Finding out your WordPress website has been hacked is not a pleasant experience. Your first instinct might be to panic or start deleting things. Do not. Random deletions can make the cleanup harder or remove evidence that helps identify how the hack happened.
Here is a clear process for dealing with a hacked WordPress site — what to do first, how to clean it, and how to prevent it from happening again.
Step 1 — Confirm It Is Actually Hacked
Before starting cleanup, confirm what you are dealing with. Common signs of a hacked WordPress site:
- Visitors are being redirected to unfamiliar websites
- Google Search shows a “This site may be hacked” warning
- Your hosting provider has suspended the account citing malware
- You see admin users in your WordPress dashboard that you did not create
- Spam pages or links have appeared on your site
- Your site has been defaced — content replaced with a message from the hacker
- Google Search Console shows unusual URLs or crawl errors
Sometimes what looks like a hack is actually a plugin conflict or a rogue update. Run a proper scan before assuming the worst.
Step 2 — Take the Site Offline or Into Maintenance Mode
If your site is actively serving malware or redirecting visitors, take it offline while you clean it. This protects your visitors and prevents further damage to your search engine reputation.
Most hosting control panels let you create a temporary maintenance page or put the site in a holding state. Alternatively, rename your .htaccess file to temporarily block front-end access.
Step 3 — Change All Passwords Immediately
Change passwords for:
- All WordPress admin accounts
- Your hosting control panel
- Your database (via phpMyAdmin or your hosting panel)
- Your FTP/SFTP access
- Your domain registrar account
- Any email accounts connected to the website
Use a strong, unique password for each. A password manager like Bitwarden makes this manageable.
Step 4 — Restore from a Clean Backup (If Available)
If you have a recent backup from before the hack, restoring it is often the fastest path to a clean site. Confirm the backup is clean — if the hack happened weeks ago and went undetected, your most recent backup may also be compromised.
After restoring, still follow the remaining steps to close the entry point. Restoring without addressing the vulnerability means you will be hacked again.
Step 5 — Scan for Malware
If you do not have a clean backup, or you want to verify what was affected, run a malware scan. Options:
- Wordfence — free version includes a malware scanner that compares your core, plugin and theme files against known clean versions
- MalCare — good automated detection, works well on Indian hosting
- Sucuri SiteCheck — free external scanner that checks for known malware signatures
The scan will identify infected files. Do not just delete them — understand what they are first. Some malware inserts itself into legitimate plugin or theme files. Simply deleting those files may break functionality. Replacing them with clean versions is safer.
Step 6 — Remove the Malware
For most common WordPress hacks, the cleanup involves:
- Removing unfamiliar admin user accounts
- Replacing core WordPress files with clean versions (download from wordpress.org)
- Replacing infected plugin and theme files with clean versions
- Scanning and cleaning the database for injected scripts or spam content
- Removing any backdoor files the attacker left (often hidden in obscure directories)
This is where professional help is often worth the cost. Missing a single backdoor means the attacker can re-enter your site even after cleanup.
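To make Steps 5 and 6 concrete, here is an added Python example (not part of this article, and not Wordfence, MalCare or Sucuri code) showing what a file-integrity comparison and a simple suspicious-pattern scan look like. It builds a small constructed WordPress tree in a temporary directory, records the hashes of the clean copy as a manifest, then reports files that were modified, added or deleted in a second copy, and flags PHP files that contain an obfuscated eval or that sit inside wp-content/uploads. The directory layout, file contents, file names and pattern list are assumptions made for the demo; on a real site you would generate the manifest from a fresh wordpress.org download of the same version.

```python
"""Added example: file-integrity check plus suspicious-pattern scan for a
WordPress tree. Everything here (paths, contents, patterns) is constructed for
the demo and is not Wordfence/MalCare/Sucuri code."""
import hashlib
import re
import tempfile
from pathlib import Path

PHP_SUFFIXES = {".php", ".phtml", ".php5", ".php7", ".phar"}

# Constructs that often appear in injected PHP. A hit is a lead to inspect by
# hand, not proof of compromise: some legitimate code matches loosely.
SUSPICIOUS = [
    ("obfuscated-eval", re.compile(
        rb"eval\s*\(\s*(?:base64_decode|gzinflate|gzuncompress|str_rot13|strrev)\s*\(")),
    ("preg-replace-e", re.compile(rb"preg_replace\s*\(\s*['\"][^'\"]*/e['\"]")),
    ("callable-from-request", re.compile(rb"\$_(?:GET|POST|REQUEST|COOKIE)\s*\[[^\]]*\]\s*\(")),
]


def sha256_of(path: Path) -> str:
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root) -> dict:
    """Relative path -> SHA-256 for every file under root. Run this on a
    known-clean copy (e.g. a fresh wordpress.org download of the same version)."""
    root = Path(root)
    return {p.relative_to(root).as_posix(): sha256_of(p)
            for p in root.rglob("*") if p.is_file()}


def compare_to_manifest(root, manifest) -> dict:
    """Report files whose hash differs, files not in the manifest, and files gone."""
    current = build_manifest(root)
    return {
        "modified": sorted(p for p in current if p in manifest and current[p] != manifest[p]),
        "added": sorted(p for p in current if p not in manifest),
        "missing": sorted(p for p in manifest if p not in current),
    }


def scan_suspicious(root) -> list:
    """(relative path, reason) for PHP files inside uploads or matching a pattern."""
    root = Path(root)
    findings = set()
    for p in root.rglob("*"):
        if not p.is_file() or p.suffix.lower() not in PHP_SUFFIXES:
            continue
        rel = p.relative_to(root).as_posix()
        if rel.startswith("wp-content/uploads/"):
            findings.add((rel, "php-in-uploads"))  # uploads should hold media, not code
        data = p.read_bytes()
        for reason, pattern in SUSPICIOUS:
            if pattern.search(data):
                findings.add((rel, reason))
    return sorted(findings)


def build_demo_site(base: Path):
    """Write a tiny constructed 'clean' tree and an 'infected' copy of it."""
    clean, infected = base / "clean", base / "infected"
    files = {
        "index.php": b"<?php require __DIR__ . '/wp-blog-header.php';\n",
        "wp-includes/functions.php": b"<?php function wp_demo() { return 1; }\n",
        "wp-content/themes/demo/functions.php": b"<?php add_action('init', 'wp_demo');\n",
        "wp-content/uploads/2024/photo.jpg": b"\xff\xd8\xff\xe0 constructed jpeg stub",
    }
    for root in (clean, infected):
        for rel, data in files.items():
            (root / rel).parent.mkdir(parents=True, exist_ok=True)
            (root / rel).write_bytes(data)
    # Simulate what a scan should catch: an obfuscated eval appended to a core
    # file (the base64 decodes to the harmless "echo 1;"), a PHP file dropped
    # into uploads, and a theme file that went missing.
    core = infected / "wp-includes/functions.php"
    core.write_bytes(core.read_bytes() + b"eval(base64_decode('ZWNobyAxOw=='));\n")
    (infected / "wp-content/uploads/2024/wp-cache.php").write_bytes(b"<?php echo 'stub';\n")
    (infected / "wp-content/themes/demo/functions.php").unlink()
    return clean, infected


def run_demo() -> dict:
    """Build the constructed site, compare infected vs clean, and scan for patterns."""
    with tempfile.TemporaryDirectory() as tmp:
        clean, infected = build_demo_site(Path(tmp))
        report = compare_to_manifest(infected, build_manifest(clean))
        report["suspicious"] = scan_suspicious(infected)
        return report


if __name__ == "__main__":
    for key, items in run_demo().items():
        print(f"{key}: {items}")
```

The report separates three questions the article raises: which known files changed (replace them with clean copies rather than editing them), which files exist that should not (the usual hiding place for backdoors, especially PHP under uploads or in obscure directories), and which files are missing. The pattern list is deliberately short and only narrows down what to read by hand; it is no substitute for a full scanner or for restoring core, plugin and theme files from clean downloads.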
Step 7 — Update Everything and Harden Security
After cleanup, close the door the attacker used:
- Update WordPress core, all plugins, and all themes to current versions
- Delete any plugins or themes you are not using
- Install a security plugin (Wordfence, Solid Security) if not already active
- Enable login attempt limiting
- Set file permissions correctly (files: 644, folders: 755, wp-config.php: 640)
- Check that your hosting PHP version is current and supported
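The file-permission item in Step 7 is easy to get wrong by hand on a tree with thousands of files, so here is an added Python example (not from this article or any plugin) that audits a WordPress directory against the stated targets of 644 for files, 755 for folders and 640 for wp-config.php, and optionally applies the fix. The demo builds a small constructed site in a temporary directory with three common mistakes (a world-writable uploads folder, an executable PHP file in uploads, and a wp-config.php readable by everyone); the site layout and those starting modes are assumptions for the demo.

```python
"""Added example: audit (and optionally fix) WordPress file permissions against
the 644/755/640 targets. The demo tree and its wrong modes are constructed."""
import stat
import tempfile
from pathlib import Path

FILE_MODE, DIR_MODE, CONFIG_MODE = 0o644, 0o755, 0o640


def expected_mode(path: Path, root: Path) -> int:
    if path.is_dir():
        return DIR_MODE
    # Only the wp-config.php in the site root gets 640, since it holds the
    # database credentials. 640 assumes the web server runs as the file's
    # owner or as a member of its group; otherwise PHP cannot read it.
    if path.name == "wp-config.php" and path.parent == root:
        return CONFIG_MODE
    return FILE_MODE


def audit_permissions(root, fix: bool = False) -> list:
    """Return (relative path, actual, expected) for each mismatch; chmod if fix.
    Symlinks are skipped so a planted link cannot steer a chmod outside the tree."""
    root = Path(root)
    findings = []
    for path in sorted([root, *root.rglob("*")]):
        if path.is_symlink():
            continue
        actual = stat.S_IMODE(path.lstat().st_mode)
        want = expected_mode(path, root)
        if actual != want:
            rel = path.relative_to(root).as_posix()
            findings.append((rel, f"{actual:o}", f"{want:o}"))
            if fix:
                path.chmod(want)
    return findings


def run_demo():
    """Constructed site with three common mistakes; returns findings before
    and after fixing."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp) / "site"
        (root / "wp-content/uploads").mkdir(parents=True)
        for rel in ("wp-config.php", "index.php", "wp-content/uploads/dropped.php"):
            (root / rel).write_text("<?php // constructed stub\n")
        for rel, mode in (("", 0o755), ("wp-content", 0o755), ("index.php", 0o644),
                          ("wp-content/uploads", 0o777),               # world-writable folder
                          ("wp-config.php", 0o644),                    # config readable by all
                          ("wp-content/uploads/dropped.php", 0o755)):  # executable PHP file
            (root / rel).chmod(mode)
        before = audit_permissions(root, fix=True)
        after = audit_permissions(root)
        return before, after


if __name__ == "__main__":
    before, after = run_demo()
    for rel, actual, want in before:
        print(f"fixed {rel}: {actual} -> {want}")
    print("remaining mismatches:", after)
```

Run it once without fix=True to review the list, then with fix=True to apply it. Ownership is the other half of the picture: these modes only have the intended effect when the files are owned by the account you expect and the web server is not that account's peer with write access, which the hosting panel usually shows.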
Step 8 — Request Google Review
If Google has flagged your site with a warning (“This site may be hacked” or “Dangerous site”), submit a reconsideration request through Google Search Console after cleanup is complete. This is done under Security Issues in Search Console. Google typically reviews and removes the warning within a few days of the site being clean.
How Long Does It Take?
A straightforward cleanup on a basic WordPress site takes 2 to 6 hours for someone experienced. Complex hacks involving persistent backdoors, database injections, or multiple infection points take longer. Google’s warning removal adds another 1 to 3 days after the site is clean.
What Does It Cost to Get a Professional to Fix a Hacked Site?
Professional WordPress malware removal in India typically costs Rs 2,000 to Rs 8,000 depending on severity. This is often comparable to the cost of a few months of prevention. The value is not just the cleanup — it is identifying and closing the entry point so it does not happen again.
Website hacked and need professional cleanup? Our website security maintenance service covers malware removal, hardening, and Google reconsideration. For bugs and errors caused by a hack, our WordPress bug fixing service handles recovery. Get in touch immediately.