyDragon

Website owner: Martin has been working online since 2006 and focuses on two areas: 1) affiliate marketing and 2) designing and building websites based on WordPress. He has his own WordPress agency, and serves clients in Hong Kong, Australia and the UK.