Fixing a Hacked WordPress Site

58. Fixing a hacked WordPress site.

There a number of practical steps you can take to address the problem once it’s happened, and / or prevent it from ever happening again. To check the issues the first place you must start with is your local environment. In many cases, the source of the attack / hack begins in your local box (i.e., notebook, desktop, etc…).

Full anti-virus

Ensure you’re running a full anti-virus/malware scan on your local machine. Some viruses can detect AV software and hide from them. So you should try a different one. This advice refers to both Windows, OS X and Linux machines.

Can’t log in

If you can’t log into your WordPress Admin Panel, that’s not a reason to panic. To get this going you can reset your password. But if you don’t want to mess with password hashes or can’t figure it out, just update your email and go back to wp-admin, click forgot password, and wait for the email.


There are various ways to scan your website. There are a number of great plugins in the repo that make this process easier. If you also want to unhide all the files and folders, to include extensions for all files. You can search for *.exe files, sort them by size, most malicious code is executable and is lesser than 5MB usually but can be > 5MB. Also, note that  not every .exe under 5MB is malicious, delete the known viruses/worms/autoruns, make a list of all suspected executables, check against online database.


Just make sure you don’t delete the system files.

Google Blacklist issues may be detrimental to your brand. They blacklist somewhere in the neighborhood of 9,500 to 10,000 websites a day. This number is growing daily. There are different forms of warnings, from large splash pages warning users to stay away, to more subtle warnings that pop up in your Search Engine Result Pages (SERPs).

Even though Google is one of the most prominent ones, there is a variety of other blacklist entities like Bing, Yahoo and a wide range of Desktop AntiVirus applications. You must understand that your clients / website visitors may leverage any number of tools and any one of them could be causing the issue.

The hack may affect more than just your site, especially if you are using shared hosting. You’d better check your hosting provider in case they are taking steps or need to. Your hosting provider may also be able to confirm if a hack is an actual hack or a loss of service, for example.

If they have stolen your password and are logged in to your blog, even if you change your password, they will remain logged in. That’s because their cookies are still valid. To disable them, you must create a new set of secret keys.

If your files and database are still there, you should back them up so that you can investigate them later at leisure, or restore to them if your cleaning attempt fails. Make sure to label them as the hacked site backup.

Share this!

Leave a Comment

Your email address will not be published. Required fields are marked *