My WordPress Site Got Hacked — Here’s Exactly What to Do (Step-by-Step)

It’s a stressful moment.

You wake up, turn on your computer, go to your website… and something’s not right. Maybe your site is redirecting to a casino page or some other strange site that definitely isn’t yours.

So what do you do?

First — don’t panic. All is not necessarily lost. Even if you don’t have a current backup, your site is probably fixable.

Over the years, I’ve cleaned hundreds of hacked WordPress sites. It can be time-consuming, but the process can be broken down into manageable steps. In this article, I’ll walk you through how I approach a hacked site — what I look for, what I do, and how to get things back to normal.

How to Quickly Confirm Your Site Is Hacked

One of the most common signs is a redirect. You go to your homepage and suddenly you’re sent to a casino or spam site.

When this happens, your site will likely get flagged by Google. It’s not always immediate — it depends on how often Google crawls your site. It could take a few days or even a couple of weeks before you see a warning or penalty.

Another common issue is being locked out of your admin account. Sometimes even the password reset won’t work. When that happens, you may need to access the database directly and create a new admin user.

Once I get access, the first thing I check is the user list. In many cases, hackers disable the original admin account and create their own. If I see an unfamiliar admin user, I remove it immediately.

Next, I look at the plugins. It’s very common to see something like a “File Manager” plugin added. These plugins give direct access to the file system — something hackers can easily exploit. If I see anything I don’t recognize, I assume it was added during the hack.

From there, I go through the site — posts, pages, everything. It’s not unusual to find hundreds or even thousands of spam posts added in the background. You won’t always see these on the front end, so you need to check inside the dashboard.

Step 1 — Stop and Don’t Make It Worse

There’s a principle in medicine: “First, do no harm.” The same applies here.

The first thing I do is create a full backup of the site — exactly as it is right now. That way, if anything goes wrong during cleanup, I can restore it.

Next, I put the site into maintenance mode. You can do this with a plugin or through your host. The goal is simple: prevent visitors (and search engines) from interacting with the infected site while you work on it.

After that, I install two plugins: Wordfence and Sucuri. Even the free versions are fine.

Once Wordfence is installed, I run a full scan using the “High Sensitivity” setting. This can take some time depending on the size of the site.

At this stage, I’m not deleting anything yet. I’m just reviewing what the scan finds.

This is important — rushing here can break the site further.

Step 2 — Identify How the Hack Happened

Once the scan is complete, you can start to see what caused the issue.

Common entry points include:

  • Outdated plugins or themes
  • Weak passwords
  • Unauthorized admin users
  • Insecure hosting environments

One of the most common things I see is a file manager plugin added to the site. If that’s there, I remove it immediately.

Weak passwords are another big issue. If I find any admin accounts using weak credentials, I replace them with strong, randomly generated passwords.

Sometimes the issue isn’t even the site itself — it’s the hosting environment running outdated software. That’s something that needs to be addressed before the site goes live again.

Step 3 — Remove the Malware (High-Level)

Once I have a backup and understand what happened, I move into cleanup.

I’ll start by letting Wordfence repair or remove any flagged files.

In many cases, I’ll also reinstall WordPress core files from a clean source.

Then I review the user database. During cleanup, I prefer to have only one admin account. Any others get downgraded until I can confirm they’re legitimate.

After that, I run another full scan.

If everything comes back clean, I disable maintenance mode and check the site in an incognito window to make sure everything is working as expected.

Step 4 — Secure the Site

Once the site is clean, the job isn’t done — now we secure it.

First, I update everything:

  • WordPress core
  • Plugins
  • Themes

Then I remove anything unused. If a plugin or theme isn’t active, I delete it. No reason to leave extra code sitting there.

Next, I go into Sucuri and apply the hardening settings (the free version covers most of what you need).

Finally, I set up automated backups — at minimum, weekly.

What Most People Don’t Realize

Just because the site is working again doesn’t mean it’s secure.

One of the biggest issues I see is reinfection.

Hackers often leave behind backdoors — hidden ways to get back into the site later. If those aren’t removed, the site can get hacked again days or weeks later.
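As an added example (not the article's own code or procedure), this shell script does the comparison behind Step 3's "reinstall core from a clean source" and the backdoor concern above: it diffs a live WordPress install against a clean unpack of the same version and reports core files that were modified, removed or added. The $SITE and $CLEAN paths are assumptions, and the demo directories it builds are constructed so it runs offline.

```shell
#!/bin/sh
# Added example, not from the original article. Compare a live WordPress
# install ($SITE) against a clean unpack of the same core version ($CLEAN)
# and list core files that were modified, deleted or added. Both paths are
# assumptions; a clean copy can be downloaded from wordpress.org.
set -eu

# Print one line per finding: "MODIFIED path", "MISSING path" or "EXTRA path".
# wp-content/ is skipped (themes, plugins and uploads are site-specific and
# get reviewed separately); wp-config.php is site-specific and skipped too.
audit_core() {
  site="$1"; clean="$2"
  # Every file shipped in clean core must exist and match byte-for-byte.
  ( cd "$clean" && find . -type f ! -path './wp-content/*' ) | while read -r f; do
    if [ ! -f "$site/$f" ]; then
      echo "MISSING ${f#./}"
    elif ! cmp -s "$clean/$f" "$site/$f"; then
      echo "MODIFIED ${f#./}"
    fi
  done
  # Files in the install that clean core never shipped: this is where
  # leftover backdoors usually sit, so each one needs a human look.
  ( cd "$site" && find . -type f ! -path './wp-content/*' ! -name 'wp-config.php' ) |
  while read -r f; do
    [ -f "$clean/$f" ] || echo "EXTRA ${f#./}"
  done
}

# Constructed fixture so the script runs offline: two tiny fake trees.
make_demo() {
  root="$1"
  mkdir -p "$root/clean/wp-includes" "$root/site/wp-includes" "$root/site/wp-content/uploads"
  printf '<?php // clean core\n' > "$root/clean/index.php"
  printf '<?php // clean core\n' > "$root/clean/wp-includes/functions.php"
  cp "$root/clean/index.php" "$root/site/index.php"
  # One core file altered after install and one file that core never shipped.
  printf '<?php // clean core\n// extra line\n' > "$root/site/wp-includes/functions.php"
  printf '<?php // not part of core\n' > "$root/site/wp-includes/class-wp-extra.php"
  printf '<?php // site settings\n' > "$root/site/wp-config.php"
  printf 'x' > "$root/site/wp-content/uploads/image.jpg"
}

# Usage on a real site: audit_core /var/www/html /tmp/wordpress-clean
if [ "${1:-}" = "--demo" ]; then
  tmp=$(mktemp -d); make_demo "$tmp"; audit_core "$tmp/site" "$tmp/clean"; rm -rf "$tmp"
fi
```

On a real site, WP-CLI's wp core verify-checksums does the same comparison against wordpress.org's published checksums. Either way, review every MODIFIED or EXTRA file before reinstalling core, because the reinstall overwrites the evidence of what was changed.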

Fixing a hacked site and securing a website are two different things.

Ongoing updates, backups, and basic monitoring are what keep a site clean long-term.

Final Thoughts

If your site has been hacked and you’re not comfortable going through this process yourself, feel free to reach out. This is something I deal with regularly, and I’m always happy to take a look.
