Recognizing and Repairing WordPress Hacks: A Complete Guide

Best practices

If your WordPress site has been acting strange lately - loading slowly, displaying unfamiliar content, or showing suspicious admin users - you might be dealing with a hack. Modern website attacks have evolved far beyond the obvious defacements of the past, making them harder to detect but potentially more damaging to your business.

How WordPress Hacks Have Changed

Gone are the days when hackers simply replaced your homepage with a flashy message claiming credit for the attack. Today's WordPress hacks are designed to stay hidden while achieving specific goals. Modern attackers typically want to use your site's resources and reputation for their own benefit rather than destroying it outright.

Modern hack objectives include:

  • Stealing visitor information like login credentials and personal data

  • Using your site to boost another website's search rankings through hidden links

  • Mining cryptocurrency using your server's processing power

  • Distributing malware to your visitors

  • Sending spam emails through your hosting account

These subtle attacks can run for months without being noticed, causing long-term damage to your site's reputation and search rankings.

Common Signs Your WordPress Site Is Hacked

Performance Issues

Slower loading times are often the first sign something is wrong. Malicious code running in the background consumes server resources, making your site sluggish for legitimate visitors.

Unexpected downtime or frequent crashes can indicate your server is overwhelmed by malicious processes or that critical files have been corrupted.

Suspicious User Activity

Unknown admin accounts appearing in your WordPress dashboard is a clear red flag. Hackers create these accounts to maintain access even if you change your password.

Unfamiliar content or pages showing up on your site, especially pages you never created, often contain spam links or malicious code.

Search Engine Warnings

Google security warnings displayed when visitors try to access your site indicate Google has detected malicious content.

Sudden drops in search rankings can happen when search engines detect spam content or malicious links on your site.

Technical Indicators

Unexpected redirects sending visitors to other websites, particularly suspicious ones, are common in hacked sites.

New files appearing in your WordPress directories, especially with random names or in unusual locations.

Modified file dates on core WordPress files can indicate unauthorized changes.

How to Verify if Your Site Is Actually Hacked

Quick Security Checks

Scan with online tools like Sucuri SiteCheck or VirusTotal to get an immediate assessment of your site's security status.

Check Google Search Console for security issues and manual actions against your site.

Review your hosting account for unusual resource usage, bandwidth spikes, or error messages.

Manual Investigation

Examine your WordPress users and remove any accounts you don't recognize. Pay special attention to users with administrator privileges.

Check recent file modifications in your hosting control panel or through FTP to identify files changed without your knowledge.

Review your site's source code by viewing page source in your browser. Look for suspicious scripts or links you didn't add.

Step-by-Step WordPress Hack Cleanup Process

1. Create a Backup and Secure Your Access

Important: Back up your site first - even though it's infected, having a backup ensures you can restore functionality if cleanup goes wrong. Store this backup separately from your main backups and label it clearly as "infected backup - emergency use only."

Change all passwords immediately, starting with your WordPress admin account, hosting account, and FTP credentials. Use strong, unique passwords for each account.

Update everything including WordPress core, themes, and plugins to the latest versions. Outdated software is the most common entry point for hackers.

2. Identify the Infection Source

Install Wordfence Security plugin, which provides comprehensive scanning and cleanup tools specifically designed for WordPress sites. The free version includes malware scanning and basic firewall protection.

Run a deep scan to identify malicious files, backdoors, and suspicious code. Wordfence can detect many types of malware that manual inspection might miss.

Check file integrity by comparing your WordPress files to clean versions. Wordfence and similar tools can identify files that have been modified from their original state.

3. Clean Infected Files

Remove malicious files identified during scanning. Some files can be cleaned by removing malicious code, while others should be deleted entirely.

Look for base64 encoded strings in PHP files - these are often used to hide malicious code. Hackers use base64 encoding to disguise malicious scripts, making them look like harmless data to casual inspection.

What to search for:

  • Files containing base64_decode() function calls

  • Long strings of random-looking characters (typically A-Z, a-z, 0-9, +, /)

  • PHP code that looks like: <?php eval(base64_decode('aGVsbG8gd29ybGQ='));?>

  • Files with suspicious code injected at the beginning or end

Common locations for base64 malware:

  • Theme files (header.php, footer.php, functions.php)

  • Plugin files, especially in lesser-known plugins

  • WordPress core files that have been modified

  • Random PHP files in your uploads directory

Base64 encoded malware often recreates itself, so even after removal, it may reappear if you haven't found the source file that's regenerating it.

Replace corrupted core files with fresh copies from the official WordPress download. This ensures you're working with clean, unmodified code.

4. Eliminate Backdoors

Important note: Before making any file changes, create a separate backup of your current site state. This "working backup" lets you restore to this point if you accidentally break something during cleanup.

Search for backdoor files that allow hackers to regain access. These often have innocent-sounding names and may be hidden in theme folders or plugin directories.

Remove unauthorized user accounts and check that remaining accounts have appropriate permission levels.

Scan for scheduled tasks or cron jobs that might reinfect your site automatically.

5. Strengthen Security

Install a security plugin like Wordfence to monitor your site ongoing and prevent future attacks.

Enable two-factor authentication on all admin accounts to add an extra layer of protection.

Limit login attempts to prevent brute force attacks on your admin area.

Hide the WordPress admin area from unauthorized users and consider changing the default login URL.

Prevention: Protecting Your WordPress Site

Keep Everything Updated

Automatic updates for WordPress core, themes, and plugins reduce the window of vulnerability when security patches are released.

Remove unused plugins and themes as they can become security vulnerabilities even when inactive.

Use Security Best Practices

Strong passwords and two-factor authentication on all accounts with site access.

Regular backups stored offsite ensure you can restore your site quickly if an attack succeeds.

Web application firewall can block many attacks before they reach your site.

Security monitoring alerts you to suspicious activity before significant damage occurs.

When to Seek Professional Help

If you're uncomfortable with technical tasks or the infection appears complex, professional help can save time and ensure thorough cleanup. Consider getting expert assistance if:

  • Multiple cleanup attempts haven't resolved the issue

  • You're finding the same malicious code repeatedly after cleaning

  • Your hosting provider has suspended your account due to malicious activity

  • You're not confident identifying all infected files

  • Your site handles sensitive customer information

Professional security services have specialized tools and experience with the latest attack methods, making them more effective at complete cleanup and prevention.

Long-Term WordPress Security Strategy

Maintaining WordPress security is an ongoing process, not a one-time fix. Establish regular security practices including weekly backups, monthly security scans, and prompt installation of security updates.

Monitor your site's performance and search rankings for early signs of problems. Document your security measures and keep contact information for security professionals handy in case you need rapid response to future incidents.

Remember that preventing hacks is always easier and less expensive than cleaning up after them. Investing in good security practices protects your business reputation, customer trust, and search engine rankings.