What to do if Your WordPress Site is Hacked

Breaking in. Websites are being hacked more often every day.

Not only do you owe it to yourself to take every precaution you can to keep the hackers out, you owe it to your customers, friends and everyone who visits your sites.

It’s your responsibility to the web as a whole, not just protection for yourself.

I’ve had malware dumped on my machine when visiting a compromised site. It took me an age to clean up my machine and, however good that site was, I wouldn’t dream of visiting it again unless I knew the owner, and completely trusted that it had been cleaned up.

Not only that, the search engines know when your site has been compromised and they immediately remove it from their indices, thereby stopping your search engine traffic dead in its tracks.

The first rule of protection

So the first rule in protecting yourself is to ensure you always have a clean version of your site fully backed up.

I carry the last two full site backups (for every site) on my machine, and every other backup ever done is on my external storage.

At a minimum I do a full site backup once a week, and a database backup after every article is published. If I make any changes to the sites, other than new or updated articles, I do an additional full site backup.

If you’re not familiar with the options for backing up WordPress, there are more details here.

To fail to backup is to ask for trouble.

How do I know my site has been compromised?

Many times it will be obvious, because your site will be defaced, you’ll get a warning from your Internet security application when you view it in your browser, or it will re-direct visitors to another site. But a lot of times it won’t be.

On this site I have SiteLock installed.

SiteLock scans this site every day for malware, SQL injections, XSS scripting and viruses. It also scans all outgoing links from this site to see if any of them lead to compromised sites, based on data that it gets from Google and StopBadWare.org.

If it finds any vulnerabilities, including in sites that I’ve linked to, I’m alerted and given 72 hours to sort out the problem.

It’s a fabulous service and allows me to display that badge at the top right, immediately under the opt-in box.

But there’s a cheaper way to check your sites, assuming you have a full Internet Security protection suite on your machine (such as AVG Internet Security): visit your own sites each day.

If your site has been compromised your Internet Security application will alert you with a big red box and lots of exclamation marks.

And, of course, you can set up a Google Webmaster Tools account and check the Malware link each day.

So what do I do if my site has been compromised?

If you have a good backup routine the answer is simple:

Delete your entire site and empty all the tables in your database. Then re-install it from the most recent clean backup, and you’ll know which one that is as long as you’ve been checking your sites each day.

That’s both the quickest method of cleaning up your site (you can be up and running again in an hour or so) and the most thorough.

This site contains over 2,000 files. Going through that lot to find the ones that have been compromised and cleaning them individually is just not practical.

Deleting everything and re-installing it is the surest way of cleaning everything up.

If you’ve not been doing regular backups the best way to restore your site is to ask your hosting provider to restore it from their most recent backup.

They should be doing regular backups as part of their service, and it would be worth finding out what their backup schedule is.

The difficulty with this option is that you can’t be sure whether the last backup they did was of the clean site – especially if you’re not checking your sites each day.

If you don’t have that option then you’re left with trying to hunt down the corrupted files and cleaning them individually – and for that you will probably need a professional service such as SiteLock.

There are others, of course, and a Google search for something like ‘clean up a hacked website’ will bring you some results to check out.

Finally, once your site is clean again, you should ask Google to review it, because it will almost certainly have been flagged as compromised. You can do that through your Google Webmaster Tools account

How do I prevent my site from being compromised again?

The first step is to change all your login details

Log in to your re-installed WordPress site and create a new user with administrator privileges, giving it a different user name and password from what you used before. You can use letters, numbers and symbols for your username, just as you can for your password.

Log out and check that the new login works OK, and then delete the user you previously logged in as.

Be sure to go to your profile and change the Nickname to something different from your Username. If you don’t, your username will be publicly visible on all your posts.

Change your cPanel and FTP passwords

Some hosting providers use the same password for cPanel access and FTP. While this is not the greatest it does at least mean you only need to change one password.

If you have separate logins for your hosting control panel and FTP accounts, be sure to change the passwords on both.

Switch from using FTP to SFTP

FileZilla handles SFTP as well as it does FTP, so if your current FTP client doesn’t do SFTP then switch to FileZilla.

Check your machine for malware

If you have keyloggers or other malware on your machine it could be passing your FTP (and every other) login details back to miscreants. Malwarebytes is a great solution for this.

Ensure all your software applications are up to date

Check that any forms you’re using on your site are running on the latest version of their software. Opt in forms and contact forms both offer ways in for hackers, and the form providers should (and generally do) release updates as soon as vulnerabilities are discovered.

Of course, it goes without saying that all software applications, meaning themes, plugins, WordPress core, shopping cart applications and anything else, are always fully updated.

Check and correct your file and folder permissions

The WP-Security-Scan plugin is a good and easy way to do that.

Further reading

There’s some more reading on WordPress security here.

Just a word of caution: if the database tables on your existing WordPress site have the wp_ prefix, changing it to something else (as suggested by the WP-Security-Scan plugin and referred to in that article on setting up a new site) is high risk.

Setting up a new WordPress site with a different table prefix is very smart, but if your existing site already has the wp_ prefix you’re probably safer leaving it as it is, unless you’re a wiz with MySQL databases.

What other options are there for fixing a compromised site and what other security steps do you follow? Leave a comment!


Martin Malden.

What do you think?

Comments on this entry are closed.

  • Lydia Sep 13, 2011 @ 17:31


    Great general “heads up” article, although I have been following your security tips series for my WP blogs. The best I’ve seen and easy to follow. Although I have some points to finish I feel a lot more protected from hackers. Thanks a bunch.

    • Martin Sep 13, 2011 @ 20:06

      Hi Lydia,

      Thanks – glad you’re feeling more protected 🙂

      Do remember, though, that no one can ever guarantee you won’t be hacked.

      All we can do is make it as hard as possible, but if someone is determined to get in they will, so be sure to get that backup routine going!



  • juice Sep 22, 2011 @ 13:53

    thanks for the post, but I have to tell you, I have sitelock on my site too, and it has utterly failed to decode, alert or stop an ongoing hack to my site that continually adds users to my WP admin/dashboard and then publishes spam content from my site as blog posts. My site is down now and a mess. cant get rid of the backdoors or code. I have no faith in their services now.

    • Martin Sep 22, 2011 @ 14:44

      Hi Juice,

      I’m really sorry to hear that – I can very well understand how angry that makes you.

      I would say, though, that SiteLock doesn’t claim to protect your site – only to scan it and let you know when there’s some bad stuff on there.

      Getting rid of the backdoors and nonsense code is a painstaking task, for sure. But if you don’t have a clean backup to restore then there’s not much else you can do other than to find the malicious code and clean it.

      As a first step I’d definitely delete all the user accounts on your site and set up just one new one for yourself with Administrator privileges. Then change your FTP and cPanel passwords (if you’re with a cPanel host) and switch to using SFTP. Also check and clean your local machine in case they’ve installed readers on it to pick up your login details.

      Once you’ve stopped them creating new user accounts you’ll have a stable situation and you can then set about looking for the malicious code.

      One plugin that may help is WordPress Exploit Scanner. It’s designed to scan your site for suspicious code. It doesn’t actually clean the code – you will need to do that. But at least it may help you to find it.

      It may also help to install WP-Security-Scan, which is now maintained by Website Defender. You can register your site with Website Defender and they will also scan it and highlight malicious code. Again, they won’t clean it – you have to do that, but at least it will tell you where it is.

      Again – I’m really sorry to hear of the troubles you’ve had and I hope you’re able to get it sorted out soon.



  • Anders Vinther May 31, 2012 @ 5:27

    This is a great list of things to do to secure your WordPress site…

    I recently had some security problems with my WordPress sites, and ended up doing a lot of research into securing WordPress sites…

    I have now written up my experiences in a comprehensive checklist which can be downloaded for free on my site.

    My checklist has a few more items and detailed steps for how to get the job done.

    Hopefully it can help other people securing their WordPress sites…

    • Martin May 31, 2012 @ 7:03

      Thanks Anders,