Fixing WordPress hacked websites

Your WordPress was hacked? The essential guide

Realizing that your WordPress site was hacked is sad.

If it’s any consolation, know that it’s a predictable outcome, especially if you were careless about security. WordPress fuels 80% of hacked websites (source: Sucuri). Yeah, you didn’t sign up for that when you started using this platform.

WordPress is indeed the reason why you got hacked, but the cause remains you, solely. Its widespread use makes it a high priority target for hackers waiting for your first mistake to take over your website.

Hack signs

Spotting an infection can be obvious or challenging, depending on your level. Fortunately, some signs might ring a bell when something fishy is going on with your site. The following is a list of symptoms that most hacked websites have in common:

Slow website / response time

Speed is one of the red flags you get at an early stage of a hack attempt.

Generally speaking, hacks aim to exchange information and diffuse messages. Both processes involve eating up your server’s bandwidth compared to your regular use.

The slowness symptom is very hard to spot on shared hosting plans. Because most shared hosting servers are overcrowded, you naturally assume that the server is saturated, and you are therefore unlikely to investigate the cause of a drastic drop in speed.

Monitoring tools help a lot to spot unusual spikes in bandwidth usage, but you still need to check them regularly.

Errors and messy style

Hacks are code injected into your WordPress installation. Each visit to your website helps the malicious code execute itself and perform its duty.

Like any program, it is likely to conflict with the regular functions of your WordPress website, resulting in:

  • Blank, broken and incomplete pages.
  • PHP warning messages.
  • Commands not executing as they should. Creating, editing and deleting posts, for example, might give you an unexpected outcome.

Anything unusual from your regular use is to be suspected.

Strange codes and files

As you probably know by now, hacking, spamming and all the nasty things that could happen to your WordPress website live through code. Sometimes you’ll find the code in core files like wp-config.php; other times you’ll find distinct files full of scrambled code.

Hackers try to hide it by creating files in places that you are unlikely to check, and even if you do, they use names and extensions close to what you can find on a regular WordPress website. For example:

  • .php files in your wp-content/uploads folder.
  • Fragments of code starting with “eval(base64_decode” followed by long unreadable content.

The number of those code fragments and files will vary depending on the type and the extent of the infection.

Questionable content will show up

At this stage, the hack is fully functional and becomes explicit. It will add unwanted content to your WordPress front end. It could be posts, pages or anything reachable through a URL.

These types of content are commonly enabled through hacks:

  • Controversial medicines and pills (Viagra and similar).
  • Porn and sexual content, implicit and explicit.
  • Websites for risky money transactions: a store, a gambling website or anything similar.
  • Chinese merchandise.
  • Torrents and illegal download websites.

The content is either posted as regular pages/posts in your database or injected dynamically from a third-party server.

Be very careful, because the additional content usually shows up only when you are not logged in. That’s why, in most cases, victims of hacks spend a long time before seeing any explicit signs, and only understand the situation when someone visiting the website sees the abnormal content and bothers to report it.

On that subject, I cleaned up a WordPress blog which had 100k pages from a Chinese online store. And I’m not exaggerating. It was a hundred thousand products’ worth of pages (yes, +100k pages) with a fully operational checkout system.

Search results unrelated to your content

Things start to get nasty at this stage. Search engines have started indexing the injected/unwanted content.

Usually, search engines will index anything from your website after building trust. Hackers take advantage of this automatic behavior to get their content to show on search results.

That alone will profoundly harm your business reputation. Even if the infection is fully cleared, search results will still show the unwanted content. A manual process needs to take place to ask search engines to remove unwanted and compromised web pages permanently. This bad-link removal process is done on a per-link basis.

If you have a handful of pages indexed, that will be relatively easy, but when you have hundreds or thousands of pages, it will take time and a lot of money to get rid of them.

I have seen businesses drop a domain name because of that.

Web browsers will start warning users

At this point, it will directly start to hurt your business and reputation. Standard web browsers like Google Chrome will show a full red or white page with a clear warning that your website is a threat to the visitors’ security.

The warning screen is not straightforward about how to regain access to the website. Not only is your reputation harmed, but you also lose most of your traffic.

When you see this kind of warning, the malicious script is now a contamination agent that might pass the infection to other computers and possibly infect other sites within the same server.

Google says you are a threat

Google indexes millions of websites. When its algorithm observes any suspicious behavior, it sends warning messages through Google Search Console, but most importantly, it shows two additional lines on your search results saying:

  • This website may harm your computer.
  • This site may be hacked.

Unfortunately, most people learn that their web property was hacked that way.

Your hosting company disables your website

Hosting companies may spot infections and take your site offline without your consent.

Companies like GoDaddy, Bluehost, 1&1 run random and frequent scans on shared hosting plans. Because of the linked structure of those kinds of hosting environments, they can’t afford large-scale infections and therefore automatically disable anything suspicious about your website’s files or behavior.

Fixing hacked WordPress websites

Regaining access, cleaning up, and fixing a hacked WordPress site doesn’t follow a particular protocol. It is more of a case-by-case recovery process, depending on the observed signs, the type of the hack, the stage reached and its spread.

In most cases, it can’t be done by a regular user. It doesn’t hurt to try, though.

Consider hiring experienced individuals or services for efficiency.

Experience helps a lot to interpret signs, know where to look for compromised files, fix them without breaking the website, and lock the threat source to prevent future hacks.

A typical process should involve the following:

Open your website in a private window without logging in

Most hacks will only show for non-logged-in users. It’s a smart way to operate under the radar and delay the site owner’s reaction.

Checking explicit hacks live helps to find what type of hacking you are dealing with, and eventually, helps you locate where the compromised files are and how to fix and protect your WordPress website from that specific hack.

A full scan, both automatic and manual

Scanning tools help identify the type of infection and locate files with malicious code.

Wordfence and Sucuri are equally good for that purpose. I have a personal preference for Wordfence as they have a fair per-year paid plan.

Don’t rely on tools alone. Hacking is getting more and more sophisticated. Sometimes the scanning tools won’t reveal any clue or detect any hack sign. A manual check is then necessary to try and find the compromised files and the injected malicious code.

If you are comfortable with Linux and use a VPS to host your WordPress website, the following bash script will save you a huge amount of time by scanning all files for malicious code in a snap.

If you are using Windows, you can download a full copy of your website through FTP to your computer, and use a file editor like Sublime Text to perform the search.
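
As an added example (not the article's original script), the shell functions below scan a WordPress tree for the two indicators listed earlier: PHP files under wp-content/uploads and calls to eval(base64_decode. The function names and the demo tree are this example's own assumptions.

```sh
#!/bin/sh
# Added example: triage scan for the two indicators the article names.
# Function names and the demo tree are this example's own (assumptions).

# 1) PHP files under wp-content/uploads, a folder meant for media only.
php_in_uploads() {
    [ -d "$1/wp-content/uploads" ] || return 0
    find "$1/wp-content/uploads" -type f \
        \( -iname '*.php' -o -iname '*.php[0-9]' -o -iname '*.phtml' \) | sort
}

# 2) PHP files calling eval(base64_decode(...)), ignoring case and spacing.
obfuscated_eval() {
    find "$1" -type f -iname '*.php' -exec grep -liE \
        'eval[[:space:]]*\([[:space:]]*base64_decode[[:space:]]*\(' {} + | sort
}

# Print one tagged line per hit; return 1 if anything needs manual review.
scan_wp() {
    report=$(
        php_in_uploads "$1" | sed 's/^/php-in-uploads  /'
        obfuscated_eval "$1" | sed 's/^/eval-base64     /'
    )
    if [ -z "$report" ]; then
        echo "no indicators found under $1"
        return 0
    fi
    printf '%s\n' "$report"
    return 1
}

# Constructed sample tree (harmless placeholder files, not real malware).
make_demo_tree() {
    d=$(mktemp -d) || return 1
    mkdir -p "$d/wp-content/uploads/2024" "$d/wp-content/themes/demo"
    echo '<?php echo "hello";' > "$d/wp-content/themes/demo/functions.php"
    echo '<?php EVAL ( base64_decode("ZWNobyAxOw=="));' > "$d/wp-config.php"
    echo '<?php // pretends to be a cache file' > "$d/wp-content/uploads/2024/cache.php"
    : > "$d/wp-content/uploads/2024/photo.jpg"
    echo "$d"
}

# Usage: sh wp-scan.sh /path/to/wordpress   (no argument: scan the demo tree)
if [ "$#" -gt 0 ]; then
    scan_wp "$1"
else
    demo=$(make_demo_tree) && { scan_wp "$demo" || true; rm -rf "$demo"; }
fi
```

A hit is a lead for manual review rather than a verdict, since legitimate code occasionally uses the same calls.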

At this stage, you have a full list of your compromised files ready to be processed.

Identifying, cleaning and eventually deleting the corrupted files

This is where qualified professionals come in handy. The malware compromises several types of files. Some can be fully deleted; others will need to be properly cleaned up.

If done carelessly, deleting a core file, a theme’s file or a plugin’s file might break the website.

Looking for the source of the infection to lock it up at once

It is useless to clean up a website without fixing the breach that caused the hack initially. And that is another task that involves experience and full knowledge of WordPress.

There isn’t a specific way to find it. It can be:

  • A file that gives access to your website if requested in a certain way
  • A fragment of code that infects files and eventually recreates a new set of compromised files on each website visit
  • A subtle vulnerability injected and used to reenter your website and reapply the hacking

If you still have this infecting agent, you will be hacked again and again until you get rid of it.

Post Recovery

Make WordPress hack proof

So, you fully recovered from the hack and sealed the breach. It’s time now to secure your WordPress files and environment fully.

Generally speaking, this is what needs to be done to help your WordPress resist future hacks:

  • Fully update WordPress. Core files, themes, and plugins.
  • Get rid of any non-maintained theme or plugin.
  • Get rid of any unofficial theme or plugin, and of any paid plugin downloaded for free (also referred to as nulled).
  • Use a monitoring tool like Wordfence to keep an eye on your website.

But that’s just superficial. You need more in-depth security to make your WordPress almost hackproof.

Check out my full guide to fully secure your site in light of the latest practices and information available to date.

Go to Securing WordPress the right way

Fix your reputation

As we have seen in the hack signs above, hacks will eventually tarnish your reputation with browsers, search engines, and your visitors.

Removing spammy links from search engines is the worst part, especially when it involves cleaning hundreds or thousands of undesirable URLs.

It’s a long and laborious process.

For that to happen, you need to:

The process needs to be done manually and has a limit of 500 entries per day.

Rebuilding trust from your visitors is another story.

Try to be as honest as possible and reassure your audience that all protective measures are enabled, and that your website is unlikely to fall to hacks anytime soon. A couple of freebies and discounts do help considerably.

That's pretty much it!


Never take your website’s security lightly or assume that you are hack proof without being geared accordingly.

Invest heavily in security. It can be a maintenance contract, rigorous updates and upgrades as they go live, buying plugins to strengthen your setup, or investing in better, standalone servers.

Better safe than sorry! Especially if your website works and gets you a nice and steady income.

Need professional help to handle your WordPress website security? Check out my WP security services!
