How to Restore a Hacked WordPress Website (Step-by-Step Recovery Guide)
Are you looking for a way to restore a hacked WordPress website? Follow this step-by-step guide.
If your WordPress website has been hacked, act fast. Start by isolating the site, making a backup, restoring a clean version, and securing your login credentials. According to Colorlib, over 4.7 million WordPress sites are hacked each year, and 13,000 sites get compromised daily. (Colorlib, 2025)
This guide will show you how to restore your hacked WordPress site safely — and keep it secure in the future.
Why Restoring Your Hacked WordPress Site Matters
WordPress powers 43% of all websites. Its popularity makes it a prime target for cyberattacks. When hackers breach your site, they can inject malware, steal data, redirect visitors, or even blacklist your domain on Google.
As the experts at MalCare explain:
“Recovering a hacked WordPress site is challenging, but with the right process, it’s entirely manageable.” — MalCare Security Team
Recovering quickly restores user trust, improves search visibility, and protects your business reputation.
Step-by-Step: How to Restore a Hacked WordPress Website
1. Isolate the Website
Immediately put your site in maintenance mode or take it offline. This prevents further damage and protects visitors from malware.
If you can still access your admin area, use a maintenance plugin like SeedProd or WP Maintenance Mode.
2. Back Up the Hacked Website
Before cleaning, create a full backup of your site files and database — even if it’s infected.
You may need this later for forensic analysis or rollback. Tools like UpdraftPlus, BlogVault, or your hosting control panel can help.
“Always back up your site before making major fixes. It’s your safety net.” — WPBeginner Team
3. Assess the Damage
Scan your site with Wordfence or Sucuri SiteCheck to identify infected files and suspicious activity.
Look for:
- Unknown admin users
- Redirects to spam sites
- Suspicious code in wp-config.php or functions.php
- Changed core files
If you see these, the site likely contains malware or a backdoor.
4. Restore from a Clean Backup (If Available)
If you have a clean backup (created before the hack), restore it using your backup plugin or host’s dashboard.
Make sure the backup predates the infection. Then, immediately update everything (WordPress core, themes, plugins).
If you don’t have a backup, skip to the next step for manual cleanup.
5. Manually Clean the Site (If No Backup)
You can manually remove the hack by:
- Replacing all WordPress core files from a fresh download at wordpress.org.
- Deleting and reinstalling all plugins and themes.
- Removing unknown files from wp-content/uploads/ and wp-includes/.
- Scanning your database for injected code or spam entries.
“Malware hides in unexpected places — ensure you scan uploads and includes folders thoroughly.” — Jetpack Security Team
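One way to find the changed core files and unknown files described in Steps 3 and 5 is to compare the site against a fresh copy of the same WordPress version. This is an added example, not part of the original guide; the function names, finding labels and paths are hypothetical, and it goes slightly beyond the text by also checking wp-admin and the root-level PHP files.

```bash
#!/usr/bin/env bash
# Added example (not from the original guide). Hypothetical arguments:
#   $1 = site root, $2 = same-version WordPress freshly extracted from wordpress.org

# Prints one finding per line, paths relative to the site root:
#   MODIFIED / UNKNOWN for core files, PHP_IN_UPLOADS for scripts among media.
scan_wp_tree() {
  local site="$1" clean="$2" rel
  (
    cd "$site" || exit 1
    find wp-admin wp-includes -type f 2>/dev/null || true
    find . -maxdepth 1 -type f -name '*.php' | sed 's|^\./||'
  ) | sort | while IFS= read -r rel; do
    case "$rel" in wp-config.php) continue ;; esac  # site-specific: review by hand
    if [ ! -f "$clean/$rel" ]; then
      echo "UNKNOWN $rel"
    elif ! cmp -s "$site/$rel" "$clean/$rel"; then
      echo "MODIFIED $rel"
    fi
  done
  # Uploads normally holds media only, so server-side scripts there need review.
  (
    cd "$site" || exit 1
    find wp-content/uploads -type f \
      \( -iname '*.php' -o -iname '*.phtml' -o -iname '*.phar' \) 2>/dev/null || true
  ) | sort | sed 's/^/PHP_IN_UPLOADS /'
}

# Constructed demo trees (made-up file contents) that trigger each finding.
demo() {
  local t; t=$(mktemp -d)
  mkdir -p "$t/clean/wp-includes" "$t/site/wp-includes" "$t/site/wp-content/uploads/2025"
  echo '<?php // core' > "$t/clean/wp-includes/load.php"
  echo '<?php // core' > "$t/clean/index.php"
  cp "$t/clean/index.php" "$t/site/index.php"
  echo '<?php // core plus injected line' > "$t/site/wp-includes/load.php"
  echo '<?php // dropped file' > "$t/site/wp-includes/class-cache-x.php"
  echo '<?php // dropped file' > "$t/site/wp-content/uploads/2025/img.php"
  echo 'image bytes' > "$t/site/wp-content/uploads/2025/photo.jpg"
  scan_wp_tree "$t/site" "$t/clean"
  rm -rf "$t"
}
demo
```

Run it against the backup taken in Step 2 rather than the live site so the evidence stays untouched. Where WP-CLI is installed, `wp core verify-checksums` performs a comparable check of core files against the official checksums.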
6. Reset All Passwords
Reset every password connected to your site — including:
- WordPress admin users
- Hosting and FTP accounts
- Database credentials
- Email accounts linked to WordPress
Also, regenerate your WordPress security keys in wp-config.php to log out all active sessions.
7. Update Everything
Outdated software causes most hacks. After cleanup, update:
- WordPress Core
- Themes
- Plugins
- PHP version on the server
Remove any plugins or themes you no longer use. Keep only trusted, regularly updated extensions.
8. Check Hosting and Submit to Google
Ask your web host to scan the server logs for remaining threats.
Then, use Google Search Console to request a malware review if your site was blacklisted.
You’ll find this under:
➡ Security & Manual Actions → Security Issues → Request Review
9. Harden Your WordPress Security
Now, prevent future attacks.
- Install a security plugin (Wordfence, Sucuri, or MalCare).
- Enable two-factor authentication (2FA).
- Disable theme and plugin file editing in the dashboard.
- Limit login attempts.
- Schedule automatic off-site backups.
Following these steps ensures your website stays clean and protected.
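A post-cleanup check for two items above: that the security keys from Step 6 were actually regenerated, and that dashboard file editing from Step 9 is disabled through WordPress's `DISALLOW_FILE_EDIT` constant. This is an added example, not part of the original guide; the function names, finding labels and file paths are hypothetical.

```bash
# Added example (not from the original guide). Hypothetical arguments:
#   $1 = current wp-config.php, $2 = wp-config.php from the infected backup
# Prints one finding per line; no output means every check passed.

KEYS="AUTH_KEY SECURE_AUTH_KEY LOGGED_IN_KEY NONCE_KEY AUTH_SALT SECURE_AUTH_SALT LOGGED_IN_SALT NONCE_SALT"

# Print the string value of define('NAME', '...') found in file $1 for NAME=$2.
config_value() {
  sed -n "s/^[[:space:]]*define([[:space:]]*['\"]$2['\"][[:space:]]*,[[:space:]]*['\"]\(.*\)['\"][[:space:]]*);.*/\1/p" "$1" | head -n 1
}

audit_wp_config() {
  local current="$1" old="$2" k new prev
  for k in $KEYS; do
    new=$(config_value "$current" "$k")
    prev=$(config_value "$old" "$k")
    if [ -z "$new" ]; then
      echo "MISSING $k"
    elif [ "$new" = "put your unique phrase here" ]; then
      echo "PLACEHOLDER $k"        # default text from wp-config-sample.php
    elif [ "$new" = "$prev" ]; then
      echo "NOT_ROTATED $k"        # same secret as the compromised copy
    fi
  done
  # The dashboard theme/plugin editor stays on unless this constant is true.
  grep -Eiq "^[[:space:]]*define\([[:space:]]*['\"]DISALLOW_FILE_EDIT['\"][[:space:]]*,[[:space:]]*true[[:space:]]*\)" "$current" \
    || echo "FILE_EDIT_ENABLED"
}

# Constructed sample configs (made-up values) exercising each finding.
demo_config() {
  local t; t=$(mktemp -d)
  printf "%s\n" "<?php" "define( 'AUTH_KEY', 'old-1' );" \
    "define( 'SECURE_AUTH_KEY', 'old-2' );" > "$t/old.php"
  printf "%s\n" "<?php" "define( 'AUTH_KEY', 'fresh-1' );" \
    "define( 'SECURE_AUTH_KEY', 'old-2' );" \
    "define( 'LOGGED_IN_KEY', 'put your unique phrase here' );" \
    "define( 'DISALLOW_FILE_EDIT', false );" > "$t/new.php"
  audit_wp_config "$t/new.php" "$t/old.php"
  rm -rf "$t"
}
demo_config
```

A `NOT_ROTATED` finding means existing login cookies, including any held by the intruder, are still valid for that key.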
Real-World Data & Insights
- 4.3% of scanned WordPress sites show active malware infections.
- 87% of hacked WordPress sites run outdated plugins or themes.
- The average cost of a hacked site cleanup is $300–$1,000 depending on severity.
(Sources: Colorlib, Sucuri, WPScan, 2025)
Cybersecurity expert Mark Maunder (Wordfence) notes:
“The majority of WordPress hacks are preventable. Regular updates and a web application firewall go a long way.” — Wordfence CEO
WordPress Security Checklist
✅ Take your site offline
✅ Back up hacked files + database
✅ Scan for malware
✅ Restore a clean backup
✅ Replace core, plugins, and themes
✅ Reset all passwords
✅ Update software and PHP version
✅ Submit for Google review
✅ Install a firewall plugin
✅ Schedule automatic backups
Conclusion: Regain Control and Strengthen Your Site
Restoring a hacked WordPress website requires calm action and the right process.
By isolating your site, cleaning files, resetting passwords, and reinforcing security, you regain full control of your online presence.
Don’t stop at recovery — turn this setback into a security upgrade. Install firewalls, automate backups, and review user roles monthly.
💬 Your Turn: Have you ever faced a WordPress hack? Share your experience or tips in the comments — your insight could help someone save their site!
FAQ: Fixing a Hacked WordPress Site
Can I fix a hacked WordPress site myself?
Yes. If the damage is minor and you’re comfortable using cPanel or FTP, you can clean it manually. Otherwise, hire a security expert.
How do I know if my site is hacked?
Common signs include sudden traffic drops, unknown admin users, spam redirects, and Google showing “This site may be hacked” warnings.


