How Do You Know You've Been Hacked?
The signs vary. Sometimes it's obvious, sometimes you only find out when Google emails you or a client complains.
Common signs:
- Strange links in your footer or content pointing to gambling, pharma, or adult sites
- Google Search Console shows a security warning
- Your host suspended the account for "malware"
- Visitors are being redirected to another site
- Your admin password stopped working
- Your site is listed as "deceptive" in Google
Step 1: Don't Panic and Don't Delete Everything
The instinct to delete everything and start fresh is understandable but wrong. You need to understand how they got in, or you'll get hacked again in a week.
Step 2: Take the Site Offline
Put up a maintenance page or take the site down via your host control panel. This stops the malware from spreading to visitors while you clean.
Step 3: Change All Passwords
Change all of these, even if they seem unrelated:
- WordPress admin password (all admin accounts)
- FTP / SFTP credentials
- Hosting control panel password
- Database password (in wp-config.php)
- Email account linked to WordPress
Also check: are there admin accounts you don't recognise? Delete them.
Step 4: Scan for Malware
Upload and run Wordfence or use your host's malware scanner. Or use a service like Sucuri SiteCheck.
Look for:
- Files in unexpected places (PHP files in
/uploads/) - Recently modified core files (
wp-login.php,index.php) - Obfuscated code (base64-encoded strings, eval() calls)
# Check for recently modified files (last 7 days)
find /path/to/wp -name "*.php" -mtime -7
# Look for eval+base64 (common malware pattern)
grep -r "eval(base64_decode" /path/to/wp --include="*.php"
Step 5: Clean the Infection
Option A: Restore From Backup
If you have a clean backup from before the infection, restore it. This is the safest approach.
Option B: Manual Cleaning
- Replace WordPress core files with a fresh download (don't touch wp-content or wp-config.php)
- Delete any plugins or themes you don't recognise
- Reinstall all plugins from scratch (from wordpress.org, not from the infected copies)
- Search the database for injected links:
SELECT * FROM wp_options WHERE option_value LIKE '%eval(%';
SELECT * FROM wp_posts WHERE post_content LIKE '%<script%';
Step 6: Find How They Got In
Common entry points:
| Vector | How to check |
|---|---|
| Outdated plugin | Check which plugins have updates you ignored |
| Nulled theme/plugin | If you used pirated software, that's almost certainly it |
| Weak admin password | Check access logs for brute-force attempts |
| Old WordPress version | Check wp-includes/version.php |
| Compromised hosting account | Ask your host for access logs |
Step 7: Harden Before Going Back Online
- Update WordPress, all plugins, all themes
- Delete any plugins or themes you don't actively use
- Install a security plugin (Wordfence, Solid Security)
- Enable two-factor authentication for admin accounts
- Change database table prefix if it's still
wp_ - Disable XML-RPC if you don't use it
Step 8: Request a Google Review
If Google flagged your site, go to Google Search Console → Security Issues → Request Review after cleaning. It usually takes 1–3 days.
When to Call Someone
If the infection is deep (database full of spam, malware in multiple files across directories, or you can't identify the entry point) — manual cleaning becomes time-consuming and risky.
I've cleaned hacked WordPress sites plenty of times. If you're in this situation now, tell me what you're seeing and I'll help you figure out the fastest path forward.