{"id":4959,"date":"2026-04-01T11:04:47","date_gmt":"2026-04-01T11:04:47","guid":{"rendered":"https:\/\/www.codecaste.com\/blog\/?p=4959"},"modified":"2026-04-02T08:21:53","modified_gmt":"2026-04-02T08:21:53","slug":"wordpress-hacked-fix-guide-2026","status":"publish","type":"post","link":"https:\/\/www.codecaste.com\/blog\/wordpress-hacked-fix-guide-2026\/","title":{"rendered":"WordPress Hacked Fix: Step-by-Step Guide to Remove Malware &amp; Secure Your Site (2026)"},"content":{"rendered":"\n<p>You type in your URL, expecting your site, but what you see stops you cold. A browser warning. Strange content where your homepage used to be. <\/p>\n\n\n\n<p>You try to log in, but your password fails. In that moment, you realise something\u2019s very wrong.<\/p>\n\n\n\n<p>It&#8217;s a gut-wrenching moment. We know.<\/p>\n\n\n\n<p>Before anything else, know this: your situation is 100% fixable.<\/p>\n\n\n\n<p>If your <strong>WordPress site got hacked<\/strong>, you are far from alone. WordPress powers over <strong>43% of all websites on the internet,<\/strong> which makes it the single most targeted platform by hackers worldwide.<\/p>\n\n\n\n<p> Approximately <strong>13,000 WordPress sites<\/strong> are compromised every single day. Not because the owners were reckless, but because automated bots constantly scan millions of sites looking for any known weakness.<\/p>\n\n\n\n<p>This guide is your step-by-step <strong>WordPress hacked fix<\/strong> from the moment you discover the breach all the way to locking your site down so it doesn&#8217;t happen again. 
<\/p>\n\n\n\n<p>We&#8217;ll cover both the path for non-technical site owners and the deeper technical steps for developers.<\/p>\n\n\n\n<figure class=\"wp-block-table\"><table class=\"has-fixed-layout\"><tbody><tr><td><strong>Before you start:&nbsp; <\/strong>If your site handles customer payments or personal data and you believe sensitive information may have been exposed, contact your payment processor and hosting provider before taking any other steps.<\/td><\/tr><\/tbody><\/table><\/figure>\n\n\n\n<h2 class=\"wp-block-heading\"><strong>Step 1: <\/strong>How to Detect a Hack? <\/h2>\n\n\n\n<p>Not every strange website behaviour is a hack. <\/p>\n\n\n\n<p>A broken plugin or a failed update can cause your site to act up, too. So before you spiral, take a moment to confirm what you&#8217;re actually dealing with.<br><\/p>\n\n\n\n<figure class=\"wp-block-image size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"683\" src=\"https:\/\/www.codecaste.com\/blog\/wp-content\/uploads\/2026\/03\/WordPress-site-hacked-warning-in-Google-search-results-1024x683.png\" alt=\"WordPress hacked fix warning screen\" class=\"wp-image-4979\" srcset=\"https:\/\/www.codecaste.com\/blog\/wp-content\/uploads\/2026\/03\/WordPress-site-hacked-warning-in-Google-search-results-1024x683.png 1024w, https:\/\/www.codecaste.com\/blog\/wp-content\/uploads\/2026\/03\/WordPress-site-hacked-warning-in-Google-search-results-300x200.png 300w, https:\/\/www.codecaste.com\/blog\/wp-content\/uploads\/2026\/03\/WordPress-site-hacked-warning-in-Google-search-results-768x512.png 768w, https:\/\/www.codecaste.com\/blog\/wp-content\/uploads\/2026\/03\/WordPress-site-hacked-warning-in-Google-search-results-600x400.png 600w, https:\/\/www.codecaste.com\/blog\/wp-content\/uploads\/2026\/03\/WordPress-site-hacked-warning-in-Google-search-results-900x600.png 900w, https:\/\/www.codecaste.com\/blog\/wp-content\/uploads\/2026\/03\/WordPress-site-hacked-warning-in-Google-search-results.png 
1536w\" sizes=\"auto, (max-width: 1024px) 100vw, 1024px\" \/><\/figure>\n\n\n\n<p><\/p>\n\n\n\n<p>Here are the most common signs of a genuine security breach:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Your browser or Google Search Console is showing a malware warning when visitors try to open your site<\/li>\n\n\n\n<li>Your homepage has been replaced or modified with content you didn&#8217;t write. Often spam, gambling links, or foreign language text<\/li>\n\n\n\n<li>You&#8217;re being automatically redirected to a completely different website when you visit your site<\/li>\n\n\n\n<li>You&#8217;re locked out of the WordPress admin area even though you&#8217;re sure your password is correct<\/li>\n\n\n\n<li>There are new admin user accounts in your dashboard that you never created<\/li>\n\n\n\n<li>Your hosting provider sent a warning email or suspended your site<\/li>\n\n\n\n<li>Google Search Console flagged your site under Security Issues<\/li>\n\n\n\n<li>Visitors are complaining about being taken to spam pages or seeing unexpected pop-ups<\/li>\n<\/ul>\n\n\n\n<p>If you&#8217;re seeing any combination of these, treat it as a confirmed breach and move to the next step.<\/p>\n\n\n\n<figure class=\"wp-block-table\"><table class=\"has-fixed-layout\"><tbody><tr><td><strong>Quick Check:&nbsp; <\/strong>Run your URL through Sucuri SiteCheck (<a href=\"https:\/\/sitecheck.sucuri.net\/\" target=\"_blank\" rel=\"noopener\">sitecheck.sucuri.net<\/a>) or Google Safe Browsing (<a href=\"https:\/\/transparencyreport.google.com\/safe-browsing\/search\" target=\"_blank\" rel=\"noopener\">transparencyreport.google.com\/safe-browsing\/search<\/a>). Both are free and will tell you instantly if your site has been blacklisted or flagged for malware.<\/td><\/tr><\/tbody><\/table><\/figure>\n\n\n\n<h2 class=\"wp-block-heading\"><strong>Step 2: Limit the Damage First<\/strong><\/h2>\n\n\n\n<p>The moment you confirm a hack, your priority is stopping it from spreading too far. 
<\/p>\n\n\n\n<p>The longer a compromised site stays online, the more it can infect visitors with malware, send spam, or slip further into Google\u2019s blacklist.<\/p>\n\n\n\n<p>This step is essential for any WordPress site to stop further damage.<\/p>\n\n\n\n<h3 class=\"wp-block-heading has-black-color has-text-color has-link-color wp-elements-1a9f0fabfaa02d90492441bbc4344124\">1. <strong>Put Your Site Into Maintenance Mode<\/strong><\/h3>\n\n\n\n<p><\/p>\n\n\n\n<p>If you can still log into your WordPress admin, install a maintenance mode plugin like <strong><a href=\"https:\/\/wordpress.org\/plugins\/wp-maintenance\/\" target=\"_blank\" rel=\"noopener\">WP Maintenance Mode<\/a><\/strong> or Coming Soon page by<strong> <a href=\"https:\/\/www.seedprod.com\/\" target=\"_blank\" rel=\"noopener\">SeedProd<\/a><\/strong>, and activate it immediately. This takes your site offline for visitors while you work behind the scenes.<\/p>\n\n\n\n<p>If you can&#8217;t access the dashboard, contact your hosting provider immediately and ask them to restrict public access or redirect traffic temporarily. Most hosts can do this within minutes.<\/p>\n\n\n\n<h3 class=\"wp-block-heading has-black-color has-text-color has-link-color wp-elements-77fd157b30aebcb69614a05e19243d37\">2. <strong>Back Up the Hacked Site Before Doing Anything Else<\/strong><\/h3>\n\n\n\n<p>This sounds counterintuitive, but it&#8217;s important. Take a full backup of everything, even in its current compromised state.<\/p>\n\n\n\n<p>If you accidentally delete something during cleanup and need to go back, this is your safety net. 
<\/p>\n\n\n\n<p>Label it clearly, something like &#8216;<strong>HACKED_BACKUP_[DATE]<\/strong>&#8216; so you never accidentally restore it to a live environment.<\/p>\n\n\n\n<p><\/p>\n\n\n\n<figure class=\"wp-block-image size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"683\" height=\"1024\" src=\"https:\/\/www.codecaste.com\/blog\/wp-content\/uploads\/2026\/03\/Backup-management-interfaces-in-action-683x1024.png\" alt=\"WordPress hacked fix backup dashboard\" class=\"wp-image-4987\" srcset=\"https:\/\/www.codecaste.com\/blog\/wp-content\/uploads\/2026\/03\/Backup-management-interfaces-in-action-683x1024.png 683w, https:\/\/www.codecaste.com\/blog\/wp-content\/uploads\/2026\/03\/Backup-management-interfaces-in-action-200x300.png 200w, https:\/\/www.codecaste.com\/blog\/wp-content\/uploads\/2026\/03\/Backup-management-interfaces-in-action-768x1152.png 768w, https:\/\/www.codecaste.com\/blog\/wp-content\/uploads\/2026\/03\/Backup-management-interfaces-in-action-400x600.png 400w, https:\/\/www.codecaste.com\/blog\/wp-content\/uploads\/2026\/03\/Backup-management-interfaces-in-action.png 1024w\" sizes=\"auto, (max-width: 683px) 100vw, 683px\" \/><\/figure>\n\n\n\n<p><\/p>\n\n\n\n<h3 class=\"wp-block-heading has-black-color has-text-color has-link-color wp-elements-c9ff6cd5bdb598e08914603326297f6c\">3. <strong>Check If Your Host Has a Backup.<\/strong><\/h3>\n\n\n\n<p>Before you dive into technical cleanup, contact your hosting provider first. Many managed hosts keep daily or weekly server-level backups for 7 to 30 days. 
<\/p>\n\n\n\n<p>Ask them: &#8220;Do you have a backup from before [date]?&#8221;<\/p>\n\n\n\n<p>&#8220;Can you restore it to a staging environment first so I can verify it&#8217;s clean?&#8221;<\/p>\n\n\n\n<p>If they have a clean backup from before the hack, restoring from that can save hours of manual work.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\"><strong>Step 3: Lock Down Your Accounts<\/strong><\/h2>\n\n\n\n<p>Before touching a single file, assume the hackers may have your login credentials. <\/p>\n\n\n\n<p>Change every password associated with the site, not just your WordPress login.<\/p>\n\n\n\n<p>Change the passwords for the following: <\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>WordPress admin password for every account with admin access<\/li>\n\n\n\n<li>Hosting control panel password<\/li>\n\n\n\n<li>FTP and SFTP account passwords<\/li>\n\n\n\n<li>The database password (you will need to update this in wp-config.php afterwards)<\/li>\n\n\n\n<li>Email address and password linked to your admin account<\/li>\n\n\n\n<li>Any connected third-party tools like <a href=\"https:\/\/developers.google.com\/analytics\" target=\"_blank\" rel=\"noopener\">Google Analytics<\/a>, <a href=\"https:\/\/mailchimp.com\/\" target=\"_blank\" rel=\"noopener\">Mailchimp<\/a>, or <a href=\"https:\/\/www.cloudflare.com\/\" target=\"_blank\" rel=\"noopener\">Cloudflare<\/a><\/li>\n<\/ul>\n\n\n\n<p>Use a password manager like <a href=\"https:\/\/bitwarden.com\/\" target=\"_blank\" rel=\"noopener\">Bitwarden<\/a> or <a href=\"https:\/\/1password.com\/\" target=\"_blank\" rel=\"noopener\">1Password<\/a> to generate strong, unique passwords of at least 16 characters for every account. 
Do not reuse passwords across accounts.<\/p>\n\n\n\n<h3 class=\"wp-block-heading has-black-color has-text-color has-link-color wp-elements-dcf1efa4e261fa12aeffbde10cc745e9\"><strong>Remove Unknown Admin Users<\/strong><\/h3>\n\n\n\n<p>Go to your WordPress dashboard, navigate to Users, and look for any accounts you don&#8217;t recognise, particularly those with Administrator-level access. Delete them immediately.<\/p>\n\n\n\n<p>Hackers routinely create a hidden admin account as a backdoor so they can get back in even after you change your password. This is one of the most commonly missed steps during a recovery, and it&#8217;s why some sites get re-infected within days.<\/p>\n\n\n\n<figure class=\"wp-block-table\"><table class=\"has-fixed-layout\"><tbody><tr><td><strong>Document everything:&nbsp; <\/strong>Keep a record of every account you delete and every password you change. If this incident escalates legally or requires insurance involvement, this log will matter.<\/td><\/tr><\/tbody><\/table><\/figure>\n\n\n\n<h2 class=\"wp-block-heading\"><strong>Step 4: WordPress Hacked Fix \u2013 Malware Removal Process<\/strong><\/h2>\n\n\n\n<p>Now it&#8217;s time to find exactly what was planted and where. 
This is the core of your recovery process.<\/p>\n\n\n\n<p>The <strong>WordPress malware removal<\/strong> process can be done in two ways: using a security plugin that automates most of it, or manually reviewing files.\u00a0<\/p>\n\n\n\n<p>For most site owners, start with the plugin route.<\/p>\n\n\n\n<p><\/p>\n\n\n\n<figure class=\"wp-block-image size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"632\" src=\"https:\/\/www.codecaste.com\/blog\/wp-content\/uploads\/2026\/04\/WordPress-hacked-fix-Wordfence-scan-1024x632.png\" alt=\"WordPress hacked fix Wordfence scan\" class=\"wp-image-5032\" srcset=\"https:\/\/www.codecaste.com\/blog\/wp-content\/uploads\/2026\/04\/WordPress-hacked-fix-Wordfence-scan-1024x632.png 1024w, https:\/\/www.codecaste.com\/blog\/wp-content\/uploads\/2026\/04\/WordPress-hacked-fix-Wordfence-scan-300x185.png 300w, https:\/\/www.codecaste.com\/blog\/wp-content\/uploads\/2026\/04\/WordPress-hacked-fix-Wordfence-scan-768x474.png 768w, https:\/\/www.codecaste.com\/blog\/wp-content\/uploads\/2026\/04\/WordPress-hacked-fix-Wordfence-scan-1536x948.png 1536w, https:\/\/www.codecaste.com\/blog\/wp-content\/uploads\/2026\/04\/WordPress-hacked-fix-Wordfence-scan-2048x1264.png 2048w, https:\/\/www.codecaste.com\/blog\/wp-content\/uploads\/2026\/04\/WordPress-hacked-fix-Wordfence-scan-600x370.png 600w, https:\/\/www.codecaste.com\/blog\/wp-content\/uploads\/2026\/04\/WordPress-hacked-fix-Wordfence-scan-972x600.png 972w\" sizes=\"auto, (max-width: 1024px) 100vw, 1024px\" \/><\/figure>\n\n\n\n<p><\/p>\n\n\n\n<h3 class=\"wp-block-heading has-black-color has-text-color has-link-color wp-elements-de9c9451485cedeb75d7e681000f62dc\">1. 
<strong>Using a Security Plugin (Recommended for Most Users)<\/strong><\/h3>\n\n\n\n<p>Install one of the following trusted plugins and run a full site scan immediately:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong><a href=\"https:\/\/www.wordfence.com\/\" target=\"_blank\" rel=\"noopener\">Wordfence Security:<\/a><\/strong> Compares every file on your site against the clean versions in the official WordPress repository. It flags anything that was modified, added, or doesn&#8217;t belong there. The free version handles most infection scenarios well.<\/li>\n\n\n\n<li><strong><a href=\"https:\/\/wordpress.org\/plugins\/malcare-security\/\" target=\"_blank\" rel=\"noopener\">MalCare<\/a>:<\/strong> Known for catching deeply hidden malware that other scanners miss. Good for stubborn or complex infections where Wordfence may return a clean result, but something still feels off.<\/li>\n\n\n\n<li><strong><a href=\"https:\/\/wordpress.org\/plugins\/sucuri-scanner\/\" target=\"_blank\" rel=\"noopener\">Sucuri Security<\/a>:<\/strong> Offers both a site scanner and a web application firewall, making it a strong choice for cleanup plus ongoing protection.<\/li>\n<\/ul>\n\n\n\n<p>When the scan finishes, you&#8217;ll see a list of infected or suspicious files. <\/p>\n\n\n\n<p>Review each one before taking action. Do not click &#8216;Fix All&#8217; without reading what&#8217;s being changed. Some flagged files may be legitimate customisations to your theme or child theme.<\/p>\n\n\n\n<h3 class=\"wp-block-heading has-black-color has-text-color has-link-color wp-elements-e61c1a44365218aa88cd541cb9449679\">2. <strong>What to Look for in Your Files? (For Developers)<\/strong><\/h3>\n\n\n\n<p>If you have FTP or File Manager access through your hosting panel, sort all files by the &#8216;Date Modified&#8217; column. 
Anything recently changed that you didn&#8217;t touch is a red flag.<\/p>\n\n\n\n<p>Pay close attention to these locations:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>wp-config.php:<\/strong> Contains your database credentials. Any unauthorised modification here is serious.<\/li>\n\n\n\n<li><strong>index.php<\/strong> in the root folder and inside \/wp-includes\/<\/li>\n\n\n\n<li><strong>Theme files:<\/strong> Particularly functions.php, header.php, and footer.php<\/li>\n\n\n\n<li><strong>\/wp-content\/uploads\/:<\/strong> Hackers often hide PHP scripts here, disguised as image files. Look for &#8216;.php&#8217; files where there should only be images<\/li>\n<\/ul>\n\n\n\n<p>A common injection signature looks like a single line of scrambled text starting with <strong>eval(base64_decode)<\/strong>. If you see that anywhere in a PHP file, that&#8217;s malware. Remove the entire line.<\/p>\n\n\n\n<figure class=\"wp-block-table\"><table class=\"has-fixed-layout\"><tbody><tr><td><strong>Developer tip:&nbsp; <\/strong>When you find a corrupted core WordPress file, don&#8217;t manually edit it unless you&#8217;re confident about what you&#8217;re removing. Download a fresh copy of the same WordPress version from WordPress.org and replace the file entirely.<\/td><\/tr><\/tbody><\/table><\/figure>\n\n\n\n<h3 class=\"wp-block-heading has-black-color has-text-color has-link-color wp-elements-1aa746e85580768c76814bb0c57b109c\">3. <strong>Clean the Database<\/strong> (For Developers)<\/h3>\n\n\n\n<p>Malware doesn&#8217;t only hide in files. Hackers can inject harmful code directly into your WordPress database, particularly in post content, widget settings, or theme option fields.<\/p>\n\n\n\n<p>Use a plugin like <a href=\"https:\/\/wordpress.org\/plugins\/wp-optimize\/\" target=\"_blank\" rel=\"noopener\">WP-Optimise<\/a> to safely clean the database after your scan. 
Also, open <strong>phpMyAdmin<\/strong> and check the <strong>wp_options<\/strong> table for any suspicious redirect URLs or unfamiliar settings that were recently added. Look through <strong>wp_posts<\/strong> for content containing <strong>&lt;script> <\/strong>tags you didn&#8217;t write.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\"><strong>Step 5: Update Everything to Close the Door on Future WordPress Security Recovery Issues<\/strong><\/h2>\n\n\n\n<p>Once infected files are cleaned, the next important action is closing the vulnerability that lets hackers in. <\/p>\n\n\n\n<p>This is how you avoid having to go through a <strong>WordPress security recovery<\/strong> all over again next month.<\/p>\n\n\n\n<p>Over 91% of WordPress vulnerabilities in 2025 were found in plugins and themes, not in WordPress core. <\/p>\n\n\n\n<p><a href=\"https:\/\/www.codecaste.com\/blog\/wordpress-plugins-slowing-site-fix\/\" data-type=\"link\" data-id=\"https:\/\/www.codecaste.com\/blog\/wordpress-plugins-slowing-site-fix\/\">Outdated plugins are the single biggest door hackers<\/a> walk through.<\/p>\n\n\n\n<p><\/p>\n\n\n\n<figure class=\"wp-block-image size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"912\" src=\"https:\/\/www.codecaste.com\/blog\/wp-content\/uploads\/2026\/03\/WordPress-hacked-fix-updates-screen-1024x912.png\" alt=\"WordPress hacked fix updates screen\" class=\"wp-image-5025\" srcset=\"https:\/\/www.codecaste.com\/blog\/wp-content\/uploads\/2026\/03\/WordPress-hacked-fix-updates-screen-1024x912.png 1024w, https:\/\/www.codecaste.com\/blog\/wp-content\/uploads\/2026\/03\/WordPress-hacked-fix-updates-screen-300x267.png 300w, https:\/\/www.codecaste.com\/blog\/wp-content\/uploads\/2026\/03\/WordPress-hacked-fix-updates-screen-768x684.png 768w, https:\/\/www.codecaste.com\/blog\/wp-content\/uploads\/2026\/03\/WordPress-hacked-fix-updates-screen-600x534.png 600w, 
https:\/\/www.codecaste.com\/blog\/wp-content\/uploads\/2026\/03\/WordPress-hacked-fix-updates-screen-674x600.png 674w, https:\/\/www.codecaste.com\/blog\/wp-content\/uploads\/2026\/03\/WordPress-hacked-fix-updates-screen.png 1385w\" sizes=\"auto, (max-width: 1024px) 100vw, 1024px\" \/><\/figure>\n\n\n\n<p><\/p>\n\n\n\n<p>Update the following right now:<\/p>\n\n\n\n<ol class=\"wp-block-list\">\n<li class=\"has-black-color has-text-color has-link-color wp-elements-d4e51d2ea7ffb6126a852a2085029bd1\">WordPress core to the latest version<\/li>\n\n\n\n<li class=\"has-black-color has-text-color has-link-color wp-elements-df4cfc193dae07b99eb0565b2470b39a\">Every installed plugin, including ones you rarely open<\/li>\n\n\n\n<li class=\"has-black-color has-text-color has-link-color wp-elements-d7e10ef91dd646a99b9bc896cda2737f\">Every installed theme, including inactive ones<\/li>\n\n\n\n<li class=\"has-black-color has-text-color has-link-color wp-elements-9ef9b572c2e2a33a52a3884bea60202f\">Your PHP version, if your hosting panel allows it (check with your host if unsure)<\/li>\n<\/ol>\n\n\n\n<p>After updating, go through your plugin and theme list and delete anything you are not actively using. <\/p>\n\n\n\n<p>An inactive plugin that hasn&#8217;t been updated in two years is just as vulnerable as an active one, and there&#8217;s zero reason to keep it installed.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\"><strong>Step 6: Verify Your Site Is Actually Clean<\/strong><\/h2>\n\n\n\n<p>Many site owners stop after a plugin scan says &#8216;no threats found&#8217; and call it done. That&#8217;s a mistake. Some malware is specifically designed to hide from single-tool scans.<\/p>\n\n\n\n<p>Run at least two different scanners after the cleanup. Wordfence and Sucuri SiteCheck together are a reliable combination.<\/p>\n\n\n\n<p>If both come back clean, you&#8217;re in good shape to bring the site back live. 
This is what properly cleaning a hacked WordPress site looks like\u2014verification isn\u2019t optional. <\/p>\n\n\n\n<p>Also, do these manual checks:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Open your site in an incognito browser window as a regular visitor would. Does it load normally? Any unexpected redirects or popups?<\/li>\n\n\n\n<li>Check <a href=\"https:\/\/search.google.com\/search-console\/about\" target=\"_blank\" rel=\"noopener\">Google Search Console<\/a> under Security and Manual Actions. Are there any active alerts?<\/li>\n\n\n\n<li>Ask someone on a different device and network to open the site. Some hacks are designed to show malicious content only to visitors arriving from Google search, not to the logged-in admin, so your own browser may show a clean site while visitors see something else<\/li>\n<\/ul>\n\n\n\n<p>If Google blacklisted your site, you need to formally request a review. <\/p>\n\n\n\n<p>In Google Search Console, go to Security Issues and click Request Review after confirming the site is clean. This process typically takes a few days, but it is necessary to remove the &#8216;This site may be hacked&#8217; warning from search results.<\/p>\n\n\n\n<p>This step ensures your WordPress hack fix is complete and your site is fully clean.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\"><strong>Step 7: WordPress Hacked Fix \u2013 Secure Your Site<\/strong><\/h2>\n\n\n\n<p>Recovery is only half the job. The sites that get hacked twice are almost always the ones that went back online without fixing what made them a target in the first place.<\/p>\n\n\n\n<p><\/p>\n\n\n\n<h3 class=\"wp-block-heading has-black-color has-text-color has-link-color wp-elements-c41a33f33a5fbdeb804de497869b0815\">1. 
<strong>Enable Two-Factor Authentication on All Admin Accounts<\/strong><\/h3>\n\n\n\n<p>Two-factor authentication (2FA) means that even if someone gets your password, they still cannot log in without a second code sent to your phone or generated by an authenticator app.<\/p>\n\n\n\n<p>Install a plugin like <strong><a href=\"https:\/\/wordpress.org\/plugins\/wp-2fa\/\" target=\"_blank\" rel=\"noopener\">WP 2FA<\/a><\/strong> or Google Authenticator by MiniOrange and enable it for every account with admin access. This one change blocks the vast majority of brute-force login attacks automatically.<\/p>\n\n\n\n<h3 class=\"wp-block-heading has-black-color has-text-color has-link-color wp-elements-5ba862c0b8b4608739df5c09a5fc5e0c\">2. <strong>Install a Web Application Firewall<\/strong><\/h3>\n\n\n\n<p>A firewall sits in front of your site and blocks malicious traffic before it even reaches your server. <a href=\"https:\/\/wordpress.org\/plugins\/wordfence\/\" target=\"_blank\" rel=\"noopener\">Wordfence<\/a> has a solid free tier that works well for most sites. For higher-traffic or business-critical sites, Sucuri&#8217;s firewall or Cloudflare&#8217;s WAF offer more robust protection at the network level.<\/p>\n\n\n\n<h3 class=\"wp-block-heading has-black-color has-text-color has-link-color wp-elements-090cffdec317161860f5f9275756da96\">3. <strong>Disable PHP Execution in Your Uploads Folder<\/strong><\/h3>\n\n\n\n<p>Your uploads folder is where WordPress stores images and media files. It should never run PHP code. 
Hackers know this and often hide malicious scripts in there, disguised as images.<\/p>\n\n\n\n<p>You can block PHP from running in that folder by adding a small .htaccess file to your \/wp-content\/uploads\/ directory with these lines:<\/p>\n\n\n\n<blockquote class=\"wp-block-quote is-layout-flow wp-block-quote-is-layout-flow\">\n<p>&lt;Files *.php><br>deny from all<br>&lt;\/Files><\/p>\n<\/blockquote>\n\n\n\n<p>If you&#8217;re not comfortable doing this yourself, ask your developer or hosting provider to set it up for you.<\/p>\n\n\n\n<h3 class=\"wp-block-heading has-black-color has-text-color has-link-color wp-elements-1843e400ee67f574c2021638ec2c2b2b\">4. <strong>Set Up Automated, Offsite Backups<\/strong><\/h3>\n\n\n\n<p>A backup that lives on the same server as your site is not a real backup. If the server is compromised or goes down, you lose both.<\/p>\n\n\n\n<p>Use a plugin like <a href=\"https:\/\/wordpress.org\/plugins\/updraftplus\/\" target=\"_blank\" rel=\"noopener\">UpdraftPlus<\/a> or <a href=\"https:\/\/wordpress.org\/plugins\/blogvault-real-time-backup\/\" target=\"_blank\" rel=\"noopener\">BlogVault<\/a> to schedule daily backups and automatically send them to a separate location, such as Google Drive, Dropbox, or Amazon S3. <\/p>\n\n\n\n<p>Set it up, test a restore once to confirm it works, and then let it run in the background.<\/p>\n\n\n\n<h3 class=\"wp-block-heading has-black-color has-text-color has-link-color wp-elements-47a24577d9aa6ca280def99207d03dc1\">5. <strong>Change Your WordPress Login URL<\/strong><\/h3>\n\n\n\n<p>By default, every WordPress site&#8217;s login page sits at yoursite.com\/wp-admin. 
<\/p>\n\n\n\n<p>Every automated hacking bot on the internet knows this and hits it daily with login attempts.<\/p>\n\n\n\n<p>A plugin like WPS Hide Login lets you change this URL to something custom, like yoursite.com\/team-portal. <\/p>\n\n\n\n<p>It doesn&#8217;t make your site bulletproof, but it dramatically cuts the volume of automated attacks targeting your login page.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\"><strong>When to Stop the DIY Fix and Call a WordPress Expert<\/strong>?<\/h2>\n\n\n\n<p>There&#8217;s no shame in knowing when a situation needs more than a solo effort. <\/p>\n\n\n\n<p>Here&#8217;s when you should bring in a professional:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>Malware keeps coming back within days of cleaning:<\/strong> This typically means a backdoor is still active somewhere. An experienced developer knows where to look, including obscure locations like wp-cron injections and database triggers that automated scanners miss.<\/li>\n\n\n\n<li><strong>You&#8217;re completely locked out with no backup:<\/strong> Recovering file access without admin credentials requires direct server-level work that most site owners don&#8217;t have the setup or comfort level for.<\/li>\n\n\n\n<li><strong>Your site processes customer payments or holds sensitive user data:<\/strong> Every hour of delay increases your exposure and liability. Fast, professional cleanup is worth the cost.<\/li>\n\n\n\n<li><strong>The infection has been active for weeks or months:<\/strong> Older infections often go deeper, with multiple backdoors, database injections, and sometimes even nested WordPress installations that are also infected.<\/li>\n<\/ul>\n\n\n\n<p>Professional WordPress security cleanup typically runs between $200 and $500 for straightforward infections, and $500 to $2,000 for complex recoveries involving multiple backdoors, full database cleaning, and security hardening. 
<\/p>\n\n\n\n<p>Most reputable service providers complete the work within 24 to 48 hours.<\/p>\n\n\n\n<figure class=\"wp-block-table\"><table class=\"has-fixed-layout\"><tbody><tr><td><strong>Looking to hire an agency instead?\u00a0 <\/strong>A good <a href=\"https:\/\/codecaste.com\/\" target=\"_blank\" rel=\"noopener\">WordPress development agency<\/a> won&#8217;t just clean the site. They&#8217;ll identify what went wrong, fix the root cause, and set up a maintenance plan so this doesn&#8217;t happen again. That combination of cleanup plus prevention is what separates a one-time fix from actual long-term security.<\/td><\/tr><\/tbody><\/table><\/figure>\n\n\n\n<p><\/p>\n","protected":false},"excerpt":{"rendered":"<p>Found your WordPress site hacked? Follow this simple guide to detect issues, remove malware, fix your site, and protect it from future attacks.<\/p>\n","protected":false},"author":2,"featured_media":5013,"comment_status":"closed","ping_status":"closed","sticky":true,"template":"","format":"standard","meta":{"footnotes":""},"categories":[159,47,168],"tags":[50,98],"class_list":["post-4959","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-wordpress-maintenance","category-wordpress","category-wordpress-security","tag-wordpress","tag-wordpress-security-tips"],"acf":[],"_links":{"self":[{"href":"https:\/\/www.codecaste.com\/blog\/wp-json\/wp\/v2\/posts\/4959","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.codecaste.com\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.codecaste.com\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.codecaste.com\/blog\/wp-json\/wp\/v2\/users\/2"}],"replies":[{"embeddable":true,"href":"https:\/\/www.codecaste.com\/blog\/wp-json\/wp\/v2\/comments?post=4959"}],"version-history":[{"count":93,"href":"https:\/\/www.codecaste.com\/blog\/wp-json\/wp\/v2\/posts\/4959\/revisions"}],"predecessor-version":[{"id":5
079,"href":"https:\/\/www.codecaste.com\/blog\/wp-json\/wp\/v2\/posts\/4959\/revisions\/5079"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/www.codecaste.com\/blog\/wp-json\/wp\/v2\/media\/5013"}],"wp:attachment":[{"href":"https:\/\/www.codecaste.com\/blog\/wp-json\/wp\/v2\/media?parent=4959"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.codecaste.com\/blog\/wp-json\/wp\/v2\/categories?post=4959"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.codecaste.com\/blog\/wp-json\/wp\/v2\/tags?post=4959"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}