
WordPress Site Hacked? Here's Exactly What to Do

A step-by-step emergency response guide for when your WordPress site has been compromised. From containment to cleanup to hardening.

Zen Core Digital

Don’t Panic — But Act Fast

Discovering your WordPress site has been hacked is stressful. Whether you’re seeing defaced pages, spam injections, malware warnings from Google, or suspicious admin accounts, the response needs to be swift and systematic.

This guide covers the exact process we use at Zen Core Digital when clients come to us with compromised sites. It’s the same methodology whether it’s a small blog or a high-traffic WooCommerce store.

Step 1: Contain the Breach

Before you start cleaning, stop the bleeding.

Take the site offline

Put your site in maintenance mode or take it offline entirely. This prevents visitors from being exposed to malware and stops the attacker from doing further damage.

// Create a .maintenance file in the WordPress root (next to wp-config.php).
// While it exists, WordPress answers every request with a 503 maintenance page.
<?php $upgrading = time(); ?>

// WordPress ignores the file once the timestamp is more than 10 minutes old,
// so for a longer outage put the timestamp in the future (here: one day ahead)
<?php $upgrading = time() + 86400; ?>

A simpler approach: ask your hosting provider to temporarily disable the site.

Change all passwords immediately

  • WordPress admin passwords (all admin accounts)
  • Database password (update in wp-config.php after changing)
  • FTP/SFTP credentials
  • Hosting control panel password
  • Any API keys stored in the site

Revoke all active sessions

// Add to wp-config.php — forces all users to re-login
define('AUTH_KEY',         'generate-new-value');
define('SECURE_AUTH_KEY',  'generate-new-value');
define('LOGGED_IN_KEY',    'generate-new-value');
define('NONCE_KEY',        'generate-new-value');
define('AUTH_SALT',        'generate-new-value');
define('SECURE_AUTH_SALT', 'generate-new-value');
define('LOGGED_IN_SALT',   'generate-new-value');
define('NONCE_SALT',       'generate-new-value');

Generate new salts at the WordPress salt generator.

Step 2: Identify the Attack Vector

Understanding how the attacker got in is critical — otherwise they’ll get back in after you clean up.

Check for unauthorized admin accounts

-- Lists every account that holds the administrator role.
-- 'wp_' is the default table prefix; use your own if wp-config.php sets a different $table_prefix.
SELECT u.ID, u.user_login, u.user_email, u.user_registered
FROM wp_users u
JOIN wp_usermeta m ON u.ID = m.user_id
WHERE m.meta_key = 'wp_capabilities'
AND m.meta_value LIKE '%administrator%';

Delete any accounts you don’t recognize.

Review recently modified files

# Find files modified in the last 7 days
find /path/to/wordpress -type f -mtime -7 -name "*.php" | head -50

# Look for suspicious files in uploads directory
find wp-content/uploads -name "*.php" -type f

PHP files in wp-content/uploads/ are almost always malicious — legitimate uploads should only contain media files.

Check access logs

Look for patterns in your server access logs:

  • POST requests to unusual URLs
  • Requests to wp-login.php from many different IPs (brute force)
  • Requests to files that shouldn’t exist
  • Unusual user agents
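As an added example (not code from the original article), the following Python script applies those four checks to a handful of constructed combined-format access log lines; the IPs, paths, user agents and the "three distinct IPs" threshold are made up for illustration and should be tuned to your own traffic.

```python
import re
from collections import defaultdict

# Combined log format: ip ident user [time] "METHOD path PROTO" status size "referer" "user-agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"$'
)

# POST targets that are normal on a WordPress site; any other POST is worth a look
EXPECTED_POST = {"/wp-login.php", "/wp-admin/admin-ajax.php", "/wp-comments-post.php", "/wp-cron.php"}

# Constructed sample lines (documentation IP ranges), not from a real server
SAMPLE_LOG = """\
203.0.113.5 - - [10/Mar/2024:10:01:02 +0000] "POST /wp-login.php HTTP/1.1" 200 1234 "-" "Mozilla/5.0"
203.0.113.6 - - [10/Mar/2024:10:01:03 +0000] "POST /wp-login.php HTTP/1.1" 200 1234 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Mar/2024:10:01:04 +0000] "POST /wp-login.php HTTP/1.1" 200 1234 "-" "python-requests/2.31"
198.51.100.9 - - [10/Mar/2024:10:02:00 +0000] "GET /wp-content/uploads/2024/03/image.php HTTP/1.1" 200 55 "-" "-"
198.51.100.9 - - [10/Mar/2024:10:02:01 +0000] "POST /wp-content/plugins/old-plugin/upload.php HTTP/1.1" 200 20 "-" "-"
192.0.2.1 - - [10/Mar/2024:10:03:00 +0000] "GET /about/ HTTP/1.1" 200 9000 "-" "Mozilla/5.0"
192.0.2.1 - - [10/Mar/2024:10:03:05 +0000] "POST /wp-admin/admin-ajax.php HTTP/1.1" 200 50 "-" "Mozilla/5.0"
"""

def triage(log_text, login_ip_threshold=3):
    """Return the suspicious patterns found; an empty dict means nothing matched."""
    findings = defaultdict(list)
    login_ips = set()
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # unparseable line: skip rather than guess
        ip, method, ua = m["ip"], m["method"], m["ua"]
        path = m["path"].split("?", 1)[0]  # drop the query string
        if method == "POST" and path == "/wp-login.php":
            login_ips.add(ip)  # many distinct IPs here suggests a brute-force campaign
        if method == "POST" and path not in EXPECTED_POST:
            findings["unusual_post"].append((ip, path))
        if path.startswith("/wp-content/uploads/") and path.endswith(".php"):
            findings["php_in_uploads"].append((ip, path))  # legitimate uploads are media only
        if ua == "-" or ua.startswith(("python-requests", "curl")):
            findings["odd_user_agent"].append((ip, ua))
    if len(login_ips) >= login_ip_threshold:
        findings["login_bruteforce_ips"] = sorted(login_ips)
    return dict(findings)
```

Run it against a real log with `triage(open("/var/log/apache2/access.log").read())`; the hits from `php_in_uploads` and `unusual_post` are the first places to look when tracing the entry point.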

Common attack vectors

In our experience, the most common entry points are:

  1. Vulnerable plugins (60%+ of hacks) — Outdated plugins with known exploits
  2. Weak passwords — Brute-forced admin or FTP credentials
  3. Outdated WordPress core — Known vulnerabilities in old versions
  4. Compromised hosting — Shared hosting where another site was the entry point
  5. Stolen credentials — Phishing or credential reuse from data breaches

Step 3: Clean the Infection

Scan all files

Use a server-side scanner, not just a WordPress plugin:

# Search for common malware signatures
grep -r "eval(base64_decode" wp-content/
grep -r "eval(gzinflate" wp-content/
grep -r "preg_replace.*\/e" wp-content/
grep -r "system(" wp-content/
grep -r "exec(" wp-content/
grep -r "passthru(" wp-content/

Reinstall WordPress core

wp core download --force --skip-content

This replaces all core files with clean copies. Never try to “clean” individual core files — just replace them all.

Reinstall plugins and themes

Delete all plugins and themes from the file system, then reinstall fresh copies from WordPress.org or the vendor:

# Remove and reinstall all plugins
wp plugin delete --all
wp plugin install plugin-name --activate

For premium plugins, download fresh copies from the vendor’s website. Never reuse potentially infected files.

Clean the database

Check for injected content in posts and options:

-- Look for injected scripts in posts
SELECT ID, post_title FROM wp_posts
WHERE post_content LIKE '%<script%'
AND post_content LIKE '%eval(%';

-- Check for suspicious options
SELECT option_name, option_value FROM wp_options
WHERE option_name LIKE '%inject%'
OR option_name LIKE '%backdoor%'
OR option_value LIKE '%eval(%';

Remove backdoors

Attackers almost always leave backdoors for re-entry. Common hiding spots:

  • wp-config.php — extra code appended or prepended
  • .htaccess — redirect rules for SEO spam
  • wp-content/uploads/ — PHP files disguised as images
  • wp-includes/ — modified core files
  • Theme functions.php — injected code
  • wp-content/mu-plugins/ — must-use plugins (auto-loaded)

Step 4: Harden the Site

Once clean, lock the door behind you.

File permissions

find . -type d -exec chmod 755 {} \;
find . -type f -exec chmod 644 {} \;
chmod 600 wp-config.php

Disable file editing

// Add to wp-config.php
define('DISALLOW_FILE_EDIT', true);

Configure a Web Application Firewall

A WAF blocks malicious requests before they reach WordPress. Options include Cloudflare WAF, Sucuri, or server-level ModSecurity rules.

Implement login security

  • Limit login attempts
  • Add two-factor authentication for all admin accounts
  • Change the login URL (not security through obscurity, but reduces bot traffic)
  • Disable XML-RPC if not needed: add_filter('xmlrpc_enabled', '__return_false');

Set up monitoring

  • File integrity monitoring (alerts when core files change)
  • Uptime monitoring
  • Google Search Console alerts (security issues tab)
  • Server access log monitoring
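An added example, not part of the original article: a small Python file-integrity checker that hashes every file under the WordPress root, stores a baseline, and reports added, removed and modified files. It goes beyond the core files mentioned above to the whole tree, so a PHP file dropped into uploads/ or a line appended to wp-config.php shows up too; the demo() scenario builds a constructed temporary directory and the file contents in it are made up.

```python
import hashlib, json, os, tempfile

def sha256_of(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()

def snapshot(root):
    """Relative path -> sha256 for every file under root (slash-separated keys)."""
    snap = {}
    for dirpath, _, names in os.walk(root):
        for name in names:
            full = os.path.join(dirpath, name)
            snap[os.path.relpath(full, root).replace(os.sep, "/")] = sha256_of(full)
    return snap

def diff_snapshots(baseline, current):
    """Anything listed here changed since the baseline and needs a human look."""
    return {
        "added": sorted(set(current) - set(baseline)),
        "removed": sorted(set(baseline) - set(current)),
        "modified": sorted(p for p in baseline if p in current and baseline[p] != current[p]),
    }

def save_baseline(snap, path):
    # Keep the baseline outside the web root so a planted PHP file cannot rewrite it
    with open(path, "w") as f:
        json.dump(snap, f, indent=2, sort_keys=True)

def load_baseline(path):
    with open(path) as f:
        return json.load(f)

def demo():
    """Constructed scenario: baseline a clean tree, then simulate two of the
    changes listed under 'Remove backdoors' and let the checker report them."""
    with tempfile.TemporaryDirectory() as root, tempfile.TemporaryDirectory() as store:
        os.makedirs(os.path.join(root, "wp-content", "uploads", "2024"))
        with open(os.path.join(root, "wp-config.php"), "w") as f:
            f.write("<?php define('DB_NAME', 'wp');\n")
        with open(os.path.join(root, "index.php"), "w") as f:
            f.write("<?php require __DIR__ . '/wp-blog-header.php';\n")
        baseline_file = os.path.join(store, "baseline.json")
        save_baseline(snapshot(root), baseline_file)
        # Simulated post-intrusion changes: code appended to wp-config.php, PHP in uploads/
        with open(os.path.join(root, "wp-config.php"), "a") as f:
            f.write("// appended by an unknown party\n")
        with open(os.path.join(root, "wp-content", "uploads", "2024", "image.php"), "w") as f:
            f.write("<?php // should not exist here\n")
        return diff_snapshots(load_baseline(baseline_file), snapshot(root))
```

Take the baseline right after the clean reinstall in Step 3 and re-run the comparison from cron; for core files alone, WP-CLI's `wp core verify-checksums` compares against the checksums published by WordPress.org.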

Step 5: Recovery & Notification

Request Google review

If Google flagged your site with a “This site may harm your computer” warning:

  1. Go to Google Search Console
  2. Navigate to Security Issues
  3. Review and fix all flagged issues
  4. Click “Request a Review”

Google typically removes the warning within 72 hours after a successful review.

Notify affected users

If user data was potentially compromised (especially for WooCommerce stores with customer data), you may be legally required to notify affected users. Consult legal counsel for your jurisdiction’s requirements.

Document the incident

Record what happened, how it happened, and what you did to fix it. This documentation is valuable for:

  • Preventing future incidents
  • Compliance requirements
  • Insurance claims
  • Client communication

When to Bring in Professionals

DIY cleanup is possible for simple infections, but consider professional help if:

  • The infection keeps coming back after cleanup
  • You can’t identify the attack vector
  • Customer payment data may have been compromised
  • Your hosting provider has suspended your account
  • Google’s malware warning persists after cleanup

At Zen Core Digital, our WordPress Security service covers emergency malware removal, root cause analysis, and comprehensive hardening. We’ve cleaned hundreds of compromised sites and our hardening process has a near-zero reinfection rate.

Contact us for emergency security support — we triage critical security issues same-day.
