I’ve cleaned up dozens of hacked WordPress sites, and here’s what actually works: I lock down access immediately, change every password, and scan logs for strange IPs or login bursts. I nuke suspicious admin accounts—names like “admin2” are dead giveaways—and replace core files from a clean source. Backups? I only restore from verified, pre-hack ones, tested first. Then I harden permissions, disable file editing, and enforce 2FA. Ongoing updates and real-time monitoring keep things safe. You’ll see exactly how this unfolds step by step.
TLDR
- Immediately change all passwords and enable 2FA to lock down access after detecting a compromise.
- Scan for malware and backdoors using trusted security tools like Wordfence or MalCare.
- Remove suspicious users, plugins, themes, and files that could serve as entry points or backdoors.
- Restore the site from a clean, tested backup and replace any modified core files with official versions.
- Harden security by updating software, rotating keys, and maintaining regular backups and monitoring.
Take Immediate Action to Secure the Site

When you spot signs your WordPress site’s been compromised, the first thing I do, and what you should do too, is lock things down before the damage spreads.
I change all passwords immediately: admin, hosting, FTP, database, email. Strong, unique ones. No “admin123.” I enable MFA, because relying on passwords alone is like locking your front door but leaving the windows wide open, and I enforce Two-Factor Authentication (2FA) at login as that critical second layer. I also verify and harden site settings such as speed and caching, because misconfigured performance plugins can open the door to further exploits.
Analyze Access Logs for Suspicious Activity
After I’ve locked down the passwords and turned on multi-factor authentication, the next move is opening the hood and checking the logs—because the breach left tracks, and they’re usually in the access logs.
I look for failed login bursts, odd locations, or sudden user changes. Spotting these tells me where they entered, how long they were in, and what they touched—so I can close those gaps fast. This is where an activity log becomes critical for forensic analysis and recovery. Regularly performing a site audit helps uncover overlooked vulnerabilities and harden the site against repeat intrusions.
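The log check described above, as an added example that is not part of the original post: two awk filters over a combined-format access log, one for login bursts and one for logins that were accepted. The function names and the sample lines are constructed for illustration, and treating a 302 answer to a wp-login.php POST as a successful login assumes a default WordPress install.

```shell
# Constructed sample in combined log format; addresses are documentation ranges.
make_sample_log() {
    # Five login POSTs answered 200 (form shown again), all inside one minute...
    for s in 01 09 17 25 33; do
        printf '%s\n' "203.0.113.7 - - [12/Mar/2024:03:14:$s +0000] \"POST /wp-login.php HTTP/1.1\" 200 4321 \"-\" \"Mozilla/5.0\""
    done > "$1"
    # ...then one answered 302, plus an ordinary page view from another address.
    printf '%s\n' \
        '203.0.113.7 - - [12/Mar/2024:03:14:41 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"' \
        '198.51.100.20 - - [12/Mar/2024:03:15:02 +0000] "GET /blog/ HTTP/1.1" 200 9876 "-" "Mozilla/5.0"' >> "$1"
}

# login_bursts LOG [MIN]
# Prints "count ip minute" for every address that sent at least MIN (default 5)
# POSTs to wp-login.php or xmlrpc.php within the same clock minute.
login_bursts() {
    awk -v min="${2:-5}" '
        $6 == "\"POST" && $7 ~ /^\/(wp-login|xmlrpc)\.php/ {
            # $4 looks like "[12/Mar/2024:03:14:07"; keep dd/Mon/yyyy:HH:MM
            hits[$1 " " substr($4, 2, 17)]++
        }
        END { for (k in hits) if (hits[k] >= min) print hits[k], k }
    ' "$1" | sort -rn
}

# login_successes LOG
# Prints "ip timestamp" for login POSTs answered with a redirect. On a default
# install that is what an accepted login looks like, so these lines show when
# an address actually got in (heuristic: custom login plugins may differ).
login_successes() {
    awk '$6 == "\"POST" && $7 ~ /^\/wp-login\.php/ && $9 == 302 {
        print $1, substr($4, 2)
    }' "$1"
}

# Usage (the log path is an example; use your server's own):
#   login_bursts /var/log/apache2/access.log 5
#   login_successes /var/log/apache2/access.log
```

A burst that ends in a redirect from the same address is the line to start the timeline from.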
Identify and Remove Unauthorized User Accounts

I’ve seen hackers hide rogue admin accounts like “adminbackup” or “wp-system” right inside WordPress, where they won’t show up in your user list—don’t assume what you see is all there is.
Check your database directly or run a security scan, because these shadow users often slip past the dashboard thanks to sneaky code tweaks.
If you find any suspicious accounts, especially with odd emails or created at odd hours, delete them immediately and reassign their content to a trusted admin.
When choosing tools to help with cleanup, prefer trusted AI plugins that have clear security practices, good reviews, and regular updates.
Check for Suspicious Admin Users
More often than not, I find hidden admin accounts lurking in compromised WordPress sites—silent backdoors disguised as legitimate users, patiently waiting for the next opportunity to strike.
Check user lists for odd names like “admin2” or emails from suspicious domains. Cross-reference database entries and use WPScan to uncover hidden ones. If an account reappears after deletion, you’ve got persistent malware—time to dig deeper.
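One way to do the database cross-check described above, as an added example that is not from the original post. It assumes WP-CLI (`wp`) is installed and run from the site root, and that the table prefix is the default `wp_` unless passed in; the function names are made up for this sketch.

```shell
# db_admins [PREFIX]
# Login, e-mail and registration time of every account whose capabilities
# include "administrator", read straight from the tables with "wp db query".
# Sorted by registration time so recent or odd-hour accounts stand out.
db_admins() {
    p=${1:-wp_}
    wp db query "SELECT u.user_login, u.user_email, u.user_registered
        FROM ${p}users u JOIN ${p}usermeta m ON m.user_id = u.ID
        WHERE m.meta_key = '${p}capabilities'
          AND m.meta_value LIKE '%\"administrator\"%'
        ORDER BY u.user_registered" --skip-column-names
}

# listed_admins
# What WordPress itself reports. This listing goes through WordPress and
# whatever plugin or theme code it has loaded, which is where an account
# can be filtered out of view.
listed_admins() {
    wp user list --role=administrator --field=user_login
}

# hidden_admins [PREFIX]
# Logins that hold the administrator role in the database but are missing
# from the listing. Any output here deserves a closer look.
hidden_admins() {
    t=$(mktemp -d)
    db_admins "$1" | cut -f1 | sort > "$t/db"
    listed_admins | sort > "$t/listed"
    comm -23 "$t/db" "$t/listed"
    rm -rf "$t"
}

# Usage, from the WordPress root:
#   db_admins        # review e-mails and registration times by eye
#   hidden_admins    # empty output means the two views agree
```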
Remove Unauthorized Access Accounts
Let’s clean house—because leaving unauthorized admin accounts in your WordPress site is like changing the locks but handing the spare key to the burglar.
I check the Users list, spot red flags like “AdminZaxHH34” or hotmail.com emails, then delete them immediately.
I always reassign their content first.
If I’m unsure, I change the password instead—better safe than sorry.
Scan for Malware Using Trusted Security Tools
While you might be tempted to plunge into cleanup right away, scanning for malware with a trusted security tool is the smarter first move—because you can’t fix what you can’t see.
I rely on Wordfence or MalCare: they scan deeply, spot hidden threats, and save hours. The free versions work fine for the basics, but premium is worth it: you get real-time protection rather than a 30-day delay on new threats.
If your site’s visibility could be affected, also check for issues that might lead to profile suspension and address them promptly.
Eliminate Malicious Code and Backdoors

Once you’ve confirmed the infection with a solid scan, it’s time to roll up your sleeves and start cutting out the bad code—because leaving even a single backdoor open is like handing the hacker a spare key to your site.
I replace compromised core files using WP-CLI or a clean download, never overwriting wp-config.php or wp-content. I compare files with diff or Wordfence, then manually delete suspicious scripts in wp-admin or wp-includes, since new files there are almost never legitimate.
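The core-file comparison described above, as an added example that is not from the original post: it walks wp-admin and wp-includes on the site and checks each file against a freshly downloaded copy of the same WordPress version. The function names and the fixture are constructed for illustration; where WP-CLI is available, `wp core verify-checksums` reports the same kind of drift and `wp core download --force --skip-content` replaces core without touching wp-content.

```shell
# core_drift CLEAN SITE
# CLEAN is an unpacked official release, SITE is the live WordPress root.
# Prints "ADDED path" for files the release never shipped and
# "MODIFIED path" for files whose bytes differ from the release.
core_drift() {
    clean=$1
    site=$2
    ( cd "$site" && find wp-admin wp-includes -type f | sort ) |
    while IFS= read -r f; do
        if [ ! -f "$clean/$f" ]; then
            echo "ADDED $f"
        elif ! cmp -s "$clean/$f" "$site/$f"; then
            echo "MODIFIED $f"
        fi
    done
}

# Constructed fixture: $1 becomes the clean copy, $2 the site copy with one
# changed file and one extra file. File contents are placeholders.
make_sample_trees() {
    mkdir -p "$1/wp-admin" "$1/wp-includes" "$2/wp-admin" "$2/wp-includes"
    echo 'original admin file' > "$1/wp-admin/index.php"
    echo 'original admin file' > "$2/wp-admin/index.php"
    echo 'original include'    > "$1/wp-includes/load.php"
    echo 'original include plus an injected line' > "$2/wp-includes/load.php"
    echo 'placeholder for a file the release never shipped' \
        > "$2/wp-includes/class-wp-cache-x.php"
}

# Usage (paths are examples):
#   core_drift /tmp/wordpress-clean /var/www/html
```

Review every ADDED line before deleting it, and replace MODIFIED files from the clean copy rather than editing them in place.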
I clean the database via phpMyAdmin, stripping malicious SQL and post content. Finally, I remove rogue plugins and themes entirely, not just deactivate them, and check for sneaky admin users. It’s surgical work—precision matters more than speed.
Reset All Critical Passwords and Access Keys
I’ve reset hacked sites dozens of times, and skipping password changes is the fastest way to get reinfected—change your admin passwords now, using strong, unique ones, not that “password123” you’ve been avoiding fixing.
While you’re at it, update your hosting, FTP, and database credentials too, because hackers often grab those for backdoor access.
And don’t forget API keys; rotating them isn’t glamorous, but it stops silent breaches most people don’t even see coming.
Change Admin Passwords Immediately
You’d be surprised how often I find the default *admin* username still active on hacked WordPress sites—it’s like leaving your front door open with a sign saying “Rob me.”
Right after a breach, I always change every admin password and access key immediately, not just because it’s standard procedure, but because hackers often walk in through reused or weak credentials.
Update Hosting and FTP Credentials
While securing your WordPress login is essential, skipping the hosting and FTP credentials leaves the back door wide open—because if hackers still have server-level access, resetting just the admin password is like rekeying your front door while handing them a spare garage remote.
I reset my hosting password, enable 2FA, and rotate all FTP and SSH keys immediately. I switch to SFTP, restrict access by IP, and prune unused accounts—because convenience means nothing if they’re back in by Tuesday.
Rotate Database and API Keys
Change your database and API keys now—because leaving old credentials intact after a hack is like handing the burglar a map to your new house.
I reset wp-config.php passwords and MySQL users, then update the file with fresh credentials.
I regenerate WordPress salts using the official API and nuke old API keys.
I restrict database access to localhost only—no remote loopholes.
I set wp-config.php permissions to 600 so only the owner can read it.
I verify the site still runs, then double-check for backdoors in user tables.
Skipping this step? That’s a reroute to “Hacked Again” town.
Restore From a Clean and Verified Backup
Restoring from a clean and verified backup is where the real work begins—and where most people accidentally reinfect their site.
I scan the ZIP locally, confirm it predates the hack, and load it on staging first. I check for malware, make certain the database and wp-content are complete, then wipe everything compromised before restoring verified files and SQL.
Harden Site Security Settings and Permissions

Once the mess is cleaned up, I lock down the site like I’m sealing a vault, because the same gaps that let hackers in will just invite them back if left open.
I set file permissions to 644, directories to 755, and disable PHP execution in uploads. I add DISALLOW_FILE_EDIT, force SSL, and block XML-RPC—simple, proven steps most overlook.
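The permission settings above, together with the 600 mode on wp-config.php from the key-rotation step, as an added example that is not from the original post. It assumes Apache 2.4 with AllowOverride enabled for the uploads rule; the function names and the fixture are constructed for illustration.

```shell
# harden_wp ROOT: apply the modes named in the text under the WordPress root.
harden_wp() {
    root=$1
    up="$root/wp-content/uploads"
    mkdir -p "$up"
    # Assumption: Apache 2.4 with AllowOverride on. An existing .htaccess is
    # left alone so site-specific rules are not lost; merge by hand then.
    [ -e "$up/.htaccess" ] || cat > "$up/.htaccess" <<'EOF'
<FilesMatch "\.(php|phtml|phar)$">
    Require all denied
</FilesMatch>
EOF
    find "$root" -type d -exec chmod 755 {} +
    find "$root" -type f -exec chmod 644 {} +
    chmod 600 "$root/wp-config.php"
}

# perm_findings ROOT: print one line per setting that is still loose.
perm_findings() {
    root=$1
    find "$root" -type d ! -perm 755 -exec echo dir-mode {} \;
    find "$root" -type f ! -name wp-config.php ! -perm 644 -exec echo file-mode {} \;
    find "$root/wp-config.php" ! -perm 600 -exec echo config-mode {} \;
    # Scripts in uploads are not removed automatically: review, then delete.
    find "$root/wp-content/uploads" -type f -name '*.php' -exec echo php-in-uploads {} \;
    # The dashboard file editor stays available until this constant is set to true.
    grep -Eq "^[[:space:]]*define\([[:space:]]*['\"]DISALLOW_FILE_EDIT['\"][[:space:]]*,[[:space:]]*true" \
        "$root/wp-config.php" || echo file-editor-enabled
}

# Constructed fixture with deliberately loose settings.
make_sample_site() {
    mkdir -p "$1/wp-content/uploads/2024"
    printf '%s\n' '<?php' "define( 'DB_NAME', 'example' );" > "$1/wp-config.php"
    echo 'placeholder' > "$1/wp-content/uploads/2024/image.php"
    chmod 666 "$1/wp-config.php"
    chmod 777 "$1/wp-content/uploads"
}

# Usage (path is an example):
#   harden_wp /var/www/html && perm_findings /var/www/html
```

Running `perm_findings` again after `harden_wp` leaves only the items that need a human decision: scripts sitting in uploads and a wp-config.php without `DISALLOW_FILE_EDIT`.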
Implement Two-Factor Authentication for Logins
I almost always make two-factor authentication (2FA) the next move after cleaning and locking down a compromised WordPress site—because let’s be honest, strong passwords alone are like locking your front door but leaving the windows wide open.
I use WP 2FA or Wordfence, enable app-based codes, and enforce it for admins. You’ll scan a QR code, enter a six-digit token at login, and stash recovery codes safely—non-negotiable steps that actually work.
Maintain Ongoing Protection With Updates and Monitoring

Honestly, I treat updates and monitoring like routine maintenance on a high-mileage vehicle—skip them, and you’re not just risking a breakdown, you’re practically inviting one.
I patch vulnerabilities fast, test updates in staging, and run real-time scans. I clear caches after updates, nuke abandoned plugins, and back everything up first—because skipping these isn’t saving time, it’s just prepping for an outage.
And Finally
I’ve cleaned up more hacked WordPress sites than I care to count, and the fix always starts with urgency, not panic. You don’t need magic—just method: secure access, purge malware, restore clean backups, then lock things down. Skipping steps? That’s how backdoors survive. I enforce 2FA and strict permissions because “it’s fine” is what hackers love to hear. Stay updated, stay vigilant, and treat security like maintenance, not a crisis drill.



