How to clean and secure a hacked WordPress website?

While this article is a guide on securing a hacked WordPress website, if you wish to convert your WordPress site into a mobile app, get started here.

Discovering that your WordPress website has been hacked can be alarming. From defaced pages to strange redirects or login lockouts, the signs are unsettling — but they’re not uncommon. According to recent security reports, more than 30,000 websites are hacked every day, and WordPress sites are frequent targets due to their popularity.

The good news? You can recover your website, secure it, and prevent future attacks with the right steps and tools. This guide walks you through everything you need to do — from diagnosing the breach to rebuilding your security infrastructure.

Step 1: Confirm if your WordPress site is actually hacked

Before taking any drastic action, ensure your site is truly compromised. Some issues (like plugin errors or server downtime) can mimic a hack. Check for these red flags:

• Search engine spam: Type site:yourwebsite.com into Google. If you see spammy pages, foreign characters, or irrelevant titles, your site might be compromised.
• Unexpected redirects: If visiting your site sends you to another domain, malware is likely embedded.
• Admin access issues: Being locked out of your dashboard or seeing altered credentials is a strong indicator of a hack.
• Browser or Google warnings: If users see “Deceptive site ahead” alerts, your site has been flagged for malware.
• Security plugin alerts: Warnings from plugins like Wordfence or Sucuri often point to active infections.

If one or more of these apply, your site is likely hacked. Before proceeding, take a complete backup of your website’s files and database — even in its infected state. This ensures you don’t lose data during cleanup or restoration.

Read: Common WordPress errors that can crash your website

Step 2: Check if you still have admin access

If you can still log in to your WordPress dashboard, recovery will be simpler. Once inside:

1. Remove unknown admin users: Go to Users → All Users and delete suspicious accounts.
2. Change your password immediately: Use a long, unique password with numbers, symbols, and mixed case.
3. Enable maintenance mode: Prevent public access to infected pages while you clean up.
4. Install a security plugin: Use Wordfence or Sucuri to scan your site and identify infected files.
5. Clean infected files: Most security plugins can automatically quarantine or delete malicious scripts.

If you can’t access your WordPress dashboard, move to the next step.

Step 3: Regain admin access via FTP or file manager

If your backend is locked, you can troubleshoot using an FTP client (like FileZilla) or your hosting control panel.

1. Deactivate all plugins:

• Log in via FTP and navigate to /wp-content/plugins/.
• Rename the folder to plugins.old. This disables all plugins.
• Try reloading your site. If it loads properly, one of your plugins is infected.
• Rename the folder back to plugins and then rename each plugin folder one by one (e.g., contact-form-7.old) until you find the culprit.
• Delete the malicious plugin and reinstall a fresh copy from WordPress.org.

2. Check themes for infection:

• Go to /wp-content/themes/ and rename your active theme.
• If the site loads with the default theme, the original one was compromised.
• Replace it with a clean version from the developer or WordPress repository.

3. Audit your WordPress core files:

• Download a fresh WordPress installation package.
• Compare its structure with your site’s directories.
• Delete any unfamiliar or suspicious files.
• Pay special attention to /wp-includes/ and /wp-admin/ — these rarely change.

Once done, your website should load normally, allowing you to log back in.

Step 4: Update WordPress core, themes, and plugins

Outdated software is the number one cause of WordPress hacks. Once you regain control:

• Update WordPress core to the latest version.
• Update all themes and plugins from trusted sources only.
• Delete unused or inactive plugins — they’re common malware targets.

To minimize downtime, use a staging environment (a test version of your website) to verify updates before deploying them live. This prevents compatibility errors and broken pages.

Step 5: Set correct file permissions

Incorrect file permissions can give hackers access to modify or upload malicious code.

Set your permissions as follows:

• Folders: 755
• Files: 644

These values restrict unauthorized changes while keeping your site functional. If you’re unsure, contact your hosting provider for specific recommendations based on your setup.

Step 6: Strengthen your security foundation

After cleaning your website, reinforce it against future attacks:

• Install a comprehensive security plugin: Wordfence, Sucuri, or iThemes Security are excellent options.
• Add a web application firewall (WAF): Blocks malicious traffic before it reaches your site.
• Enable two-factor authentication (2FA): Protects admin accounts from brute-force attacks.
• Limit login attempts: Prevents bots from guessing passwords.
• Use SSL encryption: Most modern hosts provide free SSL certificates.
• Regular backups: Automate weekly or daily backups using UpdraftPlus or your hosting provider.

Security is not a one-time task — it’s an ongoing process.

Step 7: Choose a secure managed hosting provider

The quality of your hosting environment plays a massive role in security. A managed WordPress host like WP Engine or Kinsta can dramatically reduce risks.

Premium hosts offer:

• Free SSL certificates
• Daily backups
• Malware scanning and auto-healing
• Platform-level firewalls
• 24/7 security monitoring

These features save you from dealing with hacks on your own and ensure your site remains stable and secure.

Bonus: Secure your mobile app with AppMySite

If you’ve built a mobile app using AppMySite, your app’s safety depends on your website’s security. By cleaning and protecting your WordPress site, you’re automatically securing your connected app.

AppMySite also allows you to:

• Build Android and iOS apps directly from your WordPress site.
• Sync content, users, and updates in real-time.
• Ensure smooth functionality even if your site was previously compromised.

A secure site equals a secure app — and AppMySite helps you achieve both.

Final thoughts

Getting hacked can feel overwhelming, but recovery is always possible. By identifying the source, cleaning up infected files, and implementing strong security practices, you can restore your website and protect it from future attacks.

Regular updates, backups, and a reliable hosting partner are your best defenses. Think of this as an opportunity to strengthen your WordPress setup and prevent future vulnerabilities — your website and users will thank you.