
When a WordPress site gets hacked, it can cause serious problems. Hackers may steal sensitive information, add spammy links, or redirect visitors to harmful websites. This puts your visitors at risk and damages your website’s reputation and ranking on search engines.
That’s why fixing a hacked WordPress site quickly and securing it is critical to protect your website and strengthen your trust with your audience.
This tutorial shows you how to check if your WordPress website has been hacked, offers step-by-step ways to repair it, and provides simple but effective tips to prevent future WordPress hacked incidents.
KEY TAKEAWAYS
- Regularly check your WordPress website for unusual activity like unexpected content changes, redirects, or new admin accounts.
- Use strong and unique passwords for WordPress admin, hosting, and FTP accounts to protect against brute-force attacks.
- Keep your WordPress core, themes, and plugins updated to fix security vulnerabilities.
- To stop malicious code from entering your site, avoid using plugins or themes you get from untrusted sources.
- Set up regular backups to restore your site quickly in case of a hack or error.
- Install WordPress security plugins to monitor and protect your website from threats.
- Scan your site for malware and remove suspicious files using trusted tools.
- Limit admin access to authorized users and enable two-factor authentication for extra security.
- Be proactive about security to keep your WordPress site safe and your visitors’ trust intact.
Common Signs if WordPress Hacked
The signs may not always be obvious if your WordPress website is hacked. However, certain red flags can indicate a problem, and recognizing them early is critical to protecting your site and visitors. Let’s look at some common signs below:
Unable to Log in to WordPress Dashboard
One of the first signs of a hack is being locked out of the WordPress admin dashboard. Attackers often take control of administrator accounts by stealing login credentials or exploiting vulnerabilities. When this happens, you lose access to manage your website, update content, or fix issues. If you don’t have access, it’s impossible to recover your site, making this a critical issue.
Unknown Redirection
If your site redirects visitors to another website, it’s a clear sign of hacking. Hackers may gain access to your server files or domain registrar account to cause these redirects. Through the registrar account, they can add a 301 Redirect in your DNS settings.
Alternatively, by cracking your WordPress admin password or File Transfer Protocol (FTP) credentials, they may insert redirect code into critical files like index.php or wp-config.php. These redirects usually lead to phishing or malware-laden pages, putting your users at risk.
For this reason, search engines can penalize your site, damaging SEO rankings. Such activities often stem from financial motives or internet vandalism – both affect visitor trust.
Unknown User Accounts with Admin Privileges
Hackers sometimes create new admin accounts to maintain control of your WordPress site. These accounts allow them to access your dashboard even after you make initial repairs. To identify and remove any suspicious users, it’s important to regularly review all accounts and their roles in the WordPress admin dashboard.
Sudden Traffic Drop & Performance Issues
A sudden decrease in website traffic can indicate redirection or harmful activities. Search engines may blacklist your site or remove it from search results because of malware or spammy behavior. This affects your visibility and impacts user trust, as visitors may avoid your site due to safety concerns.
Furthermore, if your site becomes unusually slow, crashes frequently, or behaves oddly, it may be due to hackers using your server’s resources for malicious activities. Malware or backdoors left by hackers can consume bandwidth and slow down your site’s performance.
Check for Website Content Changes
Hackers may alter your website’s content subtly or dramatically. They might add spammy links to your pages or completely deface them with inappropriate messages. These changes can harm your reputation and affect user experience.
They often involve unauthorized file changes. If this happens, you can use an FTP client or cPanel dashboard to review recently modified files in your WordPress installation. Look for files with strange names or unexpected updates. To be thorough, compare your files with a clean version of WordPress. This can help you find and fix problems caused by hackers.
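The comparison against a clean copy can be automated. The script below is an added example, not part of the original tutorial: it hashes every file in the live installation and in a freshly downloaded copy of the same WordPress version, then lists core files that were modified, added, or removed. The function names and the list of site-specific paths to skip are assumptions for illustration.

```python
import hashlib
import os
import sys

# Top-level names that legitimately differ from a stock download (assumption:
# a standard layout where site content lives in wp-content and the site's own
# settings in wp-config.php and .htaccess). Review those separately.
SITE_SPECIFIC = {"wp-content", "wp-config.php", ".htaccess"}


def sha256_file(path, chunk_size=65536):
    """Hash a file in chunks so large files do not have to fit in memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            digest.update(chunk)
    return digest.hexdigest()


def index_tree(root, skip=SITE_SPECIFIC):
    """Map each core file's relative path (with / separators) to its SHA-256."""
    root = os.fspath(root)
    index = {}
    for dirpath, dirnames, filenames in os.walk(root):  # symlinked dirs are not followed
        if dirpath == root:
            # Prune site-specific entries at the top level only.
            dirnames[:] = [d for d in dirnames if d not in skip]
            filenames = [f for f in filenames if f not in skip]
        for name in filenames:
            full = os.path.join(dirpath, name)
            if os.path.islink(full):
                continue  # never hash through a symlink
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            index[rel] = sha256_file(full)
    return index


def compare_with_clean(site_root, clean_root):
    """Return core files that differ between the live site and the clean copy."""
    site = index_tree(site_root)
    clean = index_tree(clean_root)
    report = {
        # Present in both trees but with different content.
        "modified": sorted(p for p in site if p in clean and site[p] != clean[p]),
        # Present on the live site only: candidates for dropped files.
        "unexpected": sorted(p for p in site if p not in clean),
        # Present in the clean copy only: deleted or renamed core files.
        "missing": sorted(p for p in clean if p not in site),
    }
    return report


if __name__ == "__main__":
    if len(sys.argv) != 3:
        sys.exit("usage: compare.py <live-site-dir> <clean-wordpress-dir>")
    for kind, paths in compare_with_clean(sys.argv[1], sys.argv[2]).items():
        for rel in paths:
            print(f"{kind:10} {rel}")
```

The clean copy must be the same WordPress version as the live site, otherwise every file changed between releases shows up as modified.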
Warnings on Browsers & SERPs
Search engines and browsers may flag your site if it’s hacked. Messages like Google’s “This site may be hacked” or Chrome’s “Deceptive site ahead” warn users to avoid visiting your site. You can use Google Safe Browsing to check your site’s status and confirm if it’s been marked unsafe.
Website Doesn’t Load
Your website may fail to load for various reasons, and a malicious attack is just one possibility. If this is the case, pay attention to the error message displayed when your site fails to load. While some errors are too generic to identify the issue immediately, recognizing the type of error is the first step toward diagnosing the cause.
Common errors include the HTTP 500 Internal Server Error, often seen as an Error Establishing a Database Connection or Internal Server Error. This general error indicates a server-side issue; this could originate from outdated plugins, broken code, or even hacking attempts. Server misconfigurations or caching problems are other possibilities.
The HTTP 502 Bad Gateway Error and 503 Service Unavailable also point to server-side problems. These may arise from traffic spikes, faulty plugins, or attacks. Misconfigured firewalls or content delivery networks (CDNs) could also contribute, especially in shared hosting environments, where issues on one site can affect the entire server.
Errors like 401 Unauthorized and 403 Forbidden occur when access permissions are altered, often due to password or file permission changes. A “Connection Refused by Host” message may result from incorrect passwords or server configuration issues.
If no recent changes were made, these could signal unauthorized access by hackers. For a broader range of errors, consider consulting a detailed error guide to troubleshoot your issue effectively.
WordPress Hacked? 10 Solutions to Try
When you discover your WordPress website has been hacked, it’s important not to panic. Begin your WordPress hacked recovery process by following the solutions below to regain control of your site.
Enable Maintenance Mode
If you have access to your WordPress admin dashboard, one of the first things you should do is enable maintenance mode. This step ensures that your visitors don’t see harmful or inappropriate content and gives you time to fix the problem without any distractions.
Use WP Maintenance Mode Plugin
You can use various plugins to enable maintenance mode; in this example, we use WP Maintenance Mode. This plugin is user-friendly and takes only a few minutes to set up. Here are the basic steps:
Go to the Plugins → Add New Plugin. Type the plugin name (e.g., “WP Maintenance Mode”) in the search bar and click Install Now.

Once it’s installed, click Activate to start using the plugin.

Click Maintenance in the sidebar. Enable maintenance mode and click Save Changes to save your modifications.

Now, type your website’s URL in your browser’s address bar and see if the maintenance mode is on. Once enabled, anyone visiting your site will see the maintenance message instead of the compromised pages. This keeps your audience safe and assures them that you are working to resolve the issue.

Remember, you can customize this page based on your requirements. For instance, you may update Page Title, Headline, and Description, modify Access Settings, and exclude pages from maintenance mode.

You can also do this by modifying the functions.php or .htaccess file.
Reset all Passwords
Hackers often gain access to WordPress sites by stealing or guessing passwords, so the next step in recovering from a WordPress hacked incident is to reset them immediately. Start with these accounts:
- WordPress Admin Account Password
- Database Password
- Hosting Account Password
Update WordPress Admin Account Password
For a WordPress admin account, go to WordPress Dashboard → Users → All Users, and click on your username. Scroll down to Account Management. Click on Set New Password to let WordPress generate a strong password.
If you want to set your password manually, delete the generated one and enter your new strong password with a mix of numbers, letters, and symbols. Then, click on Update Profile at the bottom to save the new password.

However, if you can’t access the WordPress dashboard, use the Lost Your Password form to recover your account. You can access it by appending /wp-login.php?action=lostpassword to your domain name in the browser. For instance, visit:
www.yourdomainname.com/wp-login.php?action=lostpassword

Luckily, Hosted.com users can reset their WordPress admin password without directly logging into the WordPress admin dashboard. Do this by logging in to the Hosted.com control panel (cPanel). Navigate to Popular Applications → WordPress.

Click on WordPress Manager.

Next, click Login to access your WordPress admin dashboard and proceed with the password resetting process.

We suggest updating the credentials for all users, not just the admin password. This reduces the risk of follow-up attacks, as the hacker could have access to multiple accounts.
Important:
Now that you have accessed your WordPress admin account, remove all suspicious user accounts.
Change Database Password
Your database contains all your website’s data, making it a prime target. Therefore, change the database password in your hosting account’s cPanel or hosting panel. Here’s how Hosted.com users can update their WordPress database password:
Go to cPanel → Databases → Manage My Databases.

Scroll down to Current Users. Identify the database user whose password you want to reset. Next to the database user, click Change Password.

Fill in a new password in the provided fields or create a strong password with the Password Generator. Verify the new password in the Password (Again) field and click Change Password to save the changes.

After updating the password, edit the wp-config.php file to add the new credentials on the following line so WordPress can connect to the database.
define( 'DB_PASSWORD', 'new_password' );
Lastly, save the wp-config.php file and visit your site to ensure it functions correctly.
Hosted.com allows you to reset your WP admin password quickly and easily without needing to log into the admin dashboard, simplifying access for all users.
Plus, our experienced WordPress Hosting support team is always on standby to assist with any issues that may arise.
Revise Hosting Account Password
If hackers access your hosting account, they can manipulate your entire server. Update the hosting account password through your provider’s dashboard. Use a strong password and, if available, enable two-factor authentication (2FA) for extra security.
Resetting passwords will block hackers from hacking WordPress websites again and ensure all entry points are secure.
Restore From a Backup, if Possible
Restoring your site from a backup is one of the quickest and easiest ways to recover after your WordPress hacked event. A backup is a saved copy of your website created before it was compromised. If you have regular backups in place, you can use them to replace the hacked version of your site with a clean, secure one.
To start, check if your hosting provider offers automatic backups. Many WordPress hosting services, like cPanel Web Hosting, provide daily backups that can be restored with just a few clicks. At Hosted, we offer daily backups on all WordPress hosting packages, and users can create full or partial backups based on their requirements.
If you’ve created your backups using a plugin like UpdraftPlus, you can use their built-in tools to restore your site. When restoring a backup, ensure its date is before the hack event. Once restored, update all your WordPress software, including plugins and themes, to close any security gaps that may have caused the issue.
Tip: You may refer to our detailed tutorial titled: How To Backup Your WordPress Site: A Comprehensive Guide for further guidance.
Update WordPress Core, Themes, & Plugins
Keeping your WordPress website updated is one of the best ways to protect it from hackers. Outdated WordPress core files, themes, or plugins often have security gaps that hackers can use to break into your site. Updating everything ensures these gaps are patched with the latest security fixes. Here’s how you can do it:
Update Your WordPress Core
Log in to your dashboard and go to Dashboard → Updates. If an update is available, you’ll see a message prompting you to install it. Click Update Now, and WordPress will handle the rest. Always back up your site before updating to avoid losing data if something goes wrong.

Updating Themes & Plugins
Next, check for updates to your themes and plugins. You can find them under Dashboard → Updates or in the Plugins and Appearance sections.
Update each individually or click the Select All option to bulk-update everything simultaneously. If you’re using third-party plugins or themes not hosted on WordPress.org, visit their official websites to download the latest versions.
Deactivate all Plugins & Themes
Sometimes, a WordPress hacked event is caused by a vulnerable plugin or theme. Deactivating them can help you find out whether one is causing the problem.
To deactivate all plugins, go to Plugins → Installed Plugins in your WordPress dashboard. Use the Select All checkbox, then click Deactivate from the bulk actions dropdown menu. This disables all plugins without deleting them, so your site’s data remains intact.

If you cannot access your dashboard, use an FTP client or your host’s File Manager. Go to the wp-content folder, right-click on the plugins folder, and select Rename to rename it to something like plugins-disabled. This automatically deactivates all plugins.

Now, test each plugin. To identify the problematic plugin(s), reactivate them individually. After reactivating each plugin, check if the issue reappears. When it does, you’ve found the plugin causing the breach. Remove it and find a safe alternative.
Similarly, you can test your active theme. Go to Appearance → Themes and activate a default WordPress theme like Twenty Twenty-Three. If switching themes resolves the issue, your original theme may be compromised. Replace it with a clean version or switch to a new theme altogether.
Scan for Malware
Malware is harmful code that hackers can inject into your WordPress site to steal data, harm visitors, or take control of your website. Therefore, scanning for malware is an important step in a WordPress hacked recovery to find and remove this unwanted code. Thankfully, you don’t need advanced skills to do this – security plugins and services make it simple and effective.
We’ve already covered the manual and automatic WordPress malware removal methods in the following tutorial that you may read here:
– WordPress Malware Removal: Manual & Automatic Methods
If you prefer not to use plugins or want an additional layer of security, you can use external services like Sucuri SiteCheck. These tools scan your website for free by analyzing its URL.

Tip: For more advanced protection, consider subscribing to their premium services, which include automatic malware removal and monitoring.
Reinstall WordPress Core Files to Remove Malicious Code
If your WordPress site has been hacked, the core files, such as index.php or wp-config.php, may contain malicious code that could harm your website. Even if a scan identifies threats, some hidden or deeply embedded scripts can go unnoticed.
For this reason, reinstall WordPress even after scanning for malware, so that any malicious code injected into core files is completely removed. Don’t worry; this process won’t delete your content, themes, plugins, or settings.
We’ve already covered how you can reinstall WordPress in 3 different ways in the following tutorial; however, we recommend creating a backup before reinstalling WordPress.
– How To Reinstall WordPress: Troubleshooting Guide
Once you’ve replaced the files, visit your website to ensure everything works properly. Check the admin dashboard, pages, and posts to confirm the issue has been resolved.
Disable PHP Execution in Untrusted Folders
Hackers often hide malicious scripts in folders like uploads, where files are stored but rarely checked. Disabling PHP execution in these folders can block destructive scripts from running, making your site much safer. Here’s how you can do it:
Access your site’s files using an FTP client or your web host’s File Manager feature. Hosted.com users can navigate to cPanel → Files → File Manager to access their website files.
Next, go to the folder you want to protect, such as wp-content/uploads. In the uploads folder, click the +File button. A New File window will appear; type your new file name as .htaccess and click Create New File.

After that, select the .htaccess file and click Edit to open this file in an editor.

Now, write the following code in the .htaccess file and save it:
<Files *.php>
Deny from all
</Files>
This code tells the server to deny web requests for any file ending in .php in that folder and its subfolders, so PHP scripts placed there cannot be run through the browser.
To ensure everything works, try uploading a test PHP file to the folder and accessing it in your browser. If the .htaccess rules are working, the script won’t execute.
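Blocking execution does not remove scripts that are already there, and the `<Files *.php>` rule only matches names ending in .php. The script below is an added example, not part of the original tutorial: it walks an uploads folder and lists files that carry a PHP-style extension anywhere in their name, or that contain a PHP opening tag despite looking like media files. The extension list and function names are assumptions; adjust them to the handlers your server actually maps to PHP.

```python
import os
import sys

# Extensions commonly mapped to the PHP handler (assumed list, not exhaustive).
PHP_EXTENSIONS = {"php", "php3", "php4", "php5", "php7", "phtml", "pht", "phar"}
PHP_OPEN_TAG = b"<?php"
MAX_SCAN_BYTES = 2 * 1024 * 1024  # read at most 2 MiB per file


def classify(path):
    """Return a reason string if the file deserves review, else None."""
    # Check every dot-separated part so names like banner.php.jpg are caught.
    parts = os.path.basename(path).lower().split(".")[1:]
    if any(part in PHP_EXTENSIONS for part in parts):
        return "php extension"
    try:
        with open(path, "rb") as fh:
            head = fh.read(MAX_SCAN_BYTES)
    except OSError:
        return "unreadable"
    # An uploads folder should hold media and documents, not PHP source.
    if PHP_OPEN_TAG in head.lower():
        return "php code in non-php file"
    return None


def scan_uploads(uploads_root):
    """Return a sorted list of (relative path, reason) for files to review."""
    uploads_root = os.fspath(uploads_root)
    findings = []
    for dirpath, _dirnames, filenames in os.walk(uploads_root):
        for name in filenames:
            full = os.path.join(dirpath, name)
            if os.path.islink(full):
                continue  # do not read through symlinks
            reason = classify(full)
            if reason:
                rel = os.path.relpath(full, uploads_root).replace(os.sep, "/")
                findings.append((rel, reason))
    return sorted(findings)


if __name__ == "__main__":
    if len(sys.argv) != 2:
        sys.exit("usage: scan_uploads.py <path-to-wp-content/uploads>")
    for rel, reason in scan_uploads(sys.argv[1]):
        print(f"{reason:26} {rel}")
```

Treat the output as a review list: download flagged files for inspection before deleting them, since some plugins legitimately store files in uploads.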

Clean Database
If hackers attack your WordPress website, they can inject malicious code or create unwanted entries in your website database. These entries may include fake admin users, spammy links, or harmful scripts. That’s why cleaning your WordPress database is vital so your website runs securely and smoothly.
Before making any changes, create a backup of your website. This way, you can restore it if you accidentally delete a wrong record. After that, go through the following steps using the Hosted.com cPanel:
Log in to your cPanel account. Head over to Databases → phpMyAdmin.

Choose your WordPress database from the list on the left and search for tables where hackers may have added malicious data. Common targets include:
- wp_users: Check for unknown admin accounts.
- wp_options: Look for strange settings or links.
- wp_posts and wp_comments: Search for spammy or unauthorized content.
You can use the search bar in phpMyAdmin to look for keywords like eval, base64, or URLs that don’t belong to your site. Once you identify suspicious rows, carefully delete them.
After cleaning, optimize your database to improve performance. Be aware: manually cleaning and optimizing your database is a lengthy process. It also carries the risk of accidentally deleting critical records, which could disrupt your website’s functionality.
To clean your database efficiently and safely, use a plugin like WP-Optimize. Once you’ve installed and activated the plugin, follow these steps:
Go to WP-Optimize → Database. Select or deselect options based on your requirements. Then, click Run all selected optimizations.

Tip: Make database cleaning a regular part of your website maintenance routine to keep hackers out and your site running at its best.
Review & Clean Sitemap
Your sitemap is a roadmap for search engines, guiding them to the most important parts of your website. If hackers alter your sitemap while hacking WordPress, they can add malicious links that harm your visitors and your SEO. In this case, reviewing and cleaning your sitemap ensures it only contains safe and useful information. Here’s how to do it:
First, locate your sitemap. Most WordPress sites use plugins like Yoast SEO, Rank Math, or Google XML Sitemaps to generate sitemaps. You can usually find your sitemap at a URL like:
yourdomain.com/sitemap.xml
Open this file in your browser to view the content. Now, carefully review the sitemap for any URLs that don’t belong to your site. Signs of a hacked sitemap include:
- Unknown pages or URLs.
- Links with spammy keywords.
- Redirects to external, unrelated websites.
Make a note of any suspicious links you find. If you’re using a sitemap plugin, go to the plugin’s settings in your WordPress dashboard. Remove any content types (e.g., pages or posts) that don’t belong in the sitemap. Then, update or regenerate the sitemap to reflect the changes.
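The sitemap review can be scripted for large sites. The code below is an added example, not part of the original tutorial: it parses a sitemap, then flags entries that point to a different host or whose path contains a spam keyword. The sample sitemap is constructed, and the keyword list, host names and function names are assumptions for illustration.

```python
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit

# Illustrative keywords only (assumption); extend with terms seen in your own review.
SPAM_KEYWORDS = ("casino", "payday-loan", "replica-watches")

# Constructed sample sitemap using reserved example domains.
SAMPLE_SITEMAP = """<?xml version="1.0" encoding="UTF-8"?>
<urlset xmlns="http://www.sitemaps.org/schemas/sitemap/0.9">
  <url><loc>https://www.example.com/</loc></url>
  <url><loc>https://www.example.com/blog/hello-world/</loc></url>
  <url><loc>https://example.com.promo.test/win</loc></url>
  <url><loc>https://www.example.com/casino-bonus/</loc></url>
</urlset>
"""


def _bare_host(host):
    """Lower-case a host name and drop a leading www. for comparison."""
    host = (host or "").lower().rstrip(".")
    return host[4:] if host.startswith("www.") else host


def extract_locs(xml_text):
    """Return every <loc> value from a sitemap or sitemap index."""
    text = xml_text.strip()
    upper = text.upper()
    # Sitemaps never need a DTD; refuse one instead of expanding entities
    # from a file that may have been tampered with.
    if "<!DOCTYPE" in upper or "<!ENTITY" in upper:
        raise ValueError("sitemap contains a DTD; refusing to parse")
    root = ET.fromstring(text)
    return [el.text.strip() for el in root.iter()
            if el.tag.rsplit("}", 1)[-1] == "loc" and el.text]


def review_sitemap(xml_text, site_host, keywords=SPAM_KEYWORDS):
    """Return (url, reason) pairs for entries that need a manual look."""
    expected = _bare_host(site_host)
    findings = []
    for url in extract_locs(xml_text):
        try:
            parts = urlsplit(url)
            host = _bare_host(parts.hostname)
        except ValueError:
            findings.append((url, "unparseable URL"))
            continue
        if parts.scheme not in ("http", "https"):
            findings.append((url, "unexpected scheme"))
        elif host != expected:
            # Exact match on purpose: example.com.promo.test is not example.com.
            findings.append((url, "foreign host: " + host))
        else:
            hit = next((k for k in keywords if k in parts.path.lower()), None)
            if hit:
                findings.append((url, "spam keyword: " + hit))
    return findings


if __name__ == "__main__":
    for url, reason in review_sitemap(SAMPLE_SITEMAP, "www.example.com"):
        print(f"{reason:40} {url}")
```

Legitimate subdomains are reported as foreign hosts because the comparison is exact, so run the review once per host you actually serve.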
Why is Your WordPress Hacked?
WordPress is a popular and powerful platform; however, its popularity makes it a target for hackers. Therefore, understanding why WordPress sites get hacked is important for protecting your website. Several factors contribute to vulnerabilities, from weak passwords to outdated software and insecure plugins or themes. Recognize these risks, then take proactive measures to protect your site.
Insecure Passwords
Weak passwords are one of the most common reasons WordPress websites are compromised. Using passwords like “password” or “123456” makes it easy for hackers to break in.
Create strong, unique passwords for your WordPress admin account, user accounts, and other critical areas like FTP and hosting. A secure password must include a mix of uppercase & lowercase letters, numbers, and special characters. Encouraging all users to follow these practices is key to lessening risks.
Outdated Software
Outdated WordPress core files, plugins, and themes are significant security vulnerabilities. Hackers exploit known weaknesses in older versions to gain unauthorized access to websites. Regularly updating your WordPress installation, themes, and plugins ensures your site benefits from the latest security patches and features. Ignoring updates could leave your site wide open to attacks.
Improper User Roles & Permissions
When user roles and permissions are misconfigured, they can give access to the wrong people. For example, if every user has admin privileges, anyone could accidentally (or intentionally) harm your site. Assign roles carefully and follow the principle of least privilege – only give users the access they need.
Insecure Code
Using themes or plugins from unreliable sources can introduce malicious code or vulnerabilities to your site. Free themes and plugins should always come from the official WordPress repository, where they undergo strict reviews.
When purchasing premium themes or plugins, check the vendor’s reputation and get recommendations from trusted sources. Avoid nulled plugins or themes; these are often modified to harm your site or steal sensitive information. Insecure code like this puts your site at risk and compromises your visitors’ trust.
Lack of Security Measures
A WordPress site without proper security measures is like a house with no locks. Without tools like firewalls or security plugins, your site is more vulnerable to attacks. Security plugins like Wordfence can block threats, scan for malware, and monitor suspicious activity. These tools are necessary for keeping your site safe.
Prevent Future WordPress Hacked Events
Keeping your WordPress website secure is essential to avoid hacks and data loss. Follow these simple measures to protect your site and its users.
- Regular Backups: Website backups act as a safety net. Set up automated backups using plugins. Store your backups securely on cloud services or external drives. This ensures you can restore your site quickly if something goes wrong.
- Implement Two-Factor Authentication (2FA): Adding 2FA strengthens logins by requiring a second step, like a code sent to your phone. Plugins like MiniOrange’s Google Authenticator make it easy to set up.
- Limit Login Tries: Prevent brute force attacks by restricting the number of failed logins. Use plugins like Limit Login Attempts Reloaded to block repeated attempts from the same IP.
- Use Security Plugins: Install trusted security plugins. These tools provide malware scanning, firewalls, and alerts for suspicious activity.
- Enforce Strong Password Policies: Encourage users to create passwords using letters, numbers, and symbols. Avoid using common or simple passwords.
- Regular Security Audits: Regularly check your site’s settings and logs to spot vulnerabilities early. Security plugins can automate this process.
- Enable Secure Sockets Layer (SSL): Don’t forget to enable SSL on your site. An SSL certificate encrypts the information (data) exchanged between your site and its users, making it harder for hackers to intercept sensitive information. Many hosting services offer free SSL certificates through Let’s Encrypt, which you can easily enable.
- Educate Users: Teach your team safe practices like avoiding suspicious links and regularly updating software. Awareness helps everyone play a role in security.
These steps will help keep your WordPress site secure and running smoothly.
FAQs
Will changing my hosting provider improve my site’s security?
A good web hosting company can significantly enhance your site’s security. Search for hosting providers offering features like automatic backups, malware scanning, firewalls, and 24/7 support. While changing hosts won’t remove existing hacks, it can prevent future ones by providing a more secure environment.
What are “nulled” themes or plugins, and why should I avoid them?
Nulled plugins or themes are pirated versions of paid WordPress products. While they seem like a free alternative, they often have malicious code that can harm your site or steal sensitive data. Always download your plugins and themes from trusted sources like the official WordPress directory or reputable vendors.
What should I do if the WordPress hacked issue can’t be fixed?
If you cannot repair your site on your own, don’t panic. Start by contacting your hosting provider; they have tools and experts who can help. If that doesn’t work, consider hiring a WordPress security professional to clean and secure your site. Companies like Sucuri and Wordfence offer paid services that fully recover hacked websites.
Can outdated themes and plugins cause my site to get hacked?
Yes. Outdated themes and plugins are a common way hackers gain access to WordPress sites. Developers release updates to fix vulnerabilities; if you ignore these, your site will be open to attacks. Regularly check for the latest updates in your WordPress dashboard and remove unused plugins or themes to reduce potential risks.
How often should I back up my WordPress site?
It depends on how often you update your site. Make daily backups if you make changes daily, such as adding new content or products. If updates are less frequent, weekly backups may suffice. Many plugins and hosting services offer automatic backups.