If your WordPress site has been hacked, you'll usually find out in one of a few ways: Google is showing a warning in search results, your host has suspended the account, visitors are being redirected somewhere else, or you've found unfamiliar files or content. Whatever the symptom, here's how to deal with it fast and make sure it doesn't happen again.
An active compromise means malware may be spreading files, harvesting data, or sending spam from your server. Every hour of delay increases the damage and makes cleanup harder. If your host has suspended the account, contact support immediately; they can usually tell you what triggered the suspension and often have access to logs that will help identify the infection point.
Before doing anything else, take stock of the symptoms. Is the homepage redirecting to a pharmacy site? Are there new admin users you didn't create? Is Google Search Console showing a Security Issues alert? Each symptom points to a different type of infection, which helps narrow down where to look. Document what you observe; this information is useful both for cleanup and for preventing recurrence.
While you clean, you don't want visitors landing on a compromised or broken site. If you still have admin access, activate a maintenance mode plugin or create a simple maintenance.php in your root directory. If your host suspended the account, they've already done this for you; ask them to keep it suspended until cleanup is complete.
Change your WordPress admin password immediately, and change your hosting control panel password, FTP password, and database password. An attacker with a persistent backdoor will attempt to re-enter if they see their access is being revoked. Rotating all credentials upfront closes those doors before you start cleaning.
If you have a backup from before the infection, restoring it is the fastest and most reliable fix. This is why daily automated backups exist. Restore the backup, then immediately update WordPress core, all plugins, all themes, and change every password associated with the account: WordPress admin, FTP, database, hosting control panel, and email.
If you're not sure when the infection occurred, check the modification timestamps on your files before restoring. In cPanel's File Manager, you can sort files by date modified; look for PHP files in unexpected locations (like wp-content/uploads/) or core files with recent modification dates. This tells you approximately when the attack occurred, so you know which backup to restore to.
If you restore a backup and the infection reappears within hours or days, the attacker left a persistent backdoor, or the vulnerability that allowed entry still exists. In that case, you need to find and close the entry point before the restored site goes live.
Install the Wordfence Security plugin and run a full scan. It compares every WordPress core file against the official WordPress.org checksums, flags files that don't match, and cross-references your plugin and theme files against known malware signatures. Work through the results systematically; Wordfence will tell you whether each flagged item is a modified core file (restore it), a known malware signature (delete it), or an unknown file in a suspicious location (investigate and delete if not legitimate).
Manual checks to run in parallel: Look in wp-content/uploads/ for PHP files; there should be none. Check wp-config.php for injected code at the top or bottom of the file. Check .htaccess for redirect rules pointing to unfamiliar domains. Look at the database, specifically the wp_options table, for injected JavaScript in widget settings, theme header/footer fields, or the siteurl value.
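The three file-system checks above, scripted so they can be run over a whole site root in one pass. This is an added example, not code from the original article or from Wordfence; the indicator regexes are assumptions, not a complete signature list, and build_sample() creates a constructed throwaway tree so the script runs offline (the wp_options database check is not covered here).

```python
import re
import tempfile
from pathlib import Path

# Obfuscation helpers that never appear in a stock wp-config.php (assumed indicator list)
SUSPECT_PHP = re.compile(r"\b(eval|base64_decode|gzinflate|str_rot13|create_function)\s*\(")
# Rewrite/redirect rules whose target is an absolute URL; the host is compared to the site's own
HTACCESS_REDIRECT = re.compile(r"^\s*(?:RewriteRule|Redirect(?:Match)?)\b.*https?://(?P<host>[^/\s]+)", re.I | re.M)
PHP_EXT = re.compile(r"\.(php\d?|phtml|phar)$", re.I)

def wp_triage(root, site_host):
    """Return (kind, detail) findings for the three file-system checks in the text."""
    root, findings = Path(root), []
    uploads = root / "wp-content" / "uploads"
    # 1. PHP under uploads is never legitimate, whatever it is named
    if uploads.is_dir():
        for p in uploads.rglob("*"):
            if p.is_file() and PHP_EXT.search(p.name):
                findings.append(("php_in_uploads", p.relative_to(root).as_posix()))
    # 2. wp-config.php: bytes before the opening tag, or eval/obfuscation helpers
    cfg = root / "wp-config.php"
    if cfg.is_file():
        text = cfg.read_text(errors="replace")
        if not text.lstrip().startswith("<?php"):
            findings.append(("wpconfig_prefix", "content before <?php"))
        findings += [("wpconfig_suspect_call", m.group(1)) for m in SUSPECT_PHP.finditer(text)]
    # 3. .htaccess: redirects to any host other than the site's own
    ht = root / ".htaccess"
    if ht.is_file():
        for m in HTACCESS_REDIRECT.finditer(ht.read_text(errors="replace")):
            if m["host"].lower() != site_host.lower():
                findings.append(("htaccess_redirect", m["host"].lower()))
    return findings

def build_sample():
    """Constructed throwaway tree with one of each problem, for demonstration only."""
    root = Path(tempfile.mkdtemp())
    month = root / "wp-content" / "uploads" / "2024" / "05"
    month.mkdir(parents=True)
    (month / "photo.jpg").write_bytes(b"\xff\xd8\xff")
    (month / "wp-cache.php").write_text("<?php // constructed stand-in for a dropped file\n")
    (root / "wp-config.php").write_text(
        "<?php\ndefine('DB_NAME', 'wp');\n"
        "@eval(base64_decode('Y29uc3RydWN0ZWQ='));  // constructed injected line\n")
    (root / ".htaccess").write_text(
        "RewriteEngine On\n"
        "RewriteRule ^index\\.php$ - [L]\n"
        "RewriteRule ^(.*)$ http://redirect.example/$1 [R=302,L]\n")
    return root
```

Point wp_triage() at a real site root with its own hostname to use it; the internal WordPress rewrite rule in the sample is deliberately not flagged, only the rule sending traffic off-site.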
Run Sucuri SiteCheck (sitecheck.sucuri.net) as a second opinion. It scans your site's public-facing pages for known malware indicators and checks your domain against major blacklists. It won't find server-side infections that aren't visible in the HTML output, but it confirms what visitors and Google are seeing.
Cleaning without finding the cause means you'll be reinfected within days. The most common entry points, in order of frequency, are: an outdated plugin with a publicly documented vulnerability, a nulled (pirated) theme or plugin that came pre-loaded with malware, a compromised admin password obtained via brute force or credential stuffing, and a compromised FTP password obtained via a local malware infection on your own computer.
Check your server access logs for suspicious patterns. In cPanel, go to Metrics > Raw Access Logs. Look for: repeated POST requests to PHP files in the uploads directory, large numbers of requests to wp-login.php or xmlrpc.php from unfamiliar IPs, and requests to plugin or theme files that shouldn't be directly accessible. The timestamp of unusual activity often lines up with when you first noticed the problem.
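A small parser for the three log patterns just described, to run over a downloaded cPanel raw access log instead of scrolling it by hand. Added example, not from the original article; the combined-log regex, the login threshold of 20 requests per IP, and the sample lines (documentation IP ranges, constructed) are assumptions.

```python
import re
from collections import Counter

# Apache/cPanel "combined" log format; only the fields needed for triage are captured
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3})')
PLUGIN_PHP = re.compile(r"^/wp-content/(plugins|themes)/.+\.php$")

def triage_access_log(lines, login_threshold=20):
    """Group the three indicator classes the text describes; the threshold is an assumption."""
    upload_posts, login_hits, plugin_php_hits = [], Counter(), []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # rotated-log headers, truncated lines, etc.
        path = m["path"].split("?", 1)[0].lower()
        hit = (m["ts"], m["ip"], path, m["status"])
        # POST to a .php file under uploads: a dropped file being driven by its operator
        if m["method"] == "POST" and path.startswith("/wp-content/uploads/") and path.endswith(".php"):
            upload_posts.append(hit)
        # Request volume per IP against the two login surfaces
        if path in ("/wp-login.php", "/xmlrpc.php"):
            login_hits[m["ip"]] += 1
        # PHP inside plugin/theme directories requested directly rather than through WordPress
        if PLUGIN_PHP.match(path):
            plugin_php_hits.append(hit)
    return {
        "upload_posts": upload_posts,
        "login_flood_ips": {ip: n for ip, n in login_hits.items() if n >= login_threshold},
        "plugin_php_hits": plugin_php_hits,
    }

# Constructed sample lines (documentation IP ranges), not real traffic
SAMPLE_LOG = [
    '203.0.113.5 - - [14/May/2024:03:10:00 +0000] "GET /about/ HTTP/1.1" 200 4120 "-" "Mozilla/5.0"',
    '203.0.113.5 - - [14/May/2024:03:10:30 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"',
    '192.0.2.99 - - [14/May/2024:03:13:00 +0000] "GET /wp-content/plugins/old-slider/upload.php?a=1 HTTP/1.1" 200 77 "-" "python-requests/2.31"',
    '198.51.100.7 - - [14/May/2024:03:12:01 +0000] "POST /wp-content/uploads/2024/05/wp-cache.php HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '203.0.113.5 - - [14/May/2024:03:14:00 +0000] "GET /wp-content/uploads/2024/05/photo.jpg HTTP/1.1" 200 8812 "-" "Mozilla/5.0"',
] + [
    f'198.51.100.7 - - [14/May/2024:03:{20 + i // 60:02d}:{i % 60:02d} +0000] "POST /wp-login.php HTTP/1.1" 200 3100 "-" "Mozilla/5.0"'
    for i in range(25)
]
```

The timestamps in the returned hits are what you line up against file modification dates and the plugin update history in the next step.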
Cross-reference the suspicious timestamps against your plugin update history. If a specific plugin was last updated six months ago and has known vulnerabilities disclosed since then, that's your likely entry point. Check the WPScan Vulnerability Database (wpscan.com/plugins) for your plugin and theme versions.
Harden the site before it goes live again. Set the permissions on wp-config.php to 600 or 440. Add define( 'DISALLOW_FILE_EDIT', true ); to wp-config.php to prevent theme/plugin editing from the dashboard. Add an .htaccess file in wp-content/uploads/ containing:
<Files *.php>
deny from all
</Files>
Log into Google Search Console and check the Security Issues report under Security & Manual Actions. It will tell you which pages were flagged and what type of issue Google detected (malware, unwanted software, social engineering, or deceptive content). This is also useful context for understanding what the malware was doing.
Once the site is thoroughly cleaned, click "Request Review" in the Security Issues report. Describe the steps you took to clean the site and prevent recurrence; be specific. Google typically rechecks within 24 to 72 hours for security issues. The warning will be lifted once they confirm the site is clean. If the review comes back rejected, something was missed; run another Wordfence scan and check Sucuri SiteCheck again before resubmitting.
After cleanup, verify through multiple channels. Scan with Wordfence again; a clean scan doesn't guarantee nothing was missed, but it confirms the obvious issues are gone. Check Sucuri SiteCheck from a different network. Use Google's Safe Browsing checker (transparencyreport.google.com/safe-browsing/search) to see your site's current status. Ask someone on a different device and network to visit the site and confirm they see no browser warnings or unexpected redirects.
Monitor the site closely for the following two weeks. Set up Wordfence email alerts for new file changes, new admin user creation, and failed login spikes. If the same indicators return, the entry point was not fully closed and you need to investigate again.
HostBible plans include daily backups, free SSL, server-level malware protection, and a support team that responds fast when something goes wrong. Don't wait until there's a problem.