This post contains affiliate links. Which means I will make a commission at no extra cost to you should you click through and make a purchase. Read the full disclosure here.
Is your WordPress blog behaving strangely? You might be wondering, “Is my site hacked?” Or you might feel certain that you’ve been WordPress hacked and are starting to panic. Wondering how to remove malware from your WordPress site so you can fix the hack.
Below I’m going to cover how to fix a hacked WordPress site in 12 easy steps. Ordered in a way that is simple to follow. That prioritizes the most important steps you need to take to protect your work.
I’ll even go over how to get yourself removed from spam lists. Like Google’s list of malicious and potentially dangerous sites. To help get your rank back after recovering a hacked site.
Finally, I will also cover the additional steps you can take. Once your blog is clean of viruses, malware, and hacks. So you know all the best WordPress tips for how to protect your WordPress site from malware. This way your WordPress site doesn’t keep getting hacked!
Ready to fix your hacked WordPress site? Then, let’s get started!
- 1. Don’t Panic
- 2. Confirm You Have Been Hacked
- 3. Set Your WordPress Blog To Maintenance Mode
- 4. Create A Complete Backup Of Your Blog
- 5. Restore Your Blog From A Clean Backup Version
- 6. Ask Your Web Hosting For Help On How To Fix Your Hacked WordPress Site
- 7. Apply Any Missing Updates & Patches
- 8. Change Passwords & Examine User Roles
- 9. How To Fix Your Hacked WordPress Site Using Wordfence To Scan & Clean
- 10. Run Additional Checks To Ensure Everything Is Clean
- 11. Get Your Website Off Google’s Safe Browsing List
- 12. How To Prevent Future Infections & WordPress Hacks
1. Don’t Panic
Okay, so you’re thinking your blog has been hacked because it is being spammy or behaving strangely. It can feel like your hard work is going to hell and that everything is going wrong.
Whilst your WordPress site getting hacked is serious and you need to figure out how to fix it as soon as possible. It is not the end of the world. It is fixable! But you’ll need a clear head to tackle this.
So, get yourself calm and find that stubborn “I’m going to fix this” attitude.
If you need to, go get a tea, coffee or even go outside for a short walk and some fresh air. Whatever you need to do to calm yourself. This problem can wait a few minutes for you to get in the right mindset.
📌 In a rush? Pin this post to your Blogging or WordPress board to read it later! 📌
2. Confirm You Have Been Hacked
Before we look at how to fix your hacked WordPress site. Are you certain you have been hacked?
Sometimes you might think you’ve been hacked. When actually your blog is behaving oddly because of other reasons.
So, think and examine carefully:
- Is your WordPress problem related to recent blog updates that have gone wrong?
- Are the problems just spam comments? That could easily be solved with antispam plugins like Akismet or Antispam bee.
- Have you made recent changes or added new plugins that could be causing the problem?
Is My WordPress Site Hacked? What To Check For
In general, the signs that your website has been hacked are usually things like:
Spam content outside of comments. Such as your blog content, header or footer areas. These often link back to illegal content or things like drugs.
Blog pages you don’t recognize. Doing a Google search for your blog pages using site:type-your-blog-url-here.com. So for example, I could type into the Google search bar:
This would bring up all the pages Google can see on my blog. If Google brought up pages or posts that I didn’t recognize. That also could be a suspicious sign that my blog has been hacked.
Links to your blog or external links on your blog are redirecting to spam or malicious websites instead. You may need to view your blog like a visitor using incognito mode in your web browser to see these. As they can be super sneaky!
Reports of malicious or spammy behaviors. From your visitors, website monitors, your web hosting or even Google.
Depending on how your WordPress blog is hacked and how long it has been going on undetected. You might start getting messages alerting you to suspicious activity on your blog.
This is particularly serious as it can quickly hurt your reputation. Since others are seeing the hack. As well as it could get you into serious trouble with Google.
Resulting in damage to your SEO and Google flagging your website as malicious. Or even blocking your website from search results completely.
If you are noticing any of these on your blog. Then it’s time to follow the steps below on how to fix your hacked WordPress site.
3. Set Your WordPress Blog To Maintenance Mode
To start with, use the maintenance mode included with your blog. For example, if your blog is hosted with Bluehost like me. Then you can go to Settings > General and Enable the Coming Soon Page from there.
Or if you cannot find the option to enable it for your blog. Then this Under Construction Page plugin can help you quickly get one set up in just a few minutes.
With this, your blog will display a single page for all visitors to your blog. Where you can set a quick message and it will allow you to work on your blog without your visitors seeing any issues. And whilst not 100% it could reduce the chances of your visitors clicking malicious links.
4. Create A Complete Backup Of Your Blog
Before you work on fixing a hacked WordPress site. You should always backup everything first.
Now, this might seem crazy. After all, why would you want to backup the hacked version of your blog?
Well, sometimes web hosts might delete your blog if it is seen as malicious or spammy!
They might do this for many reasons. Like to help stop the spread of infection to other systems. Especially if you are on a shared hosting plan.
Or because they’ve detected your website as creating malicious content. And think your website is spam rather than a legit website that has been hacked.
Because of this, you should make sure to get a complete backup of your blog. Before you contact your web hosting. As it is always better to be safe than sorry!
This means it should include all your content, core WordPress files, media library and especially your database. That way you shouldn’t lose any of your recent blog work.
Just be sure to mark it up separate so you don’t accidentally restore from this file once your blog has been cleaned.
5. Restore Your Blog From A Clean Backup Version
Once you’ve run a backup of your blog. You should then check to see if you can restore your blog from a clean backup version. As this could be the easiest way for how to fix your hacked WordPress site with minimal fuss.
Before you restore your WordPress from a previous version though. Make notes of any new blog posts, settings or changes you’ve made that might not have been backed up. Or will require being redone once you’ve cleaned your blog of malware.
If you’ve written a blog post and not backed it up. It might be worth copying at least your written content. So you can paste it into something like Google docs. As you can often preserve much of the formatting this way.
Just be sure to check and remove any suspicious links. As you wouldn’t want to copy this back to your blog once cleaned.
Also, make sure that any backup you do restore from. Comes from an external source like Dropbox, Google Drive or somewhere saved locally to your computer.
You should never store backups locally on your blog’s server. Nor should you restore from these. As if you get hacked, they will likely be full of malware too.
If you cannot find a clean recent version of your blog. Because you haven’t set up your backups, backed up recently. Or you just don’t know when you got hacked. Because it seems to have been going on for a while.
Then your next steps might involve getting support. Or having to clean your website yourself.
6. Ask Your Web Hosting For Help On How To Fix Your Hacked WordPress Site
Many web hosting packages come with support. Meaning you should be able to raise a ticket with them to help fix your problem.
If your web hosting doesn’t offer support for this type of problem. Or you would like the get the issue resolved yourself. As sometimes the free support included with your web hosting can be slow.
Then keep reading to see if the below options can help solve the issue quicker.
7. Apply Any Missing Updates & Patches
Before you start cleaning your blog. Make sure you complete any updates you might have missed. For the core WordPress files, WordPress themes. Plus any WordPress plugins you have installed too.
As these might contain patches. To help prevent your WordPress website from getting hacked over and over again.
8. Change Passwords & Examine User Roles
Next, we should improve any security issues with passwords and user roles.
Go to Users > All Users from within your WordPress dashboard. Here you should change all the passwords for any users you have set up on your blog.
You can do this by clicking Edit under the Username. And then scrolling down to Account Management > Generate Password.
Always remember to create secure passwords. These should be long and complex. Like those generated by LastPass. Which is also an excellent tool to manage all your passwords safely. So that you don’t forget them.
Within the same WordPress Users screen. Remove any suspicious users and check that permissions haven’t been changed.
You should also change any passwords for logging into your web hosting, FTP or cPanel. As these may have been compromised as well.
Once you’ve done everything. Do another complete backup of your blog. So you can save your progress and avoid having to repeat these steps again. In case anything goes wrong in the later steps.
9. How To Fix Your Hacked WordPress Site Using Wordfence To Scan & Clean
Okay, so now we’ve done all the preparations. It is time to look at cleaning the malware files from your blog.
I’m going to cover how to do this with Wordfence. So, if you haven’t installed it yet. Now would be a good time to do so.
Once installed and active. Go to Wordfence > Scan. Then scroll down and look for the Scan Options and Scheduling link to click on it.
Set the Basic Scan Type Options to High sensitivity and then click Save Changes > Back To Scan.
Then find the Start New Scan button. And click on it for Wordfence to scan your WordPress website for malware, hacks and viruses.
This process will take a while so you might need to go do other things while it processes.
How To Fix Your Hacked WordPress Site By Removing Malware
Once the process has completed you’ll see some results underneath. You’ll need to go through all of these results individually. Luckily Wordfence will give you lots of suggestions to get started though.
Okay, so each result Wordfence gives you will have some icons next to it. You can click on the details to understand more about the file and why Wordfence has flagged it for you.
In addition, when the details are expanded. You’ll get options to View the File, View the differences between files or Mark as fixed.
In particular, the view differences between files option is useful. Especially when you are not sure about whether a file change is malicious or not.
If you know that the issue being flagged by Wordfence is a false positive. You can also click Ignore so that it isn’t flagged again. But only use this if you know what you are doing!
There will also sometimes be a Repair option. You can use this when available and Wordfence will restore your file. Using the version stored on WordPress.org.
So, work your way through all the results listed. Using repair whenever available or delete when the files are clearly malware.
If you do delete anything by mistake. Then this is where the backup you took just before running Wordfence will help.
After you’ve completed all the items Wordfence has given you. Run a second scan to check whether anything has been missed or your website is now clean.
If everything returns as clean then this would be a good time to change your admin password again. As well as do another complete backup of your blog too.
10. Run Additional Checks To Ensure Everything Is Clean
If running your website through Wordfence. And not getting any further warnings isn’t enough for your mind to rest easy yet. Then there are few other tools you can use to quickly test your blog for malware and hacks.
All you need to do to use the SiteCheck scanner. Is to enter your URL and click the Scan website button.
Sucuri will do a quick scan and give you some results. The important things to watch for are that no malware is found and that your site isn’t being blacklisted.
You should also scan your own local computer for malware and viruses. As these can jump from your computer to WordPress through accessing the dashboard.
Or your computer could become infected from browsing your blog whilst it has malware. I’ve used the free Avast Antivirus for many years and recommend it to all my family and friends.
Another plugin you can try is Malcare. This high-quality WordPress security plugin is also popular. The free version will let you scan your website for hacks and protect your blog with their firewall.
But if you want to use it to fix your website. Then you’ll need to pay for their premium version. Unless you feel tech-savvy enough to do it manually.
Using the free version of Malcare to double-check your blog is completely clean. Can be worth the extra few minutes to install and scan. As sometimes it can spot things the other WordPress security plugins mentioned above have missed.
11. Get Your Website Off Google’s Safe Browsing List
Now, if your blog is on Google’s safe browsing list. This is a bad thing. Despite how it might sound.
This is a list of websites that Google has flagged as unsafe for users. Meaning many browsers will block the connection to the website. With a big warning message about the URL leading to malware and spam.
For various reasons, if your blog ended up on Google’s safe browsing list. You’ll need to request for it to be removed. But only once your website has been cleaned.
Start by going to your Google Search Console.
If Google has flagged your website. You should have received an email. But there should also be errors under the Security Issues section. Within the new Search Console dashboard.
This report may still show issues even after you’ve cleaned your blog. So, for now, look for the Request a review button. You may be asked to write some details as to what you did to fix the malware issues. Just keep it simple and brief though.
If you have any problems then you can find Google’s official instructions here.
Once you’ve submitted your website for a review. It could take a couple of days or weeks depending on the type and severity of the WordPress hack you had on your blog.
12. How To Prevent Future Infections & WordPress Hacks
Right, so by now you should have gone through all the required steps to get your blog clean and fixed from any WordPress hacks, malware, and spam.
As well as some tips to get your blog removed from blacklists such as Google’s safe browsing list.
But now it is crucial that you take steps to ensure your blog stays secure. So you don’t find yourself having to solve this issue again soon. Because for some reason your WordPress site keeps getting hacked.
So, what should you do? Well, here are some of my top tips for you:
- Get these 7 quick, easy, and free security tips complete to prevent some major but common security issues.
- Always use complex, long, and secure passwords that are difficult to remember. A password generator like LastPass can help you create these. As well as remember them for you. By saving your passwords to a secure vault.
- Keep your blog updated or even set up automatic updates. So you always have the latest security patches.
- Protect your comments from spam using these plugins.
- Plus tons of other WordPress security tips and other mistakes you could be making.
Now over to you!
What made you realize your WordPress blog was hacked? Did you find out what was the cause of your WordPress hack, malware or virus?
If you found this blog post useful then please consider taking a few seconds to share it to your favorite social media platform!
📌 Enjoyed this post? Then pin this post to your best Blogging or WordPress tips board! 📌