Join Waitlist

How to Recover a Hacked WordPress Site

Meet VPSUForm The Ultimate Free WordPress Form Builder

Introduction

Discovering that your WordPress website has been hacked can feel overwhelming. You might notice strange redirects, unknown users, spam content, or warnings from Google.

The good news is that most hacked WordPress sites can be cleaned and restored. The key is to act quickly and follow the right steps.

This guide will walk you through how to recover your hacked WordPress website safely.

Signs Your WordPress Site May Be Hacked

Here are some common warning signs:

  • Your website redirects to spam or unknown websites

  • New admin users appear that you didn’t create

  • Your homepage suddenly changes

  • Google shows “This site may be hacked” warning

  • Unknown plugins or files appear

  • Your hosting provider suspends your website

If you see any of these, your site may be compromised.

Step 1: Put Your Website in Maintenance Mode

Before fixing anything, it’s best to temporarily restrict access to your site.

This prevents visitors from seeing malicious content and stops attackers from continuing their activity.

You can:

  • Enable maintenance mode using a plugin

  • Temporarily disable the site from your hosting panel

Step 2: Scan Your Website for Malware

Next, run a malware scan to find infected files.

Some popular WordPress security tools include:

  • WordPress security plugins with malware scanning

  • Online malware scanners

  • Hosting security tools

These scans help identify infected files and suspicious code.

Step 3: Restore From a Backup (Fastest Solution)

If you have a recent clean backup, restoring it is often the fastest way to recover your site.

Restore backups from:

  • Your hosting control panel

  • WordPress backup plugins

  • Cloud backup services

After restoring, make sure to update everything and change passwords to avoid reinfection.

Step 4: Remove Suspicious Files and Plugins

Hackers often upload malicious files or plugins.

Check these areas carefully:

  • /wp-content/plugins

  • /wp-content/themes

  • /uploads

  • Unknown PHP files in the root directory

Remove anything you don’t recognize.

Also delete plugins that you no longer use.

Step 5: Reinstall WordPress Core Files

Sometimes core files get infected.

To fix this safely:

  1. Download a fresh copy of WordPress

  2. Replace these folders:

    • wp-admin

    • wp-includes

Do not overwrite your wp-content folder or wp-config.php.

This ensures the core system is clean.

Step 6: Reset All Passwords

After cleaning your site, reset all important passwords.

Change passwords for:

  • WordPress admin accounts

  • Hosting account

  • Database access

  • FTP/SFTP accounts

Use strong, unique passwords for better security.

Step 7: Remove Unknown Admin Users

Hackers sometimes create hidden admin accounts.

Go to Users → All Users and look for:

  • Unknown usernames

  • Suspicious email addresses

Delete any users that don’t belong to you.

Step 8: Update Everything

Outdated software is one of the main reasons sites get hacked.

Update:

  • WordPress core

  • Themes

  • Plugins

Keeping everything updated closes security vulnerabilities.

Step 9: Secure Your Website

Once your site is clean, strengthen your security.

Good practices include:

  • Installing a reliable security plugin

  • Limiting login attempts

  • Using two-factor authentication

  • Taking regular backups

  • Using strong passwords

Security should always be ongoing.

Step 10: Request Google Review (If Blacklisted)

If Google marked your site as unsafe, you can request a review.

Steps:

  1. Open Google Search Console

  2. Check the Security Issues section

  3. Request a review after cleaning the site

Google usually removes warnings after verification.

Final

A hacked WordPress site can be stressful, but recovery is possible.

The key steps are:

  1. Scan your site

  2. Remove malicious files

  3. Restore from backup if available

  4. Reset passwords

  5. Improve security

Once cleaned and secured, your website can continue running safely.

 

Final Thoughts

If you want a fast, reliable, and easy-to-use contact form plugin, VPSUForm is the clear choice. Build unlimited types of forms – contact, booking, feedback, surveys – with minimal effort.

👉 Download VPSUForm today and get started
👉 Learn more about VPSUForm’s powerful features here

Submit a Comment

Your email address will not be published. Required fields are marked *