WordPress Security

WordPress Site Hacked: Complete Recovery Guide

Three Lions Technology

Over 500,000 WordPress websites were infected with malware in 2024 (Sucuri). That’s not a scare tactic. It’s the reality of running the world’s most popular content management system.

Here’s what makes that number worse: a September 2025 analysis of 111,000 infected WordPress sites found that every single one had at least one active security plugin installed (WeWatchYourWebsite). Nearly 20% had two. These weren’t neglected sites. They were following best practices and still got compromised.

If your site is currently compromised and you need to act now, skip to Immediate Actions.


Signs Your Site Has Been Hacked

Not every hack announces itself with a defaced homepage. Most compromises are subtle, designed to avoid detection while extracting value from your site and your visitors.

Symptom | What You’ll Notice | Why It Happens
Redirect malware | Site works for you, but visitors report spam redirects | Attackers exclude admin IPs from redirects
Locked out | Can’t log in, password reset fails | Attackers create backdoor accounts, lock you out
Unknown users | Admin accounts you didn’t create | Maintains access even if you change passwords
Google warnings | “This site may be hacked” in search results | Google detected malicious code
Host suspension | Email from hosting provider about malware | Automated scans detected infection
SEO spam | Japanese characters, pharma links in content | Attackers hijacking your domain authority
Performance issues | Slow site, high CPU usage | Hidden scripts consuming resources

The Hidden Redirect Problem

Your site loads normally when you check it. But visitors report being sent to pharmaceutical spam, adult content, or fake browser update pages.

This happens because attackers deliberately exclude admin IP addresses from redirects. You see your normal site. Everyone else sees something different. Check your site from mobile data or ask someone outside your network to visit.

Hosting Provider Alerts

When your host sends an email saying they’ve detected malware and suspended your account, take it seriously. Hosting providers run automated scans and will shut down infected sites to protect their servers and other customers.

By the time you get this email, the damage is already done. The infection has been active long enough for automated systems to detect it.


Immediate Actions (First 15 Minutes)

If your site is actively compromised, move fast. Every hour the infection remains active is another hour of potential damage to your visitors, your reputation, and your search rankings.

Priority checklist:

  1. Document everything - Screenshots, error messages, strange URLs. You’ll need this for hosting support.
  2. Take the site offline - Maintenance mode or rename .htaccess via SFTP to temporarily break the site.
  3. Contact your hosting provider - Open a support ticket immediately. They have logs and may have clean backups.
  4. Change all passwords - WordPress admin, hosting account, FTP/SFTP, database. Use strong, unique passwords.
  5. Don’t panic-delete files - You might destroy evidence needed to understand the attack.

Important Caveat

Changing passwords alone won’t fix the problem. If backdoors exist on your server, attackers don’t need your password to get back in. Password changes stop further credential-based access but don’t remove existing infections.


How Attackers Get In

Understanding entry points helps you close them. WordPress core software is actually quite secure. The vulnerabilities come from everything around it.

Attack Vector | How It Works | Impact
Stolen credentials | Logins harvested from infected computers or previous breaches | 81% of infections (2025 data)
Outdated plugins | Bots scan for known vulnerabilities in unpatched plugins | Leading cause alongside credentials
Nulled themes | “Free” premium themes contain pre-installed backdoors | Common and completely avoidable
Weak passwords | No 2FA means brute force attacks eventually succeed | Still a major entry point
Plain FTP | Credentials transmitted unencrypted, easily intercepted | Preventable with SFTP
Shared hosting | One infected site compromises all sites on the account | Very common with multiple installs

Stolen Credentials - The Biggest Threat

The 2025 WeWatchYourWebsite analysis found that 81% of WordPress infections came from stolen credentials or hijacked authentication cookies. Not code exploits. Not zero-day vulnerabilities. Just attackers logging in with valid usernames and passwords.

Where do they get these credentials? Often from infected personal computers. If your laptop or home machine has malware, attackers can harvest your WordPress login from your browser’s saved passwords or your FTP client’s configuration files.

This is a blind spot most security advice misses. You can have the most secure server in the world, but if your personal computer is compromised, attackers walk right in.

The Plugin Problem

Automated bots constantly scan WordPress sites for known vulnerabilities in popular plugins. When a security flaw is disclosed, attackers have tools that can find and exploit vulnerable sites within hours.

The problem is worse than “just keep things updated.” According to Patchstack, 33% of WordPress vulnerabilities disclosed in 2024 were never patched. The plugins were abandoned. Auto-updates only work if updates exist.

Multiple Sites on Shared Hosting

Running several WordPress installations on a single hosting account creates risk. If one site is compromised, attackers can potentially access all sites on that account.

In one case we’re aware of, a hosting provider’s automated malware scans detected an infection and sent a suspension warning. By that point, the infection had been active for weeks, spreading across multiple sites before anyone noticed.


Common Attack Types

Understanding what the malware does helps you recognise it and understand the business impact.

Attack Type | What It Does | Business Impact
Redirect malware | Sends visitors to spam/phishing sites | Lost customers, Google blacklist risk
SEO spam injection | Creates spam pages, hijacks rankings | Destroyed search visibility
Backdoors | Hidden code for re-entry after cleanup | Hack keeps recurring
Credential theft | Captures logins, customer data, payments | Legal liability, regulatory issues
Defacement | Replaces homepage with attacker’s message | Immediate reputation damage

Most infections combine multiple types. Redirect malware typically comes packaged with backdoors to ensure persistence. SEO spam infections often include multiple backdoor variants hidden across the site.


Cleaning Your Site

There are two paths here. Which one you take depends on your technical comfort level and how much time you have.

Where Malware Hides

If you’re comfortable working with files and databases, check these common hiding spots:

  • .htaccess file - Unusual redirect rules, often scrolled far to the right to hide them
  • wp-config.php - Code injected at the very top or bottom, outside normal configuration
  • /wp-content/uploads/ - PHP files don’t belong here; any .php file is suspicious
  • Inactive themes - Installed once, forgotten, now hiding backdoors
  • Database tables - wp_posts and wp_options often contain hidden spam or encoded scripts
  • Fake .ico files - Files named favicon.ico that actually contain PHP code
  • One directory up - Backdoors placed above public_html survive WordPress reinstalls
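
A read-only triage pass over three of the hiding spots above (PHP in uploads, fake .ico files, .htaccess rules pushed off-screen). This is an added example, not code from the original guide; the function names, the 80-character whitespace threshold, the extra PHP extensions and the sample files are assumptions, and the path passed in is assumed to be the WordPress root.

```python
import os
import re
import sys

HIDDEN_RULE = re.compile(rb"[ \t]{80,}\S")  # text pushed off-screen in .htaccess
PHP_EXT = re.compile(r"\.(php\d?|phtml|phar)$", re.I)  # handlers often run these too


def head(path, limit=1_000_000):  # first bytes of a file, b"" if unreadable
    try:
        with open(path, "rb") as fh:
            return fh.read(limit)
    except OSError:
        return b""


def scan_wordpress(root):
    """Walk a WordPress root without modifying it; return sorted (path, reason)."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            rel = os.path.relpath(path, root).replace(os.sep, "/")
            if rel.startswith("wp-content/uploads/") and PHP_EXT.search(name):
                findings.append((rel, "PHP file in uploads"))
            elif name.lower().endswith(".ico") and b"<?php" in head(path).lower():
                findings.append((rel, "PHP code in .ico file"))
            elif name == ".htaccess" and HIDDEN_RULE.search(head(path)):
                findings.append((rel, "rule hidden behind whitespace"))
    return sorted(findings)


def build_sample(root):
    files = {  # constructed, inert sample: three planted indicators, one clean file
        "wp-content/uploads/2024/05/cache.php": b"<?php /* constructed */",
        "wp-includes/favicon.ico": b"<?php /* constructed */",
        ".htaccess": b"# BEGIN WordPress\n" + b" " * 200 + b"# constructed\n",
        "wp-content/themes/old/index.php": b"<?php // Silence is golden.\n",
    }
    for rel, data in files.items():
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "wb") as fh:
            fh.write(data)


if __name__ == "__main__":
    for rel, reason in scan_wordpress(sys.argv[1] if len(sys.argv) > 1 else "."):
        print(f"{reason}: {rel}")
```

A clean result only means these three patterns were not found; inactive themes, database tables and directories above the web root still need a manual check.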

The Security Plugin Problem

Here’s something most guides won’t tell you: malware now actively disables security plugins.

Wordfence, Sucuri, and other security plugins are specifically targeted by modern malware. The malicious code modifies or deletes the security plugin files to stay hidden. Your security plugin might show “all clear” because it’s been compromised along with everything else.

If your gut says something’s wrong but your security scan says everything’s fine, trust your gut.

When the Scope Exceeds Your Time

Cleaning a hacked WordPress site properly takes hours. Finding every backdoor, checking every file, auditing the database - it’s methodical work that can’t be rushed.

If your business is losing revenue every hour the site is down, or if the infection keeps recurring despite your cleanup attempts, the economics shift. The cost of extended downtime or repeated infections often exceeds the cost of professional cleanup done right the first time.


Why Hacks Keep Coming Back

“I cleaned it but it came back” is one of the most common frustrations. There are specific reasons this happens.

Common causes of recurring infections:

  • Backdoors left behind - Hidden in uploads, database, inactive themes, or directories above web root
  • Root cause not fixed - Vulnerable plugin still installed, weak password unchanged
  • Infected backup restored - The “clean” backup was made after infection started
  • Multiple sites reinfecting - One compromised site on shared hosting spreads to others
  • Credentials already leaked - Old password was in attackers’ hands from a previous breach
  • Abandoned plugins - A third of vulnerabilities never get patched; auto-updates can’t help

The Backup Trap

You restored from backup and thought you were safe. But the backup was made after the infection started. You’ve just reinstalled the malware.

Always verify backups are clean before restoring. Check the backup date against when you first noticed problems. If you can’t be certain a backup predates the infection, don’t trust it.
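
One way to run that date check, plus a quick content check, on a tar backup before restoring it. This is an added example, not part of the original guide; vet_backup and make_sample_backup are hypothetical names, and the archive contents and dates are constructed.

```python
import io
import tarfile
from datetime import datetime, timezone


def vet_backup(tar_path, first_noticed):
    """Inspect a tar backup without extracting it; return (verdict, reasons).

    first_noticed: timezone-aware datetime of the first symptom you can document.
    "candidate" means the quick checks passed, not that the backup is clean:
    the infection may predate the first symptom, and mtimes can be forged.
    """
    with tarfile.open(tar_path, "r:*") as tar:
        members = [m for m in tar.getmembers() if m.isfile()]
    reasons = []
    newest = max((m.mtime for m in members), default=0)
    newest_dt = datetime.fromtimestamp(newest, tz=timezone.utc)
    if newest_dt >= first_noticed:
        reasons.append(f"newest file dated {newest_dt:%Y-%m-%d}, not before first symptoms")
    for m in members:
        name = m.name.lower()
        if "wp-content/uploads/" in name and name.endswith(".php"):
            reasons.append(f"PHP file in uploads: {m.name}")
    return ("reject" if reasons else "candidate", reasons)


def make_sample_backup(path, entries):
    """Write a constructed .tar.gz; entries maps name -> (bytes, mtime datetime)."""
    with tarfile.open(path, "w:gz") as tar:
        for name, (data, mtime) in entries.items():
            info = tarfile.TarInfo(name)
            info.size = len(data)
            info.mtime = int(mtime.timestamp())
            tar.addfile(info, io.BytesIO(data))


if __name__ == "__main__":
    import os
    import tempfile
    utc = timezone.utc
    with tempfile.TemporaryDirectory() as d:
        path = os.path.join(d, "backup.tar.gz")
        make_sample_backup(path, {  # constructed contents
            "site/wp-config.php": (b"<?php", datetime(2025, 1, 5, tzinfo=utc)),
            "site/wp-content/uploads/a.php": (b"<?php", datetime(2025, 3, 12, tzinfo=utc)),
        })
        print(vet_backup(path, datetime(2025, 3, 10, tzinfo=utc)))
```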


Prevention That Actually Works

Security advice often sounds simple: keep everything updated, use strong passwords, install a security plugin. The reality is more nuanced.

High-Impact Measures

Measure | Why It Matters | Reality Check
Two-factor authentication | Reduces unauthorised logins by ~73% (Sucuri) | WordPress doesn’t include this natively - add via plugin
SFTP only | Encrypts credentials during transfer | Plain FTP transmits passwords in cleartext
Site isolation | One breach doesn’t compromise everything | Don’t run multiple sites on same hosting account
Web Application Firewall | Blocks attacks before they reach WordPress | 87.8% of exploits bypass standard hosting defenses
Regular updates | Patches known vulnerabilities | But 33% of vulnerabilities never get patched
Tested backups | Recovery option when everything fails | Untested backups are worthless

Security Plugins - Honest Assessment

Security plugins help. They’re not magic.

Plugin | Strengths | Limitations
Wordfence | Solid firewall, malware scanning, login security | Runs on server (performance impact); malware can disable it
Sucuri | Cloud-based WAF, cleanup services, good monitoring | Free version limited; full protection requires paid plan
Solid Security | User-friendly hardening, good login protection | Less comprehensive scanning than Wordfence
Patchstack | Excellent vulnerability intelligence, virtual patching | More focused than full security suites

No plugin protects against stolen credentials, infected personal computers, or backdoors already on your server. They’re one layer of defense, not a complete solution.

Quick Wins Checklist

If you’re securing a WordPress site today, prioritise these:

  • Enable two-factor authentication for all admin accounts
  • Switch from FTP to SFTP
  • Remove unused plugins and themes
  • Check for abandoned plugins (no updates in 12+ months)
  • Verify backups are running and test a restore
  • Set up a Web Application Firewall
  • Review user accounts and remove unnecessary admins

When Professional Help Makes Sense

Some situations benefit from bringing in expertise. This isn’t about technical ability. It’s about time, complexity, and risk.

Consider professional help when:

  • The infection keeps recurring - Something is being missed; fresh eyes often find what repeated attempts don’t
  • Multiple sites are affected - Cross-site contamination requires simultaneous cleanup and environment reconfiguration
  • Your host has issued warnings - There’s a timeline; trial-and-error isn’t viable when suspension is imminent
  • Customer data may be involved - Legal notification requirements may apply; you need certainty, not guesses
  • Business impact is significant - Extended downtime costs more than professional cleanup
  • You’d rather focus on your business - Your time has value; spending days on malware isn’t the best use of it

The goal is getting your site secure and keeping it that way. Sometimes the fastest path to that outcome is worth more than the cheapest.


Where to Go from Here

500,000 infected sites in a single year. Security plugins installed on every one of them. The data makes clear that WordPress security requires more than default measures.

The pattern is consistent: stolen credentials, unpatched plugins, poor hosting hygiene, and missing foundational controls like two-factor authentication. These aren’t sophisticated attacks. They’re opportunistic exploitation of preventable weaknesses.

The good news is that most compromises are preventable with the right approach. The measures that matter aren’t complicated. They just require attention.

Not sure where your site stands? A website security audit can identify vulnerabilities before attackers do. Three Lions Technology offers a free consultation to assess your current setup and identify priorities. No sales pitch - just an honest conversation about your business and what it actually needs.

References:

  • Sucuri (2024). “SiteCheck Malware Trends Report.” Analysis of infected websites detected through SiteCheck scanner.
  • Patchstack (2025). “State of WordPress Security.” Annual analysis of WordPress vulnerabilities and ecosystem security.
  • WeWatchYourWebsite/SolidWP (2025). “When Security Plugins Aren’t Enough.” Analysis of 111,354 infected WordPress websites.
  • W3Techs (2024). “Usage Statistics of Content Management Systems.” Web technology surveys.
